Regular readers of this blog know that I like to work on integrating various systems into Active Directory. I’ve written a couple of articles on the issue:
These articles have been pretty successful and from what I understand have helped a fair number of people integrate their non-Windows systems into Active Directory for simplified user management and authentication. Occasionally, though, we run into the odd issue that isn’t quite so straightforward to resolve.
For example, I recently had a reader (let’s call him Johnny) who was having a difficult time getting the Linux-AD integration to work. The â€œldapsearchâ€ and â€œkinitâ€ commands worked fine, but â€œgetent passwdâ€ or â€œgetent groupâ€ failed with no output. The users in Active Directory did indeed have UNIX attributes added to their accounts. There were no firewalls between the non-Windows systems and the Active Directory domain controllers, and there did not appear to be any connectivity issues whatsoever (this further underscored by the fact that â€œldapsearchâ€ successfully returned LDAP search results from AD, and â€œkinitâ€ successfully obtained a Kerberos ticket from AD). We were stumped.
Johnny and I traded e-mails back and forth a few times, until finally Johnny found his error and notified me about what had been happening. As I read the description about the problem, I realized that this may be a problem that is affecting a lot of users, and may, in fact, have stumped some of you out there reading right now. Here’s the details.
The method that I suggest using for AD integration uses two parts:
- First, we use Kerberos to obtain a Kerberos ticket from an Active Directory domain controller (also a Kerberos key distribution center, or KDC). This handles the authentication side of things and prevents the password from crossing the wire at any point in time.
- Next, we use LDAP to centrally store account information, such as UID number, GID number, home directory, login shell, etc. This is the part that typically requires schema extensions (although there is a workaround for that) and using this technique ensures that we don’t have to manage accounts individually on each Linux server.
This approach doesn’t work without both pieces. The Kerberos authentication takes care of the password, but without account information logins still fail. So if Kerberos works but LDAP doesn’t, logins will fail. If Kerberos doesn’t work but LDAP is fine, logins will fail. So part of troubleshooting this configuration is isolating where the problem lies. In this particular case, â€œkinitâ€ worked fine—no error was returned and â€œklistâ€ showed a valid Kerberos ticket. So the problem had to be with LDAP. But where? The â€œldapsearchâ€ command worked fine.
The problem lie with the /etc/ldap.conf file. See, the nss_ldap libraries (which are responsible for using LDAP—and other sources, as defined in /etc/nsswitch.conf—as the backend information database for account information) are controlled by this file, but â€œldapsearchâ€ does not use it. Specifically, the error was with the account that is used to bind (or connect) to Active Directory to perform the searches.
There are two ways of specifying this account in /etc/ldap.conf. You can use the full DN, which looks something like â€œcn=Scott Lowe,cn=Users,dc=example,dc=comâ€ or â€œcn=John Smith,ou=Marketing,ou=Departments,dc=example,dc=comâ€. Alternately, you can use the universal principal name (UPN), which looks something like an e-mail address, such as â€œ[email protected]â€ or â€œ[email protected]â€. In this particular case, Johnny (our reader with the problem) was using the full DN, but he was using the wrong attribute in the DN. Here’s the information he had:
First Name: John
Last Name: Smith
Full Name: John Smith
Display Name: John Smith
UPN: [email protected]
SAM Account Name (downlevel logon name): jsmith
Object name: jsmith
Which of these do you suppose should be used in the DN? Full name? No. Display name? No. It must be the object name, in this case â€œjsmithâ€. You can double-check your object name (or CN) using ADSI Edit or a similar utility. You could use Active Directory Users and Computers, but that’s typically the confusing part. In any case, once Johnny fixed the syntax for the bind account then â€œgetent passwdâ€ and â€œgetent groupâ€ worked like a champ.
How do we avoid this kind of issue? Simple: just use the UPN instead of the full DN. This syntax works just as well and avoids the potential problem of using the wrong name when building the full DN.