One Potential Issue in AD Integration Scenarios

Monday, September 17, 2007 in Interoperability by slowe | 8 comments

Regular readers of this blog know that I like to work on integrating various systems into Active Directory.  I’ve written a couple of articles on the issue:

Linux-AD Integration, Version 4
Solaris 10-AD Integration, Version 3
Active Directory Integration Index

These articles have been pretty successful and from what I understand have helped a fair number of people integrate their non-Windows systems into Active Directory for simplified user management and authentication.  Occasionally, though, we run into the odd issue that isn’t quite so straightforward to resolve.

For example, I recently had a reader (let’s call him Johnny) who was having a difficult time getting the Linux-AD integration to work.  The “ldapsearch” and “kinit” commands worked fine, but “getent passwd” or “getent group” failed with no output.  The users in Active Directory did indeed have UNIX attributes added to their accounts.  There were no firewalls between the non-Windows systems and the Active Directory domain controllers, and there did not appear to be any connectivity issues whatsoever (this further underscored by the fact that “ldapsearch” successfully returned LDAP search results from AD, and “kinit” successfully obtained a Kerberos ticket from AD).  We were stumped.

Johnny and I traded e-mails back and forth a few times, until finally Johnny found his error and notified me about what had been happening.  As I read the description about the problem, I realized that this may be a problem that is affecting a lot of users, and may, in fact, have stumped some of you out there reading right now.  Here’s the details.

The method that I suggest using for AD integration uses two parts:

  • First, we use Kerberos to obtain a Kerberos ticket from an Active Directory domain controller (also a Kerberos key distribution center, or KDC).  This handles the authentication side of things and prevents the password from crossing the wire at any point in time.
  • Next, we use LDAP to centrally store account information, such as UID number, GID number, home directory, login shell, etc.  This is the part that typically requires schema extensions (although there is a workaround for that) and using this technique ensures that we don’t have to manage accounts individually on each Linux server.

This approach doesn’t work without both pieces.  The Kerberos authentication takes care of the password, but without account information logins still fail.  So if Kerberos works but LDAP doesn’t, logins will fail.  If Kerberos doesn’t work but LDAP is fine, logins will fail.  So part of troubleshooting this configuration is isolating where the problem lies.  In this particular case, “kinit” worked fine—no error was returned and “klist” showed a valid Kerberos ticket.  So the problem had to be with LDAP.  But where?  The “ldapsearch” command worked fine.

The problem lie with the /etc/ldap.conf file.  See, the nss_ldap libraries (which are responsible for using LDAP—and other sources, as defined in /etc/nsswitch.conf—as the backend information database for account information) are controlled by this file, but “ldapsearch” does not use it.  Specifically, the error was with the account that is used to bind (or connect) to Active Directory to perform the searches.

There are two ways of specifying this account in /etc/ldap.conf.  You can use the full DN, which looks something like “cn=Scott Lowe,cn=Users,dc=example,dc=com” or “cn=John Smith,ou=Marketing,ou=Departments,dc=example,dc=com”.  Alternately, you can use the universal principal name (UPN), which looks something like an e-mail address, such as “[email protected]” or “[email protected]”.  In this particular case, Johnny (our reader with the problem) was using the full DN, but he was using the wrong attribute in the DN.  Here’s the information he had:

First Name: John
Last Name: Smith
Full Name: John Smith
Display Name: John Smith
UPN: [email protected]
SAM Account Name (downlevel logon name): jsmith
Object name: jsmith

Which of these do you suppose should be used in the DN?  Full name?  No.  Display name?  No.  It must be the object name, in this case “jsmith”.  You can double-check your object name (or CN) using ADSI Edit or a similar utility.  You could use Active Directory Users and Computers, but that’s typically the confusing part.  In any case, once Johnny fixed the syntax for the bind account then “getent passwd” and “getent group” worked like a champ.

How do we avoid this kind of issue?  Simple: just use the UPN instead of the full DN.  This syntax works just as well and avoids the potential problem of using the wrong name when building the full DN.

Tags: , , , , , , ,

  1. Clif Smith’s avatar

    Clif Smith on Thursday, September 20, 2007 at 5:13 pm

    Thanks for the continued info and updates to it! I must say I’m disappointed that we UNIX/Linux admins still have to jump through so many complicated hoops when (unfortunately) AD has been the defacto authenticator for a number of years now. While I’ve been successful with Linux and Solaris, my attempts at integrating AIX continue to cause me to fall on my head.

  2. slowe’s avatar

    slowe on Friday, September 21, 2007 at 4:50 am

    Clif,

    I wish I could help with AIX! Unfortunately, I know absolutely nothing about how AIX works…does it support PAM and NSS? OpenBSD does not, for example, which completely prevents any sort of broad AD integration.

  3. Clif Smith’s avatar

    Clif Smith on Monday, September 24, 2007 at 4:26 pm

    As of AIX 5.2 a year or so ago, I don’t believe NSS was supported. As well, I believe PAM was supported only through AIX’s LAM. I’ve since migrated most of my 5.2 systems so hopefully this has all changed. Having said that, I tried a howto a couple of months back using 5.3 and still failed to get it going. :^(

    It simply shouldn’t be an issue. At this point it should be little more than a “checkbox”. (Said the tired admin)

  4. slowe’s avatar

    slowe on Monday, September 24, 2007 at 4:34 pm

    Clif,

    Well, without NSS you’re kind of stuck. Sorry–wish I could be more helpful!

  5. Zac439’s avatar

    Zac439 on Wednesday, October 24, 2007 at 8:39 pm

    Hey there! Very nice article you have here. If anyone was having problems understanding more about Kerberos, there is a good article on it here:
    http://www.learn-networking.com/security-basics/how-kerberos-authentication-works.html

  6. Brian’s avatar

    Brian on Saturday, March 1, 2008 at 3:42 pm

    Thanks so much for taking the time to write the articles about AD integration. I am having a problem that sounds like what is described here regarding the one-potential-issue… but I am having trouble translating the _two ways of specifying this account in /etc/ldap.conf_ into the actual lines in that file. Could you share some typical examples of the line(s) in ldap.conf for the bind account (and/or whatever other info in ldap.conf may be affected by this). Thanks.

  7. Dave McLeod’s avatar

    Dave McLeod on Tuesday, March 25, 2008 at 4:28 pm

    Hi Scott,
    I tried using your Solaris AD integration with somany attempts sometimes I get locked out sometimes it worked and sometimes it didn’t when it worked I was able to make winbindd daemon to start but when the Administrator account was the only account that could log-in other users couldn’t. I have re-installed Solaris 10 many times (I guess I’m enjoying the luxury of VMs)

  8. Stephen’s avatar

    Stephen on Tuesday, February 24, 2009 at 11:16 am

    Has anyone been able to get the UPN to work with Solaris 9? I stumbled upon some Solaris documentation that specifically says DO NOT use the UPN. I can’t get the UPN to work no matter what I do.