Mapping User and Group Ownership through LDAP

Question

I am installing smb 3.5 on a CentOS 6.2 host using smbldap-tools. I've previously installed a similar configuration on RHEL4 using smb 3.0 but CentOS now uses nss-pam-ldapd and nslcd instead of nss_ldap, so the configurations cannot be moved straight across.

When I do a listing of a share directory that should have user and group ownership determined by LDAP, I get the uidNumbers and gidNumbers rather than the UIDs and GIDs.

[root@edgar2 openldap]# ls -l /data/home | tail
drwx------.  2  30634 30080 4096 Mar 18  2009 userdir1
drwx------. 33  30548 30075 4096 Jan 29 15:20 userdir2
drwx------.  3  30554 30075 4096 Jan 26  2009 userdir3
drwx------. 12  30467 30075 4096 Jun 21  2012 userdir4
drwx------.  4  30543 30075 4096 Oct 21  2008 userdir5
drwx------.  8  30555 30075 4096 Oct 31 10:36 userdir5

Other details: centos 6.2, samba 3.5, smbldap-tools 0.9.6, openldap 2.4.23

I've fussed with /etc/nsswitch.conf, /etc/pam_ldap.conf, /etc/nslcd.conf, /etc/pam.d/system-auth, and /etc/sysconfig/authconfig. And selinux is off.

I know the machine is successfully connecting to LDAP. An ldapsearch works from this machine, and I can even connect to a samba share with an ldap login through smbclient.

Relevant parts of /etc/nsswitch:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

#hosts:     db files nisplus nis dns
hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files ldap
rpc:        files
services:   files ldap

netgroup:   nisplus ldap
#netgroup:   ldap

publickey:  nisplus

automount:  files nisplus ldap
#automount:  files ldap
aliases:    files nisplus

Relevant parts of /etc/pam_ldap.conf (everything else is commented out):

host dir1.ourdomain.com
base dc=.ourdomain,dc=com
#uri ldaps://dir1.ourdomain.com
uri ldap://dir1.ourdomain.com

# basic auth config
binddn cn=admin,dc=ourdomain,dc=com
rootbinddn cn=admin,dc=ourdomain,dc=com

# random stuff
#timelimit 120
#bind_timelimit 120
#bind_policy hard
# brought these times down wmodes Aug 11, 2008
timelimit 30
bind_timelimit 30
bind_policy soft
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap

# pam config
#pam_password md5
pam_password md5

# config for nss
nss_base_passwd ou=people,dc=ourdomain,dc=com?one
nss_base_shadow ou=people,dc=ourdomain,dc=com?one
nss_base_group  ou=group,dc=ourdomain,dc=com?one

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl no

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
#tls_checkpeer yes

# CA certificates for server certificate verification
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts

# Client certificate and key
tls_cert /etc/openldap/cacerts/servercert.pem
tls_key /etc/openldap/cacerts/serverkey.pem

Relevant parts of /etc/pam.d/system-auth:

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077

And the only line in /etc/sysconfig/authconfig I changed was:

USELDAP=yes

Any thoughts? For those who are experienced with nis and pam, I'm sure this is a no brainer, but I could sure use the little bit of your brain that knows how to fix this.

just a remark: with RHEL/CentOS 6 I'd rather stick with `sssd` than `nslcd`. AFAIK it's now the default when using `authconfig`. — fuero, Feb 15 '13 at 11:11
I have a very very simple solution to this problem and will post it as time allows. — Wes Modes, Jul 13 '13 at 06:39

score 0 · Answer 1 · answered Jul 16 '13 at 05:52

I was overthinking this. No need to use pam_ldap and sssd. According to the sssd and CentOS lists, generally one uses one or the other.

In the end, I recreated a system from my VM template and used authconfig, which edits the appropriate system files.

authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=ldap.mydomain.edu --ldapbasedn="dc=mydomain,dc=com" --update

The only weakness in authconfig is that it doesn't cleanly disable options you use it to enable. So it is far from safe to experiment with since you can easily host your system.

Mapping User and Group Ownership through LDAP

1 Answers1