use:winbind
This document describes how to set up Winbind via NSS and PAM, allowing a SmartOS zone to lookup and authenticate against an Active Directory service.
Many thanks go to Faithlife Engineering. This guide is based on their "Winbind in SmartOS" series here:
- https://ops.faithlife.com/winbind-in-smartos-part-i-the-basics/
- https://ops.faithlife.com/winbind-in-smartos-part-ii-running-in-base-64/
- https://ops.faithlife.com/winbind-in-smartos-part-iii-polishing/
See their posts for more detailed information and further configuration, though note that with the new samba-compat32 package there is no need for any of the hacks listed.
The current implementation of NSS and PAM in illumos requires that all libraries are 32-bit. This causes issues with SmartOS images that target 64-bit binaries.
To work around this limitation, certain 64-bit images offer a special package that bundles the Samba libraries from a 32-bit package set. The first step is to install this package:
$ pkgin -y install samba-compat32
For Kerberos authentication the mit-krb5 package is required:
$ pkgin -y install mit-krb5
Configuration of the various files will naturally be site-specific, but these examples have been used in a proof of concept, so they should work once the settings are adjusted for your network.
For this example network we're using the following settings:
- Realm: EXAMPLE.JOYENT.COM
- Workgroup: EXAMPLE
It is assumed that DNS has already been configured for KDC lookups.
Edit /opt/local/etc/krb5.conf:
[libdefaults]
default_realm = EXAMPLE.JOYENT.COM
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
EXAMPLE.JOYENT.COM = {
default_domain = example.joyent.com
}
[domain_realm]
pdc = EXAMPLE.JOYENT.COM
Now we can create a Kerberos ticket using kinit for a valid AD user:
$ kinit administrator
Password for administrator@EXAMPLE.JOYENT.COM:
Warning: Your password will expire in 41 days on Wed Jan 13 10:20:32 2021
$
You can verify the Kerberos ticket using klist:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@EXAMPLE.JOYENT.COM
Valid starting       Expires              Service principal
12/02/20 10:21:00    12/02/20 20:21:00    krbtgt/EXAMPLE.JOYENT.COM@EXAMPLE.JOYENT.COM
        renew until 12/03/20 10:20:58
Now we can join the domain using the Kerberos credentials with the net command. The host we're connecting from has the hostname testhost in this example:
$ net join -k
Using short domain name -- EXAMPLE
Joined 'TESTHOST' to dns domain 'example.joyent.com'
With the host joined to the domain, we can now start the winbind service:
$ svcadm enable svc:/pkgsrc/samba:winbind
At this point we should be able to verify that winbind lookups function correctly using wbinfo. If they do not, diagnose the issue before continuing.
$ wbinfo -u
guest
administrator
krbtgt
$ wbinfo -g
enterprise admins
group policy creator owners
dnsupdateproxy
domain controllers
...
$ wbinfo -i administrator
administrator:*:10500:10513::/home/administrator:/usr/bin/bash
Name services can be configured to perform lookups through winbind.
First, edit /etc/nsswitch.conf and add winbind to the list of backends for each service required. This will normally just be passwd and group:
passwd: files winbind
group: files winbind
In order for nss(4) to locate the support for each backend, it looks for a shared library named nss_<backend>.so.1 in the library lookup path. As the 32-bit library is shipped in the non-standard /opt/local/lib/i386 directory, we need to add that path:
$ crle -c /var/ld/ld.config -l /lib:/usr/lib:/opt/local/lib/i386
If nscd, the name service cache, is running then it will need to be restarted:
$ svcadm restart svc:/system/name-service-cache:default
Now lookups using tools such as getent(1M) and id(1M) should show AD users and groups. Make sure that you are using the system tools and not the GNU counterparts installed in /opt/local/bin, as those do not support NSS:
$ PATH=/usr/bin:$PATH
$ getent passwd administrator
administrator:*:10500:10513::/home/administrator:/usr/bin/bash
$ id krbtgt
uid=10502(krbtgt) gid=10513(domain users)
As noted in the Faithlife documents, configuring PAM is a delicate operation; however, the configuration below for /etc/pam.conf should at least provide a working starting point:
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient /opt/local/lib/samba/security/i386/pam_winbind.so use_first_pass
other auth required pam_unix_auth.so.1
other account sufficient /opt/local/lib/samba/security/i386/pam_winbind.so use_first_pass
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other session required pam_unix_session.so.1
other session required /opt/local/lib/samba/security/i386/pam_winbind.so
other password required pam_dhkeys.so.1
other password sufficient /opt/local/lib/samba/security/i386/pam_winbind.so
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
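The nsswitch.conf and pam.conf edits above are easy to get subtly wrong (a winbind backend left off one database, pam_winbind referenced without its 32-bit path, or use_first_pass missing so the user is prompted twice). The following lint script is an added example, not part of the pkgsrc documentation or the Faithlife posts; it reads each file on stdin and checks it against the layout this guide describes, using the module path from the pam.conf above.

```sh
#!/bin/sh
# Added lint for the two files this guide edits; not from the pkgsrc docs.
# Each checker reads a config file on stdin: exit 0 if it matches the guide.

# 32-bit pam_winbind path as used in the guide's pam.conf.
PAM_WINBIND=/opt/local/lib/samba/security/i386/pam_winbind.so

# nss_has_winbind DB: the "DB:" line of nsswitch.conf lists the winbind backend.
nss_has_winbind() {
    awk -v db="$1" '
        { sub(/:/, " ") }            # "passwd:files winbind" -> "passwd files winbind"
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit found ? 0 : 1 }'
}

# pam_stack_ok: in the "other" stack, pam_winbind must be referenced by the
# absolute path above (it lives outside the default module directory), the
# auth line must carry use_first_pass and come after pam_authtok_get.so.1
# (which collects the token it reuses), and an account line must be present.
pam_stack_ok() {
    awk -v mod="$PAM_WINBIND" '
        $1 != "other"                                { next }
        $2 == "auth" && $4 == "pam_authtok_get.so.1" { get_line = NR }
        $2 == "auth" && $4 == mod {
            auth_line = NR
            for (i = 5; i <= NF; i++) if ($i == "use_first_pass") first_pass = 1
        }
        $2 == "account" && $4 == mod                 { account = 1 }
        $4 ~ /pam_winbind\.so$/ && $4 != mod         { bad_path = 1 }
        END {
            ok = get_line && auth_line > get_line && first_pass && account && !bad_path
            exit ok ? 0 : 1
        }'
}

# Demo on the guide's own lines (constructed here-documents).
nss_has_winbind passwd <<'EOF' && echo "nsswitch.conf passwd: ok" || echo "nsswitch.conf passwd: missing winbind"
passwd: files winbind
group: files winbind
EOF

pam_stack_ok <<'EOF' && echo "pam.conf: ok" || echo "pam.conf: needs attention"
other auth requisite pam_authtok_get.so.1
other auth sufficient /opt/local/lib/samba/security/i386/pam_winbind.so use_first_pass
other auth required pam_unix_auth.so.1
other account sufficient /opt/local/lib/samba/security/i386/pam_winbind.so use_first_pass
EOF
```

Run it against the real files with `nss_has_winbind passwd < /etc/nsswitch.conf` and `pam_stack_ok < /etc/pam.conf` before testing a login.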