CentOS 7 login with Samba4 LDAP

Centralized authentication is a good fit for large environments, because the sysadmin can manage users' logins and permissions in one place. Here I list the steps needed to make a CentOS 7 server authenticate against a Samba4 LDAP service.

My example environment

  • Samba4 server = ldap1.example.com
  • CentOS 7 client = localhost.example.com

* I will assume your Samba4 server is already running.

My user

dn: CN=Eduardo de Lima Ramos,OU=people,DC=example,DC=com
uidNumber: 10000
unixHomeDirectory: /home/eduardo.ramos
gidNumber: 10
loginShell: /bin/bash
...

Installation and configuration

[root@localhost ~]# yum install -y nss-pam-ldapd 

Now configure PAM. Make sure the following lines exist in these two files.
/etc/pam.d/system-auth:

auth        sufficient    pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_ldap.so

/etc/pam.d/password-auth:

auth        sufficient    pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_ldap.so
session     required      pam_mkhomedir.so umask=0027

That makes PAM accept LDAP users and create the home directory on first login when it does not exist yet.
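To see why the account line above does not lock out local users, here is an added example (not from the original post) that models the Linux-PAM control-flag semantics for the account stack in Python. The stacks and the per-module return values are constructed scenarios; the stack that places pam_localuser.so sufficient ahead of pam_ldap.so is the shape authconfig-generated files on CentOS 7 usually have, and is assumed here rather than quoted from the page.

```python
"""Model of the Linux-PAM control-flag semantics for an "account" stack.

Added example, not from the original post. It expands the shorthand
controls (required, requisite, sufficient, optional) into the bracketed
[value=action] form the way the Linux-PAM documentation describes, then
walks a stack the way the dispatcher does, closely enough to show what
  account [default=bad success=ok user_unknown=ignore] pam_ldap.so
does for local users, LDAP users, and an unreachable LDAP server. The
module return values per scenario are constructed, not real PAM output.
"""

# Shorthand controls as the Linux-PAM manual defines them.
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

POSITIVE = ("success", "new_authtok_reqd")


def parse_control(control):
    """'required' or '[default=bad success=ok user_unknown=ignore]' -> {retval: action}."""
    if control.startswith("[") and control.endswith("]"):
        return dict(pair.split("=", 1) for pair in control[1:-1].split())
    return dict(SHORTHAND[control])


def run_stack(stack, results):
    """Walk a stack of (control, module) pairs.

    results maps module name -> the return value it would produce for this
    user (modules not listed are taken to return 'success'). Returns the
    final status. An undecided stack is reported as 'perm_denied'; the real
    dispatcher has extra rules for that corner, which this model skips.
    """
    status = None  # undecided, a positive value, or the first failure seen
    for control, module in stack:
        actions = parse_control(control)
        retval = results.get(module, "success")
        action = actions.get(retval, actions["default"])
        if action == "ignore":
            continue  # verdict does not count (user_unknown=ignore lands here)
        if action in ("ok", "done"):
            if status in (None, "success"):
                status = retval  # a recorded failure is never overwritten by a later success
        elif action in ("bad", "die"):
            if status is None or status in POSITIVE:
                status = retval  # first failure wins
        if action == "done" and status in POSITIVE:
            break  # sufficient: succeed now, unless an earlier module already failed
        if action == "die":
            break  # requisite: fail now
    return status if status is not None else "perm_denied"


# Stack built from the post's pam_ldap line; pam_unix and pam_permit as its
# neighbours are an assumption about the rest of system-auth.
MINIMAL_STACK = [
    ("required", "pam_unix.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_ldap.so"),
    ("required", "pam_permit.so"),
]

# Same stack with pam_localuser.so short-circuiting for /etc/passwd users,
# the shape authconfig on CentOS 7 writes (assumed, not quoted from the post).
LOCALUSER_STACK = [
    ("required", "pam_unix.so"),
    ("sufficient", "pam_localuser.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_ldap.so"),
    ("required", "pam_permit.so"),
]

# Constructed per-user module results: pam_localuser denies anyone not in
# /etc/passwd, pam_ldap reports user_unknown for purely local users.
SCENARIOS = {
    "local user": {"pam_localuser.so": "success", "pam_ldap.so": "user_unknown"},
    "ldap user, account ok": {"pam_localuser.so": "perm_denied", "pam_ldap.so": "success"},
    "ldap user, account expired": {"pam_localuser.so": "perm_denied", "pam_ldap.so": "acct_expired"},
    "local user, ldap server down": {"pam_localuser.so": "success", "pam_ldap.so": "authinfo_unavail"},
}


def outcomes(stack):
    """Final account-stack status for every scenario."""
    return {name: run_stack(stack, results) for name, results in SCENARIOS.items()}


if __name__ == "__main__":
    for label, stack in (("minimal", MINIMAL_STACK), ("with pam_localuser", LOCALUSER_STACK)):
        print(label)
        for name, status in outcomes(stack).items():
            print("  %-30s %s" % (name, status))
```

The last scenario is the interesting one: with only the lines from the post, a local user is refused while the LDAP server is unreachable, because pam_ldap returns something other than success or user_unknown and default=bad records a failure; a sufficient pam_localuser.so ahead of it ends the stack before pam_ldap is consulted, which is why that line is worth keeping when you edit these files by hand.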

Now we need to configure the nslcd daemon. Use the following as a template.
/etc/nslcd.conf:

uid nslcd
gid ldap

uri ldap://ldap1.example.com
ldap_version 3
base dc=example,dc=com

binddn LOCAL\Administrator
bindpw super$ecret

pagesize 1000
referrals off
idle_timelimit 800
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (objectClass=group)

ssl no
tls_cacertdir /etc/openldap/cacerts
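The filter and map lines above decide which directory objects turn into Unix accounts and under which names. Here is an added example (not from the original post, and not nslcd's own code) that applies the passwd filter and maps from this configuration to a few constructed entries: the user shown earlier, a domain-joined workstation, and a user without RFC 2307 attributes. The filter evaluator covers only the subset of RFC 4515 the configuration needs (and, or, not, equality and presence tests).

```python
"""Apply the nslcd passwd filter and attribute maps from the configuration
above to constructed directory entries, to show which objects become Unix
accounts and how the Active Directory attribute names are renamed on the
way to passwd(5) fields. Added example: the filter evaluator is a small
subset of RFC 4515 (and, or, not, equality, presence) written for this
illustration, not nslcd's own code, and the entries are made up.
"""

PASSWD_FILTER = "(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))"

# passwd field -> directory attribute, as set by the 'map passwd' lines; the
# remaining fields keep nslcd's default attribute of the same name.
PASSWD_MAP = {"uid": "sAMAccountName", "homeDirectory": "unixHomeDirectory", "gecos": "displayName"}


def parse_filter(text):
    """Parse a filter string into a tree: ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            pos += 1  # consume the ')' closing this compound
            return (op, children)
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr.lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    """Evaluate a filter tree; entry maps lowercase attribute names to value lists."""
    if tree[0] == "&":
        return all(matches(child, entry) for child in tree[1])
    if tree[0] == "|":
        return any(matches(child, entry) for child in tree[1])
    if tree[0] == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":  # presence test, e.g. (uidNumber=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)  # case-insensitive, like AD


def to_passwd_line(entry, attrmap=PASSWD_MAP):
    """Render one matching entry as a passwd(5) line."""
    def field(name):
        attr = attrmap.get(name, name).lower()
        return entry.get(attr, [""])[0]
    return ":".join([field("uid"), "x", field("uidNumber"), field("gidNumber"),
                     field("gecos"), field("homeDirectory"), field("loginShell")])


def passwd_entries(entries, flt=PASSWD_FILTER):
    """The passwd lines nslcd would expose for the entries that pass the filter."""
    tree = parse_filter(flt)
    return [to_passwd_line(e) for e in entries if matches(tree, e)]


# Constructed entries: the user from the post, a domain-joined workstation
# (AD computer objects are 'user' objects too, hence !(objectClass=computer))
# and a service user that never received RFC 2307 attributes.
ENTRIES = [
    {"objectclass": ["top", "person", "organizationalPerson", "user"],
     "samaccountname": ["eduardo.ramos"], "displayname": ["Eduardo de Lima Ramos"],
     "uidnumber": ["10000"], "gidnumber": ["10"],
     "unixhomedirectory": ["/home/eduardo.ramos"], "loginshell": ["/bin/bash"]},
    {"objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
     "samaccountname": ["WS01$"], "uidnumber": ["10001"], "gidnumber": ["10"],
     "unixhomedirectory": ["/home/ws01"]},
    {"objectclass": ["top", "person", "organizationalPerson", "user"],
     "samaccountname": ["svc.backup"], "displayname": ["Backup service"]},
]

if __name__ == "__main__":
    for line in passwd_entries(ENTRIES):
        print(line)
```

Only the first entry survives: the workstation is dropped by the negated computer class and the service user by the two presence tests, so neither can ever log in on the Linux side even though both are valid directory users. Once the daemons are running, `getent passwd eduardo.ramos` on the client shows whether nslcd returns the same line. Two hardening points about this file: it holds the bind password in clear text, so it must stay readable by root only (mode 0600), and `ssl no` with an ldap:// URI sends that password and every user's password over plain LDAP; `ssl start_tls` or an ldaps:// URI together with the CA certificate in tls_cacertdir is the usual fix.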

Now, just enable and start the nslcd and nscd daemons:

[root@localhost ~]$ sudo systemctl enable nslcd
[root@localhost ~]$ sudo systemctl enable nscd
[root@localhost ~]$ sudo systemctl start nslcd
[root@localhost ~]$ sudo systemctl start nscd

Now try to log in.
