CentOS 7 login with Samba4 LDAP

Centralized authentication may be a good solution for large environments: sysadmins can better manage users’ logins and permissions. Here I list a few steps to implement authentication of a CentOS 7 server against a Samba4 LDAP service.

My example environment

  • Samba4 server = ldap1.example.com
  • CentOS 7 client = localhost.example.com

My user
*I will assume your Samba4 server is already running.

dn: CN=Eduardo de Lima Ramos,OU=people,DC=example,DC=com
uidNumber: 10000
unixHomeDirectory: /home/eduardo.ramos
gidNumber: 10
loginShell: /bin/bash
...

Installation and configuration

[root@localhost ~]# yum install -y nss-pam-ldapd 

Now, configure PAM. Make sure that the following lines exist in these files.
/etc/pam.d/system-auth:

auth        sufficient    pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_ldap.so

/etc/pam.d/password-auth:

auth        sufficient    pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password    sufficient    pam_ldap.so use_authtok
session     optional      pam_ldap.so
session     required      pam_mkhomedir.so umask=0027

That will make PAM use LDAP users and create the home directory when it does not exist.

Now, we need to configure the nslcd daemon. Use the following as a model.
/etc/nslcd.conf

uid nslcd
gid ldap

uri ldap://ldap1.example.com
ldap_version 3
base dc=example,dc=com

binddn LOCAL\Administrator
bindpw super$ecret

pagesize 1000
referrals off
idle_timelimit 800
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group  (objectClass=group)

ssl no
tls_cacertdir /etc/openldap/cacerts
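To make the filter and map lines above concrete, here is an added example (not from the original post) that evaluates the `filter passwd` expression against a few constructed directory entries and builds the passwd line nslcd would hand to NSS after applying the `map passwd` lines. The sAMAccountName, displayName and objectClass values are assumptions, since the LDIF above elides them.

```python
# Constructed sample entries modelled on the post's LDIF; sAMAccountName, displayName
# and objectClass are assumptions (the post elides them). The second and third
# objects exist only to show what the filter excludes.
ENTRIES = [
    {"objectClass": ["top", "person", "user"], "sAMAccountName": ["eduardo.ramos"],
     "displayName": ["Eduardo de Lima Ramos"], "uidNumber": ["10000"], "gidNumber": ["10"],
     "unixHomeDirectory": ["/home/eduardo.ramos"], "loginShell": ["/bin/bash"]},
    {"objectClass": ["top", "user", "computer"], "sAMAccountName": ["SRV01$"],   # computer account
     "uidNumber": ["10001"], "unixHomeDirectory": ["/home/srv01"]},
    {"objectClass": ["top", "person", "user"], "sAMAccountName": ["no.posix"]},  # no POSIX attributes
]

# The `filter passwd` and `map passwd` lines from the nslcd.conf above.
PASSWD_FILTER = "(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))"
PASSWD_MAP = {"uid": "sAMAccountName", "homeDirectory": "unixHomeDirectory", "gecos": "displayName"}

def _split(body):
    """Split "(a)(b)(c)" into its top-level parenthesised sub-filters."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if ch == ")" and depth == 0:
            parts.append(body[start:i + 1])
            start = i + 1
    return parts

def matches(entry, flt):
    """Evaluate the RFC 4515 subset the post's filters use: &, !, presence, equality."""
    body = flt[1:-1]
    if body[0] == "&":
        return all(matches(entry, f) for f in _split(body[1:]))
    if body[0] == "!":
        return not matches(entry, body[1:])
    attr, value = body.split("=", 1)
    values = [v.lower() for v in entry.get(attr, [])]   # LDAP matching is case-insensitive
    return bool(values) if value == "*" else value.lower() in values

def passwd_line(entry):
    """Build the passwd(5) line nslcd returns after applying the attribute maps."""
    def get(field):
        return entry.get(PASSWD_MAP.get(field, field), [""])[0]
    return ":".join([get("uid"), "x", get("uidNumber"), get("gidNumber"),
                     get("gecos"), get("homeDirectory"), get("loginShell")])

def resolve_passwd(entries=ENTRIES, flt=PASSWD_FILTER):
    return [passwd_line(e) for e in entries if matches(e, flt)]
```

Only the first entry survives: the `(!(objectClass=computer))` term and the two presence tests are what keep machine accounts and users without POSIX attributes out of passwd, so loosening them widens who can log in.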

Now, just enable and start the nslcd and nscd daemons:

[root@localhost ~]# systemctl enable nslcd
[root@localhost ~]# systemctl enable nscd
[root@localhost ~]# systemctl start nslcd
[root@localhost ~]# systemctl start nscd

Try to log in.

Internal/Isolated networks on oVirt

For those who are accustomed to virt-manager administration and operation, creating an isolated network among the VMs seems to be a very easy task. But oVirt has no such direct configuration; in fact, we need a few commands on the terminal. I must tell you this post is valid only when you have just one hypervisor host. With two or more, external connectivity is inevitable.

In order to create an internal network you can use the dummy module. First of all, make sure your server loads the dummy module at startup.
Create /etc/sysconfig/modules/dummy.modules with this content:

modprobe dummy > /dev/null 2>&1
exit 0

Alternatively, you can run modprobe manually to load it at runtime. A dummy0 network interface will appear. Once this is done, create /etc/sysconfig/network-scripts/ifcfg-dummy0 with this content:

DEVICE=dummy0
BOOTPROTO=none
ONBOOT=yes
NM_CONTROLLED=no
PROMISC=yes

Now comes the oVirt configuration. In the webadmin portal, go to the ‘Network’ tab and click New:

[Screenshot: New network]

The definition can be simple. Just give it a name and tick ‘VM network’:

[Screenshot: New network]

With the virtual switch created, we need to link our dummy interface to it. Go to the network configuration of the host:

[Screenshot: Configure network on host]

Drag the internal network and drop it on the dummy0 interface.

[Screenshot: Configure network on host]

Check ‘Save network configuration’ and click OK.

[Screenshot: Configure network on host]

Now, for each virtual machine that should use the internal network, create a virtual NIC and attach it to the internal virtual switch.

[Screenshot: Configure network on guest]

This was tested on an oVirt 3.4 setup in all-in-one mode.