So, if you haven’t seen how to get Debian working with Active Directory then you might want to read that first.

To make use of LDAP/Active Directory you will need to use the exim4-daemon-heavy package, not exim4-daemon-light as it has no LDAP support. I also set Exim to use the “multiple configuration files” option.

Dovecot

Dovecot is largely straight forward. Dovecot will use PAM and we have already got this working off the AD servers. We only want the IMAP server, so we installed the dovecot-imapd package with apt.

We have the following options specifically set in /etc/dovecot/dovecot.conf

ssl = required # requires either SSL or STARTTLS to be used. No unencrypted connections

mail_location = maildir:~/Maildir # if you use maildirs this forces their use

passdb pam {
  args = session=yes dovecot #  this makes dovecot create the home directory 
}

You will need to restart Dovecot to apply these changes.

Exim

Using Dovecot’s deliver

Exim can use Dovecot’s delivery program which will automatically create the indexes that it uses. It is not required, but if you are using mbox (not maildir) there can be a delay as it rebuilds indexes after email delivery. There is less of a benefit when you’re using Maildir though

Create a file called /etc/exim4/conf.d/transport/30_exim4-config_dovecot_delivery with the contents:

dovecot_delivery:
  driver = pipe
  command = /usr/lib/dovecot/deliver
  message_prefix =
  message_suffix =
  log_output
  delivery_date_add
  envelope_to_add
  return_path_add
  #group = mail
  #mode = 0660
  temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78

Then edit /etc/exim4/update-exim4.conf.conf and modify the dc_localdelivery entry:

dc_localdelivery='dovecot_delivery'

You will then need to issue the command

update-exim4.conf

This will update the configuration and Exim should then use this without a restart.

Keeping email aliases in AD

This one took a bit of figuring out and I found only pieces from other people.

Active Directory setup

We are using Windows 2008 and this does not require us to add anything to the AD to support this

Using the Active Directory Users and Groups tool if you edit a user’s information and go to the Attribute Editor tab you can scroll to the otherMailbox entry. Editing this allows you to add and remove email addresses to the list. I use full email addresses, but I imagine it may work fine with simple usernames also

Exim configuration

A couple of configuration files are needed here. Firstly you need a file with all your LDAP configuration for which I create the file /etc/exim4/conf.d/main/04_exim4-config_ldap which contains:

ldap_default_servers = server1.int.inutility.net:server2.int.inutility.net

Obviously you should use the command “chmod 640 /etc/exim4/conf.d/main/04_exim4-config_ldap” so users cannot see the password in this file.

# Configuration for LDAP email aliases
ldap_default_servers = server1.int.inutility.net:server2.int.inutility.net
LDAPUSER = cn=ldapuser,cn=Users,dc=int,dc=inutility,dc=net
LDAPPASS = ARealPassword
LDAPSEARCHBASE = dc=int,dc=inutility,dc=net

Obviously you need to update your own values. Multiple AD servers can be specified separated by :. You will also need to make an LDAP account with limited privileges to be able to enumerate the aliases. It only needs to have limited access, but I’m afraid I won’t be covering the set up of this here.

The second file you need is /etc/exim4/conf.d/router/450_exim4-config_ldap_aliases and should contain:

ldap_aliases:
        debug_print = "R: ldap_aliases LDAP lookup for $local_part@$domain"
        driver = redirect
        domains = +local_domains
        condition = ${lookup ldap {user=LDAPUSER pass=LDAPPASS ldap:///LDAPSEARCHBASE?mail?sub?(otherMailbox=*${quote_ldap:$local_part@$domain}*)}}
        data = ${lookup ldap {user=LDAPUSER pass=LDAPPASS ldap:///LDAPSEARCHBASE

Nothing should need to be changed in this file.  You will then need to update your Exim config with the

update-exim4.conf

And then exim will use this configuration. You can use the command below to check the routing of email addresses and that the lookup is working correctly:

exim4 -bt <email address or alias>

Warning: Acronym overload ahead…

Given that the virtual machines (VM), in Xen parlance these are known as DomU, are not going to change I thought it easier to try and migrate the hosts over one by one.

They are all running Debian, though not all the same version nor the same architecture (i386/amd64). Some are running Lenny rather than Squeeze and I don’t want to force myself to upgrade just yet.

The plan of action. This is a plan, not exact details. I’ll probably add them in blow

• Create a logical volume (LV) on the host with LVM to contain all of the VM disk space.
• Create a “test” VM. This is required as I’m going to create an LVM volume group (VG) within the LV I just created, and I seem unable to do this on the host. I could be wrong about that
• Add the VM LV as a secondary disk to the “test” VM & start the “test” VM
• On the VM disk create two partitions. One 500Mb (for /boot) and one containing the rest for LVM.
• Create LV paritions for / /var /usr & /home as neccessary. Mount in the usual file structure
• Stop services on the source machine (except SSH obviously) and rsync files over SSH
• Modify files as neccessary (such as /etc/fstab) to accomodate changes
• Chroot to the mount point and install LVM2 if not installed.
• Shut down “test” VM
• Create VM for the copied machine and include the KVM host’s kernel & initrd. This will allow it to boot as Xen PVMs do not have a kernel or Grub
• Start the KVM, all should boot okay if you updated. This will fail if LVM2 package is not installed
• Install a kernel and Grub. Shut down the VM
• Remove the KVM hosts kernel & initrd and start the VM It should boot Grub in the VM and all should be well

I expect to add a more detailed description on this later.

It seems quite good so far, but not without some minor issues.

Boot order

I experienced a problem between the cgroups and libvirt-bin. By default it seems that cgroups (/etc/init.d/cgred) starts before libvirt-bin and this stopped my virtual machines from starting up. It gave the following errors trying to start the “test1″ virtual machine (VM).

warning : qemudParsePCIDeviceStrs:1422 : Unexpected exit status '1', qemu probably failed
error : qemuSetupCgroup:3416 : Unable to create cgroup for test1: No such file or directory
error : qemuRemoveCgroup:3501 : internal error Unable to find cgroup for test1#012
warning : qemudShutdownVMDaemon:4067 : Failed to remove cgroup for test1

Not being too knowledgeable with the new dependency based boot system it took me a while to work out how to get it to change the order but eventually I edited /etc/init.d/libvirt.bin and changed the line

# Required-Start:    $network $remote_fs $syslog

to

# Required-Start:    $network $remote_fs $syslog cgred

Then you need to apply this change with the following command:

insserv libvirt-bin

This makes the dependency make sure it starts after cgred. Whether this is the “official” way I don’t know, but this now works correctly for me.

Starting VM at boot

By default new virtual machines do not start with the computer but this can be enabled:

virsh autostart <vmname>

as well as disabled

virsh autostart <vmname> --disable

Shutting down VMs on reboot/shutdown

As I only have on server I will be wanting to (at least try to) shut down virtual machines when I shutdown or reboot rather than killing them which seems to happen by default. An entry on Vivek’s blog has a script which can do this. It has been noted in the comments that this does not get called with the new Debian dependency boot scripts.

I have, for now hacked my libvirt-bin init.d script, amendnig the “stop” section to call this script just before the libvirt daemon is shutdown.

Not the most elegant, but works for now. I’ll have to try and tidy that up.

This originally started as a note to myself should I ever need to revisit this, but I have expanded it a bit to make it a bit more general in case others might find it useful.

I use Debian Squeeze on our Linux servers. I have been trying to get them to authenticate off of our Active Directory/Windows Server 2008. Previously we used OpenLDAP and this worked well, but with AD I’d rather have one authentication system. One password rather than two.

My experience with Winbind has not been favourable. Despite documentation and plenty of blogs with well written examples of how to do it I could not get it to work for me. Most of what is written is from there.

In this blog I will use the following settings on my network which I will use in my examples. You will wish to change them to reflect your own settings:

server1.int.inutility.net – 192.168.188.10 – Windows Active Directory & WINS server
server2.int.inutility.net -  192.168.188.11 – Windows Active Directory server
linux.int.inutility.net – 192.168.188.20 – Debian Linux box to authenticate against AD
INUTILITY – Windows Domain
INT.INUTILITY.NET – Kerberos/AD Realm

Preparation

Active Directory

You can edit this using the “Active Directory Users & Computers” program on your Windows server, finding a user (or group) and going to the “UNIX Attributes” tab. If you do not have this tab then you are missing the “Identify Management for UNIX” role, and you probably want to investigate that before following this.

DNS

If you are just using Windows DNS and Windows DHCP then you are probably already set for this and can probably skip this section.

You need to make sure your domain name is correct.  If you use a mixture of Windows & Linux services (for DHCP & DNS) then you need to make sure your /etc/resolv.conf has the correct “domain” setting to match the DNS of your Windows servers. If not it is possible you may experience a problem later. This may be set manually or automatically from your DHCP server

Secondly you need to make sure your Windows DNS servers are configured. My /etc/resolv.conf is

domain int.inutility.net
search int.inutility.net
nameserver 192.168.188.10
nameserver 192.168.188.11

NTP

It’s good practice to have time syncronised up. My Windows servers both provide NTP service.

apt-get install ntp

Edit the /etc/ntp.conf file, commenting out the existing debian servers and adding in your servers

Line 21

#server 0.debian.pool.ntp.org iburst
#server 1.debian.pool.ntp.org iburst
#server 2.debian.pool.ntp.org iburst
#server 3.debian.pool.ntp.org iburst

server server1.int.inutility.net iburst
server server2.int.inutility.net iburst

You will then need to restart the NTP daemon:

/etc/init.d/ntpd restart

This may take some time to syncronise your Debian server’s clock with that of the Windows Servers’. Check your syslog. ntpd -q will report information on your time servers and syncronisation.

Installation

LDAP Authentication

This allows you to authenticate your users against the Active Directory using LDAP. It allows you to SSH into your server as your AD users and is required to access your server using Samba.

apt-get install libnss-ldapd libpam-ldapd nslcd unscd

This is not to be confused to libpam-ldap and libnss-ldap (no d at the end) which are older methods of LDAP authentication that I have not satisfactorily got working with Active Directory.

It will ask you a few questions while the packages install. For LDAP server URI I entered both my AD servers:

ldap://server1.int.inutility.net/ ldap://server2.int.inutility.net/

You can leave it at one server, or add as many as you want separated by spaces.

You will be asked for your LDAP server search base. It will guess this based on your DNS domain, but sometimes it gets the ending wrong (espcially with country codes). I entered:

dc=int,dc=inutility,dc=net

You will then need to select the Name Services to use with LDAP. Select “group“, “passwd” and “shadow“. It will then finish installation, but there is still a bit to be configured.

It will automatically edit your PAM files (in /etc/pam.d) and your /etc/nsswitch.conf with correct entries so you do not have to unless your set up is a bit unusual. For historical reasons our UIDs start at 500 so I edited the /etc/pam.d/common-* files so the “minimum_uid” entry was 500, not the default 1000.

I use TLS encryption to my servers, using a certificate we have purchased. It requires intermediate certificates which it terms a bundle. You may not require the “tls_cacertfile” entry, but you may require the “ca-certificates” Debian package installed. The “bundle” can be an intermediate chain of Certificate Authorities. Your SSL certificate provider will provide this. Using the “tls_reqcert demand” entry makes sure that if the certificate is not verified the connection will not proceed. Add the following lines to your /etc/nslcd.conf:

# SSL options
ssl starttls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/bundle.crt

You also require some entries in this file so it knows where to pull all the user information from. Again this is in /etc/nslcd.conf

# Mappings for Active Directory
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group (&(objectClass=group)(gidNumber=*))
map    group  uniqueMember     member

After restarting nslcd you should then be able to check users & groups are listed using the getent tool:

/etc/init.d/nslcd restart
Restarting LDAP connection daemon: nslcd.
getent passwd al
al:*:1000:100:Al:/home/al:/bin/bash

You should now be able to SSH into your machine as your Active Directory users, though they may not have home directories (see also the section “Automatic creation of user’s home directory” towards the bottom of the page).

Kerberos

Install the Kerberos packages:

apt-get install krb5-config krb5-user

Then edit /etc/krb5.conf to include entries for your realm:

[libdefaults]
 default_realm = INT.INUTILITY.NET

and

[realms]
        INT.INUTILITY.NET= {
                kdc = 192.168.188.10:88
                admin_server = 192.168.188.10
                default_domain = int.inutility.net
        }
        ATHENA.MIT.EDU = {

and

[domain_realm]
        .int.inutility.net = INT.INUTILITY.NET
        int.inutility.net = INT.INUTILITY.NET
        .mit.edu = ATHENA.MIT.EDU

Samba

Firstly you’ll need to install the samba packages:

apt-get install samba samba-common samba-common-bin

I was asked only for my “Workgroup/Domain Name” which I entered in as “INUTILITY” during installation.

Then you need to make some edits to your /etc/samba/smb.conf.

Add the Kerberos realm:

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = INUTILITY
   realm = INT.INUTILITY.NET

Add in WINS server:

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
   wins server = 192.168.188.10

To use Active Directory security:

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
   security = ads

To configure SAMBA not to be the master browser for the domain.

# Domain Master specifies Samba to be the Domain Master Browser. If this
# machine will be configured as a BDC (a secondary logon server), you
# must set this to 'no'; otherwise, the default behavior is recommended.
   domain master = no
   local master = no
   preferred master = no

Restart the samba services to load these settings.

/etc/init.d/samba restart

Joining the domain

You can not joing the domain with the following command (or another administrator account can be used)

net ads join -U Administrator

This suceeds, but reports:

kerberos_kinit_password LINUX$@INT.INUTILITY.NET failed: Client not found in Kerberos database

This is something I’ve not been able to trace down yet, but everything works as expected. I have been advised that this may in fact be down to our incorrect reverse DNS.

You should now be able to access the machine using \\LINUX as per a normal Windows server.

Other useful things

Automatic creation of user’s home directory

If you edit /etc/pam.d/common-session you can add an entry to automatically create a user’s home directory upon login:

session     required      pam_mkhomedir.so skel=/etc/skel umask=0022 silent

This saves you having to manually copy the /etc/skel files for any users who have not logged into the system before.

Leaving the AD Domain

This can be done using the command below and removes your computer’s entry from the Active Directory:

net ads leave -U Administrator

Update 30/10/2012: LDAP timeouts

Occasionally we get the following messages in our syslog:

ldap_search_ext() failed: Can't contact LDAP server
connected to LDAP server ldap://server1.int.inutility.net/

These seem to be due to the AD server(s) timing out the connection without nslcd noticing this, which while not fatal is annoying and can slow down resolving a username & their groups. AD seems to timeout the connections after 2 minutes.

If you put:

idle_timelimit 60

Into your /etc/nslcd.conf file this will disconnect after a minute and reconnect as needed which is a much faster process than the connection failure it was doing.