Difference between revisions of "Centralized login using LDAP and Samba"
Revision as of 14:05, 7 May 2010
To create a centralized authentication system against which both Windows and Linux/Unix clients can authenticate, follow this tutorial.
Install Samba
apt-get install samba
- Workgroup/Domain Name: <EXAMPLE.COM>
- Modify smb.conf to use WINS settings from DHCP? <No>
LDAP Server
apt-get install slapd samba-doc
- Administrator password: <password>
- Confirm password: <password>
Configure LDAP Server
Remove the database that was created during installation:
rm -rf /var/lib/ldap/*
Run
dpkg-reconfigure slapd
- Omit OpenLDAP server configuration? <No>
- DNS domain name: <example.com>
- Organization name: <Example Organization>
- Administrator password: <password>
- Confirm password: <password>
- Database backend to use: <HDB>
- Do you want the database to be removed when slapd is purged? <No>
- Move old database? <Yes>
- Allow LDAPv2 protocol? <No>
Copy the example samba.schema file
zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
Edit /etc/ldap/slapd.conf to add the samba schema
include /etc/ldap/schema/samba.schema
Add the indexing options to /etc/ldap/slapd.conf
index uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
Change access rules in /etc/ldap/slapd.conf
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none
Restart the OpenLDAP server
/etc/init.d/slapd restart
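Before restarting, it is worth checking that the three changes made to slapd.conf in this section actually took: the schema include, the index lines, and an access rule whose catch-all clause is "by * none" (OpenLDAP uses the first matching "by" clause, so a trailing "by * read" would expose the NT/LM hashes to every bound or anonymous client). The script below is an added example, not part of the wiki page or of OpenLDAP or Samba; check_slapd_conf, write_samples and the sample files it writes under $TMPDIR are constructed for illustration. On a real server you would point check_slapd_conf at /etc/ldap/slapd.conf.

```shell
#!/bin/sh
# Added example (not from the wiki page): lint an slapd.conf for the settings
# this section adds. Sample files are constructed below; on a real server point
# check_slapd_conf at /etc/ldap/slapd.conf.

SAMPLE_DIR="${TMPDIR:-/tmp}/slapd-lint-example"

# Returns 0 when all checks pass; prints one line per problem found.
check_slapd_conf() {
    conf="$1"; rc=0

    # 1. Without the Samba schema, slapd rejects sambaSID and friends.
    grep -q '^include[[:space:]]*/etc/ldap/schema/samba.schema' "$conf" || {
        echo "MISSING: include /etc/ldap/schema/samba.schema"; rc=1; }

    # 2. Every attribute Samba/smbldap-tools search on needs an "eq" index,
    #    whether it is listed alone or inside a comma-separated group.
    for attr in uid uidNumber gidNumber memberUid sambaSID sambaPrimaryGroupSID sambaDomainName; do
        grep -Eq "^index[[:space:]]+([^[:space:]]*,)?${attr}(,[^[:space:]]*)?[[:space:]]+[^[:space:]]*eq" "$conf" || {
            echo "MISSING: eq index for $attr"; rc=1; }
    done

    # 3. Collect the access directive covering the NT hash plus its indented
    #    "by ..." continuation lines; the first matching "by" clause wins in
    #    OpenLDAP, so the catch-all must be the last one and must be "none".
    acl=$(awk '
        /^access to attrs=.*sambaNTPassword/ { inacl = 1; print; next }
        inacl && /^[[:space:]]+by /          { print; next }
        inacl                                { exit }
    ' "$conf")
    if [ -z "$acl" ]; then
        echo "MISSING: access rule covering sambaNTPassword"; rc=1
    else
        last=$(printf '%s\n' "$acl" | tr '\n' ' ' | sed -e 's/.* by //' -e 's/[[:space:]]*$//')
        [ "$last" = "* none" ] || {
            echo "WEAK: password ACL ends with 'by $last', expected 'by * none'"; rc=1; }
    fi
    return $rc
}

write_samples() {
    mkdir -p "$SAMPLE_DIR"
    # Constructed sample matching the configuration in this section.
    cat >"$SAMPLE_DIR/good.conf" <<'EOF'
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/samba.schema
index uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none
access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * read
EOF
    # Constructed weak variant: hashes readable by everyone, one index dropped.
    sed -e '/sambaDomainName/d' -e 's/by \* none/by * read/' \
        "$SAMPLE_DIR/good.conf" >"$SAMPLE_DIR/weak.conf"
}

write_samples
for name in good weak; do
    if check_slapd_conf "$SAMPLE_DIR/$name.conf"; then
        echo "$name.conf: OK"
    else
        echo "$name.conf: fix before restarting slapd"
    fi
done
```

The index check accepts an attribute either on its own line or inside a comma-separated group, which is why the regex allows text on both sides of the name; the ACL check joins the directive and its continuation lines into one string and looks only at the final "by" clause.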
Configure Samba
Create the profile and netlogon directories for domain purpose:
mkdir /var/lib/samba/profiles
chmod 777 /var/lib/samba/profiles
mkdir /var/lib/samba/netlogon
Store LDAP password for Samba use (Make sure the password you enter is the same as the one you entered during LDAP setup):
smbpasswd -W
- New SMB password: <password>
- Retype new SMB password: <password>
Restart Samba:
/etc/init.d/samba restart
smbldap-tools
Install smbldap-tools
apt-get install smbldap-tools
Copy the example configfiles
cat /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf > /etc/smbldap-tools/smbldap_bind.conf
zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf
Change these lines in /etc/smbldap-tools/smbldap.conf to match your configuration:
- sambaDomain
- suffix
- userSmbHome
- userProfile
- mailDomain
Change the following in /etc/smbldap-tools/smbldap.conf:
- #SID=
- defaultUserGid="5000"
- defaultComputerGid="2000"
Change the lines in /etc/smbldap-tools/smbldap_bind.conf to match your configuration:
slaveDN="cn=admin,dc=example,dc=com"
slavePw="the password you entered during ldap configuration"
masterDN="cn=admin,dc=example,dc=com"
masterPw="the password you entered during ldap configuration"
Set the correct permissions:
chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf
Now it's time to populate the directory with default Samba information:
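smbldap_bind.conf carries the LDAP admin password in clear text, so the 0600 mode above is what keeps every local user from reading it. The script below is an added example, not part of the wiki page or of smbldap-tools; check_bind_conf, perm_of, write_samples and the sample files written under $TMPDIR are constructed for illustration. It verifies that a bind file has no group/other permission bits and that both masterPw and slavePw are actually set, using GNU stat with a BSD stat fallback.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify that the smbldap-tools
# credential file is owner-only and actually carries the bind passwords.
# Sample files are constructed in a temp dir; the real file is
# /etc/smbldap-tools/smbldap_bind.conf.

SAMPLE_DIR="${TMPDIR:-/tmp}/smbldap-perm-example"

# Print the permission bits of a file as three octal digits
# (GNU stat first, BSD stat as fallback).
perm_of() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1") || return 1
    printf '%s\n' "$mode" | sed 's/^.*\(...\)$/\1/'
}

# Returns 0 when the file has no group/other bits and both bind passwords
# are non-empty; prints one line per finding.
check_bind_conf() {
    f="$1"; rc=0
    mode=$(perm_of "$f") || { echo "ERROR: cannot stat $f"; return 2; }
    case "$mode" in
        ?00) ;;   # owner-only access, e.g. 600
        *) echo "INSECURE: $f is mode $mode, expected 0600 (it holds the LDAP admin password)"; rc=1 ;;
    esac
    for key in masterPw slavePw; do
        val=$(sed -n "s/^${key}=\"\(.*\)\"[[:space:]]*$/\1/p" "$f")
        [ -n "$val" ] || { echo "MISSING: $key is empty or not set in $f"; rc=1; }
    done
    return $rc
}

write_samples() {
    mkdir -p "$SAMPLE_DIR"
    # Constructed: a correctly secured bind file (password value is made up).
    cat >"$SAMPLE_DIR/good_bind.conf" <<'EOF'
slaveDN="cn=admin,dc=example,dc=com"
slavePw="ExamplePassword1"
masterDN="cn=admin,dc=example,dc=com"
masterPw="ExamplePassword1"
EOF
    chmod 0600 "$SAMPLE_DIR/good_bind.conf"
    # Constructed: world-readable copy with the master password left blank.
    sed 's/^masterPw=.*/masterPw=""/' "$SAMPLE_DIR/good_bind.conf" >"$SAMPLE_DIR/bad_bind.conf"
    chmod 0644 "$SAMPLE_DIR/bad_bind.conf"
}

write_samples
for name in good_bind bad_bind; do
    if check_bind_conf "$SAMPLE_DIR/$name.conf"; then
        echo "$name.conf: OK"
    else
        echo "$name.conf: fix before running smbldap-populate"
    fi
done
```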
smbldap-populate
- Enter the password for the domain root user (yes, on Windows it's also called root now)
Start the engine
Index the OpenLDAP server
/etc/init.d/slapd stop
slapindex
chown -R openldap:openldap /var/lib/ldap
/etc/init.d/slapd start
Add a user
smbldap-useradd -a -m -M martijn.zeedijk martijn.zeedijk
smbldap-passwd martijn.zeedijk
- New password: <password>
- Retype new password: <password>
LDAP client
apt-get install libnss-ldap
- LDAP server Uniform Resource Identifier: <ldap://ipaddress>
- Distinguished name of the search base: <dc=example,dc=com>
- LDAP version to use: <3>
- LDAP account for root: <cn=admin,dc=example,dc=com>
- Make local root Database admin? <Yes>
- Does the LDAP database require login? <No>
- LDAP account for root: <cn=admin,dc=example,dc=com>
Change these lines in /etc/nsswitch.conf
passwd: compat ldap
group: compat ldap
shadow: compat ldap
Replace /etc/pam.d/common-account with:
account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so
Replace /etc/pam.d/common-auth with:
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
Replace /etc/pam.d/common-password with:
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_first_pass
password required pam_deny.so
Replace /etc/pam.d/common-session with:
session required pam_limits.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_unix.so
session optional pam_ldap.so
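Two properties of these PAM stacks are worth verifying on every client: each stack ends with "required pam_deny.so", so that a misconfigured or unreachable LDAP server fails closed rather than open, and the "nullok" option on the pam_unix.so auth line, which lets local accounts with an empty password log in, is a deliberate choice rather than an oversight. The script below is an added example, not part of the wiki page or of PAM; audit_pam_stack, write_samples and the sample files written under $TMPDIR are constructed for illustration. Run against the common-auth shown above it reports exactly one finding (the nullok), against common-account none, and against a constructed stack with the pam_deny.so line missing one finding.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit PAM "common-*" stacks for a
# fail-closed terminator and for "nullok" on auth lines. Sample files are
# constructed below; the real ones live in /etc/pam.d/.

SAMPLE_DIR="${TMPDIR:-/tmp}/pam-audit-example"

# Prints the number of findings on stdout (messages go to stderr) and
# returns 0 when there are none, 1 otherwise.
audit_pam_stack() {
    f="$1"; findings=0
    # Drop comments and blank lines so only "type control module [args]" rows remain.
    rows=$(grep -Ev '^[[:space:]]*(#|$)' "$f")
    last=$(printf '%s\n' "$rows" | tail -n 1)
    case "$last" in
        *required*pam_deny.so*) ;;
        *) echo "OPEN: $f does not end with 'required pam_deny.so'" >&2
           findings=$((findings + 1)) ;;
    esac
    # nullok on an auth line accepts accounts whose password field is empty.
    if printf '%s\n' "$rows" | grep -Eq '^[[:space:]]*auth[[:space:]].*nullok'; then
        echo "WEAK: $f permits empty passwords (nullok on an auth line)" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
    [ "$findings" -eq 0 ]
}

write_samples() {
    mkdir -p "$SAMPLE_DIR"
    # Constructed copy of the common-auth stack from this section.
    cat >"$SAMPLE_DIR/common-auth" <<'EOF'
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
EOF
    # Constructed copy of the common-account stack from this section.
    cat >"$SAMPLE_DIR/common-account" <<'EOF'
account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so
EOF
    # Constructed broken variant: no pam_deny.so terminator, so the stack fails open.
    cat >"$SAMPLE_DIR/common-auth-open" <<'EOF'
auth required pam_env.so
auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass
EOF
}

write_samples
for name in common-auth common-account common-auth-open; do
    n=$(audit_pam_stack "$SAMPLE_DIR/$name")
    echo "$name: $n finding(s)"
done
```

The "sufficient" lines short-circuit the stack on success; only the final "required pam_deny.so" guarantees a denial when neither pam_unix.so nor pam_ldap.so succeeds, which is why the audit looks specifically at the last non-comment row.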