Centralized login using LDAP and Samba
Revision as of 14:09, 7 May 2010
This tutorial builds a centralized authentication system that both Windows and Linux/Unix clients can authenticate against: OpenLDAP holds the accounts, Samba acts as the domain controller for the Windows clients, and the Linux clients resolve and authenticate the same accounts through NSS and PAM.
Install Samba
apt-get install samba
- Workgroup/Domain Name: <EXAMPLE.COM>
- Modify smb.conf to use WINS settings from DHCP? <No>
LDAP Server
apt-get install slapd samba-doc
- Administrator password: <password>
- Confirm password: <password>
Configure LDAP Server
Remove the database that was created during installation:
rm -rf /var/lib/ldap/*
Run
dpkg-reconfigure slapd
- Omit OpenLDAP server configuration? <No>
- DNS domain name: <example.com>
- Organization name: <Example Organization>
- Administrator password: <password>
- Confirm password: <password>
- Database backend to use: <HDB>
- Do you want the database to be removed when slapd is purged? <No>
- Move old database? <Yes>
- Allow LDAPv2 protocol? <No>
Copy the example samba.schema file
zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
Edit /etc/ldap/slapd.conf to add the samba schema
include /etc/ldap/schema/samba.schema
Add the indexing options to /etc/ldap/slapd.conf (these are the attributes nss_ldap and Samba search on; without an index each such lookup is a full scan of the database):
index uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
Change the access rules in /etc/ldap/slapd.conf. slapd applies the first matching rule, so this one has to stand before the general "access to *" rule; placed after it, it is never reached and the password attributes fall under the broader rule. sambaLMPassword is listed alongside sambaNTPassword because the LM hash is trivially crackable and needs the same protection:
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none
Restart the OpenLDAP server:
/etc/init.d/slapd restart
Configure Samba
Create the profile and netlogon directories for the domain:
mkdir /var/lib/samba/profiles
chmod 777 /var/lib/samba/profiles
mkdir /var/lib/samba/netlogon
The profiles directory has to be writable by every domain user so that each user's profile directory can be created on first logon; chmod 1777 instead of 777 adds the sticky bit, so users cannot rename or remove each other's profile directories.
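The page creates the share directories but does not show the smb.conf that ties Samba to the directory. The following is an added example, not the wiki page's own configuration: a minimal Samba 3 domain controller configuration with the ldapsam passdb backend, written by a small shell function so it can be generated with the domain name and suffix as parameters. It assumes OpenLDAP runs on the same host (127.0.0.1), that the suffix is dc=example,dc=com, that the admin dn is cn=admin,dc=example,dc=com, that smbldap-populate created the ou=Users, ou=Groups, ou=Computers and ou=Idmap containers, and that the server's NetBIOS name is PDC; all of these are assumptions taken from the defaults used elsewhere on this page.

```shell
#!/bin/sh
# Added example (not the wiki page's own smb.conf): write a minimal Samba 3
# PDC configuration that keeps its accounts in the OpenLDAP server set up
# on this page. Assumptions: slapd on 127.0.0.1, suffix dc=example,dc=com,
# admin dn cn=admin,<suffix>, the smbldap-populate containers, NetBIOS
# name PDC.
#
# Usage: write_smb_conf [output-file] [workgroup] [suffix]
#        write_smb_conf /etc/samba/smb.conf EXAMPLE.COM dc=example,dc=com && testparm -s
write_smb_conf() {
    out="${1:-/etc/samba/smb.conf}"
    workgroup="${2:-EXAMPLE.COM}"      # must equal sambaDomain in smbldap.conf
    suffix="${3:-dc=example,dc=com}"   # must equal suffix in smbldap.conf
    cat > "$out" <<EOF
[global]
    workgroup = $workgroup
    netbios name = PDC
    security = user
    domain logons = yes
    domain master = yes
    local master = yes
    preferred master = yes
    os level = 65

    # Accounts live in LDAP. 'smbpasswd -W' stores the password for
    # 'ldap admin dn' in secrets.tdb; it never appears in this file.
    passdb backend = ldapsam:ldap://127.0.0.1
    ldap admin dn = cn=admin,$suffix
    ldap suffix = $suffix
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    ldap passwd sync = yes
    # Plain LDAP is tolerable only because the directory is on the loopback
    # interface. With a remote directory use 'ldap ssl = start tls' so the
    # admin bind and the password hashes do not cross the wire in clear.
    ldap ssl = off

    # Let Samba create users, machines and groups through smbldap-tools
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    delete user script = /usr/sbin/smbldap-userdel "%u"

    # Roaming profiles and home drive, served from the shares below
    logon path = \\\\%L\profiles\%U
    logon home = \\\\%L\%U
    logon drive = H:
    logon script = logon.bat

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes
    browseable = no

[profiles]
    path = /var/lib/samba/profiles
    read only = no
    browseable = no
    create mask = 0600
    directory mask = 0700
EOF
}
```

Run testparm after writing the file; it rejects unknown parameters and prints the effective configuration. The create/directory masks on the profiles share keep one user's profile files unreadable by the others even though the share root is world-writable.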
smbldap-tools
Install smbldap-tools
apt-get install smbldap-tools
Copy the example config files:
cat /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf > /etc/smbldap-tools/smbldap_bind.conf
zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf
Change these lines in /etc/smbldap-tools/smbldap.conf to match your configuration:
- sambaDomain
- suffix
- userSmbHome
- userProfile
- mailDomain
Also change the following in /etc/smbldap-tools/smbldap.conf:
- SID= (uncomment it and set it to the domain SID as printed by net getlocalsid; accounts created under a different SID are not recognized by Samba)
- defaultUserGid="5000"
- defaultComputerGid="2000"
Change the lines in /etc/smbldap-tools/smbldap_bind.conf to match your configuration:
slaveDN="cn=admin,dc=example,dc=com"
slavePw="the password you entered during ldap configuration"
masterDN="cn=admin,dc=example,dc=com"
masterPw="the password you entered during ldap configuration"
Set the correct permissions (smbldap_bind.conf contains the LDAP admin password in clear text, so it must not be world-readable):
chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf
Now populate the directory with the default Samba entries (the domain entry, the built-in domain groups and the ou containers):
smbldap-populate
- Enter the password for the domain root user (yes, on Windows the domain administrator is also called root now)
Store the LDAP admin password for Samba's use (it is kept in secrets.tdb and used to bind as the ldap admin dn; make sure the password you enter is the same as the one you entered during the LDAP setup):
smbpasswd -W
- New SMB password: <password>
- Retype new SMB password: <password>
Start the engine
Index the OpenLDAP server (slapindex must run while slapd is stopped, and it leaves files owned by root that slapd cannot read, hence the chown):
/etc/init.d/slapd stop
slapindex
chown -R openldap:openldap /var/lib/ldap
/etc/init.d/slapd start
Add a user (-a adds the Samba attributes, -m creates the home directory, -M sets the local mail address) and set the password:
smbldap-useradd -a -m -M martijn.zeedijk martijn.zeedijk
smbldap-passwd martijn.zeedijk
- New password: <password>
- Retype new password: <password>
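With a user in the directory, this is the moment to confirm that the access rule from "Configure LDAP Server" actually hides the password attributes from anonymous binds. The following added example is not part of the original page: ldif_leaks_hashes reads LDIF on standard input and succeeds if any of the four protected attributes is present, and check_live wraps it around an anonymous ldapsearch. The sample LDIF in the block is constructed (the hash value is a placeholder, not a real hash); the base DN, user name and ldapsearch invocation are assumptions following the values used on this page.

```shell
#!/bin/sh
# Added example (not from the original wiki page): check that the slapd
# ACL really withholds password attributes from anonymous binds.

# Attribute names as listed in the 'access to attrs=...' rule on the page.
PROTECTED_ATTRS='userPassword|shadowLastChange|sambaNTPassword|sambaLMPassword'

# Exit 0 if LDIF on stdin contains any protected attribute, 1 otherwise.
# LDIF folds long values onto continuation lines that begin with a space,
# and those can never start an attribute, so anchoring at line start is
# safe. '::' marks a base64 value (userPassword is usually emitted so);
# attribute names are case-insensitive in LDAP, hence -i.
ldif_leaks_hashes() {
    grep -Eiq "^(${PROTECTED_ATTRS})::? "
}

# Constructed sample: what an anonymous search should return once the ACL
# is in place. The entry is visible, the hashes are not.
SAMPLE_OK='dn: uid=martijn.zeedijk,ou=Users,dc=example,dc=com
uid: martijn.zeedijk
sambaSID: S-1-5-21-1-2-3-1000
description: profile stored under
 \\PDC\profiles\martijn.zeedijk
'

# Constructed sample of a misconfigured server (rule missing, or placed
# after a broader "access to *" rule): the hashes are exposed. The hash
# values are placeholders, not real hashes.
SAMPLE_LEAK='dn: uid=martijn.zeedijk,ou=Users,dc=example,dc=com
uid: martijn.zeedijk
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
userPassword:: e1NTSEF9UExBQ0VIT0xERVI=
'

# Live check (needs ldap-utils and a running slapd): an anonymous search
# for the protected attributes must return none of them.
# Usage: check_live dc=example,dc=com martijn.zeedijk
check_live() {
    base="$1"; user="$2"
    if ldapsearch -x -LLL -b "$base" "(uid=$user)" \
            userPassword shadowLastChange sambaNTPassword sambaLMPassword \
            | ldif_leaks_hashes; then
        echo "FAIL: password attributes of $user are readable anonymously" >&2
        return 1
    fi
    echo "OK: no password attributes returned to an anonymous bind"
}
```

The complementary check is a search bound as the user (ldapsearch -x -D "uid=martijn.zeedijk,ou=Users,dc=example,dc=com" -W ...), which should show the attributes, since "by self write" implies read; if it does not, the ACL is stricter than the page intends and smbldap-passwd will not work for the user.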
LDAP client
apt-get install libnss-ldap
- LDAP server Uniform Resource Identifier: <ldap://ipaddress>
- Distinguished name of the search base: <dc=example,dc=com>
- LDAP version to use: <3>
- LDAP account for root: <cn=admin,dc=example,dc=com>
- Make local root Database admin. <Yes>
- Does the LDAP database require login? <No>
Change these lines in /etc/nsswitch.conf:
passwd: compat ldap
group: compat ldap
shadow: compat ldap
Replace /etc/pam.d/common-account with:
account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so
Replace /etc/pam.d/common-auth with:
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
Replace /etc/pam.d/common-password with:
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_first_pass
password required pam_deny.so
Replace /etc/pam.d/common-session with:
session required pam_limits.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_unix.so
session optional pam_ldap.so
Each stack ends in pam_deny.so so that a user known to neither pam_unix nor pam_ldap is refused instead of falling through; use_first_pass makes pam_ldap reuse the password already typed for pam_unix, so users are not prompted twice. nullok lets local accounts that have an empty password log in; remove it unless you need that behaviour. pam_mkhomedir creates the home directory on the client at first login with mode 0700 (umask=0077).
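Two things go wrong most often when these stacks are typed in by hand: the final pam_deny.so line is left off (the stack then fails open for unknown users, because nothing after the "sufficient" lines refuses them) and nullok is carried over from the default files. The following added example is not part of the original page: a small shell audit that reads the Debian common-* files and reports both conditions. The directory argument and file names are assumptions matching the paths used on this page.

```shell
#!/bin/sh
# Added example (not from the original wiki page): audit the PAM stacks
# configured above for two failure modes, a stack that does not end in
# 'required pam_deny.so' (fails open) and 'nullok' (empty passwords).

# Print the rules of a PAM config file without comments and blank lines.
pam_rules() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Exit 0 if the last rule of the file is 'required pam_deny.so'
# for the auth, account or password type.
pam_stack_fails_closed() {
    pam_rules "$1" | tail -n 1 \
        | grep -Eq '^[[:space:]]*(auth|account|password)[[:space:]]+required[[:space:]]+pam_deny\.so'
}

# Exit 0 if any rule in the file carries nullok (empty passwords accepted).
pam_allows_empty_password() {
    pam_rules "$1" | grep -q 'nullok'
}

# Check the three Debian common-* files that gate logins; exit non-zero
# and print each finding on stderr if anything is wrong.
# Usage: audit_pam_dir [/etc/pam.d]
audit_pam_dir() {
    dir="${1:-/etc/pam.d}"; rc=0
    for f in common-auth common-account common-password; do
        if ! pam_stack_fails_closed "$dir/$f"; then
            echo "$dir/$f: does not end with 'required pam_deny.so'" >&2; rc=1
        fi
        if pam_allows_empty_password "$dir/$f"; then
            echo "$dir/$f: 'nullok' present, accounts with an empty password can log in" >&2; rc=1
        fi
    done
    return $rc
}
```

Run audit_pam_dir from a second root shell before closing the one you edited the files in, so that a mistake that locks everyone out can still be corrected.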