Difference between revisions of "Centralized login using LDAP and Samba"

From Maze's wiki
Revision as of 14:35, 7 May 2010

To create a centralized authentication system that both Windows and Linux/Unix clients can authenticate against, follow this tutorial.

LDAP Server

apt-get install slapd samba samba-doc smbldap-tools
  • Administrator password: <password>
  • Confirm password: <password>
  • Workgroup/Domain Name: <EXAMPLE.COM>
  • Modify smb.conf to use WINS settings from DHCP? <No>

Remove the database that was created during installation:

rm -rf /var/lib/ldap/*

Run

dpkg-reconfigure slapd
  • Omit OpenLDAP server configuration? <No>
  • DNS domain name: <example.com>
  • Organization name: <Example Organization>
  • Administrator password: <password>
  • Confirm password: <password>
  • Database backend to use: <HDB>
  • Do you want the database to be removed when slapd is purged? <No>
  • Move old database? <Yes>
  • Allow LDAPv2 protocol? <No>

Copy the example samba.schema file

zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema

Edit /etc/ldap/slapd.conf to add 2 schemas

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/misc.schema

Replace the indexing options in /etc/ldap/slapd.conf

# Indexing options for database #1
index ou,cn,sn,mail,givenname           eq,pres,sub
index uidNumber,gidNumber,memberUid     eq,pres
index loginShell                        eq,pres
index uniqueMember                      eq,pres
index uid                               pres,sub,eq
index displayName                       pres,sub,eq
index sambaSID                          eq
index sambaPrimaryGroupSID              eq
index sambaDomainName                   eq
index default                           sub

Change access rules in /etc/ldap/slapd.conf

access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=com"  write
        by anonymous auth
        by self write
        by * none

Restart the OpenLDAP server

/etc/init.d/slapd restart

Samba

Create the profile and netlogon directories

mkdir /var/lib/samba/profiles
chmod 777 /var/lib/samba/profiles
mkdir /var/lib/samba/netlogon

Replace the contents of /etc/samba/smb.conf

[global]
 # Domain name ..
 workgroup = EXAMPLE
 # Server name - as seen by Windows PCs ..
 netbios name = SERVERNAME
 # Be a PDC ..
 domain logons = Yes
 domain master = Yes
 # Be a WINS server ..
 wins support = true

 obey pam restrictions = Yes
 dns proxy = No
 os level = 35
 log file = /var/log/samba/log.%m
 max log size = 1000
 syslog = 0
 panic action = /usr/share/samba/panic-action %d
 pam password change = Yes

 # Allows users on WinXP PCs to change their password when they press Ctrl-Alt-Del
 unix password sync = no
 ldap passwd sync = yes

 # Printing from PCs will go via CUPS ..
 load printers = yes
 printing = cups
 printcap name = cups

 # Use LDAP for Samba user accounts and groups ..
 passdb backend = ldapsam:ldap://localhost

 # This must match init.ldif ..
 ldap suffix = dc=example,dc=com
 # The password for cn=admin MUST be stored in /etc/samba/secrets.tdb
 # This is done by running 'sudo smbpasswd -w'.
 ldap admin dn = cn=admin,dc=example,dc=com

 # 4 OUs that Samba uses when creating user accounts, computer accounts, etc.
 # (Because we are using smbldap-tools, call them 'Users', 'Computers', etc.)
 ldap machine suffix = ou=Computers
 ldap user suffix = ou=Users
 ldap group suffix = ou=Groups
 ldap idmap suffix = ou=Idmap
 # Samba and LDAP server are on the same server in this example.
 ldap ssl = no

 # Scripts for Samba to use if it creates users, groups, etc.
 add user script = /usr/sbin/smbldap-useradd -m '%u'
 delete user script = /usr/sbin/smbldap-userdel %u
 add group script = /usr/sbin/smbldap-groupadd -p '%g'
 delete group script = /usr/sbin/smbldap-groupdel '%g'
 add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
 delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
 set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

 # Script that Samba uses when a PC joins the domain ..
 # (when changing 'Computer Properties' on the PC)
 add machine script = /usr/sbin/smbldap-useradd -w '%u'

 # Values used when a new user is created ..
 # (Note: '%L' does not work properly with smbldap-tools 0.9.4-1)
 logon drive =
 logon home =
 logon path =
 logon script =

 # This is required for Windows XP client ..
 server signing = auto
 server schannel = Auto

[homes]
 comment = Home Directories
 valid users = %S
 read only = No
 browseable = No

[netlogon]
 comment = Network Logon Service
 path = /var/lib/samba/netlogon
 admin users = root
 guest ok = Yes
 browseable = No

[profiles]
 comment = Roaming Profile Share
 # would probably change this to elsewhere in a production system ..
 path = /var/lib/samba/profiles
 read only = No
 profile acls = Yes
 browsable = No

[printers]
 comment = All Printers
 path = /var/spool/samba
 use client driver = Yes
 create mask = 0600
 guest ok = Yes
 printable = Yes
 browseable = No
 public = yes
 writable = yes
 admin users = root
 write list = root

[print$]
 comment = Printer Drivers
 path = /var/lib/samba/printers
 write list = root
 create mask = 0664
 directory mask = 0775
 admin users = root

Change these lines to match your configuration:

  • workgroup = EXAMPLE
  • netbios name = SERVERNAME
  • ldap suffix = dc=example,dc=com
  • ldap admin dn = cn=admin,dc=example,dc=com

Store LDAP password for Samba use (Make sure the password you enter is the same as the one you entered during LDAP setup):

smbpasswd -W
  • New SMB password: <password>
  • Retype new SMB password: <password>

Restart Samba:

/etc/init.d/samba restart

SMBLDAP-TOOLS

Copy the example config files

cat /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf > /etc/smbldap-tools/smbldap_bind.conf
zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf

Change these lines in /etc/smbldap-tools/smbldap.conf to match your configuration:

  • sambaDomain
  • suffix
  • userSmbHome
  • userProfile
  • mailDomain

Change the following in /etc/smbldap-tools/smbldap.conf:

  • #SID=
  • defaultUserGid="5000"
  • defaultComputerGid="2000"

Change the lines in /etc/smbldap-tools/smbldap_bind.conf to match your configuration:

slaveDN="cn=admin,dc=example,dc=com"
slavePw="the password you entered during ldap configuration"
masterDN="cn=admin,dc=example,dc=com"
masterPw="the password you entered during ldap configuration"

Set the correct permissions:

chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf 
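
The settings this section and the smb.conf section say must agree (suffix, domain, the four OUs, the admin DN) are easy to get out of step, and smbldap_bind.conf holds the admin password in clear text. The script below is an added example, not part of the wiki page or of smbldap-tools: it cross-checks those values and the 0600 mode, using constructed sample files in place of /etc/samba/smb.conf, /etc/smbldap-tools/smbldap.conf and smbldap_bind.conf, and expands the ${suffix} reference the way smbldap-tools does.

```shell
# Cross-checks smb.conf [global] against smbldap.conf and smbldap_bind.conf, and the
# 0600 mode on smbldap_bind.conf. write_samples builds constructed stand-ins for /etc.
smb_param() {      # $1=file $2=parameter -> value of "parameter = value"
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}
smbldap_param() {  # $1=file $2=name -> value of name="value" (quotes optional)
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}
expect() {         # $1=label $2=smbldap-side value $3=smb.conf-side value
  if [ "$2" = "$3" ]; then echo "ok   $1: $2"; return 0; fi
  echo "FAIL $1: smb.conf has '$3' but smbldap-tools has '$2'"; return 1
}
check_config() {   # $1=smb.conf $2=smbldap.conf $3=smbldap_bind.conf; returns #problems
  bad=0
  suffix=$(smbldap_param "$2" suffix)
  expect "ldap suffix" "$suffix" "$(smb_param "$1" 'ldap suffix')" || bad=$((bad+1))
  expect "sambaDomain" "$(smbldap_param "$2" sambaDomain)" "$(smb_param "$1" workgroup)" || bad=$((bad+1))
  for pair in 'ldap user suffix:usersdn' 'ldap group suffix:groupsdn' \
              'ldap machine suffix:computersdn' 'ldap idmap suffix:idmapdn'; do
    smbkey=${pair%%:*}; ldapkey=${pair##*:}
    # smbldap.conf stores e.g. "ou=Users,${suffix}"; expand it the way smbldap-tools does
    got=$(smbldap_param "$2" "$ldapkey" | sed "s/[$]{suffix}/$suffix/")
    expect "$smbkey" "$got" "$(smb_param "$1" "$smbkey"),$suffix" || bad=$((bad+1))
  done
  expect "ldap admin dn" "$(smbldap_param "$3" masterDN)" "$(smb_param "$1" 'ldap admin dn')" || bad=$((bad+1))
  # smbldap_bind.conf carries the cn=admin password in clear text: only root may read it
  if [ -n "$(find "$3" \( -perm -g+r -o -perm -o+r \) -print)" ]; then
    echo "FAIL $3 is readable by group/other; the tutorial sets it to 0600"; bad=$((bad+1))
  fi
  return $bad
}
write_samples() {  # $1=dir $2=group OU to put in smbldap.conf (constructed sample files)
  cat >"$1/smb.conf" <<'EOF'
[global]
 workgroup = EXAMPLE
 ldap suffix = dc=example,dc=com
 ldap admin dn = cn=admin,dc=example,dc=com
 ldap machine suffix = ou=Computers
 ldap user suffix = ou=Users
 ldap group suffix = ou=Groups
 ldap idmap suffix = ou=Idmap
EOF
  cat >"$1/smbldap.conf" <<EOF
sambaDomain="EXAMPLE"
suffix="dc=example,dc=com"
usersdn="ou=Users,\${suffix}"
computersdn="ou=Computers,\${suffix}"
groupsdn="$2,\${suffix}"
idmapdn="ou=Idmap,\${suffix}"
EOF
  printf 'masterDN="cn=admin,dc=example,dc=com"\nmasterPw="<password>"\n' >"$1/smbldap_bind.conf"
  chmod 0600 "$1/smbldap_bind.conf"
}
d=$(mktemp -d); write_samples "$d" ou=Group   # deliberate ou=Group vs ou=Groups mismatch
check_config "$d/smb.conf" "$d/smbldap.conf" "$d/smbldap_bind.conf" || echo "$? problem(s) found"
```

Against a real server, call check_config with the three paths under /etc instead of the sample directory.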

Now it's time to populate the directory with the default Samba information:

smbldap-populate
  • Enter the password for the domain root user (yes also on Windows it's called root now)

Start the engine

Index the OpenLDAP server

/etc/init.d/slapd stop
slapindex
chown -R openldap:openldap /var/lib/ldap
/etc/init.d/slapd start

Add a user

smbldap-useradd -a -m -M martijn.zeedijk martijn.zeedijk
smbldap-passwd martijn.zeedijk
  • New password: <password>
  • Retype new password: <password>

LDAP client

apt-get install libnss-ldap
  • LDAP server Uniform Resource Identifier: <ldap://ipaddress>
  • Distinguished name of the search base: <dc=example,dc=com>
  • LDAP version to use: <3>
  • LDAP account for root: <cn=admin,dc=example,dc=com>
  • Make local root Database admin. <Yes>
  • Does the LDAP database require login? <No>
  • LDAP account for root: <cn=admin,dc=example,dc=com>

Change these lines in /etc/nsswitch.conf

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

Replace /etc/pam.d/common-account with:

account         sufficient      pam_unix.so 
account         sufficient      pam_ldap.so 
account         required        pam_deny.so

Replace /etc/pam.d/common-auth with:

auth    required        pam_env.so 
auth    sufficient      pam_unix.so likeauth nullok 
auth    sufficient      pam_ldap.so use_first_pass 
auth    required        pam_deny.so

Replace /etc/pam.d/common-password with:

password        sufficient      pam_unix.so nullok md5 shadow use_authtok 
password        sufficient      pam_ldap.so use_first_pass 
password        required        pam_deny.so

Replace /etc/pam.d/common-session with:

session         required        pam_limits.so
session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0077
session         required        pam_unix.so
session         optional        pam_ldap.so