Centralized login using LDAP and Samba
Follow this tutorial to create a centralized authentication system against which both Windows and Linux/Unix clients can authenticate.
Samba
Installation
apt-get install samba samba-doc
Create the profile and netlogon directories
mkdir /var/lib/samba/profiles
chmod 777 /var/lib/samba/profiles
mkdir /var/lib/samba/netlogon
Change the following lines in the [global] section of smb.conf:
workgroup = EXAMPLE.COM
wins support = yes
passdb backend = ldapsam:ldap://localhost
unix password sync = no
domain logons = yes
logon path = \\%N\profiles\%U
logon drive = H:
logon home = \\%N\%U
logon script = logon.bat
add user script = /usr/sbin/smbldap-useradd -m '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
load printers = yes
Then in the [homes] section:
read only = no
Uncomment the [netlogon] section and change these lines:
path = /var/lib/samba/netlogon
Uncomment the [profiles] section and change these lines:
path = /var/lib/samba/profiles
Change these lines to match your configuration:
- workgroup = EXAMPLE
- netbios name = SERVERNAME
- ldap suffix = dc=example,dc=com
- ldap admin dn = cn=admin,dc=example,dc=com
Store the LDAP admin password for Samba's use (make sure the password you enter is the same one you entered during LDAP setup):
smbpasswd -W
- New SMB password: <password>
- Retype new SMB password: <password>
Restart Samba:
/etc/init.d/samba restart
LDAP Server
Installation
apt-get install slapd
- Administrator password: <password>
- Confirm password: <password>
- Workgroup/Domain Name: <EXAMPLE.COM>
- Modify smb.conf to use WINS settings from DHCP? <No>
Remove the database that was created during installation:
rm -rf /var/lib/ldap/*
Configuration
Run:
dpkg-reconfigure slapd
- Omit OpenLDAP server configuration? <No>
- DNS domain name: <example.com>
- Organization name: <Example Organization>
- Administrator password: <password>
- Confirm password: <password>
- Database backend to use: <HDB>
- Do you want the database to be removed when slapd is purged? <No>
- Move old database? <Yes>
- Allow LDAPv2 protocol? <No>
Copy the example samba.schema file
zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
Edit /etc/ldap/slapd.conf to add two schemas (samba.schema and misc.schema), so the include list reads:
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/misc.schema
Replace the indexing options in /etc/ldap/slapd.conf:
# Indexing options for database #1
index ou,cn,sn,mail,givenname eq,pres,sub
index uidNumber,gidNumber,memberUid eq,pres
index loginShell eq,pres
index uniqueMember eq,pres
index uid pres,sub,eq
index displayName pres,sub,eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
Change the access rules in /etc/ldap/slapd.conf (the continuation lines must start with whitespace):
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none
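To check that an edited slapd.conf still keeps these attributes out of reach, here is an added Python example (not part of the tutorial) that applies slapd's first-match evaluation of "to" rules and "by" clauses to the file's access directives. Both configurations inside it are constructed: one is the rule above, the other the common mistake of leaving the distribution's default rule untouched so a later catch-all rule exposes the Samba hashes.

```python
# Audit slapd.conf access rules for the LDAP-stored password attributes (added example).
import re
# Attributes the tutorial's rule protects; NT/LM hashes authenticate as-is, so a leak is a password leak.
SENSITIVE_ATTRS = ("userPassword", "shadowLastChange", "sambaNTPassword", "sambaLMPassword")
# slapd privilege levels, weakest first; "auth" permits binds only, not reads.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_access_rules(conf_text):
    """Return [(what, [(who, level), ...])] in file order, joining indented
    continuation lines. Handles the 'to *' and 'to attrs=...' forms used here."""
    joined = re.sub(r"\n[ \t]+", " ", conf_text)
    rules = []
    for line in joined.splitlines():
        m = re.match(r"\s*access\s+to\s+(\S+)\s+(.*)", line)
        if m:
            rules.append((m.group(1), re.findall(r"by\s+(\S+)\s+(\w+)", m.group(2))))
    return rules

def effective_level(rules, attr, who):
    """Privilege `who` ('anonymous' or 'users') gets on `attr`: slapd applies the
    first 'to' rule that matches and its first matching 'by' clause, else denies."""
    if not rules:
        return "read"  # slapd's default when the file has no access directives
    for what, by in rules:
        attrs = what[len("attrs="):].split(",") if what.startswith("attrs=") else []
        if what == "*" or attr in attrs:
            return next((lvl for subj, lvl in by if subj in ("*", who)), "none")
    return "none"

def audit(conf_text):
    """Findings where anonymous or ordinary users get more than 'auth'."""
    rules = parse_access_rules(conf_text)
    return [f"{attr}: {who} gets {lvl}, expected at most auth"
            for attr in SENSITIVE_ATTRS for who in ("anonymous", "users")
            for lvl in [effective_level(rules, attr, who)]
            if LEVELS.index(lvl) > LEVELS.index("auth")]

# Constructed sample: the rule exactly as the tutorial gives it.
GOOD_CONF = """
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=com" write
        by anonymous auth by self write by * none
"""
# Constructed sample: the Samba attributes were never added, so the catch-all
# rule that follows leaves the NT and LM hashes readable by anyone on the network.
WEAK_CONF = """
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
access to * by dn="cn=admin,dc=example,dc=com" write by * read
"""
```

Run `audit()` on your real /etc/ldap/slapd.conf after editing; an empty list means neither anonymous nor ordinary authenticated users can read any of the four attributes.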
Restart the OpenLDAP server:
/etc/init.d/slapd restart
smbldap-tools
Installation
apt-get install smbldap-tools
Copy the example config files:
cat /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf > /etc/smbldap-tools/smbldap_bind.conf
zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf
Change these lines in /etc/smbldap-tools/smbldap.conf to match your configuration:
- sambaDomain
- suffix
- userSmbHome
- userProfile
- mailDomain
Change the following in /etc/smbldap-tools/smbldap.conf:
- #SID=
- defaultUserGid="5000"
- defaultComputerGid="2000"
Change the lines in /etc/smbldap-tools/smbldap_bind.conf to match your configuration:
slaveDN="cn=admin,dc=example,dc=com"
slavePw="the password you entered during ldap configuration"
masterDN="cn=admin,dc=example,dc=com"
masterPw="the password you entered during ldap configuration"
Set the correct permissions:
chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf
Now it's time to populate the directory with the default Samba information:
smbldap-populate
- Enter the password for the domain root user (yes, on Windows this account is also called root now)
Start the engine
Index the OpenLDAP server:
/etc/init.d/slapd stop
slapindex
chown -R openldap:openldap /var/lib/ldap
/etc/init.d/slapd start
Add a user:
smbldap-useradd -a -m -M martijn.zeedijk martijn.zeedijk
smbldap-passwd martijn.zeedijk
- New password: <password>
- Retype new password: <password>
LDAP client
apt-get install libnss-ldap
- LDAP server Uniform Resource Identifier: <ldap://ipaddress>
- Distinguished name of the search base: <dc=example,dc=com>
- LDAP version to use: <3>
- LDAP account for root: <cn=admin,dc=example,dc=com>
- Make local root Database admin? <Yes>
- Does the LDAP database require login? <No>
- LDAP account for root: <cn=admin,dc=example,dc=com>
Change these lines in /etc/nsswitch.conf:
passwd: compat ldap
group: compat ldap
shadow: compat ldap
Replace /etc/pam.d/common-account with:
account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so
Replace /etc/pam.d/common-auth with:
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
Replace /etc/pam.d/common-password with:
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_first_pass
password required pam_deny.so
Replace /etc/pam.d/common-session with:
session required pam_limits.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_unix.so
session optional pam_ldap.so