Centralized login using LDAP and Samba
From Maze's wiki
Revision as of 13:46, 7 May 2010 by Admin (talk | contribs) (Reverted edits by Admin (Talk) to last revision by 89.250.178.18)
To create a centralized authentication system where both Windows and Linux/Unix client can authenticate against follow this tutorial.
LDAP Server
apt-get install slapd samba samba-doc smbldap-tools
- Administrator password: <password>
- Confirm password: <password>
- Workgroup/Domain Name: <EXAMPLE.COM>
- Modify smb.conf to use WINS settings from DHCP? <No>
Remove the database that was created during installation:
rm -rf /var/lib/ldap/*
Run
dpkg-reconfigure slapd
- Omit OpenLDAP server configuration? <No>
- DNS domain name: <example.com>
- Organization name: <Example Organization>
- Administrator password: <password>
- Confirm password: <password>
- Database backend to use: <HDB>
- Do you want the database to be removed when slapd is purged? <No>
- Move old database? <Yes>
- Allow LDAPv2 protocol? <No>
Copy the example samba.schema file
zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
Edit /etc/ldap/slapd.conf to add 2 schemas
# Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/samba.schema include /etc/ldap/schema/misc.schema
Replace the indexing options in /etc/ldap/slapd.conf
# Indexing options for database #1 index ou,cn,sn,mail,givenname eq,pres,sub index uidNumber,gidNumber,memberUid eq,pres index loginShell eq,pres index uniqueMember eq,pres index uid pres,sub,eq index displayName pres,sub,eq index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq index default sub
Change access rules in /etc/ldap/slapd.conf
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
by dn="cn=admin,dc=example,dc=com" write
by anonymous auth
by self write
by * none
Restart de OpenLDAP server
/etc/init.d/slapd restart
Samba
Create the profile and netlogon directories
mkdir /var/lib/samba/profiles chmod 777 /var/lib/samba/profiles mkdir /var/lib/samba/netlogon
Replace the contents of /etc/samba/smb.conf
[global] # Domain name .. workgroup = EXAMPLE # Server name - as seen by Windows PCs .. netbios name = SERVERNAME # Be a PDC .. domain logons = Yes domain master = Yes # Be a WINS server .. wins support = true obey pam restrictions = Yes dns proxy = No os level = 35 log file = /var/log/samba/log.%m max log size = 1000 syslog = 0 panic action = /usr/share/samba/panic-action %d pam password change = Yes # Allows users on WinXP PCs to change their password when they press Ctrl-Alt-Del unix password sync = no ldap passwd sync = yes # Printing from PCs will go via CUPS .. load printers = yes printing = cups printcap name = cups # Use LDAP for Samba user accounts and groups .. passdb backend = ldapsam:ldap://localhost # This must match init.ldif .. ldap suffix = dc=example,dc=com # The password for cn=admin MUST be stored in /etc/samba/secrets.tdb # This is done by running 'sudo smbpasswd -w'. ldap admin dn = cn=admin,dc=example,dc=com # 4 OUs that Samba uses when creating user accounts, computer accounts, etc. # (Because we are using smbldap-tools, call them 'Users', 'Computers', etc.) ldap machine suffix = ou=Computers ldap user suffix = ou=Users ldap group suffix = ou=Groups ldap idmap suffix = ou=Idmap # Samba and LDAP server are on the same server in this example. ldap ssl = no # Scripts for Samba to use if it creates users, groups, etc. add user script = /usr/sbin/smbldap-useradd -m '%u' delete user script = /usr/sbin/smbldap-userdel %u add group script = /usr/sbin/smbldap-groupadd -p '%g' delete group script = /usr/sbin/smbldap-groupdel '%g' add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g' delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g' set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u' # Script that Samba users when a PC joins the domain .. # (when changing 'Computer Properties' on the PC) add machine script = /usr/sbin/smbldap-useradd -w '%u' # Values used when a new user is created .. # (Note: '%L' does not work properly with smbldap-tools 0.9.4-1) logon drive = logon home = logon path = logon script = # This is required for Windows XP client .. server signing = auto server schannel = Auto [homes] comment = Home Directories valid users = %S read only = No browseable = No [netlogon] comment = Network Logon Service path = /var/lib/samba/netlogon admin users = root guest ok = Yes browseable = No [profiles] comment = Roaming Profile Share # would probably change this to elsewhere in a production system .. path = /var/lib/samba/profiles read only = No profile acls = Yes browsable = No [printers] comment = All Printers path = /var/spool/samba use client driver = Yes create mask = 0600 guest ok = Yes printable = Yes browseable = No public = yes writable = yes admin users = root write list = root [print$] comment = Printer Drivers share path = /var/lib/samba/printers write list = root create mask = 0664 directory mask = 0775 admin users = root
Change these lines to match your configuration:
- workgroup = EXAMPLE
- netbios name = SERVERNAME
- ldap suffix = dc=example,dc=com
- ldap admin dn = cn=admin,dc=example,dc=com
Store LDAP password for Samba use (Make sure the password you enter is the same as the one you entered during LDAP setup):
smbpasswd -W
- New SMB password: <password>
- Retype new SMB password: <password>
Restart Samba:
/etc/init.d/samba restart
SMBLDAP-TOOLS
Copy the example configfiles
cat /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf > /etc/smbldap-tools/smbldap_bind.conf zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf
Change these line in /etc/smbldap-tools/smbldap.conf to match your configuration:
- sambaDomain
- suffix
- userSmbHome
- userProfile
- mailDomain
Change the following in /etc/smbldap-tools/smbldap.conf:
- #SID=
- defaultUserGid="5000"
- defaultComputerGid="2000"
Change the lines in /etc/smbldap-tools/smbldap_bind.conf to match you configuration:
slaveDN="cn=admin,dc=example,dc=com" slavePw="the password you entered during ldap configuration" masterDN="cn=admin,dc=example,dc=com" masterPw="the password you entered during ldap configuration"
Set the correct permissions:
chmod 0644 /etc/smbldap-tools/smbldap.conf chmod 0600 /etc/smbldap-tools/smbldap_bind.conf
Now it's time to populate the directory with default samba information
smbldap-populate
- Enter the password for the domain root user (yes also on Windows it's called root now)
Start the engine
Index the OpenLDAP server
/etc/init.d/slapd stop slapindex chown -R openldap:openldap /var/lib/ldap /etc/init.d/slapd start
Add a user
smbldap-useradd -a -m -M martijn.zeedijk martijn.zeedijk smbldap-passwd martijn.zeedijk
- New password: <password>
- Retype new password: <password>
LDAP client
apt-get install libnss-ldap
- LDAP server Uniform Resource Identifier: <ldap://ipaddress>
- Distinguished name of the search base: <dc=example,dc=com>
- LDAP version to use: <3>
- LDAP account for root: <cn=admin,dc=example,dc=com>
- Make local root Database admin. <Yes>
- Does the LDAP database require login? <No>
- LDAP account for root: <cn=admin,dc=example,dc=com>
Change these lines in /etc/nsswitch.conf
passwd: compat ldap group: compat ldap shadow: compat ldap
Replace /etc/pam.d/common-account with:
account sufficient pam_unix.so account sufficient pam_ldap.so account required pam_deny.so
Replace /etc/pam.d/common-auth with:
auth required pam_env.so auth sufficient pam_unix.so likeauth nullok auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so
Replace /etc/pam.d/common-password with:
password sufficient pam_unix.so nullok md5 shadow use_authtok password sufficient pam_ldap.so use_first_pass password required pam_deny.so
Replace /etc/pam.d/common-session with:
session required pam_limits.so session required pam_mkhomedir.so skel=/etc/skel/ umask=0077 session required pam_unix.so session optional pam_ldap.so
