Centralized login using LDAP and Samba

From Maze's wiki
Revision as of 14:01, 7 May 2010 by Admin (talk | contribs)


Follow this tutorial to create a centralized authentication system against which both Windows and Linux/Unix clients can authenticate.

Install Samba

apt-get install samba
  • Workgroup/Domain Name: <EXAMPLE.COM>
  • Modify smb.conf to use WINS settings from DHCP? <No>

LDAP Server

apt-get install slapd samba-doc
  • Administrator password: <password>
  • Confirm password: <password>

Configure LDAP Server

Remove the database that was created during installation:

rm -rf /var/lib/ldap/*

Run

dpkg-reconfigure slapd
  • Omit OpenLDAP server configuration? <No>
  • DNS domain name: <example.com>
  • Organization name: <Example Organization>
  • Administrator password: <password>
  • Confirm password: <password>
  • Database backend to use: <HDB>
  • Do you want the database to be removed when slapd is purged? <No>
  • Move old database? <Yes>
  • Allow LDAPv2 protocol? <No>

Copy the example samba.schema file

zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema

Edit /etc/ldap/slapd.conf to add two schemas (samba.schema and misc.schema) to the stock include list, so the block reads:

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/misc.schema

Replace the indexing options in /etc/ldap/slapd.conf

# Indexing options for database #1
index ou,cn,sn,mail,givenname           eq,pres,sub
index uidNumber,gidNumber,memberUid     eq,pres
index loginShell                        eq,pres
index uniqueMember                      eq,pres
index uid                               pres,sub,eq
index displayName                       pres,sub,eq
index sambaSID                          eq
index sambaPrimaryGroupSID              eq
index sambaDomainName                   eq
index default                           sub

Change access rules in /etc/ldap/slapd.conf

access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=com"  write
        by anonymous auth
        by self write
        by * none

Restart the OpenLDAP server

/etc/init.d/slapd restart

Configure Samba

Create the profile and netlogon directories for the domain:

mkdir /var/lib/samba/profiles
chmod 777 /var/lib/samba/profiles
mkdir /var/lib/samba/netlogon

Store the LDAP administrator password for Samba's use (make sure the password you enter is the same one you entered during the LDAP setup):

smbpasswd -W
  • New SMB password: <password>
  • Retype new SMB password: <password>

Restart Samba:

/etc/init.d/samba restart

smbldap-tools

Install smbldap-tools

apt-get install smbldap-tools

Copy the example config files

cat /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf > /etc/smbldap-tools/smbldap_bind.conf
zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf

Change these lines in /etc/smbldap-tools/smbldap.conf to match your configuration:

  • sambaDomain
  • suffix
  • userSmbHome
  • userProfile
  • mailDomain

Change the following in /etc/smbldap-tools/smbldap.conf:

  • #SID=
  • defaultUserGid="5000"
  • defaultComputerGid="2000"

Change the lines in /etc/smbldap-tools/smbldap_bind.conf to match your configuration:

slaveDN="cn=admin,dc=example,dc=com"
slavePw="the password you entered during ldap configuration"
masterDN="cn=admin,dc=example,dc=com"
masterPw="the password you entered during ldap configuration"

Set the correct permissions:

chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf
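The access rule added to slapd.conf above and the 0600 mode on smbldap_bind.conf are the two settings that keep password material out of reach: the NT and LM hashes live in ordinary LDAP attributes, so if sambaNTPassword and sambaLMPassword are not listed in the userPassword rule they fall under the server's default read rule. The script below is an added example, not part of the wiki page, that checks both on a copy of the files. It constructs its own sample slapd.conf and smbldap_bind.conf in a temporary directory so it runs offline; on a real server point the functions at /etc/ldap/slapd.conf and /etc/smbldap-tools/smbldap_bind.conf instead.

```shell
#!/bin/sh
# Added example: sanity checks for the OpenLDAP ACL and smbldap-tools file
# permissions described above. Sample config contents are constructed here.

# Returns 0 when every schema the Samba/NIS account objects need is included.
check_schema_includes() {
    conf=$1
    for schema in core cosine nis inetorgperson samba; do
        grep -Eq "^include[[:space:]]+.*/${schema}\.schema" "$conf" || return 1
    done
    return 0
}

# Returns 0 when the rule protecting userPassword also covers the Samba
# hashes and falls through to "by * none" for everybody else.
check_password_acl() {
    conf=$1
    # Pull out the rule starting at the userPassword attrs line, up to the
    # next blank line or the next "access to" clause.
    rule=$(awk '/^access to attrs=/ && /userPassword/ {p=1; print; next}
                p && (/^access/ || /^[[:space:]]*$/) {exit}
                p {print}' "$conf")
    [ -n "$rule" ] || return 1
    printf '%s\n' "$rule" | head -n1 | grep -q 'sambaNTPassword' || return 1
    printf '%s\n' "$rule" | head -n1 | grep -q 'sambaLMPassword' || return 1
    printf '%s\n' "$rule" | grep -Eq '^[[:space:]]*by \* none' || return 1
    return 0
}

# Returns 0 when the bind file (it holds the admin password) is mode 0600.
check_bind_conf_perms() {
    f=$1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ]
}

# Writes constructed sample files into the given directory: one slapd.conf
# with the rule from this page, one with the stock rule that omits the Samba
# attributes, and two bind files with tight and loose permissions.
write_sample_configs() {
    d=$1
    includes='include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/misc.schema'
    printf '%s\n\n' "$includes" > "$d/slapd-good.conf"
    cat >> "$d/slapd-good.conf" <<'EOF'
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=com"  write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * read
EOF
    printf '%s\n\n' "$includes" > "$d/slapd-weak.conf"
    cat >> "$d/slapd-weak.conf" <<'EOF'
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=example,dc=com"  write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * read
EOF
    printf 'masterDN="cn=admin,dc=example,dc=com"\nmasterPw="constructed"\n' > "$d/smbldap_bind.conf"
    cp "$d/smbldap_bind.conf" "$d/smbldap_bind-loose.conf"
    chmod 0600 "$d/smbldap_bind.conf"
    chmod 0644 "$d/smbldap_bind-loose.conf"
}

tmp=$(mktemp -d)
write_sample_configs "$tmp"
for c in slapd-good.conf slapd-weak.conf; do
    check_schema_includes "$tmp/$c" || echo "$c: a required schema include is missing"
    if check_password_acl "$tmp/$c"; then
        echo "$c: Samba password hashes are protected"
    else
        echo "$c: sambaNTPassword/sambaLMPassword fall under the default read rule"
    fi
done
for b in smbldap_bind.conf smbldap_bind-loose.conf; do
    check_bind_conf_perms "$tmp/$b" && echo "$b: mode 0600" || echo "$b: admin password file is readable by other users"
done
rm -rf "$tmp"
```

Run it as any user; it never touches the live configuration. The weak sample is the stock Debian rule, which is exactly the state a server is in if the access-rule step above is skipped.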

Now populate the directory with the default Samba information:

smbldap-populate
  • Enter the password for the domain root user (yes, on Windows it is also called root now)

Start the engine

Index the OpenLDAP server

/etc/init.d/slapd stop
slapindex
chown -R openldap:openldap /var/lib/ldap
/etc/init.d/slapd start

Add a user

smbldap-useradd -a -m -M martijn.zeedijk martijn.zeedijk
smbldap-passwd martijn.zeedijk
  • New password: <password>
  • Retype new password: <password>

LDAP client

apt-get install libnss-ldap
  • LDAP server Uniform Resource Identifier: <ldap://ipaddress>
  • Distinguished name of the search base: <dc=example,dc=com>
  • LDAP version to use: <3>
  • LDAP account for root: <cn=admin,dc=example,dc=com>
  • Make local root Database admin? <Yes>
  • Does the LDAP database require login? <No>
  • LDAP account for root: <cn=admin,dc=example,dc=com>

Change these lines in /etc/nsswitch.conf

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

Replace /etc/pam.d/common-account with:

account         sufficient      pam_unix.so 
account         sufficient      pam_ldap.so 
account         required        pam_deny.so

Replace /etc/pam.d/common-auth with:

auth    required        pam_env.so 
auth    sufficient      pam_unix.so likeauth nullok 
auth    sufficient      pam_ldap.so use_first_pass 
auth    required        pam_deny.so

Replace /etc/pam.d/common-password with:

password        sufficient      pam_unix.so nullok md5 shadow use_authtok 
password        sufficient      pam_ldap.so use_first_pass 
password        required        pam_deny.so

Replace /etc/pam.d/common-session with:

session         required        pam_limits.so
session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0077
session         required        pam_unix.so
session         optional        pam_ldap.so
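The nsswitch and PAM files above are easy to get subtly wrong, and a mistake there either locks every user out or, worse, lets an empty stack succeed. Two properties are worth checking before logging out: passwd, group and shadow all consult ldap, and each of the account, auth and password stacks names pam_ldap.so and ends in "required pam_deny.so", so a stack where no sufficient module succeeds still terminates in an explicit deny. The script below is an added example and not part of the wiki page; it constructs sample files (the ones shown above plus a weakened common-auth) in a temporary directory so it runs offline. On a real client run the functions against /etc/nsswitch.conf and /etc/pam.d/common-*.

```shell
#!/bin/sh
# Added example: check the client-side nsswitch.conf and PAM common-* stacks.
# Sample files are constructed below; paths on a real client are assumed to be
# /etc/nsswitch.conf and /etc/pam.d/common-{account,auth,password,session}.

# Returns 0 when passwd, group and shadow lookups all include ldap.
check_nsswitch() {
    f=$1
    for db in passwd group shadow; do
        grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|$)" "$f" || return 1
    done
    return 0
}

# Returns 0 when every entry in the file belongs to the given stack type,
# pam_ldap.so is present, and (except for the session stack, which needs no
# terminal deny) the last entry is "required pam_deny.so".
check_pam_stack() {
    f=$1
    type=$2
    entries=$(grep -Ev '^[[:space:]]*(#|$)' "$f")
    [ -n "$entries" ] || return 1
    printf '%s\n' "$entries" | grep -Evq "^${type}[[:space:]]" && return 1
    printf '%s\n' "$entries" | grep -q 'pam_ldap\.so' || return 1
    if [ "$type" != session ]; then
        printf '%s\n' "$entries" | tail -n1 \
            | grep -Eq "^${type}[[:space:]]+required[[:space:]]+pam_deny\.so" || return 1
    fi
    return 0
}

# Writes constructed samples: the files from this page, a common-auth that
# forgot the final pam_deny.so line, and an nsswitch.conf without ldap.
write_client_samples() {
    d=$1
    cat > "$d/nsswitch.conf" <<'EOF'
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns
EOF
    cat > "$d/nsswitch-local.conf" <<'EOF'
passwd:         compat
group:          compat
shadow:         compat
EOF
    cat > "$d/common-account" <<'EOF'
account         sufficient      pam_unix.so
account         sufficient      pam_ldap.so
account         required        pam_deny.so
EOF
    cat > "$d/common-auth" <<'EOF'
auth    required        pam_env.so
auth    sufficient      pam_unix.so likeauth nullok
auth    sufficient      pam_ldap.so use_first_pass
auth    required        pam_deny.so
EOF
    cat > "$d/common-auth-weak" <<'EOF'
auth    required        pam_env.so
auth    sufficient      pam_unix.so likeauth nullok
auth    sufficient      pam_ldap.so use_first_pass
EOF
    cat > "$d/common-session" <<'EOF'
session         required        pam_limits.so
session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0077
session         required        pam_unix.so
session         optional        pam_ldap.so
EOF
}

tmp=$(mktemp -d)
write_client_samples "$tmp"
check_nsswitch "$tmp/nsswitch.conf" && echo "nsswitch.conf: ldap consulted for passwd/group/shadow"
check_nsswitch "$tmp/nsswitch-local.conf" || echo "nsswitch-local.conf: LDAP users will not resolve"
for stack in account auth session; do
    check_pam_stack "$tmp/common-$stack" "$stack" && echo "common-$stack: OK"
done
check_pam_stack "$tmp/common-auth-weak" auth || echo "common-auth-weak: no terminal pam_deny.so"
rm -rf "$tmp"
```

Keep a root shell open while switching these files on a live system; the checks catch layout mistakes, not a wrong server address or base DN, which only a real login will reveal.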