HOWTO LDAP SAMBA PDC/Basic Setup
From Gentoo Linux Wiki
[edit] Configure LDAP
First, ensure the proper ownership of some key directories:
# chown -R ldap:ldap /var/lib/openldap-*
[edit] /etc/openldap/slapd.conf
You can edit the /etc/openldap/slapd.conf file that ships with openldap, or you can create a new one; either way, it should resemble the following.
The include statements pull the various schemas into our LDAP tree:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
The slapd Gentoo init script doesn't create the pidfile or argsfile correctly, so we specify them here:
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
| Note: 06/08/06 net-nds/openldap-2.2.28-r3 has the two previous lines present in /etc/openldap/slapd.conf by default. evilshenaniganz |
You should set loglevel to 256 initially; this gives useful hints when debugging problems. Read man slapd.conf for more information on what the loglevel directive offers.
loglevel 256
For database you can use either "bdb" or "ldbm". bdb is generally favoured by the OpenLDAP project as it is faster and more stable, but it is somewhat difficult to set up when your server is under high load. Hint: create a DB_CONFIG file in your data directory (/var/lib/openldap-data/) and read the Berkeley DB documentation at sleepycat.com.
suffix is the suffix for the root of our LDAP tree. The field names here must be all caps, or Windows will turn up its nose when asked to join your domain, with an error stating "User account not found." It will be very frustrating.
directory designates the data directory for our LDAP database.
rootdn is the hardcoded super-user of the database.
rootpw is the hardcoded root password.
To generate a 'secret' you can use:
# slappasswd -h {MD5}
New password: <example>
Re-enter new password: <example>
{MD5}s+JROT6YmCR/KFfL3N9o4w==
{MD5} indicates the scheme used to hash the password. For more information about the available schemes, see the slappasswd man page. The index directives define optional indexes that help speed up searches against common LDAP data.
database ldbm
suffix "dc=example,dc=net"
rootdn "cn=Manager,dc=example,dc=net"
rootpw {MD5}s+JROT6YmCR/KFfL3N9o4w==
directory /var/lib/openldap-data/
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
| Note: 5/05/2007 Alternative using bdb (a faster DB for large record sets) |
database bdb
suffix "dc=example,dc=net"
checkpoint 32 30 # <kbyte> <min>
rootdn "cn=Manager,dc=example,dc=net"
rootpw {MD5}s+JROT6YmCR/KFfL3N9o4w==
directory /var/lib/openldap-data/
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
| Note: 14/03/2007 Additionally, I had to remove (or maybe move after "suffix") an entry called "checkpoint" out of my configuration, which was in by default. User:emphasis.nils-wisiol.de |
| Note: 28/04/2007 If you use ldbm, change directory to /var/lib/openldap-ldbm (LDAP-howto). Don't forget to run chown ldap:ldap /var/lib/openldap-ldbm |
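The slappasswd output above is just a scheme tag followed by the base64 of a digest. As an added example (not from the original page), this Python reproduces the {MD5} form for a constructed password, produces the salted {SSHA} alternative that slappasswd uses by default, and verifies a candidate password against either; it assumes only the standard library.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample password for this demonstration; not the page's secret.
SAMPLE_PASSWORD = "example-secret"


def ldap_md5(password: str) -> str:
    """Build a {MD5} value the way 'slappasswd -h {MD5}' does: base64 of the
    raw 16-byte MD5 digest, with no salt, so equal passwords give equal
    values and the hash can be matched against precomputed tables."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def ldap_ssha(password: str, salt: bytes = b"") -> str:
    """Build a {SSHA} value (slappasswd's default scheme): base64 of
    SHA-1(password || salt) followed by the salt itself, so the salt can be
    recovered at verification time."""
    if not salt:
        salt = os.urandom(4)  # slappasswd uses a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a {MD5} or {SSHA} userPassword or
    rootpw value, comparing digests in constant time."""
    scheme, sep, encoded = stored.partition("}")
    if not sep:
        raise ValueError("missing {SCHEME} prefix")
    raw = base64.b64decode(encoded)
    if scheme.upper() == "{MD5":
        expected = hashlib.md5(password.encode("utf-8")).digest()
        return hmac.compare_digest(raw, expected)
    if scheme.upper() == "{SSHA":
        digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes
        expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    raise ValueError("unsupported scheme " + scheme + "}")


if __name__ == "__main__":
    print("rootpw", ldap_md5(SAMPLE_PASSWORD))
    print("rootpw", ldap_ssha(SAMPLE_PASSWORD))
```

Either value can be pasted after rootpw; slapd accepts any scheme it was built with, and the salted form avoids two accounts with the same password sharing one hash.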
[edit] /etc/openldap/ldap.conf
You should also have a file called /etc/openldap/ldap.conf. This file tells the client programs from the openldap package (ldapsearch, ldapadd, ...) which server it should connect to. Don't confuse this one with /etc/ldap.conf which is for the pam_ldap and nss_ldap packages from padl.com.
To configure connectivity for the OpenLDAP tools we only need to define the HOST and BASE settings to match our slapd settings:
HOST 127.0.0.1
BASE dc=example,dc=net
[edit] /etc/conf.d/slapd
We need to make sure the OPTS= line in /etc/conf.d/slapd looks similar to the following. If it doesn't, we may have issues starting it through the Gentoo scripts; it also won't open an SSL port without it.
OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
[edit] Finalizing openldap
We should always do a sanity check on /etc/openldap/slapd.conf every time we change it. We can accomplish this with slaptest:
# slaptest
| Note: 11/01/2007 If you're using bdb, use slaptest -u to check the sanity of /etc/openldap/slapd.conf, then start the daemon manually with /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 255 to generate the initial db and check if something is wrong. Then stop it with ctrl+C and change the permissions on /var/lib/openldap-data as shown in note number 3. |
| Note: 14/03/2007 Maybe your openldap executable is not in /usr/sbin/slapd, as said in the first note, but in /usr/lib/openldap/slapd. User:emphasis.nils-wisiol.de |
| Note: 11/09/06 If you're using bdb the rights for the database in /var/lib/openldap-data/ may have been created as root. If so you need to chown ldap:ldap /var/lib/openldap-data/* before starting slapd dcrawford |
Next we can attempt to start slapd. Also, don't forget to add slapd to the default runlevel:
# /etc/init.d/slapd start
# rc-update add slapd default
| Note: 09/12/06 Check that ldap is the owner of the files in /var/lib/openldap-data if the start failed |
Hopefully slapd started [ok]. If it didn't ([!!]), skip down to the troubleshooting section; otherwise continue with the testing section to make sure everything's running correctly.
[edit] Configure PAM
[edit] /etc/pam.d/system-auth
| Note: 5/05/2007 Please skip this section as pam will know where to go when reading /etc/nsswitch.conf - FIXME: is this correct? I need to add those pam_ldap.so lines. Else it won't work here. |
PAM, short for Pluggable Authentication Modules, is a system that allows us to define the modules used for system authentication. Redefining pam.d/system-auth along with nsswitch.conf will allow us to authenticate against our LDAP directory.
You should also have a file called /etc/pam.d/system-auth. We need to edit the file to resemble something like this:
| File: /etc/pam.d/system-auth |
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_ldap.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 type=
password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
[edit] /etc/pam.d/su
You probably want to make a few changes to su authentication. By default, su checks that the user is in group wheel, and then authenticates them as the root user through the normal system-auth methods. There are two changes that you may want to make.
You probably want to have the wheel group information in LDAP instead of in /etc/group. Unfortunately, pam_group.so and pam_wheel.so seem to stop after checking /etc/group if the group wheel is present in the file and the user is not in the group. You can safely remove the wheel group and then add it to LDAP with the following commands:
# groupdel wheel
# smbldap-groupadd -g 10 -o wheel
# smbldap-groupmod -m <userlist, comma separated> wheel
| Note: 01/05/08 By removing wheel from /etc/group, you might not be able to su if your LDAP server is down. This makes remote administration difficult, since a secure setup only allows root to login from the console. |
[NOTE: You probably should perform an smbldap-populate (information provided on the next page for completing this) before you remove/add the wheel group.]
You may not want to allow su'ing with the LDAP root password, but force the /etc/passwd password instead. If that is the case, you should copy the auth section from /etc/pam.d/system-auth to /etc/pam.d/su and remove the pam_ldap.so line. This will override the new default, LDAP-centric authentication behavior. Here is a sample auth section.
| File: /etc/pam.d/su |
#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_wheel.so
auth required pam_env.so
auth sufficient pam_ldap.so
auth required pam_deny.so
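Added example, not part of the original page: a small Python model of how Linux-PAM walks the auth stacks listed above for system-auth and for su, so you can see why the order of sufficient and required lines matters. Module results are supplied by the caller as a dict (constructed scenarios); no real PAM call is made.

```python
# Auth stacks transcribed from the two files above: (control flag, module).
SYSTEM_AUTH = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),    # local /etc/shadow password
    ("sufficient", "pam_ldap.so"),    # LDAP password (use_first_pass)
    ("required", "pam_deny.so"),
]

SU_AUTH = [
    ("sufficient", "pam_rootok.so"),  # already root: no password asked
    ("required", "pam_wheel.so"),     # caller must be in group wheel
    ("required", "pam_env.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_deny.so"),
]

# Modules whose outcome does not depend on the user in these scenarios.
FIXED = {"pam_env.so": True, "pam_deny.so": False}


def run_stack(stack, results):
    """Walk a PAM stack with the classic control-flag semantics:
    required   - a failure is remembered, but later modules still run;
    sufficient - success ends the stack with success unless a required
                 module already failed; a failure is simply ignored.
    'results' maps module name -> True/False for this attempt; a module
    not listed (and not in FIXED) is treated as failing."""
    required_failed = False
    for control, module in stack:
        ok = {**FIXED, **results}.get(module, False)
        if control == "required":
            required_failed = required_failed or not ok
        elif control == "sufficient":
            if ok and not required_failed:
                return True
    return not required_failed


def login_local_user():
    """User in /etc/shadow: pam_unix succeeds, pam_ldap never runs."""
    return run_stack(SYSTEM_AUTH, {"pam_unix.so": True})


def login_ldap_user():
    """User only in LDAP: pam_unix fails (ignored), pam_ldap succeeds."""
    return run_stack(SYSTEM_AUTH, {"pam_unix.so": False, "pam_ldap.so": True})


def login_bad_password():
    """Both password modules fail, so the required pam_deny settles it."""
    return run_stack(SYSTEM_AUTH, {"pam_unix.so": False, "pam_ldap.so": False})


def su_not_in_wheel():
    """Right LDAP password but not in wheel: the required pam_wheel failure
    means the later sufficient pam_ldap success cannot rescue the attempt."""
    return run_stack(SU_AUTH, {"pam_wheel.so": False, "pam_ldap.so": True})


def su_wheel_member(ldap_password_ok):
    return run_stack(SU_AUTH, {"pam_wheel.so": True,
                               "pam_ldap.so": ldap_password_ok})
```

Note that the su stack exactly as listed has no pam_unix.so line, so under this model a wheel member whose password exists only in /etc/shadow is denied.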
[edit] Configure NSS_LDAP
[edit] /etc/nsswitch.conf
You should also have a file called /etc/nsswitch.conf. We need to modify the lines pertaining to passwd:, group:, and shadow: to resemble the following:
passwd: files ldap
group: files ldap
shadow: files ldap
| Note: 5/05/2007 Alternative Configuration |
passwd: compat ldap
shadow: compat ldap
group: compat ldap
#sudoers: files ldap
For LDAP sudoers, see HOWTO secure OpenLDAP network.
[edit] /etc/ldap.conf
Next we want to configure /etc/ldap.conf. This file sets directives pertaining to the ldap source we specified in nsswitch.conf above.
Again we use host and base to refer to our LDAP server address and the context of our LDAP tree respectively:
host 127.0.0.1
base dc=example,dc=net
Some attributes differ from the defaults in ldap.conf:
pam_filter objectclass=posixAccount
pam_login_attribute uid
The nss_base_* directives specify the context in LDAP that each NSS map (passwd, shadow, group) is looked up in, under the suffix we configured. Make sure you have two nss_base_passwd entries, covering users and computers, so you don't get a nasty "user name could not be found" error when joining computers to the domain.
nss_base_passwd ou=Computers,dc=example,dc=net?sub
nss_base_passwd ou=Users,dc=example,dc=net?sub
nss_base_shadow ou=Users,dc=example,dc=net?sub
nss_base_group ou=Groups,dc=example,dc=net?one
Here we use debug to set the verbosity of the output; during testing this value should be 256 to help track down problems. The logdir directive tells nss_ldap where to store the logs that the debug directive produces:
debug 256
logdir /var/log/nss_ldap
The ssl directive identifies whether or not we're using an encrypted connection. pam_password ... tbe ...
ssl no
pam_password md5
| Note: You can also use the following. This will let the ldap server do the encrypting and storing of the password. This plays well with the smbk5pwd overlay. Po0ky |
pam_password exop
Don't forget to create the folder(s) referenced in the logdir directive. We can accomplish this with the following command:
# mkdir -p /var/log/nss_ldap
To avoid long timeout delays at boot time, set bind_policy to soft. This ensures no waiting for a timeout if slapd is not yet started and a service needs to switch user. Note that nss_ldap's ldap.conf takes the directive without an equals sign:
bind_policy soft
[edit] Configure Samba
Next we're going to tackle the big item, Samba. Configuring Samba can become quite a complex task in its own right, so we're going to keep our Samba config to the minimum necessary to get a PDC running with an LDAP backend.
The following is mostly cut and pasted out of the HOWTO Implement Samba as your PDC and modified for our needs. The following is /etc/samba/smb.conf.
The first section we will configure is the [global] services section, followed by [netlogon], [profiles], [homes] and other services sections. You'll need to change some values to meet your criteria.
[edit] The [global] service section
netbios name sets the NetBIOS name by which a Samba server is known. This is what you'll see in Network Neighborhood. workgroup controls what workgroup your server will appear to be in when queried by clients. This is also the DOMAIN you will work from if you are using one. server string controls what string will show up in the printer comment box in Print Manager and next to the IPC connection in net view.
IMPORTANT: make sure that your workgroup (domain) name is not a full DNS name in the Samba setup. Using a name such as domainexample.com here will make an XP client search your DNS server for AD SRV records when you try to join the domain. Setting it to "domainexample" is the best bet.
[global]
netbios name = COMPUTER_NAME
workgroup = YOUR_DOMAIN
server string = LDAP PDC [on Gentoo :: Samba server %v]
hosts allow is a comma-, space-, or tab-delimited set of hosts which are permitted to access a service. security affects how clients respond to Samba and is one of the most important settings in smb.conf. encrypt passwords controls whether encrypted passwords will be negotiated with the client. socket options allows you to set socket options to be used when talking with the client; it is for performance fine tuning. If you find more/better options, I'd love to know of them. interfaces allows you to override the default network interface list that Samba uses for browsing, name registration and other NBT traffic. bind interfaces only allows the Samba admin to limit which interfaces on a machine will serve SMB requests.
hosts allow = 192.168.4.0/24 127.0.0.0/8
security = user
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = lo eth0
bind interfaces only = yes
To make your Samba server the PDC, the following four parameters are required. Setting your os level to 65 ensures your server WILL BE the PDC in a network where there are other DCs. local master allows nmbd to try to become a local master browser on a subnet. os level controls what level Samba advertises itself as for browse elections. domain master enables WAN-wide browse list collation; setting this option causes nmbd to claim a special domain-specific NetBIOS name that identifies it as a domain master browser for its given workgroup. preferred master controls whether nmbd is a preferred master browser for its workgroup.
local master = yes
os level = 65
domain master = yes
preferred master = yes
null passwords allows or disallows client access to accounts that have null passwords. hide unreadable prevents clients from seeing the existence of files that cannot be read. hide dot files controls whether files starting with a dot appear as hidden files.
null passwords = no
hide unreadable = yes
hide dot files = yes
domain logons dictates whether the Samba server will serve Windows Domain logons for the workgroup it is in. logon script specifies the batch file (.bat) or NT command file (.cmd) to be downloaded and run on a machine when a user successfully logs in. logon path specifies the home directory where roaming profiles (NTuser.dat etc. files for Windows NT) are stored. logon drive specifies the local path to which the home directory will be connected and is only used by NT Workstations. logon home specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC. Please note that the variables %L and %U must be used. They define the server name and username (respectively). You may specify any drive letter as long as it does not conflict with other drives on your Win2k client.
For logon script, I personally use a static file name. Using %U will require a batch file for each user as %U == the username establishing the connection.
domain logons = yes
;logon script = login.bat OR %U.bat
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\%L\%U
IMPORTANT NOTE: This may sound pretty obvious, but will save you a ton of headaches and Windows-cursing. You really want to have your logon drive as Z:, just in case.
Why, you ask? Take a look at the following example: you have a computer with three HDD partitions (C:, D:, and E:), as well as a DVD reader (F:) and a CD-RW (G:). And, yes, your logon drive at H:. Common sense would suggest that, should you connect any removable media to this computer (say, a USB drive, an external DVD burner, etc.), it would get allocated as I:, right?
The first mistake here is that you assumed that Microsoft would use any common sense. Let me explain what happened to me in such a case. Apparently, the recently-inserted media tries to get H: and the only result is that it becomes inaccessible. Another example would be a computer that doesn't have such a heavily partitioned HDD, but is filled with removable media bays, just as any VAIO or HP you can find out there. --Demiurgo 00:49, 23 June 2006 (UTC)
wins support controls whether the nmbd process in Samba will act as a WINS server. name resolve order is used by the programs in the Samba suite to determine what naming services to use, and in what order, to resolve host names to IP addresses. dns proxy specifies that nmbd, when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name-querying client.
wins support = yes
name resolve order = wins lmhosts host bcast
dns proxy = no
time server determines whether nmbd advertises itself as a time server to Windows clients. The log file option allows you to override the name of the Samba log file (also known as the debug file). max log size specifies the maximum size the log file may grow to.
time server = yes
log file = /var/log/samba/log.%m
max log size = 50
The following parameters assist you in adding/deleting users/machines from a client. Note: using these parameters, which reference the smbldap-tools, means that you must install them when presented later in this HOWTO.
add user script = /usr/sbin/smbldap-useradd -m "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
...tbe...
passdb backend = ldapsam:ldap://127.0.0.1/
ldap delete dn = Yes
ldap ssl = no
winbind nested groups = no
| Note: You must add the line for winbind or samba will not start. This is a known bug in samba. Chucks |
The following settings refer to the positions of various LDAP objects in our directory. ldap suffix is the same one we entered in slapd.conf and is the root of our LDAP tree. ldap admin dn is the distinguished name of the rootdn previously named in slapd.conf. ldap xxxx suffix is the suffix of each of the containers you see, where xxxx = group, user, machine, idmap.
ldap suffix = dc=example,dc=net
ldap admin dn = cn=Manager,dc=example,dc=net
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
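Added example, not from the original page: a Python check that parses a [global] section in the layout shown above and flags the settings this section warns about (a DNS-style workgroup name, the four PDC parameters, domain logons, the ldapsam backend, the winbind nested groups line), plus a caveat about ldap ssl = no against a non-local server. The excerpt it parses is constructed and the rule set is this example's own assumption; testparm remains the authoritative check.

```python
import re

# Constructed [global] excerpt in the layout shown above; the workgroup has the
# DNS-name problem the text warns about and the winbind line is left out.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = domainexample.com
   local master = yes
   os level = 65
   domain master = yes
   preferred master = yes
   domain logons = yes
   ;logon script = login.bat
   passdb backend = ldapsam:ldap://127.0.0.1/
   ldap ssl = no
"""

# The four parameters the text says a PDC must carry, with their values.
PDC_REQUIRED = {"local master": "yes", "os level": "65",
                "domain master": "yes", "preferred master": "yes"}


def parse_smb_conf(text):
    """Minimal smb.conf reader: [section] headers, 'key = value' lines and
    ';'/'#' comments. Samba keys are case-insensitive, so they are lowered."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")  # first '=' only: DNs keep theirs
        if current is not None and sep:
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_pdc_global(conf):
    """Return human-readable findings for the [global] section."""
    g = conf.get("global", {})
    findings = []
    if "." in g.get("workgroup", ""):
        findings.append("workgroup looks like a DNS name; XP clients will "
                        "query DNS for AD SRV records when joining")
    for key, want in PDC_REQUIRED.items():
        if g.get(key, "").lower() != want:
            findings.append(f"{key} = {want} is required for a PDC")
    if g.get("domain logons", "").lower() != "yes":
        findings.append("domain logons = yes is needed to serve domain logons")
    backend = g.get("passdb backend", "")
    if not backend.startswith("ldapsam:"):
        findings.append("passdb backend is not ldapsam")
    if "winbind nested groups" not in g:
        findings.append("winbind nested groups line missing (see note above)")
    # Plaintext LDAP is tolerable on loopback or a unix socket, not across a LAN.
    local = backend.startswith(("ldapsam:ldap://127.0.0.1", "ldapsam:ldapi://"))
    if g.get("ldap ssl", "").lower() == "no" and not local:
        findings.append("ldap ssl = no to a remote server sends the admin dn "
                        "password in clear text")
    return findings
```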
[edit] The [SHARE_NAME] services section
This section defines your shares. If you include a parameter within any one of these sections that is defined in the global section it will override the parameter in the global section. I'm not going to get into detail about each and every parameter here. The samba link provided above is a great resource for defining parameters. Use it!
netlogon is the service section of where your Default Profile (for new users) and your login script reside. Make sure the directory is owned and group owned by root and permissions are 755 (chmod -R 0755).
[netlogon]
path = /var/lib/samba/netlogon
guest ok = Yes
browseable = no
write list = root
profiles is the service section for user roaming profiles. Make sure the directory proper is owned and group owned by root. Make sure its permission is 755 (chmod -R 1757). Inside this directory is where your user profiles are located.
[profiles]
path = /var/lib/samba/profiles
writable = yes
browseable = no
create mode = 0644
directory mode = 0755
guest ok = yes
homes defines the user's home directory. Nothing special needs to be done to this directive or directory.
[homes]
path = /home/%U
browseable = no
valid users = %S
read only = no
create mask = 0664
directory mask = 0775
public is only an example of one of my shares. You can define as many as you want. You can name them whatever you want. It does not have to be named [public].
[public]
comment = Public Stuff
path = /public
public = yes
read only = yes
browseable = yes
write list = @users
[edit] Finishing up Samba
Now that we have configured smb.conf with the rootdn, we need to store its password so Samba can bind as it. We can accomplish this with the following command:
# smbpasswd -w secret
Before we will be able to start samba we need to do a quick sanity check.
- check to make sure all folders referenced in /etc/samba/smb.conf actually exist
- ensure the proper permissions are on the folders referenced by netlogon and profiles (usually they aren't); we can fix them with chmod 0755 /path/to/folder
You should also use testparm to run a sanity check against smb.conf. You can do this by executing the following command.
# testparm
Make sure to add samba to the default runlevel
# rc-update add samba default
Now it's time to start up Samba:
# /etc/init.d/samba start
Now, with fingers crossed, we should have had a successful start.
[edit] Configure smbldap-tools
Next you will need to edit the two smbldap-tools config files, /etc/smbldap-tools/smbldap.conf and /etc/smbldap-tools/smbldap_bind.conf. Editing these files is straightforward and mostly means reflecting settings you have specified previously. With the exception of the lines noted below, edit the config files to suit your needs.
[edit] /etc/smbldap-tools/smbldap.conf
The directives ldapTLS, verify, and hash_encrypt have to be set as follows. Any of the other directives should be changed to match settings we have previously set in other files. If you don't know what a directive does, it should be safe to skip it.
ldapTLS="0"
verify="none"
hash_encrypt="MD5"
# Other configuration should be altered too!!!
[edit] /etc/smbldap-tools/smbldap_bind.conf
This file only needs to be updated with the rootdn that you have previously specified, as well as the secret password of the rootdn in plain text.
after editing the above files feel free to move onto the next section.
[edit] Using Smbk5pwd overlay
I'm still working on this subject; you can take a peek by checking out the Talk:HOWTO_LDAP_SAMBA_PDC_Basic_Setup - Po0ky
[edit] Common errors and fixes
chmod +r /etc/ldap.conf
With OpenLDAP 2.3 / nss_ldap-239+ a readable /etc/ldap.conf may not be enough. Use nscd (Name Service Cache Daemon):
/etc/init.d/nscd start
rc-update add nscd default
