[Samba] Initial samba + ldap howto

Wim Bakker koreander at planet.nl
Mon Apr 12 15:28:35 GMT 2004


A couple of days ago I decided that I needed a samba and ldap
setup. After reading the samba mailing list, specifically the
thread "Re: [Samba] Samba and LDAP backend - howto docs problems?",
I decided to buy the "Official Samba-3 HowTo and Reference Guide"
(the Samba-3 By Example mentioned in that thread wasn't available
in my bookstore and they couldn't order it for me either), expecting
to find a workable example for a setup, as I made out more or less
from the remarks in that thread that there would be, in chapter 2 specifically.
That chapter has an example (page 26), but I wouldn't recommend
actually using it: it's very limited and inaccurate, and lacks information
on what more is needed, which additional system packages etc. It says
in the beginning that a functioning OS is assumed, but that's rather
vague on what a functioning OS implies. From page 136 on there are
some more examples of the ldap pwdbackend, but hardly sufficient.
http://www.unav.es/cti/ldap-smb-howto.html contains some sketchy
info on how to get samba-3 and ldap working, but that document seems
to be incomplete and transitioning from samba-2 to samba-3.
One of the posters on the aforementioned thread remarked that an accurate,
complete, detailed config file is a great help for learning to grasp
what has to be done and how things work together. I agree, and following
are the steps I took to get a working samba-3 + ldap install. I hardly know
anything of linux or samba, let alone ldap, but from the mailing list
I understood that the following is necessary:
A goal:
get samba + ldap on slackware 9.1 with support for acl's working in a
usable state.
The means:
slackware-9.1
acl-2.2.22.src.tar.gz
attr-2.4.14.src.tar.gz
ea+acl+nfsacl+sec-2.4.24-0.8.69.diff.gz
linux-2.4.24.tar.gz
coreutils-5.0-attr+acl.tar.gz
nss_ldap.tgz
pam_ldap.tgz
perl-5.8.3.tar.gz
openldap-2.1.19.tgz
ldap-account-manager_0.4.5.tar.gz
Linux-PAM-0.77.tar.bz2
openssl-0.9.7d.tar.gz
db-4.2.52.tar.gz
samba-3.0.2a.tar.gz
smbldap-tools-0.8.4.tgz

I made the following install and configs. I don't know
how correct, secure or unnecessary they were, but in the end
I had a complete and correctly functioning ldap + samba setup
that was usable. It was especially frustrating to get the tls connection
working; it kept failing with the following error:
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1052
samba and ldap run on the same server. Besides the documented config
for slapd (/etc/openldap/slapd.conf):
TLSCertificateFile      /etc/ssl/certs/smb.ahm.nl.pem
TLSCertificateKeyFile   /etc/ssl/keys/smb.ahm.nl.key
TLSCACertificateFile    /etc/ssl/certs/ca.pem
it is also quite important that ldap knows how to verify
(/etc/ldap.conf, symlink to /etc/openldap/ldap.conf):
TLS_CACERT /etc/ssl/certs/ca.pem
Maybe the documentation that exists mentions it, but I couldn't
find it.
http://www.idealx.org/prj/samba/smbldap-tools.en.html was eventually
fairly helpful to get things right, including the initial populating
of the ldap database. Their site mentions two config files in
/etc/smbldap-tools, but I think that configuration is overruled by
the file /usr/lib/perl5/site_perl/5.8.3/smbldap_conf.pm, which contains
the same info as those config files. I moved /etc/smbldap-tools away
and everything still worked correctly with the parameters from
/usr/lib/perl5/site_perl/5.8.3/smbldap_conf.pm.
Also, I don't think pam_ldap is necessary if you don't have linux users.
Anyway, if the following example had been in the howto, I wouldn't
have wasted 4 days figuring out what was wrong/incomplete with the current example
in the howto book, but could have spent that time figuring out what it all
means. Everything comes from various websites, but there is no site where
it is complete in one place.

-slackware 9.1
standard installation without samba, ldap etc.; only basic + compiler + cups.

-openssl-0.9.7d
./config --prefix=/usr --openssldir=/etc/ssl shared zlib ; make ; make install

-perl-5.8.3
built with prefix=/usr , defaults accepted.
perl -MCPAN -e 'shell'
install Bundle::CPAN
(chose follow for dependencies)
install Net::LDAP
install Net::SSLeay
install IO::Socket::SSL

Net::SSLeay failed because of out of memory
during the tcp tests (I built everything on a dual P233 MMX
with 104Mb of edo-ram), but installed manually it went fine.

-Linux-PAM-0.77
./configure --prefix=/ --includedir=/usr/include --mandir=/usr/share/man \
--libexecdir=/usr/libexec --datadir=/usr/share --sysconfdir=/etc \
--localstatedir=/var --infodir=/usr/share/info \
--sharedstatedir=/usr/share/com
make install

/etc/pam.d/passwd :
password    required      pam_cracklib.so
password    sufficient    pam_ldap.so
password    sufficient    pam_unix.so
password    required      pam_deny.so
/etc/pam.d/login
auth        required      pam_nologin.so
auth        sufficient    pam_ldap.so
auth        sufficient    pam_unix.so shadow use_first_pass
auth        required      pam_deny.so
account     sufficient    pam_unix.so
account     sufficient    pam_ldap.so
account     required      pam_deny.so
/etc/pam.d/system-auth:

auth            required        /lib/security/pam_env.so
auth            sufficient      /lib/security/pam_unix.so likeauth nullok
auth            sufficient      /lib/security/pam_ldap.so use_first_pass
auth            required        /lib/security/pam_deny.so
account         required        /lib/security/pam_unix.so
account         sufficient      /lib/security/pam_ldap.so
password        required        /lib/security/pam_cracklib.so retry=3 type=
password        sufficient      /lib/security/pam_unix.so nullok use_authtok md5 shadow
password        sufficient      /lib/security/pam_ldap.so use_authtok
password        required        /lib/security/pam_deny.so
session         required        /lib/security/pam_limits.so
session         required        /lib/security/pam_unix.so
session         optional        /lib/security/pam_ldap.so

-db-4.2.52
../dist/configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-compat185 --enable-cxx
make ; make install

-openldap-2.1.x
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-passwd --enable-perl --enable-shell --enable-crypt --enable-rewrite \
--enable-ldap --enable-slapd --enable-dnssrv --enable-monitor \
--enable-shared ; make depend ; make ; make install

-nss_ldap and pam_ldap
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-shared
make install
/etc/nsswitch.conf:
passwd:         files ldap
shadow:         files ldap
group:          files ldap
/etc/pam_ldap.conf:
uri ldap://smb.ahm.nl/
base dc=ahm,dc=nl
pam_password exop
------------------------
TLS certs:
% cd /etc/ssl
% ./misc/CA.sh -newca 
CA certificate filename (or enter to create) <enter> 

etc... 
----- 
Country Name (2 letter code) [AU]:NL 
State or Province Name (full name) [Some-State]:Noordholland
Locality Name (eg, city) []:Amsterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:AHM 
Organizational Unit Name (eg, section) []:Suckers from Hell 
Common Name (eg, YOUR name) []:smb.ahm.nl 
Email Address []:. 
% 
This creates demoCA/cacert.pem and demoCA/private/cakey.pem (CA cert and 
private key). 

Make your server certificate signing request (CSR):

% openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem

Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Noordholland
Locality Name (eg, city) []:Amsterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:AHM
Organizational Unit Name (eg, section) []:Suckers from Hell
Common Name (eg, YOUR name) []:smb.ahm.nl
Email Address []:wastebin at office.desk

A challenge password []: <pass>
An optional company name []:.
% etc....

The result is newreq.pem. 

Have the CA sign the CSR: 

% ./misc/CA.sh -sign 
Using configuration from /etc/ssl/openssl.cnf 
Enter PEM pass phrase: <ca pass> 

Certificate is to be certified until Apr 10 18:58:58 2004 GMT (365 days) 
Sign the certificate? [y/n]:y 
 
1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated 
Certificate: 
 etc....
 
Signed certificate is in newcert.pem 
%

This creates newcert.pem (server certificate signed by CA) with private key, 
newreq.pem. 
Now the certificates can be moved to the desired certificate repository and 
renamed. 

% cp demoCA/cacert.pem /etc/ssl/certs/ca.pem 
% mv newcert.pem /etc/ssl/certs/smb.ahm.nl.pem 
% mv newreq.pem /etc/ssl/keys/smb.ahm.nl.key 
% chmod 400 /etc/ssl/keys/smb.ahm.nl.key
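The CA.sh -newca / -sign flow above done non-interactively, with the two checks that pin down a "tlsv1 alert unknown ca" failure. This is an added example, not part of the original post: the scratch directory, the CA names and the server name smb.example.test are constructed here, and the real files in the post live under /etc/ssl. The checks are what a client does with the file TLS_CACERT points at: the server certificate must chain to a CA the client actually trusts.

```shell
#!/bin/sh
# Added example, not from the original post: non-interactive version of the
# CA.sh -newca / -sign flow, plus the checks that explain "unknown ca".
# Everything below runs in a scratch directory; all names are constructed.

# Build a CA and a server certificate signed by it.
#   $1 = work dir   $2 = server common name   $3 = CA common name
make_ca_and_server_cert() {
    dir=$1; server_cn=$2; ca_cn=$3
    mkdir -p "$dir"
    # self-signed CA (what CA.sh -newca produces as demoCA/cacert.pem)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/C=NL/O=Example/CN=$ca_cn" >/dev/null 2>&1
    # server key + CSR (the "openssl req -newkey" step in the post)
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=NL/O=Example/CN=$server_cn" >/dev/null 2>&1
    # CA signs the CSR (CA.sh -sign)
    openssl x509 -req -days 2 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" >/dev/null 2>&1
    chmod 400 "$dir/ca.key" "$dir/server.key"
}

# Check 1: does the server certificate chain to the CA file a client trusts?
# Prints OK or FAIL.   $1 = CA file (what TLS_CACERT points at)   $2 = server cert
verify_chain() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

# Check 2: the server certificate's issuer must equal the trusted CA's subject.
# A mismatch means the client was handed a CA that never signed this cert,
# which is what the "tlsv1 alert unknown ca" in the post is reporting.
issuer_matches_ca() {
    issuer=$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    if [ "$issuer" = "$subject" ]; then echo OK; else echo FAIL; fi
}

# Demonstration: the signing CA passes both checks, an unrelated CA fails both.
demo_dir=$(mktemp -d)
make_ca_and_server_cert "$demo_dir"       smb.example.test "Example Test CA"
make_ca_and_server_cert "$demo_dir/other" smb.example.test "Unrelated CA"
echo "own CA:   chain=$(verify_chain "$demo_dir/ca.pem" "$demo_dir/server.pem") issuer=$(issuer_matches_ca "$demo_dir/ca.pem" "$demo_dir/server.pem")"
echo "wrong CA: chain=$(verify_chain "$demo_dir/other/ca.pem" "$demo_dir/server.pem") issuer=$(issuer_matches_ca "$demo_dir/other/ca.pem" "$demo_dir/server.pem")"
```

Against the post's own files, verify_chain /etc/ssl/certs/ca.pem /etc/ssl/certs/smb.ahm.nl.pem should print OK. A FAIL while issuer_matches_ca still says OK means the ca.pem the client was given has the right name but a different key, for instance a CA regenerated with a second CA.sh -newca after the server certificate was signed; a FAIL on both means the client is pointed at an unrelated CA.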
------------------
slappasswd -v -s secret:
{SSHA}O/K3UXbzgy6wmx+wx7hEuTn0MJTeOACw
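What the {SSHA} value above contains, as an added example that is not part of the original post: OpenLDAP's {SSHA} scheme is base64( SHA-1(password || salt) || salt ), and slappasswd uses a 4-byte salt. The two functions below build and verify such hashes with openssl and coreutils only, so a rootpw or userPassword value can be checked offline. The salt is random, so ssha_make produces a different string on every run (and a different one from the value above for the same password), while verifying any {SSHA} string is deterministic.

```shell
#!/bin/sh
# Added example, not from the original post: build and verify OpenLDAP
# {SSHA} password hashes, the scheme used for rootpw and userPassword here.
# Layout: "{SSHA}" + base64( SHA1(password || salt) || salt ), salt = 4 bytes.

to_hex() { od -An -tx1 | tr -d ' \n'; }     # raw bytes on stdin -> hex

# ssha_make PASSWORD  -> prints a fresh {SSHA} hash with a random 4-byte salt
ssha_make() {
    salt=$(mktemp)
    openssl rand 4 > "$salt"
    { { printf '%s' "$1"; cat "$salt"; } | openssl dgst -sha1 -binary; cat "$salt"; } \
        | openssl base64 | tr -d '\n' | sed 's/^/{SSHA}/'
    echo
    rm -f "$salt"
}

# ssha_verify HASH PASSWORD  -> prints "match" or "mismatch"
ssha_verify() {
    case $1 in "{SSHA}"*) ;; *) echo "not an {SSHA} value" >&2; return 2 ;; esac
    blob=$(mktemp)
    printf '%s' "$1" | cut -c7- | openssl base64 -d > "$blob"   # strip "{SSHA}"
    total=$(wc -c < "$blob")
    stored=$(head -c 20 "$blob" | to_hex)                          # first 20 bytes: digest
    computed=$( { printf '%s' "$2"; tail -c $((total - 20)) "$blob"; } \
                | openssl dgst -sha1 -binary | to_hex)            # remaining bytes: salt
    rm -f "$blob"
    if [ "$stored" = "$computed" ]; then echo match; else echo mismatch; fi
}

# Demonstration with a constructed password
h=$(ssha_make 'secret')
echo "generated: $h"
echo "secret -> $(ssha_verify "$h" 'secret')"
echo "Secret -> $(ssha_verify "$h" 'Secret')"
```

ssha_verify '{SSHA}O/K3UXbzgy6wmx+wx7hEuTn0MJTeOACw' secret checks the rootpw value from the post against the password the post says it was made from; the same call works for the base64-decoded userPassword values in the LDAP entries further down.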

/etc/openldap/slapd.conf:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/samba.schema
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args
TLSCertificateFile      /etc/ssl/certs/smb.ahm.nl.pem
TLSCertificateKeyFile   /etc/ssl/keys/smb.ahm.nl.key
TLSCACertificateFile    /etc/ssl/certs/ca.pem
TLSCipherSuite         EXPORT56
database        bdb
suffix          "dc=ahm,dc=nl"
rootdn          "cn=Manager,dc=ahm,dc=nl"
rootpw          {SSHA}O/K3UXbzgy6wmx+wx7hEuTn0MJTeOACw
directory       /var/openldap-data
cachesize       40000
index           cn,sn,uid,displayName           pres,sub,eq
index           uidNumber,gidNumber             eq
index           sambaSID                        eq
index           sambaPrimaryGroupSID            eq
index           sambaDomainName                 eq
index           default                         sub
index           memberUid                       eq
index           objectClass                     eq
access  to dn=".*,dc=ahm,dc=nl"
         by self                         write
         by *                            read
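A tighter access section for the slapd.conf above, as an added example (not part of the original post; the DNs are the ones used in this configuration). The single rule above, access to dn=".*,dc=ahm,dc=nl" by self write by * read, gives every client including anonymous binds read access to every attribute, so the userPassword, sambaLMPassword and sambaNTPassword values that appear in the entries later in this message can be read by anyone who can reach port 389, and self write on the whole entry lets a user change their own uidNumber, gidNumber or homeDirectory. The rules below keep anonymous read on the ordinary attributes, which the /etc/ldap.conf shown later depends on because nss_ldap there binds without a binddn, and restrict the password attributes to bind-only for everyone but the owner and the Samba admin DN. slapd takes the first "access to" clause that matches, so the attrs rule has to come before the subtree rule.

```conf
# Added example (not from the original post). Replaces the single
# "access to dn=..." rule in the slapd.conf above; other directives stay.

# 1. Password attributes: owner and the Samba admin DN may write, anonymous
#    may only use them to bind ("auth"), nobody else may read them.
#    rootdn bypasses ACLs anyway; the explicit clause matters as soon as
#    "ldap admin dn" in smb.conf is pointed at an account other than rootdn.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="cn=Manager,dc=ahm,dc=nl"   write
        by self                           write
        by anonymous                      auth
        by *                              none

# 2. Everything else: anonymous read is kept because nss_ldap in this setup
#    binds without a binddn; users no longer get write on their own entry.
access to dn.subtree="dc=ahm,dc=nl"
        by dn="cn=Manager,dc=ahm,dc=nl"   write
        by *                              read

# Also worth changing: EXPORT56 limits slapd to 56-bit export-grade ciphers.
TLSCipherSuite  HIGH
```

With these rules in place, pam_ldap's "pam_password exop" still works (the user binds as self and has write on userPassword), and Samba still keeps sambaNTPassword in sync through the ldap admin dn.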


-------------------------
/etc/ldap.conf:
# LDAP Defaults
#
host 10.0.0.20
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE            dc=ahm,dc=nl
#URI            ldap://smb.ahm.nl
nss_base_passwd dc=ahm,dc=nl?sub
nss_base_shadow dc=ahm,dc=nl?sub
nss_base_group  dc=ahm,dc=nl?one
ssl             no
pam_passwd      md5
TLS_CACERT /etc/ssl/certs/ca.pem
------------------------------

-acl-2.2.x and attr-2.4.x from sgi and kernel patches from bestbits.
Build kernel with acl support etc. and libraries.
Patched and rebuilt the coreutils after that also.
Mount filesystems with the acl,user_xattr options to have it work (ext2,ext3).

-samba-3.0.2a
./configure --with-automount --with-smbmount --with-acl-support \
--with-libsmbclient --with-configdir=/etc/samba \
--with-logfilebase=/var/log/samba --with-privatedir=/etc/samba/private \
--with-lockdir=/var/lock/samba --with-piddir=/var/run --enable-cups \
--with-ldap ; make install

/etc/samba/smb.conf:
[global]
        workgroup = AHM
        netbios name = LAVIE
        server string = Samba PDC running %v
        passdb backend = ldapsam:ldap://localhost
        username map = /etc/samba/smbusers
        encrypt passwords = Yes
        update encrypted = Yes
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
        add user script = /usr/local/sbin/smbldap-useradd -m "%u"
        add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
        add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
        logon script = logon.bat
        logon path = \\%L\profiles\%U
        logon drive = H:
        logon home = \\%L\%U\.profile
        domain logons = Yes
        os level = 255
        preferred master = Yes
        domain master = Yes
        local master = Yes
        wins support = Yes
        ldap suffix = dc=ahm,dc=nl
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=People
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=People
        ldap admin dn = "cn=Manager,dc=ahm,dc=nl"
        ldap ssl = start_tls
        ldap passwd sync = yes
        ldap delete dn = Yes
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        winbind separator = +

Still not sure what idmap uid and gid exactly do, but the
entries don't seem to be harmful up till now. The reference
guide and howto explain it (page 151), but I don't understand
that explanation or its implications. It doesn't seem to influence
the UID_START and GID_START parameters of the smbldap_tools or prevent
the correct working of the net command, so I suppose it's ok to have
them there.
----------------------
smbldap-tools.
extracted to /usr/local/sbin
moved smbldap_conf.pm  and smbldap_tools.pm
to /usr/lib/perl5/site_perl/5.8.3/
built mkntpwd and moved to /usr/local/sbin.
-------------------
smbldap_conf.pm variables:
$UID_START = 1000;
$GID_START = 1000;
# to obtain this number do: "net getlocalsid"
$SID = "S-1-5-21-4269728302-1655870493-3894479995";
$slaveLDAP = "127.0.0.1";
$slavePort = "389";

# Master LDAP : needed for write operations
# Ex: $masterLDAP = "127.0.0.1";
$masterLDAP = "127.0.0.1";
$masterPort = "389";

# Use SSL for LDAP
# If set to "1", this option will use start_tls for connection
# (you should also used the port 389)
$ldapSSL = "1";
$suffix = "dc=ahm,dc=nl";
$usersou = q(People);
$usersdn = "ou=People,$suffix";
$computersou = q(Computers);
$computersdn = "ou=Computers,$suffix";
$groupsou = q(Groups);
$groupsdn = "ou=Groups,$suffix";
$scope = "sub";
$hash_encrypt = "SSHA";
$binddn = "cn=Manager,$suffix";
$bindpasswd = "secret";
$slaveDN = $binddn;
$slavePw = $bindpasswd;
$masterDN = $binddn;
$masterPw = $bindpasswd;
$_userLoginShell = q(/bin/false);
$_userHomePrefix = q(/shares/home);
$_userGecos = q(System User);
$_defaultUserGid = 513;
$_defaultComputerGid = 553;
$_skeletonDir = q(/etc/skel);
$_defaultMaxPasswordAge = 45;

$_userSmbHome = q(\\\\LAVIE\\homes);
$_userProfile = q(\\\\LAVIE\\profiles\\);
$_userHomeDrive = q(H:);
$_userScript = q(startup.cmd); # make sure script file is edited under dos
$with_smbpasswd = 0;
$smbpasswd = "/usr/local/samba/bin/smbpasswd";
$mk_ntpasswd = "/usr/local/sbin/mkntpwd";
$slaveURI = "ldap://$slaveLDAP:$slavePort";
$masterURI = "ldap://$masterLDAP:$masterPort";

$ldap_path = "/usr/bin";

if ( $ldapSSL eq "0" ) {
        $ldap_opts = "-x";
} elsif ( $ldapSSL eq "1" ) {
        $ldap_opts = "-x -Z";
} else {
        die "ldapSSL option must be either 0 or 1.\n";
}
$ldapmodify = "$ldap_path/ldapmodify $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'";

1;

# - The End
# I think the $_userSmbHome and the $_userProfile should be
# q(\\\\LAVIE\\$user) and q(\\\\LAVIE\\profiles\\$user) resp.;
# with the LAM web interface that comes out correct.
-----------------------------------

Now starting /usr/libexec/slapd and /usr/local/samba/sbin/nmbd and
/usr/local/samba/sbin/smbd.

run:
% smbpasswd -w secret
Setting stored password for "cn=Manager,dc=ahm,dc=nl" in secrets.tdb

running smbldap_populate.pl fills ldap with the first initial
entries:
dn: sambaDomainName=AHM,dc=ahm,dc=nl
sambaDomainName: AHM
sambaSID: S-1-5-21-4269728302-1655870493-3894479995
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 41000
sambaNextGroupRid: 41001
structuralObjectClass: sambaDomain
entryUUID: 02deaf3c-2013-1028-860e-bb5268b7f8fd
creatorsName: cn=Manager,dc=ahm,dc=nl
createTimestamp: 20040411144816Z
entryCSN: 2004041114:48:16Z#0x0001#0#0000
modifiersName: cn=Manager,dc=ahm,dc=nl
modifyTimestamp: 20040411144816Z
etc...

added to /etc/group:
wheel:x:512:root,administrator
smbusers:x:513:
smbguests:x:514:
exact:x:1000:

net groupmap list:
Domain Admins (S-1-5-21-4269728302-1655870493-3894479995-512) -> wheel
Domain Users (S-1-5-21-4269728302-1655870493-3894479995-513) -> smbusers
Domain Guests (S-1-5-21-4269728302-1655870493-3894479995-514) -> smbguests
exact (S-1-5-21-4269728302-1655870493-3894479995-3001) -> exact

smbldap-groupshow.pl exact:
dn: cn=exact,ou=Groups,dc=ahm,dc=nl
objectClass: posixGroup,sambaGroupMapping
cn: exact
gidNumber: 1000
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-3001
sambaGroupType: 4
memberUid: gerrit,piet


net rpc group LIST global -U administrator
Password:
Domain Admins
Domain Users
Domain Guests
Administrators
users
Guests
Power Users
Account Operators
Server Operators
Print Operators
Backup Operators
Replicator
Domain Computers

smbldap-useradd.pl -a -G 'Domain Admins' -d /shares/home/thadeus -s /bin/false \
  -P -F '\\LAVIE\profiles\thadeus' -S 'Hermitage' -m -N "Thadeus Hermitage" \
  -C '\\LAVIE\thadeus' thadeus
adds thadeus to the domain admins and the domain users:
dn: uid=thadeus,ou=People,dc=ahm,dc=nl
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
cn: Thadeus Hermitage
sn: Hermitage
uid: thadeus
uidNumber: 1004
gidNumber: 513
homeDirectory: /shares/home/thadeus
loginShell: /bin/false
gecos: System User
description: System User
structuralObjectClass: inetOrgPerson
entryUUID: e3926754-20cb-1028-9934-bb74a2f96abc
creatorsName: cn=Manager,dc=ahm,dc=nl
createTimestamp: 20040412125141Z
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-3008
sambaPrimaryGroupSID: S-1-5-21-4269728302-1655870493-3894479995-513
sambaHomeDrive: H:
sambaLogonScript: startup.cmd
sambaProfilePath: \\LAVIE\profiles\thadeus
sambaHomePath: \\LAVIE\thadeus
sambaLMPassword: 4411488B6354F2B8AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 7E07C8CA84F5765D8B5DFCF7AC5CEE04
sambaPwdLastSet: 1081774312
sambaPwdMustChange: 1085662312
userPassword:: e1NTSEF9R1FkakxPN1Bhc09OaEJQOXF5ZkNFN0dkOTBtTy96YjM=
entryCSN: 2004041212:51:52Z#0x0002#0#0000
modifiersName: cn=Manager,dc=ahm,dc=nl
modifyTimestamp: 20040412125152Z

and :
dn: cn=Domain Admins,ou=Groups,dc=ahm,dc=nl
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: Administrator
memberUid: thadeus
description: Netbios Domain Administrators
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-512
sambaGroupType: 2
displayName: Domain Admins
structuralObjectClass: posixGroup
entryUUID: 72f46890-2011-1028-8600-bb5268b7f8fd
creatorsName: cn=Manager,dc=ahm,dc=nl
createTimestamp: 20040411143705Z
entryCSN: 2004041212:51:42Z#0x0001#0#0000
modifiersName: cn=Manager,dc=ahm,dc=nl
modifyTimestamp: 20040412125142Z

ls -l /shares/home:
drwx------+   2 gerrit   smbusers     4096 Apr 11 19:01 gerrit
drwx------+   2 hornie   smbusers     4096 Apr 12 16:40 hornie
drwx------+   2 krelis   smbusers     4096 Apr 11 20:58 krelis
drwx------+   2 thadeus  smbusers     4096 Apr 12 14:51 thadeus

The only necessity is still to manually add the groups
for groupmapping to /etc/group, otherwise the users can't access the
shares that are accessible for groups. I thought it would be
enough to add the group smbusers to ldap with the same gid as
"Domain Users" and that the entry in nsswitch.conf, group: files ldap,
would do the rest, but that is not the case, though it is for users.
Don't understand why or how.

smbldap-groupadd.pl has the option -t, which is the group type; apparently
this can take the following types, domain, local and builtin, which will
be the sambaGroupTypes 2, 4 and 5, which refer to, I think, the windows
types:
         SID_NAME_USE_NONE = 0, /* NOTUSED */
         SID_NAME_USER     = 1, /* user */
         SID_NAME_DOM_GRP  = 2, /* domain group */
         SID_NAME_DOMAIN   = 3, /* domain: don't know what this is */
         SID_NAME_ALIAS    = 4, /* local group */
         SID_NAME_WKN_GRP  = 5, /* well-known group */
         SID_NAME_DELETED  = 6, /* deleted account: needed for c2 rating */
         SID_NAME_INVALID  = 7, /* invalid account */
         SID_NAME_UNKNOWN  = 8  /* oops. */
as found on one of the websites.
What one should choose when creating a group is not clear to me. I suppose
that type 2 is a windows domain group, visible with windows tools, and
needs to be mapped to a unix group with the same gid to function.
Type 4 is a local unix group and has no groupmapping but exists in the
ldap database and in /etc/group with the same gid. Type 5 is a riddle.
Hope this helps getting samba + ldap up and running a little faster
than I did.

WB 

