[Samba] Initial samba + ldap howto

John Schmerold john at katy.com
Mon Apr 12 16:33:32 GMT 2004


Thanks for this information. Later this week, I'm scheduled to attempt 
installation of SAMBA+LDAP using the by Example book. I'll let you know 
how it goes. The by Example books seem better than the How-To in terms 
of practical information needed to get a server up and running. The only 
problem with the by Example book is that it's a bit long. In addition, 
it does the same thing every other Linux book does, that is, it goes into 
detail about too many approaches to doing things. When I searched for 
the word Linux on Amazon, I came up with 3,735 books. I wish one of them 
specifically outlined how to do what I want done, that is, a book that 
helps me configure a SBS (Microsoft Small Business Server) replacement.

I may be missing something, but in essence it would be a series of books:
Replacing SBS with Linux (second edition):
1. Download & install Fedora
2. Install LDAP and configure for use with SAMBA & postfix
3. Download & install Samba
4. Download & install postfix/courier/squirrelmail
5. Download & install ClamAV/Spam Assassin/TDMA
6. Download & install Apache
7. Keeping system up to date with YUM
8. Appendix 1 - Updating first edition of this book
Replacing linksys with Linux
1. Configuring netfilter
2. Configuring VPN - Server
3. Configuring VPN - Client
4. Download & install dansguardian.
5. Configure PPPOE

There could be different books for different distributions. Most people 
reading (myself included) don't care about many of the decisions. For 
example I don't care about Fedora vs SUSE vs Debian, I am going with 
Fedora at this time because I wanted ACLs found in Kernel 2.6. I don't 
care about Courier vs Dovecot. I do care about LDAP because this is the 
holy grail of system administration: with LDAP, you can have a central 
addressbook / account store etc. just like NWAdmin or Domain Manager.


Wim Bakker wrote:

>A couple of days ago I decided that I needed a samba and ldap
>setup. After reading the samba mailing list , specifically the
>thread "Re: [Samba] Samba and LDAP backend - howto docs problems?"
>I decided to buy the "Official Samba-3 HowTo and Reference Guide",
>(the Samba-3 By Example mentioned in that thread wasn't available
>in my bookstore and they couldn't order it for me either) expecting
>to find a workable example for a setup, as I made out more or less
>from the remarks in that thread there would be, chapter 2 specifically.
>That chapter has an example (page 26) but I wouldn't recommend 
>actually using it, it's very limited and inaccurate, lacks information
>of what more is needed, which additional system packages etc. It says
>in the beginning that a functioning OS is assumed, but that's rather
>vague on what a functioning OS implies. From page 136 on there are
>some more examples of ldap pwdbackend, but hardly sufficient.
> http://www.unav.es/cti/ldap-smb-howto.html contains some sketchy
>info on how to get samba-3 and ldap working, but that document seems
>to be incomplete and transitioning from samba-2 to samba-3.
>One of the posters on the aforementioned thread remarked that an accurate,
>complete, detailed config file is a great help for learning to grasp
>what has to be done and how things work together. I agree, and following
>are the steps I took to get a working samba-3 + ldap install. I hardly know
>anything of linux or samba, let alone ldap, but from the mailing list
>I understood that the following is necessary:
>A goal:
>get samba + ldap on slackware 9.1 with support for ACLs in a usable
>state working.
>The means:
>I made the following install and configs, I don't know
>how correct or secure or unnecessary they were; in the end 
>I had a complete and correctly functioning ldap + samba setup
>that was usable. It was especially frustrating to get the tls connection
>working, it kept failing with the following error:
>TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca 
>samba and ldap run on the same server. Besides the documented config
>for slapd (/etc/openldap/slapd.conf):
>TLSCertificateFile      /etc/ssl/certs/smb.ahm.nl.pem
>TLSCertificateKeyFile   /etc/ssl/keys/smb.ahm.nl.key
>TLSCACertificateFile    /etc/ssl/certs/ca.pem
>Quite important is also that ldap knows how to verify:
>(/etc/ldap.conf symlink to /etc/openldap/ldap.conf):
>TLS_CACERT /etc/ssl/certs/ca.pem
>Maybe the documentation that exists mentions it, but I couldn't
>find it. 
>http://www.idealx.org/prj/samba/smbldap-tools.en.html was eventually
>fairly helpful to get things right, including the initial populating
>of the ldap database. Their site mentions two config files in 
>/etc/smbldap-tools, but I think that configuration is overruled by
>the file /usr/lib/perl5/site_perl/5.8.3/smbldap_conf.pm, which contains
>the same info as those config files. I moved the /etc/smbldap-tools away
>and everything still worked correctly with the parameters from
>Also, I don't think pam_ldap is necessary if you don't have linux users.
>Anyways, if the following example had been in the howto, I wouldn't have
>wasted 4 days figuring out what was wrong/incomplete with the current example
>in the howto book, but could have spent that time figuring out what it all
>means. Everything comes from various websites, but there is no site where
>it is complete in one place.
>-slackware 9.1 
>standard installation without samba and ldap etc. only basic + compiler +cups.
>./config --prefix=/usr --openssldir=/etc/ssl shared zlib ; make ; make install
>built with prefix=/usr , defaults accepted.
>perl -MCPAN -e 'shell'
>install Bundle::CPAN
>(chose follow for dependencies)
>install Net::LDAP
>install Net::SSLeay
>install IO::Socket::SSL
>Net::SSLeay failed because of out of memory
>during tcp tests (I built everything on a dual P233 MMX
>with 104 MB of EDO RAM), but manually it installed fine.
>./configure --prefix=/ --includedir=/usr/include --mandir=/usr/share/man \ 
>--libexecdir=/usr/libexec --datadir=/usr/share --sysconfdir=/etc \
>--localstatedir=/var  --infodir=/usr/share/info 
>make install.
>/etc/pam.d/passwd :
>password    required      pam_cracklib.so
>password    sufficient    pam_ldap.so
>password    sufficient    pam_unix.so
>password    required      pam_deny.so
>auth        required      pam_nologin.so
>auth        sufficient    pam_ldap.so
>auth        sufficient    pam_unix.so shadow use_first_pass
>auth        required      pam_deny.so
>account     sufficient    pam_unix.so
>account     sufficient    pam_ldap.so
>account     required      pam_deny.so
>auth            required        /lib/security/pam_env.so
>auth            sufficient      /lib/security/pam_unix.so likeauth nullok
>auth            sufficient      /lib/security/pam_ldap.so use_first_pass
>auth            required        /lib/security/pam_deny.so
>account         required        /lib/security/pam_unix.so
>account         sufficient      /lib/security/pam_ldap.so
>password        required        /lib/security/pam_cracklib.so retry=3 type=
>password        sufficient      /lib/security/pam_unix.so nullok use_authtok md5 shadow
>password        sufficient      /lib/security/pam_ldap.so use_authtok
>password        required        /lib/security/pam_deny.so
>session         required        /lib/security/pam_limits.so
>session         required        /lib/security/pam_unix.so
>session         optional        /lib/security/pam_ldap.so
>../dist/configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
>--enable-compat185 --enable-cxx 
>make and make install
>./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
>--enable-passwd --enable-perl --enable-shell --enable-crypt  --enable-rewrite \
>--enable-ldap --enable-slapd --enable-dnssrv --enable-monitor \
>--enable-shared; make depend ; make ; make install 
>-nss_ldap and pam_ldap
>./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var 
>make install
>passwd:         files ldap
>shadow:         files ldap
>group:          files ldap
>uri ldap://smb.ahm.nl/
>base dc=ahm,dc=nl
>pam_password exop
>TLS certs:
>% cd /etc/ssl
>% ./misc/CA.sh -newca 
>CA certificate filename (or enter to create) <enter> 
>Country Name (2 letter code) [AU]:NL 
>State or Province Name (full name) [Some-State]:Noordholland
>Locality Name (eg, city) []:Amsterdam
>Organization Name (eg, company) [Internet Widgits Pty Ltd]:AHM 
>Organizational Unit Name (eg, section) []:Suckers from Hell 
>Common Name (eg, YOUR name) []:smb.ahm.nl 
>Email Address []:. 
>This creates demoCA/cacert.pem and demoCA/private/cakey.pem (CA cert and 
>private key). 
>Make your server certificate signing request (CSR): 
>Country Name (2 letter code) [AU]:NL 
>State or Province Name (full name) [Some-State]:Noordholland
>Locality Name (eg, city) []:Amsterdam
>Organization Name (eg, company) [Internet Widgits Pty Ltd]:AHM 
>Organizational Unit Name (eg, section) []:Suckers from Hell 
>Common Name (eg, YOUR name) []:smb.ahm.nl 
>Email Address []:wastebin at office.desk
>% openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem 
>A challenge password []: <pass> 
>An optional company name []:. 
>% etc....
>The result is newreq.pem. 
>Have the CA sign the CSR: 
>% ./misc/CA.sh -sign 
>Using configuration from /etc/ssl/openssl.cnf 
>Enter PEM pass phrase: <ca pass> 
>Certificate is to be certified until Apr 10 18:58:58 2004 GMT (365 days) 
>Sign the certificate? [y/n]:y 
>1 out of 1 certificate requests certified, commit? [y/n]y 
>Write out database with 1 new entries 
>Data Base Updated 
> etc....
>Signed certificate is in newcert.pem 
>This creates newcert.pem (server certificate signed by CA) with private key, 
>Now the certificates can be moved to the desired certificate repository and 
>% cp demoCA/cacert.pem /etc/ssl/certs/ca.pem 
>% mv newcert.pem /etc/ssl/certs/smb.ahm.nl.pem 
>% mv newreq.pem /etc/ssl/keys/smb.ahm.nl.key 
>% chmod 400 /etc/ssl/keys/smb.ahm.nl.key
>slappasswd -v -s secret:
># See slapd.conf(5) for details on configuration options.
># This file should NOT be world readable.
>include         /etc/openldap/schema/core.schema
>include         /etc/openldap/schema/cosine.schema
>include         /etc/openldap/schema/nis.schema
>include         /etc/openldap/schema/inetorgperson.schema
>include         /etc/openldap/schema/samba.schema
>pidfile         /var/run/slapd.pid
>argsfile        /var/run/slapd.args
>TLSCertificateFile      /etc/ssl/certs/smb.ahm.nl.pem
>TLSCertificateKeyFile   /etc/ssl/keys/smb.ahm.nl.key
>TLSCACertificateFile    /etc/ssl/certs/ca.pem
>TLSCipherSuite         EXPORT56
>database        bdb
>suffix          "dc=ahm,dc=nl"
>rootdn          "cn=Manager,dc=ahm,dc=nl"
>rootpw          {SSHA}O/K3UXbzgy6wmx+wx7hEuTn0MJTeOACw
>directory       /var/openldap-data
>cachesize       40000
>index           cn,sn,uid,displayName           pres,sub,eq
>index           uidNumber,gidNumber             eq
>index           sambaSID                        eq
>index           sambaPrimaryGroupSID            eq
>index           sambaDomainName                 eq
>index           default                         sub
>index memberUid     eq
>index   objectClass     eq
>access  to dn=".*,dc=ahm,dc=nl"
>         by self                         write
>         by *                            read
># LDAP Defaults
># See ldap.conf(5) for details
># This file should be world readable but not world writable.
>BASE            dc=ahm,dc=nl
>#URI            ldap://smb.ahm.nl
>nss_base_passwd dc=ahm,dc=nl?sub
>nss_base_shadow dc=ahm,dc=nl?sub
>nss_base_group  dc=ahm,dc=nl?one
>ssl             no
>pam_passwd      md5
>TLS_CACERT /etc/ssl/certs/ca.pem
>-acl-2.2.x and attr-2.4.x from sgi and kernel patches from bestbits.
>Build kernel with acl support etc. and libraries. 
>patched and rebuilt the coreutils after that also.
>mount filesystems with acl,user_xattr options to have it work (ext2,ext3).
>./configure --with-automount --with-smbmount --with-acl-support \
>--with-libsmbclient --with-configdir=/etc/samba \
>--with-logfilebase=/var/log/samba --with-privatedir=/etc/samba/private \
>--with-lockdir=/var/lock/samba --with-piddir=/var/run --enable-cups \
>--with-ldap ; make install
>        workgroup = AHM
>        netbios name = LAVIE
>        server string = Samba PDC running %v
>        passdb backend = ldapsam:ldap://localhost
>        username map = /etc/samba/smbusers
>        encrypt passwords = Yes
>        update encrypted = Yes
>        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 
>        add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>        add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>        add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>        add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" 
>        delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
>        set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" 
>        logon script = logon.bat
>        logon path = \\%L\profiles\%U
>        logon drive = H:
>        logon home = \\%L\%U\.profile
>        domain logons = Yes
>        os level = 255
>        preferred master = Yes
>        domain master = Yes
>        local master = Yes
>        wins support = Yes
>        ldap suffix = dc=ahm,dc=nl
>        ldap machine suffix = ou=Computers
>        ldap user suffix = ou=People
>        ldap group suffix = ou=Groups
>        ldap idmap suffix = ou=People
>        ldap admin dn = "cn=Manager,dc=ahm,dc=nl"
>        ldap ssl = start_tls
>        ldap passwd sync = yes
>        ldap delete dn = Yes
>        idmap uid = 15000-20000
>        idmap gid = 15000-20000
>        winbind separator = +
>Still not sure what idmap uid and gid now exactly do, but the
>entries don't seem to be harmful up till now. The reference
>guide and howto explain it (page 151), but I don't understand 
>that explanation or its implication. It doesn't seem to influence
>the UID_START GID_START parameters of the smbldap_tools or prevent
>the correct working of the net command, so I suppose it's ok to have
>them there.
>extracted to /usr/local/sbin
>moved smbldap_conf.pm  and smbldap_tools.pm
>to /usr/lib/perl5/site_perl/5.8.3/
>built mkntpwd and moved to /usr/local/sbin.
>smbldap_conf.pm variables:
>$UID_START = 1000;
>$GID_START = 1000;
># to obtain this number do: "net getlocalsid"
>$SID = "S-1-5-21-4269728302-1655870493-3894479995";
>$slaveLDAP = "";
>$slavePort = "389";
># Master LDAP : needed for write operations
># Ex: $masterLDAP = "";
>$masterLDAP = "";
>$masterPort = "389";
># Use SSL for LDAP
># If set to "1", this option will use start_tls for connection
># (you should also used the port 389)
>$ldapSSL = "1";
>$suffix = "dc=ahm,dc=nl";
>$usersou = q(People);
>$usersdn = "ou=People,$suffix";
>$computersou = q(Computers);
>$computersdn = "ou=Computers,$suffix";
>$groupsou = q(Groups);
>$groupsdn = "ou=Groups,$suffix";
>$scope = "sub";
>$hash_encrypt = "SSHA";
>$binddn = "cn=Manager,$suffix";
>$bindpasswd = "secret";
>$slaveDN = $binddn;
>$slavePw = $bindpasswd;
>$masterDN = $binddn;
>$masterPw = $bindpasswd;
>$_userLoginShell = q(/bin/false);
>$_userHomePrefix = q(/shares/home);
>$_userGecos = q(System User);
>$_defaultUserGid = 513;
>$_defaultComputerGid = 553;
>$_skeletonDir = q(/etc/skel);
>$_defaultMaxPasswordAge = 45;
>$_userSmbHome = q(\\\\LAVIE\\homes);
>$_userProfile = q(\\\\LAVIE\\profiles\\);
>$_userHomeDrive = q(H:);
>$_userScript = q(startup.cmd); # make sure script file is edited under dos
>$with_smbpasswd = 0;
>$smbpasswd = "/usr/local/samba/bin/smbpasswd";
>$mk_ntpasswd = "/usr/local/sbin/mkntpwd";
>$slaveURI = "ldap://$slaveLDAP:$slavePort";
>$masterURI = "ldap://$masterLDAP:$masterPort";
>$ldap_path = "/usr/bin";
>if ( $ldapSSL eq "0" ) {
>        $ldap_opts = "-x";
>} elsif ( $ldapSSL eq "1" ) {
>        $ldap_opts = "-x -Z";
>} else {
>        die "ldapSSL option must be either 0 or 1.\n";
>}
>$ldapmodify = "$ldap_path/ldapmodify $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'";
># - The End
>#I think the  $_userSmbHome and the $_userProfile should be
>#q(\\\\LAVIE\\$user) and q(\\\\LAVIE\\profiles\\$user) resp.
>#with the lam webinterface that gets correct.
>Now starting /usr/libexec/slapd and /usr/local/samba/sbin/nmbd and
>%smbpasswd -w secret
>%Setting stored password for "cn=Manager,dc=ahm,dc=nl" in secrets.tdb
>running smbldap_populate.pl fills ldap with the first initial
>dn: sambaDomainName=AHM,dc=ahm,dc=nl
>sambaDomainName: AHM
>sambaSID: S-1-5-21-4269728302-1655870493-3894479995
>sambaAlgorithmicRidBase: 1000
>objectClass: sambaDomain
>sambaNextUserRid: 41000
>sambaNextGroupRid: 41001
>structuralObjectClass: sambaDomain
>entryUUID: 02deaf3c-2013-1028-860e-bb5268b7f8fd
>creatorsName: cn=Manager,dc=ahm,dc=nl
>createTimestamp: 20040411144816Z
>entryCSN: 2004041114:48:16Z#0x0001#0#0000
>modifiersName: cn=Manager,dc=ahm,dc=nl
>modifyTimestamp: 20040411144816Z
>added to /etc/group:
>net groupmap list:
>Domain Admins (S-1-5-21-4269728302-1655870493-3894479995-512) -> wheel
>Domain Users (S-1-5-21-4269728302-1655870493-3894479995-513) -> smbusers
>Domain Guests (S-1-5-21-4269728302-1655870493-3894479995-514) -> smbguests
>exact (S-1-5-21-4269728302-1655870493-3894479995-3001) -> exact
>smbldap-groupshow.pl exact:
>dn: cn=exact,ou=Groups,dc=ahm,dc=nl
>objectClass: posixGroup,sambaGroupMapping
>cn: exact
>gidNumber: 1000
>sambaSID: S-1-5-21-4269728302-1655870493-3894479995-3001
>sambaGroupType: 4
>memberUid: gerrit,piet
>net rpc group LIST global -U administrator
>Domain Admins
>Domain Users
>Domain Guests
>Power Users
>Account Operators
>Server Operators
>Print Operators
>Backup Operators
>Domain Computers
>smbldap-useradd.pl -a -G 'Domain Admins' -d /shares/home/thadeus -s /bin/false \
>-P -F '\\LAVIE\profiles\thadeus' -s 'Hermitage' -m -N "Thadeus Hermitage" \
>-C '\\LAVIE\thadeus' thadeus :
>adds thadeus to the domain admins and the domain users:
>dn: uid=thadeus,ou=People,dc=ahm,dc=nl
>objectClass: top
>objectClass: inetOrgPerson
>objectClass: posixAccount
>objectClass: sambaSamAccount
>cn: Thadeus Hermitage
>sn: Hermitage
>uid: thadeus
>uidNumber: 1004
>gidNumber: 513
>homeDirectory: /shares/home/thadeus
>loginShell: /bin/false
>gecos: System User
>description: System User
>structuralObjectClass: inetOrgPerson
>entryUUID: e3926754-20cb-1028-9934-bb74a2f96abc
>creatorsName: cn=Manager,dc=ahm,dc=nl
>createTimestamp: 20040412125141Z
>sambaLogonTime: 0
>sambaLogoffTime: 2147483647
>sambaKickoffTime: 2147483647
>sambaPwdCanChange: 0
>displayName: System User
>sambaSID: S-1-5-21-4269728302-1655870493-3894479995-3008
>sambaPrimaryGroupSID: S-1-5-21-4269728302-1655870493-3894479995-513
>sambaHomeDrive: H:
>sambaLogonScript: startup.cmd
>sambaProfilePath: \\LAVIE\profiles\thadeus
>sambaHomePath: \\LAVIE\thadeus
>sambaLMPassword: 4411488B6354F2B8AAD3B435B51404EE
>sambaAcctFlags: [U]
>sambaNTPassword: 7E07C8CA84F5765D8B5DFCF7AC5CEE04
>sambaPwdLastSet: 1081774312
>sambaPwdMustChange: 1085662312
>userPassword:: e1NTSEF9R1FkakxPN1Bhc09OaEJQOXF5ZkNFN0dkOTBtTy96YjM=
>entryCSN: 2004041212:51:52Z#0x0002#0#0000
>modifiersName: cn=Manager,dc=ahm,dc=nl
>modifyTimestamp: 20040412125152Z
>and :
>dn: cn=Domain Admins,ou=Groups,dc=ahm,dc=nl
>objectClass: posixGroup
>objectClass: sambaGroupMapping
>gidNumber: 512
>cn: Domain Admins
>memberUid: Administrator
>memberUid: thadeus
>description: Netbios Domain Administrators
>sambaSID: S-1-5-21-4269728302-1655870493-3894479995-512
>sambaGroupType: 2
>displayName: Domain Admins
>structuralObjectClass: posixGroup
>entryUUID: 72f46890-2011-1028-8600-bb5268b7f8fd
>creatorsName: cn=Manager,dc=ahm,dc=nl
>createTimestamp: 20040411143705Z
>entryCSN: 2004041212:51:42Z#0x0001#0#0000
>modifiersName: cn=Manager,dc=ahm,dc=nl
>modifyTimestamp: 20040412125142Z
>ls -l /shares/home:
>drwx------+   2 gerrit   smbusers     4096 Apr 11 19:01 gerrit
>drwx------+   2 hornie   smbusers     4096 Apr 12 16:40 hornie
>drwx------+   2 krelis   smbusers     4096 Apr 11 20:58 krelis
>drwx------+   2 thadeus  smbusers     4096 Apr 12 14:51 thadeus
>The only necessity is still to add the groups for groupmapping manually
>to /etc/group, otherwise the users can't access the shares that are
>accessible for groups. I thought it would be 
>enough to add the group smbusers to ldap with the same gid as
>"Domain Users" and that the entry in nsswitch.conf: group:  files ldap, 
>would do the rest; this is not the case, though it is for users. 
>Don't understand why or how. 
>smbldap-groupadd.pl has the option -t, which is the grouptype; apparently
>this can take the following types, domain, local and builtin, which will
>be the sambaGroupTypes 2, 4 and 5, which refer to, I think, the windows
>         SID_NAME_USE_NONE = 0,/* NOTUSED */
>         SID_NAME_USER    = 1, /* user */
>         SID_NAME_DOM_GRP = 2, /* domain group */
>         SID_NAME_DOMAIN  = 3, /* domain: don't know what this is */
>         SID_NAME_ALIAS   = 4, /* local group */
>         SID_NAME_WKN_GRP = 5, /* well-known group */
>         SID_NAME_DELETED = 6, /* deleted account: needed for c2 rating */
>         SID_NAME_INVALID = 7, /* invalid account */
>         SID_NAME_UNKNOWN = 8  /* oops. */
>as found on one of the websites.
>What one should choose when creating a group is not clear to me, I suppose
>that type 2 is a windows domain group, visible with windows tools and
>needs to be mapped to a unix group with the same gid to function. 
>Type 4 is a local unix group and has no groupmapping but exists in the 
>ldap database and in /etc/group with the same gid. Type 5 is a riddle.
>Hope this helps getting samba + ldap up and running a little faster
>than I did.

John Schmerold
Katy Computer Systems, Inc
20 Meramec Station Rd
Valley Park MO 63088
314-316-9000 v
775-227-6947 f
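The slapd.conf ACL quoted in Wim's message (`access to dn=".*,dc=ahm,dc=nl" by self write by * read`) gives every client, anonymous binds included, read access to every attribute of every entry under the suffix. On a sambaSamAccount that means sambaLMPassword, sambaNTPassword and userPassword are readable by anyone who can reach port 389, and `by self write` lets a user rewrite any attribute of their own entry, uidNumber and sambaSID included. The Python below is an added example, not code from the original post or from OpenLDAP: a small evaluator for the subset of slapd.access(5) syntax used here (first matching `access to` decides, first matching `by` inside it wins, otherwise access is none; the rootdn, here cn=Manager, bypasses ACLs entirely, which is why Samba's writes through `ldap admin dn` are unaffected) run over the posted ACL and over a tightened alternative of my own. The tightened version keeps the rest of the tree world-readable on purpose, because the posted ldap.conf has no binddn, so nss_ldap reads it anonymously. Treating `dn="..."` as an anchored regex over the whole DN is a simplification of slapd's matching. Unrelated to the ACL but in the same file: `TLSCipherSuite EXPORT56` limits slapd to 56-bit export-grade ciphers.

```python
import re

# Access levels in increasing order, as slapd.access(5) ranks them.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The ACL exactly as posted in the message above.
POSTED_ACL = """
access  to dn=".*,dc=ahm,dc=nl"
         by self                         write
         by *                            read
"""

# Tightened replacement (my suggestion, not from the original post):
# password material is writable only by its owner and usable only for
# binding by everyone else; the rest of the tree stays readable because
# nss_ldap in this setup binds anonymously (no binddn in ldap.conf).
HARDENED_ACL = """
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
         by self write
         by anonymous auth
         by * none
access to dn=".*,dc=ahm,dc=nl"
         by * read
"""


def parse_acl(text):
    """Parse a small subset of slapd.conf 'access to <what> by <who> <level>'.

    Supported <what>: '*', dn="<regex>", attrs=<a>,<b>,...
    Supported <who>:  *, anonymous, users, self, dn="<exact dn>"
    Returns a list of (dn_regex_or_None, attr_set_or_None, [(who, level), ...]).
    """
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    clauses = []
    for block in re.split(r"(?m)^\s*access\s+to\s+", text)[1:]:
        tokens = block.split()
        dn_re, attrs, i = None, None, 0
        while i < len(tokens) and tokens[i] != "by":
            tok = tokens[i]
            if tok.startswith("dn="):
                # treated as an anchored regex over the full DN (simplification)
                dn_re = re.compile(tok[3:].strip('"'), re.IGNORECASE)
            elif tok.startswith("attrs="):
                attrs = {a.lower() for a in tok[6:].split(",")}
            i += 1
        bys = []
        while i + 2 < len(tokens):
            if tokens[i] != "by":
                raise ValueError("expected 'by', got %r" % tokens[i])
            bys.append((tokens[i + 1], tokens[i + 2].lower()))
            i += 3
        clauses.append((dn_re, attrs, bys))
    return clauses


def access_level(clauses, bind_dn, target_dn, attr):
    """Level that bind_dn (None = anonymous) gets on attr of entry target_dn.

    Modelled semantics: the first 'access to' whose target matches decides;
    inside it the first matching 'by' wins; if no 'by' matches, or no target
    matches at all, the result is 'none'. The rootdn is not modelled because
    slapd exempts it from ACL processing altogether.
    """
    for dn_re, attrs, bys in clauses:
        if dn_re is not None and not dn_re.fullmatch(target_dn):
            continue
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in bys:
            if who == "*":
                return level
            if who == "anonymous" and bind_dn is None:
                return level
            if bind_dn is None:
                continue
            if who == "users":
                return level
            if who == "self" and bind_dn.lower() == target_dn.lower():
                return level
            if who.startswith("dn=") and who[3:].strip('"').lower() == bind_dn.lower():
                return level
        return "none"
    return "none"


def allows(clauses, bind_dn, target_dn, attr, needed):
    """True if the granted level is at least `needed` (e.g. 'read')."""
    return LEVELS.index(access_level(clauses, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


THADEUS = "uid=thadeus,ou=People,dc=ahm,dc=nl"

if __name__ == "__main__":
    for name, text in (("posted", POSTED_ACL), ("hardened", HARDENED_ACL)):
        acl = parse_acl(text)
        print(name)
        print("  anonymous reads sambaNTPassword:", allows(acl, None, THADEUS, "sambaNTPassword", "read"))
        print("  anonymous reads uidNumber:      ", allows(acl, None, THADEUS, "uidNumber", "read"))
        print("  thadeus writes own uidNumber:   ", allows(acl, THADEUS, THADEUS, "uidNumber", "write"))
        print("  thadeus writes own userPassword:", allows(acl, THADEUS, THADEUS, "userPassword", "write"))
```

With the posted ACL every line prints True; with the tightened one only the last does, and an anonymous bind still gets `auth` on the password attributes, which is what a simple bind needs. Run `ldapsearch -x -b dc=ahm,dc=nl sambaNTPassword` without `-D` against the real server to see which of the two you are actually running.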

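The thadeus entry printed in Wim's message shows what a readable hash actually gives away. sambaNTPassword is an unsalted MD4 of the password and is by itself the credential for NTLM authentication; sambaLMPassword is the DES-based LM hash, whose second half is the constant AAD3B435B51404EE whenever the password is 7 characters or fewer (as it is in the posted entry); userPassword is a {SSHA} value, base64 of sha1(password || salt) || salt. The Python below is an added example, not part of the original message or of the smbldap-tools: it parses a cut-down copy of that entry (LDIF with a `::` base64 value), reports those findings, and verifies a {SSHA} value the way slapd does, here against the posted rootpw and the password the message says produced it. The LDIF and the rootpw are copied from the message; nothing else is assumed.

```python
import base64
import hashlib
import os

# LM hash of an empty 7-byte half; a password of 7 characters or fewer
# always produces this as the second half of its LM hash.
LM_EMPTY_HALF = "AAD3B435B51404EE"

# Cut-down copy of the thadeus entry printed in the message above; the
# hash values are the ones posted there, the entry is otherwise trimmed.
SAMPLE_LDIF = """\
dn: uid=thadeus,ou=People,dc=ahm,dc=nl
objectClass: posixAccount
objectClass: sambaSamAccount
uid: thadeus
uidNumber: 1004
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-3008
sambaLMPassword: 4411488B6354F2B8AAD3B435B51404EE
sambaNTPassword: 7E07C8CA84F5765D8B5DFCF7AC5CEE04
sambaAcctFlags: [U]
userPassword:: e1NTSEF9R1FkakxPN1Bhc09OaEJQOXF5ZkNFN0dkOTBtTy96YjM=
"""

# rootpw as posted in slapd.conf; the message says it came from
# 'slappasswd -v -s secret'.
POSTED_ROOTPW = "{SSHA}O/K3UXbzgy6wmx+wx7hEuTn0MJTeOACw"


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute: [values]}.

    Handles folded continuation lines (leading space) and '::' base64 values.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(name, []).append(value)
    return entry


def password_scheme(value):
    """'{SSHA}...' -> 'SSHA'; a value without a {scheme} prefix is cleartext."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "cleartext"


def audit_samba_account(entry):
    """Findings about credential material stored on a sambaSamAccount entry."""
    findings = []
    lm = entry.get("sambaLMPassword", [])
    if lm:
        findings.append("LM hash present (DES on uppercased 7-char halves; crackable offline)")
        if lm[0].upper().endswith(LM_EMPTY_HALF):
            findings.append("LM second half is the empty-half constant: password is 7 characters or fewer")
    if entry.get("sambaNTPassword"):
        findings.append("NT hash present (unsalted MD4; a readable hash is a pass-the-hash credential)")
    for value in entry.get("userPassword", []):
        findings.append("userPassword scheme: " + password_scheme(value))
    return findings


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA}: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, candidate):
    """Check a candidate password against a {SSHA} value (salt follows the 20-byte digest)."""
    if password_scheme(stored) != "SSHA":
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    for finding in audit_samba_account(entry):
        print("-", finding)
    print("posted rootpw accepts 'secret':", ssha_verify(POSTED_ROOTPW, "secret"))
```

The same audit can be run over a real dump (`slapcat` or `ldapsearch -x ... sambaLMPassword sambaNTPassword userPassword`) by splitting the output on blank lines and feeding each entry to `parse_ldif_entry`. Once a rootpw or bind password has been pasted into a public list, as here, rotate it; the SSHA salt only slows guessing, it does not hide a known value.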