[Samba] Re: Authenticating DC's on an ldap backend... nobody knows how?
Igor Belyi
sambauser at katehok.ac93.org
Wed Sep 29 02:08:00 GMT 2004
Jim C. wrote:
> Folks have been telling me that it is best for one's Domain Controller
> if it has it's own dn for accessing the ldap server rather than using
> the ldap server's root dn. One of the issues is scalability. If you have
> several balancing domain controllers, how do you know which one has made
> changes to the database? They will all show up in the logs as the root
> dn unless you have it set up otherwise.
>
> What I've been hearing is that one does this by adding the
> simpleSecurityObject to a host record so that it now has a password.
> Then you include the dn of that host record as a member of the group
> 'Domain Controllers' and set up the LDAP ACLs so that this group has
> access.
>
> I can't get it to work to save my life. For one thing, when I set it up
> I frequently have problems with devfsd on startup. Basically it simply
> never completes so the startup process hangs. If I comment out the line
> below in /etc/devfsd.conf then devfsd will start but I don't know the
> security implications so I would rather avoid it.
I still don't know what you have tried, and what it has to do with devfs
(shouldn't you be moving away from it to udev?!). But here's what I would do:
# Create your hashed password:
% slappasswd
New password:
Re-enter new password:
{SSHA}<hashed-password>
# Create your Samba admin DN:
% ldapadd -W -D <rootdn>
Enter LDAP Password:
dn: cn=dadmin,dc=yourdomain,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: dadmin
userPassword: {SSHA}<hashed-password>
^D
# Verify that you can login with it by looking at yourself:
% ldapsearch -W -D cn=dadmin,dc=yourdomain,dc=com -s base -b "cn=dadmin,dc=yourdomain,dc=com"
Enter LDAP Password:
....
dn: cn=dadmin,dc=yourdomain,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: dadmin
userPassword: <base64 of the {SSHA}<hashed-password>>
....
# Verify that you don't have access to password fields yet.
# Don't worry if you have - it's just a security breach.
# You'll fix it in the next steps.
% ldapsearch -W -D cn=dadmin,dc=yourdomain,dc=com -s base -b "uid=user,ou=People,dc=yourdomain,dc=com"
Enter LDAP Password:
....
dn: uid=user,ou=People,dc=yourdomain,dc=com
uid: user
cn: Simple User
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
shadowLastChange: 11740
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/zsh
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/user
gecos: Simple User,,,
sambaSID: <your domain SID>-3000
sambaPrimaryGroupSID: <your domain SID>-3001
displayName: Simple User,,,
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaAcctFlags: [U ]
sambaKickoffTime: 0
sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
sambaPwdCanChange: 1095895480
sambaPwdMustChange: 1097709880
sambaPwdLastSet: 1095895480
....
# Add the following lines for your 'backend' in your slapd.conf
# Those are special lines for LM and NT password and restricted
# write access to trees written in your smb.conf as ldap suffixes.
# If you already have records for those fields you'll just need
# to add 'by dn="cn=dadmin,dc=yourdomain,dc=com" write' to them.
# read man slapd.access for details
access to attrs=SambaLMPassword,SambaNTPassword
by dn="cn=dadmin,dc=yourdomain,dc=com" write
by self write
by * none
access to dn.subtree="ou=People,dc=yourdomain,dc=com"
by dn="cn=dadmin,dc=yourdomain,dc=com" write
by * read
access to dn.subtree="ou=Group,dc=yourdomain,dc=com"
by dn="cn=dadmin,dc=yourdomain,dc=com" write
by * read
access to dn.subtree="ou=Computers,dc=yourdomain,dc=com"
by dn="cn=dadmin,dc=yourdomain,dc=com" write
by * read
# Restart slapd and see if your "cn=dadmin,dc=yourdomain,dc=com"
# can now see the LM and NT password fields of
# "uid=user,ou=People,dc=yourdomain,dc=com" by repeating the last
# search.
# You can also check that "cn=dadmin,dc=yourdomain,dc=com" has write
# access by changing something:
% ldapmodify -W -D "cn=dadmin,dc=yourdomain,dc=com"
Enter LDAP Password:
dn: uid=user,ou=People,dc=yourdomain,dc=com
changetype: modify
replace: gecos
gecos: Not that Simple User,,,,
^D
# Now edit your smb.conf to change 'ldap admin dn':
ldap admin dn = cn=dadmin,dc=yourdomain,dc=com
# Update password Samba uses with this DN:
% smbpasswd -w <your cn=dadmin secret>
# Restart Samba and it will use this new non-root DN.
# After that you can start playing with LDAP groups.
# But I'm not that familiar with them. I suspect that
# you will need to change your access line
# 'by dn="cn=dadmin,dc=yourdomain,dc=com" write'
# for all access statements to the following:
by group="cn=Domain Controllers,dc=yourdomain,dc=com" write
# Then add this group to LDAP with your Admin DN in its member field:
% ldapadd -W -D <rootdn>
Enter LDAP Password:
dn: cn=Domain Controllers,dc=yourdomain,dc=com
objectClass: groupOfNames
cn: Domain Controllers
member: cn=dadmin,dc=yourdomain,dc=com
^D
# Restart slapd and check that you still have access to
# LM and NT passwords and can change fields in records.
# By this time you should have accomplished what you wanted to do.
# It's that simple! ;o)
Hope it helps,
Igor
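To sanity-check an ACL like the one above before restarting slapd, here is a small, simplified evaluator of slapd.conf "access to ... by ..." clauses, added here as an example (it is not code from the original post or from OpenLDAP). It assumes the clause forms the post uses (attrs=, dn.subtree=, dn=, group=, self, *), treats an entry no clause covers as denied, and contrasts the post's ACL with a constructed weak variant that grants "by * read" on the hash attributes.

```python
# Constructed, simplified evaluator for slapd.conf "access to ... by ..." clauses
# (example written for this note; not code from the original post or from OpenLDAP).
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]
WHO = r'(?:\w[\w.]*="[^"]*"|\S+)'          # dn="..."  group="..."  self  *
CLAUSE = re.compile(r'access\s+to\s+(\S+)((?:\s+by\s+' + WHO + r'\s+\w+)+)')
BY = re.compile(r'by\s+(' + WHO + r')\s+(\w+)')
# The post's ACL (hardened) and a constructed weak variant exposing hashes to any bound DN.
DADMIN = "cn=dadmin,dc=yourdomain,dc=com"
HARDENED = f'''
access to attrs=SambaLMPassword,SambaNTPassword
    by dn="{DADMIN}" write
    by self write
    by * none
access to dn.subtree="ou=People,dc=yourdomain,dc=com"
    by dn="{DADMIN}" write
    by * read
'''
WEAK = HARDENED.replace("by * none", "by * read")

def _what_matches(what, dn, attr):
    if what.startswith("attrs="):            # attribute names are case-insensitive
        return attr.lower() in what[6:].lower().split(",")
    if what.startswith("dn.subtree="):
        base = what[11:].strip('"').lower()
        return dn.lower() == base or dn.lower().endswith("," + base)
    return what == "*"                       # other <what> forms are not modelled

def _who_matches(who, requester, dn, groups):
    if who.startswith("dn="):
        return requester.lower() == who[3:].strip('"').lower()
    if who.startswith("group="):             # groups: {group DN: [member DNs]}
        return requester.lower() in [m.lower() for m in groups.get(who[6:].strip('"'), [])]
    return who == "*" or (who == "self" and requester.lower() == dn.lower())

def access(conf, requester, dn, attr, groups=None):
    """Level a bound DN gets on one attribute of one entry: first matching clause, first
    matching 'by' wins, as in slapd. Assumption: no match at either level yields 'none'."""
    for what, bys in ((m.group(1), BY.findall(m.group(2))) for m in CLAUSE.finditer(conf)):
        if _what_matches(what, dn, attr):
            for who, level in bys:
                if _who_matches(who, requester, dn, groups or {}):
                    return level
            return "none"
    return "none"

def hash_exposed(conf, requester, target, groups=None):
    """True if requester gets at least 'read' on target's NT hash."""
    return LEVELS.index(access(conf, requester, target, "sambaNTPassword", groups)) >= LEVELS.index("read")
```

Swapping the dn="..." clauses for group="cn=Domain Controllers,..." and passing a groups map to access() models the last step of the post; with no group membership the same DN drops to "none".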