[Samba] Samba and OpenLDAP - success?
joe_tseng at hotmail.com
Sat Jan 8 11:09:50 MST 2011
I've spent almost two months learning about setting up Samba and OpenLDAP for SSO. I was finally able to get it done (at least for Win XP Pro at this point) and I've compiled some notes on how I did it. The latest copy of my notes will be at the link below:
I've also discovered during my travels in Google-land that when you try a potentially useful URL in a page several years old, that link may end up invalid. So to avoid that from happening with the link above I've included my notes up to this point below. YMMV.
I'm no expert on this topic so I'll assume there are going to be mistakes in security and maintenance in my configuration. I would warmly welcome comments and corrections.
If you type "Google" into Google, you can break the Internet. -- Jen Barber
How To Set Up Samba & LDAP with Amahi - January 2011Set up Fedora 12 with Amahi: http://www.amahi.org/support/instructionsSet up Amahi server as a PDC: http://wiki.amahi.org/index.php/PDCnote: follow instructions under header “Full Procedure for Windows XP”note: in /etc/samba/smb.conf I made changes under [global]:logon home = \\%L\%Ulogin path = \\%L\profiles\%UCreate a backup copy of /etc/samba/smb.confSet up OpenLDAP in Amahi server: http://wiki.amahi.org/index.php/LDAPI
don’t know what the clear password was in that document for root
(rootpw) since it was encrypted so I made my own using
/usr/sbin/slappasswd and saved that in /etc/openldap/slapd.conf.Updated slapd.conf: include /etc/openldap/schema/samba.schemaUsed any lines I already didn’t have in /etc/samba/smb.conf and added them: http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/#htoc25Changes I made to the above (to get my set up working) include:ldap ssl = offcommented out valid users under [shares] (I believe users’ filesystem permissions should protect contents.)commented out valid users and force user under [profiles]Verify directories exist for [profiles] and [netlogon]Run testparm to confirm configuration fileRestarted samba to enable updates: service smb restartInstalled and set up smbldap-tools: yum -y install smbldap-toolsUpdate /etc/smbldap-tools/smbldap.confSID - instructions on how to create one is included in fileUncomment sambaDomain and provide your domain nameset masterLDAP/slaveLDAP explicitly to 127.0.0.1ldapTLS="0"update suffixhash_encrypt="SSHA"update userSmbHome with your machine nameupdate userProfile with your machine nameI put in an updated value for mailDomain although I currently don’t own an Internet domainUpdate /etc/smbldap-tools/smbldap_bind.confInsert new entries into LDAP using smbldap-populate: http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/#htoc31I used the same password as the cleartext one I used in step 3.Insert new userinto LDAP: smbldap-useradd -a -P -A 1 usernamesmbldap-passwd usernameinto server: useradd usernamecreated new user directory in path defined in [profiles] in smb.confchown username userdirchmod 700 userdirInsert new workstationinto LDAP: smbldap-useradd -w workstationnameinto server: useradd -s /bin/false -d /home/nobody workstationname$For Windows XP Pro:Join workstation to domainWhen Windows prompts for a username and password, use “root” and password created in step 10
More information about the samba