OpenLDAP/Samba3 Server Quick Setup

(v3.0.7 5-4-2005)

OpenLDAP
Server Setup:
Install:
  openldap-<ver>.rpm openldap-servers-<ver>.rpm openldap-clients-<ver>.rpm
  FEDORA: samba-3.0.<ver>.i386.rpm samba-common-3.0.<ver>.i386.rpm samba-client-3.0.<ver>.i386.rpm
          samba-swat-3.0.<ver>.i386.rpm smbldap-tools-<ver>.rpm
    Using apt-get:
      # apt-get install openldap openldap-servers openldap-clients
      # apt-get install samba samba-common samba-client samba-swat samba-winbind smbldap-tools
    Copy: /usr/share/doc/samba-3.0.<ver>/LDAP/samba.schema  to  /etc/openldap/schema/
  MDK: samba3-common-3.0.0-<ver>mdk.i586.rpm samba3-server-3.0.0-<ver>mdk.i586.rpm samba3-swat-3.0.0-<ver>mdk.i586.rpm
    Using urpmi:
      # urpmi samba3-common samba3-server samba3-swat
  SLES 9: Use YaST to configure LDAP (during install or later on)
    Copy: /usr/share/doc/packages/samba/examples/LDAP/samba.schema  to  /etc/openldap/schema
  Download:
    wget http://pronetworkconsulting.com/linux/docs/schemas/postfix.schema  to  /etc/openldap/schema
    wget http://pronetworkconsulting.com/linux/docs/configs/ldap/slapd.access.conf  to  /etc/openldap

Server Setup:
Edit: /etc/openldap/slapd.conf

Edit:
  database  bdb
  suffix    <base dn>            # i.e. o=mydomain
  rootdn    <root dn>            # i.e. cn=root,o=mydomain
  rootpw    <root dn password>   # slappasswd -h {md5} <password>

  FEDORA:  Add:       include /etc/openldap/schema/samba.schema
  MDK 9.x: Uncomment: include /usr/share/openldap/schema/samba.schema
  SLES 9:  Use YaST to configure LDAP (during install or later on)
           Add:       include /etc/openldap/schema/samba.schema

Add at end of includes:
  include /etc/openldap/schema/postfix.schema
  include /etc/openldap/slapd.access.conf

Uncomment:
  TLSCACertificateFile  /usr/share/ssl/certs/ca-bundle.crt
  TLSCertificateFile    /usr/share/ssl/certs/slapd.pem
  TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

©Ron Terry

1

Edit: /etc/openldap/slapd.access.conf
Replace 'mydomain' with the name of your Base DN.

Run:
  # touch /etc/openldap/slapd.access.conf
  # chown :ldap /etc/openldap/slapd.access.conf
  # chmod 640 /etc/openldap/slapd.access.conf

Start Server:
  # chkconfig ldap on          -ensure the server starts automatically
  # /etc/init.d/ldap restart   -start the LDAP service

Server and Client Setup:
Edit: /etc/ldap.conf

Edit:
  host             <ldap server hostname or IP address>
  BASE             <base dn>                        # i.e. o=mydomain
  binddn           uid=NSS,ou=LDAPadmin,<base dn>
  bindpw           nsspass
  rootbinddn       cn=root,<base dn>
  scope            sub
  nss_base_passwd  <accounts dn>                    # i.e. ou=accounts,o=mydomain
  nss_base_shadow  <accounts dn>                    # i.e. ou=accounts,o=mydomain
  nss_base_group   <groups dn>                      # i.e. ou=groups,o=mydomain
  ssl              no (or start_tls)
  pam_passwd       md5

FEDORA: Run authconfig to automatically configure /etc/ldap.conf.
        Note: nss_base_passwd, nss_base_shadow, nss_base_group still must be edited after running authconfig.
SLES 9: Use YaST to configure authentication.

Create: /etc/ldap.secret
Add your rootdn password (in plain text) on the first line of this file.

Run:
  # chmod 0400 /etc/ldap.secret
  # chown root:root /etc/ldap.secret
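The chmod/chown steps for /etc/openldap/slapd.access.conf (640, group ldap) and /etc/ldap.secret (0400 root:root) are the two places where this setup relies on file permissions to keep a bind password and the ACL file private. The following is an added Python example, not part of Ron Terry's guide, that audits exactly those settings and reports any permission bits wider than the guide prescribes; the path table is taken from the steps above, and demo() exercises the check on a constructed temporary file.

```python
import grp
import os
import pwd
import stat
import tempfile

# Files from the steps above and what the guide sets on them:
# ldap.secret 0400 root:root; slapd.access.conf 640 with group ldap (its owner
# is not changed by the guide, so None means "not checked").
EXPECTED = {
    "/etc/ldap.secret": (0o400, "root", "root"),
    "/etc/openldap/slapd.access.conf": (0o640, None, "ldap"),
}

def excess_bits(actual_mode, max_mode):
    """Permission bits set in actual_mode that max_mode does not allow."""
    return stat.S_IMODE(actual_mode) & ~max_mode

def _name(lookup, ident, field):
    """Map a uid/gid to its name, falling back to the number if it is unknown."""
    try:
        return getattr(lookup(ident), field)
    except KeyError:
        return str(ident)

def audit_file(path, max_mode, owner=None, group=None):
    """Return a list of findings for one file; an empty list means it passes."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s: missing" % path]
    findings = []
    extra = excess_bits(st.st_mode, max_mode)
    if extra:
        findings.append("%s: mode %04o grants extra bits %04o beyond %04o"
                        % (path, stat.S_IMODE(st.st_mode), extra, max_mode))
    got_owner = _name(pwd.getpwuid, st.st_uid, "pw_name")
    if owner is not None and got_owner != owner:
        findings.append("%s: owner %s, expected %s" % (path, got_owner, owner))
    got_group = _name(grp.getgrgid, st.st_gid, "gr_name")
    if group is not None and got_group != group:
        findings.append("%s: group %s, expected %s" % (path, got_group, group))
    return findings

def audit_all(expected=EXPECTED):
    """Audit every file in the table and return all findings together."""
    findings = []
    for path, (max_mode, owner, group) in expected.items():
        findings += audit_file(path, max_mode, owner, group)
    return findings

def demo():
    """Constructed check on a temporary file: audited at 0644, then at 0400."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        loose = audit_file(path, 0o400)
        os.chmod(path, 0o400)
        tight = audit_file(path, 0o400)
    finally:
        os.unlink(path)
    return loose, tight
```

On a configured server, audit_all() returns an empty list when both files match the guide; each finding names the file and the offending bits.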

Edit: /etc/openldap/ldap.conf

Add at end of file:
  TLS_REQCERT allow


NSS and PAM
Client Setup:
Install:
  MDK 9.x: nss_ldap-<ver>.rpm pam_ldap-<ver>.rpm
    Using urpmi:
      # urpmi nss_ldap pam_ldap

NSS:
  FEDORA: Run authconfig to automatically configure /etc/nsswitch.conf.
  MDK 9.x: Edit: /etc/nsswitch.conf
    passwd: files ldap nisplus nis
    shadow: files ldap nisplus nis
    group:  files ldap nisplus nis
    (see example config file)
  SLES 9: Use YaST to configure authentication.

PAM:
  FEDORA: Run authconfig to automatically configure /etc/pam.d/system-auth.
  MDK 9.x: Edit: /etc/pam.d/system-auth
    Add before pam_unix.so line in auth section:      auth     sufficient /lib/security/pam_ldap.so
    Add before pam_unix.so line in account section:   account  sufficient /lib/security/pam_ldap.so
    Add before pam_unix.so line in password section:  password sufficient /lib/security/pam_ldap.so
    Add before pam_unix.so line in session section:   session  sufficient /lib/security/pam_ldap.so
    (see example config file)
  SLES 9: Use YaST to configure authentication.


pam_mkhomedir
Client and/or Server Setup:
Edit: /etc/pam.d/system-auth

Insert before other session lines:
  Note: Make the path to pam_mkhomedir.so the same as the paths to the other *.so files in the file you are editing.

           session required pam_mkhomedir.so skel=/etc/skel umask=0066
  MDK 9.x: session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0066
  FEDORA:  session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0066
  SLES 9:  session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0066

Import initial LDAP entries
Server Setup:
Edit: full-base.ldif

Search & Replace: <base dn name> with <your base dn name>
  (i.e. if <base dn> = o=mydomain then <base dn name> = mydomain)

Run:
  # ldapadd -x -h <hostname/IP> -D "<root dn>" -f full-base.ldif -W

Note: The -h <hostname/IP> option is required only if you are trying to access a remote ldap server.

Change:
  admin password        (i.e. uid=admin,<base dn>)
  'fake' root password  (i.e. uid=root,ou=users,ou=accounts,<base dn>)

Note: You may change these passwords after you have installed an administration utility (i.e. phpldapadmin).
SLES 9: LDAP directory is set up automatically.


Samba
Server Setup:
Edit: /etc/samba/smb.conf

Edit or Add:
  workgroup = <your domain name>
  netbios name = <your computer name>
  passdb backend = ldapsam:ldap://<hostname or IP of LDAP server>
  ldap suffix = <base dn>               # i.e. o=mydomain
  ldap machine suffix = <computer dn>   # i.e. ou=computers,ou=accounts,o=mydomain
  ldap user suffix = <user dn>          # i.e. ou=users,ou=accounts,o=mydomain
  ldap group suffix = <groups dn>       # i.e. ou=groups,o=mydomain
  ldap idmap suffix = <idmap dn>        # i.e. ou=idmap,ou=accounts,o=mydomain
  ldap admin dn = <admin dn>            # i.e. cn=root,o=mydomain or uid=admin,o=mydomain
  ldap port = 389
  ldap ssl = no                         (or start_tls)
  ldap passwd sync = Yes

FEDORA: Edit or Add:
  ldap delete dn = yes
  add machine script = /usr/sbin/smbldap-useradd -w "%u"
  add user script = /usr/sbin/smbldap-useradd -m "%u"
  delete user script = /usr/sbin/smbldap-userdel "%u"
  add group script = /usr/sbin/smbldap-groupadd -p "%g"
  delete group script = /usr/sbin/smbldap-groupdel "%g"
  add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
  delete user from group script = /usr/sbin/smbldap-usermod -x "%u" "%g"
  set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

Create:
  mkdir /var/lib/samba
  mkdir /var/lib/samba/netlogon
  mkdir /var/lib/samba/profiles
  mkdir /var/lib/samba/printers
  mkdir /var/tmp
  chmod 1757 /var/lib/samba/profiles

MDK 9.x: Edit:
  add user script = /usr/share/scripts//smbldap-useradd.pl -w -d /dev/null -g Machines -c "Machine Account" -s /bin/false %u

SLES 9: Use YaST to configure Samba to use LDAP as a backend.

Run:
  FEDORA:  # smbpasswd -w <admin dn password>
  MDK 9.x: # smbpasswd3 -w <admin dn password>
  SLES9:   YaST configures this automatically

  # clear                 -clear the screen.
  # history -c            -clear bash history.
  # smbpasswd -a root     -make the ldap "fake" root account a samba account and create the SID object.

Restart servers:
  # chkconfig smb on          -ensure the server starts automatically.
  # /etc/init.d/smb restart   -start the Samba service.


smbldap-tools
Server Setup:
Edit:
FEDORA: /etc/smbldap-tools/smbldap.conf MDK 9.x: /etc/samba/smbldap_conf.pm SLES 9: ?

Edit:
  #
  # General Configuration
  #
  SID = "<machine SID>"                              (from net getlocalsid)
  #
  # LDAP Configuration
  #
  slaveLDAP  = "<ldap server hostname/IP address>"
  masterLDAP = "<ldap server hostname/IP address>"
  ldapTLS    = "0"                                   (or 1)
  suffix     = "<base dn>"
  usersdn     = "ou=users,ou=accounts,${suffix}"
  computersdn = "ou=computers,ou=accounts,${suffix}"
  groupsdn    = "ou=groups,${suffix}"
  idmap       = "ou=idmap,ou=accounts,${suffix}"
  sambaUnixIdPooldn = "sambaDomainName=<your NT domain name>,${suffix}"
  scope        = "sub"
  hash_encrypt = "MD5"
  #
  # Unix Accounts Configuration
  #
  userLoginShell = "/bin/bash"
  userHome       = "<path to home dirs>"             # i.e. "/home/users/%U"
  userGecos      = "System User"
  defaultUserGid     = "513"
  defaultComputerGid = "515"
  skeletonDir        = "/etc/skel"
  defaultMaxPasswordAge = "99999"
  #
  # Samba
  #
  userSmbHome   = "\\<servername>\homes\%U"
  userProfile   = "\\<servername>\profiles\%U"
  userHomeDrive = "H:"
  mailDomain    = "<your DNS domain>"
  #
  # SMBLDAP-TOOLS
  #
  smbpasswd = "/usr/bin/smbpasswd"

  MDK 9.x: $smbpasswd = "/usr/bin/smbpasswd3"

Edit:
FEDORA: /etc/smbldap-tools/smbldap_bind.conf MDK 9.x: ? SLES 9: ?

Edit:
  slaveDN  = "<your root dn>"                    # i.e. cn=root,o=mydomain -or- uid=admin,o=mydomain
  slavePw  = "<root dn password in plain text>"
  masterDN = "<your root dn>"                    # i.e. cn=root,o=mydomain -or- uid=admin,o=mydomain
  masterPw = "<root dn password in plain text>"


Install GUI Administration Tools
Client and/or Server Setup:
Install and configure phpLDAPadmin
• To download phpLDAPadmin go to:
    o http://phpldapadmin.sourceforge.net/download.php
    o http://pronetworkconsulting.com/linux/docs/phpldapadmin-0.9.6c-1-rct.tgz (pre-patched)
• Download the latest tarball (i.e. phpldapadmin-0.9.6c.tar.gz).
• Extract the tarball into /usr/share.
• Create (or download) a file called /etc/httpd/conf.d/phpldapadmin.conf and add the following line:
    o Alias /ldapadmin /usr/share/phpldapadmin-<ver>
• Restart the web server. (service httpd restart or /etc/init.d/httpd restart)
• Set Apache to start automatically. (chkconfig httpd on)
• cd into the /usr/share/phpldapadmin-<ver> directory.
• cp config.php.example config.php. (Or edit config.php if using the pre-patched version)
• Edit config.php and modify these variables to match your install:
    o ['name'] = '<what you want to call this server>';
    o ['host'] = '<IP or Host name/FQDN of LDAP server>';
    o ['base'] = '<your base dn>';
    o ['auth_type'] = 'session';
    o ['login_dn'] = '<your root dn>';             # (or 'uid=NSS,ou=LDAPadmin,<your base dn>';)
    o ['login_pass'] = '<empty>';                  # (or 'nsspass';)
    o ['default_hash'] = 'md5';
    o ['login_attr'] = 'dn';                       # (or 'uid';)
    o ['enable_auto_uid_numbers'] = true;
    o ['auto_uid_number_mechanism'] = 'search';
    o ['auto_uid_number_search_base'] = 'ou=accounts,<your base dn>';
    o ['auto_uid_number_min'] = 1000;
    o ['auto_uid_number_search_dn'] = 'uid=NSS,ou=LDAPadmin,<your base dn>';
    o ['auto_uid_number_search_dn_pass'] = 'nsspass';
    o ['unique_attrs_dn'] = 'uid=NSS,ou=LDAPadmin,<your base dn>';
    o ['unique_attrs_dn_pass'] = 'nsspass';
    o ['unique_attrs_dn'] = 'uid=unique_attrs,ou=LDAPadmin,<your base dn>';
    o ['unique_attrs_dn_pass'] = 'unique';
    o $enable_mass_delete = true;
    o $unique_attrs = array('uid','uidNumber','mail');
• Edit the default template values (i.e. Samba SID, etc.) in templates/template_config.php.
    o $base_posix_groups = "ou=groups,<your base dn>";
    o $mkntpwdCommand = "/usr/local/bin/mkntpwd";
    o $samba3_domains[] = array('name' => '<your Samba domain name>', 'sid' => '<your samba sid>');
    o $samba_base_groups = "ou=groups,<your base dn>";
• Edit the language file value for Samba Domain Name in lang/en.php. (optional: for unpatched version)
    o $lang['samba_domain_name'] = '<your Samba domain name>';
• Download or copy "mkntpwd" into /usr/local/bin. (http://pronetworkconsulting.com/linux/docs/utils/mkntpwd)
• Make the mkntpwd program executable. (chmod a+x /usr/local/bin/mkntpwd)
• Edit templates/creation/new_sbs_user_template.php
    o $default_container = "ou=users,ou=accounts";
    o $default_home = "/home/users";
    o $inet_domain = "<your internet domain>";


Sample Configuration Files
Samba
#=================================================================#
# -=Samba 3.x smb.conf for a PDC with LDAP backend =#             #
#                                                                 #
# This file assumes the following:                                #
#                                                                 #
#  -The samba server and LDAP server are on the same machine.     #
#  -netbios name = myserver                                       #
#  -workgroup/domain = mydomain                                   #
#  -LDAP base dn = o=mydomain                                     #
#  -LDAP rootdn = cn=root,o=mydomain                              #
#=================================================================#

#============ Global Settings =====================================
[global]
#-- Basic Server Options --#
netbios name = myserver
workgroup = mydomain
server string = Samba Server
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

#-- PDC and Master Browser Settings --#
preferred master = Yes
domain master = Yes
local master = Yes
domain logons = Yes
os level = 64
dns proxy = No
wins support = Yes

#-- LDAP Settings --#
ldap suffix = o=mydomain
ldap machine suffix = ou=computers,ou=accounts,o=mydomain
ldap user suffix = ou=users,ou=accounts,o=mydomain
ldap group suffix = ou=groups,o=mydomain
ldap idmap suffix = ou=idmap,ou=accounts,o=mydomain
ldap admin dn = cn=root,o=mydomain
ldap ssl = no
ldap passwd sync = Yes

#-- User / Group / Machine Scripts --#
ldap delete dn = yes
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-usermod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

#-- Profiles and Home Directories --#
;logon script = %m.bat
;logon script = %U.bat
;logon path = \\%L\Profiles\%U
;logon home = \\%L\%U\.profile

#================ Share Definitions ==============================
### Standard Shares ####################


[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

############################################
### PDC Related Shares #################
[netlogon]
path = /var/lib/samba/netlogon
read only = yes
write list = @admins root

[profiles]
path = /var/lib/samba/profiles
browseable = no
read only = no
create mask = 0600
directory mask = 0700

[print$]
path = /var/lib/samba/printers
browseable = yes
read only = yes
write list = @admins root
guest ok = yes

############################################
### Other Shares #######################
[apps]
path = /data/apps
read only = no
force group = +users
force create mode = 0664
force directory mode = 0775
comment = Applications


slapd.access.conf
# slapd.access.conf version 1.3 (5-4-2005)
# For use with OpenLDAP 2.1+
# and
# full-base.ldif v4.4+
#
# note: This file must be readable by the ldap user or ldap group
#       and should not be readable by anyone else.

### UNIX Password Property Restrictions ###
access to attr=userPassword
        by dn="uid=admin,o=mydomain" write
        by dn="uid=root,ou=users,ou=accounts,o=mydomain" write
        by dn="uid=replicator,ou=LDAPadmin,o=mydomain" read
        by dn="uid=NSS,ou=LDAPadmin,o=mydomain" read
        by anonymous auth
        by self write
        by * none

### NSS Information Properties Restrictions ###
access to attrs=uidNumber,uid,gidNumber,loginShell,homeDirectory
        by dn="uid=admin,o=mydomain" write
        by dn="uid=root,ou=users,ou=accounts,o=mydomain" write
        by dn="uid=replicator,ou=LDAPadmin,o=mydomain" read
        by dn="uid=NSS,ou=LDAPadmin,o=mydomain" read
        by dn="uid=unique_attrs,ou=LDAPadmin,o=mydomain" read
        by anonymous auth
        by self read
        by users read
        by * read

### Samba3 Password Properties Restrictions ###
access to attrs=sambaLMPassword,sambaNTPassword,sambaPwdLastSet
        by dn="uid=admin,o=mydomain" write
        by dn="uid=root,ou=users,ou=accounts,o=mydomain" write
        by anonymous auth
        by self write
        by * none

### Email Address Property Restrictions ###
access to attr=mail
        by dn="uid=admin,o=mydomain" write
        by dn="uid=root,ou=users,ou=accounts,o=mydomain" write
        by dn="uid=unique_attrs,ou=LDAPadmin,o=mydomain" read
        by anonymous auth
        by self write
        by * read

### Email Maildrop Property Restrictions ###
#access to attr=maildrop
#        by dn="uid=admin,o=mydomain" write
#        by dn="uid=root,ou=users,ou=accounts,o=mydomain" write
#        by dn="uid=MAIL,ou=LDAPadmin,o=mydomain" read
#        by anonymous auth
#        by self read
#        by * none

### Everything Else ###
access to *
        by dn="uid=admin,o=mydomain" write
        by dn="uid=root,ou=users,ou=accounts,o=mydomain" write
        by self write
        by users read
        by anonymous auth
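slapd evaluates this file with first-match semantics: the first "access to" directive whose target covers the attribute is used, within it the first matching "by" clause decides, and a directive with no matching "by" clause denies. The following added Python example, written for this page and not part of the guide or of OpenLDAP, emulates that evaluation for the who-forms the file uses (dn="...", anonymous, self, users, *) against a constructed excerpt of the ACL above, so the effect of a clause order can be checked without a running server; uid=alice and uid=bob are constructed user DNs, and regex DNs, groups and the entry/children pseudo-attributes are not modelled.

```python
import re

# Constructed excerpt of the slapd.access.conf above (three of its directives).
ACL_TEXT = """
access to attr=userPassword
        by dn="uid=admin,o=mydomain" write
        by dn="uid=root,ou=users,ou=accounts,o=mydomain" write
        by dn="uid=NSS,ou=LDAPadmin,o=mydomain" read
        by anonymous auth
        by self write
        by * none
access to attrs=sambaLMPassword,sambaNTPassword,sambaPwdLastSet
        by dn="uid=admin,o=mydomain" write
        by anonymous auth
        by self write
        by * none
access to *
        by dn="uid=admin,o=mydomain" write
        by self write
        by users read
        by anonymous auth
"""

def parse_acl(text):
    """Return [(attrs or None for '*', [(who, level), ...]), ...] in file order."""
    rules = []
    for block in re.split(r"^\s*access to ", text, flags=re.M)[1:]:
        lines = block.strip().splitlines()
        m = re.match(r"attrs?=(\S+)", lines[0].strip())
        attrs = {a.lower() for a in m.group(1).split(",")} if m else None
        clauses = []
        for line in lines[1:]:
            who, level = re.match(r"\s*by\s+(.+?)\s+(\w+)\s*$", line).groups()
            clauses.append((who, level))
        rules.append((attrs, clauses))
    return rules

def who_matches(who, requester, target):
    """requester is the bound DN (None = anonymous); target is the entry's DN."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target.lower()
    m = re.match(r'dn="([^"]+)"$', who)          # exact-DN form used by the file
    return bool(m and requester and m.group(1).lower() == requester.lower())

def effective_access(rules, requester, target, attr):
    """First directive whose <what> covers attr is used; inside it the first
    matching <who> wins, and no match means deny (the implicit 'by * none')."""
    for attrs, clauses in rules:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in clauses:
            if who_matches(who, requester, target):
                return level
        return "none"
    return "none"
```

Running the evaluator shows, for instance, that the uid=NSS bind account used in /etc/ldap.conf can read userPassword hashes but gets "none" on sambaNTPassword, and that anonymous binds only get "auth" (usable for binding, not for reading).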


full-base.ldif (v4.4)
### Domain ###
dn: o=mydomain
objectClass: top
objectClass: organization
o: mydomain
description: mydomain

### OUs ###
#-- Top level OUs --#
dn: ou=accounts,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: accounts
description: User and Computer Accounts

dn: ou=groups,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: groups
description: User and Domain Groups

dn: ou=services,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: services
description: Network Services

dn: ou=LDAPadmin,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: LDAPadmin
description: LDAP administrative objects

#-- Second level OUs --#
#- accounts OU -#
dn: ou=idmap,ou=accounts,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: idmap
description: Samba IDmap Container

dn: ou=computers,ou=accounts,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: computers
description: Samba Computer Accounts

dn: ou=users,ou=accounts,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: users
description: Linux and Samba User Accounts

dn: ou=addresses,ou=users,ou=accounts,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: addresses
description: Address Book Entries

#- groups OU -#
dn: ou=samba,ou=groups,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: samba
description: Samba User Groups

#- services OU -#
dn: ou=DHCP,ou=services,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: DHCP


description: DHCP Servers

dn: ou=DNS,ou=services,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: DNS
description: DNS Servers

dn: ou=automount,ou=services,o=mydomain
objectClass: top
objectClass: organizationalUnit
ou: automount
description: Autofs Automount Maps

### Groups ###
dn: cn=root,ou=groups,o=mydomain
objectClass: posixGroup
gidNumber: 0
cn: root
description: 'Fake' root UNIX group

dn: cn=admins,ou=samba,ou=groups,o=mydomain
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
sambaGroupType: 5
sambaSID: S-1-5-21-484461966-3319382440-1790084091-512
displayName: Domain Admins
cn: admins
memberUid: root
description: System and Domain Administrators

dn: cn=users,ou=samba,ou=groups,o=mydomain
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
sambaGroupType: 5
sambaSID: S-1-5-21-484461966-3319382440-1790084091-513
displayName: Domain Users
cn: users
description: System and Domain Users

dn: cn=guests,ou=samba,ou=groups,o=mydomain
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
sambaGroupType: 5
sambaSID: S-1-5-21-484461966-3319382440-1790084091-514
displayName: Domain Guests
cn: guests
description: System and Domain Guests

dn: cn=machines,ou=samba,ou=groups,o=mydomain
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
sambaGroupType: 5
sambaSID: S-1-5-21-484461966-3319382440-1790084091-515
displayName: Domain Computers
cn: machines
description: Domain Machines

### Users ###
dn: uid=admin,o=mydomain
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: admin
userPassword: password
description: LDAP Administrator Object

dn: uid=root,ou=users,ou=accounts,o=mydomain
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount


cn: root
sn: root
uid: root
gecos: root
uidNumber: 0
gidNumber: 0
homeDirectory: /root
loginShell: /bin/bash
description: 'Fake' root UNIX user

dn: uid=guest,ou=users,ou=accounts,o=mydomain
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
cn: guest
sn: guest
uid: guest
gecos: Guest User
uidNumber: 99
gidNumber: 514
homeDirectory: /dev/null
loginShell: /bin/false

### Other Objects ###
dn: uid=MAIL,ou=LDAPadmin,o=mydomain
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: MAIL
userPassword: nsspass
description: MAIL ACL Object

# simpleSecurityObject is auxiliary, so the entry needs a structural class
# (account) as the other LDAPadmin objects have; the ACL file, the diagram
# and the phpLDAPadmin settings all refer to this object as uid=unique_attrs.
dn: uid=unique_attrs,ou=LDAPadmin,o=mydomain
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: unique_attrs
userPassword: unique
description: ACL Object used to ensure unique attributes

dn: uid=NSS,ou=LDAPadmin,o=mydomain
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: NSS
userPassword: nsspass
description: LDAP NSS Object

dn: uid=replicator,ou=LDAPadmin,o=mydomain
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: replicator
userPassword: replicator
description: LDAP Replication Object


Diagram of the full-base.ldif
o=mydomain
|
|-ou=accounts
|  |
|  |-ou=idmap
|  |
|  |-ou=computers
|  |
|  |-ou=users
|     |
|     |-ou=addresses
|     |
|     |-uid=root
|     |-uid=guest
|
|-ou=groups
|  |
|  |-ou=samba
|  |  |-cn=admins
|  |  |-cn=users
|  |  |-cn=guests
|  |  |-cn=machines
|  |
|  |-cn=root
|
|-ou=services
|  |
|  |-ou=automount
|  |
|  |-ou=DHCP
|  |
|  |-ou=DNS
|
|-ou=LDAPadmin
|  |-uid=MAIL
|  |-uid=NSS
|  |-uid=replicator
|  |-uid=unique_attrs
|
|-uid=admin
