SambaLDAP

From Wiki
Jump to: navigation, search

All these configuration steps have been done in Debian 6.0.

Installed SAMBA and LDAP in the same box, so no securation done.

Contents

Install SAMBA

sudo apt-get install samba samba-doc smbldap-tools

Install LDAP

Run the following from the command line:

sudo apt-get install slapd db4.2-util ldap-utils migrationtools

Enter your password for the admin entry in the LDAP directory when it is prompted. [edit] Initial Configuration

We need to reconfigure slapd anwering:

dpkg-reconfigure slapd

Omit OpenLDAP server configuration? ... No
DNS domain name: ... casa.gg
Name of your organization: ... Whatever & Co
Admin Password: XXXXX
Confirm Password: XXXXX
OK
HDB
Do you want your database to be removed when slapd is purged? ... No
Move old database? ... Yes
Allow LDAPv2 Protocol? ... No 

You can check if your server is working by typing:

ldapsearch -x -b dc=casa,dc=gg


Preparing OPENLDAP for SAMBA

In order for Samba to use OpenLDAP as a passdb backend, the user objects in the directory will need additional attributes. This section assumes you want Samba to be configured as a Windows NT domain controller, and will add the necessary LDAP objects and attributes.

The Samba attributes are defined in the samba.schema file which is part of the samba-doc package. The schema file needs to be unzipped and copied to /etc/ldap/schema. From a terminal prompt enter:

sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
sudo gzip -d /etc/ldap/schema/samba.schema.gz

The samba schema needs to be added to the cn=config tree. The procedure to add a new schema to slapd is also detailed in the section called “Further Configuration”.

First, create a configuration file named schema_convert.conf, or a similar descriptive name, containing the following lines:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema

Next, create a temporary directory to hold the output:

mkdir /tmp/ldif_output

Now use slapcat to convert the schema files:

slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > /tmp/cn=samba.ldif

Change the above file and path names to match your own if they are different.

Edit the generated /tmp/cn\=samba.ldif file, changing the following attributes:

dn: cn=samba,cn=schema,cn=config
...
cn: samba

And remove the following lines from the bottom of the file:

structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z

Finally, using the ldapadd utility, add the new schema to the directory:

ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\=samba.ldif

There should now be a dn: cn={X}misc,cn=schema,cn=config, where "X" is the next sequential schema, entry in the cn=config tree.

Copy and paste the following into a file named samba_indexes.ldif:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub

Using the ldapmodify utility load the new indexes:

ldapmodify -x -D cn=admin,cn=config -W -f samba_indexes.ldif

If all went well you should see the new indexes using ldapsearch:

ldapsearch -xLLL -D cn=admin,cn=config -x -b cn=config -W olcDatabase={1}hdb

Next, configure the smbldap-tools package to match your environment. The package comes with a configuration script that will ask questions about the needed options. To run the script enter:

sudo gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
sudo perl /usr/share/doc/smbldap-tools/configure.pl

Once you have answered the questions, there should be /etc/smbldap-tools/smbldap.conf and /etc/smbldap-tools/smbldap_bind.conf files. These files are generated by the configure script, so if you made any mistakes while executing the script it may be simpler to edit the file appropriately.

The smbldap-populate script will add the necessary users, groups, and LDAP objects required for Samba. It is a good idea to make a backup LDAP Data Interchange Format (LDIF) file with slapcat before executing the command:


sudo slapcat -l backup.ldif

Once you have a current backup execute smbldap-populate by entering:

sudo smbldap-populate

You can create an LDIF file containing the new Samba objects by executing sudo smbldap-populate -e samba.ldif. This allows you to look over the changes making sure everything is correct.

Your LDAP directory now has the necessary domain information to authenticate Samba users.


Setting LDAP Account MAnager (LAM)

LDAP account mananger is a nice GUI to control your LDAP installation.

It can be downloaded from https://www.ldap-account-manager.org/

We can download a Debian packages that requires to have installed:

aptitude install php5 php5-gd apache2 php-fpdf php5-ldap
dpkg -i ldap-account-manager_3.9-1_all.deb 

Then we need only to point our browser to http://127.0.0.1/lam at the top right corner we can manage the configuration without editing any configuration file. Default password is "lam".

NSS changes

We need to edit /etc/nsswitch.conf

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

SAMBA configuration

There a multiple ways to configure Samba for details on some common configurations see Chapter 17, Windows Networking. To configure Samba to use LDAP, edit the main Samba configuration file /etc/samba/smb.conf commenting the passdb backend option and adding the following:

#   passdb backend = tdbsam

# LDAP Settings
        passdb backend = ldapsam:ldap://127.0.0.1
        ldap suffix = dc=casa,dc=gg
        ldap user suffix = ou=People
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=admin,dc=casa,dc=gg
        ldap ssl = no
        ldap passwd sync = yes
        add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"


 domain logons = yes

[tmp]
   comment = Samba server's CD-ROM
   read only = yes
   locking = no
   path = /tmp
   guest ok = no


Restart samba to enable the new settings:

sudo restart smbd
sudo restart nmbd

Now Samba needs to know the LDAP admin password. From a terminal prompt enter:

sudo smbpasswd -w secret


Resources

This guide was working on my system, most of the information was taken from the following URLS:


I would like to thank the authors of the mentioned sites.

Personal tools
Namespaces
Variants
Actions
Navigation
Content
Toolbox