Difference between revisions of "Centralized login using LDAP and Samba"
Revision as of 11:32, 4 May 2010
Follow this tutorial to create a centralized authentication system that both Windows and Linux/Unix clients can authenticate against.
LDAP Server
apt-get install slapd samba samba-doc smbldap-tools
- Administrator password: <password>
- Confirm password: <password>
- Workgroup/Domain Name: <EXAMPLE.COM>
- Modify smb.conf to use WINS settings from DHCP? <No>
Remove the database that was created during installation:
rm -rf /var/lib/ldap/*
Run
dpkg-reconfigure slapd
- Omit OpenLDAP server configuration? <No>
- DNS domain name: <example.com>
- Organization name: <Example Organization>
- Administrator password: <password>
- Confirm password: <password>
- Database backend to use: <HDB>
- Do you want the database to be removed when slapd is purged? <No>
- Move old database? <Yes>
- Allow LDAPv2 protocol? <No>
Edit /etc/ldap/slapd.conf to add two schemas (samba.schema and misc.schema) to the default includes:
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/misc.schema
Replace the indexing options in /etc/ldap/slapd.conf:
# Indexing options for database #1
index ou,cn,sn,mail,givenname eq,pres,sub
index uidNumber,gidNumber,memberUid eq,pres
index loginShell eq,pres
index uniqueMember eq,pres
index uid pres,sub,eq
index displayName pres,sub,eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
Change the access rules in /etc/ldap/slapd.conf:
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
    by dn="cn=admin,dc=example,dc=com" write
    by anonymous auth
    by self write
    by * none
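As an added illustration (not part of the original page), the Python below models how slapd evaluates this directive: the "by" clauses are tried in file order and the first one that matches the requester decides, so an anonymous connection gets just enough access to bind, a user can change only their own password attributes, and no other user can read anyone's NT or LM hash. The example DNs are constructed, and the model covers only this one directive.

```python
# slapd access levels, weakest to strongest: a grant at one level also
# satisfies any request that needs a lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The tutorial's directive as (who, argument, level) clauses, in file order.
PASSWORD_ACL = [
    ("dn", "cn=admin,dc=example,dc=com", "write"),
    ("anonymous", None, "auth"),
    ("self", None, "write"),
    ("*", None, "none"),
]

# Constructed example DNs (not from the page) for trying the rule out.
ADMIN_DN = "cn=admin,dc=example,dc=com"
ALICE_DN = "uid=alice,ou=Users,dc=example,dc=com"
BOB_DN = "uid=bob,ou=Users,dc=example,dc=com"

def granted_level(bound_dn, target_dn, acl=PASSWORD_ACL):
    """Level granted by the first 'by' clause that matches the requester.
    slapd stops at the first match, so clause order decides the outcome.
    bound_dn is None for an anonymous (unauthenticated) connection."""
    for who, arg, level in acl:
        if who == "dn" and bound_dn == arg:
            return level
        if who == "anonymous" and bound_dn is None:
            return level
        if who == "self" and bound_dn is not None and bound_dn == target_dn:
            return level
        if who == "*":
            return level
    return "none"  # nothing matched: slapd's implicit default is no access

def allowed(bound_dn, target_dn, needed, acl=PASSWORD_ACL):
    """True if the requester holds at least the access level the operation needs
    (a simple bind needs 'auth' on userPassword; reading a hash needs 'read')."""
    granted = granted_level(bound_dn, target_dn, acl)
    return LEVELS.index(granted) >= LEVELS.index(needed)
```

Putting "by * none" first would make every later clause unreachable, which is why the catch-all must stay last.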
Samba
Create the profile and netlogon directories:
mkdir /var/lib/samba/profiles
chmod 777 /var/lib/samba/profiles
mkdir /var/lib/samba/netlogon
Replace the contents of /etc/samba/smb.conf:
[global]
# Domain name ..
workgroup = EXAMPLE
# Server name - as seen by Windows PCs ..
netbios name = SERVERNAME
# Be a PDC ..
domain logons = Yes
domain master = Yes
# Be a WINS server ..
wins support = true
obey pam restrictions = Yes
dns proxy = No
os level = 35
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
pam password change = Yes
# Allows users on WinXP PCs to change their password when they press Ctrl-Alt-Del
unix password sync = no
ldap passwd sync = yes
# Printing from PCs will go via CUPS ..
load printers = yes
printing = cups
printcap name = cups
# Use LDAP for Samba user accounts and groups ..
passdb backend = ldapsam:ldap://localhost
# This must match init.ldif ..
ldap suffix = dc=example,dc=com
# The password for cn=admin MUST be stored in /etc/samba/secrets.tdb
# This is done by running 'sudo smbpasswd -w'.
ldap admin dn = cn=admin,dc=example,dc=com
# 4 OUs that Samba uses when creating user accounts, computer accounts, etc.
# (Because we are using smbldap-tools, call them 'Users', 'Computers', etc.)
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
# Samba and LDAP server are on the same server in this example.
ldap ssl = no
# Scripts for Samba to use if it creates users, groups, etc.
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
# Script that Samba uses when a PC joins the domain ..
# (when changing 'Computer Properties' on the PC)
add machine script = /usr/sbin/smbldap-useradd -w '%u'
# Values used when a new user is created ..
# (Note: '%L' does not work properly with smbldap-tools 0.9.4-1)
logon drive =
logon home =
logon path =
logon script =
# This is required for Windows XP clients ..
server signing = auto
server schannel = Auto

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root
guest ok = Yes
browseable = No

[profiles]
comment = Roaming Profile Share
# would probably change this to elsewhere in a production system ..
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
browsable = No

[printers]
comment = All Printers
path = /var/spool/samba
use client driver = Yes
create mask = 0600
guest ok = Yes
printable = Yes
browseable = No
public = yes
writable = yes
admin users = root
write list = root

[print$]
comment = Printer Drivers share
path = /var/lib/samba/printers
write list = root
create mask = 0664
directory mask = 0775
admin users = root
Change these lines to match your configuration:
- workgroup = EXAMPLE
- netbios name = SERVERNAME
- ldap suffix = dc=example,dc=com
- ldap admin dn = cn=admin,dc=example,dc=com
Store the LDAP admin password for Samba to use (make sure the password you enter is the same as the one you entered during LDAP setup):
smbpasswd -W
- New SMB password: <password>
- Retype new SMB password: <password>
Restart Samba:
/etc/init.d/samba restart
SMBLDAP-TOOLS
Copy the example config files:
cat /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf > /etc/smbldap-tools/smbldap_bind.conf
zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf
Get the SID for your domain
net getlocalsid
- Copy the SID
Change these lines in /etc/smbldap-tools/smbldap.conf to match your configuration:
- SID
- sambaDomain
- suffix
- userSmbHome
- userProfile
- mailDomain
Change the following in /etc/smbldap-tools/smbldap.conf:
- defaultUserGid="5000"
- defaultComputerGid="2000"
Change the lines in /etc/smbldap-tools/smbldap_bind.conf to match your configuration:
slaveDN="cn=admin,dc=example,dc=com"
slavePw="the password you entered during ldap configuration"
masterDN="cn=admin,dc=example,dc=com"
masterPw="the password you entered during ldap configuration"
Set the correct permissions:
chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf
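The tutorial has you type the same suffix, admin DN, domain name and SID into smb.conf, smbldap.conf and smbldap_bind.conf by hand, and a mismatch only shows up later as failed binds or a wrong domain SID. The following Python check is an added example (not from the page or from smbldap-tools): it parses the three files and reports every pair of values that disagrees. The file fragments and the SID are constructed samples, with the smbldap.conf suffix deliberately wrong so the check has something to report.

```python
import re

# Constructed fragments of the three files the tutorial edits (not from a real
# system); the smbldap.conf suffix is deliberately wrong to show a finding.
SMB_CONF = """[global]
workgroup = EXAMPLE
ldap suffix = dc=example,dc=com
ldap admin dn = cn=admin,dc=example,dc=com
"""
SMBLDAP_CONF = """SID="S-1-5-21-111-222-333"   # placeholder, not a real SID
sambaDomain="EXAMPLE"
suffix="dc=example,dc=org"
"""
BIND_CONF = """slaveDN="cn=admin,dc=example,dc=com"
masterDN="cn=admin,dc=example,dc=com"
"""

def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}; '#' and ';' start comment lines."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def parse_smbldap(text):
    """Parse smbldap-tools key="value" lines (comments and unquoted lines ignored)."""
    values = {}
    for raw in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"([^"]*)"', raw)
        if m:
            values[m.group(1)] = m.group(2)
    return values

def check_consistency(smb_conf, smbldap_conf, bind_conf, local_sid):
    """Return one message per value pair the tutorial requires to agree but does not."""
    g = parse_smb_conf(smb_conf).get("global", {})
    tools, bind = parse_smbldap(smbldap_conf), parse_smbldap(bind_conf)
    pairs = [
        ("smb.conf ldap suffix / smbldap.conf suffix", g.get("ldap suffix"), tools.get("suffix")),
        ("smb.conf workgroup / smbldap.conf sambaDomain", g.get("workgroup"), tools.get("sambaDomain")),
        ("smbldap.conf SID / net getlocalsid", tools.get("SID"), local_sid),
        ("smb.conf ldap admin dn / smbldap_bind.conf masterDN", g.get("ldap admin dn"), bind.get("masterDN")),
        ("smb.conf ldap admin dn / smbldap_bind.conf slaveDN", g.get("ldap admin dn"), bind.get("slaveDN")),
    ]
    return [f"{what}: {a!r} != {b!r}" for what, a, b in pairs if a != b]
```

Call check_consistency with the real file contents and the SID printed by net getlocalsid; an empty list means the three files agree.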
Now it's time to populate the directory with the default Samba information:
smbldap-populate
- Enter the password for the domain root user (yes, on Windows it is also called root now)
Start the engine
Index the OpenLDAP server:
/etc/init.d/slapd stop
slapindex
chown -R openldap:openldap /var/lib/ldap
/etc/init.d/slapd start
Add a user:
smbldap-useradd -a -m -M martijn.zeedijk martijn.zeedijk
smbldap-passwd martijn.zeedijk
- New password: <password>
- Retype new password: <password>