Friday, 2 July 2010

HOWTO: SAMBA + LDAP on 10.04 Lucid Part 2

This is Part Two of my SAMBA + LDAP howto. You must successfully complete Part One before attempting this procedure.

OK, with Part One done we must now provide our samba users with profile and netlogon directories. Let's create them now;

~$ sudo mkdir -v -m 777 /var/lib/samba/profiles
~$ sudo mkdir -v -p -m 777 /var/lib/samba/netlogon

Next we must add the samba schemas to the LDAP server. These schemas are part of the samba-doc package that we installed in Part One.

Copy the schemas to the appropriate location;
~$ sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
~$ sudo gzip -d /etc/ldap/schema/samba.schema.gz

These schemas must be converted to the "ldif" format before we can use them.

Create a file called schema_convert.conf

~$ vi ~/schema_convert.conf

and paste in the following lines;

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema

Next, use slapcat to convert the schemas;

~$ slapcat -f ~/schema_convert.conf -F ~ -n0 -s "cn={12}samba,cn=schema,cn=config" > ~/cn=samba.ldif

slapcat will generate a file "~/cn\=samba.ldif". Edit this file;

~$ vi ~/cn\=samba.ldif

and change the following attributes from:

dn: cn={12}samba,cn=schema,cn=config
cn: {12}samba

to:

dn: cn=samba,cn=schema,cn=config
cn: samba

Also, remove all these lines from the bottom of the file.

structuralObjectClass: olcSchemaConfig
entryUUID: 99e797a8-07cb-102f-8c5c-739a8467e607
creatorsName: cn=config
createTimestamp: 20100609043122Z
entryCSN: 20100609043122.188753Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100609043122Z
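The two manual edits above (renaming the indexed dn/cn and deleting the operational attributes at the bottom) can also be scripted. This is an added example, not from the original post: the LDIF it runs on is a constructed stand-in for slapcat's output, and the output name ~/samba-clean.ldif is ours.

```bash
#!/bin/bash
# Added example, not from the original post: clean the file slapcat wrote
# (~/cn\=samba.ldif) so ldapadd accepts it. Generalises the manual edit above
# to whatever {N} index slapcat assigned, not just {12}.

# Rewrite the dn/cn lines and drop the operational attributes slapcat emits.
# Usage: clean_samba_schema_ldif < ~/cn\=samba.ldif > ~/samba-clean.ldif
clean_samba_schema_ldif() {
  sed -E \
    -e 's/^dn: cn=\{[0-9]+\}samba,cn=schema,cn=config$/dn: cn=samba,cn=schema,cn=config/' \
    -e 's/^cn: \{[0-9]+\}samba$/cn: samba/' \
    -e '/^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp): /d'
}

# Constructed sample standing in for the head and tail of slapcat's output
# (placeholder entryUUID; one attribute definition shown, the real file has many).
sample_slapcat_ldif() {
  cat <<'EOF'
dn: cn={12}samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20100609043122Z
entryCSN: 20100609043122.188753Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100609043122Z
EOF
}

# Check a cleaned file on stdin before ldapadd: exactly one dn, it is the
# un-indexed one, and no operational attribute survived. 0 = clean, 1 = not.
verify_clean_ldif() {
  local ldif
  ldif=$(cat)
  [ "$(printf '%s\n' "$ldif" | grep -c '^dn: ')" -eq 1 ] || return 1
  printf '%s\n' "$ldif" | grep -qx 'dn: cn=samba,cn=schema,cn=config' || return 1
  printf '%s\n' "$ldif" | grep -qx 'cn: samba' || return 1
  ! printf '%s\n' "$ldif" | grep -qE '^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp):'
}

# Demo: clean the constructed sample and verify the result.
sample_slapcat_ldif | clean_samba_schema_ldif | verify_clean_ldif && echo "samba schema LDIF is clean"
```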

Add the schema to the server;

~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ~/cn\=samba.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
adding new entry "cn=samba,cn=schema,cn=config"

You should see the following line with no errors reported.

adding new entry "cn=samba,cn=schema,cn=config"

Let's check how things are going with the following query (use an empty password);
~$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -b cn=config -W olcDatabase={1}hdb

You should see a metric shedload of output with this at the end;

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

If you see output like above then your LDAP server is working, but we still need to finish configuring samba.

Unpack the smbldap-tools script (we downloaded this earlier);
~$ sudo gzip -d /usr/share/doc/smbldap-tools/

Now we are going to execute a perl script which will set up samba for us. For almost every prompt you should just press Enter. There are a few exceptions, however. When asked for "logon home" and "logon path" enter a "." (fullstop) and nothing else. When asked for a password (ldap master/slave bind password) use the password for the "admin" account that you entered earlier. Remember, leave the default value for everything else!

Run the script;

~$ sudo perl /usr/share/doc/smbldap-tools/

Now that the script has created our configuration, we can use it to populate the server;

~$ sudo smbldap-populate
Populating LDAP directory for domain TUXNETWORKS (S-1-5-21-3403240416-131340500-4256605436)
(using builtin directory structure)

adding new entry: dc=tuxnetworks,dc=net
adding new entry: ou=Users,dc=tuxnetworks,dc=net
adding new entry: ou=Groups,dc=tuxnetworks,dc=net
adding new entry: ou=Computers,dc=tuxnetworks,dc=net
adding new entry: ou=Idmap,dc=tuxnetworks,dc=net
adding new entry: uid=root,ou=Users,dc=tuxnetworks,dc=net
adding new entry: uid=nobody,ou=Users,dc=tuxnetworks,dc=net
adding new entry: cn=Domain Admins,ou=Groups,dc=tuxnetworks,dc=net
adding new entry: cn=Domain Users,ou=Groups,dc=tuxnetworks,dc=net
adding new entry: cn=Domain Guests,ou=Groups,dc=tuxnetworks,dc=net
adding new entry: cn=Domain Computers,ou=Groups,dc=tuxnetworks,dc=net
adding new entry: cn=Administrators,ou=Groups,dc=tuxnetworks,dc=net
adding new entry: cn=Account Operators,ou=Groups,dc=tuxnetworks,dc=net
adding new entry: cn=Print Operators,ou=Groups,dc=tuxnetworks,dc=net
adding new entry: cn=Backup Operators,ou=Groups,dc=tuxnetworks,dc=net
adding new entry: cn=Replicators,ou=Groups,dc=tuxnetworks,dc=net
adding new entry: sambaDomainName=TUXNETWORKS,dc=tuxnetworks,dc=net

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:

The "UNIX and samba passwords for root" can be anything, you don't need to use the LDAP admin password here.

The final touches;

~$ sudo /etc/init.d/slapd stop
~$ sudo slapindex

Runnig as root!
There's a fair chance slapd will fail to start.
Check file permissions!

Ignore the warning!

~$ sudo chown openldap:openldap /var/lib/ldap/*
~$ sudo /etc/init.d/slapd start

Make "root" the domain administrator;

~$ sudo smbldap-groupmod -m 'root' 'Administrators'
adding user root to group Administrators

If this returns;

adding user root to group Administrators

with no errors then you are looking good!

Now, we need to allow clients to authenticate via LDAP. To do this we need to install a package.

~$ sudo apt-get --yes install ldap-auth-client

During this process enter the following details;








We also need to tell PAM and the Name Service Switch (NSS) to use LDAP for auth;

~$ sudo auth-client-config -t nss -p lac_ldap
~$ sudo pam-auth-update ldap

If all has gone well, you should now be able to add a user to the database;

~$ sudo smbldap-useradd -a -m -P brettg
Cannot confirm uidNumber 1000 is free: checking for the next one
Changing UNIX and samba passwords for brett
New password:
Retype new password:

You will notice the above command returns "Cannot confirm uidNumber 1000 is free: checking for the next one" and your LDAP user ends up with a UID of 1001. If you are an OCD type like me and want all your users on LDAP and starting at 1000, then you might want to consider changing the UID of the default Ubuntu system user to a number below 1000 before issuing this command. If you do that, then make sure that you can log in and get sudo privileges before you go any further, of course.

You can check your new user by issuing this command;

~$ ldapsearch -xLLL -b "dc=tuxnetworks,dc=net" uid=brettg
dn: uid=brett,ou=Users,dc=tuxnetworks,dc=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: brett
sn: brett
givenName: brett
uid: brett
uidNumber: 1001
gidNumber: 513
homeDirectory: /home/brett
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: brett
sambaSID: S-1-5-21-3403240416-131340500-4256605436-3002
sambaPrimaryGroupSID: S-1-5-21-3403240416-131340500-4256605436-513
sambaLogonScript: allusers.bat
sambaLMPassword: 157FBB24ACBE1A68AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 8462E3FFE0BA1C8CED841873EC989A29
sambaPwdLastSet: 1308795478
sambaPwdMustChange: 1312683478
shadowLastChange: 15148
shadowMax: 45

If you get output like this then congratulations, you have successfully configured a combined Samba/LDAP server!
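The ldapsearch above is an anonymous simple bind (-x with no -D or -W), and it still returned the sambaLMPassword and sambaNTPassword attributes. As an added example that is not part of the original post, this script audits such a dump for password attributes and writes an olcAccess change that hides them from anonymous readers; the dc=tuxnetworks,dc=net base and the cn=admin DN come from the post, while the rule itself and its {0} position are our assumption.

```bash
#!/bin/bash
# Added example, not from the original post: audit an ldapsearch dump for
# password attributes an anonymous bind should never see, and generate the
# olcAccess change that hides them. Base DN and cn=admin DN follow the post;
# the rule and its {0} position are our assumption.

# Attributes carrying password material in a posixAccount/sambaSamAccount entry.
SECRET_ATTRS='userPassword|sambaLMPassword|sambaNTPassword'

# Read an LDIF dump on stdin and print the names (never the values) of the
# secret attributes present. Returns 1 if any were found, 0 if clean.
find_exposed_secrets() {
  local found
  found=$(grep -oE "^($SECRET_ATTRS):" | sort -u | tr -d ':')
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# Constructed sample of the anonymous "ldapsearch -x" output shown above,
# with the hash values replaced by placeholders.
sample_anon_dump() {
  cat <<'EOF'
dn: uid=brett,ou=Users,dc=tuxnetworks,dc=net
objectClass: sambaSamAccount
uid: brett
sambaLMPassword: <LM-HASH-PLACEHOLDER>
sambaAcctFlags: [U]
sambaNTPassword: <NT-HASH-PLACEHOLDER>
EOF
}

# LDIF for "sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>". {0} inserts
# the rule ahead of the existing olcAccess values so it is evaluated first;
# lines beginning with a space are LDIF continuations of the olcAccess value.
acl_fix_ldif() {
  cat <<'EOF'
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,sambaLMPassword,sambaNTPassword
  by dn="cn=admin,dc=tuxnetworks,dc=net" write
  by self write
  by anonymous auth
  by * none
EOF
}

# Demo: report what the sample exposes, then show the fix to apply.
sample_anon_dump | find_exposed_secrets || acl_fix_ldif
```

After loading the change, rerun the anonymous ldapsearch; the two hash attributes should no longer appear in the entry.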

Next, you should go ahead and configure a client.

13/7/2010 - Karan Pratap Singh pointed me to another howto which does some things in a better way than mine did. I have merged the parts that I like into my document (see comments).

23/6/2011 - Retested, confirmed the process still works. Some parts were cleaned up and extra output from some of the commands was added. Also I split the post into 2 parts as it was getting quite long.


BellumLeon said...

Hi buddy, why do you put this file in the root directory?

~/cn=samba.ldif.. slapcat created three files in the root directory


by the way great blog

Brett said...

The ~/ symbol directs it to place the files in your home directory. I suspect you may have missed that and used /

BellumLeon said...

you know I'm an asshole, sorry I did not read the (when it asks for roots password just press Enter) part

but when I just press enter I got this

Anonymous login successful
Domain=[TESTDOM] OS=[Unix] Server=[Samba 3.4.7]
tree connect failed: NT_STATUS_END_OF_FILE

sorry again