Friday, 2 July 2010

HOWTO: SAMBA + LDAP on 10.04 Lucid Part 1

Wow, it has taken me weeks to get this to the point that it seems to be working. The official documentation is horribly broken, but I have finally got what I think is a working solution. I will probably need to tweak this guide as time goes on (see the end of the post for revision history).

PLATFORM:
* Ubuntu Server 10.04 LTS (Lucid)

PREREQUISITES:
* A standard vanilla Ubuntu 10.04 server install.
* Set your admin user as a system user.
* Your user home directories are mounted from an NFS server.

Network overview;
* domain name: tuxnetworks.com (change this to suit your own)
* ldap-server 10.1.1.5 (change this to suit your own)

Installing Samba

We will start by configuring samba.

Download this samba config file;

~$ wget http://www.tuxnetworks.com/configs/smb.conf

Note:
Edit this file to suit your own network. You need to change the "ldap suffix" & "ldap admin" values, but you will probably also want to change "workgroup" and "netbios name" as well.


Create a samba directory;

~$ sudo mkdir /etc/samba/

Copy the new smb.conf file into place;

~$ sudo cp smb.conf /etc/samba/

Install Samba;

~$ sudo apt-get install samba samba-doc smbclient

Install the LDAP server

Next we want to install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities;

~$ sudo apt-get install slapd ldap-utils libpam-smbpass smbldap-tools

Notes:
By default slapd is configured with minimal options needed to run the slapd daemon.

The configuration example in the following sections will match the domain name of the server. For example, if the machine's Fully Qualified Domain Name (FQDN) is ldap.tuxnetworks.com, the default suffix will be dc=tuxnetworks,dc=com.

OpenLDAP uses a separate directory which contains the cn=config Directory Information Tree (DIT). The cn=config DIT is used to dynamically configure the slapd daemon, allowing the modification of schema definitions, indexes, ACLs, etc without stopping the service.

The backend cn=config directory has only a minimal configuration and will need additional configuration options in order to populate the frontend directory. The frontend will be populated with a "classical" scheme that will be compatible with address book applications and with Unix Posix accounts. Posix accounts will allow authentication to various applications, such as web applications, email Mail Transfer Agent (MTA) applications, etc.

* For external applications to authenticate using LDAP they will each need to be specifically configured to do so. Refer to the individual application documentation for details.

Remember to change "dc=tuxnetworks,dc=com" in the following examples to match your LDAP configuration.

First, some additional schema files need to be loaded. In a terminal enter:
~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

Download this LDIF file

~$ wget http://www.tuxnetworks.com/configs/backend.ldif

Edit the file to change "dc=tuxnetworks,dc=com" and "mypassword" to suit your own domain details.

TIP:
A quick way to change the domain is with sed (you still need to edit the password by hand);
~$ sed -i 's/dc=tuxnetworks,dc=com/dc=example,dc=net/g' backend.ldif

Now add the LDIF to the LDAP directory:

~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ~/backend.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

adding new entry "olcDatabase=hdb,cn=config"


Samba needs to be told the LDAP admin password, which it stores in secrets.tdb; do that with this command;

~$ sudo smbpasswd -W
Setting stored password for "cn=admin,dc=tuxnetworks,dc=com" in secrets.tdb
New SMB password:
Retype new SMB password:


Note:
Use the password you entered in the backend.ldif file earlier.

And finally, restart samba;

~$ sudo service smbd restart

You can test that samba works with smbclient (when it asks for root's password just press Enter);

~$ sudo smbclient -L localhost

You should see something like this;
~$ sudo smbclient -L localhost
Enter root's password: 
Anonymous login successful
Domain=[SAMBA] OS=[Unix] Server=[Samba 3.4.7]

 Sharename       Type      Comment
 ---------       ----      -------
 print$          Disk      Printer Drivers Share
 shared          Disk      
 archive         Disk      
 IPC$            IPC       IPC Service (Samba 3.4.7)
Anonymous login successful
Domain=[SAMBA] OS=[Unix] Server=[Samba 3.4.7]

 Server               Comment
 ---------            -------
 MYSAMBASERVER        Samba 3.4.7

 Workgroup            Master
 ---------            -------
 MYSAMBAWORKGROUP     MYSAMBASERVER

Note:
If you don't see the expected output, then you should stop right now and repeat the process. Having Samba incorrectly configured at this point will cause the rest of the procedure to fail.
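The backend.ldif customisation step above, as an added example script (not the post's own download or code): it assumes the template uses the placeholders the post names, dc=tuxnetworks,dc=com and mypassword, and the sample LDIF embedded below is constructed to stand in for the real file.

```shell
#!/bin/sh
# Added example, not the post's own script: customise the downloaded
# backend.ldif for your suffix and admin password, verify that no template
# value survives, and keep the result private because it holds olcRootPW.

# Constructed stand-in for the post's backend.ldif (same two entries its
# ldapadd output shows); use the real download in practice.
write_sample_backend() {
  cat > "$1" <<'EOF'
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=tuxnetworks,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=tuxnetworks,dc=com
olcRootPW: mypassword
olcDbIndex: objectClass eq
olcAccess: to attrs=userPassword by dn="cn=admin,dc=tuxnetworks,dc=com" write by anonymous auth by self write by * none
olcAccess: to * by dn="cn=admin,dc=tuxnetworks,dc=com" write by * read
EOF
}

# customize_backend_ldif IN OUT SUFFIX ROOTPW
#   SUFFIX  your base DN, e.g. dc=example,dc=net
#   ROOTPW  preferably the output of `slappasswd` ({SSHA}...) so that
#           cn=config never stores the admin password in clear
customize_backend_ldif() {
  in=$1; out=$2; suffix=$3; rootpw=$4
  # '|' delimits the sed expressions: {SSHA} hashes are base64 and may contain '/'
  ( umask 077; rm -f "$out"
    sed -e "s|dc=tuxnetworks,dc=com|$suffix|g" \
        -e "s|^olcRootPW: mypassword\$|olcRootPW: $rootpw|" "$in" > "$out" ) || return 1
  # refuse the file if any template value is left (the g flag also rewrote the olcAccess DNs)
  if grep -q -e 'dc=tuxnetworks' -e '^olcRootPW: mypassword$' "$out"; then
    echo "template values remain in $out" >&2; return 2
  fi
  # the rootdn must sit under the new suffix and match "ldap admin dn" in smb.conf
  grep -q "^olcRootDN: cn=admin,$suffix\$" "$out"
}

# Usage: customize_backend_ldif backend.ldif backend.custom.ldif dc=example,dc=net "$(slappasswd)"
#        sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.custom.ldif
```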

OK, now that we have the basic part done you should proceed to part 2.

42 comments:

Karan Pratap Singh said...

hi nice post

btw have you seen the following post ?
http://georgia.ubuntuforums.org/showthread.php?t=1499753

from
Karan

Anonymous said...

Thank you very much for this guidance. I was lost for days of trial and error and then found this - and it simply works!
Bernhard Seifert

Dan Howell said...

Another big thanks - very accurate and complete; helped me past a few sticking points... cheers!

Chris S said...

Thanks very much I have been trying to setup samba + LDAP for months and have always had one problem. Invalid credentials (49). It has been driving me crazy. Yours is the first how to that works.

It is very much appreciated.

Brett said...

Thanks Chris, I had the exact same problem, did a lot of googling, posted questions in forums and came away with nothing so I'm glad you got something from my effort. Cheers.

Nicholas said...

Does anyone know a good way to backup the LDAP+Samba configuration? I would like to be able to backup the databases just in case it ever got corrupted. The shared files are a no brainer.

lamps said...

Hi, firstly I wanna say Thank You for creating this guide, it's really helping me. =]

Secondly, I wonder if somebody can help me, cuz I'm trying to follow the guide, but after configuring smb.conf, restarting the service and changing the smb root pwd, I can't login. I type smbclient -L localhost, type the password, and the prompt gives me the following message: session setup failed: NT_STATUS_LOGON_FAILURE.

Anybody know what's going on?

Oh, sorry for my broken English, btw. =]

Sean said...

great tutorial... tried many and all failed but this one! any chance of a follow up to create a BDC?

Sean

Bob Tanner said...

root@samba-3-4:~# smbclient -L localhost
Enter root's password:
session setup failed: NT_STATUS_LOGON_FAILURE

Anyone know how to fix this issue?

I've made sure the password set in the backend.ldif is the same as the password I used for smbpasswd -W

Anonymous said...

You can test that samba works by using the samba-client (when it asks for roots password JUST PRESS ENTER);

sudo smbclient -L localhost

Anonymous said...

May I ask a stupid question? :p
after doing this guide, can I use client windows xp join this domain?

Brett said...

Sorry, I have no idea about joining XP as a domain member. I guess it should work but I don't have any Windows PC's so I have never tried it.

Give it a try and let me know.

Anonymous said...

Actually I tried it, but got an error when joining domain:
The following error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain tat.com:

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.tat.com

Common causes of this error include the following:

- The DNS SRV record is not registered in DNS.

- One or more of the following zones do not include delegation to its child zone:

tat.com
com
. (the root zone)

Would you please help me? thanks so much!

Anonymous said...

Looks like you should look at /var/log/samba/log.smbd for clarity.
Maybe change the FQDN to an IP address in smb.conf to help.

Huynguyen

Anonymous said...

my /var/log/samba/log.smbd said: "Unable to connect to CUPS server localhost:631"
please tell me how I can solve this problem.

Psyduck72 said...

For best performance of the LDAP server it's best to add indexes

Create a file called sambaindex.ldif containing the following:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub


and then just load it to the ldap server with the following command:

ldapmodify -Y EXTERNAL -H ldapi:/// -f sambaindex.ldif


if you don't use indexes you will get errors in /var/log/syslog such as:

Dec 23 17:05:17 ldap**** slapd[726]: <= bdb_equality_candidates: (sambaDomainName) not indexed
Dec 23 17:05:17 ldap**** slapd[726]: <= bdb_equality_candidates: (uid) not indexed
Dec 23 17:05:17 ldap**** slapd[726]: <= bdb_equality_candidates: (gidNumber) not indexed
Dec 23 17:05:17 ldap**** slapd[726]: <= bdb_equality_candidates: (sambaSID) not indexed

Anonymous said...

Nice and very helpful tut, for users who want to use M$ tools to manage PDC : usrmgr.exe and srvmgr.exe one big remark : The exe files must have version below 5 !!! .The version 4.0.1371.1 working without problems - out of the box, the version from M$ Windows Resource Kit 5.23790.1127 don't work for me.

The joining of M$ Windows XP Pro with SP3 to PDC created with this tut working without problems when You set some options in Your dhcp server :
option domain-name "YourDomainHere";
option netbios-name-servers YourPDCIP;
option netbios-node-type 8;

Br Pepson

Anonymous said...

hi:)
my name is Ilya
i have some prob..
after I had successfully joined a winxp client to the domain, after reboot, in the windows log on menu, I have the error "the system cannot log you on now because the domain SAMBA is not available" :(((
any ideas?

Ian said...

Thank you so so so very much! I had been struggling to get LDAP and Samba to work for many many hours now. I was about ready to defenestrate my terminal, and server. Also what ever else I could get my hands on. Your post gave me a few sane moments and I made it work. You Rock!


Thanks again for helping the community!
Best Regards.
//Ian\\

laquichimbox said...

It's ok!!!
Thanks...

I have followed the steps on this blog.... and it works correctly.

Thanks to everyone for their contributions

Anonymous said...

Finally, it works, thanks a bunch

Jason said...

Finally found some documentation that works!! Thanks so much for taking the time to put all this together!

JL

Tyler said...

THANK YOU!!!!!!!!!!!!!!!!!!

This is a great write-up. I've battled through this on my own a few times without using the cn=config stuff. This just saved me a few hours of pain :)

Anonymous said...

Maybe somewhat of a newbie question, but can the prerequisite NFS server for exporting home directories be located on the same Lucid server as SAMBA + LDAP?

Anonymous said...

Hi I have been struggling to get this to work . My samba log says
[2011/03/29 02:59:31, 0] lib/smbldap.c:1086(smbldap_connect_system)
failed to bind to server ldap://127.0.0.1 with dn="cn=admin,dc=faceless,dc=com" Error: Can't contact LDAP server
(unknown)
[2011/03/29 02:59:31, 1] lib/smbldap.c:1265(another_ldap_try)
Connection to LDAP server failed for the 1 try!
[2011/03/29 02:59:34, 0] smbd/server.c:457(smbd_open_one_socket)
smbd_open_once_socket: open_socket_in: Address already in use

Help would be greatly appreciated.

Anonymous said...

Hi, great tutorial. I echo the sentiments of most of the other posters, I'd been struggling with this for hours (starting w/ the generally-reliable Ubuntu official docs) with no luck, and with this tutorial, I eventually have things working.

One big problem I'm still having though is that after reboot, things are weird with Samba authentication to the LDAP accounts and even to general Unix password login for about 5 - 10 minutes, at which point it magically starts working again.

I was looking into it being a problem with the runlevels on slapd vs. libnss-ldap or winbind, etc., but my /etc/rc2.d looks like this:

S19slapd -> ../init.d/slapd
S20libnss-ldap -> ../init.d/libnss
S20winbind -> ../init.d/winbind
S50rsync -> ../init.d/rsync
...

so I assume that's not the problem. None of the logs I've reviewed seem to offer much help here. Has anyone else suffered this same fate? I basically started from a totally fresh Lucid install (10.04.2) and followed this HOWTO almost verbatim.

Jenn & John said...

Follow up post to my last complaint about things not working normally right after reboot for 5 - 10 minutes and then being fine:

There's a comment in this thread:

http://ubuntuforums.org/archive/index.php/t-727111.html

from 2008 that mentions how slapd must be started *before* the rsyslogd service. I messed around a bit trying to figure out the preferred way of doing this in Lucid, but finally just did what the guy suggested there (post marked "March 18th, 2008, 09:52 AM" by "rickyjones", where he says to change the S19slapd entry in rc2.d to S09slapd.

Once I did this, the next reboot was immediately successful. Good to know, but I wish it was easier to discover -- perhaps my (cross) post will help someone else.

John said...

At one point in the HOWTO, you mention running this command:

sudo pam-auth-update ldap

A curses menu pops up with 4 choices:

Unix authentication
Winbind NT/Active Directory authentication
LDAP Authentication
SMB password synchronization

which ones should we use for a simple Samba setup where we only want to have Samba user entries in LDAP?

Just the last one? I assume you used all of them since by default, I believe all four are checked.

A. Clausen said...

That worked like a charm. One question, has anybody extended this with LDAP replication for creating BDCs as well as a PDC?

vago said...

Hello
It's a very good manual but I have one doubt: is it possible to install ldap + samba on ubuntu 10.10 maverick with this guide?

Anthony said...

Hi

what response are you meant to get when you add the schema

I get adding new entry "cn=cosine,cn=schema,cn=config"
ldap_add: other implementation specific error (80)
additional info: ilcAttributeTypes: Duplicate attributetype: "0.9.2342.19200300.100.1.2"

Anonymous said...

thanks for this awesome guide.. been ripping my hair out for days until now :)..

br,
andy

Unknown said...

Every time I get stuck on the last step of this.

This is the output I get for the last command:

# smbclient -L localhost
Enter root's password:
Anonymous login successful
Domain=[SambaDomain] OS=[Unix] Server=[Samba 3.4.7]

 Sharename       Type      Comment
 ---------       ----      -------
 print$          Disk      Printer Drivers Share
 shared          Disk
 archive         Disk
 IPC$            IPC       IPC Service (Samba 3.4.7)
Anonymous login successful
Domain=[SambaDomain] OS=[Unix] Server=[Samba 3.4.7]

 Server               Comment
 ---------            -------

 Workgroup            Master
 ---------            -------
 WORKGROUP            MyServer


I can't figure out what I'm doing wrong, but I can't get anything to show up under the Server Comment line. Any ideas?

Noe Rodriguez Hilario said...

root@samba-3-4:~# smbclient -L localhost
Enter root's password:
session setup failed: NT_STATUS_LOGON_FAILURE

Anyone know how to fix this issue?

I've made sure the password set in the backend.ldif is the same as the password I used for smbpasswd -W

HELP ME....!!!

Anonymous said...

Stupid question, but why do we need Samba if we are already using NFS (with no windows clients)? In other words, what do we get from Samba+NFS+LDAP that NFS+LDAP doesn't offer?

Tomas said...

I can't access this file: wget http://www.tuxnetworks.com/configs/backend.ldif

Brett said...

Try it again now Tomas, I was doing some work yesterday and broke a hyperlink.

It should be OK now.

Tomas said...

Thank you !!

Ben said...

Excellent tutorial Brett - every step went smoothly well. Well done indeed :)

Fernando said...

root@laplace:~# smbclient -L localhost
Enter root's password:
Anonymous login successful
Domain=[MYSAMBAWORKGROUP] OS=[Unix] Server=[Samba 3.4.7]
tree connect failed: NT_STATUS_END_OF_FILE

I did exactly what was said in the tutorial, but in the last command i had this issue. Anyone know how to fix it?

Thanks in advance!

Umarzuki Mochlis said...

on debian squeeze, ldif export seemed to fail and afterwards, anonymous login also failed. Any tips?

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: olcAttributeTypes: Duplicate attributeType: "0.9.2342.19200300.100.1.2"

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: olcAttributeTypes: Duplicate attributeType: "1.3.6.1.1.1.1.2"

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113730.3.1.1"

# ldapadd -Y EXTERNAL -H ldapi:/// -f ~/backend.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: handler exited with 1

# smbclient -L localhost
Enter root's password:
session setup failed: NT_STATUS_IO_TIMEOUT

smb services seemed to be running

tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 5169/slapd

tcp6 0 0 :::139 :::* LISTEN 5349/smbd

5349/smbd
tcp6 0 0 :::389 :::* LISTEN 5169/slapd
5345/nmbd
udp 0 0 192.168.69.128:137 0.0.0.0:* 5345/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 5345/nmbd
udp 0 0 192.168.69.255:138 0.0.0.0:* 5345/nmbd
udp 0 0 192.168.69.128:138 0.0.0.0:* 5345/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 5345/nmbd