Ubuntu Bloke: HOWTO: SAMBA + LDAP on 10.04 Lucid
Looks like the blog this was on is no longer available so I'm putting the contents here.
Wow, it has taken me weeks to get this to the point that it seems to be working. The official documentation is horribly broken, but I have finally got what I think is a working solution. I will probably need to tweak this guide as time goes on (see the end of the post for revision history).
PLATFORM:
* Ubuntu Server 10.04 LTS (Lucid)
PREREQUISITES:
* A standard vanilla Ubuntu 10.04 server install.
* An NFS server exporting the users' home directories
Network overview;
* domain name: tuxnetworks.com
* ldap-server 10.1.1.5
Install The Packages
We want to install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities. While we are at it we will also install the samba-related packages:
sudo apt-get install slapd ldap-utils samba samba-doc libpam-smbpass smbclient smbldap-tools
Notes:
By default slapd is configured with minimal options needed to run the slapd daemon.
The configuration in the following sections will match the domain name of the server. For example, if the machine's Fully Qualified Domain Name (FQDN) is ldap.tuxnetworks.com, the default suffix will be dc=tuxnetworks,dc=com.
Populating the server
Notes:
OpenLDAP uses a separate directory which contains the cn=config Directory Information Tree (DIT). The cn=config DIT is used to dynamically configure the slapd daemon, allowing the modification of schema definitions, indexes, ACLs, etc without stopping the service.
The backend cn=config directory has only a minimal configuration and will need additional configuration options in order to populate the frontend directory. The frontend will be populated with a "classical" scheme that will be compatible with address book applications and with Unix Posix accounts. Posix accounts will allow authentication to various applications, such as web applications, email Mail Transfer Agent (MTA) applications, etc.
* For external applications to authenticate using LDAP they will each need to be specifically configured to do so. Refer to the individual application documentation for details.
* Remember to change dc=tuxnetworks,dc=com in the following examples to match your LDAP configuration.
First, some additional schema files need to be loaded. In a terminal enter:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
Next, create an LDIF file
vi ~/backend.ldif
With the following contents;
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb
# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=tuxnetworks,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=tuxnetworks,dc=com
olcRootPW: mypassword
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=tuxnetworks,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=tuxnetworks,dc=com" write by * read
* Don't forget to change dc=tuxnetworks,dc=com and olcRootPW to suit your own domain details.
Now add the LDIF to the directory:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
Download this samba config file;
wget http://www.tuxnetworks.com/configs/smb.conf
Edit it to suit your network and then copy the new smb.conf file into place;
sudo cp smb.conf /etc/samba/
Samba needs us to tell it the LDAP admin password
sudo smbpasswd -W
And finally, we restart samba;
sudo service smbd restart
You can test that samba works by using the samba client (when it asks for root's password just press Enter);
sudo smbclient -L localhost
You should see something like this;
operator@callisto:~$ sudo smbclient -L localhost
Enter root's password:
Anonymous login successful
Domain=[SAMBA] OS=[Unix] Server=[Samba 3.4.7]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers Share
shared Disk
archive Disk
IPC$ IPC IPC Service (Samba 3.4.7)
Anonymous login successful
Domain=[SAMBA] OS=[Unix] Server=[Samba 3.4.7]
Server Comment
--------- -------
CALLISTO Samba 3.4.7
Workgroup Master
--------- -------
SAMBA CALLISTO
Our samba users require profile and netlogon directories, let's create them now;
sudo mkdir -v -m 777 /var/lib/samba/profiles
sudo mkdir -v -p -m 777 /var/lib/samba/netlogon
Next we must add the samba schemas to the LDAP server. These schemas are part of the samba-doc package that we installed earlier.
sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
sudo gzip -d /etc/ldap/schema/samba.schema.gz
These schemas must be converted to the "ldif" format before we can use them.
Create a file called schema_convert.conf
vi ~/schema_convert.conf
and paste in the following lines;
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema
Next, use slapcat to convert the schemas;
slapcat -f ~/schema_convert.conf -F ~ -n0 -s "cn={12}samba,cn=schema,cn=config" > ~/cn=samba.ldif
slapcat will generate a file "~/cn\=samba.ldif". Edit this file;
vi ~/cn\=samba.ldif
and change the following attributes:
dn: cn={12}samba,cn=schema,cn=config
...
cn: {12}samba
to
dn: cn=samba,cn=schema,cn=config
...
cn: samba
Also, remove all these lines at the bottom of the file.
structuralObjectClass: olcSchemaConfig
entryUUID: 99e797a8-07cb-102f-8c5c-739a8467e607
creatorsName: cn=config
createTimestamp: 20100609043122Z
entryCSN: 20100609043122.188753Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100609043122Z
Add the schema to the server;
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ~/cn\=samba.ldif
This should return the following lines with no errors.
adding new entry "cn=samba,cn=schema,cn=config"
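The hand edits to ~/cn=samba.ldif above (dropping the {12} ordering prefix and the operational attributes slapcat appends) are easy to get wrong, so here is an added example, not from the original post, that applies them with sed and checks the result before it goes near ldapadd. The input and output paths are arguments; the sample LDIF below is constructed and shortened.

```shell
#!/bin/sh
# Added example, not part of the original post: automate the edits the guide
# makes to ~/cn=samba.ldif after slapcat so the file can be fed to ldapadd.
# Input/output paths are arguments; the sample below is constructed.

# fix_schema_ldif IN OUT
# 1. strip the {N} ordering prefix from the dn: and cn: lines
# 2. drop the operational attributes slapcat appends (ldapadd rejects them)
fix_schema_ldif() {
    sed -E \
        -e 's/^dn: cn=[{][0-9]+[}]samba,/dn: cn=samba,/' \
        -e 's/^cn: [{][0-9]+[}]samba$/cn: samba/' \
        -e '/^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp): /d' \
        "$1" > "$2"
}

# check_schema_ldif FILE: succeed only if the file is ready for ldapadd
check_schema_ldif() {
    grep -q '^dn: cn=samba,cn=schema,cn=config$' "$1" &&
    grep -q '^cn: samba$' "$1" &&
    ! grep -Eq '^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp):' "$1"
}

# Constructed sample resembling slapcat's output (values shortened; the
# olcAttributeTypes line is folded with a leading space, as slapcat does).
SAMPLE_IN=$(mktemp)
SAMPLE_OUT=$(mktemp)
cat > "$SAMPLE_IN" <<'EOF'
dn: cn={12}samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'L
 anManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1
 21.1.26{32} SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20100609043122Z
entryCSN: 20100609043122.188753Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100609043122Z
EOF
fix_schema_ldif "$SAMPLE_IN" "$SAMPLE_OUT"
check_schema_ldif "$SAMPLE_OUT" && echo "LDIF ready for ldapadd: $SAMPLE_OUT"
```

On a real server, run fix_schema_ldif on ~/cn=samba.ldif and only pass the output to the ldapadd command above once check_schema_ldif succeeds.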
Let's check how things are going with the following query;
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -b cn=config -W olcDatabase={1}hdb
You should see a metric shedload of output with this at the end;
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
If you see output like above then your LDAP server is working, but we still need to finish configuring samba.
Unpack the samba-ldap-tools (we downloaded this earlier)
sudo gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
Now we are going to execute a perl script which will set up samba for us. For almost every prompt you should just press Enter. There are a few exceptions, however.
When asked for "logon home" and "logon path" enter a "." (fullstop) and nothing else. When asked for a password (ldap master/slave bind password) use the password for the "admin" account that you entered earlier. Remember, leave the default value for everything else!
Run the script;
sudo perl /usr/share/doc/smbldap-tools/configure.pl
Now that the script has created our configuration, we can use it to populate the server;
sudo smbldap-populate
The final touches;
sudo /etc/init.d/slapd stop
sudo slapindex
sudo chown openldap:openldap /var/lib/ldap/*
sudo /etc/init.d/slapd start
Make "root" the domain administrator;
sudo smbldap-groupmod -m 'root' 'Administrators'
If this returns
adding user root to group Administrators
with no errors then you are looking good!
Now, we need to allow clients to authenticate via LDAP. To do this we need to install a package.
sudo apt-get --yes install ldap-auth-client
We also need to tell PAM and the Name Service Switch service to use LDAP for auth;
sudo auth-client-config -t nss -p lac_ldap
sudo pam-auth-update ldap
If all has gone well, you should now be able to add a user to the database;
sudo smbldap-useradd -a -m -P brettg
You can check your new user by issuing this command;
ldapsearch -xLLL -b "dc=tuxnetworks,dc=com" uid=brettg
Next, you should go ahead and install phpLDAPadmin or configure a client.
Revisions:
13/7/2010 - Karan Pratap Singh pointed me to another howto which does some things in a better way than mine did. I have merged the parts that I like into my document (see comments)
Comments
Create a file called sambaindex.ldif containing the following:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
and then just load it to the ldap server with the following command:
ldapmodify -Y EXTERNAL -H ldapi:/// -f sambaindex.ldif
If you don't use indexes you will get errors in /var/log/syslog such as:
Dec 23 17:05:17 ldap**** slapd[726]: <= bdb_equality_candidates: (sambaDomainName) not indexed
Dec 23 17:05:17 ldap**** slapd[726]: <= bdb_equality_candidates: (uid) not indexed
Dec 23 17:05:17 ldap**** slapd[726]: <= bdb_equality_candidates: (gidNumber) not indexed
Dec 23 17:05:17 ldap**** slapd[726]: <= bdb_equality_candidates: (sambaSID) not indexed