This blog is intended to collect information on my various interests and to pen my opinion on the information gathered; it is not intended to educate anyone on the information posted, but you are most welcome to share your views on it.
Monday, July 26, 2010
Samba Ldap Integration
LDAP (Lightweight Directory Access Protocol) is an application-layer protocol that provides access to an ordered, distributed directory service for looking up different kinds of information in a network environment. LDAP can be thought of as a database (although the storage system may be different) that can be queried. URL: http://es.wikipedia.org/wiki/LDAP
SMB (short for Server Message Block) is a network protocol that enables file and printer sharing (among other things) between nodes in a network. It is mainly used on computers running Microsoft Windows. SMB was originally invented by IBM, but the most common version today has been largely modified by Microsoft. Microsoft renamed SMB to Common Internet File System (CIFS) in 1998 and added more features, including support for symbolic links, hard links, and larger file sizes. URL: http://es.wikipedia.org/wiki/SMB
OpenLDAP is a free and open-source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. It is released under its own license, the OpenLDAP Public License. LDAP is a platform-independent protocol. Many Linux distributions include OpenLDAP software to support it.
SAMBA is a suite of programs originally created by Andrew Tridgell and currently maintained by The Samba Team under the GNU General Public License, implemented on UNIX® systems and based on the SMB protocol. It serves as a complete replacement for Windows® NT, Warp®, NFS® and Netware® servers.
This tutorial assumes you have successfully completed the tutorial OpenLDAP as an authentication server and the tutorial How to configure SAMBA by Joel Barrios. Some small fragments and configuration in this document were extracted from the aforementioned manuals to provide a better understanding and background for the tutorial.
This manual is an updated version of a previous one for CentOS 4, differing in some obvious details because of the updated packages. We will also make use of packages from a repository that contains the smbldap-tools, in our case DAG. (While we wait for AL Desktop)
1. OpenLDAP AUTHENTICATION
We will copy the Samba directory schema into the OpenLDAP schema directory:
After this, edit the file /etc/openldap/slapd.conf and add one more line so that OpenLDAP supports the Samba schema. The file would look as follows:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
Add at the end of the file /etc/openldap/slapd.conf:
database bdb
suffix "dc=your-network-local,dc=com"
rootdn "cn=Administrator,dc=your-network-local,dc=com"
# This password was previously obtained by running slappasswd
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
directory /var/lib/ldap/authentication
# Indices to maintain for this database
# index objectClass eq,pres
# index ou,cn,mail,surname,givenname eq,pres,sub
# index uidNumber,gidNumber,loginShell eq,pres
# index uid,memberUid eq,pres,sub
# index nisMapName,nisMapEntry eq,pres,sub
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
We have to configure the global parameters for the client (NSS), pointing at the same server (localhost), in /etc/ldap.conf:
host 127.0.0.1
base dc=your-network-local,dc=com
We also have to configure the LDAP client in /etc/openldap/ldap.conf:
HOST 127.0.0.1
BASE dc=your-network-local,dc=com
We start the LDAP service and configure it to start by default:
service ldap start
chkconfig ldap on
2. SAMBA and LDAP integration
Now configure Samba in /etc/samba/smb.conf:
# Samba PDC openLDAP for CentOS 5
# Jaime M. Nozawa Tan
# The domain name might be the name of the company.
workgroup = DOMAIN
server string = Samba Server
netbios name = LINUX
# ----- LDAP parameters -----
# Who will be the domain administrator user
admin users = Administrator @"Domain Admins"
passdb backend = ldapsam:ldap://localhost
# LDAP suffix for all the entries that follow
ldap suffix = dc=your-network-local,dc=com
# OU for NetBIOS users
ldap user suffix = ou=People
# OU for NetBIOS groups
ldap group suffix = ou=Group
# The OpenLDAP administrator account
ldap admin dn = cn=Administrator,dc=your-network-local,dc=com
# Synchronization of the LDAP, NT and LM passwords
ldap passwd sync = yes
# Add machine accounts automatically
add machine script = /usr/sbin/smbldap-useradd -w %u
# I leave the following commented; enable them if necessary or use your own criteria
# ldap ssl = start tls
# add user script = /usr/sbin/smbldap-useradd -m "%u"
# ldap delete dn = yes
# delete user script = /usr/sbin/smbldap-userdel "%u"
# add group script = /usr/sbin/smbldap-groupadd -p "%g"
# delete group script = /usr/sbin/smbldap-groupdel "%g"
# add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
# delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
# set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
# ldap replication sleep = 1000   # time for server replication
# ----- END OF LDAP PARAMETERS -----
Make sure you have the following parameters enabled in this form:
security = user
encrypt passwords = yes
os level = 65
domain master = yes
preferred master = yes
domain logons = yes
# ... other options
Now Samba needs to be given the OpenLDAP Manager password so that it can connect to the directory (this was done on CentOS 4; I think it is no longer necessary):
A message will appear confirming that Samba and OpenLDAP authenticate:
Setting stored password for "cn=Administrator,dc=your-network-local,dc=com" in secrets.tdb
We test the configuration and restart Samba:
testparm
service smb restart
3. smbldap-tools and extra repositories
From this point on it is necessary to use the smbldap-tools; for some reason the ones that came with Samba did not work, so I decided to use the DAG repository.
NOTE: After installing perl-LDAP from the base repository (in my tests of the CentOS 4 tutorial), it conflicted with the perl-ldap package from DAG, so I recommend uninstalling it beforehand.
A message similar to this will be displayed; we should write it down or copy it:
SID for domain LINUX is: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX
Proceed to configure the smbldap-tools access to the OpenLDAP database in /etc/smbldap-tools/smbldap_bind.conf:
# The password is the unencrypted OpenLDAP Manager password
slaveDN="cn=Administrator,dc=your-network-local,dc=com"
slavePw="password"
masterDN="cn=Administrator,dc=your-network-local,dc=com"
masterPw="password"
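As an added check that is not part of this tutorial, the following Python script audits the files that hold directory credentials: slapd.conf from section 1 should carry a hashed rootpw and, like smbldap_bind.conf above with its clear-text bind passwords, be readable by root only. It writes constructed copies of both files into a temporary directory, so it runs offline; the placeholder password list is an assumption.

```python
import os
import re
import stat
import tempfile

# Constructed file contents mirroring the tutorial (the rootpw hash is fake).
FILES = {
    "slapd.conf": 'rootdn "cn=Administrator,dc=your-network-local,dc=com"\n'
                  'rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n',
    "smbldap_bind.conf": 'slaveDN="cn=Administrator,dc=your-network-local,dc=com"\n'
                         'slavePw="password"\nmasterPw="password"\n',
}
PLACEHOLDER_PASSWORDS = {"password", ""}  # assumed list of values to reject

def audit_file(path):
    """Return findings for one credential file; an empty list means it is fine."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{os.path.basename(path)}: mode {mode:04o} is readable by group/others")
    with open(path) as fh:
        text = fh.read()
    # slapd.conf: rootpw must be a hashed value such as {SSHA}..., never clear text
    for m in re.finditer(r"^\s*rootpw\s+(\S+)", text, re.M):
        if not m.group(1).startswith("{"):
            findings.append("slapd.conf: rootpw is stored in clear text; use slappasswd")
    # smbldap_bind.conf: the bind passwords are clear text by design, so at least
    # make sure the tutorial placeholder was replaced
    for m in re.finditer(r'^\s*(slavePw|masterPw)\s*=\s*"([^"]*)"', text, re.M):
        if m.group(2) in PLACEHOLDER_PASSWORDS:
            findings.append(f"{m.group(1)} is still the placeholder value")
    return findings

def audit_directory(directory):
    """Audit every known credential file under `directory`; returns {name: findings}."""
    return {name: audit_file(os.path.join(directory, name)) for name in FILES}

def build_sample(mode=0o644):
    """Write the constructed files into a temp dir with the given mode; returns the dir."""
    directory = tempfile.mkdtemp()
    for name, body in FILES.items():
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return directory

if __name__ == "__main__":
    for name, findings in audit_directory(build_sample()).items():
        print(name, findings or "ok")
```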
And the main settings in /etc/smbldap-tools/smbldap.conf:
# Here we paste the SID
SID="S-1-5-21-XXXXXXXXXXX-XXXXXXX-XXXXXXX"
# The name of the SAMBA workgroup = DOMAIN
sambaDomain="DOMAIN"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
# To use TLS with LDAP
# (also uses port 389)
# ldapTLS="1"
# I set it to optional because I do not want the TLS connection to be mandatory
# verify="optional"
# cafile="/etc/smbldap-tools/ca.pem"
# clientcert="/etc/smbldap-tools/smbldap-tools.pem"
# clientkey="/etc/smbldap-tools/smbldap-tools.key"
# Default suffix for all subsequent entries
suffix="dc=your-network-local,dc=com"
# Domain users
usersdn="ou=People,${suffix}"
# Domain computer accounts
computersdn="ou=Computers,${suffix}"
# Group accounts
groupsdn="ou=Group,${suffix}"
# If you are a Samba domain member server
idmapdn="ou=idmap,${suffix}"
# Important: holds the next UID/GID used to compute user or group ids
sambaUnixIdPooldn="sambaDomainName=DOMAIN,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
# Commented out so that passwords do not expire every 45 days; enable it if you want otherwise
# defaultMaxPasswordAge="45"
#
# LINUX is the NetBIOS name of the server
userSmbHome="\\LINUX\%U"
# Profiles
userProfile="\\LINUX\profiles\%U"
# Drive letter for the personal folder
userHomeDrive="Z"
# I do not use a logon bat in my case, so it stays commented
# userScript="logon.bat"
# Domain for the default mail attribute
# mailDomain="your-net-local.com"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
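Added example, not from the tutorial: a small Python check that the smb.conf settings from section 2 and the smbldap.conf above describe the same tree, because if the suffix, OUs or domain name disagree the smbldap-tools create entries where Samba never looks. The file contents are constructed excerpts with the tutorial's values and a made-up SID.

```python
import re

# Constructed excerpts with the tutorial's values (the SID is made up).
SMB_CONF = """
workgroup = DOMAIN
ldap suffix = dc=your-network-local,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Group
"""
SMBLDAP_CONF = """
SID="S-1-5-21-1111111111-2222222222-3333333333"
sambaDomain="DOMAIN"
suffix="dc=your-network-local,dc=com"
usersdn="ou=People,${suffix}"
groupsdn="ou=Group,${suffix}"
sambaUnixIdPooldn="sambaDomainName=DOMAIN,${suffix}"
"""

def parse_smb_conf(text):
    """smb.conf style 'key = value'; comments start with # or ;."""
    conf = {}
    for line in text.splitlines():
        line = re.split(r"[#;]", line, 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf

def parse_smbldap_conf(text):
    """smbldap.conf style key="value", with ${suffix} expanded."""
    conf = dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', text, re.M))
    suffix = conf.get("suffix", "")
    return {k: v.replace("${suffix}", suffix) for k, v in conf.items()}

def check_consistency(smb, tools):
    """Return a list of mismatches; an empty list means both files agree."""
    base = smb["ldap suffix"]
    expected = {
        "usersdn": f"{smb['ldap user suffix']},{base}",
        "groupsdn": f"{smb['ldap group suffix']},{base}",
        "sambaUnixIdPooldn": f"sambaDomainName={smb['workgroup']},{base}",
    }
    problems = [f"{key}: smbldap.conf has {tools.get(key)!r}, Samba expects {want!r}"
                for key, want in expected.items() if tools.get(key) != want]
    if tools.get("sambaDomain") != smb["workgroup"]:
        problems.append("sambaDomain does not match the Samba workgroup")
    if not re.fullmatch(r"S-1-5-21(-\d+){3}", tools.get("SID", "")):
        problems.append("SID is not a well-formed domain SID")
    return problems
```

Calling `check_consistency(parse_smb_conf(SMB_CONF), parse_smbldap_conf(SMBLDAP_CONF))` on the constructed excerpts returns an empty list; change `ou=People` on one side only and the usersdn mismatch is reported.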
Now we must create the domain structure in OpenLDAP with the following command, which asks for the password of Administrator, the administrator of the domain:
smbldap-populate -a Administrator
With a result like this:
Populating LDAP directory for domain DOMAIN (S-1-5-21-XXXXXXXXXXX-XXXXXXXXXX-XXXXX)
(Using builtin directory structure)
Adding new entry: dc=your-network-local,dc=com
Adding new entry: ou=People,dc=your-network-local,dc=com
Adding new entry: ou=Group,dc=your-network-local,dc=com
Adding new entry: ou=Computers,dc=your-network-local,dc=com
Adding new entry: ou=idmap,dc=your-network-local,dc=com
Adding new entry: uid=Administrator,ou=People,dc=your-network-local,dc=com
Adding new entry: uid=nobody,ou=People,dc=your-network-local,dc=com
Adding new entry: cn=Domain Admins,ou=Group,dc=your-network-local,dc=com
Adding new entry: cn=Domain Users,ou=Group,dc=your-network-local,dc=com
Adding new entry: cn=Domain Guests,ou=Group,dc=your-network-local,dc=com
Adding new entry: cn=Domain Computers,ou=Group,dc=your-network-local,dc=com
Adding new entry: cn=Administrators,ou=Group,dc=your-network-local,dc=com
Adding new entry: cn=Account Operators,ou=Group,dc=your-network-local,dc=com
Adding new entry: cn=Print Operators,ou=Group,dc=your-network-local,dc=com
Adding new entry: cn=Backup Operators,ou=Group,dc=your-network-local,dc=com
Adding new entry: cn=Replicators,ou=Group,dc=your-network-local,dc=com
Adding new entry: sambaDomainName=DOMAIN,dc=your-network-local,dc=com
Please provide a password for the domain Administrator:
Changing password for Administrator
New password:
Retype new password:
In this case I did not want the domain administrator to be called root by default, so I changed it with the parameter -a Administrator.
Now we will see the association of Samba's built-in domain groups with the OpenLDAP groups that were created:
net groupmap list
More details on the smbldap-useradd command are in Annex 1: smbldap-useradd. Restart Samba and OpenLDAP:
service ldap restart
service smb restart
Connecting machines to the domain's primary domain controller
In this process it is not necessary to create the machine accounts by hand, because the add machine script we added to /etc/samba/smb.conf does it, except possibly for older platforms.
Windows 95/98/ME and Windows XP Home
Since systems with Windows 95/98/ME and Windows XP Home do not include a complete implementation as domain members, trust accounts are not required. The procedure to join the domain is:
• Go to Start Menu > Settings > Control Panel > Network
• Select the Configuration tab
• Select "Client for Microsoft Networks"
• Click the Properties button
• Select Access Windows NT domain and specify the appropriate domain.
• Click all the "OK" buttons and reboot the system
• Log in with a user that was created with smbldap-useradd in the LDAP directory or with a user account that belongs to the OU = Domain Admins
Windows NT
• Go to Start Menu > Settings > Control Panel > Network
• Select the "Identification" tab.
• Click on the "Change" button.
• Enter the domain name and the name of the system. Select "Create a machine account in the domain".
• Click "OK"
• Wait a few seconds.
• A confirmation popup that says "Welcome to MY-DOMAIN" must be displayed
• Restart the system
• Log in with a user that was created with smbldap-useradd in the LDAP directory or with a user account that belongs to the OU = Domain Admins
Windows 2000/2003 and Windows XP Professional
• Right-click on the "My Computer" icon.
• Select "Properties"
• Click the "Network ID" or "Computer Name" tab.
• Click on the "Properties" button.
• Click on the "Domain member" button
• Enter the domain name and the name of the machine and click the "OK" button
• A dialog will ask for an account and password with administrative privileges on the server. Specify the username Administrator and the password that was assigned.
• Wait a few seconds.
• A confirmation popup that says "Welcome to MY-DOMAIN" must be displayed
• Restart the system
• Log in with a user that was created with smbldap-useradd in the LDAP directory or with a user account that belongs to the OU = Domain Admins
Findings: To conclude this tutorial, we authenticate on a Windows machine with the usuariowin user account created in the previous steps. Once inside the account, press CTRL+ALT+DEL and change the password.
If all went well you were able to change the LDAP password and therefore also the local access password (if the account has the shell /bin/bash): open a terminal and try to authenticate with the usuariowin account; we should be able to log in with the new password. Now try changing the password with smbldap-passwd as root.
Developed from Lima, Peru by: Jaime M. Nozawa.
Release Notes (18/06/2007): I have noticed in the places where I installed it that CentOS Linux takes a long time to start. It stays on the "system bus" service for a long time; after searching a lot in Internet forums, I solved it by doing this:
In /etc/ldap.conf
find the line that says: bind_policy hard
and change it to: bind_policy soft
The bind_policy directive tells the client to try the connection once and, in case of failure, not to keep retrying. This is necessary so that each machine does not take too long to boot, since during startup, before it has network connectivity, it tries to reach the LDAP service.
Annex 1: smbldap-useradd
Options of the smbldap-useradd command:
-o  add the user in the organizational unit (relative to the user suffix)
-a  is a Windows User (otherwise, Posix stuff only)
-w  is a Windows Workstation (otherwise, Posix stuff only)
-i  is a trust account (Windows Workstation)
-u  uid
-g  gid
-G  supplementary comma-separated groups
-n  do not create a group
-d  home
-s  shell
-c  gecos
-m  creates home directory and copies /etc/skel
-k  skeleton dir (with -m)
-t  time. Wait 'time' seconds before exiting (when adding a Windows Workstation)
-P  ends by invoking smbldap-passwd
-A  can change password? 0 if no, 1 if yes
-B  must change password? 0 if no, 1 if yes
-C  sambaHomePath (SMB home share, like '\\PDC-SRV\homes')
-D  sambaHomeDrive (letter associated with home share, like 'H:')
-E  sambaLogonScript (DOS script to execute on login)
-F  sambaProfilePath (profile directory, like '\\PDC-SRV\profiles\foo')
-H  sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')
-N  canonical name
-S  surname
-M  local mailAddress (comma separated)
-T  mailToAddress (forward address) (comma separated)
-?  show this help message