Monday, July 26, 2010

Samba LDAP Integration

LDAP (Lightweight Directory Access Protocol) is an application-layer protocol for accessing an ordered, distributed directory service in order to look up information in a network environment. LDAP can be thought of as a database (although the storage system may differ) against which queries are made.
SMB (short for Server Message Block) is a network protocol that enables file and printer sharing (among other things) between nodes in a network. It is mainly used on computers running Microsoft Windows. SMB was originally invented by IBM, but the most common version today is the one heavily modified by Microsoft. Microsoft renamed SMB to Common Internet File System (CIFS) in 1998 and added more features, including support for symbolic links, hard links, and larger file sizes.
OpenLDAP is a free and open source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. It is released under its own license, the OpenLDAP Public License. LDAP is a platform-independent protocol. Many Linux distributions include the OpenLDAP software for LDAP support.

SAMBA is a suite of programs originally created by Andrew Tridgell and currently maintained by The Samba Team under the GNU General Public License, implemented on UNIX® systems and based on the SMB protocol. It serves as a complete replacement for Windows® NT, Warp®, NFS® and Netware® servers.
Software required
Installing via yum:

yum -y install openldap openldap-clients openldap-servers authconfig authconfig-gtk samba samba-client samba-common


This tutorial assumes that you have successfully completed two other tutorials by Joel Barrios: "OpenLDAP as an authentication server" and "How to configure SAMBA". Some small fragments and configuration in this document were extracted from those manuals to give a better understanding of and background for this tutorial.

This manual is an updated version of one written for CentOS 4; it differs in some obvious details because of the updated packages. We will also make use of packages from a repository that provides the smbldap-tools, in our case DAG (while we wait for AL Desktop).


We will copy the Samba schema into the OpenLDAP schema directory:

cp /usr/share/doc/samba-*/LDAP/samba.schema /etc/openldap/schema/

Then edit the file /etc/openldap/slapd.conf and add one more line so that OpenLDAP supports the Samba schema. The file should look like this:

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

Add at the end of the file /etc/openldap/slapd.conf:

database bdb
suffix "dc=your-network-local,dc=com"
rootdn "cn=Administrator,dc=your-network-local,dc=com"
# rootpw goes here: the password hash previously obtained by running slappasswd
directory /var/lib/ldap/authentication
# Indices to maintain for this database
# index objectClass eq,pres
# index ou,cn,mail,surname,givenname eq,pres,sub
# index uidNumber,gidNumber,loginShell eq,pres
# index uid,memberUid eq,pres,sub
# index nisMapName,nisMapEntry eq,pres,sub
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

We also have to configure the global client (NSS) parameters, pointing at the same server (localhost), in /etc/ldap.conf:

base dc=your-network-local,dc=com

And the LDAP client library in /etc/openldap/ldap.conf:

BASE dc=your-network-local,dc=com

We start the LDAP service and configure it to start by default:

service ldap start
chkconfig ldap on
2. SAMBA and LDAP integration

Now configure Samba in /etc/samba/smb.conf:

# Samba PDC with OpenLDAP for CentOS 5
# by Jaime M. Nozawa Tan

# The domain name; it could be the name of the company.
workgroup = DOMAIN
server string = Samba Server
netbios name = LINUX
# ----- LDAP parameters -----

# Who will be the domain administrator user
admin users = Administrator @"Domain Admins"
passdb backend = ldapsam:ldap://localhost

# LDAP suffix for all the entries that follow
ldap suffix = dc=your-network-local,dc=com

# OU for user accounts
ldap user suffix = ou=People

# OU for groups
ldap group suffix = ou=Group

# OU for machine (netbios) accounts
ldap machine suffix = ou=Computers

# The OpenLDAP administrator account
ldap admin dn = cn=Administrator,dc=your-network-local,dc=com

# Keep the LDAP password in sync with the NT and LM hashes
ldap passwd sync = yes

# Add machine accounts automatically
add machine script = /usr/sbin/smbldap-useradd -w "%u"
# I leave the following commented out; enable them if needed, or use your own criteria
# ldap ssl = start tls
# add user script = /usr/sbin/smbldap-useradd -m "%u"
# ldap delete dn = Yes
# delete user script = /usr/sbin/smbldap-userdel "%u"
# add group script = /usr/sbin/smbldap-groupadd -p "%g"
# delete group script = /usr/sbin/smbldap-groupdel "%g"
# add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
# delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
# set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
# ldap replication sleep = 1000   (time to wait for server replication)

# Make sure the following parameters are set as shown:
security = user
encrypt passwords = yes
os level = 65
domain master = yes
preferred master = yes
domain logons = yes
# ... other options.
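As an added check that is not part of the original tutorial: a small POSIX shell script that reads a constructed copy of smb.conf and confirms the settings this section says a PDC with an ldapsam backend needs (security = user, encrypt passwords = yes, domain logons = yes, domain master = yes, an ldapsam passdb backend, and an ldap admin dn that lies under ldap suffix). The sample files, the function names smb_param and check_pdc_conf, and the second "broken" sample are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the tutorial: check a Samba PDC smb.conf for the
# parameters this section says are required. Runs against constructed copies
# written to temporary files, never against the live /etc/samba/smb.conf.

# Print the value of one smb.conf parameter. Lines starting with '#' or ';'
# are comments; keys are compared case-insensitively; first match wins.
smb_param() {
    # $1 = file, $2 = parameter name
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# Return 0 when every required PDC setting is present with the expected value;
# otherwise print each problem and return 1.
check_pdc_conf() {
    file="$1"
    rc=0
    for pair in "security=user" "encrypt passwords=yes" \
                "domain logons=yes" "domain master=yes"; do
        key="${pair%%=*}"
        want="${pair#*=}"
        got=$(smb_param "$file" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "smb.conf: '$key' is '$got', expected '$want'"
            rc=1
        fi
    done
    # The account database must live in LDAP for smbldap-tools to manage it.
    case "$(smb_param "$file" "passdb backend")" in
        ldapsam:*) ;;
        *) echo "smb.conf: 'passdb backend' is not an ldapsam backend"; rc=1 ;;
    esac
    # The bind DN must sit under the suffix Samba searches, or binds fail.
    suffix=$(smb_param "$file" "ldap suffix")
    admin=$(smb_param "$file" "ldap admin dn")
    case "$admin" in
        *",$suffix") ;;
        *) echo "smb.conf: 'ldap admin dn' ($admin) is not under 'ldap suffix' ($suffix)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the settings from this tutorial, correct.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
[global]
   workgroup = DOMAIN
   netbios name = LINUX
   passdb backend = ldapsam:ldap://localhost
   ldap suffix = dc=your-network-local,dc=com
   ldap admin dn = cn=Administrator,dc=your-network-local,dc=com
   # Required for a PDC:
   security = user
   encrypt passwords = yes
   domain master = yes
   preferred master = yes
   domain logons = yes
EOF

# Constructed sample: three common mistakes (share-level security, a local
# tdb backend, an admin DN from a different tree) and no 'domain logons'.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
[global]
   workgroup = DOMAIN
   security = share
   encrypt passwords = yes
   domain master = yes
   passdb backend = tdbsam
   ldap suffix = dc=your-network-local,dc=com
   ldap admin dn = cn=Administrator,dc=other,dc=com
EOF

check_pdc_conf "$GOOD_CONF" && echo "good sample: PDC settings ok"
check_pdc_conf "$BAD_CONF" || echo "bad sample: problems found (expected)"
```

On the server itself, testparm(1) is the tool that validates the file's syntax and prints the effective values; this script only encodes the handful of settings the tutorial singles out, so that a copy of the file can be checked before it is put into service.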

Now we need to give Samba the OpenLDAP Manager password so that it can connect to the directory (this was done in CentOS 4; I think it is no longer necessary now):

smbpasswd -w password

The following message appears, confirming that Samba can authenticate to OpenLDAP:

Setting stored password for "cn=Administrator,dc=your-network-local,dc=com" in secrets.tdb

We restart Samba to test:

service smb restart

3. Smbldap-tools and extra repositories.

Up to this point it will be necessary to use the openldap-tools; for some reason the ones that came with samba did not work, so I decided to use the DAG repository.

NOTE: After installing perl-LDAP from the base repository (in my tests with the CentOS 4 tutorial), I got conflicts with the perl-ldap from DAG, so I would recommend uninstalling it beforehand.

In our case we installed the RPM:
rpm -Uvh rpmforge-release-0.3.6-1.el5.rf.i386.rpm

Now we can check in /etc/yum.repos.d/rpmforge.repo:

name = Red Hat Enterprise $releasever - $basearch - dag
#baseurl = $basearch/dag
mirrorlist =
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
enabled = 0
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1

I leave the repository disabled by default (enabled = 0).

Now you can install the smbldap-tools:

yum install smbldap-tools --enablerepo=rpmforge

With the following final set of dependencies (those from the extra repository carry the .el5.rf tag):

Installed: smbldap-tools.noarch 0:0.9.1-1.2.el5.rf
Dependency Installed:
perl-Compress-Zlib.i386 0:1.42-1.fc6
perl-Convert-ASN1.noarch 0:0.20-1.1
perl-Crypt-SmbHash.noarch 0:0.12-1.2.el5.rf
perl-Digest-SHA1.i386 0:2.11-1.2.1
perl-HTML-Parser.i386 0:3.55-1.fc6
perl-HTML-Tagset.noarch 0:3.10-2.1.1
perl-IO-Socket-SSL.noarch 0:1.01-1.fc6
perl-Net-SSLeay.i386 0:1.30-4.fc6
perl-URI.noarch 0:1.35-3
perl-XML-NamespaceSupport.noarch 0:1.09-1.2.1
perl-XML-SAX.noarch 0:0.14-5
perl-ldap.noarch 0:0.33-1.el5.rf
perl-libwww-perl.noarch 0:5.805-1.1.1

Now we find out the SID of the Samba server:

net getlocalsid

It displays a message similar to this; write it down or copy it:

    SID for domain LINUX is: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX

Proceed to configure the smbldap-tools access to the OpenLDAP database in /etc/smbldap-tools/smbldap_bind.conf:

# The password is the OpenLDAP Manager password, in clear text
slaveDN="cn=Administrator,dc=your-network-local,dc=com"
slavePw="password"
masterDN="cn=Administrator,dc=your-network-local,dc=com"
masterPw="password"

And the main settings in /etc/smbldap-tools/smbldap.conf:

# Here we paste the SID obtained with net getlocalsid
# The name of the SAMBA domain (workgroup = DOMAIN)
sambaDomain="DOMAIN"
slaveLDAP=""
slavePort="389"
masterLDAP=""
masterPort="389"
# To use TLS with LDAP
# (also uses port 389)
# ldapTLS="1"
# I set it to optional because I do not want the TLS connection to be mandatory
# verify="optional"
# cafile="/etc/smbldap-tools/ca.pem"
# clientcert="/etc/smbldap-tools/smbldap-tools.pem"
# clientkey="/etc/smbldap-tools/smbldap-tools.key"
# Default suffix for all the entries that follow
suffix="dc=your-network-local,dc=com"
# Domain users
usersdn="ou=People,${suffix}"
# Domain computer accounts
computersdn="ou=Computers,${suffix}"
# Group accounts
groupsdn="ou=Group,${suffix}"
# Only if you are a Samba domain member server
idmapdn="ou=idmap,${suffix}"
# Important: holds the next UID/GID used to compute user and group ids
sambaUnixIdPooldn="sambaDomainName=DOMAIN,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
# Uncomment so that passwords expire every 45 days, unless you want otherwise
# defaultMaxPasswordAge="45"
# LINUX is the NetBIOS name of the server (netbios name = LINUX)
userSmbHome="\\LINUX\%U"
# Profiles
userProfile="\\LINUX\profiles\%U"
# Drive letter for the personal folder
userHomeDrive="Z"
# Commented out because in my case I do not use a logon script
# userScript="logon.bat"
# Domain used for the default mail attribute
# mailDomain=""
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
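The DNs in smbldap.conf must agree with the ones Samba uses in smb.conf (same suffix, same People/Group/Computers OUs, same domain name), and smbldap_bind.conf holds the directory administrator's password in clear text, so it should be readable by root only. The following POSIX shell script, added here and not part of the original tutorial, checks both points on constructed copies of the three files; the file contents, the temporary directory, and the function names smb_value, smbldap_value, check_consistency and check_bind_file_mode are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the tutorial: cross-check the DNs in smbldap.conf
# against smb.conf, and confirm that smbldap_bind.conf, which stores the
# directory administrator's password in clear text, is readable by root only.
# Everything runs on constructed copies written to a temporary directory.

WORK=$(mktemp -d)

cat > "$WORK/smb.conf" <<'EOF'
[global]
   workgroup = DOMAIN
   ldap suffix = dc=your-network-local,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Group
   ldap machine suffix = ou=Computers
   ldap admin dn = cn=Administrator,dc=your-network-local,dc=com
EOF

cat > "$WORK/smbldap.conf" <<'EOF'
sambaDomain="DOMAIN"
suffix="dc=your-network-local,dc=com"
usersdn="ou=People,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Group,${suffix}"
EOF

# Same file with one typo: the groups OU no longer matches smb.conf.
sed 's/ou=Group,/ou=Groups,/' "$WORK/smbldap.conf" > "$WORK/smbldap-typo.conf"

# Constructed bind file (placeholder password), correctly restricted to root,
# plus a copy left world-readable by mistake.
cat > "$WORK/smbldap_bind.conf" <<'EOF'
slaveDN="cn=Administrator,dc=your-network-local,dc=com"
slavePw="password"
masterDN="cn=Administrator,dc=your-network-local,dc=com"
masterPw="password"
EOF
chmod 600 "$WORK/smbldap_bind.conf"
cp "$WORK/smbldap_bind.conf" "$WORK/smbldap_bind-loose.conf"
chmod 644 "$WORK/smbldap_bind-loose.conf"

# Value of an smb.conf parameter: "key = value", leading blanks allowed.
smb_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Value of an smbldap.conf variable: key="value", with ${suffix} expanded
# the way smbldap-tools does it.
smbldap_value() {
    tsuffix=$(sed -n 's/^suffix="\(.*\)"$/\1/p' "$1" | head -n 1)
    sed -n "s/^$2=\"\(.*\)\"$/\1/p" "$1" | head -n 1 | sed "s/\${suffix}/$tsuffix/"
}

# Compare one expected value; records a failure in RC when they differ.
expect_equal() {
    # $1 = label, $2 = value found in smbldap.conf, $3 = value smb.conf implies
    if [ "$2" != "$3" ]; then
        echo "$1: smbldap.conf has '$2' but smb.conf implies '$3'"
        RC=1
    fi
}

# Return 0 when both files agree on domain, suffix and the three OUs.
check_consistency() {
    smb="$1"; tools="$2"; RC=0
    suffix=$(smb_value "$smb" "ldap suffix")
    expect_equal sambaDomain "$(smbldap_value "$tools" sambaDomain)" "$(smb_value "$smb" workgroup)"
    expect_equal suffix      "$(smbldap_value "$tools" suffix)"      "$suffix"
    expect_equal usersdn     "$(smbldap_value "$tools" usersdn)"     "$(smb_value "$smb" "ldap user suffix"),$suffix"
    expect_equal groupsdn    "$(smbldap_value "$tools" groupsdn)"    "$(smb_value "$smb" "ldap group suffix"),$suffix"
    expect_equal computersdn "$(smbldap_value "$tools" computersdn)" "$(smb_value "$smb" "ldap machine suffix"),$suffix"
    return $RC
}

# Return 0 when the bind file is mode 600 or 400 (owner only), else 1.
check_bind_file_mode() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1: mode $mode, expected 600 (holds a clear-text password)"; return 1 ;;
    esac
}

check_consistency "$WORK/smb.conf" "$WORK/smbldap.conf" && echo "smbldap.conf matches smb.conf"
check_consistency "$WORK/smb.conf" "$WORK/smbldap-typo.conf" || echo "typo sample: mismatch found (expected)"
check_bind_file_mode "$WORK/smbldap_bind.conf" && echo "bind file permissions ok"
check_bind_file_mode "$WORK/smbldap_bind-loose.conf" || echo "loose sample: flagged (expected)"
```

A mismatch in any of these DNs shows up later as smbldap-populate or smbldap-useradd writing entries where Samba does not look for them, so it is cheaper to catch it before populating the directory. The mode check assumes a GNU stat, as found on CentOS.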

Now we must create the domain structure in OpenLDAP with the following command, typing the password of the Administrator, who is the administrator of the domain:
smbldap-populate -a Administrator

With a result like this:

Populating LDAP directory for domain DOMAIN (S-1-5-21-XXXXXXXXXXX-XXXXXXXXXX-XXXXX)
(Using builtin directory structure)
Adding new entry: dc=your-network-local,dc=com
Adding new entry: ou=People,dc=your-network-local,dc=com
Adding new entry: ou=Group,dc=your-network-local,dc=com
Adding new entry: ou=Computers,dc=your-network-local,dc=com
Adding new entry: ou=idmap,dc=your-network-local,dc=com
Adding new entry: uid=Administrator,ou=People,dc=your-network-local,dc=com
Adding new entry: uid=nobody,ou=People,dc=your-network-local,dc=com
Adding new entry: cn=Domain Admins,ou=Group,dc=your-network-local,dc=com
Adding new entry: cn=Domain Users,ou=Group,dc=your-network-local,dc=com
Adding new entry: cn=Domain Guests,ou=Group,dc=your-network-local,dc=com
Adding new entry: cn=Domain Computers,ou=Group,dc=your-network-local,dc=com
Adding new entry: cn=Administrators,ou=Group,dc=your-network-local,dc=com
Adding new entry: cn=Account Operators,ou=Group,dc=your-network-local,dc=com
Adding new entry: cn=Print Operators,ou=Group,dc=your-network-local,dc=com
Adding new entry: cn=Backup Operators,ou=Group,dc=your-network-local,dc=com
Adding new entry: cn=replicators,ou=Group,dc=your-network-local,dc=com
Adding new entry: sambaDomainName=DOMAIN,dc=your-network-local,dc=com
Please provide a password for the domain Administrator:
Changing password for Administrator
New password:
Retype new password:

In this case I do not want the administrator to be called root by default, so I changed it with the parameter -a Administrator.

Now we will see the mapping between the builtin groups of the SAMBA domain and the OpenLDAP groups just created:
net groupmap list

With a result like this:

Domain Admins (S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-512) -> Domain Admins
Domain Users (S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-513) -> Domain Users
Domain Guests (S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-514) -> Domain Guests
Domain Computers (S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> replicators
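The mapping above is only correct when the domain SID in smbldap.conf is the one net getlocalsid reported: if populate ran with a stale SID, the domain groups end up under a SID this server does not own and the well-known RIDs 512-515 no longer line up with Domain Admins/Users/Guests/Computers. The following POSIX shell script, added here and not part of the original tutorial, checks a captured groupmap listing against the local SID; the two listings and the SID values are constructed from the tutorial's sample, and the function names local_sid, expected_group and check_groupmap are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the tutorial: sanity-check `net groupmap list`
# output against the SID reported by `net getlocalsid`. The outputs below
# are constructed from the tutorial's sample, with a made-up domain SID.

LOCAL_SID_LINE='SID for domain LINUX is: S-1-5-21-1000000001-2000000002-3000000003'

GROUPMAP_OUTPUT='Domain Admins (S-1-5-21-1000000001-2000000002-3000000003-512) -> Domain Admins
Domain Users (S-1-5-21-1000000001-2000000002-3000000003-513) -> Domain Users
Domain Guests (S-1-5-21-1000000001-2000000002-3000000003-514) -> Domain Guests
Domain Computers (S-1-5-21-1000000001-2000000002-3000000003-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> replicators'

# What a populate run with a stale SID in smbldap.conf looks like: the
# domain groups hang off a SID that is not this server's (constructed).
STALE_GROUPMAP_OUTPUT='Domain Admins (S-1-5-21-9-9-9-512) -> Domain Admins
Domain Users (S-1-5-21-9-9-9-513) -> Domain Users'

# Extract the SID from a `net getlocalsid` line.
local_sid() {
    printf '%s\n' "$1" | sed -n 's/.*is: *\(S-[0-9-]*\).*/\1/p'
}

# Name that a well-known domain RID must map to (empty for other RIDs).
expected_group() {
    case "$1" in
        512) echo "Domain Admins" ;;
        513) echo "Domain Users" ;;
        514) echo "Domain Guests" ;;
        515) echo "Domain Computers" ;;
    esac
}

# Check every groupmap line: domain groups must hang off the local SID,
# RIDs 512-515 must map to their standard names and all four must exist;
# BUILTIN entries (S-1-5-32-*) are accepted as they are. Prints each
# problem and returns 1 if there was any, 0 otherwise.
check_groupmap() {
    sid="$1"; rc=0; seen=""
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%%" ("*}
        gsid=${line#*"("}; gsid=${gsid%%")"*}
        case "$gsid" in
            S-1-5-32-*) ;;
            "$sid"-*)
                rid=${gsid##*-}
                seen="$seen $rid"
                want=$(expected_group "$rid")
                if [ -n "$want" ] && [ "$want" != "$name" ]; then
                    echo "RID $rid is mapped to '$name', expected '$want'"; rc=1
                fi ;;
            *) echo "'$name' has SID $gsid, which is not under local SID $sid"; rc=1 ;;
        esac
    done <<EOF
$2
EOF
    for rid in 512 513 514 515; do
        case " $seen " in
            *" $rid "*) ;;
            *) echo "no group mapping for RID $rid"; rc=1 ;;
        esac
    done
    return $rc
}

SID=$(local_sid "$LOCAL_SID_LINE")
check_groupmap "$SID" "$GROUPMAP_OUTPUT" && echo "groupmap consistent with $SID"
check_groupmap "$SID" "$STALE_GROUPMAP_OUTPUT" || echo "stale sample: problems found (expected)"
```

On a real server the two inputs would come from `net getlocalsid` and `net groupmap list` directly; the script only needs the text they print.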

Now we can create a Windows user account (-a), create its home directory (-m), specify that it has no profile path (option -F "") and assign it a password:

smbldap-useradd -a -m -F "" usuariowin
smbldap-passwd usuariowin

More detail on the smbldap-useradd command can be found in Annex 1: smbldap-useradd.
Restart Samba and OpenLDAP:

service ldap restart
service smb restart

Joining machines to the domain's primary domain controller.

This process does not require creating machine accounts beforehand, because the add machine script we added to /etc/samba/smb.conf creates them, except possibly for older platforms.

Windows 95/98/ME and Windows XP Home
Since Windows 95/98/ME and Windows XP Home do not include a complete implementation as domain members, they do not require trust accounts. The procedure to join the domain is:

• Go to Start Menu > Settings > Control Panel > Network
• Select the Configuration tab
• Select "Client for Microsoft Networks"
• Click the Properties button
• Select "Log on to Windows NT domain" and specify the appropriate domain.
• Click "OK" on all the dialogs and reboot the system
• Log in with a user that was created with smbldap-useradd in the LDAP directory, or with a user account that belongs to the Domain Admins group

Windows NT
• Go to Start Menu > Settings > Control Panel > Network
• Select the "Identification" tab.
• Click on the "Change" button.
• Enter the domain name and the name of the system. Select "Create a computer account in the domain".
• Click "OK"
• Wait a few seconds.
• A confirmation popup that says "Welcome to MY-DOMAIN" should appear
• Restart the system
• Log in with a user that was created with smbldap-useradd in the LDAP directory, or with a user account that belongs to the Domain Admins group

Windows 2000/2003 and Windows XP Professional
• Right click on the "My Computer" icon.
• Select "Properties"
• Click the "Network Identification" or "Computer Name" tab.
• Click on the "Properties" button.
• Click on the "Member of Domain" button
• Enter the domain name and the name of the machine and click the "OK" button
• A dialog will ask for an account and password with administrative privileges on the server. Specify the username Administrator and the password that was assigned.
• Wait a few seconds.
• A confirmation popup that says "Welcome to MY-DOMAIN" should appear
• Restart the system
• Log in with a user that was created with smbldap-useradd in the LDAP directory, or with a user account that belongs to the Domain Admins group

To conclude this tutorial, log on to a Windows machine with the usuariowin account created in the previous steps. Once inside the account, press CTRL+ALT+DEL and change the password.

If all went well, the LDAP password was changed, and with it the local login as well (if the user has a shell: /bin/bash): open a terminal and try to authenticate with the usuariowin account; the new password should be accepted.
Now try changing the password with smbldap-passwd as root.

Developed from Lima, Peru by:
Jaime M. Nozawa.

Release Notes (18/06/2007):
I have noticed on the machines where I installed it that CentOS Linux takes a long time to boot. It stays at the "system bus" service for a long time; after searching a lot in internet forums, I solved it by doing this:

In /etc/ldap.conf

find the line that says:
bind_policy hard

and change it to:
bind_policy soft

The bind_policy directive tells the client that the connection should be tried once and, on failure, not retried; this is needed so that each machine does not take too long to boot when it tries to reach the LDAP service before it has network connectivity.

Annex 1: smbldap-useradd

/usr/sbin/smbldap-useradd [-awmugdsckABCDEFGHMNPST?] username

  -o  add the user in the Organizational Unit (relative to the user suffix)
  -a  is a Windows User (otherwise, Posix stuff only)
  -w  is a Windows Workstation (otherwise, Posix stuff only)
  -i  is a trust account (Windows Workstation)
  -u  uid
  -g  gid
  -G  supplementary comma-separated groups
  -n  do not create a group
  -d  home
  -s  shell
  -c  gecos
  -m  creates home directory and copies /etc/skel
  -k  skeleton dir (with -m)
  -t  time. Wait 'time' seconds before exiting (when adding a Windows Workstation)
  -P  ends by invoking smbldap-passwd
  -A  can change password? 0 if no, 1 if yes
  -B  must change password? 0 if no, 1 if yes
  -C  sambaHomePath (SMB home share, like '\\PDC-SRV\homes')
  -D  sambaHomeDrive (letter associated with home share, like 'H:')
  -E  sambaLogonScript (DOS script to execute on login)
  -F  sambaProfilePath (profile directory, like '\\PDC-SRV\profiles\foo')
  -H  sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')
  -N  canonical name
  -S  surname
  -M  local mailAddress (comma separated)
  -T  mailToAddress (forward address) (comma separated)
  -?  show this help message