Beruflich Dokumente
Kultur Dokumente
Install and configure Samba as a primary domain controller with LDAP on Linux
Skill Level: Intermediate Keith Robertson (keithrob@us.ibm.com) Advisory software engineer IBM
31 Jan 2006 This tutorial demonstrates how to install and configure Samba as a primary domain controller with a secure LDAP-based authentication mechanism. It also describes how to configure the LDAP server, OpenLDAP, for PAM-based authentication and how to secure the link between Samba and OpenLDAP with Transport Layer Security (TLS). The completed system boasts a secure file- and print-sharing setup, in addition to a robust LDAP server that could be used for purposes beyond those required by Samba. Additionally, Windows clients are able to logon to your Samba server which acts as a primary domain controller and have shared drives automatically mounted for them based on their group membership.
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 1 of 30
developerWorks
ibm.com/developerWorks
Go through the steps of configuring LDAP, including installing OpenLDAP and the IDEALX LDAP Samba toolkit; configuring OpenLDAP necessities, the slapd.conf file, the /etc/ldap.conf file, and the Pluggable Authentication Modules (PAM); and explain how to start OpenLDAP Next, show you how to configure Samba, including installing and starting Samba and the Logon Profile Generator; creating the required directories and the shared drives; configuring the smb.conf file and setting the LDAP database-access password; populating the database; adding the PAM and other users and adding Windows workstations to the domain; and debugging the Samba installation in case it didn't work Finally, cover security issues and talk about how to enable security for this system, including enabling the Transport Layer Security for OpenLDAP, PAM, and Samba and how to test the security of your system The completed system boasts a secure file- and print-sharing setup, in addition to a robust LDAP server that could be used for purposes beyond those required by Samba. Additionally, Microsoft Windows clients are able to logon to your Samba server which acts as a primary domain controller and have shared drives automatically mounted for them based on their group membership. This tutorial is best suited for readers with moderate UNIX or Linux familiarity and experience with basic IP networking concepts. The author used Fedora Core 3 as the Linux distribution, but other Linux distributions or UNIX variants, such as AIX, Solaris, or HP-UX, would also work for the setup described in the tutorial. All applications and utilities used in this tutorial are open source and are available from either your Linux vendor or the application vendor's homepage.
Prerequisites
The Linux distribution is Fedora Core 3; however, there is no reason why the setup described here would not work on other Linux distributions or UNIX variants such as AIX, Solaris, or HP-UX. The software is free and obtained in a number of ways. I recommend that you get a precompiled version (such as an RPM) from your Linux vendor's ftp mirror. Here is a list of software used in this tutorial. There is no need to get the list beforehand as the tutorial describes how to download and install them. OpenSSL. OpenLDAP. Samba.
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 2 of 30
ibm.com/developerWorks
developerWorks
Perl module Crypt::SmbHash. Perl module Digest::SHA1. Perl module IO::Socket::SSL. Perl module Net::SSLeay. IDEALX Samba LDAP tools. Note: This tutorial identifies the specific versions of the various software components tested. You might have success with earlier versions of the software, but I cannot guarantee that they will work. In general, software that is newer than the versions described in this tutorial should work.
This Microsoft Windows network contains three classes of users -- marketing, engineering, and management. Engineering and marketing each have a shared drive where users from each group may place files for others in that same group to see; however, members from one group cannot see files on the other group's shared drive. For example, a marketing employee may not view a file on the engineering drive. Management also has a shared drive that is visible only to managers. In addition, we give managers special privileges so that they can see files from both engineering and marketing.
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 3 of 30
developerWorks
ibm.com/developerWorks
ibm.com/developerWorks
developerWorks
use flat file, LDAP, or some other mechanism for authentication. The third integration point involves a set of tools that aid in the management of Samba's LDAP directory information tree. This toolkit is produced by a third-party; however, it is covered under the GNU Public License.
Security
A key strength of LDAP is its ability to be used as an authentication mechanism for software applications that could be scattered across a network. A side effect of this strength is that passwords may flow across the network during the authentication phase and, as a result, could be intercepted. Fortunately, LDAP supports both SSL (Secure Sockets Layer) and TLS. In this tutorial, the LDAP server is running on the same physical server as Samba; thus, there isn't much need for encryption. However, I will demonstrate how to encrypt the channel between LDAP and Samba because it is relatively simple and necessary for the reader who hosts Samba and LDAP on different machines. This tutorial proceeds in two phases. The first phase details how to configure Samba and LDAP in an unsecured mode. Once the first phase is complete, encryption is enabled to secure the channel between Samba and the LDAP server. I am proceeding in a two-phase approach because in general, it is usually easier to install, configure, and diagnose problems in an unsecured mode.
2.
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
developerWorks
ibm.com/developerWorks
Fedora's mirror list and downloaded openldap-2.2.13-2.i386.rpm. Then I issued the following command: rpm -Uvh openldap-2.2.13-2.i386.rpm.
4. 5.
6.
The IDEALX toolkit requires some additional Perl modules that may not be installed on your system. This section demonstrates how to download and install them. 1. The first thing you need to do is to download all of the requisite Perl
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 6 of 30
ibm.com/developerWorks
developerWorks
modules from CPAN.org. Go to CPAN.org and type the following search strings into the search box. Search for Perl module: Crypt::SmbHash Search for Perl module: Digest::SHA1 Search for Perl module: IO::Socket::SSL Search for Perl module: Net::SSLeay Hopefully, you will be able to navigate from the results of each search directly to each module's homepage. On each of the four module's homepage you will find a link to download the associated Perl module. 2. The next step is to un-tar and un-zip the downloaded Perl modules. Issue the following command in the directory where you saved the four downloaded modules: tar -zxvf *.gz. The final step is to build and install each of the four modules. Change into each of the newly created directories and issue the following commands as root. 1. 2. perl Makefile.PL make install
3.
Create the directory for our LDAP database. In this tutorial, we give this directory the
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 7 of 30
developerWorks
ibm.com/developerWorks
same name as our domain name. 1. 2. 3. Type: mkdir -p /var/lib/ldap/somedomain.com. Set the correct permissions: chmod 700 /var/lib/ldap/somedomain.com. Set the correct ownership. Fedora users should already have the user LDAP defined in /etc/passwd. If you are installing on a different distribution you may need to create that user. Type: chown ldap:ldap /var/lib/ldap/somedomain.com.
Finally, we create the encryption keys that OpenLDAP uses for TLS. To do this you need OpenSSL. The vast majority of Linux distributions ship with OpenSSL; however, if you do not have it installed, get a copy from your vendor or http://www.openssl.org/. This tutorial assumes that the user will not be using a commercial certificate authority (CA) such as Verisign, Thawte, etc. As such, we will need to become our own CA and sign the certificates used by our LDAP server. The steps below demonstrate how to become a CA and sign certificates. 1. 2. If you haven't already done so, edit openssl.cnf to match your particular needs. Find the openssl.cnf file and type: locate openssl.cnf. In the same directory as openssl.cnf issue the following commands as root. Listing 1. Step to become CA
CA/private
mkdir -p CA/certs CA/crl CA/newcerts chmod 700 CA/private touch CA/index.txt echo 01 > CA/serial
3.
Open openssl.cnf in your favorite editor and change the following parameters to match your particular situation. Listing 2. Step to become CA
# The dir parameter is important because it tells # openssl where to find all necessary files used to # generate keys. dir = ./ # default_days defines the length of time your key is valid for. default_days = 3650 # default_bits is an indicator of the strength of your key. I elected # 1024 but you can choose more or less.
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 8 of 30
ibm.com/developerWorks
developerWorks
default_bits = # The following parameters should # organization. countryName_default = stateOrProvinceName_default = localityName_default = 0.organizationName_default =
4.
Create your CA certificate and key pair with the following command: openssl req -nodes -config openssl.cnf -new -x509 -keyout CA/private/cakey.pem -out CA/cacert.pem -days 3650. Create the key pair for OpenLDAP with the following commands: 1. openssl req -config openssl.cnf -nodes -new -keyout /etc/openldap/slapd-key.pem -out slapd.csr openssl ca -config openssl.cnf -out /etc/openldap/slapd-cert.pem -in slapd.csr chown root:ldap /etc/openldap/slapd-key.pem chmod 640 /etc/openldap/slapd-key.pem chmod 644 /etc/openldap/slapd-cert.pem
5.
2. 3. 4. 5. 6.
Copy your CA's certificate to the openldap configuration directory so that various applications can access it. 1. 2. cp CA/cacert.pem /etc/openldap/ chmod 644 /etc/openldap/cacert.pem
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 9 of 30
developerWorks
ibm.com/developerWorks
Note: Choose a password that is different from your Linux server's root password. 1. 2. From the command line type: slappasswd -h {SSHA} -s <your password here>. Save the output from this command, as you will need it next. It could look like: {SSHA}kCuJt72QLJ2O06nFUvdre97sHT0AxlH/.
If you installed a binary version of OpenLDAP on Fedora, slapd.conf it should exist as /etc/openldap/slapd.conf. Modify it to suit your particular situation. The contents of /etc/openldap/slapd.conf looks like this: Listing 3. Contents of slapd.conf
# # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/samba.schema # -1 is all messages 296 is a good compromise for most debugging #loglevel -1 pidfile /var/run/slapd.pid argsfile /var/run/slapd.args # The following three lines are related to security. Leave them commented out now. # We uncomment them and enable security *after* we have successfully tested Samba with # LDAP in an unsecured configuration. Debugging is infinitely easier without encryption # enabled. #TLSCipherSuite HIGH #TLSCertificateFile /etc/openldap/slapd-cert.pem #TLSCertificateKeyFile /etc/openldap/slapd-key.pem database bdb # MODIFY # Modify suffix and rootdn to match your domain name. suffix "dc=somedomain,dc=com" rootdn "cn=Manager,dc=somedomain,dc=com" # MODIFY # Use the following to generate: # slappasswd -h {SSHA} -s <your password here> rootpw {SSHA}kCuJt72QLJ2O06nFUvdre97sHT0AxlH/ # MODIFY # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended with an owner of ldap and a group of ldap directory /var/lib/ldap/somedomain.com # Indices to maintain for this database index objectClass eq index cn pres,sub,eq index sn pres,sub,eq index uid pres,sub,eq
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 10 of 30
ibm.com/developerWorks
developerWorks
pres,sub,eq eq eq eq eq eq eq sub
# Access Control Entries # Note these ACEs are duplicated from the IDEALX smbldap usermanual with one exception # users can authenticate and change their password access to attrs=userPassword, sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by dn="uid=samba,ou=Users,dc=somedomain,dc=com" write by self write by anonymous auth by * none # some attributes need to be readable anonymously so that 'id user' can answer correctly access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn, memberUid by dn="uid=samba,ou=Users,dc=somedomain,dc=com" write by * read # somme attributes can be writable by users themselves access to attrs=description,telephoneNumber by dn="uid=samba,ou=Users,dc=somedomain,dc=com" write by self write by * read # some attributes need to be writable for samba (this ACE modified from original to allow some unix commands to work) access to attrs=cn,sambaLMPassword,sambaNTPassword, sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange, sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive, sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID, sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid, sambaAlgorithmicRidBase,sambaLogonScript,loginShell by dn="uid=samba,ou=Users,dc=somedomain,dc=com" write by self read by * none # samba need to be able to create the samba domain account access to dn.base="dc=somedomain,dc=com" by dn="uid=samba,ou=Users,dc=somedomain,dc=com" write by * none # samba need to be able to create new users account access to dn="ou=Users,dc=somedomain,dc=com" by dn="uid=samba,ou=Users,dc=somedomain,dc=com" write by * none # samba need to be able to create new groups account access to dn="ou=Groups,dc=somedomain,dc=com" by dn="uid=samba,ou=Users,dc=somedomain,dc=com" write by * none # samba need to be able to create new computers account access to dn="ou=Computers,dc=somedomain,dc=com" by dn="uid=samba,ou=Users,dc=somedomain,dc=com" write by * none # this can be omitted but we leave it: there could be other branch # in the directory access to * by self read by * none
developerWorks
ibm.com/developerWorks
Sometimes there are multiple instances of ldap.conf on your system. Locate the one that PAM has been configured to use. To do this type: strings /lib/libnss_ldap.so.2 | grep conf. Usually, the returned value is /etc/ldap.conf. Edit ldap.conf in your favorite editor and insert the following text. Modify the sections denoted with a "# MODIFY" comment. The contents of /etc/ldap.conf look like this: Listing 4. Contents of /etc/ldap.conf
## ## ## ## ## ## IMPORTANT The /etc/ldap.conf file is used by PAM. There is another ldap.conf file in /etc/openldap. The file, /etc/openldap/ldap.conf, is used by ldap tools, such as ldapsearch. If you intend to use those tools you will need to add a TLS_CACERT directive to that file also.
# Your LDAP server. Must be resolvable without using LDAP. # Multiple hosts may be specified, each separated by a # space. host 127.0.0.1 # MODIFY # The distinguished name of the search base. base dc=somedomain,dc=com # MODIFY # The distinguished name to bind to the server with. # We will use the root dn until we can create a lesser privileged user. binddn cn=Manager,dc=somedomain,dc=com bindpw < use the password you created for Manager in "Step 4: Configure slapd.conf"> # MODIFY # Note: "ou=Users" and "ou=Groups" should match what # you entered in smb.conf for "ldap group suffix" # and "ldap user suffix" nss_base_passwd ou=Users,dc=somedomain,dc=com?one nss_base_passwd ou=Computers,dc=somedomain,dc=com?one nss_base_shadow ou=Users,dc=somedomain,dc=com?one nss_base_group ou=Groups,dc=somedomain,dc=com?one ssl no pam_password md5 # We need to tell PAM where the certificate used to authenticate the LDAP # server (i.e. is the LDAP server the one we think it is). tls_cacertfile /etc/openldap/cacert.pem # # # # # If you experience difficulty authenticating after enabling TLS, try uncommenting the next line. You will know that you are having problems if you issue "getent group" and do not see any of the MS Windows groups that have been created in your LDAP database. tls_checkpeer no
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 12 of 30
ibm.com/developerWorks
developerWorks
Linux vendor to do all of the dirty work for me. Fedora provides a command line utility called authconfig that knows how to modify all of PAM's configuration files. Other Linux vendors have similar configuration utilities, so consult the documentation if you're not using Fedora. 1. 2. Launch authconfig from the command line. Type: authconfig. Edit the first screen as shown. Figure 2. authconfig screen 1
3.
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 13 of 30
developerWorks
ibm.com/developerWorks
2.
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 14 of 30
ibm.com/developerWorks
developerWorks
our Microsoft Windows network and we add hooks to make Samba aware of the LDAP backend. The file is shown below with comments. Change all sections a denoted by a "# MODIFY" comment to fit your particular situation. Also, all of the directives in this configuration file are described in the Samba manual. You can view it by typing man smb.conf. The contents of /etc/samba/smb.conf look like this: Listing 5. Contents of /etc/samba/smb.conf
# Global parameters [# Global parameters [global] # MODIFY workgroup = BIGTIME # MODIFY netbios name = linus # MODIFY server string = Linus Samba Server passdb backend = ldapsam:ldap://127.0.0.1/ # By default run with minimal logging. However, if you need to debug # 5 is a fairly verbose logging level. #log level = 5 log file = /var/log/samba/log.%m max log size = 50 time server = Yes add user script = /var/lib/samba/sbin/smbldap-useradd -a '%u' delete user script = /var/lib/samba/sbin/smbldap-userdel '%u' add group script = /var/lib/samba/sbin/smbldap-groupadd -p '%g' delete group script = /var/lib/samba/sbin/smbldap-groupdel '%g' add user to group script = /var/lib/samba/sbin/smbldap-groupmod -m '%u''%g' delete user from group script = /var/lib/samba/sbin/smbldap-groupmod -x '%u' '%g' set primary group script = /var/lib/samba/sbin/smbldap-usermod -g '%g' '%u' add machine script = /var/lib/samba/sbin/smbldap-useradd -w '%u' # Personally, I do not like roaming profiles because they take up too # much space on my server. As such, I disable roaming profiles by # setting the following two variables to null logon path = logon home = logon drive = H: domain logons = Yes preferred master = Yes domain master = Yes wins support = Yes # MODIFY ldap admin dn = cn=Manager,dc=somedomain,dc=com ldap group suffix = ou=Groups ldap idmap suffix = ou=Idmap ldap machine suffix = ou=Computers ldap passwd sync = Yes # MODIFY ldap suffix = dc=somedomain,dc=com ldap user suffix = ou=Users idmap backend = ldap:ldap://127.0.0.1 idmap uid = 10000-20000 idmap gid = 10000-20000 # The next three blocks define the shared drives that we will be exposing. They are all # nearly identical. The important thing to note is that all files on these drives are # readable and writeable by any user in that group. [netlogon]
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 15 of 30
developerWorks
ibm.com/developerWorks
path = /var/lib/samba/netlogon/scripts browseable = No root preexec = /var/lib/samba/netlogon/scripts/logon.pl %U %I # MODIFY [marketing] comment = Marketing material path = /home/marketing # Any files written to this drive will have this user group. Since this is a # *shared* drive all users should have permission to read/write/remove any file. # If you do not agree you will probably want to remove the "force group" line force group = marketing read only = No create mask = 0770 directory mask = 0770 browseable = No # MODIFY [engineering] comment = Common material path = /home/engineering path = /home/marketing # Any files written to this drive will have this user group. Since this is a # *shared* drive all users should have permission to read/write/remove any file. # If you do not agree you will probably want to remove the "force group" line force group = engineering read only = No create mask = 0770 directory mask = 0770 browseable = No # MODIFY [management] comment = Management Data path = /home/management path = /home/marketing # Any files written to this drive will have this user group. Since this is a # *shared* drive all users should have permission to read/write/remove any file. # If you do not agree you will probably want to remove the "force group" line force group = management read only = No create mask = 0770 directory mask = 0770
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 16 of 30
ibm.com/developerWorks
developerWorks
Our Samba server is configured to be a Microsoft Windows domain controller and as such, it can control what actions a Windows client takes when it logs on to our domain. These actions can include things like retrieving a stored roaming profile, mounting drives, and synchronizing with a time server. Our Samba server does not be store roaming profiles because these can take up quite a bit of space; however, we force each Microsoft Windows client that logs in to our domain to mount drives and synchronize with a time server. In this step we create a Perl script that generates a Windows batch file that is executed each time a user logs in to the BIGTIME domain. The batch file causes the user's Windows machine to automatically mount the drives that their security profile grants them access to. This action is useful for large organizations with many common drives and a diverse security policy. The location and execution of this batch script are defined by two parameters in the netlogon section of smb.conf, they are path and root preexec. The Perl script is shown following. Perform these actions to install the Perl logon script: 1. 2. 3. cd /var/lib/samba/netlogon/scripts Create a file called logon.pl and fill it with the contents shown below. chmod 755 /var/lib/samba/netlogon/logon.pl
Following is the Perl logon script. The contents of /var/lib/samba/netlogon/logon.pl looks like: Listing 6. Contents of Perl logon script
#!/usr/bin/perl use strict; # Set the permissions on any file we create to 640 (i.e. -rw-r--r--) umask(022); my my my ## my $NETLOGON_DIR = "/var/lib/samba/netlogon/scripts"; $LOG_DIR = "/var/log/samba"; $SERVERNAME = "linus"; You will need to modify this hash to match your mountpoints. %MOUNTPOINTS = ( "engineering" => "NET USE W: \\\\$SERVERNAME\\engineering \/YES\r\n", "marketing" => "NET USE W: \\\\$SERVERNAME\\marketing \/YES\r\n", "management" => "NET USE W: \\\\$SERVERNAME\\management \/YES\r\n" );
## Make sure that there is a user name and that it contains a valid ## user name string (i.e. no invalid chars). if ($#ARGV != 1 || $ARGV[0] =~ /[^a-zA-Z0-9-_]/) { exit(1);
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 17 of 30
developerWorks
ibm.com/developerWorks
} # Make sure that the user exists and log attempts with invalid IDs my $uid = getpwnam($ARGV[0]); if ($uid == /[^0-9]/){ my $now = localtime; open LOG, ">>$LOG_DIR/log.netlogon"; print LOG "$now"; print LOG " - Error: Unknown user $ARGV[0] logged into $SERVERNAME from $ARGV[1]\n"; close LOG; exit(1); } # Log the logon attempt my $now = localtime; open LOG, ">>$LOG_DIR/log.netlogon"; print LOG "$now"; print LOG " - User $ARGV[0] logged into $SERVERNAME from $ARGV[1]\n"; close LOG; ## Create a custom logon batch file. open FH, ">$NETLOGON_DIR/$ARGV[0].cmd"; # Turn echo off print FH "\@ECHO OFF\r\n"; # Synchronize time between Windows client and Linux server. print FH "NET TIME \\\\$SERVERNAME \/SET \/YES\r\n"; foreach my $key (keys(%MOUNTPOINTS)) { if (isMember($ARGV[0], $key)) { # Put mount points in file print FH "$MOUNTPOINTS{$key}"; } } close FH; # Checks to see if the given user is a member of # the given group. # Returns 1 if true and 0 otherwise. sub isMember{ my ($user, $group) = @_; my ($name, $passwd, $gid, $members) = getgrnam($group); my @members = split /\s+/, $members; for(@members){ if ($user eq $_) { return 1; } } return 0; }
ibm.com/developerWorks
developerWorks
Now it is time to populate the LDAP database with our Samba schema and some initial values. For this task use the handy IDEALX scripts. We begin by executing a configuration script, /var/lib/samba/sbin/configure.pl. The configuration script creates two files, smbldap_bind.conf and smbldap.conf, which contain important environment variables used by all of the scripts in the IDEALX toolkit. 1. 2. First type: cd /var/lib/samba/sbin/. Edit smbldap_tools.pm and make the following changes to the variables smbldap_conf and smbldap_bind_conf. my $smbldap_conf="/var/lib/samba/sbin/smbldap.conf"; my $smbldap_bind_conf="/var/lib/samba/sbin/smbldap_bind.conf"; 3. 4. Next, launch the configuration utility by typing: ./configure.pl You will now be prompted with a series of questions and I have provided a sample listing. In general, you should be able to simply press the return key to the queries; however, here are some important things to know. The password hash is case sensitive and should match the hash algorithm you specified in ldap.conf's pam_password variable (see Step 5: Configure /etc/ldap.conf). In this tutorial there is no LDAP slave server, so we will use the same information as the master server. The bind password requested by this script is the same password you used for the rootdn in Step 4: Configure slapd.conf. The output from the configure.pl script looks like: Listing 7. Output from the Perl configure script
[root@linus sbin]# ./configure.pl If you need to change this, enter the full directory path, then press enter to continue. Smbldap-tools Configuration Directory Path [/etc/opt/IDEALX/smbldap-tools/] > /var/lib/samba/sbin -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Let's start configuring the smbldap-tools scripts ... . workgroup name: name of the domain Samba act as a PDC workgroup name [BIGTIME] > . netbios name: netbios name of the samba controler netbios name [linus] > . logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:' logon drive [H:] > . logon home: home directory location (for Win95/98 or NT Workstation).
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 19 of 30
developerWorks
ibm.com/developerWorks
(use %U as username) Ex:'\\linus\%U' logon home (press the "." character if you don't want homeDirectory) [\\linus\%U] > . . logon path: directory where roaming profiles are stored. Ex:'\\linus\profiles\%U' logon path (press the "." character if you don't want roaming profile) [\\linus\profiles\%U] > . . home directory prefix (use %U as username) [/home/%U] > . default users' homeDirectory mode [700] > . default user netlogon script (use %U as username) [%U.cmd] > "" default password validation time (time in days) [45] > . ldap suffix [dc=somedomain,dc=com] > . ldap group suffix [ou=Groups] > . ldap user suffix [ou=Users] > . ldap machine suffix [ou=Computers] > . Idmap suffix [ou=Idmap] > . sambaUnixIdPooldn: object where you want to store the next uidNumber and gidNumber available for new users and groups sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=BIGTIME] > . ldap master server: IP adress or DNS name of the master (writable) ldap server ldap master server [127.0.0.1] > . ldap master port [389] > . ldap master bind dn [cn=Manager,dc=somedomain,dc=com] > . ldap master bind password [] > . ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one ldap slave server [127.0.0.1] > . ldap slave port [389] > . ldap slave bind dn [cn=Manager,dc=somedomain,dc=com] > . ldap slave bind password [] > . ldap tls support (1/0) [0] > 1 . How to verify the server's certificate (none, optional or require) [require] > . CA certificate file [/var/lib/samba/sbin//ca.pem] > /etc/openldap/cacerts/cacert.pem . certificate to use to connect to the ldap server [/var/lib/samba/sbin//smbldap-tools.pem] > . key certificate to use to connect to the ldap server [/var/lib/samba/sbin//smbldap-tools.key] > . SID for domain BIGTIME: SID of the domain (can be obtained with 'net getlocalsid linus') SID for domain BIGTIME [S-1-5-21-1030832020-2822878261-2997333186] > . unix password encryption: encryption used for unix passwords unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5 . default user gidNumber [513] > . default computer gidNumber [515] > . default login shell [/bin/bash] > . default skeleton directory [/etc/skel] > . default domain name to append to mail adress [] > somedomain.com -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= backup old configuration files: /var/lib/samba/sbin/smbldap.conf->/var/lib/samba/sbin/smbldap.conf.old /var/lib/samba/sbin/smbldap_bind.conf->/var/lib/samba/sbin/smbldap_bind.conf.old writing new configuration file: /var/lib/samba/sbin/smbldap.conf done. /var/lib/samba/sbin/smbldap_bind.conf done.
5.
For those of you who do not want password expiration enabled, I will demonstrate how to disable it. Edit smbldap.conf and comment out the following line: defaultMaxPasswordAge="45". Execute the following three commands to set the proper permissions and ownership: 1. chown root:root smbldap.conf smbldap_bind.conf
6.
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 20 of 30
ibm.com/developerWorks
developerWorks
2. 3. 7.
Now it is time to initialize our Samba schema in the LDAP database. We will execute the IDEALX script, smbldap-populate, which will create a domain administrator, some necessary groups, and various other important schema elements. When you execute this script you may notice warnings about uninitialized variables. If you do not want to see these warnings you can edit all of the IDEALX scripts and replace all instances of "#!/usr/bin/perl -w" with "#!/usr/bin/perl". The following code is sample output from smbldap-populate. (Note: smbldap-populate may prompt you for a password for the domain administrator which is by default is named root. You should give this user a password that is different from the one used for the rootdn in Step 4: Configure slapd.conf and that is different from you Linux machine's root user.
dc=somedomain,dc=com ou=Users,dc=somedomain,dc=com ou=Groups,dc=somedomain,dc=com ou=Computers,dc=somedomain,dc=com uid=root,ou=Users,dc=somedomain,dc=com uid=nobody,ou=Users,dc=somedomain,dc=com cn=Domain Admins,ou=Groups,dc=somedomain,dc=com cn=Domain Users,ou=Groups,dc=somedomain,dc=com cn=Domain Guests,ou=Groups,dc=somedomain,dc=com cn=Domain Computers,ou=Groups,dc=somedomain,dc=com cn=Administrators,ou=Groups,dc=somedomain,dc=com cn=Account Operators,ou=Groups,dc=somedomain,dc=com cn=Print Operators,ou=Groups,dc=somedomain,dc=com cn=Backup Operators,ou=Groups,dc=somedomain,dc=com cn=Replicators,ou=Groups,dc=somedomain,dc=com cn=NextFreeUnixId,dc=somedomain,dc=com
Please provide a password for the domain root: LDAP config host: 127.0.0.1 port: 389 version: 3 timeout: 60 Changing password for root New password : Retype new password :
developerWorks
ibm.com/developerWorks
To create a shared drive for each of our three user groups (engineering, marketing, and management) we use the smbldap-useradd utility. This utility will create a directory in /home that serves as a shared drive. We will also create an associated UNIX user group that we use later to grant ordinary users permissions to the shared drive. Execute the following commands as root: Listing 9. Creating UNIX group for permissions to shared drive
cd /var/lib/samba/sbin ./smbldap-groupadd engineering ./smbldap-groupadd marketing ./smbldap-groupadd management ./smbldap-useradd -s /sbin/nologin -m -g engineering engineering ./smbldap-useradd -s /sbin/nologin -m -g marketing marketing ./smbldap-useradd -s /sbin/nologin -m -g management management
Note: The option "-s /sbin/nologin" is a security measure used to prevent someone from logging into your Linux box with one of the three IDs.
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 22 of 30
ibm.com/developerWorks
developerWorks
each user: 1. 2. Create the user ID on the system. Set the Samba password.
By default the smbldap-useradd script will attempt to create a home directory on your Linux system for each user, we will disable this with the -a option. Issue the following commands as root: Listing 10. Disabling the -a option
cd /var/lib/samba/sbin ./smbldap-useradd -a -G "Domain ./smbldap-passwd dilbert ./smbldap-useradd -a -G "Domain ./smbldap-passwd wally ./smbldap-useradd -a -G "Domain ./smbldap-passwd catbert ./smbldap-useradd -a -G "Domain ./smbldap-passwd boss
6.
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 23 of 30
developerWorks
ibm.com/developerWorks
domain members we created in Step 9a: Add the PAM user, we should decide where they fit in this workstation's local security hierarchy. In this tutorial, we will add all Domain Users in the BIGTIME domain to the Power Users local group on this workstation. Follow these steps: 1. 2. 3. 4. 5. 6. 7. 8. 9. From the logon screen, select the option for (this computer) from the Log on to: selection box. Now log on as a user with administrative privileges for this workstation. After logging in, select Start. Select Control Panel. Select Administrative Tools. Select Computer Management. Navigate to Local Users and Groups. Click on Groups. Click on Power Users.
10. Click the Add button and make sure the box From this Location contains BIGTIME. 11. Click the Advanced button. 12. Click Find Now. 13. You will be prompted for the domain administrator's id and password. Enter root and the password from Step 7: Populate the LDAP database. 14. Select Domain Users and click OK until you are returned to the Computer Management window. 7. 8. 9. Next, enter any of the users you configured (boss, wally, catbert, or dilbert) and log on to that workstation. The workstation should automatically mount the drives that the user is allowed to access based on their security profile. Repeat steps 1-6 on every workstation in your network.
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 24 of 30
ibm.com/developerWorks
developerWorks
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 25 of 30
developerWorks
ibm.com/developerWorks
Here is a listing of ldap.conf with TLS enabled. Listing 12. ldap.conf with TLS enabled
## IMPORTANT ## The /etc/ldap.conf file is used by PAM.
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 26 of 30
ibm.com/developerWorks
developerWorks
## ## ## ##
/etc/openldap. The file, /etc/openldap/ldap.conf, is used by ldap tools, such as ldapsearch. If you intend to use those tools you will need to add a TLS_CACERT directive to that file also.
# Your LDAP server. Must be resolvable without using LDAP. # Multiple hosts may be specified, each separated by a # space. host 127.0.0.1 # MODIFY # The distinguished name of the search base. base dc=somedomain,dc=com # MODIFY # The distinguished name to bind to the server with. # We will not be using the root dn. Instead we will create # lesser privileged user. binddn uid=samba,ou=Users,dc=somedomain,dc=com bindpw <your password here> # MODIFY # Note: "ou=Users" and "ou=Groups" should match what # you entered in smb.conf for "ldap group suffix" # and "ldap user suffix" nss_base_passwd ou=Users,dc=somedomain,dc=com?one nss_base_passwd ou=Computers,dc=somedomain,dc=com?one nss_base_shadow ou=Users,dc=somedomain,dc=com?one nss_base_group ou=Groups,dc=somedomain,dc=com?one ssl start_tls pam_password md5 # We need to tell PAM where the certificate used to authenticate the LDAP # server (i.e. is the LDAP server the one we think it is). tls_cacertfile /etc/openldap/cacert.pem # If you experience difficulty authenticating after enabling TLS, try uncommenting # the next line. You will know that you are having problems if you # issue "getent group" and do not see any of the MS Windows groups # that have been created in your LDAP database. tls_checkpeer no
You may have noticed that there are other options in the smbldap.conf file for
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 27 of 30
developerWorks
ibm.com/developerWorks
authentication, clientcert and client key. These two options are there for the truly paranoid and would allow the LDAP server to authenticate the client.
To test a TLS security between Samba and LDAP try the following: 1. Execute /var/lib/samba/sbin/smbldap-usershow dilbert. This should cause the IDEALX scripts to communicate with the LDAP server over a TLS connection and return all of the information the LDAP server has about the user dilbert. Next, try to log in to the BIGTIME domain from a Windows workstation.
2.
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 28 of 30
ibm.com/developerWorks
developerWorks
Resources
Learn Linux-powered networking, Part 3: Integrate Linux and Windows with Samba (developerWorks, December 2004) is a tutorial that shows how to use Samba to integrate your Linux and Windows networks with sample code and configuration files. Common threads: Samba domain controller support (developerWorks, August 2000) demonstrates how to use Samba's domain controller function to control a Windows NT domain. Common threads: Introduction to Samba, Part 1 (developerWorks, June 2000), Part 2 (July 2000), and Part 3 (July 2000) is an excellent guide to installing and configuring Samba. Find more resources for Linux developers in the developerWorks Linux zone. Get products and technologies Samba provides print and file services for SMB/CIFS clients. OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol. Pick up the Samba LDAP toolkit. Access the UNIX man pages for Samba. Build your next development project on Linux with IBM trial software, available for download directly from developerWorks. Discuss Get involved in the developerWorks community by participating in developerWorks blogs.
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 29 of 30
developerWorks
ibm.com/developerWorks
He is also skilled at C/C++ and the Java programming language. You can contact Keith at keithrob@us.ibm.com.
Trademarks
Linux is a trademark of Linus Torvalds in the United States, other countries, or both. DB2, Lotus, Rational, Tivoli, and WebSphere are trademarks of IBM Corporation in the United States, other countries, or both. Intel is a trademark of Intel Corporation or its subsidiaries in the United States and other countries.
LDAP-based authentication for Samba Copyright IBM Corporation 2006. All rights reserved.
Trademarks Page 30 of 30