OpenLDAP + Samba Domain Controller On Ubuntu 7.10 - Page 2

Step 5: Configure SAMBA

Now we need to configure SAMBA. This includes configuring the /etc/samba/smb.conf file.

# Open up the SAMBA directory.

cd /etc/samba/

# Backup the samba configuration file.

cp smb.conf smb.conf.original

# Open the samba configuration file for editing.

vim smb.conf

# Make the following changes throughout the file:

workgroup = EXAMPLE
security = user
passdb backend = ldapsam:ldap://localhost/
obey pam restrictions = no
#######################################################################
#COPY AND PASTE THE FOLLOWING UNDERNEATH "OBEY PAM RESTRICTIONS = NO"
#######################################################################
#
#	Begin: Custom LDAP Entries
#
ldap admin dn = cn=admin,dc=example,dc=local
ldap suffix = dc=example, dc=local
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
; Do ldap passwd sync
ldap passwd sync = Yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
domain logons = yes
#
#	End: Custom LDAP Entries
#
#####################################################
#STOP COPYING HERE! 
#####################################################

# Comment out the line:

invalid users = root

# Add the following line:

logon path =

# Restart SAMBA.

/etc/init.d/samba restart

# Give SAMBA the "admin" password to the LDAP tree.

smbpasswd -w 12345

 

Step 6: Configure the SMBLDAP-TOOLS package.

We will be using the smbldap-tools package to populate our directory, add users, add workstations, etc... But, the tools need to be configured first!

# Open up the examples directory.

cd /usr/share/doc/smbldap-tools/examples/

# Copy the configuration files to /etc/smbldap-tools:

cp smbldap_bind.conf /etc/smbldap-tools/
cp smbldap.conf.gz /etc/smbldap-tools/

# Unzip the configuration file.

gzip -d /etc/smbldap-tools/smbldap.conf.gz

# Open up the /etc/smbldap-tools directory.

cd /etc/smbldap-tools/

# Get the SID (Security ID) for your SAMBA domain.

net getlocalsid

This results in (example): SID for domain DC01-UBUNTU is: S-1-5-21-949328747-3404738746-3052206637

# Open the /etc/smbldap-tools/smbldap.conf file for editing.

vim smbldap.conf

# Edit the file so that the following information is correct (according to your individual setup):

SID="S-1-5-21-949328747-3404738746-3052206637" ## This line must have the same SID as when you ran "net getlocalsid"
sambaDomain="EXAMPLE"
ldapTLS="0"
suffix="dc=example,dc=local"
sambaUnixIdPooldn="sambaDomainName=EXAMPLE,${suffix}"
userSmbHome=
userProfile=
userHomeDrive=
userScript=
mailDomain="example.local"

# Open the /etc/smbldap-tools/smbldap_bind.conf file for editing.

vim smbldap_bind.conf

# Edit the file so that the following information is correct (according to your individual setup):

slaveDN="cn=admin,dc=example,dc=local"
slavePw="12345"
masterDN="cn=admin,dc=example,dc=local"
masterPw="12345"

# Set the correct permissions on the above files:

chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf

 

Step 7: Populate LDAP using smbldap-tools

Now we need to populate our LDAP directory with some necessary SAMBA and Windows entries.

# Execute the command to populate the directory.

smbldap-populate -u 30000 -g 30000

# At the password prompt assign your root password:

12345

# Verify that the directory has information in it by running the command:

ldapsearch -x -b dc=example,dc=local | less

 

Step 8: Add an LDAP user to the system

It is time for us to add an LDAP user. We will use this user account to verify that LDAP authentication is working.

# Add the user to LDAP

smbldap-useradd -a -m -M ricky -c "Richard M" ricky

# Here is an explanation of the command switches that we used.

-a allows Windows as well as Linux login
-m makes a home directory, leave this off if you do not need local access
-M sets up the username part of their email address
-c specifies their full name

# Set the password the new account.

smbldap-passwd ricky
# Password will be: 12345

 

Step 9: Configure the server to use LDAP authentication.

The basic steps for this section came from the Ubuntu Forums (http://ubuntuforums.org/showthread.php?t=597056). Thanks to all who contributed to that thread! Basically we need to tell our server to use LDAP authentication as one of its options. Be careful with this! It can cause your server to break! This is why we always have a backup around.

# Install the necessary software for this to work.

apt-get install auth-client-config libpam-ldap libnss-ldap

# Answer the prompts on your screen with the following:

Should debconf manage LDAP configuration?: Yes
LDAP server Uniform Resource Identifier: ldapi://127.0.0.1
Distinguished name of the search base: dc=example,dc=local
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root: cn=admin,dc=example,dc=local
LDAP root account password: 12345

# Open the /etc/ldap.conf file for editing.

vim /etc/ldap.conf

# Configure the following according to your setup:

host 127.0.0.1
base dc=example,dc=local
uri ldap://127.0.0.1/
rootbinddn cn=admin,dc=example,dc=local
bind_policy soft

# Copy the /etc/ldap.conf file to /etc/ldap/ldap.conf

cp /etc/ldap.conf /etc/ldap/ldap.conf

# Create a new file /etc/auth-client-config/profile.d/open_ldap:

vim /etc/auth-client-config/profile.d/open_ldap

# Insert the following into that new file:

[open_ldap]
nss_passwd=passwd: compat ldap
nss_group=group: compat ldap
nss_shadow=shadow: compat ldap
pam_auth=auth       required     pam_env.so
 auth       sufficient   pam_unix.so likeauth nullok
 auth       sufficient   pam_ldap.so use_first_pass
 auth       required     pam_deny.so
pam_account=account    sufficient   pam_unix.so
 account    sufficient   pam_ldap.so
 account    required     pam_deny.so
pam_password=password   sufficient   pam_unix.so nullok md5 shadow use_authtok
 password   sufficient   pam_ldap.so use_first_pass
 password   required     pam_deny.so
pam_session=session    required     pam_limits.so
 session    required     pam_mkhomedir.so skel=/etc/skel/
 session    required     pam_unix.so
 session    optional     pam_ldap.so

# Backup the /etc/nsswitch.conf file:

cp /etc/nsswitch.conf /etc/nsswitch.conf.original

# Backup the /etc/pam.d/ files:

cd /etc/pam.d/
mkdir bkup
cp * bkup/

# Enable the new LDAP Authentication Profile by executing the following command:

auth-client-config -a -p open_ldap

# Reboot the server and test to ensure that you can still log in using SSH and LDAP.

reboot
Share this page:

8 Comment(s)

Add comment

Please register in our forum first to comment.

Comments

By:
Reply  

It seems like there is a problem when trying to complete step 9 to configure the server to use LDAP authentication.

When running the command:
"apt-get install auth-client-config libpam-ldap libnss-ldap"

The following error is generated:
"Couldn't find package auth-client-config"

Based on doing some research it seems that auth-client-config is rather new and has not been included in many packages. Does anyone know where this could be found? Any help would be greatly appreciated.

Thanks,
Aaron

By: Anonymous
Reply  

Better yet would be how to set it up using the pam.d directory.

By: sony
Reply  

Hi,

 if you get something like this when adding groups etc. to ldap:

failed to add entry: objectClass: value #4 invalid per syntax at /usr/sbin/smbldap-populate line 499, <GEN1> line 55.

 --> new openldap has its config inside ldap for replication purpose

you have to backup your slapd.d directory, create a new one and execute:

 slaptest -f slapd.conf -F slapd.d
chown -R openldap:openldap slapd.d

 this will read the smb schemas and put it into config

greetz

sony

By: pebcomputing
Reply  

I am in the process of adapting this howto to debian lenny and ran into the same problem.  I fixed it by downloading the source from here: https://launchpad.net/auth-client-config/+distributions , untarring it, changing directory into the untarred package root, and running "./install.py --prefix=/usr --config-prefix=/etc" as was suggested in the package's README.

By: ilkay karadam
Reply  

i completed installation step by step but i cannot connect to samba domain from xp client. it s giving unknow user or password. (i am trying to connect with root acount and it s password). what is the problem.

 

By: Xavier Normand
Reply  

Same problem with me! i'm only getting access denied when trying to add client xp to domain.

 Please help.

By:
Reply  

Thank you for the excellent post. It was very useful. I already have the Samba and Ldap working together and I’m trying to make a slave server. The idea is have a second sever if my PDC server broke. I have search in many places and until now I did not find useful information. Have someone already did something like this or has any idea how i can do it.

Thanks a lot.

By: timjdavey
Reply  

Had some troubles with this In the instructions for step 9 it says DAP server Uniform Resource Identifier: ldapi://127.0.0.1 when it should be ldap://127.0.0.1/ Minor bug but thought I would flag it incase anyone else stumbled into this