A couple of days ago I decided that I needed a Samba and LDAP setup. After reading the samba mailing list, specifically the thread "Re: [Samba] Samba and LDAP backend - howto docs problems?", I decided to buy the "Official Samba-3 HowTo and Reference Guide" (the "Samba-3 By Example" mentioned in that thread wasn't available in my bookstore and they couldn't order it for me either), expecting to find a workable example for a setup, as I made out more or less from the remarks in that thread there would be, in chapter 2 specifically. That chapter has an example (page 26) but I wouldn't recommend actually using it: it's very limited and inaccurate, and lacks information on what more is needed, which additional system packages etc. It says in the beginning that a functioning OS is assumed, but it's rather vague on what a functioning OS implies. From page 136 on there are some more examples of the ldap passdb backend, but hardly sufficient. http://www.unav.es/cti/ldap-smb-howto.html contains some sketchy info on how to get samba-3 and ldap working, but that document seems to be incomplete and transitioning from samba-2 to samba-3.

One of the posters on the aforementioned thread remarked that an accurate, complete, detailed config file is a great help for learning to grasp what has to be done and how things work together. I agree, and following are the steps I took to get a working samba-3 + ldap install. I hardly know anything of Linux or Samba, let alone LDAP, but from the mailing list I understood that the following is necessary.

The goal: get samba + ldap on slackware 9.1, with support for ACLs, working in a usable state.

The means:
  slackware-9.1
  acl-2.2.22.src.tar.gz
  attr-2.4.14.src.tar.gz
  ea+acl+nfsacl+sec-2.4.24-0.8.69.diff.gz
  linux-2.4.24.tar.gz
  coreutils-5.0-attr+acl.tar.gz
  nss_ldap.tgz
  pam_ldap.tgz
  perl-5.8.3.tar.gz
  openldap-2.1.19.tgz
  ldap-account-manager_0.4.5.tar.gz
  Linux-PAM-0.77.tar.bz2
  openssl-0.9.7d.tar.gz
  db-4.2.52.tar.gz
  samba-3.0.2a.tar.gz
  smbldap-tools-0.8.4.tgz
I made the following install and configs. I don't know how correct or secure or unnecessary they were, but in the end I had a complete and correctly functioning ldap + samba setup that was usable. It was especially frustrating to get the TLS connection working; it kept failing with the following error:

  TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1052

Samba and ldap run on the same server. Besides the documented config for slapd (/etc/openldap/slapd.conf):

  TLSCertificateFile     /etc/ssl/certs/smb.ahm.nl.pem
  TLSCertificateKeyFile  /etc/ssl/keys/smb.ahm.nl.key
  TLSCACertificateFile   /etc/ssl/certs/ca.pem

it is also quite important that the ldap client knows how to verify the server certificate (/etc/ldap.conf, a symlink to /etc/openldap/ldap.conf):

  TLS_CACERT /etc/ssl/certs/ca.pem

Maybe the documentation that exists mentions it, but I couldn't find it. http://www.idealx.org/prj/samba/smbldap-tools.en.html was eventually fairly helpful to get things right, including the initial populating of the ldap database. Their site mentions two config files in /etc/smbldap-tools, but I think that configuration is overruled by the file /usr/lib/perl5/site_perl/5.8.3/smbldap_conf.pm, which contains the same info as those config files. I moved /etc/smbldap-tools away and everything still worked correctly with the parameters from /usr/lib/perl5/site_perl/5.8.3/smbldap_conf.pm. Also, I don't think pam_ldap is necessary if you don't have Linux users. Anyway, if the following example had been in the howto, I wouldn't have wasted 4 days figuring out what was wrong/incomplete with the current example in the howto book, but could have spent that time figuring out what it all means. Everything comes from various websites, but there is no site where it is complete in one place.

- slackware 9.1 standard installation without samba and ldap etc., only basic + compiler + cups.
- openssl-0.9.7d

  ./config --prefix=/usr --openssldir=/etc/ssl shared zlib ; make ; make install

- perl-5.8.3 built with prefix=/usr, defaults accepted.

  perl -MCPAN -e 'shell'
  install Bundle::CPAN      (chose "follow" for dependencies)
  install Net::LDAP
  install Net::SSLeay
  install IO::Socket::SSL

  Net::SSLeay failed because of out of memory during the tcp tests (I built everything on a dual P233 MMX with 104Mb of edo-ram), but manually it installed fine.

- Linux-PAM-0.77

  ./configure --prefix=/ --includedir=/usr/include --mandir=/usr/share/man \
    --libexecdir=/usr/libexec --datadir=/usr/share --sysconfdir=/etc \
    --localstatedir=/var --infodir=/usr/share/info --sharedstatedir=/usr/share/com
  make install

  /etc/pam.d/passwd:
    password  required    pam_cracklib.so
    password  sufficient  pam_ldap.so
    password  sufficient  pam_unix.so
    password  required    pam_deny.so

  /etc/pam.d/login:
    auth      required    pam_nologin.so
    auth      sufficient  pam_ldap.so
    auth      sufficient  pam_unix.so shadow use_first_pass
    auth      required    pam_deny.so
    account   sufficient  pam_unix.so
    account   sufficient  pam_ldap.so
    account   required    pam_deny.so

  /etc/pam.d/system-auth:
    auth      required    /lib/security/pam_env.so
    auth      sufficient  /lib/security/pam_unix.so likeauth nullok
    auth      sufficient  /lib/security/pam_ldap.so use_first_pass
    auth      required    /lib/security/pam_deny.so
    account   required    /lib/security/pam_unix.so
    account   sufficient  /lib/security/pam_ldap.so
    password  required    /lib/security/pam_cracklib.so retry=3 type=
    password  sufficient  /lib/security/pam_unix.so nullok use_authtok md5 shadow
    password  sufficient  /lib/security/pam_ldap.so use_authtok
    password  required    /lib/security/pam_deny.so
    session   required    /lib/security/pam_limits.so
    session   required    /lib/security/pam_unix.so
    session   optional    /lib/security/pam_ldap.so

- db-4.2.52

  ../dist/configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-compat185 --enable-cxx
  make ; make install

- openldap-2.1.x

  ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-passwd \
    --enable-perl --enable-shell --enable-crypt --enable-rewrite --enable-ldap \
    --enable-slapd --enable-dnssrv --enable-monitor --enable-shared
  make depend ; make ; make install

- nss_ldap and pam_ldap

  ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-shared
  make install

  /etc/nsswitch.conf:
    passwd: files ldap
    shadow: files ldap
    group:  files ldap

  /etc/pam_ldap.conf:
    uri ldap://smb.ahm.nl/
    base dc=ahm,dc=nl
    pam_password exop

------------------------
TLS certs:

  % cd /etc/ssl
  % ./misc/CA.sh -newca
  CA certificate filename (or enter to create) <enter>
  etc...
  -----
  Country Name (2 letter code) [AU]:NL
  State or Province Name (full name) [Some-State]:Noordholland
  Locality Name (eg, city) []:Amsterdam
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:AHM
  Organizational Unit Name (eg, section) []:Suckers from Hell
  Common Name (eg, YOUR name) []:smb.ahm.nl
  Email Address []:.
  %

This creates demoCA/cacert.pem and demoCA/private/cakey.pem (CA cert and private key).

Make your server certificate signing request (CSR):

  % openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
  Country Name (2 letter code) [AU]:NL
  State or Province Name (full name) [Some-State]:Noordholland
  Locality Name (eg, city) []:Amsterdam
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:AHM
  Organizational Unit Name (eg, section) []:Suckers from Hell
  Common Name (eg, YOUR name) []:smb.ahm.nl
  Email Address []:[EMAIL PROTECTED]
  A challenge password []: <pass>
  An optional company name []:.
  %
  etc....

The result is newreq.pem. Have the CA sign the CSR:

  % ./misc/CA.sh -sign
  Using configuration from /etc/ssl/openssl.cnf
  Enter PEM pass phrase: <ca pass>
  Certificate is to be certified until Apr 10 18:58:58 2004 GMT (365 days)
  Sign the certificate? [y/n]:y
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
  Data Base Updated
  Certificate:
  etc....
  Signed certificate is in newcert.pem
  %

This creates newcert.pem (the server certificate signed by the CA); the private key is in newreq.pem. Now the certificates can be moved to the desired certificate repository and renamed:

  % cp demoCA/cacert.pem /etc/ssl/certs/ca.pem
  % mv newcert.pem /etc/ssl/certs/smb.ahm.nl.pem
  % mv newreq.pem /etc/ssl/keys/smb.ahm.nl.key
  % chmod 400 /etc/ssl/keys/smb.ahm.nl.key

------------------
slappasswd -v -s secret:
  {SSHA}O/K3UXbzgy6wmx+wx7hEuTn0MJTeOACw

/etc/openldap/slapd.conf:
  #
  # See slapd.conf(5) for details on configuration options.
  # This file should NOT be world readable.
  #
  include   /etc/openldap/schema/core.schema
  include   /etc/openldap/schema/cosine.schema
  include   /etc/openldap/schema/nis.schema
  include   /etc/openldap/schema/inetorgperson.schema
  include   /etc/openldap/schema/samba.schema

  pidfile   /var/run/slapd.pid
  argsfile  /var/run/slapd.args

  TLSCertificateFile     /etc/ssl/certs/smb.ahm.nl.pem
  TLSCertificateKeyFile  /etc/ssl/keys/smb.ahm.nl.key
  TLSCACertificateFile   /etc/ssl/certs/ca.pem
  TLSCipherSuite         EXPORT56

  database   bdb
  suffix     "dc=ahm,dc=nl"
  rootdn     "cn=Manager,dc=ahm,dc=nl"
  rootpw     {SSHA}O/K3UXbzgy6wmx+wx7hEuTn0MJTeOACw
  directory  /var/openldap-data
  cachesize  40000

  index cn,sn,uid,displayName   pres,sub,eq
  index uidNumber,gidNumber     eq
  index sambaSID                eq
  index sambaPrimaryGroupSID    eq
  index sambaDomainName         eq
  index default                 sub
  index memberUid               eq
  index objectClass             eq

  access to dn=".*,dc=ahm,dc=nl"
      by self write
      by * read

-------------------------
/etc/ldap.conf:
  # LDAP Defaults
  # host 10.0.0.20
  # See ldap.conf(5) for details
  # This file should be world readable but not world writable.
  BASE dc=ahm,dc=nl
  #URI ldap://smb.ahm.nl
  nss_base_passwd dc=ahm,dc=nl?sub
  nss_base_shadow dc=ahm,dc=nl?sub
  nss_base_group  dc=ahm,dc=nl?one
  ssl no
  pam_passwd md5
  TLS_CACERT /etc/ssl/certs/ca.pem

------------------------------
- acl-2.2.x and attr-2.4.x from SGI, and kernel patches from bestbits. Build the kernel with ACL support etc. and the libraries; patched and rebuilt the coreutils after that as well. Mount filesystems with the acl,user_xattr options to have it work (ext2, ext3).

- samba-3.0.2a

  ./configure --with-automount --with-smbmount --with-acl-support --with-libsmbclient \
    --with-configdir=/etc/samba --with-logfilebase=/var/log/samba \
    --with-privatedir=/etc/samba/private --with-lockdir=/var/lock/samba \
    --with-piddir=/var/run --enable-cups --with-ldap
  make install

  /etc/samba/smb.conf:
    [global]
      workgroup = AHM
      netbios name = LAVIE
      server string = Samba PDC running %v
      passdb backend = ldapsam:ldap://localhost
      username map = /etc/samba/smbusers
      encrypt passwords = Yes
      update encrypted = Yes
      socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
      add user script = /usr/local/sbin/smbldap-useradd -m "%u"
      add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
      add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
      add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
      delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
      set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
      logon script = logon.bat
      logon path = \\%L\profiles\%U
      logon drive = H:
      logon home = \\%L\%U\.profile
      domain logons = Yes
      os level = 255
      preferred master = Yes
      domain master = Yes
      local master = Yes
      wins support = Yes
      ldap suffix = dc=ahm,dc=nl
      ldap machine suffix = ou=Computers
      ldap user suffix = ou=People
      ldap group suffix = ou=Groups
      ldap idmap suffix = ou=People
      ldap admin dn = "cn=Manager,dc=ahm,dc=nl"
      ldap ssl = start_tls
      ldap passwd sync = yes
      ldap delete dn = Yes
      idmap uid = 15000-20000
      idmap gid = 15000-20000
      winbind separator = +

Still not sure what idmap uid and gid exactly do, but the entries don't seem to be harmful so far. The reference guide and howto explain it (page 151), but I don't understand that explanation or its implication.
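The access directive in the slapd.conf above gives every bind, including an anonymous one, read access to every attribute of every entry under dc=ahm,dc=nl, and that includes the userPassword, sambaLMPassword and sambaNTPassword hashes that appear in the user entries later in this post. The following is an added example, not part of the original post or of the OpenLDAP or smbldap-tools code: a small Python checker that applies slapd's first-match ACL semantics to that directive and to a constructed hardened variant that limits the password attributes to auth (bind-only) for everyone except the entry itself. It handles only the "*", dn= and attrs= forms used here, not slapd's full ACL language, and treats dn= regexes as anchored.

```python
import re

# The access directive from the slapd.conf in the post, so the checker runs stand-alone.
ORIGINAL_ACL = '''
access to dn=".*,dc=ahm,dc=nl"
    by self write
    by * read
'''

# Constructed hardened variant: password attributes are usable only for binding (auth)
# by anyone but the entry itself. The rootdn (cn=Manager, the "ldap admin dn") bypasses ACLs.
HARDENED_ACL = '''
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by * auth
access to dn=".*,dc=ahm,dc=nl"
    by self write
    by * read
'''

LEVELS = ["none", "auth", "compare", "search", "read", "write"]
PASSWORD_ATTRS = ("userPassword", "sambaLMPassword", "sambaNTPassword")

def parse_acl(text):
    """[(what, [(who, level), ...]), ...] in file order; a directive continues
    on lines that start with whitespace, as in slapd.conf."""
    joined = re.sub(r"\n[ \t]+", " ", text.strip())
    rules = []
    for line in joined.splitlines():
        if line.startswith("access to "):
            what, *by_clauses = re.split(r"\s+by\s+", line[len("access to "):])
            rules.append((what.strip(), [tuple(b.split()[:2]) for b in by_clauses]))
    return rules

def what_matches(what, entry_dn, attr):
    """Only '*', dn=<regex> and attrs=<list> are handled (the forms used in the
    post, not slapd's full ACL language); dn= regexes are treated as anchored."""
    dn_re, attrs = None, None
    for tok in what.split():
        key, _, val = tok.partition("=")
        if key in ("dn", "dn.regex"):
            dn_re = val.strip('"')
        elif key in ("attr", "attrs"):
            attrs = set(val.split(","))
    if dn_re is not None and not re.fullmatch(dn_re, entry_dn):
        return False
    return attrs is None or attr in attrs

def anonymous_level(acl_text, entry_dn, attr):
    """slapd semantics: the first 'access to' whose <what> matches decides; the
    first matching 'by' inside it gives the level; no matching 'by' means none."""
    for what, clauses in parse_acl(acl_text):
        if what_matches(what, entry_dn, attr):
            for who, level in clauses:
                if who in ("*", "anonymous"):
                    return level
            return "none"
    return "read"  # slapd's built-in default when no access directive applies

def exposed_password_attrs(acl_text, user_dn="uid=thadeus,ou=People,dc=ahm,dc=nl"):
    """Password attributes an anonymous bind could read on a user entry."""
    return [a for a in PASSWORD_ATTRS
            if LEVELS.index(anonymous_level(acl_text, user_dn, a)) >= LEVELS.index("read")]
```

exposed_password_attrs(ORIGINAL_ACL) returns all three password attributes, while the hardened directive returns an empty list and still leaves cn, uid and the other account attributes readable for nss_ldap.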
It doesn't seem to influence the UID_START/GID_START parameters of the smbldap-tools or prevent the correct working of the net command, so I suppose it's ok to have them there.

----------------------
smbldap-tools: extracted to /usr/local/sbin, moved smbldap_conf.pm and smbldap_tools.pm to /usr/lib/perl5/site_perl/5.8.3/, built mkntpwd and moved it to /usr/local/sbin.

-------------------
smbldap_conf.pm variables:

  $UID_START = 1000;
  $GID_START = 1000;

  # to obtain this number do: "net getlocalsid"
  $SID = "S-1-5-21-4269728302-1655870493-3894479995";

  $slaveLDAP = "127.0.0.1";
  $slavePort = "389";

  # Master LDAP : needed for write operations
  # Ex: $masterLDAP = "127.0.0.1";
  $masterLDAP = "127.0.0.1";
  $masterPort = "389";

  # Use SSL for LDAP
  # If set to "1", this option will use start_tls for connection
  # (you should also use the port 389)
  $ldapSSL = "1";

  $suffix = "dc=ahm,dc=nl";
  $usersou = q(People);
  $usersdn = "ou=People,$suffix";
  $computersou = q(Computers);
  $computersdn = "ou=Computers,$suffix";
  $groupsou = q(Groups);
  $groupsdn = "ou=Groups,$suffix";
  $scope = "sub";
  $hash_encrypt = "SSHA";

  $binddn = "cn=Manager,$suffix";
  $bindpasswd = "secret";
  $slaveDN = $binddn;
  $slavePw = $bindpasswd;
  $masterDN = $binddn;
  $masterPw = $bindpasswd;

  $_userLoginShell = q(/bin/false);
  $_userHomePrefix = q(/shares/home);
  $_userGecos = q(System User);
  $_defaultUserGid = 513;
  $_defaultComputerGid = 553;
  $_skeletonDir = q(/etc/skel);
  $_defaultMaxPasswordAge = 45;
  $_userSmbHome = q(\\\\LAVIE\\homes);
  $_userProfile = q(\\\\LAVIE\\profiles\\);
  $_userHomeDrive = q(H:);
  $_userScript = q(startup.cmd);   # make sure script file is edited under dos

  $with_smbpasswd = 0;
  $smbpasswd = "/usr/local/samba/bin/smbpasswd";
  $mk_ntpasswd = "/usr/local/sbin/mkntpwd";

  $slaveURI = "ldap://$slaveLDAP:$slavePort";
  $masterURI = "ldap://$masterLDAP:$masterPort";
  $ldap_path = "/usr/bin";

  if ( $ldapSSL eq "0" ) {
      $ldap_opts = "-x";
  } elsif ( $ldapSSL eq "1" ) {
      $ldap_opts = "-x -Z";
  } else {
      die "ldapSSL option must be either 0 or 1.\n";
  }

  $ldapmodify = "$ldap_path/ldapmodify $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'";

  1;
  # - The End

  # I think the $_userSmbHome and the $_userProfile should be
  # q(\\\\LAVIE\\$user) and q(\\\\LAVIE\\profiles\\$user) resp.
  # With the lam web interface that comes out correct.

-----------------------------------
Now start /usr/libexec/slapd, /usr/local/samba/sbin/nmbd and /usr/local/samba/sbin/smbd, and run:

  % smbpasswd -w secret
  Setting stored password for "cn=Manager,dc=ahm,dc=nl" in secrets.tdb

Running smbldap_populate.pl fills ldap with the first initial entries:

  dn: sambaDomainName=AHM,dc=ahm,dc=nl
  sambaDomainName: AHM
  sambaSID: S-1-5-21-4269728302-1655870493-3894479995
  sambaAlgorithmicRidBase: 1000
  objectClass: sambaDomain
  sambaNextUserRid: 41000
  sambaNextGroupRid: 41001
  structuralObjectClass: sambaDomain
  entryUUID: 02deaf3c-2013-1028-860e-bb5268b7f8fd
  creatorsName: cn=Manager,dc=ahm,dc=nl
  createTimestamp: 20040411144816Z
  entryCSN: 2004041114:48:16Z#0x0001#0#0000
  modifiersName: cn=Manager,dc=ahm,dc=nl
  modifyTimestamp: 20040411144816Z
  etc...
Added to /etc/group:

  wheel:x:512:root,administrator
  smbusers:x:513:
  smbguests:x:514:
  exact:x:1000:

net groupmap list:

  Domain Admins (S-1-5-21-4269728302-1655870493-3894479995-512) -> wheel
  Domain Users (S-1-5-21-4269728302-1655870493-3894479995-513) -> smbusers
  Domain Guests (S-1-5-21-4269728302-1655870493-3894479995-514) -> smbguests
  exact (S-1-5-21-4269728302-1655870493-3894479995-3001) -> exact

smbldap-groupshow.pl exact:

  dn: cn=exact,ou=Groups,dc=ahm,dc=nl
  objectClass: posixGroup,sambaGroupMapping
  cn: exact
  gidNumber: 1000
  sambaSID: S-1-5-21-4269728302-1655870493-3894479995-3001
  sambaGroupType: 4
  memberUid: gerrit,piet

net rpc group LIST global -U administrator:

  Password:
  Domain Admins
  Domain Users
  Domain Guests
  Administrators
  users
  Guests
  Power Users
  Account Operators
  Server Operators
  Print Operators
  Backup Operators
  Replicator
  Domain Computers

The command

  smbldap-useradd.pl -a -G 'Domain Admins' -d /shares/home/thadeus -s /bin/false -P \
    -F '\\LAVIE\profiles\thadeus' -S 'Hermitage' -m -N "Thadeus Hermitage" \
    -C '\\LAVIE\thadeus' thadeus

adds thadeus to the domain admins and the domain users:

  dn: uid=thadeus,ou=People,dc=ahm,dc=nl
  objectClass: top
  objectClass: inetOrgPerson
  objectClass: posixAccount
  objectClass: sambaSamAccount
  cn: Thadeus Hermitage
  sn: Hermitage
  uid: thadeus
  uidNumber: 1004
  gidNumber: 513
  homeDirectory: /shares/home/thadeus
  loginShell: /bin/false
  gecos: System User
  description: System User
  structuralObjectClass: inetOrgPerson
  entryUUID: e3926754-20cb-1028-9934-bb74a2f96abc
  creatorsName: cn=Manager,dc=ahm,dc=nl
  createTimestamp: 20040412125141Z
  sambaLogonTime: 0
  sambaLogoffTime: 2147483647
  sambaKickoffTime: 2147483647
  sambaPwdCanChange: 0
  displayName: System User
  sambaSID: S-1-5-21-4269728302-1655870493-3894479995-3008
  sambaPrimaryGroupSID: S-1-5-21-4269728302-1655870493-3894479995-513
  sambaHomeDrive: H:
  sambaLogonScript: startup.cmd
  sambaProfilePath: \\LAVIE\profiles\thadeus
  sambaHomePath: \\LAVIE\thadeus
  sambaLMPassword: 4411488B6354F2B8AAD3B435B51404EE
  sambaAcctFlags: [U]
  sambaNTPassword: 7E07C8CA84F5765D8B5DFCF7AC5CEE04
  sambaPwdLastSet: 1081774312
  sambaPwdMustChange: 1085662312
  userPassword:: e1NTSEF9R1FkakxPN1Bhc09OaEJQOXF5ZkNFN0dkOTBtTy96YjM=
  entryCSN: 2004041212:51:52Z#0x0002#0#0000
  modifiersName: cn=Manager,dc=ahm,dc=nl
  modifyTimestamp: 20040412125152Z

and:

  dn: cn=Domain Admins,ou=Groups,dc=ahm,dc=nl
  objectClass: posixGroup
  objectClass: sambaGroupMapping
  gidNumber: 512
  cn: Domain Admins
  memberUid: Administrator
  memberUid: thadeus
  description: Netbios Domain Administrators
  sambaSID: S-1-5-21-4269728302-1655870493-3894479995-512
  sambaGroupType: 2
  displayName: Domain Admins
  structuralObjectClass: posixGroup
  entryUUID: 72f46890-2011-1028-8600-bb5268b7f8fd
  creatorsName: cn=Manager,dc=ahm,dc=nl
  createTimestamp: 20040411143705Z
  entryCSN: 2004041212:51:42Z#0x0001#0#0000
  modifiersName: cn=Manager,dc=ahm,dc=nl
  modifyTimestamp: 20040412125142Z

ls -l /shares/home:

  drwx------+  2 gerrit   smbusers  4096 Apr 11 19:01 gerrit
  drwx------+  2 hornie   smbusers  4096 Apr 12 16:40 hornie
  drwx------+  2 krelis   smbusers  4096 Apr 11 20:58 krelis
  drwx------+  2 thadeus  smbusers  4096 Apr 12 14:51 thadeus

The only necessity is still to add the groups for group mapping manually to /etc/group, otherwise the users can't access the shares that are accessible for groups. I thought it would be enough to add the group smbusers to ldap with the same gid as "Domain Users" and that the entry in nsswitch.conf, "group: files ldap", would do the rest, but that is not the case, though it is for users. I don't understand why or how.
smbldap-groupadd.pl has the option -t, which is the group type. Apparently this can take the following types, domain, local and builtin, which will be the sambaGroupTypes 2, 4 and 5, which refer to, I think, the Windows types:

  SID_NAME_USE_NONE = 0,  /* NOTUSED */
  SID_NAME_USER     = 1,  /* user */
  SID_NAME_DOM_GRP  = 2,  /* domain group */
  SID_NAME_DOMAIN   = 3,  /* domain: don't know what this is */
  SID_NAME_ALIAS    = 4,  /* local group */
  SID_NAME_WKN_GRP  = 5,  /* well-known group */
  SID_NAME_DELETED  = 6,  /* deleted account: needed for c2 rating */
  SID_NAME_INVALID  = 7,  /* invalid account */
  SID_NAME_UNKNOWN  = 8   /* oops. */

as found on one of the websites. What one should choose when creating a group is not clear to me. I suppose that type 2 is a Windows domain group, visible with Windows tools, and needs to be mapped to a Unix group with the same gid to function. Type 4 is a local Unix group and has no group mapping but exists in the ldap database and in /etc/group with the same gid. Type 5 is a riddle.

Hope this helps getting samba + ldap up and running a little faster than I did.

WB
