Thanks for this information. Later this week, I'm scheduled to attempt installation of SAMBA+LDAP using the by Example book. I'll let you know how it goes. The by Example books seem better than the How-To in terms of practical information needed to get a server up and running. The only problem with the by Example book is that it's a bit long. In addition, it does the same thing every other Linux book does, that is, it goes into detail about too many approaches to doing things. When I searched for the word Linux on Amazon, I came up with 3,735 books. I wish one of them specifically outlined how to do what I want done, that is, a book that helps me configure a SBS (Microsoft Small Business Server) replacement.
I may be missing something, but in essence it would be a series of books:
Replacing SBS with Linux (second edition):
1. Download & install Fedora
2. Install LDAP and configure for use with SAMBA & postfix
3. Download & install Samba
4. Download & install postfix/courier/squirrelmail
5. Download & install ClamAV/Spam Assassin/TDMA
6. Download & install Apache
7. Keeping system up to date with YUM
8. Appendix 1 - Updating first edition of this book
Replacing linksys with Linux:
1. Configuring netfilter
2. Configuring VPN - Server
3. Configuring VPN - Client
4. Download & install dansguardian
5. Configure PPPOE
There could be different books for different distributions. Most people reading (myself included) don't care about many of the decisions. For example, I don't care about Fedora vs SUSE vs Debian; I am going with Fedora at this time because I wanted the ACLs found in Kernel 2.6. I don't care about Courier vs Dovecot. I do care about LDAP because this is the holy grail of system administration: with LDAP, you can have a central address book / account store etc. just like NWAdmin or Domain manager.
John
Wim Bakker wrote:
A couple of days ago I decided that I needed a samba and ldap
setup. After reading the samba mailing list, specifically the
thread "Re: [Samba] Samba and LDAP backend - howto docs problems?",
I decided to buy the "Official Samba-3 HowTo and Reference Guide"
(the Samba-3 By Example mentioned in that thread wasn't available
in my bookstore and they couldn't order it for me either), expecting
to find a workable example for a setup, as I made out more or less
from the remarks in that thread there would be, in chapter 2 specifically.
That chapter has an example (page 26) but I wouldn't recommend actually using it; it's very limited and inaccurate, and lacks information
on what more is needed, which additional system packages etc. It says
in the beginning that a functioning OS is assumed, but it's rather
vague on what a functioning OS implies. From page 136 on there are
some more examples of the ldap passdb backend, but hardly sufficient.
http://www.unav.es/cti/ldap-smb-howto.html contains some sketchy
info on how to get samba-3 and ldap working, but that document seems
to be incomplete and transitioning from samba-2 to samba-3.
One of the posters on the aforementioned thread remarked that an accurate,
completely detailed config file is a great help for learning to grasp
what has to be done and how things work together. I agree, and following
are the steps I took to get a working samba-3 + ldap install. I hardly know
anything of linux or samba, let alone ldap, but from the mailing list
I understood that the following is necessary:
A goal:
get samba + ldap on slackware 9.1 with support for acl's in a usable
state working.
The means:
slackware-9.1
acl-2.2.22.src.tar.gz
attr-2.4.14.src.tar.gz
ea+acl+nfsacl+sec-2.4.24-0.8.69.diff.gz
linux-2.4.24.tar.gz
coreutils-5.0-attr+acl.tar.gz
nss_ldap.tgz
pam_ldap.tgz
perl-5.8.3.tar.gz
openldap-2.1.19.tgz
ldap-account-manager_0.4.5.tar.gz
Linux-PAM-0.77.tar.bz2
openssl-0.9.7d.tar.gz
db-4.2.52.tar.gz
samba-3.0.2a.tar.gz
smbldap-tools-0.8.4.tgz
I made the following install and configs. I don't know
how correct or secure or unnecessary they were; in the end I had a complete and correctly functioning ldap + samba setup
that was usable. It was especially frustrating to get the tls connection
working, it kept failing with the following error:
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1052
samba and ldap run on the same server. Besides the documented config
for slapd (/etc/openldap/slapd.conf):
TLSCertificateFile /etc/ssl/certs/smb.ahm.nl.pem
TLSCertificateKeyFile /etc/ssl/keys/smb.ahm.nl.key
TLSCACertificateFile /etc/ssl/certs/ca.pem
it is also quite important that ldap knows how to verify
(/etc/ldap.conf, symlink to /etc/openldap/ldap.conf):
TLS_CACERT /etc/ssl/certs/ca.pem
Maybe the documentation that exists mentions it, but I couldn't
find it. http://www.idealx.org/prj/samba/smbldap-tools.en.html was eventually
fairly helpful to get things right, including the initial populating
of the ldap database. Their site mentions two config files in /etc/smbldap-tools, but I think that configuration is overruled by
the file /usr/lib/perl5/site_perl/5.8.3/smbldap_conf.pm, which contains
the same info as those config files. I moved /etc/smbldap-tools away
and everything still worked correctly with the parameters from
/usr/lib/perl5/site_perl/5.8.3/smbldap_conf.pm.
Also, I don't think pam_ldap is necessary if you don't have linux users.
Anyway, if the following example had been in the howto, I wouldn't have
wasted 4 days figuring out what was wrong/incomplete with the current example
in the howto book, but could have spent that time figuring out what it all
means. Everything comes from various websites, but there is no site where
it is complete in one place.
-slackware 9.1 standard installation without samba and ldap etc., only basic + compiler + cups.
-openssl-0.9.7d: ./config --prefix=/usr --openssldir=/etc/ssl shared zlib ; make ; make install
-perl-5.8.3 built with prefix=/usr, defaults accepted.
perl -MCPAN -e 'shell'
install Bundle::CPAN (chose follow for dependencies)
install Net::LDAP
install Net::SSLeay
install IO::Socket::SSL
Net::SSLeay failed because of out of memory during the tcp tests (I built everything on a dual P233 MMX with 104Mb of EDO RAM), but manually it installed fine.
-Linux-PAM-0.77
./configure --prefix=/ --includedir=/usr/include --mandir=/usr/share/man --libexecdir=/usr/libexec --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var --infodir=/usr/share/info --sharedstatedir=/usr/share/com
make install
/etc/pam.d/passwd:
password required pam_cracklib.so
password sufficient pam_ldap.so
password sufficient pam_unix.so
password required pam_deny.so
/etc/pam.d/login:
auth required pam_nologin.so
auth sufficient pam_ldap.so
auth sufficient pam_unix.so shadow use_first_pass
auth required pam_deny.so
account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so
/etc/pam.d/system-auth:
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
-db-4.2.52
../dist/configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-compat185 --enable-cxx
make and make install
-openldap-2.1.x
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-passwd --enable-perl --enable-shell --enable-crypt --enable-rewrite --enable-ldap --enable-slapd --enable-dnssrv --enable-monitor --enable-shared; make depend ; make ; make install
-nss_ldap and pam_ldap
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-shared
make install
/etc/nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
/etc/pam_ldap.conf:
uri ldap://smb.ahm.nl/
base dc=ahm,dc=nl
pam_password exop
------------------------
TLS certs:
% cd /etc/ssl
% ./misc/CA.sh -newca
CA certificate filename (or enter to create) <enter>
etc...
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Noordholland
Locality Name (eg, city) []:Amsterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:AHM
Organizational Unit Name (eg, section) []:Suckers from Hell
Common Name (eg, YOUR name) []:smb.ahm.nl
Email Address []:.
%
This creates demoCA/cacert.pem and demoCA/private/cakey.pem (CA cert and private key).
Make your server certificate signing request (CSR):
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Noordholland
Locality Name (eg, city) []:Amsterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:AHM
Organizational Unit Name (eg, section) []:Suckers from Hell
Common Name (eg, YOUR name) []:smb.ahm.nl
Email Address []:[EMAIL PROTECTED]
% openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
A challenge password []: <pass>
An optional company name []:.
% etc....
The result is newreq.pem.
Have the CA sign the CSR:
% ./misc/CA.sh -sign
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase: <ca pass>
Certificate is to be certified until Apr 10 18:58:58 2004 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate: etc....
Signed certificate is in newcert.pem
%
This creates newcert.pem (server certificate signed by CA) with private key, newreq.pem. Now the certificates can be moved to the desired certificate repository and renamed.
% cp demoCA/cacert.pem /etc/ssl/certs/ca.pem
% mv newcert.pem /etc/ssl/certs/smb.ahm.nl.pem
% mv newreq.pem /etc/ssl/keys/smb.ahm.nl.key
% chmod 400 /etc/ssl/keys/smb.ahm.nl.key
------------------
slappasswd -v -s secret:
{SSHA}O/K3UXbzgy6wmx+wx7hEuTn0MJTeOACw
/etc/openldap/slapd.conf:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
TLSCertificateFile /etc/ssl/certs/smb.ahm.nl.pem
TLSCertificateKeyFile /etc/ssl/keys/smb.ahm.nl.key
TLSCACertificateFile /etc/ssl/certs/ca.pem
TLSCipherSuite EXPORT56
database bdb
suffix "dc=ahm,dc=nl"
rootdn "cn=Manager,dc=ahm,dc=nl"
rootpw {SSHA}O/K3UXbzgy6wmx+wx7hEuTn0MJTeOACw
directory /var/openldap-data
cachesize 40000
index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
index memberUid eq
index objectClass eq
access to dn=".*,dc=ahm,dc=nl" by self write by * read
-------------------------
/etc/ldap.conf:
# LDAP Defaults
# host 10.0.0.20
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=ahm,dc=nl
#URI ldap://smb.ahm.nl
nss_base_passwd dc=ahm,dc=nl?sub
nss_base_shadow dc=ahm,dc=nl?sub
nss_base_group dc=ahm,dc=nl?one
ssl no
pam_passwd md5
TLS_CACERT /etc/ssl/certs/ca.pem
------------------------------
-acl-2.2.x and attr-2.4.x from sgi and kernel patches from bestbits.
Build kernel with acl support etc. and libraries. Patched and rebuilt the coreutils after that also.
Mount filesystems with the acl,user_xattr options to have it work (ext2,ext3).
-samba-3.0.2a
./configure --with-automount --with-smbmount --with-acl-support --with-libsmbclient --with-configdir=/etc/samba --with-logfilebase=/var/log/samba --with-privatedir=/etc/samba/private --with-lockdir=/var/lock/samba --with-piddir=/var/run --enable-cups --with-ldap ; make install
/etc/samba/smb.conf:
[global]
workgroup = AHM
netbios name = LAVIE
server string = Samba PDC running %v
passdb backend = ldapsam:ldap://localhost
username map = /etc/samba/smbusers
encrypt passwords = Yes
update encrypted = Yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
logon script = logon.bat
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\%L\%U\.profile
domain logons = Yes
os level = 255
preferred master = Yes
domain master = Yes
local master = Yes
wins support = Yes
ldap suffix = dc=ahm,dc=nl
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=People
ldap admin dn = "cn=Manager,dc=ahm,dc=nl"
ldap ssl = start_tls
ldap passwd sync = yes
ldap delete dn = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind separator = +
Still not sure what idmap uid and gid now exactly do, but the
entries don't seem to be harmful up till now. The reference
guide and howto explain it (page 151), but I don't understand that explanation or its implication. It doesn't seem to influence
the UID_START GID_START parameters of the smbldap_tools or prevent
the correct working of the net command, so I suppose it's ok to have
them there.
----------------------
smbldap-tools.
extracted to /usr/local/sbin
moved smbldap_conf.pm and smbldap_tools.pm
to /usr/lib/perl5/site_perl/5.8.3/
built mkntpwd and moved to /usr/local/sbin.
-------------------
smbldap_conf.pm variables:
$UID_START = 1000;
$GID_START = 1000;
# to obtain this number do: "net getlocalsid"
$SID = "S-1-5-21-4269728302-1655870493-3894479995";
$slaveLDAP = "127.0.0.1";
$slavePort = "389";
# Master LDAP : needed for write operations
# Ex: $masterLDAP = "127.0.0.1";
$masterLDAP = "127.0.0.1";
$masterPort = "389";
# Use SSL for LDAP
# If set to "1", this option will use start_tls for connection
# (you should also use the port 389)
$ldapSSL = "1";
$suffix = "dc=ahm,dc=nl";
$usersou = q(People);
$usersdn = "ou=People,$suffix";
$computersou = q(Computers);
$computersdn = "ou=Computers,$suffix";
$groupsou = q(Groups);
$groupsdn = "ou=Groups,$suffix";
$scope = "sub";
$hash_encrypt = "SSHA";
$binddn = "cn=Manager,$suffix";
$bindpasswd = "secret";
$slaveDN = $binddn;
$slavePw = $bindpasswd;
$masterDN = $binddn;
$masterPw = $bindpasswd;
$_userLoginShell = q(/bin/false);
$_userHomePrefix = q(/shares/home);
$_userGecos = q(System User);
$_defaultUserGid = 513;
$_defaultComputerGid = 553;
$_skeletonDir = q(/etc/skel);
$_defaultMaxPasswordAge = 45;
$_userSmbHome = q(\\\\LAVIE\\homes);
$_userProfile = q(\\\\LAVIE\\profiles\\);
$_userHomeDrive = q(H:);
$_userScript = q(startup.cmd); # make sure script file is edited under dos
$with_smbpasswd = 0;
$smbpasswd = "/usr/local/samba/bin/smbpasswd";
$mk_ntpasswd = "/usr/local/sbin/mkntpwd";
$slaveURI = "ldap://$slaveLDAP:$slavePort";
$masterURI = "ldap://$masterLDAP:$masterPort";
$ldap_path = "/usr/bin";
if ( $ldapSSL eq "0" ) {
$ldap_opts = "-x";
} elsif ( $ldapSSL eq "1" ) {
$ldap_opts = "-x -Z";
} else {
die "ldapSSL option must be either 0 or 1.\n";
}
$ldapmodify = "$ldap_path/ldapmodify $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'";
1;
# - The End
#I think the $_userSmbHome and the $_userProfile should be
#q(\\\\LAVIE\\$user) and q(\\\\LAVIE\\profiles\\$user) resp.
#with the lam webinterface that gets correct.
-----------------------------------
Now starting /usr/libexec/slapd and /usr/local/samba/sbin/nmbd and /usr/local/samba/sbin/smbd.
run:
% smbpasswd -w secret
Setting stored password for "cn=Manager,dc=ahm,dc=nl" in secrets.tdb
running smbldap_populate.pl fills ldap with the first initial entries:
dn: sambaDomainName=AHM,dc=ahm,dc=nl
sambaDomainName: AHM
sambaSID: S-1-5-21-4269728302-1655870493-3894479995
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 41000
sambaNextGroupRid: 41001
structuralObjectClass: sambaDomain
entryUUID: 02deaf3c-2013-1028-860e-bb5268b7f8fd
creatorsName: cn=Manager,dc=ahm,dc=nl
createTimestamp: 20040411144816Z
entryCSN: 2004041114:48:16Z#0x0001#0#0000
modifiersName: cn=Manager,dc=ahm,dc=nl
modifyTimestamp: 20040411144816Z
etc...
added to /etc/group:
wheel:x:512:root,administrator
smbusers:x:513:
smbguests:x:514:
exact:x:1000:
net groupmap list:
Domain Admins (S-1-5-21-4269728302-1655870493-3894479995-512) -> wheel
Domain Users (S-1-5-21-4269728302-1655870493-3894479995-513) -> smbusers
Domain Guests (S-1-5-21-4269728302-1655870493-3894479995-514) -> smbguests
exact (S-1-5-21-4269728302-1655870493-3894479995-3001) -> exact
smbldap-groupshow.pl exact:
dn: cn=exact,ou=Groups,dc=ahm,dc=nl
objectClass: posixGroup,sambaGroupMapping
cn: exact
gidNumber: 1000
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-3001
sambaGroupType: 4
memberUid: gerrit,piet
net rpc group LIST global -U administrator
Password:
Domain Admins
Domain Users
Domain Guests
Administrators
users
Guests
Power Users
Account Operators
Server Operators
Print Operators
Backup Operators
Replicator
Domain Computers
smbldap-useradd.pl -a -G 'Domain Admins' -d /shares/home/thadeus -s /bin/false -P -F '\\LAVIE\profiles\thadeus' -S 'Hermitage' -m -N "Thadeus Hermitage" -C '\\LAVIE\thadeus' thadeus
adds thadeus to the domain admins and the domain users:
dn: uid=thadeus,ou=People,dc=ahm,dc=nl
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
cn: Thadeus Hermitage
sn: Hermitage
uid: thadeus
uidNumber: 1004
gidNumber: 513
homeDirectory: /shares/home/thadeus
loginShell: /bin/false
gecos: System User
description: System User
structuralObjectClass: inetOrgPerson
entryUUID: e3926754-20cb-1028-9934-bb74a2f96abc
creatorsName: cn=Manager,dc=ahm,dc=nl
createTimestamp: 20040412125141Z
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-3008
sambaPrimaryGroupSID: S-1-5-21-4269728302-1655870493-3894479995-513
sambaHomeDrive: H:
sambaLogonScript: startup.cmd
sambaProfilePath: \\LAVIE\profiles\thadeus
sambaHomePath: \\LAVIE\thadeus
sambaLMPassword: 4411488B6354F2B8AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 7E07C8CA84F5765D8B5DFCF7AC5CEE04
sambaPwdLastSet: 1081774312
sambaPwdMustChange: 1085662312
userPassword:: e1NTSEF9R1FkakxPN1Bhc09OaEJQOXF5ZkNFN0dkOTBtTy96YjM=
entryCSN: 2004041212:51:52Z#0x0002#0#0000
modifiersName: cn=Manager,dc=ahm,dc=nl
modifyTimestamp: 20040412125152Z
and:
dn: cn=Domain Admins,ou=Groups,dc=ahm,dc=nl
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: Administrator
memberUid: thadeus
description: Netbios Domain Administrators
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-512
sambaGroupType: 2
displayName: Domain Admins
structuralObjectClass: posixGroup
entryUUID: 72f46890-2011-1028-8600-bb5268b7f8fd
creatorsName: cn=Manager,dc=ahm,dc=nl
createTimestamp: 20040411143705Z
entryCSN: 2004041212:51:42Z#0x0001#0#0000
modifiersName: cn=Manager,dc=ahm,dc=nl
modifyTimestamp: 20040412125142Z
ls -l /shares/home:
drwx------+ 2 gerrit smbusers 4096 Apr 11 19:01 gerrit
drwx------+ 2 hornie smbusers 4096 Apr 12 16:40 hornie
drwx------+ 2 krelis smbusers 4096 Apr 11 20:58 krelis
drwx------+ 2 thadeus smbusers 4096 Apr 12 14:51 thadeus
The only necessity is still to manually add the groups
for groupmapping to /etc/group, otherwise the users can't access the
shares that are accessible for groups. I thought it would be enough to add the group smbusers to ldap with the same gid as
"Domain Users" and that the entry in nsswitch.conf, group: files ldap, would do the rest, but that is not the case, though it is for users. I don't understand why or how.
smbldap-groupadd.pl has the option -t, which is the group type; apparently
this can take the following types, domain, local and builtin, which will
be the sambaGroupTypes 2, 4 and 5 which refer to, I think, the windows
types:
SID_NAME_USE_NONE = 0,/* NOTUSED */
SID_NAME_USER = 1, /* user */
SID_NAME_DOM_GRP = 2, /* domain group */
SID_NAME_DOMAIN = 3, /* domain: don't know what this is */
SID_NAME_ALIAS = 4, /* local group */
SID_NAME_WKN_GRP = 5, /* well-known group */
SID_NAME_DELETED = 6, /* deleted account: needed for c2 rating */
SID_NAME_INVALID = 7, /* invalid account */
SID_NAME_UNKNOWN = 8 /* oops. */
as found on one of the websites.
What one should choose when creating a group is not clear to me. I suppose
that type 2 is a windows domain group, visible with windows tools, and
needs to be mapped to a unix group with the same gid to function. Type 4 is a local unix group and has no groupmapping but exists in the ldap database and in /etc/group with the same gid. Type 5 is a riddle.
Hope this helps getting samba + ldap up and running a little faster
than I did.
WB
-- John Schmerold Katy Computer Systems, Inc 20 Meramec Station Rd Valley Park MO 63088 314-316-9000 v 775-227-6947 f
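The slapd.conf in the quoted post ends with a single ACL, access to dn=".*,dc=ahm,dc=nl" by self write by * read, which gives every bind, anonymous ones included, read access to userPassword, sambaLMPassword and sambaNTPassword; the NT hash is password-equivalent for SMB authentication and the LM hash is trivially reversible. slapd evaluates access clauses in order and stops at the first clause whose target matches, so a clause for the password attributes has to precede the catch-all. The fragment below is an added example, not the post's file and not from the smbldap-tools or Samba projects; it keeps the post's DNs and replaces only the ACL and the TLSCipherSuite line (EXPORT56 selects 56-bit export ciphers; HIGH is the OpenSSL alias for the strong suites).

```conf
# Hardened excerpt for /etc/openldap/slapd.conf (added example, not the post's own file).
# The post's single clause, kept here for comparison:
#   access to dn=".*,dc=ahm,dc=nl" by self write by * read

# Password-equivalent attributes first: the admin DN that Samba and the
# smbldap-tools bind with may write them, the owner may change their own,
# everyone else may only use them for a bind ("auth") and never read them.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="cn=Manager,dc=ahm,dc=nl" write
        by self write
        by * auth

# Everything else keeps the post's behaviour (nss_ldap needs anonymous read
# of uid, uidNumber, gidNumber and the group entries).
access to dn=".*,dc=ahm,dc=nl"
        by self write
        by * read

# Post:  TLSCipherSuite EXPORT56   (56-bit export ciphers)
TLSCipherSuite HIGH
```

With this ordering a pam_ldap password change still works, because pam_password exop makes the user bind as themselves (covered by "by self write"), and Samba's ldap passwd sync writes the NT/LM hashes as the ldap admin dn.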
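The thadeus entry above shows userPassword as "userPassword::" with a base64 value, because slapd base64-encodes any value that begins with a character such as "{", and the slappasswd output earlier in the post shows what such an {SSHA} value is: base64 of SHA1(password || salt) followed by the 4-byte salt. The script below is an added example, not part of the post or of OpenLDAP: it parses an LDIF excerpt constructed from the posted entry (a few of its attributes, copied verbatim), decodes the "::" value, verifies {SSHA} values the way slapd does, lists the attributes of the entry that an ACL has to keep private, and flags an LM hash whose second half is the well-known empty-block constant (meaning the password is at most 7 characters). Only the Python standard library is used; the passwords in the test are constructed.

```python
"""Parse one LDIF entry, decode '::' base64 attributes and verify {SSHA} values.

Added example (not from the post or OpenLDAP). SAMPLE_LDIF is an excerpt
constructed from the posted thadeus entry; the attribute values are verbatim."""
import base64
import hashlib
import hmac
import os

# Constructed excerpt: only the attributes this example needs.
SAMPLE_LDIF = """\
dn: uid=thadeus,ou=People,dc=ahm,dc=nl
objectClass: sambaSamAccount
uid: thadeus
sambaLMPassword: 4411488B6354F2B8AAD3B435B51404EE
sambaNTPassword: 7E07C8CA84F5765D8B5DFCF7AC5CEE04
userPassword:: e1NTSEF9R1FkakxPN1Bhc09OaEJQOXF5ZkNFN0dkOTBtTy96YjM=
entryCSN: 2004041212:51:52Z#0x0002#0#0000
"""

# Attributes whose value lets the holder authenticate as the user: the NT hash
# is password-equivalent for SMB, the LM hash is reversible, userPassword is a
# salted hash. These are the attributes an slapd ACL must keep unreadable.
SECRET_ATTRS = ("userPassword", "sambaLMPassword", "sambaNTPassword")

# LM hashes each 7-character half of the password separately; this is the
# hash of an empty half, so a second half equal to it means len(password) <= 7.
LM_EMPTY_HALF = "AAD3B435B51404EE"


def parse_ldif_entry(text):
    """Return {attribute: [values]} for one LDIF entry.

    'attr: value' is a plain value; 'attr:: value' carries a base64 value."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")  # first colon only: values may contain ':'
        if not sep:
            continue
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry.setdefault(attr, []).append(value)
    return entry


def ssha_hash(password, salt=None):
    """Build an {SSHA} value like slappasswd: base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a candidate password against an {SSHA} value; the salt is the tail."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def secret_attributes(entry):
    """Names of the password-equivalent attributes present in the entry."""
    return [attr for attr in SECRET_ATTRS if attr in entry]


def lm_hash_half_empty(lm_hex):
    """True when the second LM half is the empty-block constant (password <= 7 chars)."""
    return lm_hex.upper()[16:] == LM_EMPTY_HALF


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print("userPassword decodes to:", entry["userPassword"][0])
    print("attributes to keep private:", secret_attributes(entry))
    print("LM second half empty:", lm_hash_half_empty(entry["sambaLMPassword"][0]))
    demo = ssha_hash("constructed-password")  # constructed demo password
    print(demo, "verifies:", ssha_verify(demo, "constructed-password"))
```

Running the script shows the posted userPassword decoding to a plain {SSHA} string of 32 base64 characters (24 bytes: 20 of digest, 4 of salt) and reports that the posted LM hash ends in the empty-block constant; ssha_verify is the check slapd performs on a simple bind against such a value, and the same function can audit a copied {SSHA} value against a list of known-weak passwords.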
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
