[Samba] Initial samba + ldap howto

2004-04-12 Thread Wim Bakker
A couple of days ago I decided that I needed a samba and ldap
setup. After reading the samba mailing list, specifically the
thread Re: [Samba] Samba and LDAP backend - howto docs problems?
I decided to buy the Official Samba-3 HowTo and Reference guide
(the Samba-3 By Example mentioned in that thread wasn't available
in my bookstore and they couldn't order it for me either), expecting
to find a workable example for a setup, as I made out more or less
from the remarks in that thread there would be, chapter 2 specifically.
That chapter has an example (page 26) but I wouldn't recommend
actually using it; it's very limited and inaccurate, and lacks information
on what more is needed, which additional system packages etc. It says
in the beginning that a functioning OS is assumed, but that's rather
vague on what a functioning OS implies. From page 136 on there are
some more examples of the ldap password backend, but hardly sufficient.
 http://www.unav.es/cti/ldap-smb-howto.html contains some sketchy
info on how to get samba-3 and ldap working, but that document seems
to be incomplete and transitioning from samba-2 to samba-3.
One of the posters on the aforementioned thread remarked that an accurate,
complete, detailed config file is a great help for learning to grasp
what has to be done and how things work together. I agree, and following
are the steps I took to get a working samba-3 + ldap install. I hardly know
anything of linux or samba, let alone ldap, but from the mailing list
I understood that the following is necessary:
A goal:
get samba + ldap on slackware 9.1 with support for ACLs in a usable
state working.
The means:
slackware-9.1
acl-2.2.22.src.tar.gz
attr-2.4.14.src.tar.gz
ea+acl+nfsacl+sec-2.4.24-0.8.69.diff.gz
linux-2.4.24.tar.gz
coreutils-5.0-attr+acl.tar.gz
nss_ldap.tgz
pam_ldap.tgz
perl-5.8.3.tar.gz
openldap-2.1.19.tgz
ldap-account-manager_0.4.5.tar.gz
Linux-PAM-0.77.tar.bz2
openssl-0.9.7d.tar.gz
db-4.2.52.tar.gz
samba-3.0.2a.tar.gz
smbldap-tools-0.8.4.tgz

I made the following install and configs, I don't know
how correct or secure or unnecessary they were; in the end
I had a complete and correctly functioning ldap + samba setup
that was usable. It was especially frustrating to get the TLS connection
working, it kept failing with the following error:
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
s3_pkt.c:1052
samba and ldap run on the same server. Besides the documented config
for slapd (/etc/openldap/slapd.conf):
TLSCertificateFile      /etc/ssl/certs/smb.ahm.nl.pem
TLSCertificateKeyFile   /etc/ssl/keys/smb.ahm.nl.key
TLSCACertificateFile    /etc/ssl/certs/ca.pem
it is also quite important that ldap knows how to verify
(/etc/ldap.conf symlink to /etc/openldap/ldap.conf):
TLS_CACERT /etc/ssl/certs/ca.pem
Maybe the documentation that exists mentions it, but I couldn't
find it.
http://www.idealx.org/prj/samba/smbldap-tools.en.html was eventually
fairly helpful to get things right, including the initial populating
of the ldap database. Their site mentions two config files in
/etc/smbldap-tools, but I think that configuration is overruled by
the file /usr/lib/perl5/site_perl/5.8.3/smbldap_conf.pm, which contains
the same info as those config files. I moved /etc/smbldap-tools away
and everything still worked correctly with the parameters from
/usr/lib/perl5/site_perl/5.8.3/smbldap_conf.pm.
Also, I don't think pam_ldap is necessary if you don't have linux users.
Anyway, if the following example had been in the howto, I wouldn't
have wasted 4 days figuring out what was wrong/incomplete with the current example
in the howto book, but could have spent that time figuring out what it all
means. Everything comes from various websites, but there is no site where
it is complete in one place.

-slackware 9.1 
standard installation without samba and ldap etc. only basic + compiler +cups.

-openssl-0.9.7d
./config --prefix=/usr --openssldir=/etc/ssl shared zlib ; make ; make install

-perl-5.8.3
built with prefix=/usr , defaults accepted.
perl -MCPAN -e 'shell'
install Bundle::CPAN
(chose follow for dependencies)
install Net::LDAP
install Net::SSLeay
install IO::Socket::SSL

Net::SSLeay failed because of out of memory
during tcp tests (I built everything on a dual P233 MMX
with 104 MB of EDO RAM), but manually it installed fine.

-Linux-PAM-0.77
./configure --prefix=/ --includedir=/usr/include --mandir=/usr/share/man \
--libexecdir=/usr/libexec --datadir=/usr/share --sysconfdir=/etc \
--localstatedir=/var --infodir=/usr/share/info \
--sharedstatedir=/usr/share/com
make install

/etc/pam.d/passwd :
password    required      pam_cracklib.so
password    sufficient    pam_ldap.so
password    sufficient    pam_unix.so
password    required      pam_deny.so
/etc/pam.d/login
auth        required      pam_nologin.so
auth        sufficient    pam_ldap.so
auth        sufficient    pam_unix.so shadow use_first_pass
auth        required      pam_deny.so
account     sufficient
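The "tlsv1 alert unknown ca" error in the post above is the LDAP client refusing the server certificate because it has no trust anchor for the CA that signed it; TLSCACertificateFile on the slapd side does not help with that, only TLS_CACERT on the client side does. The script below is an added example, not code from the post or from Samba/OpenLDAP: it builds a throwaway private CA and a CA-signed server certificate with openssl(1), writes the two config fragments the post names, and then reproduces both outcomes by verifying the server certificate once with the CA file and once without it. The hostname smb.example.test, the directory layout and the fragment file names are assumptions made up for the demo; they stand in for the post's smb.ahm.nl paths.

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates why a slapd
# client needs TLS_CACERT: a CA-signed server cert verifies only when the
# client knows the issuing CA. Assumes openssl(1) is on PATH; hostname and
# paths below are made up for the demo.
set -u

have_openssl() {
    command -v openssl >/dev/null 2>&1
}

# Create ca.pem/ca.key and a CA-signed smb.pem/smb.key under $1.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    # Self-signed CA: this is what TLS_CACERT / TLSCACertificateFile point at.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Samba CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    # Server key and CSR for the LDAP host (assumed name), signed by the CA.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=smb.example.test" \
        -keyout "$dir/smb.key" -out "$dir/smb.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 2 -in "$dir/smb.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/smb.pem" >/dev/null 2>&1 || return 1
    # Private keys must not be world-readable (slapd reads them as root/ldap).
    chmod 600 "$dir/ca.key" "$dir/smb.key"
}

# Emulate the client-side check. With a CA file the chain verifies; with an
# empty second argument only the default system store is consulted, which
# does not contain the private CA: that is the "unknown ca" situation.
verify_server_cert() {
    cert=$1
    cafile=${2:-}
    if [ -n "$cafile" ]; then
        openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
    else
        openssl verify "$cert" >/dev/null 2>&1
    fi
}

# Write the slapd.conf and ldap.conf fragments from the post, using $1 paths.
write_tls_config() {
    dir=$1
    # Server side (/etc/openldap/slapd.conf).
    cat > "$dir/slapd.conf.tls" <<EOF
TLSCertificateFile      $dir/smb.pem
TLSCertificateKeyFile   $dir/smb.key
TLSCACertificateFile    $dir/ca.pem
EOF
    # Client side (/etc/openldap/ldap.conf, also read by Samba's LDAP code).
    cat > "$dir/ldap.conf.tls" <<EOF
TLS_CACERT $dir/ca.pem
EOF
}

# Stand-alone run: build the PKI, write the fragments, show both outcomes.
if have_openssl; then
    work=$(mktemp -d)
    if make_demo_pki "$work" && write_tls_config "$work"; then
        verify_server_cert "$work/smb.pem" "$work/ca.pem" \
            && echo "with TLS_CACERT:    server cert OK"
        verify_server_cert "$work/smb.pem" \
            || echo "without TLS_CACERT: server cert rejected (unknown ca)"
    fi
    rm -rf "$work"
fi
```

The same check can be run against a live slapd with `openssl s_client -connect host:636 -CAfile /etc/ssl/certs/ca.pem` and looking at the "Verify return code" line: a non-zero code there means the client will send exactly the alert quoted in the post.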

Re: [Samba] Initial samba + ldap howto

2004-04-12 Thread John Schmerold
Wim,

Thanks for this information. Later this week, I'm scheduled to attempt
installation of SAMBA+LDAP using the by Example book. I'll let you know
how it goes. The by Example book seems better than the How-To in terms
of practical information needed to get a server up and running. Only
problem with the by Example book is that it's a bit long. In addition,
it does the same thing every other Linux book does, that is it goes into
detail about too many approaches to doing things. When I searched for
the word Linux on Amazon, I came up with 3,735 books. I wish one of them
specifically outlined how to do what I want done, that is a book that
helps me configure a SBS (microsoft small business server) replacement.

I may be missing something, but in essence it would be a series of books:
Replacing SBS with Linux (second edition):
1. Download & install Fedora
2. Install LDAP and configure for use with SAMBA & postfix
3. Download & install Samba
4. Download & install postfix/courier/squirrelmail
5. Download & install ClamAV/Spam Assassin/TDMA
6. Download & install Apache
7. Keeping system up to date with YUM
8. Appendix 1 - Updating first edition of this book
Replacing linksys with Linux
1. Configuring netfilter
2. Configuring VPN - Server
3. Configuring VPN - Client
4. Download & install dansguardian.
5. Configure PPPOE
There could be different books for different distributions. Most people
reading (myself included) don't care about many of the decisions. For
example I don't care about Fedora vs SUSE vs Debian, I am going with
Fedora at this time because I wanted ACLs found in Kernel 2.6. I don't
care about Courier vs Dovecot. I do care about LDAP because this is the
holy grail of system administration, with LDAP, you can have a central
addressbook / account store etc just like NWAdmin or Domain manager.

John


Re: [Samba] Initial samba + ldap howto

2004-04-12 Thread Wim Bakker
On Monday 12 April 2004 18:33, you wrote:
 Wim,

 Thanks for this information. Later this week, I'm scheduled to attempt
 installation of SAMBA+LDAP using the by Example book. I'll let you know
 how it goes. The by Example book seems better than the How-To in terms
 of practical information needed to get a server up and running. Only
 problem with the by Example book is that it's a bit long. In addition,
 it does the same thing every other Linux book does, that is it goes into
 detail about too many approaches to doing things.

The By Example book is most likely much better information to get samba + ldap
running, only I couldn't get my hands on it in the short term. I suppose
books have to be verbose about all kinds of different possibilities but then
forget to be detailed enough for a specific setup, which leaves you with
still not enough information to get the job done.

 example I don't care about Fedora vs SUSE vs Debian, I am going with
 Fedora at this time because I wanted ACLs found in Kernel 2.6. I don't
 care about Courier vs Dovecot. I do care about LDAP because this is the
 holy grail of system administration, with LDAP, you can have a central
 addressbook / account store etc just like NWAdmin or Domain manager.

I found the acl support in the 2.6 series not completely compatible. I still
have to look into it deeper, but I had problems with the desired behaviour
of acl support under 2.6.x. For now I stick with 2.4.x because I also need
ipsec on the same box, and ipsec on 2.6.x is quite different from 2.4.x.
And 2.6.4 and higher had a funny way of dealing with, at least, intel e1000
drivers, maybe other drivers too.

Good luck

WB
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Initial samba + ldap howto

2004-04-12 Thread Marcus White
Check out... 

http://sapiens.wustl.edu/~sysmain/info/openldap/openldap_configure.html

for starters. Unless LDAP is configured properly nothing else will work.
Then go to this one

http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html

Marcus O.
