Thursday, August 19, 2010

Samba with Open-Ldap on Ubuntu 10.04 LTS

Now that I have finally made this a successful primary domain controller that uses LDAP to authenticate, it is a great system that can be deployed in a production environment, and best of all it's free, with no MS headache. I would like to share what I did to make it work correctly. The official Ubuntu documents about this setup simply do not work, so don't waste your time and resources there. Let's get back to what I did.


First of all, we want to make sure that our system is up to date with all required updates:
sudo apt-get update
sudo apt-get upgrade
It is also good practice to configure a static IP for servers, though for this setup you don't have to. If you would like to set one up, click here.
Next we want to install all the packages required for this setup. A few packages have to be installed later, and I think it is appropriate to install them when they are needed:
sudo apt-get install slapd ldap-utils samba samba-doc libpam-smbpass smbclient smbldap-tools -y
Now we need to load some additional schema files into LDAP:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
Next we need to create an LDIF file describing our domain setup:
nano /tmp/mysetup.ldif
Paste the following into your mysetup.ldif file; just make sure you change the domain, admin DN and password to match your setup before you save the file, in order to keep things right:
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=mydomain,dc=local
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=mydomain,dc=local
olcRootPW: mypassword
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=mydomain,dc=local" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=mydomain,dc=local" write by * read
Now add this mysetup.ldif file to the LDAP directory:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/mysetup.ldif
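As an added example (my own script, not part of the original post), here is the same LDIF generated from a DNS-style domain name instead of edited by hand, with one change a practitioner will want: olcRootPW above is stored in clear text inside cn=config, and slapd accepts a hash generated with slappasswd in its place. The script assumes you pass in that slappasswd output; the {SSHA} value used for checking is a made-up placeholder, and the DOMAIN/HASH variable names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: build /tmp/mysetup.ldif from a
# DNS-style domain name and make sure olcRootPW holds a hash, not clear text.
# Assumes the hash comes from slappasswd (e.g. slappasswd -s 'secret' prints
# an {SSHA} value); any hash shown in comments here is a placeholder.

# mydomain.local -> dc=mydomain,dc=local
domain_to_suffix() {
    printf 'dc=%s' "$1" | sed 's/\./,dc=/g'
}

# Emit the post's module and database entries with $1 = suffix and
# $2 = hashed root password substituted in.
render_setup_ldif() {
    suffix=$1
    rootpw=$2
    cat <<EOF
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: $suffix
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,$suffix
olcRootPW: $rootpw
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,$suffix" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,$suffix" write by * read
EOF
}

# 0 if the LDIF in file $1 has an olcRootPW line and its value starts with a
# scheme tag such as {SSHA}; 1 for a missing or clear-text password.
rootpw_is_hashed() {
    grep -q '^olcRootPW: ' "$1" || return 1
    ! grep '^olcRootPW: ' "$1" | grep -qv '^olcRootPW: {[A-Z0-9]*}'
}

# Usage on the server (not exercised by the test):
#   DOMAIN=mydomain.local HASH="$(slappasswd)" sh mysetup.sh
if [ -n "$DOMAIN" ] && [ -n "$HASH" ]; then
    render_setup_ldif "$(domain_to_suffix "$DOMAIN")" "$HASH" > /tmp/mysetup.ldif
    rootpw_is_hashed /tmp/mysetup.ldif && echo "wrote /tmp/mysetup.ldif"
fi
```

The generated file is then loaded exactly as in the post, with ldapadd -Y EXTERNAL -H ldapi:///. The rootpw_is_hashed check is deliberately strict: it fails when the line is missing as well as when it is clear text, so a typo in the variable name does not silently produce a database with no root password at all.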
Now we need to update the smb.conf file. Please change things according to your setup; feel free to download my config file or view the sample file:
nano /etc/samba/smb.conf
Next we need to set up the Samba admin password:
sudo smbpasswd -W
Now we are ready to start our Samba server:
sudo service smbd restart
Now it's time to test things. You don't need to provide a password for the following; it can be tested without one:
sudo smbclient -L localhost
If your screen hangs or you get a "not accessible" error or similar, stop, start or restart Samba and you should be okay.
It's time to make the directories we share via Samba in smb.conf, mainly three directories. They don't have to be where we create them, but this layout looks neat:
mkdir /profiles
mkdir /netlogon
Set the permissions for the above directories. These permissions are only for testing; change them for production, because right now the whole world can access your profiles directory:
chmod 777 /profiles
chmod 777 /netlogon
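Since the post leaves the production permissions to the reader, here is an added example (my own, not from the original post) of the tighter layout I would use: netlogon readable by everyone but writable only by root, and profiles group-writable with the sticky bit so users can only remove or rename their own entries. It assumes the group that should own the shares is passed in; with smbldap-tools that is normally "Domain Users", so check getent group after smbldap-populate has run. The prefix argument exists only so the same function can be exercised under a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: create the share directories with
# modes a production server can live with instead of 777.
# $1 is a path prefix: empty on the real server, a temp dir when testing.
# $2 is the POSIX group that owns the shares (assumed "Domain Users" with
# smbldap-tools; verify with getent group).
set_share_dirs() {
    prefix=$1
    group=$2
    mkdir -p "$prefix/netlogon" "$prefix/profiles"
    # only root may hand ownership to root; as a normal user keep ourselves
    if [ "$(id -u)" -eq 0 ]; then owner=root; else owner=$(id -un); fi
    # netlogon holds logon scripts: readable by all, writable by root only
    chown "$owner:$group" "$prefix/netlogon"
    chmod 0755 "$prefix/netlogon"
    # profiles: group-writable for domain users, no access for others, sticky
    # bit so a user can only remove or rename the entries they own
    chown "$owner:$group" "$prefix/profiles"
    chmod 1770 "$prefix/profiles"
}

# 0 if directory $1 is writable by "other" (the post's testing state), else 1
world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm -0002)" ]
}

# Usage on the server (not run when testing): set_share_dirs "" "Domain Users"
```

On the server you would call set_share_dirs "" "Domain Users" as root. The create mask and directory mask settings on the share in smb.conf still decide the modes of the files Samba creates underneath; these commands only fix the top-level directories that the post opened up with 777.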
Now we are almost done with the Samba setup, and LDAP is already set up. Next we need to make Samba use LDAP for authentication and tell LDAP about the new Samba attributes. This is done with the Samba schema, so let's go and do that:
sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
sudo gzip -d /etc/ldap/schema/samba.schema.gz
All schemas have to be converted to LDIF format so we can add them using the ldapadd tool:
nano /tmp/schema_convert.ldif
Paste the following into schema_convert.ldif:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema
Now use the slapcat tool to convert these schemas:
slapcat -f /tmp/schema_convert.ldif -F ~ -n0 -s "cn={12}samba,cn=schema,cn=config" > /tmp/cn=samba.ldif
Now make the following changes to the samba.ldif file:
nano /tmp/cn\=samba.ldif
Find these two lines:
dn: cn={12}samba,cn=schema,cn=config
...
cn: {12}samba
Change the above two lines in samba.ldif to the following:
dn: cn=samba,cn=schema,cn=config
...
cn: samba
And get rid of the following lines in samba.ldif as well:
structuralObjectClass: olcSchemaConfig
entryUUID: 1050e3c8-4f2e-102f-9979-17b7632aa757
creatorsName: cn=config
createTimestamp: 20100908004504Z
entryCSN: 20100908004504.103442Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100908004504Z
Now add samba.ldif to the LDAP database:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=samba.ldif
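The hand edits above are easy to get wrong in nano, so here is an added example (my own script, not from the original post) that does them with sed and then checks the result before it goes anywhere near ldapadd. The {12} index is whatever slapcat assigned on your box, so the patterns match any {N}; the only lines touched are the dn, the cn and the server-generated operational attributes, so indexed values elsewhere in the file such as {0} on olcAttributeTypes are left alone. The sample schema entry in the script is constructed and abbreviated, not a real slapcat dump.

```shell
#!/bin/sh
# Added example, not from the original post: the hand edits to cn=samba.ldif
# done with sed, plus a check that the file is ready for ldapadd.

# $1 is the file slapcat wrote, $2 the cleaned copy to feed to ldapadd.
clean_schema_ldif() {
    sed -e 's/^dn: cn={[0-9]*}samba,cn=schema,cn=config$/dn: cn=samba,cn=schema,cn=config/' \
        -e 's/^cn: {[0-9]*}samba$/cn: samba/' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d' \
        "$1" > "$2"
}

# 0 when file $1 has the bare dn and cn and none of the server-generated
# operational attributes that make ldapadd reject the entry; else 1
schema_ldif_is_clean() {
    grep -q '^dn: cn=samba,cn=schema,cn=config$' "$1" &&
    grep -q '^cn: samba$' "$1" &&
    ! grep -qE '^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp): ' "$1"
}

# Constructed, abbreviated stand-in for what slapcat writes (one attribute
# type only; the entryUUID and timestamps are placeholders)
sample_schema_ldif() {
    cat <<'EOF'
dn: cn={12}samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20100908004504Z
entryCSN: 20100908004504.103442Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100908004504Z
EOF
}

# Usage on the server (not run when testing):
#   clean_schema_ldif "/tmp/cn=samba.ldif" /tmp/samba-clean.ldif &&
#   schema_ldif_is_clean /tmp/samba-clean.ldif &&
#   sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/samba-clean.ldif
```

Run the three commands from the usage comment in that order; if schema_ldif_is_clean fails, open the cleaned file and look for a leftover operational attribute rather than forcing the ldapadd.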
Now just check how things look so far:
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -b cn=config -W olcDatabase={1}hdb
If you did not get any errors, we are in good shape. Now unpack the smbldap-tools configure script we installed earlier:
sudo gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
Now run a Perl script which will set things up in the LDAP database for us. Answer each question carefully, not because you cannot change them later, but just to keep things neat.
sudo perl /usr/share/doc/smbldap-tools/configure.pl
Now populate the LDAP server with all the information the script has created for us. I want to make sure that our LDAP users and groups don't have any conflicts, so I am setting the starting base for both user and group IDs to 30000:
smbldap-populate -u 30000 -g 30000
And finally:
sudo /etc/init.d/slapd stop
sudo slapindex
sudo chown openldap:openldap /var/lib/ldap/*
sudo /etc/init.d/slapd start
Now add the root user to the Administrators group so it can be used to join workstations to this domain:
sudo smbldap-groupmod -m 'root' 'Administrators'
If you don't get any errors, we are in good shape.

Now we need to allow all clients to authenticate via LDAP. Answer each question very carefully and only after you fully understand it; the tricky part is ldapi:///, which needs to be changed to ldap://127.0.0.1:
sudo apt-get --yes install ldap-auth-client
Now update NSS and PAM:
sudo auth-client-config -t nss -p lac_ldap
sudo pam-auth-update ldap
Make sure LDAP, along with the other services, is checked in the above update. If you did not get any errors, things are good so far, so let's try to add your first LDAP user:
sudo smbldap-useradd -a -m -P rkhan
Now check the new user using the ldapsearch tool:
ldapsearch -xLLL -b "dc=mydomain,dc=local" uid=rkhan
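Beyond eyeballing the output, there are three things worth checking on that entry, so here is an added example (my own, not from the original post) that runs them over the saved output of the ldapsearch command above, redirected to a file. A good entry carries both posixAccount and sambaSamAccount, its uidNumber sits at or above the 30000 base chosen with smbldap-populate, and, because -x binds anonymously, no password attribute should be visible at all. That last check matters with the olcAccess rules from mysetup.ldif: they protect userPassword only, so sambaLMPassword and sambaNTPassword fall through to the final "by * read" unless you add a rule covering those attributes with the same by-clauses as userPassword. Both sample entries in the script are constructed, not captured from a server, and the script assumes unfolded LDIF lines.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks on the output of
#   ldapsearch -xLLL -b "dc=mydomain,dc=local" uid=rkhan > /tmp/rkhan.ldif
# Assumes unfolded LDIF lines; base64 ("::") values are detected but not decoded.

# Values of attribute $2 in LDIF file $1, one per line (plain values only)
ldif_attr() {
    sed -n "s/^$2: //p" "$1"
}

# 0 if file $1 lists every object class given as $2, $3, ...
has_object_classes() {
    f=$1
    shift
    for oc in "$@"; do
        ldif_attr "$f" objectClass | grep -qx "$oc" || return 1
    done
}

# 0 if the uidNumber in file $1 is present and >= $2
uid_at_least() {
    uid=$(ldif_attr "$1" uidNumber)
    [ -n "$uid" ] && [ "$uid" -ge "$2" ]
}

# 0 if any password attribute (plain or base64-encoded) is in file $1.
# With the post's olcAccess rules only userPassword is hidden, so a visible
# sambaNTPassword here means the ACL needs a rule for the Samba hashes too.
exposes_hashes() {
    grep -qE '^(userPassword|sambaLMPassword|sambaNTPassword)::? ' "$1"
}

# Overall verdict used after creating a user
user_entry_ok() {
    has_object_classes "$1" posixAccount sambaSamAccount &&
    uid_at_least "$1" 30000 &&
    ! exposes_hashes "$1"
}

# Constructed entry the way it should look after smbldap-useradd -a
sample_good_entry() {
    cat <<'EOF'
dn: uid=rkhan,ou=Users,dc=mydomain,dc=local
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: sambaSamAccount
cn: rkhan
sn: rkhan
uid: rkhan
uidNumber: 30000
gidNumber: 30000
homeDirectory: /home/rkhan
loginShell: /bin/bash
EOF
}

# Constructed entry with two problems: a uidNumber below the chosen base and
# an NT hash (placeholder zeros) readable by the anonymous bind
sample_bad_entry() {
    cat <<'EOF'
dn: uid=rkhan,ou=Users,dc=mydomain,dc=local
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: sambaSamAccount
cn: rkhan
sn: rkhan
uid: rkhan
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/rkhan
sambaNTPassword: 00000000000000000000000000000000
EOF
}

# Usage on the server (not run when testing):
#   user_entry_ok /tmp/rkhan.ldif && echo "rkhan looks good"
```

If exposes_hashes fires on a real entry, fix the ACL before joining any workstation: an NT hash readable by an anonymous bind is as good as the password for SMB authentication, and the entry will show the hash to anyone who can reach port 389.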
We are all done here. Go to an XP or Windows 7 client and join it to your new Samba domain. Enjoy it!
Note: there is no guarantee that this will work for you; it worked for me like a charm, so I am sharing it.


Quick commands
sudo service smbd stop
sudo service smbd start
sudo service smbd restart

/etc/init.d/slapd stop
/etc/init.d/slapd start
/etc/init.d/slapd restart

Want to say thank you, buy me a beer, I would appreciate that !
