# HOWTO LDAP SAMBA PDC/Basic Setup

Source: http://gentoo-wiki.com/HOWTO_LDAP_SAMBA_PDC (sample Samba configuration extracted 27-Jul-06, amo)

## Configure LDAP

First things first: ensure the proper ownership of some key directories.

```
# chown ldap:ldap /var/lib/openldap-*
```

### /etc/openldap/slapd.conf

You can edit the /etc/openldap/slapd.conf file that ships with openldap, or you can create a new one; either way it should resemble the following.

The *include* statements pull the various schemas into our LDAP tree:

```
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
```

The slapd Gentoo init script doesn't create the *pidfile* or *argsfile* correctly, so we specify them here:

```
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
```

*Note:* 06/08/06: net-nds/openldap-2.2.28-r3 has the two previous lines present in /etc/openldap/slapd.conf by default. --evilshenaniganz

You should set *loglevel* to 256 initially; this will give you some good hints when debugging problems. Read man slapd.conf for more information on what the *loglevel* directive gives you.

```
loglevel 256
```

For *database* you can use either "bdb" or "ldbm". bdb is generally favoured by the OpenLDAP project as it is faster and more stable, but it is somewhat difficult to set up when your server is under high load. Hint: create a DB_CONFIG file in your data directory (/var/lib/openldap-data/) and read the Berkeley DB documentation at sleepycat.com.

*suffix* is the suffix for the root of our LDAP tree. The field names here must be all caps, or Windows will turn up its nose when asked to join your domain, with an error stating "User account not found." It will be very frustrating.

*directory* designates the data directory for our LDAP database.

*rootdn* is the hardcoded super-user of the database.
*rootpw* is the hardcoded root password. To generate a 'secret' you can use:

```
# slappasswd -h {MD5}
New password:
Re-enter new password:
{MD5}s+JROT6YmCR/KFfL3N9o4w==
```

{MD5} indicates the scheme that will be used to hash the password. For more information about using different schemes, see the slappasswd man page.

The *index* directives define optional indexes that help speed up searches against common LDAP data.

```
database ldbm
suffix "dc=example,dc=net"
rootdn "cn=Manager,dc=example,dc=net"
rootpw {MD5}s+JROT6YmCR/KFfL3N9o4w==
directory /var/lib/openldap-data/
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
```

### /etc/openldap/ldap.conf

You should also have a file called /etc/openldap/ldap.conf. This file tells the client programs from the openldap package (ldapsearch, ldapadd, ...) which server they should connect to. Don't confuse it with /etc/ldap.conf, which is for the pam_ldap and nss_ldap packages from padl.com. To configure connectivity for the OpenLDAP tools we only need to define the *HOST* and *BASE* settings to match our slapd settings:

```
HOST 127.0.0.1
BASE dc=example,dc=net
```

### /etc/conf.d/slapd

We need to make sure the *OPTS*= line in /etc/conf.d/slapd looks similar to the following. If it doesn't, we may have issues starting slapd through the Gentoo scripts; it also won't open an SSL port without it.

```
OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
```

### Finalizing openldap

We should always do a sanity check on /etc/openldap/slapd.conf every time we change it. We can accomplish this with *slaptest*:

```
# slaptest
```

Once slaptest reports no errors, *slapd* can be started; don't forget to add *slapd* to the default runlevel as well.
Start slapd and add it to the default runlevel:

```
# /etc/init.d/slapd start
# rc-update add slapd default
```

Hopefully *slapd* started [ok]; if it didn't ([!!]), skip down to the troubleshooting section, otherwise continue with the testing section to make sure everything's running correctly.

## Configure PAM

PAM, short for Pluggable Authentication Module(s), is a system that lets us define the modules used for system authentication. Redefining pam.d/system-auth along with nsswitch.conf will allow us to authenticate against our LDAP directory. You should already have a file called /etc/pam.d/system-auth. We need to edit the file to resemble something like this:

*File:* /etc/pam.d/system-auth

```
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so

account    required     pam_unix.so
account    sufficient   pam_ldap.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 type=
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_ldap.so use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_ldap.so
```

## Configure NSS_LDAP

### /etc/nsswitch.conf

You should also have a file called /etc/nsswitch.conf. We need to modify the lines pertaining to *passwd:*, *group:*, and *shadow:* to resemble the following:

```
passwd: files ldap
group:  files ldap
shadow: files ldap
```

### /etc/ldap.conf

Next we want to configure /etc/ldap.conf. This file sets directives pertaining to the *ldap* source we specified in nsswitch.conf above. Again we use *host* and *base* to refer to our LDAP server address and the context of our LDAP tree respectively:

```
host 127.0.0.1
base dc=example,dc=net
```

The *nss_base_** directives specify, for each map (passwd, shadow, group), the context in LDAP that is searched for entries.
Make sure to have two nss_base_passwd entries, covering both users and computers, so you don't get a nasty "user name could not be found" error when joining computers to the domain.

```
nss_base_passwd ou=Computers,dc=example,dc=net?sub
nss_base_passwd ou=Users,dc=example,dc=net?sub
nss_base_shadow ou=Users,dc=example,dc=net?sub
nss_base_group  ou=Groups,dc=example,dc=net?one
```

Here we use *debug* to specify the output message complexity; during testing this value should be 256 to help track down problems. The *logdir* directive tells nss_ldap where to store the logs that the *debug* directive produces.

```
debug 256
logdir /var/log/nss_ldap
```

The *ssl* directive is used to identify whether or not we are using an encrypted conversation. *pam_password* ... tbe ...

```
ssl no
pam_password md5
```

*Note:* You can also use the following. This will let the LDAP server do the encrypting and storing of the password. This plays well with the smbk5pwd overlay. --Po0ky

```
pam_password exop
```

Don't forget to create the folder(s) referenced in the *logdir* directive. We can accomplish this with the following command:

```
# mkdir -p /var/log/nss_ldap
```

## Configure Samba

Next we're going to try to tackle the big item, Samba. Configuring Samba can become quite a complex task in its own right, so we are going to keep our Samba config to the minimum necessary to get a PDC running with an LDAP backend. The following is mostly cut and pasted out of the HOWTO Implement Samba as your PDC and modified for our needs. The following is /etc/samba/smb.conf. The first section we will configure is the [global] services section, followed by [netlogon], [profiles], [homes] and other service sections. You'll need to change some values to meet your criteria.

### The [global] service section

*netbios name* sets the NetBIOS name by which a Samba server is known. This is what you'll see in Network Neighborhood.

*workgroup* controls what workgroup your server will appear to be in when queried by clients.
This is also the DOMAIN you will work from if you are using one.

*server string* controls what string will show up in the printer comment box in print manager and next to the IPC connection in net view.

*IMPORTANT:* make sure that your workgroup (domain) name is not a full DNS name in the Samba setup. Using a name such as domainexample.com here will make an XP client search your DNS server for AD SRV records when you try to join a domain. Setting it to "domainexample" is the best bet.

```
[global]
netbios name = COMPUTER_NAME
workgroup = YOUR_DOMAIN
server string = LDAP PDC [on Gentoo :: Samba server %v]
```

*hosts allow* is a comma, space, or tab delimited set of hosts which are permitted to access a service.

*security* affects how clients respond to Samba and is one of the most important settings in the smb.conf file.

*encrypt passwords* controls whether encrypted passwords will be negotiated with the client.

*socket options* allows you to set socket options to be used when talking with the client. It is for performance fine tuning. If you find more/better options, I'd love to know of them.

*interfaces* allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NBT traffic.

*bind interfaces only* allows the Samba admin to limit what interfaces on a machine will serve SMB requests.

```
hosts allow = 192.168.4.0/24 127.0.0.0/8
security = user
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = lo eth0
bind interfaces only = yes
```

To make your Samba server the PDC, the following four parameters are required. Setting your OS level to 65 ensures your server WILL BE the PDC in a network where there are other DCs.

*local master* allows nmbd to try and become a local master browser on a subnet.

*os level* controls what level Samba advertises itself as for browse elections.

*domain master* enables WAN-wide browse list collation.
Setting this option causes nmbd to claim a special domain-specific NetBIOS name that identifies it as a domain master browser for its given workgroup.

*preferred master* controls if nmbd is a preferred master browser for its workgroup.

```
local master = yes
os level = 65
domain master = yes
preferred master = yes
```

*null passwords* allows or disallows client access to accounts that have null passwords.

*hide unreadable* prevents clients from seeing the existence of files that cannot be read.

*hide dot files* controls whether files starting with a dot appear as hidden files.

```
null passwords = no
hide unreadable = yes
hide dot files = yes
```

*domain logons* dictates whether the Samba server will serve Windows Domain logons for the workgroup it is in.

*logon script* specifies the batch file (.bat) or NT command file (.cmd) to be downloaded and run on a machine when a user successfully logs in.

*logon path* specifies the home directory where roaming profiles (NTuser.dat etc. files for Windows NT) are stored.

*logon drive* specifies the local path to which the home directory will be connected and is only used by NT Workstations.

*logon home* specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC.

Please note that the variables %L and %U must be used. They define the server name and username (respectively). You may specify any drive letter as long as it does not conflict with other drives on your Win2k client. For logon script, I personally use a static file name. Using %U will require a batch file for each user, as %U is the username establishing the connection.

```
domain logons = yes
;logon script = login.bat OR %U.bat
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\%L\%U
```

IMPORTANT NOTE: This may sound pretty obvious, but it will save you a ton of headaches and Windows-cursing. You really want to have your logon drive as Z:, just in case. Why, you ask?
Take a look at the following example: you have a computer with three HDD partitions (C:, D:, and E:), as well as a DVD reader (F:) and a CD-RW (G:). And, yes, your logon drive at H:. Common sense would suggest that, should you connect any removable media to this computer (say, a USB drive, an external DVD burner, etc.), it would get allocated as I:, right? The first mistake here is that you assumed that Microsoft would use any common sense. Let me explain what happened to me in such a case. Apparently, the recently-inserted media tries to get H:, and the only result is that it becomes inaccessible. Another example would be a computer that doesn't have such a heavily partitioned HDD, but is filled with removable media bays, just as any VAIO or HP you can find out there. --Demiurgo 00:49, 23 June 2006 (UTC)

*wins support* controls if the nmbd process in Samba will act as a WINS server.

*name resolve order* is used by the programs in the Samba suite to determine what naming services to use, and in what order, to resolve host names to IP addresses.

*dns proxy* specifies that nmbd, when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name-querying client.

```
wins support = yes
name resolve order = wins lmhosts host bcast
dns proxy = no
```

*time server* determines if nmbd advertises itself as a time server to Windows clients.

*log file* allows you to override the name of the Samba log file (also known as the debug file).

*max log size* specifies the maximum size the log file should grow to.

```
time server = yes
log file = /var/log/samba/log.%m
max log size = 50
```

The following parameters assist you in adding/deleting users/machines from a client.
*Note:* Using these parameters that reference the smbldap-tools means that you must install it when presented later in this HOWTO.

```
add user script = /usr/sbin/smbldap-useradd -m "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
```

...tbe...

```
passdb backend = ldapsam:ldap://127.0.0.1/
ldap delete dn = Yes
ldap ssl = no
```

The following settings refer to the positions of various LDAP objects in our directory.

*ldap suffix* is the same one we entered in slapd.conf and is the root of our LDAP tree.

*ldap admin dn* is the distinguished name of your rootdn previously named in slapd.conf.

*ldap xxxx suffix* is the suffix of each of the containers you see, where xxxx = group, user, machine, idmap.

```
ldap suffix = dc=example,dc=net
ldap admin dn = cn=Manager,dc=example,dc=net
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=People
```

### The [SHARE_NAME] service sections

These sections define your shares. If you include a parameter within any one of these sections that is also defined in the global section, it will override the parameter in the global section. I'm not going to get into detail about each and every parameter here. The Samba link provided above is a great resource for defining parameters. Use it!

*netlogon* is the service section where your Default Profile (for new users) and your login script reside. Make sure the directory is owned and group owned by root and permissions are 755 (chmod -R 0755).

```
[netlogon]
path = /var/lib/samba/netlogon
guest ok = Yes
browseable = no
write list = root
```

*profiles* is the service section for user roaming profiles. Make sure the directory proper is owned and group owned by root.
Make sure its permission is 755 (chmod -R 1757). Inside this directory is where your user profiles are located.

```
[profiles]
path = /var/lib/samba/profiles
writable = yes
browsable = no
create mode = 0644
directory mode = 0755
guest ok = yes
```

*homes* defines the users' home directories. Nothing special needs to be done to this directive or directory.

```
[homes]
path = /home/%U
browseable = no
valid users = %S
read only = no
create mask = 0664
directory mask = 0775
```

*public* is only an example of one of my shares. You can define as many as you want and name them whatever you want; it does not have to be named [public].

```
[public]
comment = Public Stuff
path = /public
public = yes
read only = yes
browseable = yes
write list = @users
```

### Finishing up Samba

Now that we have configured smb.conf with the rootdn, we need to store the password for it. We can accomplish this with the following command. *Note:* your secret password will have to be typed at the command line.

```
# smbpasswd -w secret
```

Before we will be able to start Samba we need to do a quick sanity check:

* check to make sure all folders referenced in /etc/samba/smb.conf actually exist
* ensure the proper permissions are on the folders referenced by *netlogon* and *profiles* (usually they aren't); we can fix them with chmod 0755 /path/to/folder

You should also use testparm to run a sanity check against smb.conf. You can do this by executing the following command:

```
# testparm
```

Make sure to add Samba to the default runlevel:

```
# rc-update add samba default
```

Now it's time to start up Samba:

```
# /etc/init.d/samba start
```

Now, with fingers crossed, we should have had a successful start.

## Configure smbldap-tools

Next you will need to edit the two smbldap-tools config files, /etc/smbldap-tools/smbldap.conf and /etc/smbldap-tools/smbldap_bind.conf. Editing these files is straightforward and mostly means reflecting settings you have specified previously.
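Before leaving smb.conf: the sanity checks listed under Finishing up Samba (do the share directories exist, are netlogon and profiles mode 0755) and the requirement that Samba's ldap xxxx suffix lines and the nss_base_* lines in /etc/ldap.conf point at the same containers can both be scripted. The following is an added example (Python, not part of the HOWTO or of Samba), with constructed inputs that reproduce the settings shown on this page; note that it flags the page's own sample, where nss_ldap searches ou=Users while smb.conf puts users under ou=People.

```python
import os
import re
import stat
import tempfile

# Added example, not from the HOWTO. Constructed smb.conf and ldap.conf
# fragments mirroring the values given earlier on this page; {root} is
# filled in with a scratch directory by demo().
SMB_CONF = """
[global]
ldap suffix = dc=example,dc=net
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=People
[netlogon]
path = {root}/netlogon
[profiles]
path = {root}/profiles
[homes]
path = /home/%U
"""

LDAP_CONF = """
host 127.0.0.1
base dc=example,dc=net
nss_base_passwd ou=Computers,dc=example,dc=net?sub
nss_base_passwd ou=Users,dc=example,dc=net?sub
nss_base_shadow ou=Users,dc=example,dc=net?sub
nss_base_group  ou=Groups,dc=example,dc=net?one
"""


def parse_smb_conf(text):
    """Return {section: {key: value}} for a minimal smb.conf (comments ; and # skipped)."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_nss_bases(text):
    """Return {map: set of search-base DNs} from nss_base_* lines, scope (?sub/?one) stripped."""
    bases = {}
    for line in text.splitlines():
        m = re.match(r"\s*nss_base_(\w+)\s+(\S+)", line)
        if m:
            bases.setdefault(m.group(1), set()).add(m.group(2).split("?")[0].lower())
    return bases


def samba_dns(global_section):
    """Full DN Samba uses per object kind: '<ldap xxxx suffix>,<ldap suffix>'."""
    root = global_section["ldap suffix"]
    return {kind: (global_section["ldap %s suffix" % kind] + "," + root).lower()
            for kind in ("user", "group", "machine")}


def suffix_mismatches(smb_text, ldap_text):
    """Samba object kinds whose container is not among the nss_ldap search bases."""
    dns = samba_dns(parse_smb_conf(smb_text)["global"])
    nss = parse_nss_bases(ldap_text)
    nss_map = {"user": "passwd", "machine": "passwd", "group": "group"}
    return sorted(kind for kind, dn in dns.items() if dn not in nss.get(nss_map[kind], set()))


def path_problems(smb_text):
    """{share: problem} for share paths that are missing or not mode 0755."""
    problems = {}
    for share, params in parse_smb_conf(smb_text).items():
        path = params.get("path")
        if share == "global" or path is None or "%" in path:
            continue  # no path, or a per-user path such as /home/%U
        if not os.path.isdir(path):
            problems[share] = "missing"
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode != 0o755:
            problems[share] = "mode %o, expected 755" % mode
    return problems


def demo():
    """Scratch tree with netlogon at 0700 and no profiles dir; run both checks."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "netlogon"), 0o700)
    smb = SMB_CONF.format(root=root)
    return suffix_mismatches(smb, LDAP_CONF), path_problems(smb)


if __name__ == "__main__":
    print(demo())
```

Run against a real system, point the two parse functions at /etc/samba/smb.conf and /etc/ldap.conf instead of the embedded strings; testparm still has the final word on smb.conf syntax, this only covers the two cross-file checks it cannot do.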
With the exception of the lines noted below, edit the config files to suit your needs.

### /etc/smbldap-tools/smbldap.conf

The directives *ldapTLS*, *verify*, and *hash_encrypt* have to be set as follows. Any of the other directives should be changed to match settings we have previously set in other files. If you don't know what a directive does, it should be safe to skip it.

```
ldapTLS="0"
verify="none"
hash_encrypt="MD5"
# Other configuration should be altered too!!!
```

### /etc/smbldap-tools/smbldap_bind.conf

This file need only be updated with the rootdn that you have previously specified, as well as the secret password of the rootdn in plain text. After editing the above files, feel free to move on to the next section.

### Using Smbk5pwd overlay

I'm still working on this subject; you can take a peek by checking out the Talk:HOWTO_LDAP_SAMBA_PDC_Basic_Setup page. --Po0ky

## Common errors and fixes

*I have "I have no name!@" as my prompt.*

This happens when PAM can't access the LDAP server because it can't read the /etc/ldap.conf file. Make it world readable (don't put any passwords in the file!! The password goes into /etc/ldap.secret):

```
chmod +r /etc/ldap.conf
```

With OpenLDAP 2.3 / nss_ldap-239+ a readable /etc/ldap.conf may not be enough. Use nscd (Name Service Cache Daemon):

```
/etc/init.d/nscd start
rc-update add nscd default
```

*I am unable to use su*

Even when I have the user in the wheel group (ldap) I'm unable to use su. Only when I add the user to the wheel group (/etc/group) am I able to su. There seems to be a problem with the include system-auth thing in /etc/pam.d/su. Add the following to the file:

```
auth sufficient pam_rootok.so
auth sufficient pam_ldap.so   ## add this line
```
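Both the su problem just described and the system-auth stack given under Configure PAM come down to which auth lines run, and in what order. As an added illustration (a Python model, not part of the HOWTO and not Linux-PAM's own code), here is an evaluator for the auth phase of that stack. It models only the control flags required, requisite, sufficient and optional, and the two user tables are constructed sample data; the MISORDERED stack is a hypothetical editing mistake added to show what happens when pam_deny.so is placed before the sufficient lines.

```python
# Added example, not from the HOWTO: Linux-PAM auth-stack walk, simplified.

LOCAL_USERS = {"root": "toor"}        # constructed stand-in for /etc/shadow
LDAP_USERS = {"alice": "wonderland"}  # constructed stand-in for an LDAP-only account

# The auth lines of /etc/pam.d/system-auth as given on this page.
SYSTEM_AUTH = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_unix.so"),   # likeauth nullok
    ("sufficient", "pam_ldap.so"),   # use_first_pass: reuses the password pam_unix read
    ("required",   "pam_deny.so"),
]

# Hypothetical mistake: pam_deny.so placed before the sufficient lines.
MISORDERED = [
    ("required",   "pam_env.so"),
    ("required",   "pam_deny.so"),
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
]


def run_module(name, user, password):
    """True if the named module would accept this user/password (simplified)."""
    if name == "pam_env.so":
        return True                                  # only exports environment
    if name == "pam_unix.so":
        return LOCAL_USERS.get(user) == password
    if name == "pam_ldap.so":
        return LDAP_USERS.get(user) == password
    if name == "pam_deny.so":
        return False
    raise ValueError("unknown module " + name)


def evaluate(stack, user, password):
    """Walk an auth stack with Linux-PAM control-flag semantics.

    Returns (authenticated, trace); trace lists (module, result) for every
    module that actually ran, so short-circuits are visible.
    """
    required_failed = False   # a required/requisite failure poisons the final result
    saw_success = False       # libpam denies when no module gave a definite result
    trace = []
    for control, module in stack:
        ok = run_module(module, user, password)
        trace.append((module, ok))
        if control in ("required", "requisite"):
            if ok:
                saw_success = True
            elif control == "requisite":
                return False, trace               # requisite: stop immediately
            else:
                required_failed = True            # required: keep walking, fail at the end
        elif control == "sufficient":
            if ok and not required_failed:
                return True, trace                # sufficient: short-circuit success
            # a failing sufficient module is ignored; the walk continues
        elif control == "optional" and ok:
            saw_success = True
    return (saw_success and not required_failed), trace


if __name__ == "__main__":
    for stack_name, stack in (("system-auth", SYSTEM_AUTH), ("misordered", MISORDERED)):
        for user, pw in (("alice", "wonderland"), ("alice", "guess"), ("root", "toor")):
            ok, trace = evaluate(stack, user, pw)
            print(stack_name, user, "OK" if ok else "DENIED", trace)
```

With the page's stack, alice (known only to LDAP) fails pam_unix, which as a sufficient line is simply ignored, then passes pam_ldap and is accepted before pam_deny is reached; a wrong password falls through to pam_deny. With pam_deny moved up, the required failure is remembered, so even a later successful sufficient line cannot rescue the login and every user, root included, is denied.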