Centralized login using LDAP and Samba

From Maze's wiki

Follow this tutorial to create a centralized authentication system that both Windows and Linux/Unix clients can authenticate against.

Install LDAP and Samba

LDAP Server
Samba Server

Configure LDAP for Samba

Install samba-doc to get the Samba schema file and copy the schema to the right location:

apt-get install samba-doc
zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema

Edit /etc/ldap/slapd.conf to include two additional schemas:

include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/misc.schema

Add the indexing options in /etc/ldap/slapd.conf

index ou,cn,sn,mail,givenname           eq,pres,sub
index uidNumber,gidNumber,memberUid     eq,pres
index loginShell                        eq,pres
index uniqueMember                      eq,pres
index uid                               pres,sub,eq
index displayName                       pres,sub,eq
index sambaSID                          eq
index sambaPrimaryGroupSID              eq
index sambaDomainName                   eq
index default                           sub

Change access rules in /etc/ldap/slapd.conf

access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
	by dn="cn=admin,dc=example,dc=com" write
	by self write
	by anonymous auth
	by * none

access to attrs=shadowLastChange,shadowMax
	by dn="cn=admin,dc=example,dc=com" write
	by self write
	by * read
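The stanza above matters because sambaNTPassword and sambaLMPassword are the password hashes Samba stores in LDAP: anonymous binds must only get "auth" on them (so slapd can verify a bind without returning the value) and the catch-all must be "none". The following offline checker is an added example, not part of the wiki; it parses slapd.conf-style access rules (one "by" clause per line, as written on this page) and reports any hash attribute that "*", "anonymous" or "users" can access above the "auth" level. WIKI_ACL is copied from the page and WEAK_ACL is a constructed weakened variant.

```python
import re

# Attributes that hold password hashes; the sambaPwd* timestamps in the wiki's rule are not secrets.
SENSITIVE_ATTRS = {"userPassword", "sambaNTPassword", "sambaLMPassword"}
# OpenLDAP access levels, weakest to strongest (see slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_access_rules(conf_text):
    """Parse 'access to attrs=... / by <who> <level>' stanzas (one clause per line)."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and leading tabs
        if line.startswith("access to"):
            m = re.search(r"attrs=(\S+)", line)
            attrs = set(m.group(1).split(",")) if m else {"*"}  # 'access to *' covers every attribute
            rules.append({"attrs": attrs, "by": []})
        elif line.startswith("by ") and rules:
            _, who, level = line.split()[:3]  # dn="..." contains no spaces in slapd.conf
            rules[-1]["by"].append((who, level))
    return rules

def find_exposures(conf_text, sensitive=frozenset(SENSITIVE_ATTRS), ceiling="auth"):
    """Return (attribute, who, level) for every hash attribute that an anonymous or
    arbitrary requester ('*', 'anonymous', 'users') may access above `ceiling`.
    slapd applies the first 'access to' rule matching an attribute, so later rules for
    the same attribute are ignored; attributes covered by no rule are not reported."""
    findings, seen = [], set()
    for rule in parse_access_rules(conf_text):
        covered = sensitive if "*" in rule["attrs"] else sensitive & rule["attrs"]
        for attr in sorted(covered - seen):
            seen.add(attr)
            for who, level in rule["by"]:
                # An unrecognised privilege spec (e.g. "=rscx") is flagged conservatively.
                too_strong = level not in LEVELS or LEVELS.index(level) > LEVELS.index(ceiling)
                if who in ("*", "anonymous", "users") and too_strong:
                    findings.append((attr, who, level))
    return findings

# The wiki's access rules (copied) and a constructed weakened variant for comparison.
WIKI_ACL = """
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
	by dn="cn=admin,dc=example,dc=com" write
	by self write
	by anonymous auth
	by * none

access to attrs=shadowLastChange,shadowMax
	by dn="cn=admin,dc=example,dc=com" write
	by self write
	by * read
"""
WEAK_ACL = WIKI_ACL.replace("by * none", "by * read")  # any bound user could read the hashes
```

Running find_exposures(WIKI_ACL) returns an empty list, while find_exposures(WEAK_ACL) lists all three hash attributes as readable by "*"; the shadow* rule's "by * read" is not reported because those attributes hold no secret.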

Restart the OpenLDAP server:

/etc/init.d/slapd restart

Configure Samba for LDAP

Create the profile and netlogon directories

mkdir /var/lib/samba/profiles
chmod 777 /var/lib/samba/profiles
mkdir /var/lib/samba/netlogon

Replace the contents of /etc/samba/smb.conf

[global]
 # Domain name ..
 workgroup = EXAMPLE
 # Server name - as seen by Windows PCs ..
 netbios name = SERVERNAME
 # Be a PDC ..
 domain logons = Yes
 domain master = Yes
 # Be a WINS server ..
 wins support = true

 obey pam restrictions = Yes
 dns proxy = No
 os level = 35
 log file = /var/log/samba/log.%m
 max log size = 1000
 syslog = 0
 panic action = /usr/share/samba/panic-action %d
 pam password change = Yes

 # Allows users on WinXP PCs to change their password when they press Ctrl-Alt-Del
 unix password sync = no
 ldap passwd sync = yes

 # Printing from PCs will go via CUPS ..
 load printers = yes
 printing = cups
 printcap name = cups

 # Use LDAP for Samba user accounts and groups ..
 passdb backend = ldapsam:ldap://localhost

 # This must match init.ldif ..
 ldap suffix = dc=example,dc=com
 # The password for cn=admin MUST be stored in /etc/samba/secrets.tdb
 # This is done by running 'sudo smbpasswd -w'.
 ldap admin dn = cn=admin,dc=example,dc=com

 # 4 OUs that Samba uses when creating user accounts, computer accounts, etc.
 # (Because we are using smbldap-tools, call them 'Users', 'Computers', etc.)
 ldap machine suffix = ou=Computers
 ldap user suffix = ou=Users
 ldap group suffix = ou=Groups
 ldap idmap suffix = ou=Idmap
 # Samba and LDAP server are on the same server in this example.
 ldap ssl = no

 # Scripts for Samba to use if it creates users, groups, etc.
 add user script = /usr/sbin/smbldap-useradd -m '%u'
 delete user script = /usr/sbin/smbldap-userdel %u
 add group script = /usr/sbin/smbldap-groupadd -p '%g'
 delete group script = /usr/sbin/smbldap-groupdel '%g'
 add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
 delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
 set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

 # Script that Samba uses when a PC joins the domain ..
 # (when changing 'Computer Properties' on the PC)
 add machine script = /usr/sbin/smbldap-useradd -w '%u'

 # Values used when a new user is created ..
 # (Note: '%L' does not work properly with smbldap-tools 0.9.4-1)
 logon drive =
 logon home =
 logon path =
 logon script =

 # This is required for Windows XP client ..
 server signing = auto
 server schannel = Auto

[homes]
 comment = Home Directories
 valid users = %S
 read only = No
 browseable = No

[netlogon]
 comment = Network Logon Service
 path = /var/lib/samba/netlogon
 admin users = root
 guest ok = Yes
 browseable = No

[profiles]
 comment = Roaming Profile Share
 # would probably change this to elsewhere in a production system ..
 path = /var/lib/samba/profiles
 read only = No
 profile acls = Yes
 browsable = No

[printers]
 comment = All Printers
 path = /var/spool/samba
 use client driver = Yes
 create mask = 0600
 guest ok = Yes
 printable = Yes
 browseable = No
 public = yes
 writable = yes
 admin users = root
 write list = root

[print$]
 comment = Printer Drivers
 path = /var/lib/samba/printers
 write list = root
 create mask = 0664
 directory mask = 0775
 admin users = root

Change these lines to match your configuration:

  • workgroup = EXAMPLE
  • netbios name = SERVERNAME
  • ldap suffix = dc=example,dc=com
  • ldap admin dn = cn=admin,dc=example,dc=com

Store LDAP password for Samba use (Make sure the password you enter is the same as the one you entered during LDAP setup):

smbpasswd -W
  • New SMB password: <password>
  • Retype new SMB password: <password>

Restart Samba:

/etc/init.d/samba restart

smbldap-tools

apt-get install smbldap-tools

Copy the example config files:

cat /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf > /etc/smbldap-tools/smbldap_bind.conf
zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf

Retrieve the Samba SID

net getlocalsid

Change these lines in /etc/smbldap-tools/smbldap.conf to match your configuration:

  • #SID=
  • sambaDomain
  • suffix
  • userSmbHome
  • userProfile
  • mailDomain

Change the lines in /etc/smbldap-tools/smbldap_bind.conf to match your configuration:

slaveDN="cn=admin,dc=example,dc=com"
slavePw="the password you entered during ldap configuration"
masterDN="cn=admin,dc=example,dc=com"
masterPw="the password you entered during ldap configuration"

Set the correct permissions:

chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf

Start the engine

Now it's time to populate the directory with the default Samba information:

smbldap-populate
  • Enter the password for the domain root user (yes, on Windows the account is also called root now)

Index the OpenLDAP server

/etc/init.d/slapd stop
slapindex
chown -R openldap:openldap /var/lib/ldap
/etc/init.d/slapd start

Make root admin

Make root part of the Administrators group so they can administer the domain.

smbldap-groupmod -m 'root' 'Administrators'

Client authentication

Follow the LDAP Client guide so that the server Samba is running on also authenticates via LDAP. Use the same guide to configure the regular Linux/Unix and Windows clients.

Add users

smbldap-useradd -a -m -M <local mail part> -P -N <givenname> -S <surname> -c "<Full name>" <username>
  • New password: <password>
  • Retype new password: <password>