Difference between revisions of "Centralized login using LDAP and Samba"
(23 intermediate revisions by the same user not shown)
Line 1: | Line 1: | ||
− | To create a centralized authentication system where both Windows and Linux/Unix client can authenticate against follow this tutorial. | + | To create a centralized authentication system where both Windows and Linux/Unix client can authenticate against follow this tutorial.<br /> |
− | [LDAP] | + | =Install LDAP and Samba= |
− | [Samba] | + | [[LDAP Server]]<br /> |
+ | [[Samba Server]]<br /> | ||
=Configure LDAP for Samba= | =Configure LDAP for Samba= | ||
− | + | Install samba-doc to get the samba schema file and copy the schema to the right location | |
<pre> | <pre> | ||
+ | apt-get install samba-doc | ||
zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema | zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema | ||
</pre> | </pre> | ||
Line 27: | Line 29: | ||
Change access rules in /etc/ldap/slapd.conf | Change access rules in /etc/ldap/slapd.conf | ||
<pre> | <pre> | ||
− | access to attrs=userPassword | + | access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet |
− | + | by dn="cn=admin,dc=example,dc=com" write | |
− | + | by self write | |
− | + | by anonymous auth | |
− | + | by * none | |
+ | access to attrs=shadowLastChange,shadowMax | ||
+ | by dn="cn=admin,dc=example,dc=com" write | ||
+ | by self write | ||
+ | by * read | ||
</pre> | </pre> | ||
Restart de OpenLDAP server | Restart de OpenLDAP server | ||
Line 37: | Line 44: | ||
/etc/init.d/slapd restart | /etc/init.d/slapd restart | ||
</pre> | </pre> | ||
− | =Samba= | + | |
+ | =Configure Samba for LDAP= | ||
Create the profile and netlogon directories | Create the profile and netlogon directories | ||
<pre> | <pre> | ||
Line 153: | Line 161: | ||
[print$] | [print$] | ||
comment = Printer Drivers | comment = Printer Drivers | ||
− | + | path = /var/lib/samba/printers | |
write list = root | write list = root | ||
create mask = 0664 | create mask = 0664 | ||
Line 174: | Line 182: | ||
/etc/init.d/samba restart | /etc/init.d/samba restart | ||
</pre> | </pre> | ||
− | = | + | =smbldap-tools= |
+ | <pre> | ||
+ | apt-get install smbldap-tools | ||
+ | </pre> | ||
Copy the example configfiles | Copy the example configfiles | ||
<pre> | <pre> | ||
cat /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf > /etc/smbldap-tools/smbldap_bind.conf | cat /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf > /etc/smbldap-tools/smbldap_bind.conf | ||
zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf | zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf | ||
+ | </pre> | ||
+ | Retrieve the Samba SID | ||
+ | <pre> | ||
+ | net getlocalsid | ||
</pre> | </pre> | ||
Change these line in /etc/smbldap-tools/smbldap.conf to match your configuration: | Change these line in /etc/smbldap-tools/smbldap.conf to match your configuration: | ||
+ | * #SID= | ||
*sambaDomain | *sambaDomain | ||
*suffix | *suffix | ||
Line 186: | Line 202: | ||
*userProfile | *userProfile | ||
*mailDomain | *mailDomain | ||
Change the lines in /etc/smbldap-tools/smbldap_bind.conf to match you configuration: | Change the lines in /etc/smbldap-tools/smbldap_bind.conf to match you configuration: | ||
<pre> | <pre> | ||
Line 202: | Line 215: | ||
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf | chmod 0600 /etc/smbldap-tools/smbldap_bind.conf | ||
</pre> | </pre> | ||
+ | =Start the engine= | ||
Now it's time to populate the directory with default samba information | Now it's time to populate the directory with default samba information | ||
<pre> | <pre> | ||
Line 207: | Line 222: | ||
</pre> | </pre> | ||
*Enter the password for the domain root user (yes also on Windows it's called root now) | *Enter the password for the domain root user (yes also on Windows it's called root now) | ||
Index the OpenLDAP server | Index the OpenLDAP server | ||
<pre> | <pre> | ||
Line 215: | Line 229: | ||
/etc/init.d/slapd start | /etc/init.d/slapd start | ||
</pre> | </pre> | ||
+ | =Make root admin= | ||
+ | Make root part of the Administrators group so they can administer the domain. | ||
<pre> | <pre> | ||
− | smbldap-useradd -a -m -M | + | smbldap-groupmod -m 'root' 'Administrators' |
− | + | </pre> | |
+ | =Client authentication= | ||
+ | Follow the [[LDAP Client]] to let the server samba is running on do its authentication via LDAP. | ||
+ | Also use this guide to configure the regular Linux/Unix and Windows clients. | ||
+ | =Add users= | ||
+ | <pre> | ||
+ | smbldap-useradd -a -m -M <local mail part> -P -N <givenname> -S <surname> -c "<Full name>" <username> | ||
</pre> | </pre> | ||
*New password: <password> | *New password: <password> | ||
*Retype new password: <password> | *Retype new password: <password> | ||
[[Category: Debian]] | [[Category: Debian]] | ||
[[Category: LDAP]] | [[Category: LDAP]] | ||
[[Category: Samba]] | [[Category: Samba]] |
Latest revision as of 12:24, 8 February 2011
This tutorial sets up a centralized authentication system that both Windows and Linux/Unix clients can authenticate against.
Install LDAP and Samba
Follow the LDAP Server and Samba Server guides first.
Configure LDAP for Samba
Install samba-doc to get the samba schema file and copy the schema to the right location
apt-get install samba-doc
zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
Edit /etc/ldap/slapd.conf to include two schemas:
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/misc.schema
Add the indexing options in /etc/ldap/slapd.conf
index ou,cn,sn,mail,givenname eq,pres,sub
index uidNumber,gidNumber,memberUid eq,pres
index loginShell eq,pres
index uniqueMember eq,pres
index uid pres,sub,eq
index displayName pres,sub,eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
Change access rules in /etc/ldap/slapd.conf
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
        by dn="cn=admin,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

access to attrs=shadowLastChange,shadowMax
        by dn="cn=admin,dc=example,dc=com" write
        by self write
        by * read
Restart the OpenLDAP server
/etc/init.d/slapd restart
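The access rules above are what keep password material out of reach: the admin DN and the entry owner may write the hash attributes, anonymous binds may only use them to authenticate, and everyone else gets nothing. The sambaNTPassword and sambaLMPassword attributes deserve the same protection as userPassword, since to a Windows client the stored NT hash is as good as the password. The following script is an added example, not part of the original tutorial: it parses a slapd.conf-style ACL file (not the cn=config olcAccess form) and reports any of the three hash attributes whose clause falls through to a catch-all other than "by * none". The sample files it generates are constructed for the demo; point the function at /etc/ldap/slapd.conf to check a real server.

```shell
#!/bin/sh
# Added example: check slapd.conf access rules for password attributes.
# Only POSIX sh and awk are used.

# Attributes whose clause must end in "by * none" (or have no catch-all,
# which OpenLDAP treats as deny).
SECRET_ATTRS="userPassword,sambaNTPassword,sambaLMPassword"

# check_secret_attrs FILE
# Prints one line per finding; exit 0 if every secret attribute is covered
# by an "access to attrs=" clause with a safe catch-all, 1 otherwise.
check_secret_attrs() {
    awk -v want="$SECRET_ATTRS" '
    # Start of a clause that names attributes: remember its attribute list.
    /^[ \t]*access[ \t]+to[ \t]+attrs=/ {
        list = $0
        sub(/.*attrs=/, "", list); sub(/[ \t].*/, "", list)
        n++; attrs[n] = list; dflt[n] = ""; cur = n
        next
    }
    # Any other "access to" clause (e.g. "access to *") ends the current one.
    /^[ \t]*access[ \t]+to/ { cur = 0; next }
    # Catch-all rule of the current clause: "by * <level>".
    /^[ \t]*by[ \t]+\*[ \t]+/ { if (cur) dflt[cur] = $3 }
    END {
        m = split(want, w, ","); bad = 0
        for (i = 1; i <= m; i++) {
            found = 0
            for (j = 1; j <= n; j++) {
                if (index("," attrs[j] ",", "," w[i] ",") == 0) continue
                found = 1
                # An empty catch-all is safe: slapd denies when no "by" matches.
                if (dflt[j] != "" && dflt[j] != "none") {
                    printf "WEAK: %s falls through to \"by * %s\"\n", w[i], dflt[j]
                    bad = 1
                }
            }
            if (!found) {
                printf "MISSING: %s is not covered by any attrs= clause\n", w[i]
                bad = 1
            }
        }
        exit bad
    }' "$1"
}

# Constructed sample matching the tutorial's rules.
sample_acl() {
cat <<'EOF'
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
        by dn="cn=admin,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

access to attrs=shadowLastChange,shadowMax
        by dn="cn=admin,dc=example,dc=com" write
        by self write
        by * read
EOF
}

# Constructed weak variant: the Samba hashes got their own clause whose
# catch-all is "read", so any bound user could read every NT hash.
weak_acl() {
cat <<'EOF'
access to attrs=userPassword
        by dn="cn=admin,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

access to attrs=sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=com" write
        by self write
        by * read
EOF
}

# Demo: run the check over both constructed files.
tmp=$(mktemp)
for gen in sample_acl weak_acl; do
    $gen > "$tmp"
    if check_secret_attrs "$tmp"; then echo "$gen: OK"; else echo "$gen: problems found"; fi
done
rm -f "$tmp"
```

Run it after every ACL change and again after a restart, because slapd.conf ACLs are evaluated in order: a later "access to *" with "by * read" only protects what an earlier attrs= clause already claimed.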
Configure Samba for LDAP
Create the profile and netlogon directories
mkdir /var/lib/samba/profiles
chmod 777 /var/lib/samba/profiles
mkdir /var/lib/samba/netlogon
Replace the contents of /etc/samba/smb.conf
[global]
# Domain name ..
workgroup = EXAMPLE
# Server name - as seen by Windows PCs ..
netbios name = SERVERNAME
# Be a PDC ..
domain logons = Yes
domain master = Yes
# Be a WINS server ..
wins support = true
obey pam restrictions = Yes
dns proxy = No
os level = 35
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
pam password change = Yes
# Allows users on WinXP PCs to change their password when they press Ctrl-Alt-Del
unix password sync = no
ldap passwd sync = yes
# Printing from PCs will go via CUPS ..
load printers = yes
printing = cups
printcap name = cups
# Use LDAP for Samba user accounts and groups ..
passdb backend = ldapsam:ldap://localhost
# This must match init.ldif ..
ldap suffix = dc=example,dc=com
# The password for cn=admin MUST be stored in /etc/samba/secrets.tdb
# This is done by running 'sudo smbpasswd -w'.
ldap admin dn = cn=admin,dc=example,dc=com
# 4 OUs that Samba uses when creating user accounts, computer accounts, etc.
# (Because we are using smbldap-tools, call them 'Users', 'Computers', etc.)
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
# Samba and LDAP server are on the same server in this example.
ldap ssl = no
# Scripts for Samba to use if it creates users, groups, etc.
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
# Script that Samba uses when a PC joins the domain ..
# (when changing 'Computer Properties' on the PC)
add machine script = /usr/sbin/smbldap-useradd -w '%u'
# Values used when a new user is created ..
# (Note: '%L' does not work properly with smbldap-tools 0.9.4-1)
logon drive =
logon home =
logon path =
logon script =
# This is required for Windows XP client ..
server signing = auto
server schannel = Auto

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root
guest ok = Yes
browseable = No

[profiles]
comment = Roaming Profile Share
# would probably change this to elsewhere in a production system ..
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
browsable = No

[printers]
comment = All Printers
path = /var/spool/samba
use client driver = Yes
create mask = 0600
guest ok = Yes
printable = Yes
browseable = No
public = yes
writable = yes
admin users = root
write list = root

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
write list = root
create mask = 0664
directory mask = 0775
admin users = root
Change these lines to match your configuration:
- workgroup = EXAMPLE
- netbios name = SERVERNAME
- ldap suffix = dc=example,dc=com
- ldap admin dn = cn=admin,dc=example,dc=com
Store the LDAP admin password for Samba to use (make sure the password you enter is the same as the one you entered during LDAP setup):
smbpasswd -W
- New SMB password: <password>
- Retype new SMB password: <password>
Restart Samba:
/etc/init.d/samba restart
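Three [global] settings tie Samba to the directory: passdb backend must point at ldapsam, ldap admin dn and ldap suffix must be set, and ldap ssl = no is only acceptable because the tutorial keeps slapd on the same host (with a remote LDAP server, the admin DN's simple bind would send its password across the network in clear). The following script is an added example, not part of the original tutorial or of Samba: it reads the [global] section of an smb.conf with POSIX sh and awk and reports those conditions. The sample configs it writes are constructed for the demo; run audit_smb_conf /etc/samba/smb.conf on a real server.

```shell
#!/bin/sh
# Added example: audit the LDAP-related [global] settings of an smb.conf.

# audit_smb_conf FILE
# Exit 0 when the LDAP settings are consistent, 1 otherwise; findings are printed.
audit_smb_conf() {
    awk '
    /^[ \t]*[#;]/ { next }                                          # comments
    /^[ \t]*\[/ { sec = tolower($0); gsub(/[][ \t]/, "", sec); next } # [section]
    sec == "global" && /=/ {
        # Split "key = value" on the first "=" and trim both sides.
        key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        g[tolower(key)] = val
    }
    END {
        bad = 0
        backend = g["passdb backend"]
        if (backend !~ /^ldapsam:/) { print "FAIL: passdb backend is not ldapsam"; bad = 1 }
        if (g["ldap admin dn"] == "") { print "FAIL: ldap admin dn is not set"; bad = 1 }
        if (g["ldap suffix"] == "")   { print "FAIL: ldap suffix is not set"; bad = 1 }
        # Is the directory reachable only over the loopback or a unix socket?
        url = backend; sub(/^ldapsam:/, "", url)
        local = (url ~ /^ldap:\/\/(localhost|127\.0\.0\.1)(:[0-9]+)?\/?$/ || url ~ /^ldapi:/)
        ssl = tolower(g["ldap ssl"])
        off = (ssl == "no" || ssl == "off")
        if (!local && url !~ /^ldaps:/ && off) {
            print "FAIL: ldap ssl = no with a remote LDAP server (" url "): admin DN bind would be sent in clear"
            bad = 1
        }
        if (local && off) print "note: ldap ssl = no is tolerable only because LDAP is on this host"
        exit bad
    }' "$1"
}

# Constructed sample: the relevant lines of the tutorial's [global] section.
sample_smb_conf() {
cat <<'EOF'
[global]
   workgroup = EXAMPLE
   netbios name = SERVERNAME
   # Use LDAP for Samba user accounts and groups ..
   passdb backend = ldapsam:ldap://localhost
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=admin,dc=example,dc=com
   # Samba and LDAP server are on the same server in this example.
   ldap ssl = no
   add user script = /usr/sbin/smbldap-useradd -m '%u'

[homes]
   comment = Home Directories
   read only = No
EOF
}

# Constructed weak variant: the directory moved to another host but
# ldap ssl stayed at "no".
weak_smb_conf() {
cat <<'EOF'
[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=admin,dc=example,dc=com
   ldap ssl = no
EOF
}

# Demo: audit both constructed files.
tmp=$(mktemp)
for gen in sample_smb_conf weak_smb_conf; do
    $gen > "$tmp"
    if audit_smb_conf "$tmp"; then echo "$gen: OK"; else echo "$gen: problems found"; fi
done
rm -f "$tmp"
```

The parser lowercases keys and ignores ";" and "#" comments, which is how Samba itself reads the file, so a setting hidden behind odd capitalisation or spacing is still seen.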
smbldap-tools
apt-get install smbldap-tools
Copy the example config files
cat /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf > /etc/smbldap-tools/smbldap_bind.conf
zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf
Retrieve the Samba SID
net getlocalsid
Change these lines in /etc/smbldap-tools/smbldap.conf to match your configuration:
- #SID=
- sambaDomain
- suffix
- userSmbHome
- userProfile
- mailDomain
Change the lines in /etc/smbldap-tools/smbldap_bind.conf to match your configuration:
slaveDN="cn=admin,dc=example,dc=com"
slavePw="the password you entered during ldap configuration"
masterDN="cn=admin,dc=example,dc=com"
masterPw="the password you entered during ldap configuration"
Set the correct permissions:
chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf
Start the engine
Now it's time to populate the directory with default samba information
smbldap-populate
- Enter the password for the domain root user (yes also on Windows it's called root now)
Index the OpenLDAP server
/etc/init.d/slapd stop
slapindex
chown -R openldap:openldap /var/lib/ldap
/etc/init.d/slapd start
Make root admin
Make root a member of the Administrators group so that account can administer the domain.
smbldap-groupmod -m 'root' 'Administrators'
Client authentication
Follow the LDAP Client guide so that the server Samba runs on does its own authentication via LDAP. Use the same guide to configure the regular Linux/Unix and Windows clients.
Add users
smbldap-useradd -a -m -M <local mail part> -P -N <givenname> -S <surname> -c "<Full name>" <username>
- New password: <password>
- Retype new password: <password>