Samba LDAP in Ubuntu 8.10


Preparing: Names

  • The PDC name: dc01-ubuntu
  • domain name: dc01-ubuntu.tbxsolu.com
  • organization name: thxsolu

Clean up the system

  • sudo apt-get --purge remove slapd ldap-utils
  • sudo apt-get --purge remove libnss-ldap
  • sudo apt-get --purge remove ldapscripts
  • sudo apt-get --purge remove samba samba-doc smbldap-tools
  • sudo apt-get autoremove
  • sudo apt-get clean

OpenLDAP: Installation and Authentication setup

Installation

First, install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities:

sudo apt-get install slapd ldap-utils

The installation process will prompt you for the LDAP directory admin password and confirmation.

By default the directory suffix will match the domain name of the server. For example, if the machine's Fully Qualified Domain Name (FQDN) is ldap.example.com, the default suffix will be dc=example,dc=com. If you require a different suffix, the directory can be reconfigured using dpkg-reconfigure. Enter the following in a terminal prompt:

sudo dpkg-reconfigure slapd

You will then be taken through a menu based configuration dialog, allowing you to configure various slapd options.

LDAP Authentication

Once you have a working LDAP server, the auth-client-config and libnss-ldap packages take the pain out of configuring an Ubuntu client to authenticate using LDAP. To install the packages, from a terminal prompt enter:

sudo apt-get install libnss-ldap

During the install a menu dialog will ask you connection details about your LDAP server.

If you make a mistake when entering your information you can execute the dialog again using:

sudo dpkg-reconfigure ldap-auth-config

The results of the dialog can be seen in /etc/ldap.conf. If your server requires options not covered in the menu edit this file accordingly.

Now that libnss-ldap is configured enable the auth-client-config LDAP profile by entering:

sudo auth-client-config -a -p lac_ldap
(-a: modify files for all types, nss and pam; -p: use the profile named lac_ldap)

The following error is displayed:

auth-client-config -a -p lac_ldap
Error in updating the file: 'pam_account' not found
--
Errors found. Aborting (no changes made)

To correct it, follow these steps (Bug #295008):

sudo auth-client-config -t nss -p lac_ldap
(-t nss: modify files for the nss type only, i.e. change nsswitch.conf; -p: use the profile named lac_ldap)

sudo pam-auth-update ldap
(updates the PAM configuration)

Background information:

NSS type sample:

nss_base_passwd
nss_base_shadow
nss_base_group

PAM type sample:

pam_auth=auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
pam_account=account sufficient pam_ldap.so
account required pam_unix.so
pam_password=
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_ldap.so
session optional pam_foreground.so

Checking nsswitch profile:

Edit the NSS control file (/etc/nsswitch.conf) so that the lines that control user and group resolution will obtain information from the normal system files as well as from ldap:

passwd: files ldap
shadow: files ldap
group:  files ldap
hosts:  files dns wins

It is advisable to comment out the passwd_compat and group_compat entries where they appear in this file.

Samba: Installation and Configuration

Installation

Three packages are needed when integrating Samba with LDAP: samba, samba-doc, and smbldap-tools. To install them, from a terminal enter:

sudo apt-get install samba samba-doc smbldap-tools

Strictly speaking the smbldap-tools package isn't needed, but unless you have another package or custom scripts, a method of managing users, groups, and computer accounts is needed.

OpenLDAP Configuration

In order for Samba to use OpenLDAP as a passdb backend, the user objects in the directory will need additional attributes. This section assumes you want Samba to be configured as a Windows NT domain controller, and will add the necessary LDAP objects and attributes.

  • The Samba attributes are defined in the samba.schema file which is part of the samba-doc package. The schema file needs to be unzipped and copied to /etc/ldap/schema. From a terminal prompt enter:
sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
sudo gzip -d /etc/ldap/schema/samba.schema.gz
  • The samba schema needs to be added to the cn=config tree. The procedure to add a new schema to slapd is also detailed in the section called “Configuration”.
  • First, create a configuration file named schema_convert.conf, or a similar descriptive name, containing the following lines:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema

  • Next, create a temporary directory to hold the output:

mkdir /tmp/ldif_output

  • Now use slaptest to convert the schema files:

slaptest -f schema_convert.conf -F /tmp/ldif_output

Change the above file and path names to match your own if they are different.

  • Edit the generated /tmp/ldif_output/cn=config/cn=schema/cn={12}samba.ldif file, changing the following attributes:

dn: cn=samba,cn=schema,cn=config

cn: samba

And remove the following lines from the bottom of the file:

structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z

The attribute values will vary, just be sure the attributes are removed.

  • Finally, using the ldapadd utility, add the new schema to the directory:

ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn=config/cn=schema/cn={12}samba.ldif

There should now be a dn: cn={X}misc,cn=schema,cn=config entry in the cn=config tree, where "X" is the next sequential schema number.

  • Copy and paste the following into a file named samba_indexes.ldif:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub

Using the ldapmodify utility, load the new indexes:

ldapmodify -x -D cn=admin,cn=config -W -f samba_indexes.ldif

If all went well you should see the new indexes using ldapsearch:

ldapsearch -xLLL -D cn=admin,cn=config -b cn=config -W olcDatabase={1}hdb

  • Next, configure the smbldap-tools package to match your environment. The package comes with a configuration script that will ask questions about the needed options. To run the script enter:

sudo gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
sudo perl /usr/share/doc/smbldap-tools/configure.pl

Once you have answered the questions, there should be /etc/smbldap-tools/smbldap.conf and /etc/smbldap-tools/smbldap_bind.conf files. These files are generated by the configure script, so if you made any mistakes while executing the script it may be simpler to edit the file appropriately.

  • The smbldap-populate script will add the necessary users, groups, and LDAP objects required for Samba. It is a good idea to make a backup LDAP Data Interchange Format (LDIF) file with slapcat before executing the command:

sudo slapcat -l backup.ldif

  • Once you have a current backup, execute smbldap-populate by entering:

sudo smbldap-populate

Note
You can create an LDIF file containing the new Samba objects by executing sudo smbldap-populate -e samba.ldif. This allows you to look over the changes making sure everything is correct.

Your LDAP directory now has the necessary domain information to authenticate Samba users.
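As an added example (not from the original page), the following shell functions perform the LDIF edits described in the schema conversion steps above: the hypothetical clean_schema_ldif rewrites the dn and cn to the bare schema name and drops the operational attributes, and make_sample_schema_ldif writes a constructed stand-in for the slaptest output (its attribute OID is a placeholder).

```shell
#!/bin/sh
# Added example, not part of the original page. Cleans a slaptest-generated
# schema LDIF so that ldapadd accepts it: the dn/cn lose their {N} index and
# the operational attributes slaptest wrote at the bottom are removed.

clean_schema_ldif() {
    # $1 = generated LDIF, e.g. /tmp/ldif_output/cn=config/cn=schema/cn={12}samba.ldif
    # $2 = schema name, e.g. samba; the cleaned LDIF is written to stdout
    sed -e "s/^dn: cn={[0-9]*}$2,cn=schema,cn=config\$/dn: cn=$2,cn=schema,cn=config/" \
        -e "s/^cn: {[0-9]*}$2\$/cn: $2/" \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d' \
        "$1"
}

make_sample_schema_ldif() {
    # $1 = output file. Constructed sample mimicking slaptest output for the
    # samba schema; OID-PLACEHOLDER stands in for the real attribute OID.
    cat > "$1" <<'EOF'
dn: cn={12}samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}samba
olcAttributeTypes: {0}( OID-PLACEHOLDER NAME 'sambaLMPassword' DESC 'LanManager Password' )
structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z
EOF
}
```

Run it as `clean_schema_ldif '/tmp/ldif_output/cn=config/cn=schema/cn={12}samba.ldif' samba > samba_clean.ldif` and feed the result to ldapadd as described above.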

Samba Configuration

There are multiple ways to configure Samba; for details on some common configurations see Chapter 15, Windows Networking. To configure Samba to use LDAP, edit the main Samba configuration file /etc/samba/smb.conf, commenting out the passdb backend option and adding the following:

#   passdb backend = tdbsam

# LDAP Settings
   passdb backend = ldapsam:ldap://hostname
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap idmap suffix = dc=example,dc=com
   ldap admin dn = cn=admin,dc=example,dc=com
   ldap ssl = start tls
   ldap passwd sync = yes
...
   add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"

Restart samba to enable the new settings:
sudo /etc/init.d/samba restart

Now Samba needs to know the LDAP admin password. From a terminal prompt enter:
sudo smbpasswd -w secret

[Note]

Replace secret with your LDAP admin password.

If you currently have users in LDAP, and you want them to authenticate using Samba, they will need some Samba attributes defined in the samba.schema file. Add the Samba attributes to existing users using the smbpasswd utility, replacing username with an actual user:

sudo smbpasswd -a username

You will then be asked to enter the user's password.

Verify the contents of the smb.conf file:

testparm

Final Checking and Verifying

  • You must now make certain that the NSS resolver can interrogate LDAP also. Execute the following commands:
root#  getent passwd | grep root
root:x:998:512:Netbios Domain Administrator:/home:/bin/false

root#  getent group | grep Domain
Domain Admins:x:512:root
Domain Users:x:513:
Domain Guests:x:514:
Domain Computers:x:553:
  • The final validation step involves making certain that Samba-3 can obtain the user accounts from the LDAP ldapsam passwd backend. Execute the following command as shown:
root#  pdbedit -Lv chrisr
Unix username:        chrisr
NT username:          chrisr
Account Flags:        [U          ]
User SID:             S-1-5-21-3504140859-1010554828-2431957765-3004
Primary Group SID:    S-1-5-21-3504140859-1010554828-2431957765-513
Full Name:            System User
Home Directory:       \\MASSIVE\homes
HomeDir Drive:        H:
Logon Script:         scripts\login.cmd
Profile Path:         \\MASSIVE\profiles\chrisr
Domain:               MEGANET2
Account desc:         System User
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Mon, 18 Jan 2038 20:14:07 GMT
Kickoff time:         Mon, 18 Jan 2038 20:14:07 GMT
Password last set:    Wed, 17 Dec 2003 17:17:40 GMT
Password can change:  Wed, 17 Dec 2003 17:17:40 GMT
Password must change: Mon, 18 Jan 2038 20:14:07 GMT
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  • The final step we need to validate is that Samba can see all the Windows domain groups and that they are correctly mapped to the respective UNIX group account. To do this, just execute the following command:
root#  net groupmap list
Domain Admins (S-1-5-21-3504140859-...-2431957765-512) -> Domain Admins
Domain Users (S-1-5-21-3504140859-...-2431957765-513) -> Domain Users
Domain Guests (S-1-5-21-3504140859-...-2431957765-514) -> Domain Guests
...
Accounts (S-1-5-21-3504140859-1010554828-2431957765-3001) -> Accounts
Finances (S-1-5-21-3504140859-1010554828-2431957765-3003) -> Finances
PIOps (S-1-5-21-3504140859-1010554828-2431957765-3005) -> PIOps

Share and Permission

In your smb.conf file, you have specified Windows shares. Each has a path parameter. Even though it is obvious to all, one of the common Samba networking problems is caused by forgetting to verify that every such share root directory actually exists and that it has the necessary permissions and ownership.

Here is an example, but remember to create the directory needed for every share:

root#  mkdir -p /data/{accounts,finsvcs,piops}
root#  mkdir -p /apps
root#  chown -R root:root /data
root#  chown -R root:root /apps
root#  chown -R bobj:Accounts /data/accounts
root#  chown -R bobj:Finances /data/finsvcs
root#  chown -R bobj:PIOps /data/piops
root#  chmod -R ug+rwxs,o-rwx /data
root#  chmod -R ug+rwx,o+rx-w /apps
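As an added example (not from the original page), the following shell script automates the check the paragraph above asks for: it walks an smb.conf and reports every share whose path directory does not exist. The function names are hypothetical, and make_sample_smbconf writes a constructed configuration for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original page. Reports shares in an smb.conf
# whose "path =" directory is missing, a common cause of Samba share failures.

check_share_paths() {
    # $1 = smb.conf file. Prints "MISSING <share> <path>" for each share whose
    # directory does not exist; returns 1 if any is missing, 0 otherwise.
    conf=$1
    missing=0
    share=""
    while IFS= read -r line || [ -n "$line" ]; do
        # trim leading and trailing whitespace
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$line" in
            \#*|\;*|"") continue ;;                        # comments and blank lines
            \[*\]) share=${line#\[}; share=${share%\]} ;;  # a new [share] section
            *=*)
                key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
                [ "$key" = "path" ] || continue
                path=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//')
                if [ ! -d "$path" ]; then
                    printf 'MISSING %s %s\n' "$share" "$path"
                    missing=1
                fi ;;
        esac
    done < "$conf"
    return $missing
}

make_sample_smbconf() {
    # $1 = output file, $2 = a directory that exists, $3 = one that does not.
    # Constructed sample in the style of the shares section above.
    cat > "$1" <<EOF
[global]
   workgroup = EXAMPLE

[accounts]
   comment = Accounting Files
   path = $2
   read only = No

[pidata]
   comment = Property Insurance Files
   path = $3
   read only = No
EOF
}
```

On a live system run `check_share_paths /etc/samba/smb.conf` after `testparm` passes; a non-zero exit means at least one share root still has to be created.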

Smb access control:

Example. LDAP Based smb.conf File, Shares Section Part A

[accounts]
comment = Accounting Files
path = /data/accounts
read only = No

[service]
comment = Financial Services Files
path = /data/service
read only = No

[pidata]
comment = Property Insurance Files
path = /data/pidata
read only = No

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No

Example LDAP Based smb.conf File, Shares Section Part B

[apps]
comment = Application Files
path = /apps
admin users = bjordan
read only = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
locking = No

[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes

[profdata]
comment = Profile Data Share
path = /var/lib/samba/profdata
read only = No
profile acls = Yes

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
browseable = yes
guest ok = no
read only = yes
write list = root, chrisr

Logon Script

LDAP Get Member Of with Python

#!/usr/bin/python
#--------------------------------------------------------------------------------------------------
# Notes:
# This script automatically creates Zimbra accounts from Active Directory.
# The user must be enabled, otherwise it will be skipped.
# Python 2 script (the Python shipped with Ubuntu 8.10); it needs the python-ldap module.
#--------------------------------------------------------------------------------------------------
# Variables can be changed here:
import ldap, os, time, sys, subprocess
# BaseDN to search for user accounts.
base = 'cn=users,dc=quadrian,dc=gob,dc=pa'
scope = ldap.SCOPE_SUBTREE
# Active Directory Domain Name
domain = "quadrian.gob.pa"
# Active Directory Domain Controller
ldapserver = "ancon"
# LDAP port, usually 389
port = "389"
# Email domain to be used in mail applications
emaildomain = "quadrian.gob.pa"
# Bind domain for the LDAP user account that will query the AD
ldapbinddomain = "organojudicial"
# The account name of the account that binds to LDAP and queries the AD
ldapbind = "zimbrasync"
ldappassword = "xxxxxxx"
pathtozmprov = "/opt/zimbra/bin/zmprov"
#--------------------------------------------------------------------------------------------------
# Here we list all Zimbra accounts, so we can compare whether the account we read from AD
# is already created in Zimbra or not. zmprov prints one account name per line.
f = os.popen(pathtozmprov + ' gaa')
zmprovgaa = [line.strip() for line in f.readlines()]
f.close()

# Here we initialize the LDAP connection
l = ldap.initialize("ldap://" + ldapserver + "." + domain + ":" + port)
try:
    l.simple_bind_s(ldapbinddomain + "\\" + ldapbind, ldappassword)
except ldap.INVALID_CREDENTIALS:
    print "Your username or password to bind to LDAP is incorrect."
    sys.exit(1)
except ldap.LDAPError, e:
    if type(e.message) == dict and e.message.has_key('desc'):
        print e.message['desc']
    else:
        print e
    sys.exit(1)
# End of LDAP initialization

# Now we look for ENABLED user accounts in AD and get the following values:
# sAMAccountName is the username to log on to the domain
# givenName is the first name
# sn is the surname or last name
# examples of current usernames in the domain:
# 4-982-345
# ericklatam
# memberOf are the groups this user belongs to
# userAccountControl 512 = normal account, 514 = disabled account

res = l.search_s(base, scope, "(&(objectCategory=user)(userAccountControl=512))",
                 ['sAMAccountName', 'givenName', 'sn', 'memberOf'])
for (dn, vals) in res:
    # AD also returns referral entries with dn == None; skip those
    if dn is None or 'sAMAccountName' not in vals:
        continue
    accountname = vals['sAMAccountName'][0].lower()
    print "accountname: " + accountname
    # Fall back to the account name when sn or givenName is missing
    sirname = vals.get('sn', [accountname])[0].lower()
    givenname = vals.get('givenName', [accountname])[0]
    groups = vals.get('memberOf', 'none')   # retrieved for reference, not used below
    initial = givenname[:1].upper()
    # Strip characters that should not end up in the display name
    sirname = sirname.replace(' ', '')
    sirname = sirname.replace('\\', '')
    sirname = sirname.replace('-', '')
    sirname = sirname.capitalize()
    name = initial + "." + sirname
    accountname = accountname + "@" + emaildomain
    # zmprov ca takes the initial password as an argument; an empty string sets none
    password = ''
    sys.stdout.flush()
    # If the account doesn't exist in the output of zmprov gaa, create the account
    if accountname not in zmprovgaa:
        print accountname, "exists in active directory but not in zimbra, the account is being created\n"
        time.sleep(1)
        # Pass the arguments as a list so that names coming from AD are never
        # interpreted by a shell
        subprocess.call([pathtozmprov, 'ca', accountname, password, 'displayName', name])

l.unbind_s()

Using ifmember.exe

@echo off
rem Tests whether the logged-on user is a member of the group given as the first argument.
rem ifmember sets ERRORLEVEL to the number of listed groups the user belongs to.
ifmember %1
if not ERRORLEVEL 1 goto next1
echo "yes it is"
goto end
:next1
echo "Not"
:end

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License