How-To LDAP Samba PDC Support

Post by xarses » Tue Dec 13, 2005 3:58 am

I've been writing a HowTo on successfully setting up a Samba Primary Domain Controller that uses a LDAP backend over on gentoo-wiki.com it can be found here: http://gentoo-wiki.com/HOWTO_LDAP_SAMBA_PDC

It is my intention that this HowTo will help guide Gentoo admins in setting up their own Primary Domain Controller (PDC) using Samba and OpenLDAP. Setting up, configuring and understanding the array of options and their implications can be quite a daunting task.


This thread is intended to be used for support, corrections, gripes and complaints regarding my HowTo. Currently Sections 1-4 are complete and I'm still working on the rest.
Post by !equilibrium » Wed Dec 14, 2005 5:30 pm

I have read the howto very quickly, and I have found that you suggest using '-J3'.
It's wrong; on an old single CPU without HT it can create broken binaries, mainly on AMD CPUs.

So it is better to remove it, or put in the right suggestions.

however, thanks a lot for the HOWTO :)
Arch Tester for Gentoo/FreeBSD
Equilibrium's Universe

all my contents are released under the Creative Commons Licence by-nc-nd 2.5
Post by daeghrefn » Wed Dec 14, 2005 10:39 pm

One suggestion I thought of... for the USE flags, it might be better to have people put the USE flags in /etc/portage/package.use rather than in /etc/make.conf; that way they don't mess up their system if they prefer not to have their other packages changed.
Post by georgemj » Fri Dec 16, 2005 3:26 pm

I've been working on a similar document at our company (I guess I won't have to send it up to the gentoo site, now... :)) and I ran into a snag recently that I thought you might want to be aware of. Perhaps you can give me some guidance, too, as I don't know all that much about Samba PDCs.

Rather than making just the changes to nsswitch.conf that you suggest, we were putting nsswitch.ldap from nss_ldap into place and then cut services: and protocols: just down to "files".

This worked fine until a system update about 3-4 weeks ago. At that time the system could no longer boot right because udev was not able to load the devices correctly and /dev/sdaX were not available (among other problems I'm sure we would have run into).

It turned out that the problem was the hosts entry:
hosts: files dns ldap

If we drop the " ldap" all is fine. If we have it in there udev is broken. (The PDC is the LDAP server, so presumably udev is referencing it, though there is no networking or LDAP running, I don't know how it possibly could.)

In your docs, you only suggest changing passwd: group: and shadow:. Is that all that's necessary? (Remember, I don't know much about PDC's...) If so, I can just change our internal docs to direct those changes and not replace nsswitch.conf with nsswitch.ldap.
Post by xarses » Sat Dec 17, 2005 3:09 am

georgemj
hosts: files dns ldap
Hmm, that might be why my udev gagged a while back, as I've had that line in there.

Essentially nsswitch is used for telling the OS where to look when trying to find various pieces of information. In this case you are telling your system that hosts (host names) can be translated first by files (usually /etc/hosts), then by dns (first the DNS cache, then a query), and if those two don't return a result LDAP is then queried. So if you don't want to use LDAP to help resolve name translations (usually DNS services are more effective) then you can reasonably leave the line set to

Code:

hosts: files dns
In my docs only passwd, group, and shadow are changed to include ldap because they are the only information parts critical to user authentication. Again, these settings are used for local system authentication; don't get me wrong though, passwd, group, and shadow resolves must work or Samba won't be able to save files on the server's system. As far as I'm aware all of the other settings are not critical to the purpose of an LDAP Samba PDC.

Sorry, I do ramble. In short the answer is YES:

Code:

hosts: files dns
should not affect PDC functionality (you're probably not storing hosts information anyway, or have /etc/ldap.conf configured to be able to find hosts information).

If you have some docs that got you to a working point, I would like to examine them and perhaps discuss them with you so that the HowTo may be improved upon.
Post by Po0ky » Mon Dec 19, 2005 10:23 am

http://gentoo-wiki.com/Talk:HOWTO_LDAP_ ... nce_Tuning
http://gentoo-wiki.com/Talk:HOWTO_LDAP_ ... asic_Setup

Some feedback needed... Stuck on myself
-- I'll eat it--
Post by georgemj » Wed Dec 21, 2005 1:11 pm

That would be fine with me (discussing our common findings). I am still putting the final touches on our system and we have to thoroughly test it (it goes into a customer's site, and we *really* don't want it dorked) before I'm confident that it's finalized.

I updated the OS on it (gentoo, and I stepped it through the gcc-3.4 update) and my phpldapadmin is being problematic on it, but prior to the rebuild I did some remedial testing with ssh and Win98 logging in and it seemed to work.

I have my docs in a mediawiki installation. Would you like a PDF of what I have so far, or the mediawiki input for it?
Post by xarses » Fri Dec 23, 2005 5:18 am

georgemj: either would work fine with me; PDF is more portable. I'll send you a PM with my email address.

po0ky: awesome, when I get a chance and stop working two jobs (end of the week) I'll check it out and get through it.
Post by Dr.Dran » Wed Dec 28, 2005 10:11 pm

@xarses & @Po0ky: very very nice Howto. Now I am studying the integration of Linux in an Active Directory domain; I hope to obtain the *.schema file that merges the classical inetorgperson.schema with the Active Directory schema, the Novell Directory service and so on...

For a case study I suggest you look at this howto... it is interesting:
http://enterprise.linux.com/enterprise/ ... 01&tid=100

If anyone has experience with it please tell me something.

Best regards :D
:: [Dr.Dran] Details ::
- Linux User # 286282
- IT FreeLance Consultant
- President of ImoLUG [Imola & Faenza Linux User Group]
Post by xarses » Thu Dec 29, 2005 2:26 am

Yeah, that's my larger goal, get all three to work :roll:
Post by Po0ky » Thu Dec 29, 2005 8:46 pm

HOWTO_LDAP_SAMBA_PDC_Security_Upgrade Req4Feedback

There you go... done some more :)
Post by Dr.Dran » Thu Dec 29, 2005 9:28 pm

So cool, we are on the right version... but I hope that in future I will grab the LDAP schema of Active Directory for the real integration :wink:

Thanks and cool

:D :D :D
Post by Po0ky » Wed Jan 04, 2006 4:18 pm

Bump!

Is there still some action going on here? :)

Thanks for the Howto

Post by lkarayan » Wed Jan 04, 2006 9:14 pm

It's well organized, however I don't know how many people I share this preference with, but a single HTML page would be nicer IMO.
Post by bruor » Mon Jan 23, 2006 4:53 pm

I recently followed this howto and have come across an issue.

I got to the end of setup and it seems like everything is working except being able to join the domain.
I get an error that the DNS SRV record was not returned when searching, etc.

What I have read so far seems to point to the fact that the domain I am using resembles a DNS-resolvable name in smb.conf, such as

Code:

workgroup = test.example.org
It says that changing it to something like

Code:

workgroup = test
will keep Windows from thinking the PDC is actually AD, and will keep it from looking for SRV records in DNS, making it resort to WINS.
Can anyone confirm that this will keep it from searching DNS for SRV records?

One small issue...

Post by locovaca » Fri Jan 27, 2006 12:16 pm

I'm not able to get PAM/NSS set up... my files:

Code:

caprice pam.d # cat system-auth
#%PAM-1.0

auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so

account    required     pam_unix.so
account    sufficient   pam_ldap.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_ldap.so use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_ldap.so

Code:

caprice etc # cat nsswitch.conf
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/nsswitch.conf,v 1.1 2005/05/17 00:52:41 vapier Exp $

passwd:      files ldap
shadow:      files ldap
group:       files ldap

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files

Code:

caprice openldap # cat ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=burke,dc=local
HOST    127.0.0.1
nss_base_passwd ou=Computers,dc=burke,dc=local
nss_base_passwd ou=Users,dc=burke,dc=local
nss_base_shadow ou=Users,dc=burke,dc=local
# the posted line read "ou-Groups", which is not a valid attr=value RDN; corrected:
nss_base_group ou=Groups,dc=burke,dc=local

pam_password exop

debug 256
logdir /var/log/nss_ldap
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
This results in...

Code:

caprice etc # getent passwd | grep 0:0
root:x:0:0:root:/root:/bin/bash

Code:

caprice openldap # ldapsearch -b "ou=Users,dc=burke,dc=local"
...
# root, Users, burke.local
dn: uid=root,ou=Users,dc=burke,dc=local
cn: root
sn: root
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: root
uidNumber: 0
homeDirectory: /home/root
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\Caprice\root
sambaHomeDrive: H:
sambaProfilePath: \\Caprice\profiles\root
sambaPrimaryGroupSID: S-1-5-21-1253800008-2809828810-751333459-512
sambaSID: S-1-5-21-1253800008-2809828810-751333459-500
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: hash
sambaAcctFlags: [U]
sambaNTPassword: hash
sambaPwdLastSet: 1138331557
sambaPwdMustChange: 1142219557
userPassword:: hash

...

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6
Any thoughts? There's nothing in /var/log/nss_ldap, either...
Post by locovaca » Fri Jan 27, 2006 12:31 pm

NM, figured it out, /etc/ldap.conf isn't the same as /etc/openldap/ldap.conf :oops:
Post by thedd » Fri Jan 27, 2006 3:47 pm

I'm having trouble with the samba+ldap after following this HowTo.
Please look at http://forums.gentoo.org/viewtopic-t-427457.html
ted.

smbk5pwd and MIT Kerberos?

Post by butchie3980 » Tue Aug 01, 2006 11:20 pm

Is there a way to compile the smbk5pwd for use with MIT Kerberos? No success so far, but I'm hopeful.
Thanks
Post by flipy » Thu Aug 24, 2006 8:14 am

I've followed this how-to and it works great!
However, could someone explain how to add support for an MTA and IMAP?
Thanks
Post by DiezelMax » Fri Aug 25, 2006 2:13 pm

ldap.conf

Code:

nss_base_passwd ou=People,dc=example,dc=net?sub
nss_base_shadow ou=People,dc=example,dc=net?sub
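Two things in this thread come together in the following added example, which is not code from the HowTo, nss_ldap or any project: nss_ldap's nss_base_<map> values take the form base?scope?filter (the ?sub shown just above), and locovaca's posted file carried an RDN typo (ou-Groups) and was /etc/openldap/ldap.conf, the OpenLDAP client library's file rather than the /etc/ldap.conf that nss_ldap reads. The function names, the path argument, the assumed default scope of sub and the sample file contents are my own construction.

```python
import re

# An RDN is attr=value; escaped commas inside values are not handled here
# (assumption: plain OU/DC trees like the ones in this thread).
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")
SCOPES = {"base", "one", "sub"}
NSS_LDAP_FILE = "/etc/ldap.conf"          # the file nss_ldap actually reads


def parse_nss_base(value):
    """Split an nss_base_<map> value 'base?scope?filter' into its parts.
    A missing scope is taken as 'sub' (assumed default) and a missing
    filter as ''."""
    parts = [p.strip() for p in value.split("?", 2)]
    base = parts[0]
    scope = parts[1].lower() if len(parts) > 1 and parts[1] else "sub"
    filt = parts[2] if len(parts) > 2 else ""
    return {"base": base, "scope": scope, "filter": filt}


def dn_errors(dn):
    """Return the RDNs of dn that are not of the form attr=value."""
    return [rdn.strip() for rdn in dn.split(",") if not RDN_RE.match(rdn.strip())]


def lint_nss_base(text, path=NSS_LDAP_FILE):
    """Collect every nss_base_* setting from an ldap.conf body and report
    malformed base DNs, unknown scopes, and a file nss_ldap will not read.
    Returns (settings, problems)."""
    settings, problems = {}, []
    if path != NSS_LDAP_FILE:
        problems.append(f"{path}: nss_ldap reads {NSS_LDAP_FILE}, settings here are ignored")
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.lower().startswith("nss_base_"):
            continue
        fields = line.split(None, 1)
        key = fields[0].lower()
        entry = parse_nss_base(fields[1] if len(fields) > 1 else "")
        settings.setdefault(key, []).append(entry)      # a map may be listed several times
        for bad in dn_errors(entry["base"]):
            problems.append(f"{key}: '{bad}' is not an attr=value RDN")
        if entry["scope"] not in SCOPES:
            problems.append(f"{key}: unknown scope '{entry['scope']}'")
    return settings, problems


# Constructed samples: the shape of the posted file, then a corrected one.
POSTED = """\
BASE    dc=example,dc=local
HOST    127.0.0.1
nss_base_passwd ou=Computers,dc=example,dc=local
nss_base_passwd ou=Users,dc=example,dc=local
nss_base_shadow ou=Users,dc=example,dc=local
nss_base_group  ou-Groups,dc=example,dc=local
"""
CORRECTED = """\
base    dc=example,dc=local
uri     ldap://127.0.0.1
nss_base_passwd ou=People,dc=example,dc=local?sub
nss_base_shadow ou=People,dc=example,dc=local?sub
nss_base_group  ou=Groups,dc=example,dc=local?one
"""

if __name__ == "__main__":
    for label, body, path in (("posted", POSTED, "/etc/openldap/ldap.conf"),
                              ("corrected", CORRECTED, NSS_LDAP_FILE)):
        settings, problems = lint_nss_base(body, path)
        print(label, {k: [e["base"] for e in v] for k, v in settings.items()})
        for p in problems:
            print("  !", p)
```

Run against the posted shape it reports both the wrong file and the bad RDN; against the corrected file it reports nothing and shows the per-map scope that the ?sub / ?one suffix selects.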
Post by h0mer`- » Sun Sep 03, 2006 9:12 am

I followed this tutorial but I get an error when running "smbldap-populate":

Code:

Populating LDAP directory for domain test (S-1-5-21-4205727931-4131263253-1851132061)
(using builtin directory structure)

adding new entry: dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 2.
adding new entry: ou=Users,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 3.
adding new entry: ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 4.
adding new entry: ou=Computers,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 5.
adding new entry: ou=Idmap,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 6.
adding new entry: uid=root,ou=Users,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 7.
adding new entry: uid=nobody,ou=Users,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 8.
adding new entry: cn=Domain Admins,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 9.
adding new entry: cn=Domain Users,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 10.
adding new entry: cn=Domain Guests,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 11.
adding new entry: cn=Domain Computers,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 12.
adding new entry: cn=Administrators,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 16.
adding new entry: cn=Account Operators,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 18.
adding new entry: cn=Print Operators,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 19.
adding new entry: cn=Backup Operators,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 20.
adding new entry: cn=Replicators,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 21.
adding new entry: sambaDomainName=test,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 21.

Please provide a password for the domain root:
No such object at /usr/sbin//smbldap_tools.pm line 341.

This is my "smbldap_bind.conf"
(I removed my plaintext pw)

Code:

#slaveDN="cn=Manager,dc=test,dc=lan"
#slavePw="secret"
#masterDN="cn=Manager,dc=test,dc=lan"
#masterPw="secret"
rootdn="cn=Manager,dc=test,dc=lan"
rootpw=""

... and the "smbldap.conf"

Code:

# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

#  This code was developped by IDEALX (http://IDEALX.org/) and
#  contributors (their names can be found in the CONTRIBUTORS file).
#
#                 Copyright (C) 2001-2002 IDEALX
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.

#  Purpose :
#       . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-4205727931-4131263253-1851132061"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="test"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="127.0.0.1"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="none"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=test,dc=lan"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=test,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome=""

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile=""

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="S:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="test.lan"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
no_banner="1"
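The populate run above fails with "modifications require authentication" while smbldap_bind.conf holds rootpw="": an LDAP simple bind that supplies a DN with an empty password is, per RFC 4513, an unauthenticated bind, so slapd treats the writes as anonymous and refuses them. The following is an added example, not code from smbldap-tools or the HowTo, that parses the two files in their key="value" form, expands ${suffix} the way usersdn="ou=Users,${suffix}" expects, and reports that condition together with the transport settings visible in the file (ldapTLS, verify). Which *DN/*Pw pair a given smbldap-tools release reads is not checked; every pair present is examined. Function names and file contents are constructed, and the password value is a placeholder.

```python
import re

VAR_RE = re.compile(r"\$\{(\w+)\}")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# DN/password pairs that may appear in smbldap_bind.conf (older files use rootdn/rootpw)
BIND_PAIRS = (("masterDN", "masterPw"), ("slaveDN", "slavePw"), ("rootdn", "rootpw"))


def parse_kv(text):
    """Parse key="value" lines; '#' begins a comment and quotes are stripped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"').strip("'")
    return conf


def expand(conf):
    """Resolve ${name} references against the other keys of the same file."""
    return {k: VAR_RE.sub(lambda m: conf.get(m.group(1), m.group(0)), v)
            for k, v in conf.items()}


def lint(smbldap_conf_text, bind_conf_text):
    """Return findings that explain a refused populate or weaken the bind."""
    conf = expand(parse_kv(smbldap_conf_text))
    bind = parse_kv(bind_conf_text)
    findings = []
    # Empty password with a DN: the simple bind is unauthenticated (RFC 4513 5.1.2).
    for dn_key, pw_key in BIND_PAIRS:
        if dn_key in bind and not bind.get(pw_key):
            findings.append(f"{pw_key} empty: bind as {bind[dn_key]} is unauthenticated, writes are refused")
    # Transport: the file's comment says ldapTLS defaults to "1" when unset.
    server = conf.get("masterLDAP", "127.0.0.1")
    tls_on = conf.get("ldapTLS", "1") == "1"
    if not tls_on and server not in LOOPBACK:
        findings.append(f"ldapTLS=0 with masterLDAP={server}: bind password crosses the network in clear")
    if tls_on and conf.get("verify", "") == "none":
        findings.append("verify=none: the server certificate is not checked")
    return findings


# Constructed samples mirroring the posted layout.
SMBLDAP_CONF = """\
sambaDomain="test"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
verify="none"
suffix="dc=example,dc=lan"
usersdn="ou=Users,${suffix}"
groupsdn="ou=Groups,${suffix}"
"""
BIND_EMPTY = """\
#masterDN="cn=Manager,dc=example,dc=lan"
rootdn="cn=Manager,dc=example,dc=lan"
rootpw=""
"""
BIND_OK = BIND_EMPTY.replace('rootpw=""', 'rootpw="PLACEHOLDER-manager-password"')

if __name__ == "__main__":
    print("expanded usersdn:", expand(parse_kv(SMBLDAP_CONF))["usersdn"])
    for label, bind in (("empty rootpw", BIND_EMPTY), ("rootpw set", BIND_OK)):
        print(label, lint(SMBLDAP_CONF, bind) or "OK")
```

With the loopback masterLDAP from the post, the only finding is the empty rootpw; pointing masterLDAP at a remote host with ldapTLS="0" adds the cleartext-bind finding, and turning TLS on while keeping verify="none" reports the unchecked certificate instead.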
Post by whitetux » Tue Sep 12, 2006 6:47 pm

I get the same as above... I tried for a few days to get it to work. Eventually I have given up trying to use smbldap-tools.

Feedback while following the how to.

Post by GoVirtual » Tue Sep 26, 2006 8:07 pm

I am just running through the HOW TO without a lot of Gentoo knowledge.
As I was following the instructions step by step I ran into a "warning" when doing the emerge after doing the keyword command.
A module was masked and it did not even start the emerge.
It took a quick question to a Gentoo guru to get the situation explained and to be shown how I could get that module added and then get the emerge going.

An enhancement of the HOW TO could have a helper on how to take care of such an instance as I just ran into.
Thanks. :-)

Problem with starting slapd in default runlevel

Post by RAPHEAD » Sun Oct 29, 2006 11:08 pm

Hi,

I basically have a similar setup to the one described in this nice howto, but I have encountered two problems, of which one is not quite resolved:

1.) If you use the nsswitch.conf settings as described in the howto, you will encounter the problem described here: http://bugs.gentoo.org/show_bug.cgi?id=99564
This can be resolved by using a ~x86 udev version -- currently I'm using 087.

2.) A chicken-and-egg problem when starting slapd in the default runlevel.
If slapd starts on system boot, it hangs for quite a while and will never start at all if you have not defined timeouts in /etc/ldap.conf.
In /var/log/messages the corresponding logs read:

Code:

Oct 30 02:01:06 slapd[5585]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Oct 30 02:01:06 slapd[5585]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Oct 30 02:01:06 slapd[5585]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 30 02:01:10 slapd[5585]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
...
I guess Linux tries to find out something about the user "ldap" but it can't because the LDAP backend is just starting.
However, the user ldap IS defined in /etc/shadow and my /etc/nsswitch.conf is:

Code:

passwd:      files ldap
shadow:      files ldap
group:        files ldap
...
I think it should not be necessary to ask the LDAP backend about the user ldap as it can be found in the "files" backend, but obviously this is not the way Linux interprets this file.

The same problem is discussed here:
http://lists.freebsd.org/pipermail/free ... 26916.html

Any ideas how this can be fixed? I think switching nsswitch.conf while booting is not a nice solution.
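xarses's explanation of the nsswitch.conf lookup order earlier in this thread and the slapd start-up hang just described both come down to which NSS sources are consulted, and when. The following is an added example, not code from the HowTo, glibc or nss_ldap, that parses nsswitch.conf and nss_ldap's /etc/ldap.conf and reports the two boot-time hazards: ldap on the hosts line (the udev breakage georgemj hit), and ldap in passwd/group/shadow without nss_ldap's bind_policy soft, bind_timelimit or nss_initgroups_ignoreusers. The reason "files" first does not prevent the second case is that getpwnam("ldap") does stop at files, but initgroups() queries every listed group source, so starting slapd as user ldap still sends an LDAP query to the daemon that is not up yet. bind_policy, bind_timelimit and nss_initgroups_ignoreusers are real nss_ldap ldap.conf(5) options; the function names and file contents below are constructed.

```python
def parse_nsswitch(text):
    """Map each NSS database to its ordered source list.
    Action specs such as [NOTFOUND=return] are dropped; glibc walks the
    remaining sources left to right until one answers."""
    order = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        order[db.strip()] = [t for t in rest.split() if not t.startswith("[")]
    return order


def parse_ldap_conf(text):
    """Key/value parse of an nss_ldap ldap.conf.  nss_ldap keys are
    case-insensitive, so they are lower-cased; repeated keys collect a list."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def lookup_order(order, db):
    """Sources consulted, in order, for one database ([] if unlisted)."""
    return order.get(db, [])


def check(nsswitch_text, ldap_conf_text):
    """Return a list of findings; an empty list means neither hazard is present."""
    order = parse_nsswitch(nsswitch_text)
    conf = parse_ldap_conf(ldap_conf_text)
    findings = []

    # Hazard 1 (georgemj/xarses): 'ldap' in hosts makes early-boot name lookups
    # (udev runs before networking and slapd) wait on an unreachable server.
    if "ldap" in lookup_order(order, "hosts"):
        findings.append("hosts: lists ldap; early-boot lookups can hang before slapd is up")

    # Hazard 2 (RAPHEAD): getpwnam('ldap') stops at 'files', but initgroups()
    # asks every group source, so starting slapd as user 'ldap' queries the
    # not-yet-running slapd.  nss_ldap's defaults (bind_policy hard, no bind
    # time limit) turn that into a retry loop instead of a quick failure.
    ldap_maps = [db for db in ("passwd", "group", "shadow") if "ldap" in lookup_order(order, db)]
    if ldap_maps:
        if conf.get("bind_policy", ["hard"])[-1].lower() != "soft":
            findings.append("bind_policy not 'soft': lookups block while slapd is down")
        if "bind_timelimit" not in conf:
            findings.append("bind_timelimit unset: no cap on how long a bind attempt waits")
        ignored = {u.strip() for v in conf.get("nss_initgroups_ignoreusers", []) for u in v.split(",")}
        if "ldap" not in ignored:
            findings.append("nss_initgroups_ignoreusers lacks 'ldap': slapd's own user is looked up via LDAP")
    return findings


# Constructed samples: the layout from this thread, then a hardened pair.
WEAK_NSSWITCH = """\
passwd:  files ldap
shadow:  files ldap
group:   files ldap
hosts:   files dns ldap
"""
WEAK_LDAP_CONF = """\
base dc=example,dc=lan
uri  ldap://127.0.0.1
"""
FIXED_NSSWITCH = WEAK_NSSWITCH.replace("files dns ldap", "files dns")
FIXED_LDAP_CONF = WEAK_LDAP_CONF + """\
bind_policy soft
bind_timelimit 5
nss_initgroups_ignoreusers root,ldap
"""

if __name__ == "__main__":
    for label, ns, lc in (("weak", WEAK_NSSWITCH, WEAK_LDAP_CONF),
                          ("fixed", FIXED_NSSWITCH, FIXED_LDAP_CONF)):
        print(label, "hosts ->", lookup_order(parse_nsswitch(ns), "hosts"))
        for finding in check(ns, lc) or ["OK"]:
            print("  ", finding)
```

The weak pair produces all four findings; the fixed pair produces none. Keeping ldap in passwd/group/shadow is what the HowTo needs for Samba, so the hardening is in ldap.conf rather than in nsswitch.conf: a soft bind policy and a bind time limit make a lookup fail fast while slapd is down, and listing the ldap user in nss_initgroups_ignoreusers keeps slapd's own start-up from ever touching the directory.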