LinuxQuestions.org

Linux - Server: OpenLDAP+Samba for authentication of both linux and windows clients
http://www.linuxquestions.org/questions/linux-server-73/openldap-samba-for-authentication-of-both-linux-and-windows-clients-782039/

Blue_Ice 01-13-2010 03:26 PM

OpenLDAP+Samba for authentication of both linux and windows clients
 
Hi all,

For a while now I have been looking for a good and simple tutorial with clear examples on how to set up OpenLDAP for authentication of client computers. The clients are installed with linux and windows. I know that you need Samba for the windows clients. I am able to make OpenLDAP work, however I am not really sure what is needed for authentication on both client types. There are many tutorials telling me how to set up the server side, but which attributes are a minimum requirement for windows and linux clients to authenticate?

Something else that is pretty hard to find is a tutorial on how to set up the client side. I haven't yet looked into how to configure Samba to use OpenLDAP. So if you know a good tutorial about that too, then the suggestion is welcome as well.

If this sounds like a newbie question, then that's probably right. Anyway, thank you in advance for helping me out.

kschmitt 01-13-2010 04:06 PM

Honestly, the best simple tutorials are on the samba site.

There are LOADS of tutorials on how to do this, but many of them get more complicated than is, strictly speaking, necessary.

This page is really _really_ good for a simple setup, but it can be hard to follow sometimes.

http://wiki.samba.org/index.php/Ldapsam_Editposix

Please read it, then come back and read the rest of this message.

I wrote this for a friend I was helping awhile ago, and just yanked it from my sent messages, but this is just a more detailed description of what's in that first page I posted.


Apparently there's been this nifty provision in samba called "ldapsam:editposix" that's been there since 3.0 was released, but it's been barely documented or written on. If you do it right, all users and groups can be added and modified from the samba "net" command. More or less I'm just sending you my notes (since this is, you know, for work, I'm being very careful, and blowing away the VM & re-creating it for each configuration change to make sure it's really doing what I think it is, so this is pretty accurate.)

If you enable editposix, and if (this second if is very important) the server samba is on uses ldap for storing its unix groups, nearly no work needs to be done inside of ldap. The initial ldif was actually all I did for direct ldap interaction....

Aside from the normal stuff (like setting up /etc/ldap.secret and /etc/ldap.conf) this is how it's done (just ignore the default test passwords please).

Set up the ldap stuff (/etc/ldap.conf /etc/ldap.secret /etc/openldap/slapd.conf)
Pretty straightforward, the only thing is to include the samba.schema.

Code:

#Current slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

database bdb
suffix "dc=dv,dc=com"
rootdn "cn=admin,dc=dv,dc=com"
rootpw whopdiedoo
directory /var/lib/ldap

#access to dn.base="" by * read
#access to dn.base="cn=Subschema" by * read
#access to *
# by self write
# by users read
# by anonymous auth
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq

#End
Copy samba.schema into /etc/openldap/schema

Set up nsswitch.conf: passwd, shadow and group need to be set up for ldap.

Load a starting ldif for some samba basics:

Code:

#This is added with
#ldapadd -x -D "cn=admin,dc=dv,dc=com" -W -f base.ldif
dn: dc=dv,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: dv.com
dc: dv

dn: cn=admin,dc=dv,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: whopdiedoo

dn: ou=users,dc=dv,dc=com
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=dv,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=idmap,dc=dv,dc=com
objectClass: top
objectClass: organizationalUnit
ou: idmap

dn: ou=computers,dc=dv,dc=com
objectClass: top
objectClass: organizationalUnit
ou: computers
##End

Samba setup
I believe this is what is needed:

Code:

[global]
netbios name = dvpdc01
workgroup = DV
encrypt passwords = true
passdb backend = ldapsam
ldapsam:trusted=yes
ldapsam:editposix=yes
ldap admin dn = cn=admin,dc=dv,dc=com
ldap delete dn = yes
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap user suffix = ou=users
ldap suffix = dc=dv,dc=com
ldap idmap suffix = ou=idmap
idmap backend = ldap:"ldap://"
idmap domains = DV
idmap config DV:backend = ldap
idmap config DV:readonly = no
idmap config DV:default = yes
idmap config DV:ldap_base_dn = ou=idmap,dc=dv,dc=com
idmap config DV:ldap_user_dn = cn=admin,dc=dv,dc=com
idmap config DV:ldap_url = ldap://localhost
idmap config DV:range = 50000-500000
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=idmap,dc=dv,dc=com
idmap alloc config:ldap_user_dn = cn=admin,dc=dv,dc=com
idmap alloc config:ldap_url = ldap://localhost
idmap alloc config:range = 50000-500000
#Templates, important if you want a share created for the user in a normal place
#And you don't want them to be able to log into your unix boxes by default
template homedir = /home/%U
template shell = /bin/false
#End smb.conf

Give samba the ldap password, in three ways:

Code:

#For samba to read ldap
smbpasswd -w <password>
#For samba to add domain users & groups
net idmap secret DOMAIN <password>
#For samba to add mappings in ldap
net idmap secret alloc <password>

start winbind (this is how windows connects)

setup the tree with
net sam provision

Give a password to Administrator
smbpasswd Administrator

Start samba
service smb start

At this point test by joining a machine to this test-domain, and logging in as Administrator.

Now all users are added using
net rpc user add <username> -UAdministrator
And groups are added using
net rpc group add <groupname> -UAdministrator
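A preflight check for the recipe above, added here as an example (it is not code from the thread or from the Samba project): it greps slapd.conf, nsswitch.conf and smb.conf for the settings kschmitt lists, so a missing item shows up before 'net sam provision'. The function names are hypothetical and the sample files built by make_samples are constructed for the demo.

```shell
#!/bin/sh
# Added preflight check for the ldapsam:editposix recipe above (example code, not
# from the thread or the Samba project): it greps the three files the post says
# must be set up, so a missing item is caught before 'net sam provision'.

# Succeed if file $1 has a line matching ERE $2; otherwise report it and fail.
have_setting() {
    if grep -Eiq "$2" "$1"; then return 0; fi
    echo "MISSING in $1: $2" >&2; return 1
}
# slapd.conf: including samba.schema is the post's one LDAP-side requirement.
check_slapd() {
    have_setting "$1" '^[[:space:]]*include[[:space:]].*/samba\.schema'
}
# nsswitch.conf: passwd, shadow and group must all be served by ldap.
check_nss() {
    rc_nss=0
    for db in passwd shadow group; do
        have_setting "$1" "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|\$)" || rc_nss=1
    done
    return $rc_nss
}
# smb.conf: the editposix essentials from the post; spacing around '=' is tolerated.
check_smb() {
    rc_smb=0
    for re in 'passdb backend *= *ldapsam' 'ldapsam:editposix *= *yes' \
              'ldapsam:trusted *= *yes' 'ldap admin dn *= *cn=' 'ldap suffix *= *dc=' \
              'ldap idmap suffix *= *ou=' 'idmap alloc backend *= *ldap'; do
        have_setting "$1" "^[[:space:]]*$re" || rc_smb=1
    done
    return $rc_smb
}
# Run every check on the config files in directory $1; fail if anything is missing.
check_all() {
    rc_all=0
    check_slapd "$1/slapd.conf" || rc_all=1
    check_nss "$1/nsswitch.conf" || rc_all=1
    check_smb "$1/smb.conf" || rc_all=1
    return $rc_all
}
# Constructed sample configs (hypothetical contents): 'good' follows the post,
# 'bad' omits ldapsam:editposix and the idmap alloc backend. Prints the directory.
make_samples() {
    d=$(mktemp -d)
    for t in good bad; do
        mkdir -p "$d/$t"
        printf 'include /etc/openldap/schema/nis.schema\ninclude /etc/openldap/schema/samba.schema\n' > "$d/$t/slapd.conf"
        printf 'passwd: files ldap\nshadow: files ldap\ngroup:  files ldap\n' > "$d/$t/nsswitch.conf"
        printf '[global]\npassdb backend = ldapsam\nldapsam:trusted=yes\nldap admin dn = cn=admin,dc=dv,dc=com\nldap suffix = dc=dv,dc=com\nldap idmap suffix = ou=idmap\n' > "$d/$t/smb.conf"
    done
    printf 'ldapsam:editposix=yes\nidmap alloc backend = ldap\n' >> "$d/good/smb.conf"
    echo "$d"
}
```

Run check_all against a directory holding the three files (for instance one built with make_samples), or point the individual checks at /etc/openldap/slapd.conf, /etc/nsswitch.conf and /etc/samba/smb.conf on the real server.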

kschmitt 01-13-2010 04:14 PM

Oops, didn't answer the original question!

Once samba/ldap is configured like that you can have your *nix boxes use LDAP to authenticate & get its groups, OR you can use winbind.

The LDAP config will be just like any other (the modern GUIs nearly do it for you), but it will be bypassing the samba layer. Depending on what you want, this is either good or bad.

Again for the winbind config, the modern GUIs nearly do all the work for you to connect.

acid_kewpie 01-13-2010 04:22 PM

Its development has ceased and I'm not too aware of any alternatives, but you *might* be interested in considering a different approach of using pGina (or an alternative if there are any) to directly authenticate windows against LDAP and not need to worry about the fake domain stuff with SaMBa.

Blue_Ice 01-14-2010 04:55 AM

Quote:

Originally Posted by kschmitt (Post 3825574)
Oops, didn't answer the original question!

Once samba/ldap is configured like that you can have your *nix boxes use LDAP to authenticate & get its groups, OR you can use winbind.

The LDAP config will be just like any other (the modern GUIs nearly do it for you), but it will be bypassing the samba layer. Depending on what you want, this is either good or bad.

Again for the winbind config, the modern GUIs nearly do all the work for you to connect.

So if I understand you correctly, by setting up Samba like this and creating users in Samba, this is also sufficient to log in to linux using ldap?

kschmitt 01-15-2010 10:13 AM

Quote:

Originally Posted by Blue_Ice (Post 3826139)
So if I understand you correctly, by setting up Samba like this and creating users in Samba, this is also sufficient to log in to linux using ldap?

Yes, it's sufficient for linux users to log in via LDAP. It's not as detailed or complicated a setup as you can get, but it's enough for authentication and groups.

--Kyle

Blue_Ice 01-23-2010 11:14 AM

When I try to execute 'net sam provision', I get the following error:

Code:

Checking for Domain Users group.
[2010/01/23 18:13:24, 0] lib/smbldap_util.c:smbldap_search_domain_info(286)
  smbldap_search_domain_info: Adding domain info for SERVER failed with NT_STATUS_UNSUCCESSFUL
Adding the Domain Users group.
Unable to allocate a new gid to create Domain Users group!
Checking for Domain Admins group.
Adding the Domain Admins group.
Unable to allocate a new gid to create Domain Admins group!
Check for Administrator account.
Adding the Administrator user.
Can't create Administrator user, Domain Admins group not available!

What does this mean and how do I solve it?

Blue_Ice 01-24-2010 10:33 AM

Fixed the problem... Didn't read carefully and made an assumption...

Although now a new problem has occurred: adding a Windows client to the domain is not working. It is talking about some DNS error. Windows is not able to find the domain name at the DNS server.

Code:

The domain name MYDOMAIN might be a NetBIOS domain name.  If this is the case, verify that the domain name is properly registered with WINS.

If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller for domain MYDOMAIN:

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.MYDOMAIN

Common causes of this error include the following:

- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain.
They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

195.xxx.xxx.xxx
195.xxx.xxx.xxx
10.xxx.xxx.xxx

- One or more of the following zones do not include delegation to its child zone:

MYDOMAIN
. (the root zone)

For information about correcting this problem, click Help.

There is also a second problem, I am not able to add a user using 'net rpc user add <username> -UAdministrator'.
Any ideas?

kschmitt 01-27-2010 11:46 AM

Quote:

Originally Posted by Blue_Ice (Post 3838767)
Fixed the problem... Didn't read carefully and made an assumption...

Although now a new problem has occurred: adding a Windows client to the domain is not working. It is talking about some DNS error. Windows is not able to find the domain name at the DNS server.


First thing is to fix that WINS/DNS error, chances are, that will fix everything else.

Look here, down at the lines about setting up samba as a wins server (It's an easy 2 lines, but I'll let you read from the experts : )
http://oreilly.com/catalog/samba/cha...k/ch07_03.html

Sorry for the delay!

Blue_Ice 01-28-2010 09:12 AM

No problem about the delay, I am already grateful that you are willing to help me...

Unfortunately I have already tried the extra lines on that page. Doesn't seem to work though. Although after starting winbind again (shut down when configuring LDAP authentication), I get a new error message, also regarding the DNS. I tried to add the configuration items from O'Reilly again, but that didn't solve the issue either. The error message that I get now is:

Code:

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain MYDOMAIN:

The query was for the SRV record for _ldap._tcp.dc._msdcs.MYDOMAIN

The following domain controllers were identified by the query:

server.mydomain

Common causes of this error include:

- Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.

- Domain controllers registered in DNS are not connected to the network or are not running.

For information about correcting this problem, click Help.

Could it be that this is caused because I have one server that does everything? I am running iptables (NAT), openldap, dhcp, bind (ddns), openvpn and samba on that server. Maybe I should virtualize everything... Anyway, I am not sure if that causes the problem.

Thank you for your help.

kschmitt 01-28-2010 01:12 PM

Humm. OK, would you mind posting the output of testparm? I'm interested in taking a look to see if it's something that I've seen before, or something that will pop out at me.

Having the one server that does everything shouldn't be a problem for this per se. But if you have, say, a drive crash, a problem with an upgrade, etc, that's when you'll have problems with everything on one machine ;)

Blue_Ice 01-29-2010 04:05 AM

There are backups, of course... ;) And it is not such a big problem when the server crashes. It is just a test environment.

Below, as requested, the output of testparm:

Code:

Load smb config files from /etc/samba/smb.conf
Processing section "[public]"
Processing section "[mp3z]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
        workgroup = HULSHOFF.HOME
        passdb backend = ldapsam
        name resolve order = wins lmhosts hosts bcast
        wins support = Yes
        ldap admin dn = cn=Manager,dc=hulshoff,dc=home
        ldap delete dn = Yes
        ldap group suffix = ou=groups
        ldap idmap suffix = ou=idmap
        ldap machine suffix = ou=computers
        ldap suffix = dc=hulshoff,dc=home
        ldap user suffix = ou=users
        idmap domains = HULSHOFF.HOME
        idmap backend = ldap:ldap://
        idmap alloc backend = ldap
        template homedir = /home/%U
        template shell = /bin/bash
        idmap alloc config:range = 50000-500000
        idmap alloc config:ldap_url = ldap://localhost
        idmap alloc config:ldap_user_dn = cn=Manager,dc=hulshoff,dc=home
        idmap alloc config:ldap_base_dn = ou=idmap,dc=hulshoff,dc=home
        idmap config HULSHOFF.HOME:range = 50000-500000
        idmap config HULSHOFF.HOME:ldap_url = ldap://localhost
        idmap config HULSHOFF.HOME:ldap_user_dn = cn=Manager,dc=hulshoff,dc=home
        idmap config HULSHOFF.HOME:ldap_base_dn = ou=idmap,dc=hulshoff,dc=home
        idmap config HULSHOFF.HOME:default = yes
        idmap config HULSHOFF.HOME:readonly = no
        idmap config HULSHOFF.HOME:backend = ldap
        ldapsam:editposix = yes
        ldapsam:trusted = yes

[public]
        comment = Public Share
        path = /opt/samba/public
        read only = No
        guest ok = Yes

[mp3z]
        comment = Music Share
        path = /opt/samba/mp3z
        write list = +domadmins
        guest ok = Yes

I hope you can see something wrong, because it looks fine to me.

Blue_Ice 02-01-2010 05:19 AM

In the meanwhile, I got a bit further. The output of testparm is now:

Code:

Load smb config files from /etc/samba/smb.conf
Processing section "[public]"
Processing section "[mp3z]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[userdata]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
        workgroup = HULSHOFF
        passdb backend = ldapsam
        name resolve order = wins lmhosts hosts bcast
        logon script = logon.cmd
        logon path = \\%N\profiles\%u
        logon drive = H:
        logon home = \\%N\userdata\%u
        domain logons = Yes
        os level = 80
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=Manager,dc=hulshoff,dc=home
        ldap delete dn = Yes
        ldap group suffix = ou=groups
        ldap idmap suffix = ou=idmap
        ldap machine suffix = ou=computers
        ldap suffix = dc=hulshoff,dc=home
        ldap user suffix = ou=users
        idmap domains = HULSHOFF.HOME
        idmap backend = ldap:ldap://
        idmap alloc backend = ldap
        template homedir = /home/%U
        template shell = /bin/bash
        idmap alloc config:range = 50000-500000
        idmap alloc config:ldap_url = ldap://ldap.hulshoff.home
        idmap alloc config:ldap_user_dn = cn=Manager,dc=hulshoff,dc=home
        idmap alloc config:ldap_base_dn = ou=idmap,dc=hulshoff,dc=home
        idmap config HULSHOFF.HOME:range = 50000-500000
        idmap config HULSHOFF.HOME:ldap_url = ldap://ldap.hulshoff.home
        idmap config HULSHOFF.HOME:ldap_user_dn = cn=Manager,dc=hulshoff,dc=home
        idmap config HULSHOFF.HOME:ldap_base_dn = ou=idmap,dc=hulshoff,dc=home
        idmap config HULSHOFF.HOME:default = yes
        idmap config HULSHOFF.HOME:readonly = no
        idmap config HULSHOFF.HOME:backend = ldap
        ldapsam:editposix = yes
        ldapsam:trusted = yes

[public]
        comment = Public Share
        path = /opt/samba/public
        read only = No
        guest ok = Yes

[netlogon]
        comment = Network Logon Service
        path = /opt/samba/netlogon
        guest ok = Yes
        share modes = No

[profiles]
        path = /opt/samba/profiles
        read only = No
        create mask = 0600
        directory mask = 0700

[userdata]
        path = /opt/samba/userdata
        read only = No
        create mask = 0600
        directory mask = 0700

Nevertheless, joining a domain is still not really working. Although I am getting closer, as Windows is getting more cryptic when displaying an error.

The error is now:
Quote:

The following error occurred attempting to join the domain "hulshoff":

A device attached to the system is not functioning.

I guess I am almost there, but as always M$ is not really willing to help... Any ideas what this means?

Blue_Ice 02-01-2010 08:33 AM

Disregard my last message... I found out that winbind wasn't running. Again...

Thanks for the help, just joined to my domain!

kschmitt 02-01-2010 12:49 PM

Quote:

Originally Posted by Blue_Ice (Post 3848313)
Disregard my last message... I found out that winbind wasn't running. Again...

Thanks for the help, just joined to my domain!

Awesome! Heh, glad you posted, I was just about to dig through your testparm output (lunchtime)!

Give a holler if you run into more issues. It's always interesting to troubleshoot.

