OpenLDAP+Samba for authentication of both linux and windows clients
For a while now I have been looking for a good and simple tutorial with clear examples on how to set up OpenLDAP for authentication of client computers. The clients run Linux and Windows. I know that you need Samba for the Windows clients. I am able to make OpenLDAP work; however, I am not really sure what is needed for authentication on both client types. There are many tutorials telling me how to set up the server side, but which attributes are a minimum requirement for Windows and Linux clients to authenticate?
Something else that is pretty hard to find is a tutorial on how to set up the client side. I haven't yet looked into how to configure Samba to use OpenLDAP. So if you know a good tutorial about that too, then the suggestion is welcome as well.
If this sounds like a newbie question, then that's probably right. Anyway, thank you in advance for helping me out.
Honestly, the best simple tutorials are on the samba site.
There are LOADS of tutorials on how to do this, but many of them get more complicated than is, strictly speaking, necessary.
This page is really _really_ good for a simple setup, but it can be hard to follow sometimes.
Please read it, then come back and read the rest of this message.
I wrote this for a friend I was helping a while ago, and just yanked it from my sent messages, but this is just a more detailed description of what's in that first page I posted.
Apparently there's been this nifty provision in Samba called "ldapsam:editposix" that's been there since 3.0 was released, but it's barely been documented or written about. If you do it right, all users and groups can be added and modified from the Samba "net" command.
More or less I'm just sending you my notes (since this is, you know, for work, I'm being very careful, and blowing away the VM & re-creating it for each configuration change to make sure it's really doing what I think it is, so this is pretty accurate).
If you enable editposix, and if (this second if is very important) the server Samba is on uses LDAP for storing its unix groups, nearly no work needs to be done inside of LDAP. The initial LDIF was actually all I did for direct LDAP interaction....
Aside from the normal stuff (like setting up /etc/ldap.secret and /etc/ldap.conf), this is how it's done (just ignore the default test
Set up the LDAP stuff (/etc/ldap.conf /etc/ldap.secret /etc/openldap/slapd.conf)
Pretty straightforward; the only thing is to include the samba.schema
#access to dn.base="" by * read
#access to dn.base="cn=Subschema" by * read
#access to *
# by self write
# by users read
# by anonymous auth
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
Copy samba.schema into /etc/openldap/schema
Set up nsswitch.conf: passwd, shadow and group need to be set up for ldap
Load a starting LDIF for some Samba basics
#This is added with
#ldapadd -x -D "cn=admin,dc=dv,dc=com" -W -f base.ldif
description: LDAP administrator
I believe this is what is needed
# Domain identity
netbios name = dvpdc01
workgroup = DV
encrypt passwords = true
# Account database (users, groups, machines) lives in LDAP
passdb backend = ldapsam
ldap admin dn = cn=admin,dc=dv,dc=com
ldap delete dn = yes
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap user suffix = ou=users
ldap suffix = dc=dv,dc=com
ldap idmap suffix = ou=idmap
# SID <-> uid/gid mappings are stored in LDAP as well, in ou=idmap
idmap backend = ldap:"ldap://"
idmap domains = DV
idmap config DV:backend = ldap
idmap config DV:readonly = no
idmap config DV:default = yes
idmap config DV:ldap_base_dn = ou=idmap,dc=dv,dc=com
idmap config DV:ldap_user_dn = cn=admin,dc=dv,dc=com
idmap config DV:ldap_url = ldap://localhost
idmap config DV:range = 50000-500000
# Allocator for new ids; same range as above
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=idmap,dc=dv,dc=com
idmap alloc config:ldap_user_dn = cn=admin,dc=dv,dc=com
idmap alloc config:ldap_url = ldap://localhost
idmap alloc config:range = 50000-500000
#Templates, important if you want a share created for the user in a normal place
#And you don't want them to be able to log into your unix boxes by default
template homedir = /home/%U
template shell = /bin/false
Give Samba the LDAP password, in three ways
#For samba to read ldap
smbpasswd -w <password>
#For samba to add domain users & groups
net idmap secret DOMAIN <password>
#For samba to add mappings in ldap
net idmap secret alloc <password>
Start winbind (this is how Windows connects)
Set up the tree with
net sam provision
Give a password to Administrator
service smb start
At this point test by joining a machine to this test-domain, and
logging in as Administrator
Now all users are added using
net rpc user add <username> -UAdministrator
And groups are added using
net rpc group add <groupname> -UAdministrator
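The two pieces of the procedure above that are easy to get wrong are the starting LDIF (the post only shows a fragment of it) and the smb.conf settings that have to agree with each other before "net sam provision" is run. The script below is an added example, not the poster's notes or Samba's own tooling: it generates the base tree that the smb.conf above expects (the suffix plus ou=users, ou=groups, ou=computers and ou=idmap, all taken from the thread) and runs a few consistency checks over a saved smb.conf. The sample config it checks is constructed from the settings in the post; the 10000 lower bound it enforces on the idmap range is an assumption (keep allocated ids clear of locally created accounts), not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): build the starting LDIF the smb.conf
# above expects, and sanity-check an smb.conf before "net sam provision".
# Suffix dc=dv,dc=com and the OU names come from the thread; the 10000
# idmap lower bound is an assumption.

# gen_base_ldif SUFFIX  -> LDIF for the suffix entry and the four OUs
gen_base_ldif() {
    suffix=$1
    rdn=${suffix%%,*}            # dc=dv
    dc=${rdn#*=}                 # dv
    printf 'dn: %s\nobjectClass: dcObject\nobjectClass: organization\ndc: %s\no: %s\n\n' \
        "$suffix" "$dc" "$dc"
    for ou in users groups computers idmap; do
        printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' \
            "$ou" "$suffix" "$ou"
    done
}

# smb_get FILE KEY  -> value of the first "KEY = value" line (any spacing)
smb_get() {
    pat=$(printf '%s' "$2" | sed 's/ /[[:space:]]\\{1,\\}/g')
    sed -n "s/^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

is_num() { case $1 in ''|*[!0-9]*) return 1;; *) return 0;; esac; }

# smb_conf_check FILE  -> prints each problem found; returns 1 if there were any
smb_conf_check() {
    f=$1; bad=0
    wg=$(smb_get "$f" 'workgroup')
    backend=$(smb_get "$f" 'passdb backend')
    suffix=$(smb_get "$f" 'ldap suffix')
    admin=$(smb_get "$f" 'ldap admin dn')
    shell=$(smb_get "$f" 'template shell')
    range=$(smb_get "$f" "idmap config $wg:range")
    alloc=$(smb_get "$f" 'idmap alloc config:range')

    case $backend in
        ldapsam*) ;;
        *) echo "passdb backend should be ldapsam, got '$backend'"; bad=1;;
    esac
    [ -n "$suffix" ] || { echo "ldap suffix is not set"; bad=1; }
    case $admin in
        *",$suffix") ;;
        *) echo "ldap admin dn '$admin' is not under ldap suffix '$suffix'"; bad=1;;
    esac
    # Domain users get this shell on the Samba host; keep it a non-login shell
    case $shell in
        /bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
        *) echo "template shell '$shell' lets domain users log in to the Samba host"; bad=1;;
    esac
    lo=${range%-*}; hi=${range#*-}
    if ! is_num "$lo" || ! is_num "$hi"; then
        echo "idmap config $wg:range '$range' is not of the form LOW-HIGH"; bad=1
    elif [ "$lo" -ge "$hi" ]; then
        echo "idmap range '$range' is empty or reversed"; bad=1
    elif [ "$lo" -lt 10000 ]; then
        echo "idmap range starts at $lo; assumption: keep it above local uids/gids"; bad=1
    fi
    [ "$range" = "$alloc" ] || {
        echo "idmap config $wg:range '$range' differs from idmap alloc config:range '$alloc'"; bad=1; }
    return $bad
}

# sample_smb_conf  -> the [global] settings from the thread, constructed for the demo
sample_smb_conf() {
    cat <<'EOF'
[global]
   netbios name = dvpdc01
   workgroup = DV
   passdb backend = ldapsam
   ldap admin dn = cn=admin,dc=dv,dc=com
   ldap suffix = dc=dv,dc=com
   ldap user suffix = ou=users
   ldap group suffix = ou=groups
   ldap machine suffix = ou=computers
   ldap idmap suffix = ou=idmap
   idmap config DV:range = 50000-500000
   idmap alloc config:range = 50000-500000
   template homedir = /home/%U
   template shell = /bin/false
EOF
}

# Demo: print the base LDIF, then check the sample config
gen_base_ldif dc=dv,dc=com
tmp=$(mktemp); sample_smb_conf > "$tmp"
smb_conf_check "$tmp" && echo "smb.conf: ok"
rm -f "$tmp"
```

Feed the generated LDIF to ldapadd the same way the post does ("ldapadd -x -D cn=admin,dc=dv,dc=com -W -f base.ldif"), then point smb_conf_check at the real /etc/samba/smb.conf; a template shell that is a real login shell, or two idmap ranges that disagree, are the sort of thing testparm will not complain about but that will bite later.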
Oops, didn't answer the original question!
Once Samba/LDAP is configured like that you can have your *nix boxes use LDAP to authenticate & get their groups, OR you can use winbind.
The LDAP config will be just like any other (the modern GUIs nearly do it for you), but it will be bypassing the samba layer. Depending on what you want, this is either good or bad.
Again for the winbind config, the modern GUIs nearly do all the work for you to connect.
Its development has ceased and I'm not too aware of any alternatives, but you *might* be interested in considering a different approach of using pGina (or an alternative if there are any) to directly authenticate Windows against LDAP and not need to worry about the fake domain stuff with Samba.
When I try to execute 'net sam provision', I get the following error:
Fixed the problem... Didn't read carefully and made an assumption...
Although now a new problem has occurred: adding a Windows client to the domain is not working. It is talking about some DNS error. Windows is not able to find the domain name on the DNS server.
First thing is to fix that WINS/DNS error; chances are that will fix everything else.
Look here, down at the lines about setting up Samba as a WINS server (It's an easy 2 lines, but I'll let you read from the experts : )
Sorry for the delay!
No problem about the delay, I am already grateful that you are willing to help me...
Unfortunately I have already tried the extra lines on that page. Doesn't seem to work though. Although after starting winbind again (shut down when configuring LDAP authentication), I get a new error message, also regarding the DNS. I tried to add the configuration items from O'Reilly again, but that didn't solve the issue either. The error message that I get now is:
Thank you for your help.
Hmm. OK, would you mind posting the output of testparm? I'm interested in taking a look to see if it's something that I've seen before, or something that will pop out at me.
Having the one server that does everything shouldn't be a problem for this per se. But if you have, say, a drive crash, a problem with an upgrade, etc., that's when you'll have problems with everything on one machine ;)
There are backups, of course... ;) And it is not such a big problem when the server crashes. It is just a test environment.
Below, as requested, the output of testparm:
In the meanwhile, I got a bit further. The output of testparm is now:
Although I am getting closer, as Windows is getting more cryptic when displaying an error.
The error is now:
Disregard my last message... I found out that winbind wasn't running. Again...
Thanks for the help, just joined to my domain!
Give a holler if you run into more issues. It's always interesting to troubleshoot.