Old 01-13-2010, 03:26 PM   #1
Blue_Ice
Member
 
Registered: Jul 2006
Location: Belgium
Distribution: Debian, Fedora, CentOS, Windows
Posts: 361

Rep: Reputation: Disabled
Question OpenLDAP+Samba for authentication of both linux and windows clients


Hi all,

For a while now I have been looking for a good and simple tutorial with clear examples on how to set up OpenLDAP for authentication of client computers. The clients are installed with Linux and Windows. I know that you need Samba for the Windows clients. I am able to make OpenLDAP work, however I am not really sure what is needed for authentication on both client types. There are many tutorials telling me how to set up the server side, but which attributes are a minimum requirement for Windows and Linux clients to authenticate?

Something else that is pretty hard to find is a tutorial on how to setup the client side. I haven't yet looked into how to configure Samba to use OpenLDAP. So if you know a good tutorial about that too, then the suggestion is welcome as well.

If this sounds like a newbie question, then that's probably right. Anyway, thank you in advance for helping me out.
 
Old 01-13-2010, 04:06 PM   #2
kschmitt
Member
 
Registered: Jul 2009
Location: Chicago Suburbs
Distribution: Crux, CentOS, RHEL, Ubuntu
Posts: 96

Rep: Reputation: 23
Honestly, the best simple tutorials are on the samba site.

There are LOADS of tutorials on how to do this, but many of them get more complicated than is, strictly speaking, necessary.

This page is really _really_ good for a simple setup, but it can be hard to follow sometimes.

http://wiki.samba.org/index.php/Ldapsam_Editposix

Please read it, then come back and read rest of this message

I wrote this for a friend I was helping a while ago, and just yanked it from my sent messages, but this is just a more detailed description of what's in that first page I posted.


Apparently there's been this nifty provision in samba called,
"ldapsam:editposix" that's been there since 3.0 was released, but it's
been barely documented or written on. If you do it right, all users
and groups can be added and modified from the samba "net" command.
More or less I'm just sending you my notes (since this is, you know,
for work, I'm being very careful, and blowing away the VM &
re-creating it for each configuration change to make sure it's really
doing what I think it is, so this is pretty accurate.)

If you enable editposix, and if (this second if is very important),
the server samba is on uses ldap for storing its unix groups, nearly
no work needs to be done inside of ldap. The initial ldif was
actually all I did for direct ldap interaction....

Aside from the normal stuff, (like setting up /etc/ldap.secret and
/etc/ldap.conf) this is how it's done (just ignore the default test
passwords please)

Set up the ldap stuff (/etc/ldap.conf /etc/ldap.secret /etc/openldap/slapd.conf)
Pretty straightforward, the only thing is to include the samba.schema
#Current slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

database bdb
suffix "dc=dv,dc=com"
rootdn "cn=admin,dc=dv,dc=com"
rootpw whopdiedoo
directory /var/lib/ldap

#access to dn.base="" by * read
#access to dn.base="cn=Subschema" by * read
#access to *
# by self write
# by users read
# by anonymous auth
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq

#End
Copy samba.schema into /etc/openldap/schema

Set up nsswitch.conf; passwd, shadow and group need to be set up for ldap

Load a starting ldif for some samba basics
#This is added with
#ldapadd -x -D "cn=admin,dc=dv,dc=com" -W -f base.ldif
dn: dc=dv,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: dv.com
dc: dv

dn: cn=admin,dc=dv,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: whopdiedoo

dn: ou=users,dc=dv,dc=com
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=dv,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=idmap,dc=dv,dc=com
objectClass: top
objectClass: organizationalUnit
ou: idmap

dn: ou=computers,dc=dv,dc=com
objectClass: top
objectClass: organizationalUnit
ou: computers
##End

Samba setup
I believe this is what is needed
[global]
netbios name = dvpdc01
workgroup = DV
encrypt passwords = true
passdb backend = ldapsam
ldapsam:trusted=yes
ldapsam:editposix=yes
ldap admin dn = cn=admin,dc=dv,dc=com
ldap delete dn = yes
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap user suffix = ou=users
ldap suffix = dc=dv,dc=com
ldap idmap suffix = ou=idmap
idmap backend = ldap:"ldap://"
idmap domains = DV
idmap config DV:backend = ldap
idmap config DV:readonly = no
idmap config DV:default = yes
idmap config DV:ldap_base_dn = ou=idmap,dc=dv,dc=com
idmap config DV:ldap_user_dn = cn=admin,dc=dv,dc=com
idmap config DV:ldap_url = ldap://localhost
idmap config DV:range = 50000-500000
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=idmap,dc=dv,dc=com
idmap alloc config:ldap_user_dn = cn=admin,dc=dv,dc=com
idmap alloc config:ldap_url = ldap://localhost
idmap alloc config:range = 50000-500000
#Templates, important if you want a share created for the user in a normal place
#And you don't want them to be able to log into your unix boxes by default
template homedir = /home/%U
template shell = /bin/false
#End smb.conf

Give samba the ldap password, in three ways
#For samba to read ldap
smbpasswd -w <password>
#For samba to add domain users & groups
net idmap secret DOMAIN <password>
#For samba to add mappings in ldap
net idmap secret alloc <password>

Start winbind (this is how windows connects)

Set up the tree with
net sam provision

Give a password to Administrator
smbpasswd Administrator

Start samba
service smb start

At this point test by joining a machine to this test-domain, and
logging in as Administrator

Now all users are added using
net rpc user add <username> -UAdministrator
And groups are added using
net rpc group add <groupname> -UAdministrator
 
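A consistency check for the setup above, as an added example that is neither kschmitt's nor Samba's own code: it parses the [global] section of an smb.conf and the bootstrap LDIF, then reports the cross-references (ldap admin dn under ldap suffix, each relative suffix resolving to an OU the LDIF creates, idmap ldap_base_dn matching the idmap OU, editposix paired with trusted, a non-login template shell) that must agree before "net sam provision" can create users and groups. The sample input is constructed from the posted dv.com example and deliberately leaves out ou=computers so that one finding appears; function names such as parse_smb_global and check are my own.

```python
import re

# Constructed sample input: the [global] essentials from the smb.conf posted above,
# and a minimal bootstrap LDIF (attributes trimmed) that deliberately omits ou=computers.
SMB_CONF = """\
[global]
passdb backend = ldapsam
ldapsam:trusted=yes
ldapsam:editposix=yes
ldap admin dn = cn=admin,dc=dv,dc=com
ldap suffix = dc=dv,dc=com
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap idmap suffix = ou=idmap
idmap config DV:ldap_base_dn = ou=idmap,dc=dv,dc=com
template shell = /bin/false
"""
BASE_LDIF = "dn: dc=dv,dc=com\nobjectClass: dcObject\n\n" + "\n".join(
    "dn: %s,dc=dv,dc=com\nobjectClass: top\n" % rdn
    for rdn in ("cn=admin", "ou=users", "ou=groups", "ou=idmap"))

def norm(dn):  # lower-case a DN and drop whitespace around commas for comparison
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def parse_smb_global(text):  # {option: value} for [global], names lower-cased
    opts, in_global = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            k, v = line.split("=", 1)
            opts[k.strip().lower()] = v.strip()
    return opts

def ldif_dns(text):  # set of normalised DNs that an LDIF file would create
    return {norm(d) for d in re.findall(r"^dn:\s*(.+)$", text, re.M)}

def check(smb_conf, ldif):  # cross-check smb.conf against the LDIF; list of findings
    g, dns, out = parse_smb_global(smb_conf), ldif_dns(ldif), []
    suffix, admin = g.get("ldap suffix", ""), g.get("ldap admin dn", "")
    if norm(admin) not in dns:
        out.append("ldap admin dn %s is not created by the LDIF" % admin)
    elif not norm(admin).endswith(norm(suffix)):
        out.append("ldap admin dn %s lies outside ldap suffix" % admin)
    # every relative suffix must resolve to an OU the LDIF actually creates
    for key in ("ldap user suffix", "ldap group suffix",
                "ldap machine suffix", "ldap idmap suffix"):
        full = norm(g.get(key, "") + "," + suffix)
        if key in g and full not in dns:
            out.append("%s resolves to %s, which the LDIF does not create" % (key, full))
    # idmap ldap_base_dn entries must point at that same idmap OU
    idmap_ou = norm(g.get("ldap idmap suffix", "") + "," + suffix)
    for k, v in g.items():
        if k.endswith(":ldap_base_dn") and norm(v) != idmap_ou:
            out.append("%s = %s does not match %s" % (k, v, idmap_ou))
    # Samba documents ldapsam:editposix as requiring ldapsam:trusted = yes
    if g.get("ldapsam:editposix") == "yes" and g.get("ldapsam:trusted") != "yes":
        out.append("ldapsam:editposix = yes without ldapsam:trusted = yes")
    # the posted template shell = /bin/false keeps domain users off unix logins
    if g.get("template shell", "/bin/false") not in ("/bin/false", "/sbin/nologin", "/usr/sbin/nologin"):
        out.append("template shell %s allows unix shell logins" % g.get("template shell"))
    return out
```

Run check() on the real smb.conf and base.ldif before "net sam provision"; an empty list means the DNs Samba will write to all exist and agree.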
Old 01-13-2010, 04:14 PM   #3
kschmitt
Member
 
Registered: Jul 2009
Location: Chicago Suburbs
Distribution: Crux, CentOS, RHEL, Ubuntu
Posts: 96

Rep: Reputation: 23
Oops, didn't answer the original question!

Once samba/ldap is configured like that you can have your *nix boxes use LDAP to authenticate & get its groups, OR you can use winbind.

The LDAP config will be just like any other (the modern GUIs nearly do it for you), but it will be bypassing the samba layer. Depending on what you want, this is either good or bad.

Again for the winbind config, the modern GUIs nearly do all the work for you to connect.
 
Old 01-13-2010, 04:22 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Its development has ceased and I'm not too aware of any alternatives, but you *might* be interested in considering a different approach of using pGina (or an alternative if there are any) to directly authenticate windows against LDAP and not need to worry about the fake domain stuff with Samba.
 
Old 01-14-2010, 04:55 AM   #5
Blue_Ice
Member
 
Registered: Jul 2006
Location: Belgium
Distribution: Debian, Fedora, CentOS, Windows
Posts: 361

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by kschmitt View Post
Oops, didn't answer the original question!

Once samba/ldap is configured like that you can have your *nix boxes use LDAP to authenticate & get its groups, OR you can use winbind.

The LDAP config will be just like any other (the modern GUIs nearly do it for you), but it will be bypassing the samba layer. Depending on what you want, this is either good or bad.

Again for the winbind config, the modern GUIs nearly do all the work for you to connect.
So if I understand you correctly, by setting up Samba like this and creating users in Samba, this is also sufficient to log in to linux using ldap?
 
Old 01-15-2010, 10:13 AM   #6
kschmitt
Member
 
Registered: Jul 2009
Location: Chicago Suburbs
Distribution: Crux, CentOS, RHEL, Ubuntu
Posts: 96

Rep: Reputation: 23
Quote:
Originally Posted by Blue_Ice View Post
So if I understand you correctly, by setting up Samba like this and creating users in Samba, this is also sufficient to log in to linux using ldap?
Yes, it's sufficient for linux users to log in via LDAP. It's not as detailed or complicated a setup as you can get, but it's enough for authentication and groups.

--Kyle
 
Old 01-23-2010, 11:14 AM   #7
Blue_Ice
Member
 
Registered: Jul 2006
Location: Belgium
Distribution: Debian, Fedora, CentOS, Windows
Posts: 361

Original Poster
Rep: Reputation: Disabled
Question

When I try to execute 'net sam provision', I get the following error:

Code:
Checking for Domain Users group.
[2010/01/23 18:13:24, 0] lib/smbldap_util.c:smbldap_search_domain_info(286)
  smbldap_search_domain_info: Adding domain info for SERVER failed with NT_STATUS_UNSUCCESSFUL
Adding the Domain Users group.
Unable to allocate a new gid to create Domain Users group!
Checking for Domain Admins group.
Adding the Domain Admins group.
Unable to allocate a new gid to create Domain Admins group!
Check for Administrator account.
Adding the Administrator user.
Can't create Administrator user, Domain Admins group not available!
What does this mean and how do I solve it?
 
Old 01-24-2010, 10:33 AM   #8
Blue_Ice
Member
 
Registered: Jul 2006
Location: Belgium
Distribution: Debian, Fedora, CentOS, Windows
Posts: 361

Original Poster
Rep: Reputation: Disabled
Question

Fixed the problem... Didn't read carefully and made an assumption...

Although now a new problem has occurred: adding a Windows client to the domain is not working. It is talking about some DNS error. Windows is not able to find the domain name at the DNS server.

Code:
The domain name MYDOMAIN might be a NetBIOS domain name.  If this is the case, verify that the domain name is properly registered with WINS.

If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller for domain MYDOMAIN:

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.MYDOMAIN

Common causes of this error include the following:

- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. 
They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

195.xxx.xxx.xxx
195.xxx.xxx.xxx
10.xxx.xxx.xxx

- One or more of the following zones do not include delegation to its child zone:

MYDOMAIN
. (the root zone)

For information about correcting this problem, click Help.
There is also a second problem, I am not able to add a user using 'net rpc user add <username> -UAdministrator'.
Any ideas?
 
Old 01-27-2010, 11:46 AM   #9
kschmitt
Member
 
Registered: Jul 2009
Location: Chicago Suburbs
Distribution: Crux, CentOS, RHEL, Ubuntu
Posts: 96

Rep: Reputation: 23
Quote:
Originally Posted by Blue_Ice View Post
Fixed the problem... Didn't read carefully and made an assumption...

Although now a new problem has occurred: adding a Windows client to the domain is not working. It is talking about some DNS error. Windows is not able to find the domain name at the DNS server.

First thing is to fix that WINS/DNS error, chances are, that will fix everything else.

Look here, down at the lines about setting up samba as a wins server (It's an easy 2 lines, but I'll let you read from the experts : )
http://oreilly.com/catalog/samba/cha...k/ch07_03.html

Sorry for the delay!
 
Old 01-28-2010, 09:12 AM   #10
Blue_Ice
Member
 
Registered: Jul 2006
Location: Belgium
Distribution: Debian, Fedora, CentOS, Windows
Posts: 361

Original Poster
Rep: Reputation: Disabled
No problem about the delay, I am already grateful that you are willing to help me...

Unfortunately I have already tried the extra lines on that page. Doesn't seem to work though. Although after starting winbind again (shut down when configuring LDAP authentication), I get a new error message, also regarding the DNS. I tried to add the configuration items from O'Reilly again, but that didn't solve the issue either. The error message that I get now is:

Code:
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain MYDOMAIN:

The query was for the SRV record for _ldap._tcp.dc._msdcs.MYDOMAIN

The following domain controllers were identified by the query:

server.mydomain

Common causes of this error include:

- Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.

- Domain controllers registered in DNS are not connected to the network or are not running.

For information about correcting this problem, click Help.
Could it be that this is caused because I have one server that does everything? On that server I am running iptables (NAT), openldap, dhcp, bind (ddns), openvpn and samba. Maybe I should virtualize everything... Anyway, I am not sure if that causes the problem.

Thank you for your help.
 
Old 01-28-2010, 01:12 PM   #11
kschmitt
Member
 
Registered: Jul 2009
Location: Chicago Suburbs
Distribution: Crux, CentOS, RHEL, Ubuntu
Posts: 96

Rep: Reputation: 23
Humm. OK, would you mind posting the output of testparm? I'm interested in taking a look to see if it's something that I've seen before, or something that will pop out at me.

Having the one server that does everything shouldn't be a problem for this per se. But if you have, say, a drive crash, a problem with an upgrade, etc., that's when you'll have problems with everything on one machine.
 
Old 01-29-2010, 04:05 AM   #12
Blue_Ice
Member
 
Registered: Jul 2006
Location: Belgium
Distribution: Debian, Fedora, CentOS, Windows
Posts: 361

Original Poster
Rep: Reputation: Disabled
There are backups, of course... And it is not such a big problem when the server crashes. It is just a test environment.

Below, as requested, the output of testparm:

Code:
Load smb config files from /etc/samba/smb.conf
Processing section "[public]"
Processing section "[mp3z]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
	workgroup = HULSHOFF.HOME
	passdb backend = ldapsam
	name resolve order = wins lmhosts hosts bcast
	wins support = Yes
	ldap admin dn = cn=Manager,dc=hulshoff,dc=home
	ldap delete dn = Yes
	ldap group suffix = ou=groups
	ldap idmap suffix = ou=idmap
	ldap machine suffix = ou=computers
	ldap suffix = dc=hulshoff,dc=home
	ldap user suffix = ou=users
	idmap domains = HULSHOFF.HOME
	idmap backend = ldap:ldap://
	idmap alloc backend = ldap
	template homedir = /home/%U
	template shell = /bin/bash
	idmap alloc config:range = 50000-500000
	idmap alloc config:ldap_url = ldap://localhost
	idmap alloc config:ldap_user_dn = cn=Manager,dc=hulshoff,dc=home
	idmap alloc config:ldap_base_dn = ou=idmap,dc=hulshoff,dc=home
	idmap config HULSHOFF.HOME:range = 50000-500000
	idmap config HULSHOFF.HOME:ldap_url = ldap://localhost
	idmap config HULSHOFF.HOME:ldap_user_dn = cn=Manager,dc=hulshoff,dc=home
	idmap config HULSHOFF.HOME:ldap_base_dn = ou=idmap,dc=hulshoff,dc=home
	idmap config HULSHOFF.HOME:default = yes
	idmap config HULSHOFF.HOME:readonly = no
	idmap config HULSHOFF.HOME:backend = ldap
	ldapsam:editposix = yes
	ldapsam:trusted = yes

[public]
	comment = Public Share
	path = /opt/samba/public
	read only = No
	guest ok = Yes

[mp3z]
	comment = Music Share
	path = /opt/samba/mp3z
	write list = +domadmins
	guest ok = Yes
I hope you can see something wrong, because it looks fine to me.
 
Old 02-01-2010, 05:19 AM   #13
Blue_Ice
Member
 
Registered: Jul 2006
Location: Belgium
Distribution: Debian, Fedora, CentOS, Windows
Posts: 361

Original Poster
Rep: Reputation: Disabled
Question

In the meanwhile, I got a bit further. The output of testparm is now:

Code:
Load smb config files from /etc/samba/smb.conf
Processing section "[public]"
Processing section "[mp3z]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[userdata]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
	workgroup = HULSHOFF
	passdb backend = ldapsam
	name resolve order = wins lmhosts hosts bcast
	logon script = logon.cmd
	logon path = \\%N\profiles\%u
	logon drive = H:
	logon home = \\%N\userdata\%u
	domain logons = Yes
	os level = 80
	preferred master = Yes
	domain master = Yes
	wins support = Yes
	ldap admin dn = cn=Manager,dc=hulshoff,dc=home
	ldap delete dn = Yes
	ldap group suffix = ou=groups
	ldap idmap suffix = ou=idmap
	ldap machine suffix = ou=computers
	ldap suffix = dc=hulshoff,dc=home
	ldap user suffix = ou=users
	idmap domains = HULSHOFF.HOME
	idmap backend = ldap:ldap://
	idmap alloc backend = ldap
	template homedir = /home/%U
	template shell = /bin/bash
	idmap alloc config:range = 50000-500000
	idmap alloc config:ldap_url = ldap://ldap.hulshoff.home
	idmap alloc config:ldap_user_dn = cn=Manager,dc=hulshoff,dc=home
	idmap alloc config:ldap_base_dn = ou=idmap,dc=hulshoff,dc=home
	idmap config HULSHOFF.HOME:range = 50000-500000
	idmap config HULSHOFF.HOME:ldap_url = ldap://ldap.hulshoff.home
	idmap config HULSHOFF.HOME:ldap_user_dn = cn=Manager,dc=hulshoff,dc=home
	idmap config HULSHOFF.HOME:ldap_base_dn = ou=idmap,dc=hulshoff,dc=home
	idmap config HULSHOFF.HOME:default = yes
	idmap config HULSHOFF.HOME:readonly = no
	idmap config HULSHOFF.HOME:backend = ldap
	ldapsam:editposix = yes
	ldapsam:trusted = yes

[public]
	comment = Public Share
	path = /opt/samba/public
	read only = No
	guest ok = Yes

[netlogon]
	comment = Network Logon Service
	path = /opt/samba/netlogon
	guest ok = Yes
	share modes = No

[profiles]
	path = /opt/samba/profiles
	read only = No
	create mask = 0600
	directory mask = 0700

[userdata]
	path = /opt/samba/userdata
	read only = No
	create mask = 0600
	directory mask = 0700
Nevertheless joining a domain is still not really working.
Although I am getting closer as Windows is getting more cryptic when displaying an error.

The error is now:
Quote:
The following error occurred attempting to join the domain "hulshoff":

A device attached to the system is not functioning.
I guess I am almost there, but as always M$ is not really willing to help... Any ideas what this means?
 
Old 02-01-2010, 08:33 AM   #14
Blue_Ice
Member
 
Registered: Jul 2006
Location: Belgium
Distribution: Debian, Fedora, CentOS, Windows
Posts: 361

Original Poster
Rep: Reputation: Disabled
Disregard my last message... I found out that winbind wasn't running. Again...

Thanks for the help, just joined to my domain!
 
Old 02-01-2010, 12:49 PM   #15
kschmitt
Member
 
Registered: Jul 2009
Location: Chicago Suburbs
Distribution: Crux, CentOS, RHEL, Ubuntu
Posts: 96

Rep: Reputation: 23
Quote:
Originally Posted by Blue_Ice View Post
Disregard my last message... I found out that winbind wasn't running. Again...

Thanks for the help, just joined to my domain!
Awesome! Heh, glad you posted, I was just about to dig through your testparm output (lunchtime)!

Give a holler if you run into more issues. It's always interesting to troubleshoot.
 