
Samba authentication against external OpenLDAP users


                              
                         How to configure Samba with LDAP authentication

[~] yum install samba samba-clients smbldap-tools openldap openldap-servers openldap-clients phpldapadmin -y
[~] cp -r /etc/openldap /etc/openldap.bkp
[~] vi /etc/openldap/slapd.conf ----- New file
# create new
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
[~] cp -r /etc/openldap/slapd.d /etc/openldap/slapd.d_bkp
[~] rm -rf /etc/openldap/slapd.d/*
[~] slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
[~] cp -r /usr/share/doc/samba-3.*.*/LDAP/samba.ldif /etc/openldap/schema
[~] cp -r /usr/share/doc/samba-3.*.*/LDAP/samba.schema /etc/openldap/schema
[~] vi /etc/openldap/slapd.d/cn=config/olcDatabase\={0}config.ldif
# line 4: change
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
[~] vi /etc/openldap/slapd.d/cn=config/olcDatabase\={1}monitor.ldif
# create new
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {1}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
creatorsName: cn=config
modifiersName: cn=config

[~] chown -R ldap. /etc/openldap/slapd.d

[~] /etc/init.d/slapd start

[~] chkconfig slapd on

[~] ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=core,cn=schema,cn=config"

[~] ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[~] ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

[~] ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

[~] ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/samba.ldif

[~] slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

[~] vi backend.ldif
# create new
# replace the "dc=***,dc=***" parts with your own suffix
# replace the value of "olcRootPW: ***" with the {SSHA} hash you generated with slappasswd above; do not keep the example hash shown below
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=server,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=server,dc=com
olcRootPW: {SSHA}QDzMAHRnhnq9A3b43kqMcg2vCQoha/xv
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcMonitoring: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=server,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=server,dc=com" write by * read


$] ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
adding new entry "olcDatabase=hdb,cn=config"

[~] vi frontend.ldif
# create new
# replace the "dc=***,dc=***" parts with your own suffix (it must match the olcSuffix set in backend.ldif)
# replace the value of "userPassword: ***" with the {SSHA} hash you generated with slappasswd above
dn: dc=server,dc=world
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: Server

dn: cn=admin,dc=server,dc=world
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: ou=people,dc=server,dc=world
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=server,dc=world
objectClass: organizationalUnit
ou: groups

[~] ldapadd -x -D cn=admin,dc=server,dc=world -W -f frontend.ldif

Enter LDAP Password:
# password you set

adding new entry "dc=server,dc=world"

adding new entry "cn=admin,dc=server,dc=world"

adding new entry "ou=people,dc=server,dc=world"

adding new entry "ou=groups,dc=server,dc=world"

[~] /etc/init.d/slapd restart

[~] yum install phpldapadmin -y (to install phpldapadmin you need the EPEL repository enabled.)

[~] vi /etc/phpldapadmin/config/config.php
# edit lines 397 and 398; this allows logging in with a DN in phpLDAPadmin

$servers->setValue('login','attr','dn');
////$servers->setValue('login','attr','uid');

## Now edit some lines in Samba (keep "ldap suffix" and "ldap admin dn" consistent with the suffix used in the LDAP directory)

[~] yum install samba samba-clients smbldap-tools -y

[~] cat /etc/samba/smb.conf > /etc/samba/smb.conf.bkp

[~] vi /etc/samba/smb.conf

74 workgroup = SAMBA
75 server string = Samba Server Version %v

# ----------------------- Standalone Server Options ------------------------
94 #
95 # Security can be set to user, share(deprecated) or server(deprecated)
96 #
97 # Backend to store user information in. New installations should
98 # use either tdbsam or ldapsam. smbpasswd is available for backwards
99 # compatibility. tdbsam requires no further configuration.
100
101 security = user
102 ; passdb backend = tdbsam
103 passdb backend = ldapsam:ldap://192.168.202.10
104 ldap suffix = dc=server,dc=world
105 ldap machine suffix = ou=machines
106 ldap user suffix = ou=users
107 ldap group suffix = ou=groups
108 ldap idmap suffix = ou=Idmap
109 ldap admin dn = cn=admin,dc=server,dc=com
110 ldap ssl = no
111 ldap passwd sync = yes


#--------------------------------------------------------------------------
$] perl /usr/share/doc/smbldap-tools-0.9.6/configure.pl <-- configures smbldap-tools so Samba can create and delete users in the LDAP server

[~]# perl /usr/share/doc/smbldap-tools-0.9.6/configure.pl
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
       smbldap-tools script configuration
       -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
 . if your samba controller is up and running.
 . if the domain SID is defined (you can get it with the 'net getlocalsid')

 . you can leave the configuration using the Ctrl-c key combination
 . empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...

Samba Configuration File Path [/etc/samba/smb.conf] >

The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools] >
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...

. workgroup name: name of the domain Samba acts as a PDC for
  workgroup name [SAMBA] >
. netbios name: netbios name of the samba controller
  netbios name [] >
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
  logon drive [] >
. logon home: home directory location (for Win95/98 or NT Workstation).
  (use %U as username) Ex:'\\\%U'
  logon home (press the "." character if you don't want homeDirectory) [\\\%U] >
. logon path: directory where roaming profiles are stored. Ex:'\\\profiles\%U'
  logon path (press the "." character if you don't want roaming profiles) [\\\profiles\%U] >
. home directory prefix (use %U as username) [/home/%U] >
. default users' homeDirectory mode [700] >
. default user netlogon script (use %U as username) [] >
  default password validation time (time in days) [45] >
. ldap suffix [dc=server,dc=com] >
. ldap group suffix [ou=groups] >
. ldap user suffix [ou=users] >
. ldap machine suffix [ou=machines] >
. Idmap suffix [ou=Idmap] >
. sambaUnixIdPooldn: object where you want to store the next uidNumber
  and gidNumber available for new users and groups
  sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=SAMBA] >
. ldap master server: IP address or DNS name of the master (writable) ldap server
  ldap master server [192.168.202.10] >
. ldap master port [389] >
. ldap master bind dn [cn=admin,dc=server,dc=com] >
. ldap master bind password [] >
. ldap slave server: IP address or DNS name of the slave ldap server: can also be the master one
  ldap slave server [192.168.202.10] >
. ldap slave port [389] >
. ldap slave bind dn [cn=admin,dc=server,dc=com] >
. ldap slave bind password [] >
. ldap tls support (1/0) [0] >
. SID for domain SAMBA: SID of the domain (can be obtained with 'net getlocalsid ')
  SID for domain SAMBA [S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx] >
. unix password encryption: encryption used for unix passwords
  unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] >
. default user gidNumber [513] >
. default computer gidNumber [515] >
. default login shell [/bin/bash] >
. default skeleton directory [/etc/skel] >
. default domain name to append to mail address [] > server.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
backup old configuration files:
  /etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
  /etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
  /etc/smbldap-tools/smbldap.conf done.
  /etc/smbldap-tools/smbldap_bind.conf done.




$] smbpasswd -w secret
$] smbldap-populate
Populating LDAP directory for domain SAMBA (S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx)
(using builtin directory structure)
entry dc=server,dc=com already exist.
adding new entry: ou=users,dc=server,dc=com
entry ou=groups,dc=server,dc=com already exist.
adding new entry: ou=machines,dc=server,dc=com
adding new entry: ou=Idmap,dc=server,dc=com
adding new entry: uid=root,ou=users,dc=server,dc=com
adding new entry: uid=nobody,ou=users,dc=server,dc=com
adding new entry: cn=Domain Admins,ou=groups,dc=server,dc=com
adding new entry: cn=Domain Users,ou=groups,dc=server,dc=com
adding new entry: cn=Domain Guests,ou=groups,dc=server,dc=com
adding new entry: cn=Domain Computers,ou=groups,dc=server,dc=com
adding new entry: cn=Administrators,ou=groups,dc=server,dc=com
adding new entry: cn=Account Operators,ou=groups,dc=server,dc=com
adding new entry: cn=Print Operators,ou=groups,dc=server,dc=com
adding new entry: cn=Backup Operators,ou=groups,dc=server,dc=com
adding new entry: cn=Replicators,ou=groups,dc=server,dc=com
entry sambaDomainName=SAMBA,dc=server,dc=com already exist. Updating it...
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:

$] smbldap-useradd -a -m test.user
$] smbldap-passwd test.user
Changing UNIX and samba passwords for test.user
New password:
Retype new password:

Samba is now ready to accept SMB connections from Windows.

Open Run, enter \\192.168.202.10\, and supply the uid and password.

#####################Errors and Solutions#############################################################
Error 1: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
 SASL/EXTERNAL authentication started
 SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 SASL SSF: 0
 adding new entry "cn=cosine,cn=schema,cn=config"
 ldap_add: Other (e.g., implementation specific) error (80)
     additional info: olcAttributeTypes: Duplicate attributeType: "0.9.2342.19200300.100.1.2
Solution: this happens because the schema was already defined in slapd.conf when slaptest converted it, so this error can be ignored and you can continue.




Error 2: "make_server_info_sam() failed with NT_STATUS_UNSUCCESSFUL"
Solution: compare the Samba domain SID with the SID stored for the user in phpLDAPadmin, then check the user's SID itself, which should end in four digits.

