How to set up Samba with LDAP authentication
[~] yum
install samba samba-clients smbldap-tools openldap openldap-servers
openldap-clients phpldapadmin -y
[~] cp
-r /etc/openldap /etc/openldap.bkp
[~] vi
/etc/openldap/slapd.conf ----- New file
#
create new
pidfile
/var/run/openldap/slapd.pid
argsfile
/var/run/openldap/slapd.args
[~] cp
-r /etc/openldap/slapd.d /etc/openldap/slapd.d_bkp
[~] rm
-rf /etc/openldap/slapd.d/*
[~] slaptest
-f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
[~] cp
-r /usr/share/doc/samba-3.*.*/LDAP/samba.ldif /etc/openldap/schema
[~] cp
-r /usr/share/doc/samba-3.*.*/LDAP/samba.schema /etc/openldap/schema
[~] vi
/etc/openldap/slapd.d/cn=config/olcDatabase\={0}config.ldif
#
line 4: change
olcAccess:
{0}to * by
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
manage by * break
[~]
vi /etc/openldap/slapd.d/cn=config/olcDatabase\={1}monitor.ldif
#
create new
dn:
olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase:
{1}monitor
olcAccess: {1}to * by
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
manage by * break
olcAddContentAcl: FALSE
olcLastMod:
TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcMonitoring:
FALSE
structuralObjectClass: olcDatabaseConfig
creatorsName:
cn=config
modifiersName: cn=config
[~] chown
-R ldap. /etc/openldap/slapd.d
[~] /etc/init.d/slapd
start
[~] chkconfig
slapd on
[~]
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif
SASL/EXTERNAL
authentication started
SASL username:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF:
0
adding new entry "cn=core,cn=schema,cn=config"
[~]
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL
authentication started
SASL username:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF:
0
adding new entry "cn=cosine,cn=schema,cn=config"
[~]
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL
authentication started
SASL username:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF:
0
adding new entry "cn=nis,cn=schema,cn=config"
[~]
ldapadd -Y EXTERNAL -H ldapi:/// -f
/etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL
authentication started
SASL username:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF:
0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
[~] ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/samba.ldif
[~] slappasswd
New
password:
Re-enter
new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[~]
vi backend.ldif
#
create new
#
replace the section "dc=***,dc=***" with your own suffix; use the same suffix in frontend.ldif and in the smb.conf / smbldap-tools settings below (this example mixes dc=server,dc=com and dc=server,dc=world, which must be reconciled)
#
replace the section "olcRootPW: ***" with your own password hash
generated by slappasswd above
#
the olcAccess rules below protect only userPassword; the Samba password hashes (sambaLMPassword, sambaNTPassword) that smbldap-populate adds later fall under the final "to * ... by * read" rule, so add an equivalent "to attrs=sambaLMPassword,sambaNTPassword ... by * none" rule alongside it
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: back_hdb
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=server,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=server,dc=com
olcRootPW: {SSHA}QDzMAHRnhnq9A3b43kqMcg2vCQoha/xv
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcMonitoring: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=server,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=server,dc=com" write by * read
$]
ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
SASL/EXTERNAL
authentication started
SASL username:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF:
0
adding new entry "cn=module,cn=config"
adding
new entry "olcDatabase=hdb,cn=config"
[~]
vi frontend.ldif
#
create new
#
replace the section "dc=***,dc=***" with your own suffix (the same one used in backend.ldif)
#
replace the section "userPassword: ***" with your own
password hash generated by slappasswd above
dn: dc=server,dc=world
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: Server
dn: cn=admin,dc=server,dc=world
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
dn: ou=people,dc=server,dc=world
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=server,dc=world
objectClass: organizationalUnit
ou: groups
[~]
ldapadd -x -D cn=admin,dc=server,dc=world -W -f frontend.ldif
Enter LDAP Password:
#
password you set
adding
new entry "dc=server,dc=world"
adding
new entry "cn=admin,dc=server,dc=world"
adding
new entry "ou=people,dc=server,dc=world"
adding
new entry "ou=groups,dc=server,dc=world"
[~] /etc/init.d/slapd
restart
[~] yum
install phpldapadmin -y (phpldapadmin is provided by the EPEL repository, which must be
installed first.)
[~] vi
/etc/phpldapadmin/config/config.php
#edit
line No. 397 and 398, This will allow login as dn in phpldap admin
$servers->setValue('login','attr','dn');
////$servers->setValue('login','attr','uid');
## Now edit the following lines in smb.conf. The ldap suffix and ldap admin dn must match the directory created above; with ldap ssl = no (and ldap tls support 0 in smbldap-tools below) the bind password and password hashes are sent to 192.168.202.10 in cleartext.
[~] yum
install samba samba-clients smbldap-tools -y
[~] cat
/etc/samba/smb.conf > /etc/samba/smb.conf.bkp
[~] vi
/etc/samba/smb.conf
74
workgroup = SAMBA
75
server string = Samba Server Version %v
#
----------------------- Standalone Server Options
------------------------
94
#
95
# Scurity can be set to user, share(deprecated) or
server(deprecated)
96
#
97
# Backend to store user information in. New installations should
98
# use either tdbsam or ldapsam. smbpasswd is available for backwards
99
# compatibility. tdbsam requires no further configuration.
100
101
security = user
102
; passdb backend = tdbsam
103
passdb backend = ldapsam:ldap://192.168.202.10
104
ldap suffix = dc=server,dc=world
105
ldap machine suffix = ou=machines
106
ldap user suffix = ou=users
107
ldap group suffix = ou=groups
108
ldap idmap suffix = ou=Idmap
109
ldap admin dn = cn=admin,dc=server,dc=com
110
ldap ssl = no
111
ldap passwd sync = yes
#--------------------------------------------------------------------------
$] perl
/usr/share/doc/smbldap-tools-0.9.6/configure.pl <-- configure smbldap-tools so that
Samba can create and delete users in the LDAP directory
[~]# perl /usr/share/doc/smbldap-tools-0.9.6/configure.pl
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
smbldap-tools script configuration
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
. if your samba controller is up and running.
. if the domain SID is defined (you can get it with the 'net getlocalsid')
. you can leave the configuration using the Ctrl-c key combination
. empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...
Samba Configuration File Path [/etc/samba/smb.conf] >
The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools] >
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...
. workgroup name: name of the domain Samba acts as a PDC for
workgroup name [SAMBA] >
. netbios name: netbios name of the samba controller
netbios name [] >
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
logon drive [] >
. logon home: home directory location (for Win95/98 or NT Workstation).
(use %U as username) Ex:'\\\%U'
logon home (press the "." character if you don't want homeDirectory) [\\\%U] >
. logon path: directory where roaming profiles are stored. Ex:'\\\profiles\%U'
logon path (press the "." character if you don't want roaming profiles) [\\\profiles\%U] >
. home directory prefix (use %U as username) [/home/%U] >
. default users' homeDirectory mode [700] >
. default user netlogon script (use %U as username) [] >
default password validation time (time in days) [45] >
. ldap suffix [dc=server,dc=com] >
. ldap group suffix [ou=groups] >
. ldap user suffix [ou=users] >
. ldap machine suffix [ou=machines] >
. Idmap suffix [ou=Idmap] >
. sambaUnixIdPooldn: object where you want to store the next uidNumber
and gidNumber available for new users and groups
sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=SAMBA] >
. ldap master server: IP address or DNS name of the master (writable) ldap server
ldap master server [192.168.202.10] >
. ldap master port [389] >
. ldap master bind dn [cn=admin,dc=server,dc=com] >
. ldap master bind password [] >
. ldap slave server: IP address or DNS name of the slave ldap server: can also be the master one
ldap slave server [192.168.202.10] >
. ldap slave port [389] >
. ldap slave bind dn [cn=admin,dc=server,dc=com] >
. ldap slave bind password [] >
. ldap tls support (1/0) [0] >
. SID for domain SAMBA: SID of the domain (can be obtained with 'net getlocalsid ')
SID for domain SAMBA [S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx] >
. unix password encryption: encryption used for unix passwords
unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] >
. default user gidNumber [513] >
. default computer gidNumber [515] >
. default login shell [/bin/bash] >
. default skeleton directory [/etc/skel] >
. default domain name to append to mail address [] > server.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
backup old configuration files:
/etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
/etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
/etc/smbldap-tools/smbldap.conf done.
/etc/smbldap-tools/smbldap_bind.conf done.
$] smbpasswd -w secret   (stores the bind password of the ldap admin dn in secrets.tdb; replace "secret" with the password set for cn=admin above — note that a password given as an argument is recorded in the shell history)
$] smbldap-populate
Populating LDAP directory
for domain SAMBA (S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx)
(using builtin directory
structure)
entry dc=server,dc=com
already exist.
adding new entry:
ou=users,dc=server,dc=com
entry
ou=groups,dc=server,dc=com already exist.
adding new entry:
ou=machines,dc=server,dc=com
adding new entry:
ou=Idmap,dc=server,dc=com
adding new entry:
uid=root,ou=users,dc=server,dc=com
adding new entry:
uid=nobody,ou=users,dc=server,dc=com
adding new entry:
cn=Domain Admins,ou=groups,dc=server,dc=com
adding new entry:
cn=Domain Users,ou=groups,dc=server,dc=com
adding new entry:
cn=Domain Guests,ou=groups,dc=server,dc=com
adding new entry:
cn=Domain Computers,ou=groups,dc=server,dc=com
adding new entry:
cn=Administrators,ou=groups,dc=server,dc=com
adding new entry:
cn=Account Operators,ou=groups,dc=server,dc=com
adding new entry: cn=Print
Operators,ou=groups,dc=server,dc=com
adding new entry:
cn=Backup Operators,ou=groups,dc=server,dc=com
adding new entry:
cn=Replicators,ou=groups,dc=server,dc=com
entry
sambaDomainName=SAMBA,dc=server,dc=com already exist. Updating it...
Please provide a password
for the domain root:
Changing UNIX and samba
passwords for root
New password:
Retype new password:
$] smbldap-useradd -a -m
test.user
$] smbldap-passwd
test.user
Changing UNIX and samba
passwords for test.user
New password:
Retype new password:
Now ready to accept SMB
connections from Windows.
Enter the uid and password created above.
##################### Errors and Solutions #############################################################
error1: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: olcAttributeTypes: Duplicate attributeType: "0.9.2342.19200300.100.1.2
solution: this happens because the schema was already included in slapd.conf when slaptest converted it, so the attribute type is already defined; the error can be ignored and you can go ahead.
error
2: "make_server_info_sam() failed with NT_STATUS_UNSUCCESSFUL"
solution:
To fix, compare the Samba domain SID (net getlocalsid) with the sambaSID of the user entry in phpldapadmin;
the user's sambaSID must start with the domain SID, followed by the user's RID (usually four digits).