LDAP-SAMBA-PDC on Redhat Enterprise Linux 5
1. Introducing LDAP
LDAP (Lightweight Directory Access Protocol)
LDAP is a standard directory access protocol: the language a client and a server use to talk to each other.
"Lightweight" means the protocol is efficient, simple and easy to implement, while still offering high-level operations. This contrasts with the "heavyweight" X.500 Directory Access Protocol (DAP), whose full OSI protocol stack and encoding are far more complex. LDAP uses a small set of operations and runs directly over TCP at the application layer.
The LDAP client/server model:
We start by looking at LDAP as a client/server communication protocol.
Client/server protocol: a client program running on one computer sends a request over the network to another computer running a server program; the server receives the request, carries it out and returns the result to the client program. The basic idea of the client/server model is to assign each job to the computer that has been optimised to perform it.
A typical LDAP server, for example, has a lot of RAM so that it can hold the directory contents in memory for fast lookups; it also needs fast disks and a fast processor.
2. LDAP Models
LDAP models represent the services provided by a server, as seen by a client. They are abstract models that describe the various facets of an LDAP directory. RFC 2251 divides an LDAP directory into two components: the protocol model and the data model. However, in "Understanding and Deploying LDAP Directory Services", four models are defined:
- Information model
- Naming model
- Functional model
- Security model
3. Lab environment
• LDAP/Samba server (OpenLDAP is used to configure the LDAP server):
Hostname: ldap-server
IP Address: 192.168.1.3/24
DNS server: 192.168.1.2
• Linux client:
Hostname: ubuntu-01
• Windows XP client:
Hostname: WS-01
DNS server: 192.168.1.2
a. Installing the required packages:
* OpenLDAP packages
openldap
openldap-clients
openldap-servers
openldap-devel
compat-openldap
python-ldap
ldapjdk
php-ldap
nss_ldap
* Samba packages
samba
samba-common
samba-client
* Samba-LDAP tools (smbldap-tools and its Perl dependencies), download at:
http://dag.wieers.com/rpm/packages/
perl-Crypt-SmbHash
perl-Digest-SHA
perl-Jcode
perl-Unicode-Map
perl-Unicode-Map8
perl-Unicode-MapUTF8
perl-Unicode-String
smbldap-tools
b. Basic setup and configuration
* Configuring DNS, using the domain name example.com
* Configuring LDAP (the default ldap port is 389, the ldaps port is 636)
→ editing /etc/openldap/slapd.conf with the following contents:
# Add the schemas samba.schema, openldap.schema, nis.schema, core.schema,
# cosine.schema, inetorgperson.schema, misc.schema, ... to the directory
# /etc/openldap/schema (samba.schema ships with the Samba sources/examples and has to be copied there).
# Using Samba 3.0.22 and OpenLDAP, we will store:
# • Microsoft Windows user accounts, using the sambaSamAccount object class (samba.schema)
# • Microsoft Windows computer accounts (i.e. workstations), using the sambaSamAccount object class
# • Unix user accounts, using the posixAccount object class and the shadowAccount object class
#   for the shadow password suite (nis.schema)
# • Users and groups, using the posixGroup and sambaGroupMapping object classes
# • security accounts used by software clients (Samba and Linux), using the simpleSecurityObject
#   object class (core.schema)
# The include order matters: cosine.schema must precede inetorgperson.schema and nis.schema,
# and samba.schema depends on all three.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/samba.schema
...
...
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.com
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
## if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
## rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
# LDAP backend types: ldbm and bdb. ldbm is a local database storage that uses
# GNU Database Manager or Berkeley DB (Sleepycat); bdb uses Berkeley DB directly
# with extensive indexing and caching to speed up performance, and it is the
# recommended backend for an OpenLDAP server.
#######################################################################
database bdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should be avoided. See slappasswd(8) and
# slapd.conf(5) for details. Use of strong authentication is encouraged.
# One of the following password hashing schemes can be used here: SSHA, MD5, ...
# The default scheme is SSHA.
# To hash the administrator password, run slappasswd (which prompts for the password) or
# slappasswd -h {SSHA} -s rootpass (note that -s leaves the password in the shell history
# and the process list, so the prompt is preferable).
rootpw {SSHA}GdC7Q5iKdWbS0jzuyzqcTydNfM9nwX8Q
# The database directory must exist prior to running slapd and should only be
# accessible by the slapd and slap tools. Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass eq
index uid pres,eq,sub
==> Save the configuration file and start the LDAP service.
Two points to check before the directory holds real accounts: with the access directives left commented out as above, every attribute, including userPassword, sambaLMPassword and sambaNTPassword, is readable by anonymous binds, and the NT hash is password-equivalent for SMB authentication; so restrict those attributes with an "access to attrs=..." rule that grants "by self write", "by anonymous auth" and "by * none", placed before the catch-all rule. Also, the "security" directive is still commented out, so simple binds (including the Samba admin bind) are accepted over cleartext ldap://.
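As an added example (Python, not part of the original page or of OpenLDAP), the following reproduces the {SSHA} scheme that slappasswd uses for the rootpw line above, verifies a password against a stored value, and checks a slapd.conf fragment for a cleartext rootpw. The example hash is the one shown in the configuration above; the slapd.conf snippets and the test password are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os

# OpenLDAP's {SSHA} scheme: base64( SHA-1(password || salt) || salt ).
# slappasswd appends a 4-byte random salt; a verifier must recover the salt as
# "everything after the 20-byte digest" rather than assume its length.
SHA1_LEN = 20

# The rootpw value shown in the slapd.conf above (32 base64 chars = 20-byte digest + 4-byte salt).
PAGE_ROOTPW = "{SSHA}GdC7Q5iKdWbS0jzuyzqcTydNfM9nwX8Q"


def ssha_hash(password, salt=None):
    """Return a slappasswd-compatible {SSHA} string for password."""
    if salt is None:
        salt = os.urandom(4)          # fresh random salt per hash, as slappasswd does
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored):
    """Split a {SSHA} string into (digest, salt); return None if it is malformed."""
    if not stored.startswith("{SSHA}"):
        return None
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:                 # binascii.Error is a ValueError
        return None
    if len(raw) <= SHA1_LEN:           # no salt present: not a valid SSHA value
        return None
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password, stored):
    """Check password against a stored {SSHA} value such as the rootpw line."""
    parts = ssha_split(stored)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison, so timing does not leak digest bytes
    return hmac.compare_digest(candidate, digest)


def rootpw_is_hashed(slapd_conf):
    """True if every rootpw directive in a slapd.conf text uses a hashed scheme.

    slapd.conf accepts 'rootpw secret' (cleartext) and 'rootpw {CLEARTEXT}secret';
    both are flagged, as slapd.conf(5) recommends against them.
    """
    for line in slapd_conf.splitlines():
        fields = line.strip().split(None, 1)
        if len(fields) == 2 and fields[0].lower() == "rootpw":
            value = fields[1].strip().strip('"')
            if not value.startswith("{") or value.upper().startswith("{CLEARTEXT}"):
                return False
    return True


# Constructed slapd.conf fragments (not from the page) used to exercise the check.
WEAK_CONF = 'database bdb\nsuffix "dc=example,dc=com"\nrootpw secret\n'
HASHED_CONF = 'database bdb\nsuffix "dc=example,dc=com"\nrootpw ' + PAGE_ROOTPW + '\n'

if __name__ == "__main__":
    h = ssha_hash("rootpass")
    print(h, ssha_verify("rootpass", h), ssha_verify("wrong", h))
    print(rootpw_is_hashed(WEAK_CONF), rootpw_is_hashed(HASHED_CONF))
```

The salt is recovered from the stored value rather than assumed to be four bytes, so hashes produced by other tools with longer salts still verify; a value shorter than the digest is rejected instead of being treated as an unsalted hash.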
• Introducing Samba
Samba is an open source product that uses the SMB (Server Message Block) protocol. It lets a Linux machine share files and printers with machines running Windows or Unix.
Samba version 3 features:
- Joining an Active Directory domain using LDAP or Kerberos
- Unicode support
- Windows XP can connect to a Samba server without a registry hack
• Functions of Samba:
- Sharing folders and printers among Linux, Windows and Unix machines
- Authenticating logins to your Linux machine against an AD/NT domain
- WINS service provider
- Acting as a Primary Domain Controller
- Acting as a Backup Domain Controller for a Samba Primary Domain Controller
- ...
However, Samba 3 cannot be:
- a BDC for a Windows PDC, or the reverse
- an Active Directory domain controller (ADC)
--> editing /etc/samba/smb.conf with the following contents:
==============Global Settings================
--------------------Network Related Options-------------
[global]
workgroup = example # defines the domain name
server string = LDAP-SAMBA-PDC
netbios name = LDAP
interfaces = lo, eth0
hosts allow = 127. 192.168.1.
------------------------Logging Options-------------------
log file = /var/log/samba/log.%m # logs split per machine
max log size = 5000 # KB
log level = 0
syslog = 0
# The security level can be set to one of the modes user, share, server, domain and ADS.
# In "user level security" the client sends a session setup request directly after protocol
# negotiation. This request carries a username and password, and the server can accept
# or reject the username/password combination; only if it is accepted does the client go on
# to connect to shares.
# "domain" security mode keeps all user and group accounts in a central, shared repository
# that is shared between the Domain Controllers (DCs).
# "ADS" security mode requires a Microsoft Active Directory domain controller; to use it,
# the ldap-samba server must be joined as a member of a native AD domain.
# A PDC uses user level security:
security = user
# select where user and group account information is stored
# (the bind as "ldap admin dn" is a simple bind, so if the directory is on another host
# use ldaps:// or "ldap ssl = start tls" rather than a plain ldap:// URL):
passdb backend = ldapsam:ldap://192.168.1.2
-----------------Domain Controller Options------------------
domain master = yes # Primary Domain Controller
domain logons = yes # central role in logon management
# The logon script name depends on the machine name:
; logon script = %m.bat
# The logon script name depends on the unix user used:
; logon script = %u.bat
; logon path = \\%L\Profiles\%u
# Disable profile support by specifying an empty path:
; logon path =
# Domain control parameters (os level, preferred master, domain master, security,
# encrypted passwords and domain logons) play the central role in controlling the domain.
# Environment parameters (logon path, logon home, logon drive and logon script) control
# what the client does at logon and provide automatic settings for easy network administration.
----------------Configuring LDAP--------------------
ldap admin dn = cn=admin,dc=example,dc=com
ldap suffix = dc=example,dc=com
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
delete user script = /usr/sbin/smbldap-userdel "%u"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
ldap delete dn = Yes
[homes]
comment = Home Directories
valid users = %U
read only = No
browseable = No
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = No
browseable = No
writable = No
[Profiles]
comment = User profiles
path = /var/lib/samba/profiles
valid users = %U
read only = No
create mask = 0600
directory mask = 0700
browseable = No
# The user account must exist before its home folder and profile directory are created.
[printers]
comment = All Printers
path = /var/spool/samba
printable = yes
browseable = yes
guest ok = yes
writable = no
public = yes
create mode = 0700
--> saving configuration file and launching samba service:
#service smb start
--> testing samba configuration:
#testparm
The password Samba uses to bind to the LDAP server as "ldap admin dn" is not stored in smb.conf.
Set it with "smbpasswd -w password"; Samba stores it in secrets.tdb (keep that file readable by root only).
If "ldap admin dn" is changed, the password must be set again.
*** Configuring smbldap-tools
smbldap-tools is a package containing scripts to manage users and groups when LDAP is used as the source of user/group data (for Unix and for Samba). We use those scripts in this howto to add, delete and modify users and groups.
# get the SID of the domain
#net getlocalsid
SID for domain LDAP is: S-1-5-21-2947593256-2807937743-580805715
--> editing /etc/smbldap-tools/smbldap.conf with the following contents:
SID = "S-1-5-21-2947593256-2807937743-580805715"
# Specify the domain name. If not specified, it is taken from smb.conf
sambaDomain = "example"
# For a stable, fault-tolerant and performant solution, use LDAP servers running in
# parallel (master/slave replication). With a single standalone LDAP server, declare it
# as both the "master ldap server" and the "slave ldap server".
masterLDAP = "ldap.example.com"
masterPort = "389"
slaveLDAP = "ldap.example.com"
slavePort = "389"
ldapTLS = "0" # set to "1" to use TLS (STARTTLS on port 389)
ldapSSL = "0" # set to "1" to use SSL; the standard ldaps port is 636
suffix = "dc=example,dc=com"
usersdn = "ou=Users,${suffix}"
computersdn = "ou=Computers,${suffix}"
groupsdn = "ou=Groups,${suffix}"
sambaUnixIdPooldn = "sambaDomainName=${sambaDomain},${suffix}"
# default scope used
scope = "sub"
# password hash (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt = "SSHA"
# Default login shell
userLoginShell = "/bin/bash"
# Home directories
userHome = "/home/%U"
# Mode used for user directories
userHomeDirectoryMode = "700"
# Default user (UNIX and Samba) GID
defaultUserGid = "513" # corresponds to "Domain Users"
# Default computer (Samba) GID
defaultComputerGid = "515"
# Default password validity (time in days)
defaultMaxPasswordAge = "45"
# The UNC path to the home folder location
userSmbHome = "\\192.168.1.2\%u" # if left empty, the value of "logon home" in smb.conf is used
# The UNC path to the profiles location
userProfile = "\\192.168.1.2\profiles\%u"
# The default Home Drive Letter mapping
userHomeDrive = "H:"
# Domain appended to the users' "mail" attribute
mailDomain = "example.com"
# ########SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
--> saving configuration file
--> editing /etc/smbldap-tools/smbldap_bind.conf with the following contents:
# this file tells smbldap-tools how to bind to the LDAP server. It has to be a DN with full write access to
# the Samba portion of the database.
slaveDN="cn=admin,dc=example,dc=com"
slavePwd="123456" # "123456" is used as the password for testing only
masterDN="cn=admin,dc=example,dc=com"
masterPwd="123456"
--> saving configuration file (it holds the directory administrator's password in cleartext, so it must be readable by root only, mode 0600)
--> using the "smbldap-populate" command to populate the LDAP tree
#smbldap-populate
Populating LDAP directory for domain HITTC (S-1-5-21-2947593256-2807937743-580805715)
(using builtin directory structure)
adding new entry: dc=example,dc=com
adding new entry: ou=Users,dc=example,dc=com
adding new entry: ou=Groups,dc=example,dc=com
adding new entry: ou=Computers,dc=example,dc=com
adding new entry: uid=root,ou=Users,dc=example,dc=com
adding new entry: uid=nobody,ou=Users,dc=example,dc=com
adding new entry: cn=Domain Admins,ou=Groups,dc=example,dc=com
adding new entry: cn=Domain Users,ou=Groups,dc=example,dc=com
adding new entry: cn=Domain Guests,ou=Groups,dc=example,dc=com
adding new entry: cn=Domain Computers,ou=Groups,dc=example,dc=com
adding new entry: cn=Administrators,ou=Groups,dc=example,dc=com
adding new entry: cn=Account Operators,ou=Groups,dc=example,dc=com
adding new entry: cn=Print Operators,ou=Groups,dc=example,dc=com
adding new entry: cn=Backup Operators,ou=Groups,dc=example,dc=com
adding new entry: cn=Replicators,ou=Groups,dc=example,dc=com
adding new entry: sambaDomainName=HITTC,dc=example,dc=com
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password
--> use the ldapsearch command to browse the LDAP tree, or a GUI browser such as LDAP Browser or phpLDAPadmin
LDAP Browser can be downloaded at: http://www.ldapadministrator.com/
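As an added example (Python, not part of the original page or of smbldap-tools), the following parses the key="value" format of smbldap.conf and smbldap_bind.conf and audits the settings shown above for the weaknesses a reviewer would flag: cleartext LDAP to a remote host (ldapTLS and ldapSSL both "0"), a weak bind password, a bind identity that is the slapd rootdn (which bypasses every ACL), and a cleartext or unsalted userPassword scheme. The two configuration texts are constructed copies of the files above trimmed to the keys the audit reads; the weak-password list is an assumption. Note that sambaNTPassword is stored as the raw NT hash regardless of hash_encrypt, which is why the directory ACLs matter as much as this file.

```python
import re

# Constructed, trimmed copies of the two files shown above (not the real files on disk).
SMBLDAP_CONF = '''
sambaDomain="example"
masterLDAP="ldap.example.com"
masterPort="389"
slaveLDAP="ldap.example.com"
slavePort="389"
ldapTLS="0"   # set to "1" to use STARTTLS
ldapSSL="0"   # set to "1" to use ldaps on port 636
suffix="dc=example,dc=com"
hash_encrypt="SSHA"
'''

SMBLDAP_BIND_CONF = '''
slaveDN="cn=admin,dc=example,dc=com"
slavePwd="123456"
masterDN="cn=admin,dc=example,dc=com"
masterPwd="123456"
'''

_KV = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
WEAK_PASSWORDS = {"", "123456", "password", "secret", "admin"}  # assumption: demo list only
UNSALTED = {"SHA", "MD5"}   # hash_encrypt values that store an unsalted digest


def parse_smbldap(text):
    """Parse the key="value" lines of smbldap.conf / smbldap_bind.conf into a dict."""
    values = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    return values


def _norm_dn(dn):
    """Normalise a DN enough to compare it: lower-case, no spaces around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def audit(conf, bind, rootdn=None):
    """Return a list of findings for a parsed smbldap.conf and smbldap_bind.conf.

    rootdn, if given, is the slapd.conf rootdn: binding as it bypasses every ACL.
    """
    findings = []
    cleartext = conf.get("ldapTLS", "0") == "0" and conf.get("ldapSSL", "0") == "0"
    hosts = {conf.get("masterLDAP", ""), conf.get("slaveLDAP", "")} - {""}
    for host in sorted(hosts):
        if cleartext and host not in LOOPBACK:
            findings.append(
                "cleartext LDAP to %s: the bind password in smbldap_bind.conf and every "
                "password hash written by smbldap-tools cross the network unprotected "
                "(set ldapTLS=\"1\" or ldapSSL=\"1\")" % host)
    for role in ("master", "slave"):
        dn = bind.get(role + "DN", "")
        pwd = bind.get(role + "Pwd")
        if pwd is not None and pwd in WEAK_PASSWORDS:
            findings.append("%s: weak bind password for %s" % (role, dn or "?"))
        if rootdn and dn and _norm_dn(dn) == _norm_dn(rootdn):
            findings.append(
                "%s: binds as the slapd rootdn, which bypasses every ACL; use a dedicated "
                "DN whose write access is limited to the Samba subtree" % role)
    scheme = conf.get("hash_encrypt", "").upper()
    if scheme == "CLEARTEXT":
        findings.append("hash_encrypt=CLEARTEXT stores userPassword unhashed")
    elif scheme in UNSALTED:
        findings.append("hash_encrypt=%s is unsalted; prefer SSHA" % scheme)
    return findings


def secret_file_mode_ok(mode):
    """True if a st_mode value (e.g. os.stat(path).st_mode) grants nothing to group/other.

    smbldap_bind.conf holds the admin password in cleartext, so it must be 0600.
    """
    return (mode & 0o077) == 0


if __name__ == "__main__":
    for finding in audit(parse_smbldap(SMBLDAP_CONF), parse_smbldap(SMBLDAP_BIND_CONF),
                         rootdn="cn=admin,dc=example,dc=com"):
        print("-", finding)
```

Run against the files above with the rootdn from slapd.conf, the audit reports the cleartext connection to ldap.example.com, the "123456" password for both roles, and that both roles bind as the rootdn; the SSHA scheme passes. To check the on-disk file, pass os.stat("/etc/smbldap-tools/smbldap_bind.conf").st_mode to secret_file_mode_ok.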
4. Creating machine accounts for domain login
- For Linux clients, the client account information is added during the client configuration process.
- For Windows clients, create the machine account as follows (the trailing "$" marks a machine account):
#smbldap-useradd -w computer_name
# useradd -d /dev/null -s /sbin/false computer_name$
ex:
#smbldap-useradd -w ws-01
# useradd -d /dev/null -s /sbin/false ws-01$
* Creating user accounts
# smbldap-useradd -m -a username
# useradd username
# smbldap-passwd username
(The local useradd commands are only needed if the server itself does not resolve accounts through nss_ldap; with nss_ldap in place the LDAP entry created by smbldap-useradd is enough.)
Graphical tools such as phpLDAPadmin, Webmin or LDAP Admin can also be used to create user and computer accounts.
5. Configuring clients to authenticate against LDAP
* Linux clients
The software packages to install on the Linux workstation (ubuntu-01) are:
• libpam-ldap: PAM module that allows authentication via LDAP.
• libnss-ldap: NSS module that looks up user and group information in LDAP.
• nss-updatedb: keeps a local cache of the user and group databases, used when the network is slow or the directory is unreachable (outage).
Perform the following steps:
• Update the package list
• When installing libpam-ldap, provide the following parameters:
o LDAP server Uniform Resource Identifier: ldap://192.168.1.2
o Distinguished name of the search base: dc=example,dc=com
o LDAP version to use: 3
o LDAP account for root: cn=admin,dc=hittc,dc=com
o LDAP root account password: 123456
• When installing libnss-ldap, provide the parameters:
o LDAP account for root: cn=admin,dc=hittc,dc=com
o LDAP root account password: 123456
(The "root" DN and password are written to /etc/pam_ldap.secret and /etc/libnss-ldap.secret on the workstation; keep them mode 0600, and remember that they give full write access to the directory, so anyone who is root on the workstation becomes a directory administrator. With a plain ldap:// URI and no TLS, the passwords pam_ldap sends also cross the network in cleartext. Note that the admin DN must lie under the search base; this howto mixes dc=example,dc=com and dc=hittc,dc=com, so use the suffix configured in slapd.conf for both.)
• Configure nsswitch. /etc/nsswitch.conf determines which name services are queried for each database and in which order. Edit /etc/nsswitch.conf with the following contents:
passwd: files ldap
group: files ldap
Test the configuration with:
#getent passwd
#getent group
• Configure PAM
There are 4 PAM configuration files related to LDAP:
/etc/pam.d/common-auth
/etc/pam.d/common-account
/etc/pam.d/common-password
/etc/pam.d/common-session
# vi /etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix.so
#vi /etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
#vi /etc/pam.d/common-password
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
#vi /etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_ldap.so
session optional pam_foreground.so
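As an added example (Python, not part of the original page or of Linux-PAM), the following parses the common-* files above and evaluates a stack the way Linux-PAM treats the required, requisite, sufficient and optional control flags. It shows why pam_ldap has to come first: with "sufficient pam_ldap.so" before "required pam_unix.so" an LDAP user never reaches pam_unix, a purely local user falls through to it, and with the order reversed the sticky failure of the required pam_unix line (there is no local entry for an LDAP-only user) makes the login fail even though pam_ldap succeeds. The per-module results are constructed inputs; the file text is a copy of the common-auth file above, and the reversed variant is a configuration this page does not use.

```python
# Constructed copy of the common-auth file from above.
COMMON_AUTH = """
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
"""

# Same modules in the opposite order: NOT the page's configuration, included only to
# show why the order matters.
REVERSED_AUTH = """
auth required pam_unix.so nullok_secure
auth sufficient pam_ldap.so use_first_pass
"""

CONTROLS = {"required", "requisite", "sufficient", "optional"}


def parse_pam(text, pam_type):
    """Return [(control, module, args)] for the lines of the given type (auth, account, ...)."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] != pam_type or len(fields) < 3:
            continue
        control, module, args = fields[1], fields[2], fields[3:]
        if control not in CONTROLS:
            # the [value=action ...] syntax is not modelled here
            raise ValueError("unsupported control flag: " + control)
        stack.append((control, module, args))
    return stack


def evaluate_stack(stack, results):
    """Evaluate a PAM stack with Linux-PAM's simple control-flag semantics.

    results maps module name -> True (PAM_SUCCESS) / False. A module missing from
    results counts as failing, which is also what happens when the .so cannot be
    loaded. Returns (outcome, list of modules that were actually consulted).
    """
    required_failed = False
    consulted = []
    for control, module, _args in stack:
        ok = results.get(module, False)
        consulted.append(module)
        if control == "required":
            if not ok:
                required_failed = True      # sticky: later modules still run, but the stack fails
        elif control == "requisite":
            if not ok:
                return False, consulted     # fail immediately
        elif control == "sufficient":
            if ok and not required_failed:
                return True, consulted      # short-circuit: later modules are not run
        elif control == "optional":
            if len(stack) == 1 and not ok:
                required_failed = True      # only counts when it is the sole module
    return not required_failed, consulted


if __name__ == "__main__":
    page_stack = parse_pam(COMMON_AUTH, "auth")
    ldap_user = {"pam_ldap.so": True, "pam_unix.so": False}   # LDAP-only account
    local_user = {"pam_ldap.so": False, "pam_unix.so": True}  # /etc/shadow account
    print("LDAP user :", evaluate_stack(page_stack, ldap_user))
    print("local user:", evaluate_stack(page_stack, local_user))
    print("reversed  :", evaluate_stack(parse_pam(REVERSED_AUTH, "auth"), ldap_user))
```

The same evaluator applied to the common-account stack explains a side effect of "account sufficient pam_ldap.so": once the LDAP account check succeeds, pam_unix's local expiry checks are never consulted for that user, so account expiry has to be enforced in the directory (shadowAccount attributes) rather than in /etc/shadow.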
* Windows clients
Right-click "My Computer" --> choose "Properties" --> choose the "Computer Name" tab --> click the "Change" button --> choose the "Domain" radio button --> type the domain name "hittc" in the domain dialog --> OK --> OK --> restart and log on to the domain. The join prompts for an account allowed to add machines to the domain, e.g. the domain root account whose password was set by smbldap-populate.