Samba/LDAP configuration on RHEL5


Introduction
A straightforward tutorial to configure Samba/LDAP as a Primary Domain Controller / Directory on RHEL5.

Note. local user mapping is mandatory as Samba needs UNIX users too.


Package dependencies
Make sure you've got those RHEL packages installed,
openldap-servers
nss_ldap
samba
httpd
mysql
mysql-server
php-ldap
php-mysql
php-pdo
php-cli
perl-DBI
perl-DBD-MySQL
perl-Convert-ASN1
perl-XML-NamespaceSupport
perl-XML-SAX
perl-Net-SSLeay
perl-IO-Socket-SSL
perl-LDAP
perl-Digest-SHA1
Note. the "nss_ldap" package provides the PAM/LDAP library,
ll /lib/security/pam_ldap.so

Plus those few ones from EPEL (fedoraproject.org/wiki/EPEL),
perl-Crypt-SmbHash
perl-Digest-MD4
perl-Jcode
perl-Unicode-Map
perl-Unicode-Map8
perl-Unicode-MapUTF8
perl-Unicode-String



Network settings
Configure static look ups,
vi /etc/hosts
like,
127.0.0.1  localhost
IP    HOSTNAME  SHORT_HOSTNAME


OpenLDAP server
Add that schema,
cp /usr/share/doc/samba-3.0.25b/LDAP/samba.schema /etc/openldap/schema/

Configure the daemon,
mv -f /etc/openldap/slapd.conf /etc/openldap/slapd.conf.dist
cat > /etc/openldap/slapd.conf <<EOF9
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

database bdb
suffix "dc=example,dc=net"
rootdn "cn=admin,dc=example,dc=net"
rootpw LDAP_PASSWORD
# rootpw {crypt}ijFYNcSNctBYg
directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
EOF9
Note you could use a crypted rootpw instead (see the commented line above). Then add,
password-hash {CRYPT}
Note you could add some Samba indexes,
index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass pres,eq
index default sub
Note you could also add the TLS configuration later on.

Configure the database,
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
chmod 600 /var/lib/ldap/DB_CONFIG

Start, check and stop the service,
service ldap start
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts # should return two lines
service ldap stop
slapcat # should return empty

Initialize the database,
cat > /etc/openldap/init.ldif <<EOF9
dn: dc=example,dc=net
objectclass: dcObject
objectclass: organization
o: Ministere de la justice
dc: example

dn: cn=admin,dc=example,dc=net
objectclass: organizationalRole
cn: admin
EOF9
slapadd -l /etc/openldap/init.ldif && print " Done"
chown -R ldap:ldap /var/lib/ldap
chmod 600 /var/lib/ldap/*
slapcat # should return the two ldap entries

Start & check the service,
service ldap start
chkconfig ldap on
ldapsearch -x -b "dc=example,dc=net"


Phpldapadmin frontend (optional)
Prepare PHP,
mv -f /etc/php.ini /etc/php.ini.dist
sed 's/memory_limit = 16M/memory_limit = 32M/' /etc/php.ini.dist > /etc/php.ini

Fetch phpldapadmin (phpldapadmin.sourceforge.net) and untar it,
tar xzf phpldapadmin-1.1.0.5.tar.gz
mv phpldapadmin-1.1.0.5 /var/www/html/ldap
Note if this is a fresh OS install,
mv -f /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.dist

Configure the frontend,
vi /var/www/html/ldap/config/config.php
namely,
$config->custom->jpeg['tmpdir'] = "/tmp";

Start the http daemon,
service httpd start
chkconfig httpd on

Check the url and login,


Samba Domain Controller
Configure the daemons,
mv /etc/samba/smb.conf /etc/samba/smb.conf.dist
cat /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smb.conf \
| sed '
/^$/d;
/^#/d;
/^[[:space:]]*#/d;
s|/opt/IDEALX/|/usr/local/|g;
s/cn=Manager/cn=admin/g;
s/dc=idealx,dc=org/dc=example,dc=net/g;
s/idealx.com/example.net/g;  
s/IDEALX-NT/EXAMPLE/g;
s/PDC-SRV/SHORT_HOSTNAME/g;
s/Samba Server %v/Domain Controller/g
/min passwd length/d;
/printer admin/d;
' > /etc/samba/smb.conf && print " Done"

Edit the configuration,
vi /etc/samba/smb.conf
and add this at the end for user shares,
[homes]
comment = Home Directories
browseable = no
writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S


Smbldap-tools connector
Prepare the scripts,
cp /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-* /usr/local/sbin/
cp /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap_tools.pm /usr/local/sbin/
chmod +x /usr/local/sbin/smbldap*

Configure the connector,
cat /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap.conf \
| sed '
/^$/d;
/^#/d;
/^[[:space:]]*#/d;
s|/opt/IDEALX/|/usr/local/|g;
s/cn=Manager/cn=admin/g;
s/dc=idealx,dc=org/dc=example,dc=net/g;
s/idealx.com/example.net/g;  
s/IDEALX-NT/EXAMPLE/g;
s/PDC-SRV/SHORT_HOSTNAME/g;
s/ldapTLS="1"/ldapTLS="0"/;
/cafile/d;
/clientcert/d;
/clientkey/d;
' >> /etc/smbldap-tools/smbldap.conf && print " Done"

Get the Domain Controller's SID,
net getlocalsid
and edit the configuration to change the SID,
vi /etc/smbldap-tools/smbldap.conf
like,
SID=_SID_

Configure the access information,
cat > /etc/smbldap-tools/smbldap_bind.conf <<EOF9
masterDN="cn=admin,dc=example,dc=net"
masterPw="LDAP_PASSWD"
EOF9

Fix file permissions,
chmod 644 /etc/smbldap-tools/smbldap.conf
chmod 600 /etc/smbldap-tools/smbldap_bind.conf
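Added example, not part of the original tutorial: a small check for the two files that carry directory credentials, slapd.conf (rootpw, which the note above says can be stored crypted) and smbldap_bind.conf (masterPw, which must be mode 600). It passes a file only when it is owner-readable only and any rootpw in it is a hashed value; the sample files below are constructed in a temp dir, and check_secret_file is a name chosen here.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit a credential-carrying
# file as the tutorial configures them, slapd.conf and smbldap_bind.conf.

# check_secret_file FILE
# Returns 0 when FILE is mode 0600/0400 and carries no cleartext rootpw,
# 1 otherwise (with a one-line reason on stdout).
check_secret_file() {
    f="$1"
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    # stat -c %a prints the octal permission bits (GNU coreutils / busybox)
    mode=$(stat -c %a "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode is readable by group/others"; return 1 ;;
    esac
    # slapd stores a hashed rootpw as {SCHEME}value; a rootpw not starting
    # with "{" is cleartext in the file
    if grep -q '^rootpw[[:space:]]' "$f" &&
       ! grep -q '^rootpw[[:space:]][[:space:]]*{' "$f"; then
        echo "$f: rootpw is cleartext"; return 1
    fi
    return 0
}

# Constructed samples to exercise the check (not real configuration files)
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'rootpw secret\n' > "$tmp/clear.conf";                 chmod 600 "$tmp/clear.conf"
printf 'rootpw {CRYPT}ijFYNcSNctBYg\n' > "$tmp/hashed.conf";  chmod 600 "$tmp/hashed.conf"
printf 'masterPw="LDAP_PASSWD"\n' > "$tmp/bind.conf";         chmod 644 "$tmp/bind.conf"

# Example run: only hashed.conf passes
for c in clear hashed bind; do
    check_secret_file "$tmp/$c.conf" && echo "$tmp/$c.conf: ok"
done
```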


Ready to go
Configure the UNIX users' LDAP mapping,
authconfig-tui
Note. enable local authorization
Note. those files get altered,
#/etc/nsswitch.conf
#/etc/pam.d/system-auth-ac
#/etc/ldap.conf
#/etc/openldap/ldap.conf

Check Samba's configuration and set up the LDAP master password,
testparm
smbpasswd -w LDAP_MASTER_PASSWORD

Populate the LDAP tree,
/usr/local/sbin/smbldap-populate

Start the Domain Controller,
tail -f /var/log/messages &
tail -f /var/log/samba/* &
service smb start
chkconfig smb on
net groupmap list

Join the "EXAMPLE" domain from a Windows box with those credentials:
Login : root
Password : LDAP_MASTER_PASSWORD


Usage
Create a group,
smbldap-groupadd -a GROUPNAME
getent group | grep GROUPNAME

Create a user,
smbldap-useradd -a -g GROUPNAME -G 'Domain Users' -m -s /bin/ksh -d /home/USERNAME -F '' -P USERNAME
getent passwd | grep USERNAME
Note. primary group 'GROUPNAME' and secondary group 'Domain Users'
Note. other possible groups : "Administrators" and "Domain Admins"

Check in the LDAP repository for USERNAME's primary group,
dn: uid=USERNAME,ou=Users,dc=example,dc=net
...
gidNumber: GID_NUMBER
and secondary groups (primary group is also referenced as secondary group in the LDAP repo),
dn: cn=GROUPNAME,ou=Groups,dc=example,dc=net
...
memberUid: USERNAME
also,
dn: cn=Domain Users,ou=Groups,dc=example,dc=net
...
memberUid: USERNAME
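Added example, not part of the original tutorial: a shell check that automates the verification above, confirming that a user's gidNumber resolves to a group entry with the same gidNumber which also lists the user in memberUid. It reads LDIF text such as the output of ldapsearch; the sample below is constructed, and jdoe/staff and primary_group_ok are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify a user's primary
# group mapping in the LDAP tree. In practice feed it the output of
#   ldapsearch -x -LLL -b "dc=example,dc=net"
# A constructed sample is used here; jdoe and staff are placeholder names.
SAMPLE_LDIF='dn: uid=jdoe,ou=Users,dc=example,dc=net
objectClass: posixAccount
uid: jdoe
uidNumber: 1000
gidNumber: 1001

dn: cn=staff,ou=Groups,dc=example,dc=net
objectClass: posixGroup
cn: staff
gidNumber: 1001
memberUid: jdoe

dn: cn=Domain Users,ou=Groups,dc=example,dc=net
objectClass: posixGroup
cn: Domain Users
gidNumber: 513
memberUid: jdoe
'

# primary_group_ok USER LDIF_TEXT
# Prints the cn of USER's primary group and returns 0 when a posixGroup with
# the user's gidNumber exists and lists USER in memberUid; returns 1 on a
# missing user, no matching group, or missing memberUid.
primary_group_ok() {
    printf '%s\n' "$2" | awk -v user="$1" '
        # LDIF attributes are collected per entry, keyed by the dn line
        /^dn: /                    { dn = substr($0, 5) }
        /^uid: /                   { uid[dn] = substr($0, 6) }
        /^cn: /                    { cn[dn] = substr($0, 5) }
        /^gidNumber: /             { gid[dn] = substr($0, 12) }
        /^memberUid: /             { member[dn, substr($0, 12)] = 1 }
        /^objectClass: posixGroup/ { isgroup[dn] = 1 }
        END {
            for (d in uid) if (uid[d] == user) ugid = gid[d]
            if (ugid == "") exit 1
            for (d in isgroup)
                if (gid[d] == ugid) { print cn[d]; exit (member[d, user] ? 0 : 1) }
            exit 1
        }'
}

# Example run: prints "staff" for the constructed sample
primary_group_ok jdoe "$SAMPLE_LDIF"
```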