Samba and LDAP
This section covers configuring Samba to use LDAP for user, group, and machine account information and authentication. It assumes you already have a working OpenLDAP directory and that the server is configured to use it for authentication. See the section called “OpenLDAP Server” and the section called “LDAP Authentication” for details on setting up OpenLDAP. For more information on installing and configuring Samba see Chapter 17, Windows Networking.
Installation
sudo apt-get install samba samba-doc smbldap-tools
Strictly speaking, the smbldap-tools package isn't required, but unless you have another package or custom scripts for the job, you need some way of managing user, group, and computer accounts in the directory.
OpenLDAP Configuration
- The Samba attributes are defined in the samba.schema file, which is part of the samba-doc package. The schema file needs to be unzipped and copied to /etc/ldap/schema. From a terminal prompt enter:
sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
sudo gzip -d /etc/ldap/schema/samba.schema.gz
- The samba schema needs to be added to the cn=config tree. The procedure to add a new schema to slapd is also detailed in the section called “Further Configuration”.
- First, create a configuration file named schema_convert.conf, or a similar descriptive name, containing the following lines:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema
- Next, create a temporary directory to hold the output:
mkdir /tmp/ldif_output
- Now use slapcat to convert the schema files:
slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > /tmp/cn=samba.ldif
The {12} is the position of samba.schema in schema_convert.conf, counted from zero (it is the thirteenth include above); if you include a different set of schema files, adjust it to match. Change the file and path names to match your own if they are different.
- Edit the generated /tmp/cn\=samba.ldif file. slapcat writes the dn and cn with the {12} ordering prefix; change them so the entry reads:
dn: cn=samba,cn=schema,cn=config
...
cn: samba
And remove the following lines from the bottom of the file:
structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z
The attribute values will vary; just be sure the attributes are removed. They are operational attributes that slapd maintains itself, and ldapadd will refuse the entry if they are left in.
- Finally, using the ldapadd utility, add the new schema to the directory:
ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\=samba.ldif
This binds to cn=config as an administrator DN with a password. If your cn=config is instead administered by root over the local socket, use sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=samba.ldif.
- Copy and paste the following into a file named samba_indexes.ldif:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
Using the ldapmodify utility load the new indexes:
ldapmodify -x -D cn=admin,cn=config -W -f samba_indexes.ldif
If one of the attributes is already indexed in the database (uid often is), ldapmodify stops with "Type or value exists" (result code 20); remove that olcDbIndex line, or change the existing value with a replace instead of an add, and run it again. If all went well you should see the new indexes using ldapsearch:
ldapsearch -xLLL -D cn=admin,cn=config -W -b cn=config olcDatabase={1}hdb
- Next, configure the smbldap-tools package to match your environment. The package comes with a configuration script that asks about the needed options. To run the script enter:
sudo gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
sudo perl /usr/share/doc/smbldap-tools/configure.pl
Once you have answered the questions, there should be /etc/smbldap-tools/smbldap.conf and /etc/smbldap-tools/smbldap_bind.conf files. These are generated by the configure script, so if you made a mistake while answering it is usually simpler to edit the files directly than to run the script again. smbldap_bind.conf holds the LDAP admin DN and its password in clear text, so check that it is owned by root and not readable by other users (mode 0600).
- The smbldap-populate script will add the users, groups, and LDAP objects required for Samba. It is a good idea to make a backup LDAP Data Interchange Format (LDIF) file with slapcat before executing the command:
sudo slapcat -l backup.ldif
The backup contains every entry, password hashes included, so protect it as carefully as the directory itself.
- Once you have a current backup execute smbldap-populate by entering:
sudo smbldap-populate
You can create an LDIF file containing the new Samba objects by executing sudo smbldap-populate -e samba.ldif. This allows you to look over the changes, making sure everything is correct.
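The schema conversion and index steps above are the ones that most often go wrong in practice: the {12} prefix or the operational attributes left in the LDIF, or an index added for an attribute that already has one. The following shell script is an added example for this page, not code from the Ubuntu guide or from the Samba or OpenLDAP projects. It assumes the file names and the olcDatabase={1}hdb database used above; the slapcat output and the existing-index entry it works on are constructed samples, not captured from a server.

```shell
#!/bin/sh
# Added example (not from the Ubuntu guide): helpers for the two fiddly
# OpenLDAP steps above. Assumes slapd 2.4 with cn=config, samba.schema at
# position {12} in schema_convert.conf and the olcDatabase={1}hdb name used
# on this page. The sample inputs below are constructed, not captured.

# Make the slapcat output of the samba schema acceptable to ldapadd: drop the
# {n} ordering prefix from dn and cn, and delete the operational attributes
# that slapd generates itself. Reads stdin, writes stdout.
clean_schema_ldif() {
    sed -e 's/^dn: cn={[0-9]*}samba,cn=schema,cn=config$/dn: cn=samba,cn=schema,cn=config/' \
        -e 's/^cn: {[0-9]*}samba$/cn: samba/' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d'
}

# The indexes this page adds to olcDatabase={1}hdb.
WANTED_INDEXES='uidNumber eq
gidNumber eq
loginShell eq
uid eq,pres,sub
memberUid eq,pres,sub
uniqueMember eq,pres
sambaSID eq
sambaPrimaryGroupSID eq
sambaGroupType eq
sambaSIDList eq
sambaDomainName eq
default sub'

# Build the "add: olcDbIndex" LDIF, but only for attributes that are not
# indexed yet: adding a second olcDbIndex value for an attribute that already
# has one fails with "Type or value exists" (LDAP result 20). Attributes that
# are already indexed are listed on stderr so they can be handled with a
# "replace: olcDbIndex" change instead. $1 is a file holding the current
# entry, e.g. the output of
#   ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcDbIndex
# Returns 1 (and prints nothing) when every wanted index is already present.
missing_index_ldif() {
    body=$(printf '%s\n' "$WANTED_INDEXES" | while IFS= read -r line; do
        attr=${line%% *}
        if grep -qi "^olcDbIndex: $attr " "$1"; then
            printf 'already indexed, skipping: %s\n' "$line" >&2
        else
            printf 'olcDbIndex: %s\n' "$line"
        fi
    done)
    [ -n "$body" ] || return 1
    printf 'dn: olcDatabase={1}hdb,cn=config\nchangetype: modify\nadd: olcDbIndex\n%s\n' "$body"
}

# Constructed sample of what slapcat emits for the samba schema entry,
# abbreviated to a single attribute type; the operational values are the
# ones shown on the page.
SAMPLE_SCHEMA_LDIF=$(cat <<'EOF'
dn: cn={12}samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z
EOF
)

# Constructed sample of a database entry where uid is already indexed.
CURRENT_INDEX_FILE=$(mktemp)
trap 'rm -f "$CURRENT_INDEX_FILE"' EXIT
cat > "$CURRENT_INDEX_FILE" <<'EOF'
dn: olcDatabase={1}hdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: uid eq,pres,sub
EOF

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_SCHEMA_LDIF" | clean_schema_ldif
echo
missing_index_ldif "$CURRENT_INDEX_FILE"
```

On a real server the two functions slot into the page's commands: pipe the slapcat output through clean_schema_ldif before redirecting it to /tmp/cn=samba.ldif, and feed the ldapsearch result for olcDatabase={1}hdb to missing_index_ldif to produce a samba_indexes.ldif that ldapmodify will accept on the first run.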
Samba Configuration
Edit /etc/samba/smb.conf, commenting the passdb backend option and adding the following:
# passdb backend = tdbsam

# LDAP Settings
passdb backend = ldapsam:ldap://hostname
ldap suffix = dc=example,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=example,dc=com
ldap ssl = start tls
ldap passwd sync = yes
...
add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"
Replace hostname and the suffixes with the values from your own directory. Keep ldap ssl = start tls unless the URL is ldaps:// or ldapi://: with it turned off, Samba sends the admin DN password and the account data, password hashes included, over the network in clear text. Restart samba to enable the new settings:
sudo restart smbd
sudo restart nmbd
Now Samba needs to know the LDAP admin password. From a terminal prompt enter:
sudo smbpasswd -w secret
Replacing secret with your LDAP admin password. Samba stores it in its secrets.tdb, which is readable by root only; the command line itself ends up in your shell history, so remove that entry afterwards if the account is shared.
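As an added check for the settings above (example code written for this page, not from the Ubuntu guide or from Samba), the script below reads an smb.conf and reports whether its ldapsam configuration would send the admin bind in clear. The hostname and both sample configurations are constructed; the weak one differs from the page's settings only in ldap ssl = off.

```shell
#!/bin/sh
# Added example (not from the Ubuntu guide): lint the LDAP settings in an
# smb.conf, showing the weak variant beside the one the page recommends.
# Only reads the file. "hostname" and the two sample configs are constructed.

# Print the value of an smb.conf parameter from its last uncommented
# occurrence. Comment lines start with # or ;, so "# passdb backend = tdbsam"
# is ignored. $1 file, $2 parameter name (may contain spaces).
smbconf_get() {
    sed -n -e 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed -e 's/[[:space:]]*$//' | tail -n 1
}

# Return 0 if the ldapsam setup protects the admin bind, 1 if it is weak,
# 2 if the file does not use ldapsam at all. Findings go to stdout.
check_smb_ldap_conf() {
    conf="$1"
    backend=$(smbconf_get "$conf" 'passdb backend')
    ssl=$(smbconf_get "$conf" 'ldap ssl' | tr 'A-Z' 'a-z')
    admin=$(smbconf_get "$conf" 'ldap admin dn')
    case "$backend" in
        ldapsam:ldap://*)
            # A plain ldap:// URL carries the "ldap admin dn" password (set with
            # smbpasswd -w) and every account entry in clear unless StartTLS
            # is negotiated first.
            if [ "$ssl" = "off" ]; then
                echo "WEAK: $backend with 'ldap ssl = off': admin bind and account data sent in clear"
                return 1
            fi
            if [ -z "$ssl" ]; then
                echo "WARN: $backend relies on the compiled-in 'ldap ssl' default; set 'ldap ssl = start tls' explicitly"
            fi ;;
        ldapsam:ldaps://*|ldapsam:ldapi://*)
            : ;;  # TLS from the first byte, or a local Unix socket
        "")
            echo "INFO: passdb backend not set (tdbsam default), nothing to check"
            return 2 ;;
        *)
            echo "INFO: passdb backend is '$backend', not ldapsam"
            return 2 ;;
    esac
    if [ -z "$admin" ]; then
        echo "WARN: ldap admin dn is not set; smbpasswd -w has nothing to store a password for"
    fi
    echo "OK: $backend, ldap ssl = ${ssl:-<default>}, admin dn = ${admin:-<unset>}"
    return 0
}

# Constructed samples: the page's settings with StartTLS switched off, and
# the page's settings as written.
WEAK_CONF=$(mktemp)
GOOD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$GOOD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
[global]
   # passdb backend = tdbsam
   passdb backend = ldapsam:ldap://hostname
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=admin,dc=example,dc=com
   ldap ssl = off
EOF
cat > "$GOOD_CONF" <<'EOF'
[global]
   # passdb backend = tdbsam
   passdb backend = ldapsam:ldap://hostname
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=admin,dc=example,dc=com
   ldap ssl = start tls
   ldap passwd sync = yes
EOF

# Demonstration: the first call reports WEAK and returns 1, the second OK.
check_smb_ldap_conf "$WEAK_CONF" || true
check_smb_ldap_conf "$GOOD_CONF"
```

Run it against /etc/samba/smb.conf before smbpasswd -w so that the admin password is never offered to the directory over an unprotected connection; the return code makes it usable from a deployment script as well.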
Add the Samba attributes to existing users using the smbpasswd utility, replacing
username with an actual user:
sudo smbpasswd -a username
You will then be asked to enter the user's password.
To add new user, group, and machine accounts use the utilities from the smbldap-tools package. Here are some examples:
- To add a new user to LDAP with Samba attributes enter the following, replacing username with an actual username:
sudo smbldap-useradd -a -P username
The -a option adds the Samba attributes, and the -P option calls the smbldap-passwd utility after the user is created, allowing you to enter a password for the user.
- To remove a user from the directory enter:
sudo smbldap-userdel username
The smbldap-userdel utility also has a -r option to remove the user's home directory.
- Use smbldap-groupadd to add a group, replacing groupname with an appropriate group:
sudo smbldap-groupadd -a groupname
Similar to smbldap-useradd, the -a adds the Samba attributes.
- To add a user to a group use smbldap-groupmod:
sudo smbldap-groupmod -m username groupname
Be sure to replace username with a real user. Also, the -m option can add more than one user at a time by listing them in comma-separated format.
- smbldap-groupmod can also be used to remove a user from a group:
sudo smbldap-groupmod -x username groupname
- Additionally, the smbldap-useradd utility can add Samba machine accounts:
sudo smbldap-useradd -t 0 -w username
Replace username with the name of the workstation. The -t 0 option creates the machine account without a delay, while the -w option specifies the user as a machine account. Also, note that the add machine script option in /etc/samba/smb.conf was changed to use smbldap-useradd.