Installation:

Required components:

  • samba
  • openldap
  • nss_ldap
  • pam_ldap
  • smbldap-tools

USE flags

required

These USE flags are required for a successful installation:

  • acl - Adds support for Access Control Lists
  • kerberos - Adds kerberos support
  • ldap - Adds LDAP support (Lightweight Directory Access Protocol)
  • pam - Adds support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
  • readline - enables support for libreadline, a GNU line-editing library that most everyone wants.
  • crypt - Add support for encryption -- using mcrypt or gpg where applicable
  • gdbm - Adds support for sys-libs/gdbm (GNU database libraries)
  • samba - Adds support for SAMBA
  • ssl - Adds support for Secure Socket Layer connections
  • tcpd - Adds support for TCP wrappers
used in the test environment
  • cups - Add support for CUPS (Common Unix Printing System)
  • python - Adds support/bindings for the Python language
  • perl - Adds support/bindings for the Perl language.
  • xml2 - Check/Support flag for XML library (version 2)
  • mysql - Adds mySQL support
  • berkdb - Adds support for sys-libs/db (Berkeley DB for MySQL)

Add these USE flags to /etc/make.conf, for example at the bottom of make.conf:

USE="${USE} acl kerberos ldap pam readline crypt gdbm samba ssl tcpd cups python perl xml2 mysql berkdb"

Or use euse (from the app-portage/gentoolkit package) to add the USE flags to make.conf:

euse --enable acl kerberos ldap pam readline crypt gdbm samba ssl tcpd cups python perl xml2 mysql berkdb

Then start the installation:

emerge samba openldap nss_ldap pam_ldap smbldap-tools

>>> Installing (49 of 49) net-nds/smbldap-tools-0.9.4-r1

 * - A good howto is found on http://www.iallanis.info/smbldap-tools/docs/samba-ldap-howto/
 * - The configure script is installed as smbldap-configure.pl. Please run it to configure the tools.
 * - Examples configuration files for Samba and slapd have been copied to /usr/share/doc/smbldap-tools-0.9.4-r1,
 *   together with the migration-scripts.
 Optional Packages

If you intend to use web admin interfaces such as phpLDAPadmin or LAM, you might want to emerge apache and mod_php at this point.

USE Flags

You have the option of compiling either apache version 1 or 2; determining which version you want to use is outside the scope of this HowTo. However, if you know that you want to use version 2, you need to have the USE flag apache2 set. I have found that most of the PHP administration tools will not function properly with the phphardened flag set. Ensure that php is not compiled with phphardened by using the -phphardened flag.

  • note: the flag in latest versions is actually hardenedphp
  • note: the use flags needed by PHP for LAM are xml nls session pcre

emerge

Assuming you have set the desired USE flags for apache and php, go ahead and emerge them. Again this will take a while, so take a break after running the following command:

  1. emerge apache mod_php
 Configure LDAP

First things first: ensure the proper ownership of some key directories.

  1. chown -R ldap:ldap /var/lib/openldap-*

/etc/openldap/slapd.conf

You can either edit the /etc/openldap/slapd.conf file that ships with openldap or create a new one; either way it should resemble the following.

The include statements pull the various schemas into our LDAP tree:

 include /etc/openldap/schema/core.schema
 include /etc/openldap/schema/cosine.schema
 include /etc/openldap/schema/inetorgperson.schema
 include /etc/openldap/schema/nis.schema
 include /etc/openldap/schema/samba.schema

The slapd gentoo init script doesn't make the pidfile or argsfile correctly so we specify them here.

 pidfile /var/run/openldap/slapd.pid
 argsfile /var/run/openldap/slapd.args

Note: 06/08/06 net-nds/openldap-2.2.28-r3 has the two previous lines present in /etc/openldap/slapd.conf by default. evilshenaniganz

You should set loglevel to 256 initially; this will give you some good hints when debugging problems. Read man slapd.conf for more information on what the loglevel directive gives you.

loglevel 256

For database you can use either "bdb" or "ldbm". bdb is generally favoured by the openldap project as it is faster and more stable, but it is somewhat difficult to set up when your server is under high load. Hint: create a DB_CONFIG file in your data directory (/var/lib/openldap-data/) and read the Berkeley DB documentation at sleepycat.com.

suffix is the suffix for the root of our LDAP tree. The field names here must be all caps, or Windows will turn up its nose when asked to join your domain, with an error stating "User account not found." It will be very frustrating.

directory designates the data directory for our LDAP database. rootdn is the hardcoded super-user of the database. rootpw is the hardcoded root password. To generate a 'secret' you can use:

  1. slappasswd -h {MD5}

 New password: <example>
 Re-enter new password: <example>
 {MD5}s+JROT6YmCR/KFfL3N9o4w==

{MD5} indicates the scheme used to hash the password. For more information about using different schemes, see the slappasswd man page. The index directives define optional indexes that help speed up searches against common LDAP data.

 database ldbm
 suffix "dc=example,dc=net"
 rootdn "cn=Manager,dc=example,dc=net"
 rootpw {MD5}s+JROT6YmCR/KFfL3N9o4w==
 directory /var/lib/openldap-data/
 index sambaSID eq
 index sambaPrimaryGroupSID eq
 index sambaDomainName eq
 index objectClass,uid,uidNumber,gidNumber,memberUid eq
 index cn,mail,surname,givenname eq,subinitial

Note: 5/05/2007 Alternative Using bdb (faster DB for large record)

 database bdb
 suffix "dc=example,dc=net"
 checkpoint 32 30 # <kbyte> <min>
 rootdn "cn=Manager,dc=example,dc=net"
 rootpw {MD5}s+JROT6YmCR/KFfL3N9o4w==
 directory /var/lib/openldap-data/
 index sambaSID eq
 index sambaPrimaryGroupSID eq
 index sambaDomainName eq
 index objectClass,uid,uidNumber,gidNumber,memberUid eq
 index cn,mail,surname,givenname eq,subinitial

Note: 14/03/2007 Additionally, I had to remove (or maybe move after "suffix") an entry called "checkpoint" from my configuration, which was in by default. -- User:emphasis.nils-wisiol.de

Note: 28/04/2007 If you use ldbm, change directory to /var/lib/openldap-ldbm (LDAP-howto). Don't forget to run chown ldap:ldap /var/lib/openldap-ldbm

/etc/openldap/ldap.conf
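The following is an added example, not part of the original HOWTO: a small shell check for the slapd.conf directives described above (schema includes, rootpw, rootdn, suffix, loglevel), run against a constructed sample file rather than /etc/openldap/slapd.conf. The DNs are the HOWTO's placeholders (dc=example,dc=net). It complements slaptest, which remains the authoritative syntax check, by catching the configuration mistakes the HOWTO warns about: a clear-text rootpw, and a rootdn outside the suffix (slapd only honours rootpw when rootdn lies within the database's naming context).

```shell
#!/bin/sh
# Added example, not from the original HOWTO: sanity-check a slapd.conf for the
# mistakes discussed above. Everything below runs on a constructed sample file.

# write_sample_slapd_conf FILE ROOTPW: constructed slapd.conf in the HOWTO's shape.
write_sample_slapd_conf() {
    cat > "$1" <<EOF
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
loglevel 256
database bdb
suffix "dc=example,dc=net"
rootdn "cn=Manager,dc=example,dc=net"
rootpw $2
directory /var/lib/openldap-data/
index sambaSID eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
EOF
}

# conf_value FILE DIRECTIVE: value of the first matching directive, quotes stripped.
conf_value() {
    awk -v d="$2" '$1 == d { sub(/^[^ \t]+[ \t]+/, ""); gsub(/"/, ""); print; exit }' "$1"
}

# check_slapd_conf FILE: prints each problem found; returns 1 if there were any.
check_slapd_conf() {
    conf="$1"; rc=0
    # samba.schema supplies sambaSamAccount; without it ldapsam cannot store accounts
    grep -q '^include[[:space:]].*samba\.schema' "$conf" \
        || { echo "samba.schema is not included"; rc=1; }
    # rootpw must be a {SCHEME}hash value as produced by slappasswd, never clear text
    pw=$(conf_value "$conf" rootpw)
    case "$pw" in
        \{*\}*) ;;
        *) echo "rootpw is stored in clear text; generate it with slappasswd"; rc=1 ;;
    esac
    # rootpw is only honoured when rootdn lies within the suffix (naming context)
    suffix=$(conf_value "$conf" suffix)
    rootdn=$(conf_value "$conf" rootdn)
    case "$rootdn" in
        *"$suffix") ;;
        *) echo "rootdn '$rootdn' is not under suffix '$suffix'"; rc=1 ;;
    esac
    # the HOWTO asks for loglevel 256 while debugging
    [ -n "$(conf_value "$conf" loglevel)" ] || { echo "no loglevel set"; rc=1; }
    return $rc
}

# Usage against the real file: check_slapd_conf /etc/openldap/slapd.conf
```

Run it with `check_slapd_conf /etc/openldap/slapd.conf` after every edit, alongside slaptest; a non-zero exit means one of the listed problems was found and printed.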

You should also have a file called /etc/openldap/ldap.conf. This file tells the client programs from the openldap package (ldapsearch, ldapadd, ...) which server it should connect to. Don't confuse this one with /etc/ldap.conf which is for the pam_ldap and nss_ldap packages from padl.com.

To configure connectivity for the OpenLDAP tools we only need to define the HOST and BASE settings to match our slapd settings:

 HOST 127.0.0.1
 BASE dc=example,dc=net

/etc/conf.d/slapd

We need to make sure the OPTS= line in /etc/conf.d/slapd looks similar to the following. If it doesn't, we may have issues starting slapd through the Gentoo init scripts, and it won't open an SSL port without it.

OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"

Finalizing openldap

We should always do a sanity check on /etc/openldap/slapd.conf every time we change it. We can accomplish this with slaptest:

  1. slaptest

Note: 11/01/2007 If you're using bdb, use slaptest -u to check the sanity of /etc/openldap/slapd.conf, then manually start the daemon with /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 255 to generate the initial db and check if something is wrong. Then stop it with ctrl+C and change the permissions on /var/lib/openldap-data as shown in note number 3. -- JioJio

Note: 14/03/2007 Maybe your openldap executable is not in /usr/sbin/slapd, as said in the first note, but in /usr/lib/openldap/slapd. -- User:emphasis.nils-wisiol.de

Note: 11/09/06 If you're using bdb, the rights for the database in /var/lib/openldap-data/ may have been created as root. If so you need to chown ldap:ldap /var/lib/openldap-data/* before starting slapd. -- dcrawford

Next we can attempt to start slapd. Also don't forget to add slapd to the default runlevel.

  1. /etc/init.d/slapd start
  2. rc-update add slapd default

Note: 09/12/06 If the start failed, check that ldap is the owner of the files in /var/lib/openldap-data.

Hopefully slapd started [ok]; if it didn't ([!!]), skip down to the troubleshooting section, otherwise continue with the testing section to make sure everything's running correctly.

Configure PAM

/etc/pam.d/system-auth

Note: 5/05/2007 Please skip this section as pam will know where to go when reading /etc/nsswitch.conf - FIXME: is this correct? I need to add those pam_ldap.so lines. Else it won't work here.

PAM, short for Pluggable Authentication Module(s), is a system that allows us to define the modules used for system authentication. Redefining pam.d/system-auth along with nsswitch.conf will allow us to authenticate against our LDAP directory.

You should also have a file called /etc/pam.d/system-auth. We need to edit the file to resemble something like this:

File: /etc/pam.d/system-auth

 #%PAM-1.0
 auth required pam_env.so
 auth sufficient pam_unix.so likeauth nullok
 auth sufficient pam_ldap.so use_first_pass
 auth required pam_deny.so

 account required pam_unix.so
 account sufficient pam_ldap.so

 password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 type=
 password sufficient pam_unix.so nullok md5 shadow use_authtok
 password sufficient pam_ldap.so use_authtok
 password required pam_deny.so

 session required pam_limits.so
 session required pam_unix.so
 session optional pam_ldap.so

/etc/pam.d/su

You probably want to make a few changes to su authentication. By default, su checks that the user is in group wheel, and then authenticates them as the root user through the normal system-auth methods. There are two changes that you may want to make.

You probably want to have the wheel group information in LDAP instead of in /etc/group. Unfortunately, pam_group.so and pam_wheel.so seem to stop after checking /etc/group if the group wheel is present in the file and the user is not in the group. You can safely remove the wheel group and then add it to LDAP with the following commands:

  1. groupdel wheel
  2. smbldap-groupadd -g 10 -o wheel
  3. smbldap-groupmod -m <userlist, comma separated> wheel

Note: 01/05/08 By removing wheel from /etc/group, you might not be able to su if your LDAP server is down. This makes remote administration difficult, since a secure setup only allows root to login from the console.

Note: 16/09/2008 I created 'wheel' group in LDAP, added appropriate users to that group, then appended this line in /etc/pam.d/su:

auth sufficient pam_ldap.so

Local 'wheel' group still exists and users added to LDAP 'wheel' are able to su. --Stootch 12:40, 16 September 2008 (UTC)

[NOTE: You probably should perform an smbldap-populate (information provided on the next page for completing this) before you remove/add the wheel group.]

You may not want to allow su'ing with the LDAP root password, but force the /etc/passwd password instead. If that is the case, you should copy the auth section from /etc/pam.d/system-auth to /etc/pam.d/su and remove the pam_ldap.so line. This will override the new default, LDAP-centric authentication behavior. Here is a sample auth section.

File: /etc/pam.d/su

 #%PAM-1.0
 auth sufficient pam_rootok.so
 auth required pam_wheel.so
 auth required pam_env.so
 auth sufficient pam_ldap.so
 auth required pam_deny.so

Configure NSS_LDAP

/etc/nsswitch.conf

You should also have a file called /etc/nsswitch.conf. We need to modify the lines pertaining to passwd:, group:, and shadow: to resemble the following.

 passwd: files ldap
 group: files ldap
 shadow: files ldap

Note: 5/05/2007 Alternative Configuration

 passwd: compat ldap
 shadow: compat ldap
 group: compat ldap

 # sudoers: files ldap

For LDAP sudoers, please see the OpenLDAP page.

/etc/ldap.conf

Next we want to configure /etc/ldap.conf. This file sets the directives for the ldap source we specified in nsswitch.conf above.

Again we use host and base to refer to our LDAP server address and the base context of our LDAP tree respectively:

 host 127.0.0.1
 base dc=example,dc=net

Some LDAP attributes that differ from the default ldap.conf:

 pam_filter objectclass=posixAccount
 pam_login_attribute uid

The nss_base_* directives specify the context in LDAP to look in for each map (relative to the suffix they refer to). Make sure to have two nss_base_passwd entries to cover both users and computers, so you don't get a nasty "user name could not be found" error when joining computers to the domain.

 nss_base_passwd ou=Computers,dc=example,dc=net?sub
 nss_base_passwd ou=Users,dc=example,dc=net?sub
 nss_base_shadow ou=Users,dc=example,dc=net?sub
 nss_base_group ou=Groups,dc=example,dc=net?one

Here we use debug to specify the verbosity of the output; during testing this value should be 256 to help track down problems. The logdir directive tells nss_ldap where to store the logs that the debug directive produces.

 debug 256
 logdir /var/log/nss_ldap

Note: There is a problem with the debug 256 option. When portage emerges packages like openssh or glibc, the sandbox environment crashes the whole operation with ACCESS VIOLATION; commenting the debug 256 line out of the file helped me solve this problem. I hope this will help others as well. -- m0t3jl

The ssl directive identifies whether or not we're using an encrypted connection. pam_password ... tbe ...

 ssl no
 pam_password md5

Note: You can also use the following. This will let the ldap server do the encrypting and storing of the password. This plays well with the smbk5pwd overlay. Po0ky

pam_password exop

Don't forget to create the folder(s) referenced in the logdir directive. We can accomplish this with the following command.

  1. mkdir -p /var/log/nss_ldap

To avoid greater timeout delays on boot time, set bind_policy to soft. This ensures no waiting for a timeout if the slapd is not yet started and a service needs to switch user.

 bind_policy soft

Note: Don't forget to alter the rootbinddn to reflect your settings; also the password is stored in /etc/ldap.secret (mode 600). Otherwise it will keep saying "can't connect"!! -- mmuser

Configure Samba

Next we're going to tackle the big item, Samba. Configuring Samba can become quite a complex task in its own right. As such, we're going to keep our Samba config to the minimum necessary to get a PDC running with an LDAP backend.

The following is mostly cut and pasted from the HOWTO Implement Samba as your PDC and modified for our needs. The following is /etc/samba/smb.conf.

The first section we will configure is the [global] services section, followed by the [netlogon], [profiles], [homes] and other service sections. You'll need to change some values to meet your criteria.

The [global] service section

netbios name sets the NetBIOS name by which a Samba server is known. This is what you'll see in Network Neighborhood. workgroup controls what workgroup your server will appear to be in when queried by clients. This is also the DOMAIN you will work from if you are using one. server string controls what string will show up in the printer comment box in print manager and next to the IPC connection in net view.

IMPORTANT: make sure that your workgroup (domain) name is not a full DNS name in the Samba setup. Using a name such as domainexample.com here will make an XP client search your DNS server for AD SRV records when you try to join a domain. Setting it to "domainexample" is the best bet.

[global]

 netbios name = COMPUTER_NAME
 workgroup = YOUR_DOMAIN
 server string = LDAP PDC [on Gentoo :: Samba server %v]

hosts allow is a comma-, space-, or tab-delimited set of hosts which are permitted to access a service. security affects how clients respond to Samba and is one of the most important settings in the smb.conf file. encrypt passwords controls whether encrypted passwords will be negotiated with the client. socket options allows you to set socket options to be used when talking with the client; it is for performance fine tuning. If you find more/better options, I'd love to know of them. interfaces allows you to override the default network interface list that Samba will use for browsing, name registration and other NBT traffic. bind interfaces only allows the Samba admin to limit which interfaces on a machine will serve SMB requests.

 hosts allow = 192.168.4.0/24 127.0.0.0/8
 security = user
 encrypt passwords = yes
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 interfaces = lo eth0
 bind interfaces only = yes

To make your Samba server the PDC, the following 4 parameters are required. Setting your OS level to 65 ensures your server WILL BE the PDC in a network where there are other DCs. local master allows nmbd to try and become a local master browser on a subnet. os level controls what level Samba advertises itself as for browse elections. domain master enables WAN-wide browse list collation; setting this option causes nmbd to claim a special domain-specific NetBIOS name that identifies it as a domain master browser for its given workgroup. preferred master controls if nmbd is a preferred master browser for its workgroup.

 local master = yes
 os level = 65
 domain master = yes
 preferred master = yes

null passwords allows or disallows client access to accounts that have null passwords. hide unreadable prevents clients from seeing the existence of files that cannot be read. hide dot files controls whether files starting with a dot appear as hidden files.

 null passwords = no
 hide unreadable = yes
 hide dot files = yes

domain logons dictates whether the Samba server will serve Windows Domain logons for the workgroup it is in. logon script specifies the batch file (.bat) or NT command file (.cmd) to be downloaded and run on a machine when a user successfully logs in. logon path specifies the home directory where roaming profiles (NTuser.dat etc. files for Windows NT) are stored. logon drive specifies the local path to which the home directory will be connected and is only used by NT Workstations. logon home specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC. Please note that the variables %L and %U must be used. They define the server name and username (respectively). You may specify any drive letter as long as it does not conflict with other drives on your Win2k client.

For logon script, I personally use a static file name. %U expands to the username establishing the connection.

 domain logons = yes
 ;logon script = login.bat OR %U.bat
 logon path = \\%L\profiles\%U
 logon drive = H:
 logon home = \\%L\%U

IMPORTANT NOTE: This may sound pretty obvious, but will save you a ton of headaches and Windows-cursing. You really want to have your logon drive as Z:, just in case.

Why, you ask? Take a look at the following example: you have a computer with three HDD partitions (C:, D:, and E:), as well as a DVD reader (F:) and a CD-RW (G:). And, yes, your logon drive at H:. Common sense would suggest that, should you connect any removable media to this computer (say, a USB drive, an external DVD burner, etc.), it would get allocated as I:, right?

The first mistake here is that you assumed that Microsoft would use any common sense. Let me explain what happened to me in such a case. Apparently, the recently-inserted media tries to get H: and the only result is that it becomes inaccessible. Another example would be a computer that doesn't have such a heavily partitioned HDD, but is filled with removable media bays, just as any VAIO or HP you can find out there. --Demiurgo 00:49, 23 June 2006 (UTC)

wins support controls if the nmbd process in Samba will act as a WINS server. name resolve order is used by the programs in the Samba suite to determine what naming services to use and in what order to resolve host names to IP addresses. dns proxy specifies that nmbd when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name-querying client.

 wins support = yes
 name resolve order = wins lmhosts host bcast
 dns proxy = no

time server determines if nmbd advertises itself as a time server to Windows clients. log file option allows you to override the name of the Samba log file (also known as the debug file). max log size specifies the max size the log file should grow to.

 time server = yes
 log file = /var/log/samba/log.%m
 max log size = 50

The following parameters assist you in adding/deleting users/machines from a client. Note: using these parameters that reference the smbldap-tools means that you must install it when presented later in this HowTo.

 add user script = /usr/sbin/smbldap-useradd -m "%u"
 add machine script = /usr/sbin/smbldap-useradd -w "%u"
 add group script = /usr/sbin/smbldap-groupadd -p "%g"
 add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
 delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
 set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

...tbe...

 passdb backend = ldapsam:ldap://127.0.0.1/
 ldap delete dn = Yes
 ldap ssl = no
 winbind nested groups = no

Note: You must add the line for winbind or samba will not start. This is a known bug in samba. Chucks

The following settings refer to the positions of various LDAP objects in our directory. ldap suffix is the same one we entered in slapd.conf and is the root of our LDAP tree. ldap admin dn is the distinguished name of your rootdn previously named in slapd.conf. ldap xxxx suffix is the suffix of each of the containers you see, where xxxx = group, user, machine, idmap.

 ldap suffix = dc=example,dc=net
 ldap admin dn = cn=Manager,dc=example,dc=net
 ldap group suffix = ou=Groups
 ldap user suffix = ou=Users
 ldap machine suffix = ou=Computers
 ldap idmap suffix = ou=Idmap

The [SHARE_NAME] services section

This section defines your shares. If you include a parameter within any one of these sections that is defined in the global section it will override the parameter in the global section. I'm not going to get into detail about each and every parameter here. The samba link provided above is a great resource for defining parameters. Use it!

netlogon is the service section of where your Default Profile (for new users) and your login script reside. Make sure the directory is owned and group owned by root and permissions are 755 (chmod -R 0755).

[netlogon]

 path = /var/lib/samba/netlogon
 guest ok = Yes
 browseable = no
 write list = root

profiles is the service section for user roaming profiles. Make sure the directory proper is owned and group owned by root. Make sure its permission is 755 (chmod -R 1757). Inside this directory is where your user profiles are located.

[profiles]

 path = /var/lib/samba/profiles
 writable = yes
 browseable = no
 create mode = 0644
 directory mode = 0755
 guest ok = yes

homes defines the users' home directories. Nothing special needs to be done to this directive or directory.

[homes]

 path = /home/%U
 browseable = no
 valid users = %S
 read only = no
 create mask = 0664
 directory mask = 0775

public is only an example of one of my shares. You can define as many as you want. You can name them whatever you want. It does not have to be named [public].

[public]

 comment = Public Stuff
 path = /public
 public = yes
 read only = yes
 browseable = yes
 write list = @users

Finishing up Samba

Now that we have configured smb.conf with the rootdn, we need to store the password for it. We can accomplish this with the following command. Note: your secret password will have to be typed at the command line.

  1. smbpasswd -w secret

Before we will be able to start samba we need to do a quick sanity check.

  • check to make sure all folders referenced in /etc/samba/smb.conf actually exist
  • ensure the proper permissions are on the folders referenced by netlogon and profiles (usually they aren't); we can fix them with chmod 0755 /path/to/folder

You should also use testparm to run a sanity check against smb.conf. You can do this by executing the following command.

  1. testparm

Make sure to add samba to the default runlevel

  1. rc-update add samba default

Now it's time to start up Samba.

  1. /etc/init.d/samba start

Now, with fingers crossed, we should have had a successful start.

Configure smbldap-tools

Next you will need to edit the two smbldap-tools config files, /etc/smbldap-tools/smbldap.conf and /etc/smbldap-tools/smbldap_bind.conf. Editing these files is straightforward and mostly needs to reflect settings you have specified previously. With the exception of the lines noted below, edit the config files to suit your needs.

/etc/smbldap-tools/smbldap.conf

The directives ldapTLS, verify, and hash_encrypt have to be set as follows. Any of the other directives should be changed to match settings we have previously set in other files. If you don't know what a directive does, it should be safe to skip it.

 ldapTLS="0"
 verify="none"
 hash_encrypt="MD5"

 # Other configuration should be altered too!!!

Note: Whilst configuring smbldap-tools, do not use %L for the PDC name when configuring the paths to use. This will break roaming profile logins.

/etc/smbldap-tools/smbldap_bind.conf

This file need only be updated with the rootdn you have previously specified, as well as the rootdn's secret password in plain text.
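Two files on this PDC now hold the rootdn password in clear text: /etc/ldap.secret (read by pam_ldap/nss_ldap, mode 600 as the note in the ldap.conf section says) and /etc/smbldap-tools/smbldap_bind.conf (read by smbldap-tools). The following added example, not part of the original HOWTO, checks both: the file must be owned by the user that reads it (root on the PDC), must have no group or other permission bits, and smbldap_bind.conf must actually carry a masterDN and masterPw. It runs on constructed copies in a temporary directory rather than on /etc.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: permission and content check for
# the two clear-text credential files. Runs on constructed files in a temp dir.

file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }
file_uid()  { stat -c %u "$1" 2>/dev/null || stat -f %u  "$1"; }

# check_secret_file FILE [UID]: 0 when FILE exists, is owned by UID (default 0 = root)
# and has mode 600 or 400, i.e. no group/other bits at all.
check_secret_file() {
    f="$1"; want_uid="${2:-0}"; rc=0
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    m=$(file_mode "$f")
    case "$m" in
        600|400) ;;
        *) echo "$f: mode $m, expected 600"; rc=1 ;;
    esac
    u=$(file_uid "$f")
    [ "$u" = "$want_uid" ] || { echo "$f: owned by uid $u, expected $want_uid"; rc=1; }
    return $rc
}

# check_bind_conf FILE [UID]: smbldap_bind.conf additionally needs a non-empty
# masterDN and masterPw (the rootdn and its password from slapd.conf).
check_bind_conf() {
    check_secret_file "$1" "${2:-0}" || return 1
    dn=$(sed -n 's/^masterDN="\(.*\)"$/\1/p' "$1")
    pw=$(sed -n 's/^masterPw="\(.*\)"$/\1/p' "$1")
    if [ -z "$dn" ] || [ -z "$pw" ]; then
        echo "$1: masterDN or masterPw is not set"
        return 1
    fi
    return 0
}

# Usage on a live system (both files should belong to root, uid 0):
#   check_secret_file /etc/ldap.secret && check_bind_conf /etc/smbldap-tools/smbldap_bind.conf
```

The owner check is parameterised because on a live PDC both files belong to root, while the self-test below creates them as the current user.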

After editing the above files, feel free to move on to the next section.

Using Smbk5pwd overlay

I'm still working on this subject, you can take a peek by checking out the Talk:HOWTO_LDAP_SAMBA_PDC_Basic_Setup - Po0ky

In this section we will evaluate the basic setup, testing various portions in order to verify functionality. First we will start with LDAP.

Populate

Before we can execute the majority of these tests we first need to get some critical initial entries into the LDAP database; the best way to do that is with smbldap-tools.

  1. smbldap-populate

LDAP

The following command will produce a list of all the entries in LDAP; it also verifies that slapd is working properly and that /etc/openldap/ldap.conf is correct. We should get several entries back.

  1. ldapsearch -D "cn=manager,dc=example,dc=net" -W

If you get an error message and are not using cn=config, use the -x parameter (ldapsearch -D "cn=manager,dc=example,dc=net" -W -x).

PAM / NSS LDAP

To do a basic verification of the user system we'll use the getent command to look up some passwd information

  1. getent passwd |grep 0:0

which should return something similar to this. Note: fewer than two lines returned from this command shows that there is an error with NSS LDAP, and you should examine the files related to it to find the error.

Code: good getent output

 root:x:0:0:root:/root:/bin/bash
 root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false

To test our PAM system, we'll create a system account in LDAP and try to log in as this new user. To create this system account we'll use smbldap-useradd.

  1. smbldap-useradd -a -m -P testuser

which should return the following:

Code: smbldap-useradd output

 Changing password for testuser
 New password :
 Retype new password :

Next we can try a UNIX login to our system as testuser. we can do this using another console or ssh. Everything should work fine.

  1. ssh testuser@localhost

Code: ssh

 Password:
 Last login: Wed Nov 23 20:55:13 2005 from localhost
 testuser@system ~ $

Samba

We can verify that Samba-3 can obtain the user accounts from the LDAP passwd backend by executing the following command.

  1. pdbedit -Lv testuser

Output from this command should resemble the following.

Code: good pdbedit output

 Unix username: testuser
 NT username: testuser
 Account Flags: [UX ]
 User SID: S-1-5-21-1832081158-3534132708-4235750906-3010
 Primary Group SID: S-1-5-21-1832081158-3534132708-4235750906-513
 Full Name: System User
 Home Directory: \\COMPUTER_NAME\testuser
 HomeDir Drive: H:
 Logon Script: logon.bat
 Profile Path: \\COMPUTER_NAME\profiles\testuser
 Domain: YOUR_DOMAIN
 Account desc: System User
 Workstations:
 Munged dial:
 Logon time: 0
 Logoff time: Tue, 19 Jan 2038 03:14:07 GMT
 Kickoff time: Tue, 19 Jan 2038 03:14:07 GMT
 Password last set: Wed, 23 Nov 2005 20:54:51 GMT
 Password can change: 0
 Password must change: Tue, 19 Jan 2038 03:14:07 GMT
 Last bad password : 0
 Bad password count : 0
 Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Joining Computers

RequireSignOrSeal

The following registry key is needed for Windows 2000 and XP clients to join and log on to a Samba domain. One of the easiest ways to drop this into the registry is to paste it into a text file, rename it with the .reg extension and then double-click the file. Note: Windows 2000 SP4 appears to already have this key set to 0.

Code: RequireSignOrSeal

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
 "requiresignorseal"=dword:00000000

Join It!

Note: This section will require a second computer running Windows 9x/2000/XP (the example is exact for Win 2k; your process to join a computer may vary).

On your Windows computer open Start -> Control Panel. Select "Computer Management" and then the "Network Identification" tab. Click the "Properties" button. This brings up the "Identification Changes" dialog, where you can change your computer's name as well as its workgroup/domain. Select the domain radio button and enter the name of your domain (YOUR_DOMAIN is used in this HowTo). Click 'Ok'. Windows will then open another dialog box asking for "The name and password of an account with permission to join the domain"; you can enter the username of any member of the domain admins group. This is usually cn=root,ou=people,dc=example,dc=net, or more simply root, and the password you specified when smbldap-populate asked. Enter root and your secret password, and click 'Ok'.

You should get a nice message saying "welcome to YOUR_DOMAIN", followed by "you need to reboot in order for changes to take effect." You should reboot your Windows computer now.

Logging In

Now that your computer has restarted and is at the login prompt, you should be able to log in with any domain account. root should be available, as well as the testuser we created previously. If everything was configured correctly and all directories were created with the proper permissions, you should be dumped right into the desktop. Note: you may get a warning about your profile not existing; if you log out and back in it should disappear. If it returns, you should troubleshoot your access to \\YOUR_COMPUTER\profiles.

 Create Certs

OPTIONAL. Use of SSL and/or TLS encryption is recommended as a "best practice", because passwords are transferred over the connections between the LDAP server and whatever it talks to. Using them is completely optional, but highly recommended.

First we should create our SSL certificates. The following procedure is used to create self-signed certificates; for more information see the OpenLDAP SSL/TLS How-To.

First we need to create a directory for building our certs in, change to that directory and then create a new CA. The script will execute and ask you some questions about your organization.

Tip: YOUR NAME is not your name, it should be your FQDN. If you set it to anything else, clients will reject your certificate. Make sure your clients attempt to connect to the FQDN address of your host if it is multi-homed.

  1. mkdir /var/myca
  2. cd /var/myca
  3. /etc/ssl/misc/CA.sh -newca

This creates a demoCA directory with various items including demoCA/cacert.pem and demoCA/private/cakey.pem (CA cert and private key)

Next we need to create a new server certificate signing request that we can later sign with the previously generated CA cert. Again it will ask you some questions about your organization.

Tip: YOUR NAME is not your name, it should be your FQDN. If you set it to anything else, clients will reject your certificate. Make sure your clients attempt to connect to the FQDN address of your host if it is multi-homed.

  1. openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem

Next we have the CA sign the CSR. After we execute it, it is going to ask us to enter the PEM pass phrase; this is the challenge passphrase we gave in the previous command. It is also going to ask if we want to sign the cert, which we do.

  1. /etc/ssl/misc/CA.sh -sign

The result of the above command should be the creation of newcert.pem, our signed cert.

Next we should move the certs to our desired certificate repository and rename them. I prefer to put them in /certs/openldap

  1. mkdir -p /certs/openldap
  2. mv demoCA/cacert.pem /certs/openldap/CA-cert.pem
  3. mv newcert.pem /certs/openldap/ser-crt.pem
  4. mv newreq.pem /certs/openldap/ser-key.pem
  5. chmod 400 /certs/openldap/ser-key.pem
  6. chown ldap:ldap /certs/openldap/ser-key.pem

The chmod makes the private key read-only. The owner of the key should be the same user that runs slapd, so a chown command will be necessary if the owner of the server key is not the same as the user who runs slapd. The certificates should be publicly readable.

Warning: failure to execute the chown in the commands above will prevent slapd from starting, leaving an error message of "main: TLS init def ctx failed: -1" in /var/log/syslog

Update /etc/openldap/slapd.conf to ensure the following lines are uncommented:

  1. TLSCertificateFile /certs/openldap/ser-crt.pem
  2. TLSCertificateKeyFile /certs/openldap/ser-key.pem
  3. TLSCACertificateFile /certs/openldap/CA-cert.pem
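The whole procedure above, from new CA to installed files, as a non-interactive script. This is an added example and not from the original guide: it uses plain openssl commands in place of the CA.sh prompts (the -subj values are constructed, and ldap.example.com stands in for your FQDN), and rsa:2048 instead of the guide's rsa:1024, because many current distributions reject 1024-bit RSA at their default OpenSSL security level. Run it as root on the real host; the chown ldap:ldap step is left as a comment because it needs the ldap user to exist.

```shell
# build_ldap_certs FQDN DEST
# Creates a CA, a server key and CSR, signs the CSR with the CA and installs
# the results under DEST with the file names and permissions the guide uses.
build_ldap_certs() {
    fqdn="$1"; dest="$2"
    work="$(mktemp -d)"
    ( cd "$work" &&
      # CA key + self-signed CA cert (what CA.sh -newca produces)
      openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
          -keyout cakey.pem -out cacert.pem -subj "/CN=$fqdn CA" 2>/dev/null &&
      # Server key and CSR; the CN must be the FQDN clients connect to
      openssl req -newkey rsa:2048 -nodes \
          -keyout newkey.pem -out newreq.pem -subj "/CN=$fqdn" 2>/dev/null &&
      # Sign the CSR with the CA (what CA.sh -sign does)
      openssl x509 -req -days 365 -in newreq.pem -CA cacert.pem \
          -CAkey cakey.pem -CAcreateserial -out newcert.pem 2>/dev/null
    ) || return 1
    mkdir -p "$dest"
    mv "$work/cacert.pem"  "$dest/CA-cert.pem"
    mv "$work/newcert.pem" "$dest/ser-crt.pem"
    mv "$work/newkey.pem"  "$dest/ser-key.pem"
    # Private key readable only by its owner, certificates world-readable.
    # On the real host also run: chown ldap:ldap "$dest/ser-key.pem"
    chmod 400 "$dest/ser-key.pem"
    chmod 444 "$dest/CA-cert.pem" "$dest/ser-crt.pem"
    rm -rf "$work"
}

# verify_ldap_certs FQDN DEST
# Checks the two things a client checks before trusting the server:
# the server cert chains to CA-cert.pem, and its CN is the FQDN.
verify_ldap_certs() {
    fqdn="$1"; dest="$2"
    openssl verify -CAfile "$dest/CA-cert.pem" "$dest/ser-crt.pem" \
        >/dev/null 2>&1 || return 1
    openssl x509 -noout -subject -in "$dest/ser-crt.pem" \
        | grep -q "CN *= *$fqdn" || return 1
}
```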

You may also want to update /etc/openldap/ldap.conf. This line will let the ldapsearch client automatically use your certificate to verify the server.

 client ~# echo "TLS_CACERT /certs/openldap/CA-cert.pem" >> /etc/openldap/ldap.conf

Configure Samba to use TLS

Update the following line in /etc/samba/smb.conf in the [Global] section. File: smb.conf

 ldap ssl = start_tls

Now, restart everything and hope it works! Code: Restart Servers

 # /etc/init.d/slapd restart
 # /etc/init.d/samba restart

Securing Files

We need to secure /etc/openldap/slapd.conf from access by anyone besides root, because the root password for our entire LDAP directory is in that file. We can accomplish this with the following commands. Code: secure slapd.conf

  1. chmod 600 /etc/openldap/slapd.conf
  2. chown ldap:ldap /etc/openldap/slapd.conf

Not using the rootdn

See Talk:HOWTO_LDAP_SAMBA_PDC_Security_Upgrade for now.

The following commands use OpenSSL to verify SSL and TLS connections. localhost can always be substituted with any name that refers to your LDAP server. The first command verifies SSL and the second will verify TLS.

Note: ctrl-c (^C) will be necessary, as the command hangs in limbo after it finishes.

Note: the second command won't work... yet!

  1. openssl s_client -connect localhost:636 -showcerts -state -CAfile /certs/openldap/CA-cert.pem
  2. openssl s_client -connect localhost:389 -showcerts -state -CAfile /certs/openldap/CA-cert.pem

Good output will resemble the following (output was edited for size). Code: good openssl output

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
(...Certificate chain output deleted...)
---
No client certificate CA names sent
---
SSL handshake has read 2161 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: CF98B6D749348537401A137BA4BC6FFD4221A1BA...
    Session-ID-ctx:
    Master-Key: ...9DEA83A16F72934AF5213BDBF2EA46BF254342B846E8A7
    Key-Arg   : None
    Start Time: 1128586936
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

---
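A helper for the check above, added here and not part of the original page: ldap_tls_probe runs the same s_client commands with stdin closed so they return instead of hanging, and on port 389 asks s_client to do the STARTTLS itself with -starttls ldap (needs OpenSSL 1.1.1 or later); assess_s_client_output reads the captured output and fails on an unverified chain or an SSLv2/SSLv3 session. The sample output embedded below is constructed from the excerpt above.

```shell
# ldap_tls_probe HOST PORT CAFILE
# Port 636 is ldaps (TLS from the first byte); port 389 needs STARTTLS.
# Feeding /dev/null to stdin makes s_client exit after the handshake.
ldap_tls_probe() {
    host="$1"; port="$2"; cafile="$3"
    starttls=""
    if [ "$port" = "389" ]; then starttls="-starttls ldap"; fi
    openssl s_client -connect "$host:$port" -CAfile "$cafile" \
        -state -showcerts $starttls </dev/null 2>&1
}

# assess_s_client_output
# Reads s_client output on stdin, prints a one-line verdict and returns 1
# unless the chain verified (code 0) and no SSLv2/SSLv3 session was made.
assess_s_client_output() {
    out="$(cat)"
    code="$(printf '%s\n' "$out" \
        | sed -n 's/^ *Verify return code: *\([0-9][0-9]*\).*/\1/p' | head -n 1)"
    proto="$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)"
    cipher="$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)"
    if [ -z "$code" ]; then
        echo "no handshake result found (server down or not speaking TLS?)"
        return 1
    fi
    if [ "$code" != "0" ]; then
        echo "certificate verification failed (verify return code $code)"
        return 1
    fi
    case "$proto" in
        SSLv2|SSLv3) echo "insecure protocol $proto negotiated"; return 1 ;;
    esac
    echo "ok: $proto $cipher verified against CA"
}

# Constructed samples: the session block from the good output above, and
# the same block as it looks when the CA file does not match the server.
SAMPLE_GOOD='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 0 (ok)'
SAMPLE_BAD='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 19 (self signed certificate in certificate chain)'
```

Typical use on the server: ldap_tls_probe localhost 636 /certs/openldap/CA-cert.pem | assess_s_client_output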

 Log levels

An often overlooked performance hindrance is log files. If you have followed my guide thus far then you have set several log levels quite high, which results in lots of extra data for the system to generate and then process when it writes it to a log on the disk. The following section outlines where we can trim the log file 'fat.'

/etc/ldap.conf

This is a big one: with debug set to 256 it will create a log entry for every lookup the system does against passwd, shadow, or group account information, which can be quite often (every ls looks up passwd and group). Once this works, it will continue to work, so feel free to edit /etc/ldap.conf and comment out the debug directive or set it to 0.

/etc/openldap/slapd.conf

This is another big one: with loglevel set to 255 slapd will display information on damn near everything, and again, once slapd is up and running properly we no longer need access to all those messages. Edit /etc/openldap/slapd.conf and comment out the loglevel directive, or set it to 0. When you're done editing this we will need to restart slapd. This can be accomplished with the following command.

  1. /etc/init.d/slapd restart

/etc/samba/smb.conf

If you turned up the log level for Samba it can produce extra and unnecessary output just as well as the others. Edit /etc/samba/smb.conf and comment out the log level directive or set it to 0. When you're done editing this you will need to restart Samba; this can be accomplished with the following command.

  1. /etc/init.d/samba restart

By default, Samba still uses NSS to get user and group information. While this works, because we configured NSS to use LDAP, having Samba go directly to LDAP is much faster. First, we need to change /etc/samba/smb.conf to do this: File: smb.conf

 [global]
 ldapsam:trusted = yes
 # This is the default
 guest account = nobody

Now we need to add the guest account to LDAP so that Samba can start.

  1. userdel nobody
  2. groupdel nobody
  3. smbldap-groupadd -g 65534 -o nobody
  4. smbldap-useradd -a -u 65534 -g 65534 -n -s /bin/false -d / nobody
  5. /etc/init.d/samba restart

See smb.conf(5) for details on the ldapsam:trusted = yes setting.

Roaming Profiles

When a user logs onto the network using a roaming profile, the default behavior is for everything in the C:\Documents and Settings\ tree to be copied from its location on a remote server to the workstation the user has logged into. While the user is logged in, all changes are made to the local copy. When the user logs off the workstation, all of the data is copied back onto the server that originally contained the profile. When user profiles grow in size we can see dramatic performance hits on not only user logon and logout times, but also network performance. The following outlines some steps that can be taken to minimize the size of roaming profiles while still enjoying their benefits.

There are two places where we need to make modifications in order to reduce the size of roaming profiles. The first is the Local Group Policy of each workstation. The second is each user's HKEY_CURRENT_USER registry hive (NTUSER.DAT).

Local Group Policy

Currently Samba PDCs are unable to take advantage of Group Policy Objects; however, we can enact the same changes in each computer's Local Group Policy. While you don't have to do it manually for each computer, we do have to do it manually at least once. On a Windows client click Start -> Run, and enter 'gpedit.msc' (without the single quotes).

... tbe ...

Preview of docs in Talk:HOWTO_LDAP_SAMBA_PDC_Performance_Tuning Page ;) -- Po0ky 09:00, 2 January 2006 (GMT) --

Note: 29/4/2007 You are not able to make real GPO objects like in a Windows Domain, but with a tool from MS called poledit.exe you are able to set some basic policies running for a group or a default domain member, or a machine or other objects. If you save the config in the root of the "Netlogon-Share" and name the policy NTConfig.POL, your users and clients will use it. There are some options like "Erasing roaming profiles from workstations after logoff", "Limit Size of roaming profiles" and "Exclude Directories From Profile".

The advantage of this solution is that you DO NOT HAVE to configure "Local Group Policy" as mentioned above on each client, or for each user in a domain. You have a central file "NTConfig.POL", where all configuration for domain members and computers is written.

The Default Profile

By creating a default profile we can ensure that all users created afterwards will use a profile which is more limited in what is transferred back and forth on logon and logout.

First we need a fresh and 'untainted' profile to use as our base profile. The easiest way to accomplish this is to log on with our testuser (provided you haven't changed anything; if you have, create a new user with smbldap-useradd -a -m -P username and log in with them).

Once logged in, click on Start -> Run and key in regedt32