Samba TNG and Unix Accounts with LDAP

Created on: 2001/01/09
Last revised on: 2001/06/20

DST, University of Verona, Italy
Author: Mirko Manea <mami@arena.sci.univr.it>, <mami@mami.net>
Url: http://www.mami.net/univr/tng-ldap/howto/howto.html
Url: http://arena.sci.univr.it/~mami/tng-ldap/howto/howto.html

WORK STILL IN PROGRESS... USE AT YOUR OWN RISK!!!
YOUR HELP IS WELCOME

WARNING: The LDAPv2 schemata have been changed! Please check the changelog.
Changelog

schemacheck on option in slapd.conf. Because of this I added some fields to basic-users.ldif too. Thanks to Shanker Balan <shanu@exocore.com> for this hint.
Tested platforms and requirements

This howto is based on Red Hat Linux 7.0 because, at the time of this writing, it is one of the most widely used Linux distributions and it ships with OpenLDAP 1.2.11 (a free LDAPv2 server implementation) and PAM (Pluggable Authentication Modules). Setting up standard Unix authentication against LDAP is also easy there. I think this will work on every platform where these packages run.

I tested Windows 2000 Professional clients with SP1 and Windows NT workstations. With Windows NT you need at least SP5.

How to setup OpenLDAP

Setting up the OpenLDAP server requires editing slapd.conf (usually /etc/openldap/slapd.conf). Get it and change the suffix, rootdn, rootpw and access sections to meet your needs. Pay attention to the access section: the ntpassword and lmpassword attributes you will store later are password equivalents (see the note on nt/lm passwords below), so they must not be readable by anonymous or ordinary binds, and OpenLDAP 1.2 grants read access to everything unless you restrict it.

To create the crypt password used in slapd.conf you can use something like this:

    $ perl -e "print crypt('passwd', join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64]);"

where

Then download unix.schema-v2 and sambatng.schema-v2 and move them to /etc/openldap/. These files contain the schema definitions for unix and sambatng accounts. Now edit ldap.conf, which is used by the ldap command line utilities, and change the values of BASE and HOST to match your settings. Finally check that OpenLDAP starts automatically (ie /sbin/chkconfig ldap on) and start it (ie /etc/init.d/ldap start). To check that things are working you can run it in the foreground with /usr/sbin/slapd -d 3.

Ldap entries for Samba TNG

Before starting to create users you need to import some basic ldap entries which define standard users and groups. Download and import the following files:
Replace dc=sci,dc=univr,dc=it with your suffix and then import them into your LDAP database. A quick way is:

    $ cat basic-users.ldif | sed 's/dc=sci,dc=univr,dc=it/<YOUR_SUFFIX>/' | sed 's/o: univr/o: <YOUR_ORG_NAME>/' | ldapadd -W -r -D "<YOUR_ROOT_DN>"
    $ cat builtin.ldif | sed 's/dc=sci,dc=univr,dc=it/<YOUR_SUFFIX>/' | ldapadd -W -r -D "<YOUR_ROOT_DN>"

The password you are prompted for is the one you chose in the previous step, ie the LDAP root password.

To make things easier it is useful to create an organizationalUnit where users will be inserted. In my example it is called Students. Just download Students.ldif and then import it:

    $ cat Students.ldif | sed 's/dc=sci,dc=univr,dc=it/<YOUR_SUFFIX>/' | ldapadd -W -r -D "<YOUR_ROOT_DN>"

Now you can create your users by importing an LDIF like the following (importing this will create a user with the dn shown):

    dn: uid=manea,ou=Students,dc=sci,dc=univr,dc=it
    objectclass: account
    objectclass: posixAccount
    objectclass: top
    objectclass: shadowAccount
    objectclass: sambaAccount
    acctflags: [U ]
    userpassword: {crypt}$1$LjbaxE00$g7.4JsK6qfEalTny7XpDc/
    ntpassword: A763993FC42F396664EBD053BA326D41
    lmpassword: F6818657596D3B35AAD3B435B51404EE
    uid: manea
    uidnumber: 1002
    gidnumber: 1992
    cn: manea
    ntuid: manea
    rid: 2712
    grouprid: 201
    gecos: Mirko Manea
    loginshell: /bin/bash
    smbhome: \\arena\homes
    profile: \\arena\profiles\default
    homedrive: H:
    script: scripts\startup.bat
    homedirectory: /home/info93/manea
    logontime: 00000000
    logofftime: 00000000
    kickofftime: 00000000
    pwdlastset: 3A561FEC
    pwdcanchange: 3A2CEBFF
    pwdmustchange: FFFFFFFF
    shadowmax: 99999
    shadowwarning: 7
    shadowlastchange: 11270

I wrote a simple useradd-like script: ldapuseradd.pl. Feel free to test and improve it. Be sure to grab the mkntpwd utility (source) or my binaries (Linux/i386 glibc2, Linux/PPC).

Note: "nt/lm passwords are cleartext equivalent; that means, if someone gets the hex string, he can directly connect to any nt machine and to your tng-pdc."

Treat ntpassword and lmpassword like the contents of /etc/shadow: restrict them in the slapd access section, and do not leave LDIF files containing them world-readable. The LM hash is weaker still: it is DES over the upper-cased password split into two 7-character halves, so it is cheap to brute-force, and a second half of AAD3B435B51404EE (as in the example entry above) is the constant produced for an empty half, which reveals that the password is seven characters or shorter.

Download and compile Samba TNG

Download Samba TNG from the cvs as described at http://www.samba-tng.org/cvs.html or get this snapshot: samba-tng-20010427-patched.tar.bz2 (an older one, no longer in sync with this howto: samba-tng-20010112.tar.bz2). I used the following steps:

    $ cd tng/source/
    $ ./configure --prefix=/usr/local/tng --with-ldap --with-quotas
    $ make
    $ make install

(or, if you want to use the deprecated LDAPv2 schema: ./configure --prefix=/usr/local/tng --with-ldap --enable-old-ldap-schema --with-quotas)

If you have problems making tng work on Red Hat 7.1, use --enable-static.

Configuring Samba TNG

Configuring samba requires only a few steps. Under the tng root (/usr/local/tng) I created the following additional directories:

    $ cd /usr/local/tng/
    $ mkdir private
    $ chmod 700 private
    $ mkdir -p profiles/default
    $ mkdir -p netlogon/scripts

In ./private I created a file ldappasswd with the ldap password needed to bind to the LDAP server (in clear text). Since this is the rootdn password, keep private/ owned by root with mode 700 as above: anyone who can read that file can rewrite every account in the directory. In ./profiles/default I put a mandatory profile. To create a mandatory profile just rename NTUSER.DAT, which is created the first time you log in, to NTUSER.MAN. Be careful to create this profile by using a template user whose grouprid is the same as that of the users that are going to use that profile. You can also use a directory ending with

In ./netlogon you can put your policy templates (ie NtConfig.pol for Windows NT and 2000). In ./netlogon/scripts you can put your logon scripts. Finally put smb.conf in ./lib/. The relevant section for LDAP is in [global]:

    ldap suffix = "ou=Students,dc=sci,dc=univr,dc=it"
    ldap bind as = "uid=root,dc=sci,dc=univr,dc=it"
    ldap passwd file = /usr/local/tng/private/ldappasswd
    ldap server = localhost
    ldap port = 389
    ldap scope = sub

Keep slapd on the same host as tng, as in this example: OpenLDAP 1.2 speaks LDAPv2 without TLS, so with a remote ldap server the rootdn bind and the password hashes would cross the network in clear text.

How to change password

A user's ldif contains three password fields, which should be kept in sync. A user can change his/her password from the Windows 2000 applet (with CTRL+ALT+DEL) or from Linux (by invoking a passwd replacement program). Put the ldapsync.pl script into /usr/local/sbin; samba will use it as its passwd program. Be sure that your smb.conf has these lines:

    ; sync samba with unix password
    unix password sync = Yes
    passwd program = /usr/local/sbin/ldapsync.pl -o %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *modifying*

Please change the first lines of the script to reflect your LDAP settings. It should also be readable only by root:

    $ chmod 0700 /usr/local/sbin/ldapsync.pl

ldapsync.pl contains the LDAP root password, so I wrote another small script to change the unix password instead of using the standard password changing programs (passwd, yppasswd): ldapchpasswd. This program binds as the user requesting the password change, so only providing the right password will grant access (if you configured the acl as above). Please change the first lines to reflect your LDAP settings.

Until someone tells me how to generate nt/lm passwords, an external utility (mkntpwd) is required to use both programs. Source code can be obtained here. Binaries are available for: Linux/i386 glibc2, Linux/PPC.

How to configure Linux

Red Hat 7.0 makes configuration very easy.
Once you have installed the openldap-clients and nss_ldap packages, invoke /usr/sbin/authconfig: select 'Use LDAP', specify your Server (for example 127.0.0.1 for localhost) and your Base DN (for example dc=sci,dc=univr,dc=it). Then click Next and check that 'Use Shadow Passwords', 'Use MD5 Passwords' and 'Use LDAP Authentication' are selected; Server and Base DN are the same as before.

Red Hat 6.2 or other unix systems using nss_ldap work too (I've tested with 122-1.6 from RH62). Just add to /etc/nsswitch.conf:

    passwd: files ldap
    shadow: files ldap
    group:  files ldap

and to /etc/ldap.conf:

    host 127.0.0.1
    base dc=sci,dc=univr,dc=it
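Two points from the "How to change password" section and its note on nt/lm passwords are easier to see in code: the NT hash is an unsalted MD4 of the UTF-16LE password (so the hex string is as good as the password), and the howto has to lean on the external mkntpwd utility to produce it. The following is an added example written for this page, not code from the howto, from mkntpwd or from Samba TNG. It implements MD4 as specified in RFC 1320, derives an NT hash from it, and audits the password attributes of a sambaAccount entry. The LDIF excerpt is constructed from the example entry shown earlier (non-password attributes dropped); the LM hash is only inspected, not computed, because that would need DES. Function names and the finding texts are this example's own.

```python
"""Added example (not from the howto or Samba TNG): NT hash generation and an
audit of the password attributes in a sambaAccount LDIF entry."""
import re
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_block(state, X):
    # One 64-byte block of MD4 (RFC 1320): three rounds of 16 steps each.
    # Each round: boolean function, message-word order, shift amounts, constant.
    a, b, c, d = state
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
         (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for fn, order, shifts, k in rounds:
        for i, j in enumerate(order):
            a = _rotl((a + fn(b, c, d) + X[j] + k) & MASK, shifts[i % 4])
            a, b, c, d = d, a, b, c   # rotate roles: the next step updates the old d
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit little-endian.
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        state = _md4_block(state, struct.unpack("<16I", data[off:off + 64]))
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    # NT hash = MD4(UTF-16LE(password)), no salt: whoever holds the hex string
    # can authenticate with NTLM without ever knowing the password.
    return md4(password.encode("utf-16-le")).hex().upper()


# LM's DES step over an all-padding 7-byte half always yields this block.
LM_EMPTY_HALF = "AAD3B435B51404EE"
HEX32 = re.compile(r"[0-9A-F]{32}")

# Constructed excerpt of the howto's example entry (non-password attributes dropped).
SAMPLE_LDIF = """\
dn: uid=manea,ou=Students,dc=sci,dc=univr,dc=it
objectclass: sambaAccount
acctflags: [U ]
userpassword: {crypt}$1$LjbaxE00$g7.4JsK6qfEalTny7XpDc/
ntpassword: A763993FC42F396664EBD053BA326D41
lmpassword: F6818657596D3B35AAD3B435B51404EE
uid: manea
"""


def parse_ldif(text: str) -> dict:
    """Minimal single-entry LDIF parser: lowercase attribute -> first value."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            entry.setdefault(key.strip().lower(), value.strip())
    return entry


def audit_passwords(entry: dict) -> list:
    """Return the findings a reviewer would raise about the entry's password material."""
    findings = []
    nt = entry.get("ntpassword", "").upper()
    lm = entry.get("lmpassword", "").upper()
    if not HEX32.fullmatch(nt):
        findings.append("ntpassword missing or not 32 hex digits")
    elif nt == nt_hash(""):
        findings.append("ntpassword is the hash of the empty password")
    if lm:
        if not HEX32.fullmatch(lm):
            findings.append("lmpassword not 32 hex digits")
        else:
            findings.append("lmpassword present: LM is case-folded DES, cheap to brute-force")
            if lm[:16] == LM_EMPTY_HALF:
                findings.append("lmpassword is the hash of the empty password")
            elif lm[16:] == LM_EMPTY_HALF:
                findings.append("lmpassword second half empty: password is 7 characters or fewer")
    if not entry.get("userpassword", "").startswith("{crypt}"):
        findings.append("userpassword is not a {crypt} hash; Unix logins will not match")
    return findings


def nt_hash_matches(password: str, stored_hex: str) -> bool:
    """Check a candidate password against a stored ntpassword value."""
    return nt_hash(password) == stored_hex.upper()


if __name__ == "__main__":
    for finding in audit_passwords(parse_ldif(SAMPLE_LDIF)):
        print("-", finding)
    print(nt_hash("password"))
```

Running it prints the two LM findings for the example entry and the NT hash of "password". nt_hash() gives you the ntpassword value that ldapuseradd.pl would otherwise obtain from mkntpwd; the audit is the check worth running over any LDIF you are about to import.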
Setting up system auth against LDAP is important! If not, you must create an Administrator account in /etc/passwd, ie in Red Hat 6.2 type:

Now you should be able to log on using the users you created with ldapuseradd.pl.

How to join Windows 2000 to the domain

I use this procedure, which may be buggy, but it works. It is necessary to set a password for Administrator:

    # samedit -S . -U root -c 'samuserset Administrator -p my_password'

(The password is passed on the command line, so it ends up in your shell history and is visible in ps while samedit runs.)

For each machine you need an entry in /etc/passwd:

    # groupadd -g 10000 ntmachine
    # adduser -u 10001 -g 10000 -d /dev/null -s /dev/null -c 'Windows NT machine' -M -n w2k$

Now from the Windows 2000 applet join the domain, specifying Administrator as the user when prompted. After a few seconds (it takes about 15 secs on my machine) the "Welcome to DOMAIN" window will appear.

I do not know if this is a bug, but when the w2k machine joins the domain, the account created in LDAP is disabled (recent cvs have fixed this). I enabled it with:

    # samedit -S . -U root -c 'samuserset2 w2k$ -c D'

In recent cvs this bug has been fixed and this workaround is no longer needed.

Now you should be able to use the same user account on both Linux and Windows 2000, with the same password!

How to configure Apache with LDAP

The auth_ldap module provides a way to obtain users from the LDAP database, ie you can resolve users' home directories (with ~username). Make sure you load the module with something like this:

    LoadModule auth_ldap_module modules/mod_auth_ldap.so
    [...]
    AddModule auth_ldap.c

Put these directives at the top of the LoadModule and AddModule sections in httpd.conf.

Known bugs and TODO list

There are many things which I currently do not understand well:
Links

Just a few links to useful documents:

Credits

This document is based mainly on the work of Ignacio Coupeau (CTI, University of Navarra). Many thanks to Elrond <elrond@samba.org> for his feedback.