
LDAP-based authentication for Samba
Install and configure Samba as a primary domain controller with LDAP on Linux

Skill Level: Intermediate

Keith Robertson ([email protected])
Advisory software engineer
IBM

31 Jan 2006

This tutorial demonstrates how to install and configure Samba as a primary domain controller with a secure LDAP-based authentication mechanism. It also describes how to configure the LDAP server, OpenLDAP, for PAM-based authentication and how to secure the link between Samba and OpenLDAP with Transport Layer Security (TLS). The completed system boasts a secure file- and print-sharing setup, in addition to a robust LDAP server that could be used for purposes beyond those required by Samba. Additionally, Windows® clients are able to log on to your Samba server, which acts as a primary domain controller, and have shared drives automatically mounted for them based on their group membership.

Section 1. Before you start

About this tutorial

In this tutorial -- about how to install and configure Samba as a primary domain controller with a secure LDAP-based authentication mechanism -- I'll:

• Introduce LDAP, show how it integrates with Samba, and discuss security concerns

© Copyright IBM Corporation 2006. All rights reserved.

• Go through the steps of configuring LDAP, including installing OpenLDAP and the IDEALX LDAP Samba toolkit; configuring OpenLDAP necessities, the slapd.conf file, the /etc/ldap.conf file, and the Pluggable Authentication Modules (PAM); and explain how to start OpenLDAP

• Next, show you how to configure Samba, including installing and starting Samba and the Logon Profile Generator; creating the required directories and the shared drives; configuring the smb.conf file and setting the LDAP database-access password; populating the database; adding the PAM and other users and adding Windows workstations to the domain; and debugging the Samba installation in case it didn't work

• Finally, cover security issues and talk about how to enable security for this system, including enabling Transport Layer Security for OpenLDAP, PAM, and Samba, and how to test the security of your system

The completed system boasts a secure file- and print-sharing setup, in addition to a robust LDAP server that could be used for purposes beyond those required by Samba. Additionally, Microsoft Windows clients are able to log on to your Samba server, which acts as a primary domain controller, and have shared drives automatically mounted for them based on their group membership.

This tutorial is best suited for readers with moderate UNIX or Linux familiarity and experience with basic IP networking concepts. The author used Fedora Core 3 as the Linux distribution, but other Linux distributions or UNIX variants, such as AIX, Solaris, or HP-UX, would also work for the setup described in the tutorial. All applications and utilities used in this tutorial are open source and are available from either your Linux vendor or the application vendor's homepage.

Prerequisites

The Linux distribution is Fedora Core 3; however, there is no reason why the setup described here would not work on other Linux distributions or UNIX variants such as AIX, Solaris, or HP-UX. The software is free and can be obtained in a number of ways. I recommend that you get a precompiled version (such as an RPM) from your Linux vendor's ftp mirror.

Here is a list of the software used in this tutorial. There is no need to get the list beforehand, as the tutorial describes how to download and install each item.

• OpenSSL.

• OpenLDAP.

• Samba.


• Perl module Crypt::SmbHash.

• Perl module Digest::SHA1.

• Perl module IO::Socket::SSL.

• Perl module Net::SSLeay.

• IDEALX Samba LDAP tools.

Note: This tutorial identifies the specific versions of the various software components tested. You might have success with earlier versions of the software, but I cannot guarantee that they will work. In general, software that is newer than the versions described in this tutorial should work.

Tutorial network layout

The network described in this tutorial is intended to be small so that you can easily duplicate the examples on a home or lab network. For this setup, I used a typical home broadband router with a built-in firewall. The following diagram depicts the physical network layout.

Figure 1. Tutorial network configuration

This Microsoft Windows network contains three classes of users -- marketing, engineering, and management. Engineering and marketing each have a shared drive where users from each group may place files for others in that same group to see; however, members from one group cannot see files on the other group's shared drive. For example, a marketing employee may not view a file on the engineering drive. Management also has a shared drive that is visible only to managers. In addition, we give managers special privileges so that they can see files from both engineering and marketing.


Section 2. Introducing LDAP

Now I'll introduce LDAP, show how it integrates with Samba, and discuss security concerns.

A brief introduction to LDAP

LDAP is a popular mechanism for authentication and as a repository for storing personally identifiable information. It has several advantages over traditional flat-file-based authentication mechanisms, for example /etc/passwd. One of these advantages is that LDAP can be used to produce the Holy Grail of password management, a single sign-on. Single sign-on is available because software applications can authenticate remotely against a common LDAP-based user repository across a TCP/IP network. The LDAP method of authentication is in direct contrast to flat-file-based authentication schemes that are typically tied to a single machine and do not distribute well.

LDAP manages data in what is termed a directory information tree. This tree helps to organize data through categorization. The storage underneath the tree is up to the server: the OpenLDAP back end used in this tutorial (bdb) keeps entries in an embedded Berkeley DB database, and some directory servers can store entries in an SQL database. As with a traditional SQL database, LDAP uses schemas to define where data should be located and how data should be formatted. The use of schemas is a key advantage of LDAP because it contributes greatly to its extensibility.

Integrating Samba with LDAP

There are three main integration points between Samba and an LDAP server:

• The first is the inclusion of Samba's schema into the LDAP server.

• The second is configuring Samba to authenticate through the LDAP server.

Authentication takes place with the help of Linux's PAM utility (Pluggable Authentication Modules). The PAM utility abstracts the process of authentication away from software applications running on Linux so that they do not have to understand the complexities of a particular authentication mechanism. As such, PAM gives software applications an enormous degree of flexibility because a software application can call one API for authentication and PAM decides if it should use a flat file, LDAP, or some other mechanism for authentication.

• The third integration point involves a set of tools that aid in the management of Samba's LDAP directory information tree. This toolkit is produced by a third party; however, it is covered under the GNU General Public License.

Security

A key strength of LDAP is its ability to be used as an authentication mechanism for software applications that could be scattered across a network. A side effect of this strength is that passwords may flow across the network during the authentication phase and, as a result, could be intercepted. Fortunately, LDAP supports both SSL (Secure Sockets Layer) and TLS, in two forms: LDAP over SSL/TLS on a dedicated port (ldaps://, conventionally TCP 636) and the StartTLS extended operation, which upgrades a plain connection on the standard port 389.

In this tutorial, the LDAP server is running on the same physical server as Samba; thus, there isn't much need for encryption. However, I will demonstrate how to encrypt the channel between LDAP and Samba because it is relatively simple and necessary for the reader who hosts Samba and LDAP on different machines.

This tutorial proceeds in two phases. The first phase details how to configure Samba and LDAP in an unsecured mode. Once the first phase is complete, encryption is enabled to secure the channel between Samba and the LDAP server. I am proceeding in a two-phase approach because, in general, it is usually easier to install, configure, and diagnose problems in an unsecured mode.

Section 3. Configuring LDAP

Step 1: Installing OpenLDAP

To install OpenLDAP:

1. Check to see if your distribution has OpenLDAP installed. Issue the following command at a terminal: rpm -qa | grep ldap. If you do not get a response of openldap-2.2.13 or greater, then you should either upgrade or install anew (which is described next).

2. If you don't have OpenLDAP version 2.2.13 or greater, go to your distribution's mirror and download a binary package. In my case, I went to Fedora's mirror list and downloaded openldap-2.2.13-2.i386.rpm. Then I issued the following command: rpm -Uvh openldap-2.2.13-2.i386.rpm.

Step 2: Installing IDEALX's LDAP Toolkit for Samba

A toolkit from IDEALX is required to automate many of the important interactions between Samba and your LDAP server. Included in the toolkit from IDEALX are scripts that Samba automatically calls to add users, modify users, add machines, etc. The scripts are written in Perl and can also be used from the command line.

To install the IDEALX toolkit:

1. Go to IDEALX's homepage and download version 0.9.1 or later of the toolkit (smbldap-tools-0.9.1.tgz).

2. In a temporary directory, unpack the toolkit with the following command: tar -zxf smbldap-tools-0.9.1.tgz.

3. We create a directory for the IDEALX scripts to live in. At the command prompt type: mkdir -p /var/lib/samba/sbin. Then type: chmod -R 755 /var/lib/samba.

4. Change into the directory created by the tar command. Type: cd smbldap-tools-0.9.1.

5. Copy the required scripts from the temporary directory to the permanent directory with the following command: cp smbldap* configure.pl /var/lib/samba/sbin.

6. Set the correct ownership and permissions by changing into the /var/lib/samba/sbin directory and issuing the following commands in order:

1. chmod 750 *

2. chmod 640 smbldap_bind.conf smbldap.conf smbldap_tools.pm

The second command matters for security: smbldap_bind.conf stores the DN and password that the scripts use to bind to the LDAP server in clear text, so it must not be readable by anyone other than root and the group you intend to run the scripts as.

7. You can now safely remove the temporary directory.

The IDEALX toolkit requires some additional Perl modules that may not be installed on your system. This section demonstrates how to download and install them.

1. The first thing you need to do is to download all of the requisite Perl modules from CPAN.org. Go to CPAN.org and type the following search strings into the search box.

• Search for Perl module: Crypt::SmbHash

• Search for Perl module: Digest::SHA1

• Search for Perl module: IO::Socket::SSL

• Search for Perl module: Net::SSLeay

Hopefully, you will be able to navigate from the results of each search directly to each module's homepage. On each of the four modules' homepages you will find a link to download the associated Perl module.

2. The next step is to un-tar and un-zip the downloaded Perl modules. In the directory where you saved the four downloaded modules, extract each archive in turn: for f in *.gz; do tar -zxvf "$f"; done. (A bare tar -zxvf *.gz does not work, because tar treats only the first file as the archive and the remaining names as members to extract from it.)

3. The final step is to build and install each of the four modules. Change into each of the newly created directories and issue the following commands as root.

1. perl Makefile.PL

2. make install

Step 3: Configure the schemas, directories, and keys needed by OpenLDAP

If you installed from an RPM and your Linux distribution is Fedora, then you should have a directory called /etc/openldap. In this directory is OpenLDAP's primary configuration file, slapd.conf. Before we begin editing this file, we perform some preliminary setup actions.

OpenLDAP needs to be made aware of Samba's LDAP schema. To do this we copy Samba's schema into /etc/openldap/schema.

1. Find Samba's schema. It should be located in the directory that Samba was installed in. To find it type: locate samba.schema.

2. Copy it into /etc/openldap/schema.

3. Set the correct permissions. Type: chmod 644 /etc/openldap/schema/samba.schema.

Create the directory for our LDAP database. In this tutorial, we give this directory the same name as our domain name.

1. Type: mkdir -p /var/lib/ldap/somedomain.com.

2. Set the correct permissions: chmod 700 /var/lib/ldap/somedomain.com.

3. Set the correct ownership. Fedora users should already have the user ldap defined in /etc/passwd. If you are installing on a different distribution you may need to create that user. Type: chown ldap:ldap /var/lib/ldap/somedomain.com.

Finally, we create the encryption keys that OpenLDAP uses for TLS. To do this you need OpenSSL. The vast majority of Linux distributions ship with OpenSSL; however, if you do not have it installed, get a copy from your vendor or http://www.openssl.org/.

This tutorial assumes that the user will not be using a commercial certificate authority (CA) such as Verisign, Thawte, etc. As such, we will need to become our own CA and sign the certificates used by our LDAP server. The steps below demonstrate how to become a CA and sign certificates.

1. If you haven't already done so, edit openssl.cnf to match your particular needs. To find the openssl.cnf file, type: locate openssl.cnf.

2. In the same directory as openssl.cnf, issue the following commands as root.
Listing 1. Steps to become a CA

mkdir -p CA/certs CA/crl CA/newcerts CA/private
chmod 700 CA/private
touch CA/index.txt
echo 01 > CA/serial

3. Open openssl.cnf in your favorite editor and change the following parameters to match your particular situation.
Listing 2. Parameters to change in openssl.cnf

# The dir parameter is important because it tells
# openssl where to find all necessary files used to
# generate keys.
dir = ./
# default_days defines the length of time your key is valid for.
default_days = 3650
# default_bits is an indicator of the strength of your key. I elected
# 1024 but you can choose more or less.
default_bits = 1024
# The following parameters should be modified to fit your
# organization.
countryName_default = US
stateOrProvinceName_default = North Carolina
localityName_default = Raleigh
0.organizationName_default = somedomain.com

Note: default_days is the validity that openssl ca assigns to the certificates it signs; the CA certificate itself gets its lifetime from the -days option in the next step. Also, 1024-bit RSA keys are no longer considered adequate, so use default_bits = 2048 or larger for any key you generate today.

4. Create your CA certificate and key pair with the following command: openssl req -nodes -config openssl.cnf -new -x509 -keyout CA/private/cakey.pem -out CA/cacert.pem -days 3650.

5. Create the key pair for OpenLDAP with the following commands. When prompted for the Common Name, enter the host name that clients will use to reach the LDAP server, because certificate checking in the later TLS steps compares the certificate against that name.

1. openssl req -config openssl.cnf -nodes -new -keyout /etc/openldap/slapd-key.pem -out slapd.csr

2. openssl ca -config openssl.cnf -out /etc/openldap/slapd-cert.pem -in slapd.csr

3. chown root:ldap /etc/openldap/slapd-key.pem

4. chmod 640 /etc/openldap/slapd-key.pem

5. chmod 644 /etc/openldap/slapd-cert.pem

The -nodes option leaves the private key unencrypted so that slapd can start unattended; the ownership and mode set by the last three commands are therefore the only protection the key has, so verify them before starting the server.

6. Copy your CA's certificate to the openldap configuration directory so that various applications can access it.

1. cp CA/cacert.pem /etc/openldap/

2. chmod 644 /etc/openldap/cacert.pem

Step 4: Configure slapd.conf

The executable supplied by OpenLDAP that corresponds to an actual LDAP server is called slapd. The slapd daemon reads all of its configuration information from slapd.conf. In this section, I provide a sample slapd.conf that is annotated with comments. You must change all sections denoted by a "# MODIFY" comment to fit your particular situation. One thing to keep in mind when reading the access control entries at the end of the file: slapd evaluates them in order. The first access to clause whose target covers the requested entry or attribute decides, and within that clause the first by selector that matches the requester sets the access level, so a later, more permissive clause never overrides an earlier one.

Before we begin editing, generate a password hash for the rootdn. This is the password that you must use to make changes to your LDAP server's directory information tree.


Note: Choose a password that is different from your Linux server's root password.

1. From the command line type: slappasswd -h {SSHA} -s <your password here>. (Passing the password with -s leaves it in your shell history and visible to other users through ps while the command runs; if you omit -s, slappasswd prompts for the password instead.)

2. Save the output from this command, as you will need it next. It could look like: {SSHA}kCuJt72QLJ2O06nFUvdre97sHT0AxlH/.

If you installed a binary version of OpenLDAP on Fedora, slapd.conf should exist as /etc/openldap/slapd.conf. Modify it to suit your particular situation.

The contents of /etc/openldap/slapd.conf look like this:

Listing 3. Contents of slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

# -1 is all messages; 296 is a good compromise for most debugging
#loglevel -1
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

# The following three lines are related to security. Leave them commented out now.
# We uncomment them and enable security *after* we have successfully tested Samba with
# LDAP in an unsecured configuration. Debugging is infinitely easier without encryption
# enabled.
#TLSCipherSuite HIGH
#TLSCertificateFile /etc/openldap/slapd-cert.pem
#TLSCertificateKeyFile /etc/openldap/slapd-key.pem

database bdb
# MODIFY
# Modify suffix and rootdn to match your domain name.
suffix "dc=somedomain,dc=com"
rootdn "cn=Manager,dc=somedomain,dc=com"

# MODIFY
# Use the following to generate:
# slappasswd -h {SSHA} -s <your password here>
rootpw {SSHA}kCuJt72QLJ2O06nFUvdre97sHT0AxlH/

# MODIFY
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended with an owner of ldap and a group of ldap
directory /var/lib/ldap/somedomain.com

# Indices to maintain for this database
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

# Access Control Entries
# Note these ACEs are duplicated from the IDEALX smbldap user manual with one exception.
# Users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
    by dn="uid=samba,ou=Users,dc=somedomain,dc=com" write
    by self write
    by anonymous auth
    by * none

# Some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
    by dn="uid=samba,ou=Users,dc=somedomain,dc=com" write
    by * read

# Some attributes can be writable by users themselves
access to attrs=description,telephoneNumber
    by dn="uid=samba,ou=Users,dc=somedomain,dc=com" write
    by self write
    by * read

# Some attributes need to be writable for Samba (this ACE modified from the original to allow
# some UNIX commands to work)
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,loginShell
    by dn="uid=samba,ou=Users,dc=somedomain,dc=com" write
    by self read
    by * none

# Samba needs to be able to create the Samba domain account
access to dn.base="dc=somedomain,dc=com"
    by dn="uid=samba,ou=Users,dc=somedomain,dc=com" write
    by * none

# Samba needs to be able to create new user accounts
access to dn="ou=Users,dc=somedomain,dc=com"
    by dn="uid=samba,ou=Users,dc=somedomain,dc=com" write
    by * none

# Samba needs to be able to create new group accounts
access to dn="ou=Groups,dc=somedomain,dc=com"
    by dn="uid=samba,ou=Users,dc=somedomain,dc=com" write
    by * none

# Samba needs to be able to create new computer accounts
access to dn="ou=Computers,dc=somedomain,dc=com"
    by dn="uid=samba,ou=Users,dc=somedomain,dc=com" write
    by * none

# This can be omitted but we leave it: there could be other branches
# in the directory
access to *
    by self read
    by * none
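The following is an added example, not code from the tutorial, IDEALX or OpenLDAP: a small Python model of how slapd walks an access list, applied to a constructed subset of the clauses above. It handles only the selectors Listing 3 uses ('*', 'anonymous', 'self', dn="...", plus 'users'), treats dn= as an exact match and compares DNs as case-insensitive strings; all of those are simplifications of what slapd does. What it does reproduce is the first-match rule: the first access to clause whose target covers the attribute decides, and within it the first matching by selector sets the level, with 'none' if nothing matches.

```python
"""Toy model of slapd's access-list evaluation, applied to a subset of Listing 3.

Added example; not code from the tutorial, IDEALX or OpenLDAP. Models the
first-match rule: the first 'access to' clause whose target covers the
attribute decides, and within it the first 'by' selector that matches the
requester sets the level; an unmatched clause (or no clause) means 'none'.
Simplifications: only '*', 'anonymous', 'users', 'self' and dn="..." selectors,
dn= taken as an exact match, DNs compared as case-insensitive strings.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Access levels in increasing order of privilege.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

SAMBA_DN = "uid=samba,ou=Users,dc=somedomain,dc=com"

# Constructed subset of Listing 3: same clauses in the same order, fewer attributes.
ACL_TEXT = f"""
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn="{SAMBA_DN}" write
    by self write
    by anonymous auth
    by * none

# some attributes need to be readable anonymously so that 'id user' works
access to attrs=objectClass,entry,uid,uidNumber,gidNumber,cn,memberUid
    by dn="{SAMBA_DN}" write
    by * read

# anything not listed above: only the entry's owner may read it
access to *
    by self read
    by * none
"""


@dataclass
class Clause:
    attrs: Optional[Set[str]]                                # None means the target is '*'
    by: List[Tuple[str, str]] = field(default_factory=list)  # (who, level) in file order


def parse_acl(text: str) -> List[Clause]:
    clauses: List[Clause] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to "):
            target = line[len("access to "):].strip()
            if target == "*":
                clauses.append(Clause(None))
            elif target.startswith("attrs="):
                names = target[len("attrs="):].split(",")
                clauses.append(Clause({n.strip().lower() for n in names}))
            else:
                raise ValueError("target not modelled here: " + target)
        elif line.startswith("by "):
            who, level = line[len("by "):].rsplit(None, 1)
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            clauses[-1].by.append((who, level))
    return clauses


def who_matches(who: str, requester: Optional[str], target_dn: str) -> bool:
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    m = re.fullmatch(r'dn="([^"]*)"', who)
    if m:
        return requester is not None and requester.lower() == m.group(1).lower()
    raise ValueError("selector not modelled here: " + who)


def access_level(clauses: List[Clause], requester: Optional[str], target_dn: str, attr: str) -> str:
    """Level the requester gets on one attribute of target_dn, by first match."""
    attr = attr.lower()
    for clause in clauses:
        if clause.attrs is None or attr in clause.attrs:
            for who, level in clause.by:
                if who_matches(who, requester, target_dn):
                    return level
            return "none"   # clause matched but no 'by' did: implicit 'by * none'
    return "none"           # no clause matched: implicit 'access to * by * none'


def allows(clauses: List[Clause], requester: Optional[str], target_dn: str, attr: str, needed: str) -> bool:
    """True if the granted level is at least 'needed' (levels are cumulative)."""
    return LEVELS.index(access_level(clauses, requester, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    alice = "uid=alice,ou=Users,dc=somedomain,dc=com"
    bob = "uid=bob,ou=Users,dc=somedomain,dc=com"
    for label, who in [("anonymous", None), ("alice (self)", alice), ("bob", bob), ("samba", SAMBA_DN)]:
        levels = [access_level(acl, who, alice, a) for a in ("userPassword", "uid", "mail")]
        print(f"{label:13} userPassword={levels[0]:6} uid={levels[1]:6} mail={levels[2]}")
```

Running it shows why the ordering matters: anonymous gets auth on userPassword (enough to bind, not enough to read the hash), any requester gets read on uid and cn because the second clause grants by * read before any later clause is consulted, and an attribute not named anywhere falls through to the catch-all, readable only by the entry's owner.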

Step 5: Configure /etc/ldap.conf

The /etc/ldap.conf file is used by LDAP clients on the local system. The clients that matter here are the nss_ldap and pam_ldap modules: Samba reads its own account data through the ldapsam backend configured in smb.conf, but it still resolves the underlying UNIX users and groups through the C library (getpwnam, getgrnam), and those lookups go through nss_ldap and this file.


Sometimes there are multiple instances of ldap.conf on your system. Locate the one that PAM has been configured to use. To do this type: strings /lib/libnss_ldap.so.2 | grep conf. Usually, the returned value is /etc/ldap.conf.

Edit ldap.conf in your favorite editor and insert the following text. Modify the sections denoted with a "# MODIFY" comment.

The contents of /etc/ldap.conf look like this:

Listing 4. Contents of /etc/ldap.conf

## IMPORTANT
## The /etc/ldap.conf file is used by PAM. There is another ldap.conf file in
## /etc/openldap.
## The file, /etc/openldap/ldap.conf, is used by ldap tools, such as ldapsearch.
## If you intend to use those tools you will need to add a TLS_CACERT directive to that
## file also.

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space.
host 127.0.0.1

# MODIFY
# The distinguished name of the search base.
base dc=somedomain,dc=com

# MODIFY
# The distinguished name to bind to the server with.
# We will use the root dn until we can create a lesser privileged user.
binddn cn=Manager,dc=somedomain,dc=com
bindpw <use the password you created for Manager in "Step 4: Configure slapd.conf">

# MODIFY
# Note: "ou=Users" and "ou=Groups" should match what
# you entered in smb.conf for "ldap user suffix"
# and "ldap group suffix"
nss_base_passwd ou=Users,dc=somedomain,dc=com?one
nss_base_passwd ou=Computers,dc=somedomain,dc=com?one
nss_base_shadow ou=Users,dc=somedomain,dc=com?one
nss_base_group ou=Groups,dc=somedomain,dc=com?one

ssl no
pam_password md5
# We need to tell PAM where the certificate used to authenticate the LDAP
# server is (i.e. is the LDAP server the one we think it is).
tls_cacertfile /etc/openldap/cacert.pem

# If you experience difficulty authenticating after enabling TLS, try uncommenting
# the next line. You will know that you are having problems if you
# issue "getent group" and do not see any of the MS Windows groups
# that have been created in your LDAP database.
# tls_checkpeer no

Two points about the last block. tls_checkpeer no turns off verification of the server's certificate: the session is still encrypted, but nothing stops an attacker who can redirect the traffic from presenting their own certificate and collecting the bind passwords, so use it only while diagnosing certificate problems and re-enable checking afterwards. Also, nss_ldap reads this file from every process that resolves a user or group, so the file has to be world-readable; the bindpw stored here is therefore visible to every local account. That is the reason for replacing the rootdn with a less privileged bind account (or using rootbinddn, which makes nss_ldap and pam_ldap read the password from the root-only /etc/ldap.secret) before the server leaves the lab.
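As an added check (this example is not from the tutorial), the script below parses an ldap.conf in the "directive value" form used above and flags the settings the later TLS section is meant to eliminate. The three configurations embedded in it are constructed: one mirrors Listing 4 against a loopback server, one points the same settings at a remote host with peer checking turned off, and one shows a hardened end state that uses rootbinddn so that no password sits in this file. The finding codes are this example's own.

```python
"""Security lint for the pam_ldap/nss_ldap directives in an /etc/ldap.conf.

Added example, not part of the tutorial. The finding codes are this example's
own; the three configurations are constructed for illustration.
"""
from typing import Dict, List

LOCAL_HOSTS = {"127.0.0.1", "::1", "localhost"}
TLS_ON = {"start_tls", "yes", "on"}   # 'ssl' values under which pam_ldap/nss_ldap encrypt

# Mirrors Listing 4: loopback server, rootdn credentials stored in the file.
LOOPBACK_CONF = """
host 127.0.0.1
base dc=somedomain,dc=com
binddn cn=Manager,dc=somedomain,dc=com
bindpw Manager-secret
nss_base_passwd ou=Users,dc=somedomain,dc=com?one
ssl no
pam_password md5
tls_cacertfile /etc/openldap/cacert.pem
"""

# The same settings pointed at a remote server, with the troubleshooting
# line from Listing 4 left active.
REMOTE_CONF = LOOPBACK_CONF.replace("host 127.0.0.1", "host 192.0.2.10") + "tls_checkpeer no\n"

# Hardened end state: TLS on, peer checked, password kept out of this file.
HARDENED_CONF = """
host ldap.somedomain.com
base dc=somedomain,dc=com
rootbinddn cn=Manager,dc=somedomain,dc=com
nss_base_passwd ou=Users,dc=somedomain,dc=com?one
ssl start_tls
pam_password md5
tls_cacertfile /etc/openldap/cacert.pem
tls_checkpeer yes
"""


def parse_ldap_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive (lower-cased) to its values, keeping repeats in order."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def lint_ldap_conf(text: str, rootdn: str) -> List[str]:
    """Return finding codes for the file text; rootdn is the slapd.conf rootdn."""
    conf = parse_ldap_conf(text)

    def first(key: str, default: str = "") -> str:
        return conf.get(key, [default])[0].lower()

    findings: List[str] = []
    hosts = " ".join(conf.get("host", [])).split()
    remote = any(h.lower() not in LOCAL_HOSTS for h in hosts)
    if remote and first("ssl", "no") not in TLS_ON:
        findings.append("PLAINTEXT_REMOTE")    # bind passwords cross the network in the clear
    if first("tls_checkpeer") == "no":
        findings.append("NO_PEER_CHECK")       # encrypted, but to whoever answers
    if first("binddn") == rootdn.lower():
        findings.append("ROOTDN_BIND")         # every lookup runs as the directory superuser
    if "bindpw" in conf:
        findings.append("BINDPW_IN_FILE")      # nss_ldap needs this file world-readable
    return findings


if __name__ == "__main__":
    ROOTDN = "cn=Manager,dc=somedomain,dc=com"
    for name, text in [("loopback", LOOPBACK_CONF), ("remote", REMOTE_CONF), ("hardened", HARDENED_CONF)]:
        print(f"{name:9} {lint_ldap_conf(text, ROOTDN) or 'clean'}")
```

The loopback case reports only the credential findings, which matches the tutorial's reasoning that encryption adds little on the same host; moving the same file to a remote server adds the two transport findings, and the hardened file is clean.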

Step 6: Configure PAM

Configuring PAM can be tricky. As such, I prefer to use the utility provided by my Linux vendor to do all of the dirty work for me. Fedora provides a command line utility called authconfig that knows how to modify all of PAM's configuration files. Other Linux vendors have similar configuration utilities, so consult the documentation if you're not using Fedora.

1. Launch authconfig from the command line. Type: authconfig.

2. Edit the first screen as shown.
Figure 2. authconfig screen 1

3. Edit the second screen as shown.
Figure 3. authconfig screen 2

Step 7: Start OpenLDAP

Now it is time to start our LDAP server. Fedora users who installed from a binary RPM should be able to execute the following command: /etc/init.d/ldap start.


Section 4. Configuring Samba

Now let's turn our attention to Samba -- installation, creating directories, and configuration.

Step 1: Installing Samba

To install Samba:

1. Check to see if your distribution already has Samba installed. Issue the following command at a terminal: rpm -qa | grep samba. If you do not get a response of samba-3.0.14 or greater, then you should either upgrade or install anew (which is described next).

2. If you do not have Samba version 3.0.14 or greater, go to Samba's homepage and download a binary package for your particular Linux distribution. The Samba suite is divided into four separate RPMs, all of which are extremely useful, and I recommend you install them all. However, if you are a minimalist, you should install the samba and samba-common packages only. Download the samba RPMs that you want and install them with the following command: rpm -Uvh samba*.

Step 2: Create the requisite directories

We need to create some directories that Samba uses for runtime data.

1. mkdir -p /var/lib/samba/netlogon/scripts/ /var/lib/samba/printing/

2. chmod -R 755 /var/lib/samba/netlogon /var/lib/samba/printing

Step 3: Configure smb.conf

If you installed a binary version of Samba on Fedora, you should have a configuration directory called /etc/samba. This directory contains various files that are used by Samba's two daemons (smbd and nmbd). Samba's primary configuration file, smb.conf, is located in this directory. We change this file to reflect our Microsoft Windows network and we add hooks to make Samba aware of the LDAP backend. The file is shown below with comments.

Change all sections denoted by a "# MODIFY" comment to fit your particular situation. Also, all of the directives in this configuration file are described in the Samba manual. You can view it by typing man smb.conf.

The contents of /etc/samba/smb.conf look like this:

Listing 5. Contents of /etc/samba/smb.conf

# Global parameters
[global]
# MODIFY
workgroup = BIGTIME
# MODIFY
netbios name = linus
# MODIFY
server string = Linus Samba Server
passdb backend = ldapsam:ldap://127.0.0.1/
# By default run with minimal logging. However, if you need to debug,
# 5 is a fairly verbose logging level.
#log level = 5
log file = /var/log/samba/log.%m
max log size = 50
time server = Yes
add user script = /var/lib/samba/sbin/smbldap-useradd -a '%u'
delete user script = /var/lib/samba/sbin/smbldap-userdel '%u'
add group script = /var/lib/samba/sbin/smbldap-groupadd -p '%g'
delete group script = /var/lib/samba/sbin/smbldap-groupdel '%g'
add user to group script = /var/lib/samba/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /var/lib/samba/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /var/lib/samba/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /var/lib/samba/sbin/smbldap-useradd -w '%u'
# Personally, I do not like roaming profiles because they take up too
# much space on my server. As such, I disable roaming profiles by
# setting the following two variables to null
logon path =
logon home =
logon drive = H:
domain logons = Yes
preferred master = Yes
domain master = Yes
wins support = Yes
# MODIFY
ldap admin dn = cn=Manager,dc=somedomain,dc=com
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
# MODIFY
ldap suffix = dc=somedomain,dc=com
ldap user suffix = ou=Users
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000

[netlogon]
path = /var/lib/samba/netlogon/scripts
browseable = No
# Runs as root on every connection to this share; the script validates %U and %I itself.
root preexec = /var/lib/samba/netlogon/scripts/logon.pl %U %I

# The next three blocks define the shared drives that we will be exposing. They are all
# nearly identical. The important thing to note is that all files on these drives are
# readable and writeable by any user in that group.
# MODIFY
[marketing]
comment = Marketing material
path = /home/marketing
# Any files written to this drive will have this user group. Since this is a
# *shared* drive all users should have permission to read/write/remove any file.
# If you do not agree you will probably want to remove the "force group" line
force group = marketing
read only = No
create mask = 0770
directory mask = 0770
browseable = No

# MODIFY
[engineering]
comment = Engineering material
path = /home/engineering
# Any files written to this drive will have this user group. Since this is a
# *shared* drive all users should have permission to read/write/remove any file.
# If you do not agree you will probably want to remove the "force group" line
force group = engineering
read only = No
create mask = 0770
directory mask = 0770
browseable = No

# MODIFY
[management]
comment = Management Data
path = /home/management
# Any files written to this drive will have this user group. Since this is a
# *shared* drive all users should have permission to read/write/remove any file.
# If you do not agree you will probably want to remove the "force group" line
force group = management
read only = No
create mask = 0770
directory mask = 0770

Step 4: Set Samba's password for accessing the LDAP database

Samba needs to know the rootdn's password so that it can both read and write its entries within the LDAP server. Execute the following command to give Samba this password. You should use the same password as in Step 4: Configure slapd.conf: smbpasswd -w <your password here>. Keep in mind that the rootdn is exempt from every access to clause in slapd.conf, so the entries granting uid=samba write access only take effect once ldap admin dn here (and binddn in /etc/ldap.conf) are switched to that less privileged account.

Samba should respond as follows: Setting stored password for "cn=Manager,dc=somedomain,dc=com" in secrets.tdb. That file now holds the directory's administrative credential, so confirm that secrets.tdb in Samba's private directory is owned by root and readable only by root.

Step 5: Install the Logon Profile Generator


Our Samba server is configured to be a Microsoft Windows domain controller and, as such, it can control what actions a Windows client takes when it logs on to our domain. These actions can include things like retrieving a stored roaming profile, mounting drives, and synchronizing with a time server.

Our Samba server does not store roaming profiles because these can take up quite a bit of space; however, we force each Microsoft Windows client that logs in to our domain to mount drives and synchronize with a time server.

In this step we create a Perl script that generates a Windows batch file that is executed each time a user logs in to the BIGTIME domain. The batch file causes the user's Windows machine to automatically mount the drives that their security profile grants them access to. This action is useful for large organizations with many common drives and a diverse security policy. The location and execution of this batch script are defined by two parameters in the netlogon section of smb.conf: path and root preexec. Note that root preexec runs the script as root on every logon, so the script must treat the user and machine names it is handed as untrusted input.

Perform these actions to install the Perl logon script:

1. cd /var/lib/samba/netlogon (the script itself lives here; the batch files it writes go into the scripts subdirectory, $NETLOGON_DIR in the listing)

2. Create a file called logon.pl and fill it with the contents shown below.

3. chmod 755 /var/lib/samba/netlogon/logon.pl

The contents of /var/lib/samba/netlogon/logon.pl look like:

Listing 6. Contents of Perl logon script

#!/usr/bin/perl
use strict;
use warnings;

# Files we create must be readable by the clients that fetch them from the
# read-only netlogon share: umask 022 gives mode 644 (-rw-r--r--).
umask(022);

my $NETLOGON_DIR = "/var/lib/samba/netlogon/scripts";
my $LOG_DIR      = "/var/log/samba";
my $SERVERNAME   = "linus";

## You will need to modify this hash to match your mountpoints. Each share
## gets its own drive letter; with the same letter everywhere, a user who
## belongs to several groups (boss, below) would have later NET USE lines
## replace the earlier ones.
my %MOUNTPOINTS = (
    "engineering" => "NET USE W: \\\\$SERVERNAME\\engineering /YES\r\n",
    "marketing"   => "NET USE X: \\\\$SERVERNAME\\marketing /YES\r\n",
    "management"  => "NET USE Y: \\\\$SERVERNAME\\management /YES\r\n",
);

## smbd runs this script as root (root preexec) with the user name and the
## client machine name as arguments. Both end up in a file name and in the
## log, so refuse anything that is not a plain name.
if (@ARGV != 2
    || $ARGV[0] =~ /[^A-Za-z0-9_-]/
    || $ARGV[1] =~ /[^A-Za-z0-9_.-]/) {
    exit(1);
}
my ($user, $machine) = @ARGV;

# Make sure that the user exists and log attempts with invalid IDs.
# getpwnam returns undef for an unknown user.
my $uid = getpwnam($user);
if (!defined $uid) {
    log_msg("Error: Unknown user $user logged into $SERVERNAME from $machine");
    exit(1);
}

# Log the logon attempt
log_msg("User $user logged into $SERVERNAME from $machine");

## Create a custom logon batch file. Windows expects CRLF line endings.
open(my $fh, '>', "$NETLOGON_DIR/$user.cmd")
    or die "Cannot write $NETLOGON_DIR/$user.cmd: $!";

# Turn echo off
print $fh "\@ECHO OFF\r\n";

# Synchronize time between Windows client and Linux server.
print $fh "NET TIME \\\\$SERVERNAME /SET /YES\r\n";

# Put a mount point in the file for every group the user is a member of.
foreach my $group (sort keys %MOUNTPOINTS) {
    print $fh $MOUNTPOINTS{$group} if isMember($user, $group);
}
close($fh);

# Appends a time-stamped line to the netlogon log.
sub log_msg {
    my ($msg) = @_;
    my $now = localtime;
    open(my $log, '>>', "$LOG_DIR/log.netlogon") or return;
    print $log "$now - $msg\n";
    close($log);
}

# Checks to see if the given user is a (supplementary) member of the given
# group, as resolved through NSS, i.e. from LDAP.
# Returns 1 if true and 0 otherwise; an unknown group counts as "not a member".
sub isMember {
    my ($user, $group) = @_;
    my ($name, $passwd, $gid, $members) = getgrnam($group);
    return 0 unless defined $members;
    for my $member (split /\s+/, $members) {
        return 1 if $user eq $member;
    }
    return 0;
}

Step 6: Start Samba

Now it is time to start our Samba server. Fedora users who installed from a binary RPM should be able to execute the following command: /etc/init.d/smb start. (The Fedora init script is called smb; Listing 14 uses the same name to restart it later.)

Step 7: Populate the LDAP database

Now it is time to populate the LDAP database with our Samba schema and some initial values. For this task use the handy IDEALX scripts. We begin by executing a configuration script, /var/lib/samba/sbin/configure.pl. The configuration script creates two files, smbldap_bind.conf and smbldap.conf, which contain important environment variables used by all of the scripts in the IDEALX toolkit. smbldap_bind.conf holds the bind DN and its password in clear text, which is why its permissions are tightened in step 6.

1. First type: cd /var/lib/samba/sbin/.

2. Edit smbldap_tools.pm and make the following changes to the variables smbldap_conf and smbldap_bind_conf.

• my $smbldap_conf = "/var/lib/samba/sbin/smbldap.conf";

• my $smbldap_bind_conf = "/var/lib/samba/sbin/smbldap_bind.conf";

3. Next, launch the configuration utility by typing: ./configure.pl

4. You will now be prompted with a series of questions, and I have provided a sample listing. In general, you should be able to simply press the return key in response to the queries; however, here are some important things to know.

• The password hash is case sensitive and should match the hash algorithm you specified in ldap.conf's pam_password variable (see Step 5: Configure /etc/ldap.conf). The default, SSHA, is the stronger choice because it is salted; the tutorial picks MD5 only so that it matches pam_password md5. If you keep SSHA, set pam_password exop instead, which makes PAM use the LDAP password-modify extended operation and lets slapd hash the password with its own password-hash setting.

• In this tutorial there is no LDAP slave server, so we will use the same information as for the master server.

• The bind password requested by this script is the same password you used for the rootdn in Step 4: Configure slapd.conf.

The output from the configure.pl script looks like:

Listing 7. Output from the Perl configure script

[root@linus sbin]# ./configure.pl
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/opt/IDEALX/smbldap-tools/] > /var/lib/samba/sbin
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...

. workgroup name: name of the domain Samba act as a PDC
  workgroup name [BIGTIME] >
. netbios name: netbios name of the samba controler
  netbios name [linus] >
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
  logon drive [H:] >
. logon home: home directory location (for Win95/98 or NT Workstation).
  (use %U as username) Ex:'\\linus\%U'
  logon home (press the "." character if you don't want homeDirectory) [\\linus\%U] > .
. logon path: directory where roaming profiles are stored. Ex:'\\linus\profiles\%U'
  logon path (press the "." character if you don't want roaming profile) [\\linus\profiles\%U] > .
. home directory prefix (use %U as username) [/home/%U] >
. default users' homeDirectory mode [700] >
. default user netlogon script (use %U as username) [%U.cmd] > ""
  default password validation time (time in days) [45] >
. ldap suffix [dc=somedomain,dc=com] >
. ldap group suffix [ou=Groups] >
. ldap user suffix [ou=Users] >
. ldap machine suffix [ou=Computers] >
. Idmap suffix [ou=Idmap] >
. sambaUnixIdPooldn: object where you want to store the next uidNumber and gidNumber available for new users and groups
  sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=BIGTIME] >
. ldap master server: IP adress or DNS name of the master (writable) ldap server
  ldap master server [127.0.0.1] >
. ldap master port [389] >
. ldap master bind dn [cn=Manager,dc=somedomain,dc=com] >
. ldap master bind password [] >
. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
  ldap slave server [127.0.0.1] >
. ldap slave port [389] >
. ldap slave bind dn [cn=Manager,dc=somedomain,dc=com] >
. ldap slave bind password [] >
. ldap tls support (1/0) [0] > 1
. How to verify the server's certificate (none, optional or require) [require] >
. CA certificate file [/var/lib/samba/sbin//ca.pem] > /etc/openldap/cacerts/cacert.pem
. certificate to use to connect to the ldap server [/var/lib/samba/sbin//smbldap-tools.pem] >
. key certificate to use to connect to the ldap server [/var/lib/samba/sbin//smbldap-tools.key] >
. SID for domain BIGTIME: SID of the domain (can be obtained with 'net getlocalsid linus')
  SID for domain BIGTIME [S-1-5-21-1030832020-2822878261-2997333186] >
. unix password encryption: encryption used for unix passwords
  unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5
. default user gidNumber [513] >
. default computer gidNumber [515] >
. default login shell [/bin/bash] >
. default skeleton directory [/etc/skel] >
. default domain name to append to mail adress [] > somedomain.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
backup old configuration files:
  /var/lib/samba/sbin/smbldap.conf->/var/lib/samba/sbin/smbldap.conf.old
  /var/lib/samba/sbin/smbldap_bind.conf->/var/lib/samba/sbin/smbldap_bind.conf.old
writing new configuration file:
  /var/lib/samba/sbin/smbldap.conf done.
  /var/lib/samba/sbin/smbldap_bind.conf done.

5. For those of you who do not want password expiration enabled, I will demonstrate how to disable it. Edit smbldap.conf and comment out the following line: defaultMaxPasswordAge="45".

6. Execute the following three commands to set the proper permissions andownership:

1. chown root:root smbldap.conf smbldap_bind.conf

2. chmod 644 smbldap.conf

3. chmod 600 smbldap_bind.conf

7. Now it is time to initialize our Samba schema in the LDAP database. We will execute the IDEALX script, smbldap-populate, which will create a domain administrator, some necessary groups, and various other important schema elements. When you execute this script you may notice warnings about uninitialized variables. If you do not want to see these warnings you can edit all of the IDEALX scripts and replace all instances of "#!/usr/bin/perl -w" with "#!/usr/bin/perl". The following code is sample output from smbldap-populate. (Note: smbldap-populate may prompt you for a password for the domain administrator, which by default is named root. Give this user a password that is different from the one used for the rootdn in Step 4: Configure slapd.conf and different from your Linux machine's root password; this is the account you will type into every workstation when you join it to the domain in Step 10.)

Listing 8. Executing the IDEALX script, smbldap-populate

[root@linus sbin]# ./smbldap-populate
Populating LDAP directory for domain BIGTIME (S-1-5-21-1030832020-2822878261-2997333186)
(using builtin directory structure)

LDAP config host: 127.0.0.1 port: 389 version: 3 timeout: 60
adding new entry: dc=somedomain,dc=com
adding new entry: ou=Users,dc=somedomain,dc=com
adding new entry: ou=Groups,dc=somedomain,dc=com
adding new entry: ou=Computers,dc=somedomain,dc=com
adding new entry: uid=root,ou=Users,dc=somedomain,dc=com
adding new entry: uid=nobody,ou=Users,dc=somedomain,dc=com
adding new entry: cn=Domain Admins,ou=Groups,dc=somedomain,dc=com
adding new entry: cn=Domain Users,ou=Groups,dc=somedomain,dc=com
adding new entry: cn=Domain Guests,ou=Groups,dc=somedomain,dc=com
adding new entry: cn=Domain Computers,ou=Groups,dc=somedomain,dc=com
adding new entry: cn=Administrators,ou=Groups,dc=somedomain,dc=com
adding new entry: cn=Account Operators,ou=Groups,dc=somedomain,dc=com
adding new entry: cn=Print Operators,ou=Groups,dc=somedomain,dc=com
adding new entry: cn=Backup Operators,ou=Groups,dc=somedomain,dc=com
adding new entry: cn=Replicators,ou=Groups,dc=somedomain,dc=com
adding new entry: cn=NextFreeUnixId,dc=somedomain,dc=com

Please provide a password for the domain root:
LDAP config host: 127.0.0.1 port: 389 version: 3 timeout: 60
Changing password for root
New password :
Retype new password :

Step 8: Create the shared drives

To create a shared drive for each of our three user groups (engineering, marketing, and management) we use the smbldap-groupadd and smbldap-useradd utilities. The first creates the UNIX group in LDAP that we use later to grant ordinary users permissions to the shared drive; the second creates a user of the same name whose home directory in /home (created by -m) serves as the shared drive. Execute the following commands as root:

Listing 9. Creating UNIX group for permissions to shared drive

cd /var/lib/samba/sbin
./smbldap-groupadd engineering
./smbldap-groupadd marketing
./smbldap-groupadd management
./smbldap-useradd -s /sbin/nologin -m -g engineering engineering
./smbldap-useradd -s /sbin/nologin -m -g marketing marketing
./smbldap-useradd -s /sbin/nologin -m -g management management

Note: The option "-s /sbin/nologin" is a security measure used to prevent someone from logging into your Linux box with one of the three IDs. Also check the mode of the directories just created (ls -ld /home/engineering /home/marketing /home/management): smbldap-useradd -m applies the homeDirectory mode you accepted in configure.pl, 700 by default, which gives the group no access at all even though the shares defined in smb.conf rely on force group. chmod 2770 on each directory lets the group in while keeping everyone else out.
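The share definitions in smb.conf assume that the directory behind each share is owned by, and writable for, the forced group. The check below is an added example written for this page (it is not code from the tutorial, Samba or smbldap-tools): it reads the [share] sections out of an smb.conf text, resolves each force group through NSS, which also exercises the LDAP lookup, and reports directories whose group ownership or mode would lock the group out or let every local account in. All function names are this example's own, and lookup_gid is a hook so the check can be run against constructed input.

```python
import grp
import os
import stat

# Sections smbd treats specially; everything else is taken to be a file share.
SKIP_SECTIONS = {"global", "netlogon", "homes", "printers", "print$"}


def parse_shares(smb_conf_text):
    """Return {share: {option: value}} for each share section of an smb.conf text.
    Option names are lowercased and de-spaced ('force group' -> 'forcegroup'),
    which is how smbd compares parameter names. smb.conf only has whole-line
    comments (# or ;), so a '#' inside a value is kept."""
    sections, current = {}, None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower().replace(" ", "")] = value.strip()
    return {name: opts for name, opts in sections.items()
            if name.lower() not in SKIP_SECTIONS}


def _nss_gid(name):
    """Resolve a group name the way smbd does: through NSS (here backed by LDAP)."""
    return grp.getgrnam(name).gr_gid


def check_share_dir(path, group, lookup_gid=_nss_gid):
    """Problems (an empty list means OK) with one 'force group' share directory.
    smbd opens the path with the connecting user's uid and the forced gid, so the
    directory must be owned by that group and grant it rwx."""
    try:
        gid = lookup_gid(group)
    except KeyError:
        return ["force group %r does not resolve through NSS/LDAP" % group]
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["path %s does not exist" % path]
    mode, problems = stat.S_IMODE(st.st_mode), []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("%s is not a directory" % path)
    if st.st_gid != gid:
        problems.append("%s is owned by gid %d, not %s (%d): the group permission "
                        "bits do not apply to the forced group" % (path, st.st_gid, group, gid))
    elif (mode & 0o070) != 0o070:
        problems.append("%s mode %s denies group rwx, so members of %s are locked out"
                        % (path, oct(mode), group))
    if mode & 0o007:
        problems.append("%s mode %s is accessible to every local account, not just %s"
                        % (path, oct(mode), group))
    return problems


def check_smb_conf(smb_conf_text, lookup_gid=_nss_gid):
    """Run check_share_dir over every share that sets both 'path' and 'force group'."""
    return {share: check_share_dir(opts["path"], opts["forcegroup"], lookup_gid)
            for share, opts in parse_shares(smb_conf_text).items()
            if "path" in opts and "forcegroup" in opts}


if __name__ == "__main__":
    with open("/etc/samba/smb.conf") as conf:
        for share, problems in check_smb_conf(conf.read()).items():
            print("[%s] %s" % (share, "OK" if not problems else "; ".join(problems)))
```

Run it as root on the PDC after Step 8. For a directory reported as locked out, the fix is chgrp to the share's force group followed by chmod 2770; the check should then come back clean and groups members not in that group should still get "access denied" from the Windows side.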

Step 9a: Add the PAM user

For security reasons, we will force PAM to connect to our LDAP server with a DN that is not the rootdn (cn=Manager,dc=somedomain,dc=com). A quick scan of the ldap.conf file we created in Step 5: Configure /etc/ldap.conf will show that PAM currently binds with a DN of cn=Manager,dc=somedomain,dc=com, which puts the directory's master password into a file that every process resolving users through NSS must be able to read. In this step we create a lesser privileged user (uid=samba,ou=Users,dc=somedomain,dc=com) for PAM and NSS to bind with.

Issue the following command to create the user samba: smbldap-useradd -s /bin/false -d /dev/null -P samba. When prompted for a password, give a unique password. When finished, update the binddn parameter in ldap.conf to uid=samba,ou=Users,dc=somedomain,dc=com and the bindpw parameter to the password you just gave. Because any local account can read that password from ldap.conf, the samba DN should be granted no more than the read access PAM and NSS need in slapd.conf's access directives.

Step 9b: Add some users

The next step is to add some users and assign each a security profile. This listidentifies users and their assigned group:

• Marketing group: catbert

• Management group: boss

• Engineering group: dilbert, wally

Next, we create the users on our Linux system. This requires a two-step process for each user:

1. Create the user ID on the system.

2. Set the Samba password.

By default the smbldap-useradd script creates only a POSIX account; the -a option adds the Samba (sambaSamAccount) attributes that make the entry a Windows domain user as well. We deliberately omit -m, so no home directory is created on the Linux system for these users. Issue the following commands as root:

Listing 10. Adding the domain users

cd /var/lib/samba/sbin
./smbldap-useradd -a -G "Domain Users",engineering dilbert
./smbldap-passwd dilbert
./smbldap-useradd -a -G "Domain Users",engineering wally
./smbldap-passwd wally
./smbldap-useradd -a -G "Domain Users",marketing catbert
./smbldap-passwd catbert
./smbldap-useradd -a -G "Domain Users",marketing,management,engineering boss
./smbldap-passwd boss

Step 10: Add Microsoft Windows workstations to your domain

For this step, visit each workstation you plan to grant access. (The following steps are for Microsoft Windows XP Professional, but they can be applied to other Microsoft Windows variants.)

Log on to each Windows workstation as administrator and perform the followingactions:

1. Go to the Control Panel and select System.

2. Select the Computer Name tab.

3. Click the button to rename this computer or join a domain.

4. A new window should appear. In this window, click the radio button for domain and enter BIGTIME as the domain. Click OK.

5. When prompted for a user ID and password, use root as the user ID and the password you gave in Step 7: Populate the LDAP database. You are prompted to reboot the workstation.

6. After rebooting, you will notice that the domain BIGTIME has been added to the Log on to: selection box. Before we can log on as one of the domain members we created in Step 9b: Add some users, we should decide where they fit in this workstation's local security hierarchy. In this tutorial, we will add all Domain Users in the BIGTIME domain to the Power Users local group on this workstation. (Power Users on Windows XP can install software and change system-wide settings, and members of that group can escalate to full administrator; if your users only need to run ordinary applications, add Domain Users to the local Users group instead.) Follow these steps:

1. From the logon screen, select the option for (this computer) from the Log on to: selection box.

2. Now log on as a user with administrative privileges for this workstation.

3. After logging in, select Start.

4. Select Control Panel.

5. Select Administrative Tools.

6. Select Computer Management.

7. Navigate to Local Users and Groups.

8. Click on Groups.

9. Click on Power Users.

10. Click the Add button and make sure the box From this Location contains BIGTIME.

11. Click the Advanced button.

12. Click Find Now.

13. You will be prompted for the domain administrator's id and password. Enter root and the password from Step 7: Populate the LDAP database.

14. Select Domain Users and click OK until you are returned to the Computer Management window.

7. Next, enter any of the users you configured (boss, wally, catbert, or dilbert) and log on to that workstation.

8. The workstation should automatically mount the drives that the user is allowed to access based on their security profile.

9. Repeat steps 1-6 on every workstation in your network.

Step 11: Quick review

You should now have a fully functioning Samba server acting as a MS Windows Primary Domain Controller if everything went smoothly. If everything did not go smoothly, you should stop and debug before we complicate matters by enabling encryption in the next section. I have listed some diagnostic tests that you can run to assist with debugging.

• Execute testparm /etc/samba/smb.conf. This will check your Samba server's configuration file for errors.

• A good test is to ensure that your Linux box can resolve the group IDs of the Windows users you created in Step 9b: Add some users (wally, dilbert, etc.). Execute groups wally. If you do not see engineering and Domain Users, you should verify that your modifications to ldap.conf are spelled correctly and match exactly with those in smb.conf and slapd.conf.

• Examine your LDAP database with JXplorer. JXplorer is a graphical LDAP database browser and it can assist you with understanding how Samba interacts with the database. For example, if you were successful adding computers, groups, or users, you should see them in your LDAP server's directory information tree.

• Look for problems in the logs. Examine Samba's logs in /var/log/samba and OpenLDAP's logs in /var/log/slapd.

Section 5. Enabling security

Wrapping this tutorial up by looking at security issues, I'll show you how to enable Transport Layer Security for OpenLDAP, PAM, and Samba, and how to test the configuration.

Step 1: Enable TLS for OpenLDAP

In this step, we will instruct our LDAP server to use the security certificates we generated in Step 3: Configure the schemas, directories, and keys needed by OpenLDAP. Simply open /etc/openldap/slapd.conf and uncomment the following three lines. While there, confirm that slapd-key.pem is readable only by the account slapd runs as (ls -l /etc/openldap/slapd-key.pem): anyone who can read that key can impersonate the server to every client you secure in this section.

Listing 11. Enabling TLS for OpenLDAP

TLSCipherSuite HIGH
TLSCertificateFile /etc/openldap/slapd-cert.pem
TLSCertificateKeyFile /etc/openldap/slapd-key.pem

Step 2: Enable TLS for PAM

Now we need to instruct PAM to communicate with the LDAP server over an encrypted connection. Fedora users can launch authconfig and let the tool do all of the dirty work. Alternatively, you can simply edit /etc/ldap.conf and add the line ssl start_tls.

Some people may experience difficulty getting PAM to communicate with their LDAP server after enabling TLS. If you are unable to see the Windows groups you created in your LDAP database with getent group, adding the line tls_checkpeer no at the end of your ldap.conf file will tell you whether certificate verification is the problem. Treat that as a diagnostic only: with tls_checkpeer no, PAM and NSS accept any certificate, so a host on the network path could impersonate your LDAP server and capture the bind password and every user lookup. Once the failure is confirmed, fix the real cause (usually tls_cacertfile pointing at the wrong file, or a server certificate that does not match the name given in the host line) and remove the line again.
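What ssl start_tls actually does, and what tls_checkpeer no gives up, is easiest to see on the wire. The probe below is an added example written for this page (not code from the tutorial, pam_ldap, OpenLDAP or smbldap-tools): it speaks just enough LDAP to send the StartTLS extended request, checks the server's extended response, and only then upgrades the socket to TLS with strict verification of the server's certificate against the CA file the clients are configured with. Function names are this example's own, and the responses it is exercised with are constructed, not captured from slapd.

```python
import socket
import ssl

# StartTLS is an LDAP extended operation (RFC 4511 section 4.14). The names below
# are this example's own; nothing here comes from pam_ldap, smbldap-tools or OpenLDAP.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
TAG_SEQUENCE, TAG_INTEGER, TAG_ENUMERATED, TAG_OCTET_STRING = 0x30, 0x02, 0x0A, 0x04
TAG_EXTENDED_REQUEST = 0x77   # [APPLICATION 23], constructed
TAG_EXTENDED_RESPONSE = 0x78  # [APPLICATION 24], constructed
TAG_REQUEST_NAME = 0x80       # [0] requestName inside ExtendedRequest


def _tlv(tag, value):
    """BER-encode one tag/length/value element (short or long definite length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + value


def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    op = _tlv(TAG_EXTENDED_REQUEST, _tlv(TAG_REQUEST_NAME, STARTTLS_OID))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, bytes([message_id])) + op)


def _read_tlv(buf, pos):
    """Decode the element starting at buf[pos]; return (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data):
    """Pick messageID, resultCode and diagnosticMessage out of an ExtendedResponse."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(body, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    tag, code, pos = _read_tlv(op, 0)          # resultCode (ENUMERATED)
    _, _matched_dn, pos = _read_tlv(op, pos)   # matchedDN, not needed here
    _, diag, _ = _read_tlv(op, pos)            # diagnosticMessage
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode("utf-8", "replace")}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("LDAP server closed the connection")
        buf += chunk
    return buf


def _recv_ldap_message(sock):
    """Read exactly one BER-framed LDAPMessage: the header, then the announced length."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)


def starttls_connect(host, port, cafile, timeout=10):
    """Plain TCP, then StartTLS, then a TLS socket whose certificate has been
    verified against cafile (chain and host name). That verification is exactly
    what 'tls_checkpeer no' in /etc/ldap.conf switches off."""
    ctx = ssl.create_default_context(cafile=cafile)
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        raw.sendall(build_starttls_request(1))
        resp = parse_extended_response(_recv_ldap_message(raw))
        if resp["message_id"] != 1 or resp["result_code"] != 0:
            raise RuntimeError("StartTLS refused: result %d %r"
                               % (resp["result_code"], resp["diagnostic"]))
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
```

Point it at your server with starttls_connect("127.0.0.1", 389, "/etc/openldap/cacert.pem"). A server that has no TLS configured answers with a non-zero resultCode and the probe refuses to continue in the clear; a certificate the CA file does not vouch for, or one issued for a different name, raises ssl.SSLCertVerificationError, which is precisely the failure that tls_checkpeer no would hide.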

This is a screen shot depicting TLS being enabled through authconfig.

Figure 4. LDAP Authentication over TLS in authconfig

Here is a listing of ldap.conf with TLS enabled.

Listing 12. ldap.conf with TLS enabled

## IMPORTANT
## The /etc/ldap.conf file is used by PAM. There is another ldap.conf file in
## /etc/openldap.
## The file, /etc/openldap/ldap.conf, is used by ldap tools, such as ldapsearch.
## If you intend to use those tools you will need to add a TLS_CACERT directive to that
## file also.

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space.
host 127.0.0.1

# MODIFY
# The distinguished name of the search base.
base dc=somedomain,dc=com

# MODIFY
# The distinguished name to bind to the server with.
# We will not be using the root dn. Instead we will create
# lesser privileged user.
binddn uid=samba,ou=Users,dc=somedomain,dc=com
bindpw <your password here>

# MODIFY
# Note: "ou=Users" and "ou=Groups" should match what
# you entered in smb.conf for "ldap group suffix"
# and "ldap user suffix"
nss_base_passwd ou=Users,dc=somedomain,dc=com?one
nss_base_passwd ou=Computers,dc=somedomain,dc=com?one
nss_base_shadow ou=Users,dc=somedomain,dc=com?one
nss_base_group ou=Groups,dc=somedomain,dc=com?one

ssl start_tls
pam_password md5
# We need to tell PAM where the certificate used to authenticate the LDAP
# server (i.e. is the LDAP server the one we think it is).
tls_cacertfile /etc/openldap/cacert.pem

# If you experience difficulty authenticating after enabling TLS, try uncommenting
# the next line. You will know that you are having problems if you
# issue "getent group" and do not see any of the MS Windows groups
# that have been created in your LDAP database. Leave it commented out once
# the problem is found: it disables verification of the server's certificate.
#tls_checkpeer no

Step 3: Enable TLS for Samba

Finally, we will enable the IDEALX scripts, which provision users, groups and machines on Samba's behalf, to communicate with the LDAP server over TLS. Make the following modifications to /var/lib/samba/sbin/smbldap.conf. Note that smbldap.conf governs only those scripts; smbd's own connection to slapd is controlled by the ldap ssl parameter in smb.conf (ldap ssl = start tls), so check that setting as well.

Listing 13. Getting Samba to talk to LDAP server via TLS

# Set this variable to 1 to enable TLS
ldapTLS="1"
# Require that the client (i.e. samba) verify the authenticity of the LDAP server
verify="require"
# You should have already created this certificate during the LDAP configuration phase.
cafile="/etc/openldap/slapd-cert.pem"

You may have noticed that there are other options in the smbldap.conf file for authentication, clientcert and clientkey. These two options allow the LDAP server to authenticate the client with a certificate of its own (mutual TLS); they are not needed here, where the scripts authenticate by binding with the rootdn password. Note also that cafile must name the certificate that signed slapd's certificate, or the self-signed server certificate itself; use the same file you gave tls_cacertfile in ldap.conf so that every client trusts the same issuer.

Step 4: Test the configuration

Now it is time to test the secured configuration, but first restart the LDAP server and the Samba server so that they pick up the new settings. Execute:

Listing 14. To test, restart LDAP and Samba servers

/etc/init.d/ldap restart
/etc/init.d/smb restart

To test TLS between the IDEALX scripts, Samba, and the LDAP server, try the following:

1. Execute /var/lib/samba/sbin/smbldap-usershow dilbert. This should cause the IDEALX scripts to communicate with the LDAP server over a TLS connection and return all of the information the LDAP server has about the user dilbert. Because verify="require" is set, the command fails rather than falling back to a cleartext connection if the server's certificate cannot be validated against cafile, which is the behaviour you want. You can confirm the server side independently with the OpenLDAP client: ldapsearch -x -ZZ -H ldap://127.0.0.1 -b dc=somedomain,dc=com -D uid=samba,ou=Users,dc=somedomain,dc=com -W. The -ZZ option makes ldapsearch abort unless StartTLS succeeds; it reads /etc/openldap/ldap.conf, so TLS_CACERT must be set there, as noted in Listing 12.

2. Next, try to log in to the BIGTIME domain from a Windows workstation.

Resources

Learn

• Linux-powered networking, Part 3: Integrate Linux and Windows with Samba (developerWorks, December 2004) is a tutorial that shows how to use Samba to integrate your Linux and Windows networks with sample code and configuration files.

• Common threads: Samba domain controller support (developerWorks, August 2000) demonstrates how to use Samba's domain controller function to control a Windows NT domain.

• Common threads: Introduction to Samba, Part 1 (developerWorks, June 2000), Part 2 (July 2000), and Part 3 (July 2000) is an excellent guide to installing and configuring Samba.

• Find more resources for Linux developers in the developerWorks Linux zone.

Get products and technologies

• Samba provides print and file services for SMB/CIFS clients.

• OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol.

• Pick up the Samba LDAP toolkit.

• Access the UNIX man pages for Samba.

• Build your next development project on Linux with IBM trial software, available for download directly from developerWorks.

Discuss

• Get involved in the developerWorks community by participating in developerWorks blogs.

About the author

Keith Robertson
Keith Robertson is an Advisory Software Engineer at IBM in Research Triangle Park, NC. He is pursuing a master's degree in computer networking at North Carolina State University in Raleigh, NC. His background includes experience with networking technologies and software-development techniques. He has a working knowledge of low-level telecom networking protocols (such as SIP and MEGACO) and IP networking management protocols (such as SNMP and ICMP). He is also skilled at C/C++ and the Java programming language. You can contact Keith at [email protected].

Trademarks

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
DB2, Lotus, Rational, Tivoli, and WebSphere are trademarks of IBM Corporation in the United States, other countries, or both.
Intel is a trademark of Intel Corporation or its subsidiaries in the United States and other countries.
