Debian Samba LDAP Integration

  1. install samba

    • aptitude install samba




  2. install smbldap-tools

    • aptitude install smbldap-tools




  3. read smbldap-tools documentation

    • gunzip /usr/share/doc/smbldap-tools/README.Debian.gz


    • less /usr/share/doc/smbldap-tools/README.Debian





I. LDAP Server Configuration



  1. Copy the 'samba.schema' to be used in your LDAP server (you can find it in '/usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz' after installing the samba-doc package):


    • zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema




  2. Modify the file '/etc/ldap/slapd.conf' to include the samba schema:

    • include /etc/ldap/schema/samba.schema




  3. Optionally add indexes to optimize SAMBA access:

    • index uid,uidNumber,gidNumber,memberUid eq


    • index cn,mail,surname,givenname eq,subinitial


    • index sambaSID eq


    • index sambaPrimaryGroupSID eq


    • index sambaDomainName eq




  4. Allow users to change their NT and LM passwords by changing the ACL line 'access to attribute=userPassword' to 'access to attrs=userPassword,sambaNTPassword,sambaLMPassword'.


  5. Restart the LDAP server.

    • /etc/init.d/slapd restart





II. Samba Server Configuration



  1. Edit '/etc/samba/smb.conf' and change the passdb backend from its original value to:

    • passdb backend = ldapsam:ldap://localhost




  2. Add configuration directives for the passdb system:

    • obey pam restrictions = no


    • ldap admin dn = cn=admin,dc=neuroimaging,dc=org,dc=au


    • ldap delete dn = no


    • ldap suffix = dc=neuroimaging,dc=org,dc=au


    • ldap machine suffix = ou=Computers


    • ldap user suffix = ou=Users


    • ldap idmap suffix = ou=Users


    • ldap group suffix = ou=Groups




  3. Additional directives so that passwords are changed through the smbldap-tools:

    • ; Do ldap passwd sync


    • ldap passwd sync = Yes


    • passwd program = /usr/sbin/smbldap-passwd %u


    • passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*




  4. And if you want to administer users and groups from Windows, add:

    • add user script = /usr/sbin/smbldap-useradd -m "%u"


    • ldap delete dn = Yes


    • delete user script = /usr/sbin/smbldap-userdel "%u"


    • add machine script = /usr/sbin/smbldap-useradd -w "%u"


    • add group script = /usr/sbin/smbldap-groupadd -p "%g"


    • delete group script = /usr/sbin/smbldap-groupdel "%g"


    • add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"


    • delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"


    • set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"




  5. Restart Samba and store the LDAP admin password so that Samba can use it:

    • /etc/init.d/samba restart


    • smbpasswd -w LDAP_ADMIN_PASSWORD





smbldap-tools Configuration



  1. Start by copying the files 'smbldap.conf' and 'smbldap_bind.conf' from '/usr/share/doc/smbldap-tools/examples/' to '/etc/smbldap-tools/':

    • zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf


    • cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/smbldap_bind.conf




  2. Edit the 'smbldap.conf' file; the main parameters to watch out for are the 'SID', the LDAP server addresses, the TLS settings and the LDAP suffix.

    • NOTE: To obtain the SID, execute the following command with your SAMBA server running:


      • net getlocalsid






  3. Edit the 'smbldap_bind.conf' file and put the smbldap administrator's DN and password there.


  4. Fix file permissions:

    • chmod 0644 /etc/smbldap-tools/smbldap.conf


    • chmod 0600 /etc/smbldap-tools/smbldap_bind.conf




  5. To initialize the LDAP database, invoke the command:

    • smbldap-populate


    • NOTE: This makes the tool start adding uids and gids from 1000 (hardcoded default); if you want to start from different numbers, pass "-g <firstgid>" or "-u <firstuid>" as options to smbldap-populate.
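
A post-configuration check for the steps above, added here as an example; it is not part of the original post nor of smbldap-tools. It reads 'ldap suffix' from smb.conf and 'SID'/'suffix' from smbldap.conf, confirms they agree with each other and with the output of 'net getlocalsid' (passed in as a string so it can run against the constructed sample), and verifies that smbldap_bind.conf is not readable by group or others. The function names, the temporary file paths and every sample value are assumptions made for the example.

```shell
#!/bin/sh
# Sanity checks for the Samba/LDAP/smbldap-tools setup described above.
# Constructed sample files stand in for the real /etc paths (assumption).

# Value of KEY in an smb.conf-style file ("key = value"); first match wins.
smbconf_get() {  # smbconf_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Value of KEY in smbldap.conf ('key="value"' form, quotes stripped).
smbldap_get() {  # smbldap_get FILE KEY
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

# True only if group and others have no rights on FILE (columns 5-10 of ls -l).
# smbldap_bind.conf holds the LDAP admin password in clear text, so this is
# the check behind "chmod 0600" in step 4.
is_private() {  # is_private FILE
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True only if "ldap suffix" in smb.conf equals "suffix" in smbldap.conf;
# otherwise Samba and the smbldap-* tools would work in different subtrees.
suffixes_match() {  # suffixes_match SMB_CONF SMBLDAP_CONF
    [ "$(smbconf_get "$1" 'ldap suffix')" = "$(smbldap_get "$2" suffix)" ]
}

# True only if SID in smbldap.conf equals the SID Samba reports. The second
# argument is the output line of "net getlocalsid" ("SID for domain X is: S-...").
sid_matches() {  # sid_matches SMBLDAP_CONF "SID for domain X is: S-1-5-21-..."
    [ "$(smbldap_get "$1" SID)" = "${2##* }" ]
}

# Constructed sample configuration (not a real deployment).
WORK=$(mktemp -d)
printf '[global]\n   passdb backend = ldapsam:ldap://localhost\n   ldap suffix = dc=example,dc=org\n' > "$WORK/smb.conf"
printf 'SID="S-1-5-21-111-222-333"\nsuffix="dc=example,dc=org"\n' > "$WORK/smbldap.conf"
printf 'dn="cn=admin,dc=example,dc=org"\nbindpw="secret"\n' > "$WORK/smbldap_bind.conf"
chmod 0644 "$WORK/smbldap_bind.conf"   # too permissive, as if step 4 were skipped
NET_SID="SID for domain SRV is: S-1-5-21-111-222-333"   # constructed net getlocalsid output

suffixes_match "$WORK/smb.conf" "$WORK/smbldap.conf" && echo "suffix: OK" || echo "suffix: MISMATCH"
sid_matches "$WORK/smbldap.conf" "$NET_SID" && echo "SID: OK" || echo "SID: MISMATCH"
is_private "$WORK/smbldap_bind.conf" && echo "bind file: OK" || echo "bind file: readable by others, run chmod 0600"
```

On a real host, point the three functions at /etc/samba/smb.conf and /etc/smbldap-tools/ and feed sid_matches the actual output of 'net getlocalsid'.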
