Thursday, 19 June 2014

Installing A Virtual Samba/LDAP Server on Ubuntu 12.04. Part 3

Part 3: Setting Up Samba

This is the third part of this tutorial.

For part 1 click here
For part 2 click here

Now that we have an LDAP server up and running, we can configure Samba to use it for authentication.
First we need to install the Samba packages:

apt-get install samba samba-doc smbldap-tools

Now we can configure LDAP so it can hold Samba data. In order to do this we need to do three things:

  • Import the Samba schema
  • Index entries
  • Add objects

The Samba schema needs to be added to LDAP in order for the DIT to be able to use attributes that properly describe Samba.
The schema is located in the samba-doc package that we have just installed. We need to copy it to /etc/ldap/schema and decompress it:

cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema
gzip -d /etc/ldap/schema/samba.schema.gz

Now you need to create the file /etc/ldap/schema/schema_convert.conf, with the following data:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/ldapns.schema
include /etc/ldap/schema/pmi.schema
include /etc/ldap/schema/samba.schema

Create the directory /etc/ldap/schema/ldif_output to hold output:

mkdir /etc/ldap/schema/ldif_output

Now you need to determine the index of the schema. The number in curly brackets is the position of samba.schema among the includes in schema_convert.conf, so use whatever number your own output shows in the steps that follow. First you need to change to the schema directory:

cd /etc/ldap/schema
slapcat -f schema_convert.conf -F ldif_output -n 0 | grep samba,cn=schema

You should see:

dn: cn={14}samba,cn=schema,cn=config

Now you need to convert the schema into LDIF format.

slapcat -f schema_convert.conf -F ldif_output -n0 -H ldap:///cn={14}samba,cn=schema,cn=config -l cn=samba.ldif

Now edit the generated cn=samba.ldif file

vi /etc/ldap/schema/cn=samba.ldif

On the first line (dn:) and the third line (cn:) of the file you will see the number 14 in curly brackets {}. You need to delete this from both lines.

You will also need to delete the lines at the bottom of the same file. These are the operational attributes that slapcat adds to the entry (structuralObjectClass, entryUUID, creatorsName, createTimestamp, entryCSN, modifiersName and modifyTimestamp), and ldapadd will refuse the file if they are left in.
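The edit described above can be scripted rather than done by hand in vi. This is an added example, not part of the original post: it strips the {N} prefix from the dn: and cn: lines and removes the operational attributes, and it ships with a constructed sample file (the attribute line is a stand-in, not a copy of samba.schema) so it can be tried without a running slapd.

```shell
#!/bin/sh
# Added example (not from the original post): clean the LDIF that slapcat
# wrote for the samba schema so ldapadd accepts it. It removes the "{N}"
# ordering prefix from the dn: and cn: lines and drops the operational
# attributes slapcat appends at the end of the entry.
# Usage: . ./clean_ldif.sh; clean_schema_ldif cn=samba.ldif > cn=samba.clean.ldif

clean_schema_ldif() {
    # $1 is the LDIF produced by "slapcat ... -l"; cleaned LDIF goes to stdout.
    sed -e 's/^dn: cn={[0-9]*}samba,/dn: cn=samba,/' \
        -e 's/^cn: {[0-9]*}samba$/cn: samba/' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d' "$1"
}

# Constructed sample that mimics the head and tail of the real slapcat output
# (a single made-up attribute line; the real file has many olc* lines).
make_sample_ldif() {
    cat > "$1" <<'EOF'
dn: cn={14}samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {14}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20140619120000Z
entryCSN: 20140619120000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140619120000Z
EOF
}
```

Run the cleaned output through ldapadd exactly as in the next step; the original file is left untouched, so you can diff the two before loading.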

Now you're ready to add the LDAP Samba schema. To do this run:

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\=samba.ldif

You should see:

adding new entry "cn=samba,cn=schema,cn=config"

You can now query and view this schema by running:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'cn=*samba*'

Now that slapd knows about the Samba attributes, we can index entries in order to improve performance when a client performs a search on the DIT.

You will need to create an LDIF file called samba_indices.ldif, or something equally descriptive, with the following contents:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub

Then you use the ldapmodify utility to load the new indices:

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif

You should see:

modifying entry "olcDatabase={1}hdb,cn=config"

If this has worked properly you should be able to see the new indexes using ldapsearch:

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={1}hdb olcDbIndex

Before you do anything else you will need to install the dpkg-dev package and fetch the smbldap-tools source, and then copy it to the /etc/smbldap-tools directory (created first, as cp will not create it for you):

apt-get install dpkg-dev
apt-get source smbldap-tools
cd smbldap-tools-0.9.7
mkdir -p /etc/smbldap-tools
cp -R * /etc/smbldap-tools
cd /etc/smbldap-tools

Now you need to edit the smbldap_bind.conf file and enter your rootDN and password. This file holds the directory administrator's password in clear text, so make sure only root can read it (chmod 0600 /etc/smbldap-tools/smbldap_bind.conf).

Now you will need to run:

net getlocalsid

The result should look something like:

SID for domain EU5B is: S-1-5-21-4273260595-1488099775-4236836672

You will need to copy the long number and then edit the smbldap.conf file.

Delete the SID that is already in the file and replace it with the SID that you have just copied from the getlocalsid command.
Change the Samba domain to match your Samba domain.

You then need to change slaveLDAP and masterLDAP to match your server's hostname. We are only using one server, so the slave and master LDAP servers are the same.


Next you need to select the TLS options. We won't be using TLS here, as we will be setting up SSL in the
next section, so everything will be turned off. The cafile and clientcert lines are commented out with a '#'.

The clientkey line is also commented out with a '#' at the beginning of the line. Further down, you need to change the suffix to match your domain name.

The last thing you need to change in this file is the mailDomain; you need to ensure it matches your domain name.
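The SID and domain edits above are easy to get wrong by hand, and a wrong SID is not reported by smbldap-populate. As an added example (not from the original post), this script parses the line net getlocalsid prints, refuses anything that is not a well-formed domain SID, and rewrites the SID= and sambaDomain= lines of smbldap.conf; the file paths and the sample conf used in testing are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pull the SID and domain out of
# the line "net getlocalsid" prints, refuse anything that is not a well-formed
# domain SID, and write both into smbldap.conf. If this SID does not match
# Samba's own, the sambaSID values smbldap-tools generates belong to a
# different domain and Samba will not treat those accounts as its own.

# Print the SID from a line such as
# "SID for domain EU5B is: S-1-5-21-4273260595-1488099775-4236836672"
sid_from_getlocalsid() {
    printf '%s\n' "$1" |
        sed -n 's/^SID for domain [^ ]* is: \(S-1-5-21-[0-9]*-[0-9]*-[0-9]*\)$/\1/p'
}

# Print the domain name from the same line.
domain_from_getlocalsid() {
    printf '%s\n' "$1" | sed -n 's/^SID for domain \([^ ]*\) is: .*/\1/p'
}

# Replace the SID= and sambaDomain= lines of a smbldap.conf file ($1) with
# the SID ($2) and domain ($3) given; returns 1 without touching the file
# if the SID does not look like S-1-5-21-<n>-<n>-<n>.
update_smbldap_conf() {
    conf=$1 sid=$2 domain=$3
    case $sid in
        S-1-5-21-[0-9]*-[0-9]*-[0-9]*) ;;
        *) echo "refusing to write malformed SID: $sid" >&2; return 1 ;;
    esac
    sed -e "s/^SID=.*/SID=\"$sid\"/" \
        -e "s/^sambaDomain=.*/sambaDomain=\"$domain\"/" "$conf" > "$conf.tmp" &&
        mv "$conf.tmp" "$conf"
}

# smbldap_bind.conf holds the rootDN password in clear text: root only.
lock_bind_conf() {
    chmod 0600 "$1"
}

# Typical use on the server (assumed paths), run as root:
#   line=$(net getlocalsid)
#   update_smbldap_conf /etc/smbldap-tools/smbldap.conf \
#       "$(sid_from_getlocalsid "$line")" "$(domain_from_getlocalsid "$line")"
#   lock_bind_conf /etc/smbldap-tools/smbldap_bind.conf
```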

Now type:

smbldap-populate

and you should see the database populate.

Now you will be able to use commands like 'smbldap-useradd <username>' and 'smbldap-userdel <username>'.

On the Ubuntu website, they suggest that you edit the smb.conf file; however, every time I do this, no matter how exactly I follow the instructions, the whole system crashes, so my Samba server is set to automatically create a new Samba user when a Unix user is created. This means that when I add an LDAP user, their Samba entry is automatically created, so I can create a load.ldif file with the information of all of my users on it and add that, instead of adding all of the users individually with the smbldap-useradd command. I haven't found a solution for adding all users in bulk with Samba, but maybe I'm just looking in the wrong place, so if you guys have any suggestions on that, it would be really helpful!

Now onto part 4, how to back up and restore the database.


<3