Misc Config Notes on LDAP and SMB configuration:
OS installation prerequisites
$ sudo apt-get install attr build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl ntp ntpdate
OS authentication installations
$ sudo apt-get install libnss-ldap libpam-ldap ldap-utils
Samba Installations
$ sudo apt-get install samba krb5-config winbind smbldap-config smbldap-tools
/etc/pam.d/common-password
See update to ldap.so line:
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
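As an added illustration (not part of the original notes), a small Python model of how Linux-PAM walks the common-password stack above: a local user stops at pam_unix.so and jumps to pam_permit.so, an LDAP user falls through pam_unix.so (user_unknown is ignored) to pam_ldap.so, and an unknown user hits the requisite pam_deny.so. The module names and control fields are the page's; the simulator, its return-code names and the FIXED table are assumptions, not PAM code.

```python
# Simulation of how Linux-PAM walks the "password" stack from /etc/pam.d/common-password above.
# Control actions follow pam.d(5): an integer N = "ok" plus skip the next N modules;
# "ok" contributes the code, "ignore" does not, "bad" records a failure, "die" = bad and stop.
#
# (control, module) pairs in stack order, taken from the page; requisite/required spelled out:
#   requisite = [success=ok new_authtok_reqd=ok ignore=ignore default=die]
#   required  = [success=ok new_authtok_reqd=ok ignore=ignore default=bad]
STACK = [
    ({"success": 2, "default": "ignore"}, "pam_unix.so"),
    ({"success": 1, "user_unknown": "ignore", "default": "die"}, "pam_ldap.so"),
    ({"success": "ok", "default": "die"}, "pam_deny.so"),
    ({"success": "ok", "default": "bad"}, "pam_permit.so"),
]
# Fixed behaviour of the two helper modules; the real modules' codes are supplied per call.
FIXED = {"pam_deny.so": "perm_denied", "pam_permit.so": "success"}

def run_stack(outcomes, stack=STACK):
    """outcomes maps pam_unix.so / pam_ldap.so to the code each returns ("success",
    "user_unknown", "authtok_err", ...). Returns (final_result, modules_consulted)."""
    status, visited, i = None, [], 0       # status None: nothing has contributed yet
    while i < len(stack):
        control, module = stack[i]
        code = FIXED.get(module) or outcomes[module]
        action = control.get(code, control["default"])
        visited.append(module)
        skip = 0
        if isinstance(action, int):        # "success=N": counts as ok, then jumps over N modules
            action, skip = "ok", action
        if action in ("ok", "bad", "die") and status in (None, "success"):
            status = code                  # first failure (or a success) becomes the stack status
        if action == "die":
            break
        i += 1 + skip
    # If nothing contributed, Linux-PAM returns PAM_PERM_DENIED; that is why pam_permit is at the end.
    return ("success" if status == "success" else "denied"), visited

if __name__ == "__main__":
    print(run_stack({"pam_unix.so": "success"}))                                      # local user
    print(run_stack({"pam_unix.so": "user_unknown", "pam_ldap.so": "success"}))       # LDAP user
    print(run_stack({"pam_unix.so": "user_unknown", "pam_ldap.so": "user_unknown"}))  # unknown user
```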
/etc/pam.d/common-session
See added ldap.so line:
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_ldap.so
session optional pam_systemd.so
session optional pam_mkhomedir.so skel=/etc/skel umask=077
# end of pam-auth-update config
/etc/pam.d/common-session-noninteractive
See added ldap.so line:
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_ldap.so
# end of pam-auth-update config
/etc/nsswitch.conf (Service Switch)
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
# passwd: compat
# pre_auth-client-config # passwd: ldap compat files
passwd: compat ldap
# group: compat
# pre_auth-client-config # group: ldap compat files
group: compat ldap
# shadow: compat
# pre_auth-client-config # shadow: ldap compat files
shadow: compat ldap
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
# netgroup: nis
# pre_auth-client-config # netgroup: nis
netgroup: nis
/etc/ldap.conf (DebConf)
# The distinguished name of the search base.
base dc=mindwateringdemo,dc=local
# Another way to specify your LDAP server is to provide an
# Unix Domain Sockets to connect to a local LDAP Server.
uri ldap://127.0.0.1
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=myadminid,dc=mindwateringdemo,dc=local
# The credentials to bind with.
# Optional: default is no credential.
# bindpw
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=myadminid,dc=mindwateringdemo,dc=local
rootpw {SSHA}qea123gasdg123598723533ddeb
# The port.
# Optional: default is 389.
#port 389
/etc/ldap.secret
myldappasswordformyadminid
/etc/ldap/ldap.conf (LDAP config for Slapd)
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=mindwateringdemo,dc=local
URI ldap://localhost ldap://localhost:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
Use ldapsearch to confirm that the LDAP configuration is working:
$ sudo ldapsearch -x -W -D 'cn=myadminid,dc=mindwateringdemo,dc=local' -b "" -s base -H ldap://127.0.0.1
Use the following command to generate a new {SSHA} password hash for the LDAP admin, if you need to redo it after the installation wizard:
$ sudo slappasswd -h {SSHA}
Ubuntu had two Kerberos config files, which was confusing, with the /etc/ location seemingly unused. Therefore, we linked them so that the standard /etc/ location is used.
$ sudo mv /etc/krb5.conf /etc/krb5.conf.orig
$ sudo ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
Use klist and kinit to test your Kerberos OS authentication, e.g.:
$ sudo klist
$ sudo kinit administrator@MINDWATERINGDEMO.LOCAL
After you install LDAP, you then have to extend the schema for the Samba objects.
See the Ubuntu LDAP and Samba page for all the LDIF updates and for adding the LDIF files to slapd, e.g.:
$ sudo cp /usr/share/doc/samba/examples/LDAP/samba.schema.gz /etc/ldap/schema/
$ sudo gzip -d /etc/ldap/schema/samba.schema.gz
$ cd /etc/ldap/
$ sudo mkdir ldif_output
$ sudo slapcat -f schema_convert.conf -F ldif_output -n 0 | grep samba,cn=schema
dn: cn={14}samba,cn=schema,cn=config
$ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif
$ sudo ldapadd -x -D "cn=myadminid,dc=yourdomain,dc=tld" -f sogo.ldif -W
To populate the data, use the smbldap-populate command.
$ sudo smbldap-populate
Use auth-client-config to set up authentication with LDAP:
$ sudo auth-client-config
or
$ sudo auth-client-config -t nss -p lac_ldap
Use pam-auth-update to tick the check box for LDAP. Also edit the pam.d files as listed on this page.
$ sudo pam-auth-update
Check that LDAP users are visible to the OS (the output includes both local and LDAP users):
$ sudo getent passwd
Confirm that the OS and SMB can see the SID:
$ sudo net getlocalsid
/etc/samba/smb.conf (Samba configuration)
[global]
workgroup = MINDWATERINGDEMO
server string = %h server (Samba, Ubuntu)
unix extensions = no
wide links = yes
case sensitive = no
default case = lower
preserve case = yes
short preserve case = yes
# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no
; name resolve order = lmhosts host wins bcast
protocol = SMB3
#### Networking ####
hosts allow = 127.0.0.1, 192.168.99.0/24, 192.168.98.0/24, 192.168.111.0/24, 192.168.122.0/24
#### Debugging/Accounting ####
log file = /var/log/samba/log.%m
max log size = 2000
log level = 3 passdb:5 auth:5
# Samba crashes script: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
security = user
encrypt passwords = true
# LDAP entries
passdb backend = ldapsam:"ldap://127.0.0.1/"
## method 1
ldap password sync = yes
## method 2
; ldap password sync = no
; unix password sync = yes
; passwd program = /usr/bin/smbldap-passwd -u '%u'
; passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n
ldap suffix = dc=mindwateringdemo,dc=local
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=mindwateringdemo,dc=local
ldap delete dn = no
# Plain LDAP is only acceptable because the passdb backend is on 127.0.0.1; against a
# remote server the admin dn password (stored with "smbpasswd -w") would cross the network unencrypted.
ldap ssl = off
obey pam restrictions = yes
# For Unix password sync to work on Debian, the following is needed
map to guest = bad user
########## Domains ###########
domain logons = yes
domain master = yes
preferred master = yes
os level = 65
wins support = yes
# Store the profile in the user's home directory
logon path = \\%N\%U\profile
logon drive = U:
logon home = \\%N\%U
# Specify the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be stored in 'DOS' file format convention
logon script = logon.cmd
# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
rename user script = /usr/sbin/smbldap-usermod -r '%new' '%old'
delete user script = /usr/sbin/smbldap-userdel '%u'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe.
# The following assumes a "machines" group exists on the system
# add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1
After you install Samba and configure smb.conf with the admin id, you must also store the LDAP admin password in Samba's secrets.tdb:
$ sudo smbpasswd -w myhardtoguesspassword
If you don't want the SMB administrator password to expire:
$ sudo /usr/bin/samba-tool user setexpiry administrator --noexpiry
Test SMB with:
$ sudo pdbedit -Lv -d 3 auserid
and
$ wbinfo -K auserid
____________________________________
If users are getting a message that they need to change their password before they log in, then you need to set an attribute and check the pam.d settings below.
1. sambaPwdLastSet
Add the attribute sambaPwdLastSet to each user's record, with the date as a Unix epoch timestamp (seconds since Jan. 1, 1970, written in decimal).
- sambaPwdLastSet: 1498079313
( 1498079313 is the number of seconds from Jan. 1, 1970 to now, if now is 2017/06/21 at 5:07 PM EDT )
Optionally set the rest:
- sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
- sambaMaxPwdAge: -1
- sambaMinPwdAge: 0
- sambaPwdCanChange: 1
-- 1 = user can change password
- sambaPwdMustChange: 0
-- 1 = user must change password
2. We had to update the pam.d session file and remove the use_authtok option from the pam_ldap.so line.
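As an added example (not from the original notes), a Python helper for step 1: it reads ldapsearch-style LDIF output, lists the sambaSamAccount entries whose sambaPwdLastSet is missing, zero or not a plain decimal epoch value, and writes the ldapmodify input that sets it. The two user entries are constructed sample data; only the DN base is the page's.

```python
import re
import time
# Constructed sample of what "ldapsearch -x -LLL ... objectClass=sambaSamAccount" could return
# for two users: alice already has sambaPwdLastSet, bob does not (not real directory data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=mindwateringdemo,dc=local
uid: alice
objectClass: sambaSamAccount
sambaPwdLastSet: 1498079313

dn: uid=bob,ou=People,dc=mindwateringdemo,dc=local
uid: bob
objectClass: sambaSamAccount
sambaPwdMustChange: 0
"""

def parse_ldif(text):
    """Minimal LDIF reader (no base64 values or continuation lines): one {attr: [values]} per entry."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():                 # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur.setdefault(attr, []).append(value)
    if cur:
        entries.append(cur)
    return entries

def users_needing_fix(entries):
    """DNs of Samba accounts whose sambaPwdLastSet is missing, zero, or not a plain decimal epoch."""
    needs = []
    for entry in entries:
        if "sambaSamAccount" not in entry.get("objectClass", []):
            continue
        value = entry.get("sambaPwdLastSet", [""])[0]
        if not re.fullmatch(r"[0-9]+", value) or int(value) == 0:
            needs.append(entry["dn"][0])
    return needs

def fix_ldif(dns, now=None):
    """ldapmodify input that sets sambaPwdLastSet to seconds since 1970-01-01 UTC, in decimal."""
    now = int(time.time()) if now is None else now
    return "\n".join(f"dn: {dn}\nchangetype: modify\nreplace: sambaPwdLastSet\nsambaPwdLastSet: {now}\n"
                     for dn in dns)

if __name__ == "__main__":  # apply with: sudo ldapmodify -x -D 'cn=myadminid,dc=mindwateringdemo,dc=local' -W -f fix.ldif
    print(fix_ldif(users_needing_fix(parse_ldif(SAMPLE_LDIF))))
```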
____________________________________