SambaWiki - User contributions [en], feed generated 2024-03-29T05:34:38Z. https://wiki.samba.org/index.php?title=Ldapsam_Editposix&diff=5879 Ldapsam Editposix 2011-04-27T22:57:44Z<p>Carragom: /* A quick setup */</p>
<hr />
<div>(First submitted by idra (a) samba.org)<br />
<br />
== Samba and the Editposix/Trusted Ldapsam extension ==<br />
<br />
The ldapsam:editposix extension is based on the ldapsam:trusted optimization.<br />
The ldapsam:trusted optimization was developed as a performance optimization for servers that use LDAP as their user and group account storage. This optimization _requires_ that all Samba user and group accounts store their POSIX account information in the LDAP tree.<br />
<br />
<br />
The ldapsam:editposix extension has been created with the aim of making it easier to configure samba for use with an ldap server, by providing means to add the posix accounts and groups on the LDAP server without the need to use external scripts.<br />
<br />
To further help admins we introduced the <b>net sam provision</b> command, which creates the basic accounts and groups needed to make smbd run.<br />
<br />
A running winbind daemon is required to use ldapsam:editposix EVEN ON A SAMBA PDC.<br />
<br />
Using the ldap idmap backend is strongly advised too.<br />
<br />
== Basic LDAP configuration ==<br />
<br />
We will not get into the specifics of LDAP configuration.<br />
To use editposix you need only a very basic tree.<br />
<br />
Here is an example base LDIF to load on your server<br />
to create the basic tree structure:<br />
<br />
<pre><br />
dn: dc=samba,dc=org<br />
objectClass: top<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: samba.org<br />
dc: samba<br />
<br />
dn: cn=admin,dc=samba,dc=org<br />
objectClass: simpleSecurityObject<br />
objectClass: organizationalRole<br />
cn: admin<br />
description: LDAP administrator<br />
userPassword: secret<br />
<br />
dn: ou=users,dc=samba,dc=org<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
ou: users<br />
<br />
dn: ou=groups,dc=samba,dc=org<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
ou: groups<br />
<br />
dn: ou=idmap,dc=samba,dc=org<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
ou: idmap<br />
<br />
dn: ou=computers,dc=samba,dc=org<br />
objectClass: top<br />
objectClass: organizationalUnit<br />
ou: computers<br />
</pre><br />
<br />
Download it [[Media:Basic_LDAP_configuration.ldif.txt|Basic_LDAP_configuration.ldif]]<br />
<br />
== Configuring smb.conf ==<br />
<br />
You need to properly configure smb.conf before running any daemon<br />
or command.<br />
<br />
Here are the bare minimum options to set in smb.conf:<br />
<br />
<pre><br />
workgroup = MYGROUP<br />
<br />
encrypt passwords = true<br />
passdb backend = ldapsam<br />
<br />
ldapsam:trusted=yes<br />
ldapsam:editposix=yes<br />
<br />
ldap admin dn = cn=admin,dc=samba,dc=org<br />
ldap delete dn = yes<br />
ldap group suffix = ou=groups<br />
ldap machine suffix = ou=computers<br />
ldap user suffix = ou=users<br />
ldap suffix = dc=samba,dc=org<br />
</pre><br />
<br />
Old idmap syntax (pre 3.0.25):<br />
<pre><br />
ldap idmap suffix = ou=idmap<br />
idmap backend = ldap:"ldap://localhost"<br />
idmap uid = 50000-500000<br />
idmap gid = 50000-500000<br />
</pre><br />
<br />
New idmap syntax (post 3.0.25):<br />
<pre><br />
idmap domains = DEFAULT<br />
idmap config DEFAULT:backend = ldap<br />
idmap config DEFAULT:readonly = no<br />
idmap config DEFAULT:default = yes<br />
idmap config DEFAULT:ldap_base_dn = ou=idmap,dc=samba,dc=org<br />
idmap config DEFAULT:ldap_user_dn = cn=admin,dc=samba,dc=org<br />
idmap config DEFAULT:ldap_url = ldap://localhost<br />
idmap config DEFAULT:range = 50000-500000<br />
<br />
idmap alloc backend = ldap<br />
idmap alloc config:ldap_base_dn = ou=idmap,dc=samba,dc=org<br />
idmap alloc config:ldap_user_dn = cn=admin,dc=samba,dc=org<br />
idmap alloc config:ldap_url = ldap://localhost<br />
idmap alloc config:range = 50000-500000<br />
</pre><br />
<br />
== A quick setup ==<br />
<br />
Do not run any daemon until told to; use a fresh install or<br />
wipe out any previously created tdb files before starting.<br />
<br />
To quickly set up and test this feature follow these steps as root:<br />
<br />
Configure and run your LDAP server; you may use the above base LDIF<br />
as a starting point. Make sure the defined LDAP admin bind works<br />
correctly.<br />
<br />
Configure smb.conf<br />
<br />
Add the ldap admin password to the samba secrets database:<br />
# smbpasswd -w secret<br />
<br />
NOTE: If you are using the new style idmap syntax (post 3.0.25) you will also need to store the password in the idmap secrets store (see man idmap_ldap):<br />
# net idmap secret DOMAIN <password> <br />
# net idmap secret alloc <password><br />
<br />
Start winbindd only.<br />
# /etc/init.d/winbindd start<br />
<br />
Provision the tree:<br />
# net sam provision<br />
<br />
Should the command return<br />
"Unable to allocate a new gid to create Domain Admins group", make sure<br />
idmap is properly configured and the idmap range is large enough to hold the<br />
predicted number of unique users and groups the system will see in its lifetime.<br />
On a new system you should never hit this error. If you have to<br />
increase the idmap range on a production system, only increase the highest value;<br />
NEVER change the lowest value.<br />
<br />
Create the default Windows built-in groups to avoid [https://bugzilla.samba.org/show_bug.cgi?id=6537 Bug 6537]:<br />
# net sam createbuiltingroup Administrators<br />
# net sam createbuiltingroup Users<br />
# net sam createbuiltingroup Guests<br />
<br />
Give the newly created Administrator user a password, which also enables it:<br />
# smbpasswd Administrator<br />
New SMB password:<br />
Retype new SMB password:<br />
<br />
Now also start nmbd and smbd:<br />
# /etc/init.d/nmbd start<br />
# /etc/init.d/smbd start<br />
<br />
Grant yourself some privileges:<br />
# net rpc rights grant Administrator SeAddUsersPrivilege -U Administrator<br />
# net rpc rights grant Administrator SeMachineAccountPrivilege -U Administrator<br />
<br />
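As an added example (not from the Samba project or the original page), here is a small POSIX sh helper that checks an smb.conf for the editposix options listed under "Configuring smb.conf" and enforces the idmap-range rule above: the highest value may grow, the lowest must never change. The sample smb.conf it writes is constructed for the demo; the function names are my own.<br />

```shell
# Added sanity checks for the editposix setup: verify smb.conf carries the options listed on the page
# and enforce the "NEVER change the lowest value" idmap rule. POSIX sh + sed + mktemp only; sample is constructed.

# Print the value of an smb.conf option ("key = value", whitespace tolerated), first match only.
smbconf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# An idmap range must read LOW-HIGH with numeric LOW < HIGH.
check_idmap_range() {
    low=${1%%-*}; high=${1#*-}
    case "$low" in ''|*[!0-9]*) echo "bad idmap range '$1'"; return 1 ;; esac
    case "$high" in ''|*[!0-9]*) echo "bad idmap range '$1'"; return 1 ;; esac
    [ "$low" -lt "$high" ] || { echo "idmap range '$1': LOW must be below HIGH"; return 1; }
}

# Growing a production range: HIGH may only go up, LOW must stay put. Usage: check_idmap_range_change OLD NEW
check_idmap_range_change() {
    check_idmap_range "$1" && check_idmap_range "$2" || return 1
    [ "${2%%-*}" -eq "${1%%-*}" ] || { echo "refusing: lowest value ${1%%-*} -> ${2%%-*}"; return 1; }
    [ "${2#*-}" -ge "${1#*-}" ] || { echo "refusing: range would shrink"; return 1; }
}

# Check the bare-minimum editposix options in an smb.conf; report each problem, return 1 if any.
check_editposix_conf() {
    rc=0
    for kv in "passdb backend=ldapsam" "ldapsam:trusted=yes" "ldapsam:editposix=yes"; do
        got=$(smbconf_get "$1" "${kv%%=*}")
        [ "$got" = "${kv#*=}" ] || { echo "need '${kv%%=*} = ${kv#*=}', got '${got:-unset}'"; rc=1; }
    done
    [ -n "$(smbconf_get "$1" "ldap admin dn")" ] || { echo "missing 'ldap admin dn'"; rc=1; }
    # Either idmap syntax from the page is accepted: new-style DEFAULT range or old-style idmap uid.
    range=$(smbconf_get "$1" "idmap config DEFAULT:range")
    [ -n "$range" ] || range=$(smbconf_get "$1" "idmap uid")
    if [ -z "$range" ]; then echo "missing idmap range"; rc=1; else check_idmap_range "$range" || rc=1; fi
    return $rc
}

# Constructed sample smb.conf mirroring the page's settings (new-style idmap syntax).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[global]
    passdb backend = ldapsam
    ldapsam:trusted=yes
    ldapsam:editposix=yes
    ldap admin dn = cn=admin,dc=samba,dc=org
    idmap config DEFAULT:range = 50000-500000
EOF
check_editposix_conf "$SAMPLE_CONF" && echo "smb.conf OK for editposix"
```

Point check_editposix_conf at a real smb.conf path instead of the sample file to vet a host before starting winbindd.<br />
<br />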
== Managing your DB ==<br />
<br />
At this point you will be able to connect from any Windows client, or use any Samba tool, to manage your users, groups and machines with the Administrator user.<br />
<br />
<br />
<br />
<br />
----<br />
[[Category:Category Configuration]]<br />
[[Category:Category Documentation]]</div>