Ldapsam Editposix
Latest revision as of 12:59, 7 May 2017
(First submitted by idra (a) samba.org)
== Samba and the Editposix/Trusted Ldapsam extension ==
The ldapsam:editposix extension is built on the ldapsam:trusted optimization. ldapsam:trusted was developed as a performance optimization for a server that stores its user and group accounts in LDAP: instead of resolving every account through the system NSS calls, smbd trusts the posix attributes (uidNumber, gidNumber, memberUid and so on) found on the LDAP entries directly. This optimization _requires_ that every Samba user and group account keeps its posix account information in the LDAP tree.

The ldapsam:editposix extension was created to make it easier to configure Samba for use with an LDAP server: smbd itself adds, modifies and deletes the posix accounts and groups on the LDAP server, so no external scripts (add user script and friends) are needed. Because smbd performs these writes bound as the ldap admin dn, that DN needs write access to the user, group, machine and idmap subtrees, and its password, which smbpasswd -w stores in secrets.tdb, must be protected accordingly.

To further help admins we introduced the net sam provision command, which creates the basic accounts and groups (Domain Users, Domain Admins, Domain Guests, Administrator and Guest) that smbd needs in order to run.

A running winbind daemon is required to use ldapsam:editposix, EVEN ON A SAMBA PDC: winbindd is what allocates the uid and gid numbers that editposix assigns to the accounts it creates.

You must also use the ldap idmap backend.
== Basic LDAP configuration ==
After the basic slapd installation you should have the following LDAP configuration. The double colon after userPassword is LDIF syntax for a base64-encoded value; decoded, it is a salted SHA-1 ({SSHA}) password hash, not a cleartext password:

<pre>
dn: dc=samba,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: samba.org
dc: samba

dn: cn=admin,dc=samba,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9aGxQZ0g2bDF4aGJLWFIydENuV1BabXFXY3Y2TEdHUzI=
</pre>
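As an added example (not part of this page or of Samba), the following Python shows what that userPassword value actually contains and how to generate and verify {SSHA} hashes of the same form, which is useful when you have to set the ldap admin password by hand or confirm that a stored hash matches the password you are about to give smbpasswd -w. The LDIF line is copied from the base LDIF above; the password "secret" and the fixed salt used for the generated hash are assumptions made for the demonstration only.

```python
"""Inspect, generate and verify OpenLDAP {SSHA} userPassword values."""
import base64
import hashlib
import hmac
import os

# The userPassword line from the base LDIF on this page, copied verbatim.
PAGE_USERPASSWORD_LINE = (
    "userPassword:: e1NTSEF9aGxQZ0g2bDF4aGJLWFIydENuV1BabXFXY3Y2TEdHUzI="
)


def ldif_value(line):
    """Return (attribute, value_bytes) for one LDIF attribute line.

    'attr:: <b64>' carries a base64-encoded value, 'attr: <text>' a literal one.
    """
    if "::" in line:
        attr, b64 = line.split("::", 1)
        return attr.strip(), base64.b64decode(b64.strip())
    attr, val = line.split(":", 1)
    return attr.strip(), val.strip().encode()


def parse_ssha(stored):
    """Split a b'{SSHA}<base64>' value into (digest, salt).

    SSHA is base64(sha1(password + salt) + salt): the first 20 bytes of the
    decoded blob are the SHA-1 digest, everything after them is the salt
    (slapd uses a 4-byte salt by default).
    """
    if not stored.startswith(b"{SSHA}"):
        raise ValueError("not an {SSHA} value: %r" % stored[:8])
    blob = base64.b64decode(stored[len(b"{SSHA}"):])
    if len(blob) <= 20:
        raise ValueError("decoded value too short to hold a digest and salt")
    return blob[:20], blob[20:]


def make_ssha(password, salt=None):
    """Produce a b'{SSHA}...' value that slapd accepts in userPassword."""
    if salt is None:
        salt = os.urandom(4)  # slapd's default salt length
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def check_ssha(stored, candidate):
    """Verify a candidate password against a stored {SSHA} hash.

    The stored salt is reused and the digests are compared in constant time.
    """
    digest, salt = parse_ssha(stored)
    calc = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(digest, calc)


if __name__ == "__main__":
    attr, value = ldif_value(PAGE_USERPASSWORD_LINE)
    digest, salt = parse_ssha(value)
    print(attr, "decodes to", value.decode(), "(20-byte digest, %d-byte salt)" % len(salt))
    # "secret" is an assumed demo password, not the one behind the page's hash.
    h = make_ssha("secret", salt=b"\x01\x02\x03\x04")
    print("generated:", h.decode(), "verifies:", check_ssha(h, "secret"))
```

The page's hash cannot be reversed from here; the point of check_ssha is to confirm a known password against a hash before you put it into secrets.tdb, and parse_ssha makes the difference between a hash and a cleartext password visible.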
You will now need to import the samba schema into LDAP. On Debian using the distro Samba packages, you will need to do this:

<pre>
cp /usr/share/doc/samba/examples/LDAP/samba.ldif.gz /etc/ldap/schema/
gunzip /etc/ldap/schema/samba.ldif.gz
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba.ldif
</pre>
Next create a file called samba_indices.ldif (for example with nano /etc/ldap/schema/samba_indices.ldif) with the contents shown below. The first change adds the indices Samba's lookups need; the second adds access rules so that only the ldap admin dn and the entry itself can read the Samba password hashes.

One caveat on the access rules: a bare "add: olcAccess" appends them after the rules already present on olcDatabase={1}mdb, and slapd evaluates olcAccess in order, stopping at the first "to" clause that matches the attribute. If the database already ends with a catch-all such as "to * by * read" (Debian's packaged default does), the appended "by * none" never gets a chance and every client, including anonymous binds, can read sambaNTPassword, which is the NT hash and is directly usable for pass-the-hash against the domain. Either give the two rules an explicit position so they land in front of the catch-all (olcAccess: {0}to attrs=...) or reorder them afterwards, and verify the result as shown after the import.

<pre>
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: ou eq
olcDbIndex: mail eq
olcDbIndex: surname eq
olcDbIndex: givenname eq
olcDbIndex: loginShell eq
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
olcDbIndex: nisMapName eq
olcDbIndex: nisMapEntry eq
-
add: olcAccess
olcAccess: to attrs=loginShell by dn="cn=admin,dc=samba,dc=org" write by self write by * read
olcAccess: to attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by dn="cn=admin,dc=samba,dc=org" write by self write by * none
</pre>

Now import it using the following command:

<pre>
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba_indices.ldif
</pre>

Then check the resulting rule order, and confirm with an anonymous search that the hashes are not returned (the second command must print no sambaNTPassword lines; run it again once net sam provision has created accounts):

<pre>
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={1}mdb,cn=config' olcAccess
ldapsearch -x -LLL -H ldapi:/// -b dc=samba,dc=org sambaNTPassword
</pre>
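The ordering pitfall above is easy to get wrong silently, because slapd accepts the appended rules without complaint. The following Python is an added example, not code from this page or from OpenLDAP: it models slapd's olcAccess evaluation (first matching "to" clause wins, then the first matching "by" clause, with an implied "by * none" at the end of each rule) and shows that the two rules from samba_indices.ldif protect sambaNTPassword only when they sit in front of the catch-all. The rule list is constructed for the example and assumes Debian's three default rules were present before the import; only the "to attrs=..." / "to *" and "by <who> <level>" forms used on this page are parsed.

```python
"""Simplified model of OpenLDAP olcAccess evaluation, to check rule order."""
import re

# slapd's access levels in increasing order; "read" or above exposes a value.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ADMIN_DN = "cn=admin,dc=samba,dc=org"

# olcAccess values as slapd would report them for olcDatabase={1}mdb after
# samba_indices.ldif is applied with a bare "add: olcAccess" on top of Debian's
# default rules. Constructed for this example; {n} are the X-ORDERED positions.
APPENDED = [
    '{0}to attrs=userPassword by self write by anonymous auth by * none',
    '{1}to attrs=shadowLastChange by self write by * read',
    '{2}to * by * read',
    '{3}to attrs=loginShell by dn="cn=admin,dc=samba,dc=org" write by self write by * read',
    '{4}to attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange '
    'by dn="cn=admin,dc=samba,dc=org" write by self write by * none',
]

HASH_ATTRS = ["sambaNTPassword", "sambaLMPassword"]


def parse_rule(raw):
    """Return (attrs, clauses): attrs is None for 'to *', else a set of names;
    clauses is the ordered list of (who, level) pairs."""
    rule = re.sub(r"^\{\d+\}", "", raw).strip()
    m = re.match(r"to\s+(\S+)\s+(by\s.*)$", rule)
    if not m:
        raise ValueError("unsupported olcAccess form: %r" % raw)
    what, by_part = m.groups()
    attrs = None if what == "*" else set(what[len("attrs="):].split(","))
    clauses = re.findall(r"by\s+(\S+)\s+(\w+)", by_part)
    return attrs, clauses


def who_matches(who, subject, entry_dn):
    """subject is 'anonymous' or the bind DN; entry_dn is the entry being read."""
    if who == "*":
        return True
    if who == "anonymous":
        return subject == "anonymous"
    if who == "users":
        return subject != "anonymous"
    if who == "self":
        return subject == entry_dn
    if who.startswith('dn="') and who.endswith('"'):
        return subject == who[4:-1]
    return False  # other <who> forms are not modelled


def effective_access(rules, attr, subject, entry_dn):
    """Level granted to subject on attr of entry_dn under slapd's first-match rule."""
    for raw in rules:
        attrs, clauses = parse_rule(raw)
        if attrs is not None and attr not in attrs:
            continue
        for who, level in clauses:
            if who_matches(who, subject, entry_dn):
                return level
        return "none"  # matching "to" clause, no matching "by": implied by * none
    return "none"  # no rule matched at all; treated as denied in this model


def readable_by(rules, attrs, subject, entry_dn="uid=alice,ou=users,dc=samba,dc=org"):
    """Attributes from attrs that subject can read (level >= read) on entry_dn."""
    threshold = LEVELS.index("read")
    return sorted(a for a in attrs
                  if LEVELS.index(effective_access(rules, a, subject, entry_dn)) >= threshold)


def move_first(rules, index):
    """Copy of rules with rules[index] moved to {0}, renumbered as slapd would."""
    stripped = [re.sub(r"^\{\d+\}", "", r) for r in rules]
    stripped.insert(0, stripped.pop(index))
    return ["{%d}%s" % (i, r) for i, r in enumerate(stripped)]


# The fix: put the password-attribute rule in front of the "to *" catch-all.
FIXED = move_first(APPENDED, 4)

if __name__ == "__main__":
    print("appended, anonymous can read:", readable_by(APPENDED, HASH_ATTRS, "anonymous"))
    print("reordered, anonymous can read:", readable_by(FIXED, HASH_ATTRS, "anonymous"))
```

To apply the corrected order on a real server, write the rule with an explicit position (olcAccess: {0}to attrs=sambaNTPassword,...) in the ldif, or delete and re-add the olcAccess values in the order the model produces, then repeat the anonymous ldapsearch check.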
Now you need to add some OUs to the LDAP database. Create samba.local.ldif (for example with nano samba.local.ldif) with the following content:

<pre>
dn: ou=users,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=idmap,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: idmap

dn: ou=computers,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: computers
</pre>

Now add the ldif with:

<pre>
ldapadd -x -D cn=admin,dc=samba,dc=org -W -H ldapi:/// -f samba.local.ldif
Enter LDAP Password:
</pre>
== Configuring smb.conf ==

You need to configure smb.conf properly before running any daemon or command.

Here are the bare minimum options to set in smb.conf:

<pre>
[global]
workgroup = SAMBA
domain logons = yes
os level = 65
time server = yes
passdb backend = ldapsam
ldapsam:editposix = yes
ldapsam:trusted = yes
ldap admin dn = cn=admin,dc=samba,dc=org
ldap suffix = dc=samba,dc=org
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap user suffix = ou=users
ldap ssl = off
idmap config *: backend = tdb
idmap config *: range = 3000-7999
idmap config SAMBA: backend = ldap
idmap config SAMBA: range = 10000-19999
idmap config SAMBA: ldap_url = ldap://localhost/
idmap config SAMBA: ldap_base_dn = ou=idmap,dc=samba,dc=org
idmap config SAMBA: ldap_user_dn = cn=admin,dc=samba,dc=org
ldap delete dn = yes
ldap password sync = yes
winbind use default domain = yes
wins support = yes
template shell = /bin/bash
template homedir = /home/%U
obey pam restrictions = yes
logon home =
logon path =
dns proxy = no
printing = bsd
printcap name = /dev/null
store dos attributes = yes
map read only = no
map archive = no
dos filetime resolution = yes
fake directory create times = yes
csc policy = disable
</pre>

Two points in this configuration deserve attention. "ldap ssl = off" together with "ldap_url = ldap://localhost/" is only acceptable because slapd runs on the same host and the connection never leaves the loopback interface; Samba authenticates to LDAP with a simple bind as the ldap admin dn, so against a remote server this setting would send the admin password in cleartext (use "ldap ssl = start tls", or ldaps:// URLs in passdb backend and ldap_url, instead). The two idmap ranges must not overlap and must be sized for the lifetime of the installation: the "*" range serves BUILTIN and any domain without its own entry, while the SAMBA range is where editposix allocates the uid and gid numbers of the accounts it creates. "ldap delete dn = yes" removes the whole LDAP entry when a Samba account is deleted, and "ldap password sync = yes" makes Samba update userPassword whenever the SMB password changes.
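Because the failure modes here are quiet (an overlapping idmap range shows up much later as a collision, a cleartext bind shows up only on the wire), it helps to check the fragment mechanically before starting any daemon. The following Python is an added example, not part of this page or of Samba: it parses the [global] section and flags the pitfalls discussed above (editposix without trusted, a non-ldap idmap backend for the workgroup, overlapping or malformed ranges, and a non-loopback LDAP URL with "ldap ssl = off"), and encodes the page's rule for enlarging a production idmap range. The embedded configuration is a subset of the fragment above; the "bad" variant in the usage is constructed for the demonstration.

```python
"""Sanity checks for an ldapsam:editposix smb.conf [global] section."""
from urllib.parse import urlsplit

# Subset of the smb.conf fragment on this page (copied lines), used as baseline.
PAGE_CONF = """
[global]
workgroup = SAMBA
passdb backend = ldapsam
ldapsam:editposix = yes
ldapsam:trusted = yes
ldap admin dn = cn=admin,dc=samba,dc=org
ldap suffix = dc=samba,dc=org
ldap ssl = off
idmap config *: backend = tdb
idmap config *: range = 3000-7999
idmap config SAMBA: backend = ldap
idmap config SAMBA: range = 10000-19999
idmap config SAMBA: ldap_url = ldap://localhost/
idmap config SAMBA: ldap_base_dn = ou=idmap,dc=samba,dc=org
idmap config SAMBA: ldap_user_dn = cn=admin,dc=samba,dc=org
"""


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {normalized key: value}}.

    Samba treats parameter names case-insensitively and ignores internal
    whitespace, so keys are lowercased with whitespace collapsed.
    """
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, val = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = val.strip()
    return sections


def parse_range(spec):
    """'low-high' -> (low, high); rejects empty or inverted ranges."""
    lo, hi = (int(x) for x in spec.split("-"))
    if lo >= hi:
        raise ValueError("bad idmap range %r" % spec)
    return lo, hi


def bind_is_protected(url, ldap_ssl):
    """True when the ldap admin simple bind cannot be sniffed: TLS in use,
    a Unix socket (ldapi), or a loopback host."""
    u = urlsplit(url)
    if u.scheme == "ldaps" or ldap_ssl == "start tls":
        return True
    return u.scheme == "ldapi" or u.hostname in (None, "localhost", "127.0.0.1", "::1")


def check_editposix(conf):
    """Return a list of findings (empty means the fragment passes the checks)."""
    g = conf["global"]
    findings = []
    wg = g.get("workgroup", "").lower()
    dom = "idmap config %s: " % wg
    if g.get("ldapsam:editposix", "no").lower() == "yes" and g.get("ldapsam:trusted", "no").lower() != "yes":
        findings.append("ldapsam:editposix requires ldapsam:trusted = yes")
    if not g.get("passdb backend", "").startswith("ldapsam"):
        findings.append("passdb backend must be ldapsam")
    if g.get(dom + "backend", "").lower() != "ldap":
        findings.append("idmap backend for %s must be ldap" % wg.upper())
    try:
        star, own = parse_range(g["idmap config *: range"]), parse_range(g[dom + "range"])
        if star[0] <= own[1] and own[0] <= star[1]:
            findings.append("idmap ranges %s and %s overlap" % (star, own))
    except (KeyError, ValueError) as e:
        findings.append("idmap range problem: %s" % e)
    ssl = g.get("ldap ssl", "start tls").lower()
    url = g.get(dom + "ldap_url", "ldap://localhost/")
    if not bind_is_protected(url, ssl):
        findings.append("cleartext ldap admin bind to %s with ldap ssl = %s" % (url, ssl))
    return findings


def grow_range(old, new):
    """The page's rule for enlarging a production idmap range: the low bound
    must stay, the high bound may only go up (shrinking would orphan ids)."""
    (olo, ohi), (nlo, nhi) = parse_range(old), parse_range(new)
    if nlo != olo:
        raise ValueError("NEVER change the lowest value of an idmap range")
    if nhi < ohi:
        raise ValueError("shrinking the range would orphan already allocated ids")
    return nlo, nhi


if __name__ == "__main__":
    print("page fragment:", check_editposix(parse_smb_conf(PAGE_CONF)) or "ok")
    # Constructed weakened variant: remote LDAP in cleartext, overlapping range.
    bad = PAGE_CONF.replace("ldap://localhost/", "ldap://ldap.example.org/")
    bad = bad.replace("10000-19999", "5000-19999")
    for finding in check_editposix(parse_smb_conf(bad)):
        print("bad variant:", finding)
```

Run it against the real file with parse_smb_conf(open("/etc/samba/smb.conf").read()); the checks cover only the options this page sets, so an empty finding list means the fragment is consistent, not that the whole file is.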
== A quick setup ==

Do not run any daemon until told; use a fresh install or wipe out any previously created tdb files before starting.

To quickly set up and test this feature follow these steps as root:

Configure and run your LDAP server; you may use the above base ldif as a starting point. Make sure the defined ldap admin dn works correctly.

Configure smb.conf.

Add the ldap admin password to the required Samba secrets databases. smbpasswd -w stores it for the ldapsam backend, the two net idmap commands store it for the idmap backends, and all three must be the password of the ldap admin dn ("secret" here is a placeholder; note that passing it on the command line leaves it in the shell history):

<pre>
# smbpasswd -w secret
# net idmap set secret '*' secret
# net idmap set secret 'SAMBA' secret
</pre>

Start winbindd only:

<pre>
# /etc/init.d/winbindd start
</pre>

Now provision the domain in LDAP:

<pre>
# net sam provision
</pre>

This should result in:

<pre>
Checking for Domain Users group.
Adding the Domain Users group.
Checking for Domain Admins group.
Adding the Domain Admins group.
Check for Administrator account.
Adding the Administrator user.
Checking for Guest user.
Adding the Guest user.
Checking Guest's group.
Adding the Domain Guests group.
</pre>

If the command returns "Unable to allocate a new gid to create Domain Admins group", make sure idmap is properly configured and the idmap range is large enough to hold the predicted number of unique users and groups over the lifetime of the system. On a new system you should never get this error. If you have to increase the idmap range on a production system, only increase the highest value; NEVER change the lowest value.

Give a password to the newly created Administrator user, which also enables it:

<pre>
# smbpasswd Administrator
New SMB password:
Retype new SMB password:
</pre>

Now also start nmbd and smbd:

<pre>
# /etc/init.d/nmbd start
# /etc/init.d/smbd start
</pre>

Grant yourself some privileges (SeAddUsersPrivilege lets Administrator create users and groups, SeMachineAccountPrivilege lets it join machines to the domain):

<pre>
# net rpc rights grant Administrator SeAddUsersPrivilege -U Administrator
# net rpc rights grant Administrator SeMachineAccountPrivilege -U Administrator
</pre>
== Managing your DB ==

At this point you will be able to connect from any Windows client, or use any Samba tool, to manage your users, groups and machines with the Administrator user.

There is one problem (or not, depending on your view): you cannot log into the PDC via ssh, at the console, etc. using a Samba user stored in LDAP.