Ldapsam Editposix

From SambaWiki
Latest revision as of 12:59, 7 May 2017

(First submitted by idra (a) samba.org)

== Samba and the Editposix/Trusted Ldapsam extension ==

The ldapsam:editposix extension is built on the ldapsam:trusted optimization. ldapsam:trusted was developed as a performance optimization for a server that uses LDAP as its user and group account storage: instead of going through NSS lookups, Samba reads the POSIX attributes straight from the directory. This optimization _requires_ that every Samba user and group also stores its POSIX account information (posixAccount/posixGroup) in the LDAP tree.


The ldapsam:editposix extension was created with the aim of making it easier to configure samba for use with an ldap server, by providing means to add the posix accounts and groups on the LDAP server without needing to use external scripts.

To further help admins we introduced the net sam provision command, which creates the basic accounts and groups needed to make smbd run.

A running winbind daemon is required to use ldapsam:editposix EVEN ON A SAMBA PDC.

You must also use the ldap idmap backend.

== Basic LDAP configuration ==

After the basic slapd installation you should have the following LDAP configuration:

dn: dc=samba,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: samba.org
dc: samba

dn: cn=admin,dc=samba,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9aGxQZ0g2bDF4aGJLWFIydENuV1BabXFXY3Y2TEdHUzI=
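As an added example (not from the page or from the OpenLDAP project), the following Python builds and verifies `{SSHA}` values of the kind shown in the cn=admin entry, equivalent to `slappasswd -h '{SSHA}' -s <password>`, and converts between the cleartext `userPassword:` and base64 `userPassword::` LDIF forms. `PAGE_LINE` is the page's own value; whether it corresponds to the password `secret` used later is something you can check with `verify_ssha` rather than assume.

```python
"""Build and check OpenLDAP {SSHA} userPassword values (added example, not from the page).

Equivalent to `slappasswd -h '{SSHA}' -s <password>`: {SSHA} is
base64(SHA-1(password || salt) || salt); slapd uses a 4-byte salt.
Standard library only.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

DIGEST_LEN = 20  # SHA-1 output; everything after it in the decoded value is the salt

# The value exactly as it appears in the page's cn=admin entry (':: ' marks base64 in LDIF).
PAGE_LINE = "userPassword:: e1NTSEF9aGxQZ0g2bDF4aGJLWFIydENuV1BabXFXY3Y2TEdHUzI="


def make_ssha(password: str, salt: bytes = b"") -> str:
    """Return a '{SSHA}...' string for password; salt is random unless given."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> tuple[bytes, bytes]:
    """Split a '{SSHA}...' value into (digest, salt); raises on any other scheme."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("{SSHA} value too short to contain a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha(candidate: str, stored: str) -> bool:
    """Constant-time comparison of candidate against a stored {SSHA} value."""
    digest, salt = split_ssha(stored)
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def ldif_userpassword(value: str) -> str:
    """Render userPassword the way ldapsearch/slapcat print it: base64 after '::'."""
    return "userPassword:: " + base64.b64encode(value.encode("utf-8")).decode("ascii")


def ldif_decode_userpassword(line: str) -> str:
    """Inverse of ldif_userpassword: accepts both 'attr: value' and 'attr:: base64'."""
    _attr, sep, rest = line.partition("::")
    if sep:
        return base64.b64decode(rest.strip(), validate=True).decode("utf-8")
    _attr, _sep, rest = line.partition(":")
    return rest.strip()


if __name__ == "__main__":
    stored = ldif_decode_userpassword(PAGE_LINE)
    digest, salt = split_ssha(stored)
    print(f"page value: {stored} (digest {len(digest)} bytes, salt {len(salt)} bytes)")
    print("page value matches 'secret':", verify_ssha("secret", stored))
    print(ldif_userpassword(make_ssha("secret")))
```

Run it directly to see whether the page's hash is the hash of `secret`; to create your own admin entry, feed `make_ssha()` the password you intend to hand to `smbpasswd -w` later.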

The `userPassword` value above is a base64-encoded `{SSHA}` hash, as `slappasswd` produces it; the quick setup below assumes the corresponding cleartext is `secret`, so generate a value for the password you actually choose and use that same password with `smbpasswd -w` and `net idmap set secret`.

You will now need to import the Samba schema into LDAP:

On Debian using the distro Samba packages, you will need to do this:

cp /usr/share/doc/samba/examples/LDAP/samba.ldif.gz /etc/ldap/schema/
gunzip /etc/ldap/schema/samba.ldif.gz
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba.ldif

Next create a file called samba_indices.ldif and add the contents as shown below:

nano /etc/ldap/schema/samba_indices.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: ou eq
olcDbIndex: mail eq
olcDbIndex: surname eq
olcDbIndex: givenname eq
olcDbIndex: loginShell eq
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
olcDbIndex: nisMapName eq
olcDbIndex: nisMapEntry eq
-
add: olcAccess
olcAccess: to attrs=loginShell by dn="cn=admin,dc=samba,dc=org" write by self write by * read
olcAccess: to attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by dn="cn=admin,dc=samba,dc=org" write by self write by * none

Now import it using the following command:

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba_indices.ldif

Check the resulting rule order before relying on it. slapd evaluates olcAccess rules in order and the first `to` clause that matches the target decides the access, so rules appended with `add: olcAccess` land after whatever is already there. Debian's default database ends with `to * by * read`, which would make the appended `sambaNTPassword`/`sambaLMPassword` rule unreachable and leave the password hashes readable by any client, anonymous ones included. To put the rule in front, give it an explicit position (`olcAccess: {0}to attrs=sambaNTPassword,...`), then confirm with an anonymous `ldapsearch -x` against a user entry that the hash attributes do not come back.
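The following Python, an added example rather than part of the page or of OpenLDAP, reads an olcAccess dump and reports which rule is the first to match each Samba password attribute and what an anonymous client gets from it; `SAMPLE_DUMP` is constructed to show the appended-after-`to * by * read` case, and `apply_fix` simulates what slapd does with a positional `{0}` add. The rule parser assumes plain access levels (`none` through `manage`) and ignores dn/filter qualifiers, so it may over-report but not under-report.

```python
"""Check that slapd's olcAccess order actually protects Samba password hashes.

Added example, not part of the page or of OpenLDAP. It reads the rules as dumped by
  ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={1}mdb,cn=config' olcAccess
and reports, per sensitive attribute, the first rule that matches it and what that
rule grants to an anonymous client. SAMPLE_DUMP is constructed: Debian's three stock
rules followed by this page's two rules appended with `add: olcAccess`.
"""
from __future__ import annotations

import re
from typing import NamedTuple

SENSITIVE = ("sambaNTPassword", "sambaLMPassword", "sambaPwdLastSet", "sambaPwdMustChange")
# slapd access levels, weakest first; anything from "read" upwards exposes the value
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

SAMPLE_DUMP = """\
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcAccess: {3}to attrs=loginShell by dn="cn=admin,dc=samba,dc=org" write by self wri
 te by * read
olcAccess: {4}to attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdM
 ustChange by dn="cn=admin,dc=samba,dc=org" write by self write by * none
"""

# The corrected modification: an explicit {0} makes slapd insert the rule first.
FIX_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by dn="cn=admin,dc=samba,dc=org" write by self write by * none
"""


class Rule(NamedTuple):
    index: int
    target: str       # the <what> clause: '*' or e.g. 'attrs=a,b' (dn/filter parts kept)
    anon_access: str  # access an anonymous client gets from this rule's <by> clauses


def unfold(dump: str) -> list[str]:
    """Join LDIF continuation lines (a leading single space) back onto their line."""
    lines: list[str] = []
    for raw in dump.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_rules(dump: str) -> list[Rule]:
    rules = []
    for line in unfold(dump):
        m = re.match(r"olcAccess: \{(\d+)\}to (.*)$", line)
        if not m:
            continue
        target, *by_clauses = m.group(2).split(" by ")
        anon = "none"  # slapd grants nothing that no <by> clause grants
        for clause in by_clauses:
            tokens = clause.split()
            while tokens[-1] in ("stop", "continue", "break"):  # control words, not access
                tokens.pop()
            who, access = " ".join(tokens[:-1]), tokens[-1]
            if access not in LEVELS:
                raise ValueError(f"unsupported access spec in rule {m.group(1)}: {access}")
            if who in ("*", "anonymous"):  # first <by> clause matching the requester wins
                anon = access
                break
        rules.append(Rule(int(m.group(1)), target.strip(), anon))
    return sorted(rules)


def covers(target: str, attr: str) -> bool:
    """Can this <what> clause match attr? dn/filter qualifiers only narrow the set of
    entries, so they are ignored (conservative: may over-report, never under-report)."""
    m = re.search(r"attrs=(\S+)", target)
    if not m:
        return True  # '*' or a dn/filter-only target covers every attribute
    return attr.lower() in {a.lower() for a in m.group(1).split(",")}


def exposed(dump: str, attrs=SENSITIVE) -> dict[str, int]:
    """Map each attribute an anonymous client can read to the index of the rule that allows it."""
    rules = parse_rules(dump)
    result = {}
    for attr in attrs:
        first = next((r for r in rules if covers(r.target, attr)), None)
        if first is not None and LEVELS.index(first.anon_access) >= LEVELS.index("read"):
            result[attr] = first.index
    return result


def apply_fix(dump: str, fix: str = FIX_LDIF) -> str:
    """Simulate a single positional `add: olcAccess` as slapd applies it: insert, renumber."""
    new_rule = next(l for l in fix.splitlines() if l.startswith("olcAccess: {"))
    pos = int(re.match(r"olcAccess: \{(\d+)\}", new_rule).group(1))
    rules = [l for l in unfold(dump) if l.startswith("olcAccess: ")]
    strip = lambda l: re.sub(r"^olcAccess: \{\d+\}", "", l)  # drop the {n} prefix
    bodies = [strip(l) for l in rules]
    bodies.insert(pos, strip(new_rule))
    return "dn: olcDatabase={1}mdb,cn=config\n" + "\n".join(
        f"olcAccess: {{{i}}}{body}" for i, body in enumerate(bodies)) + "\n"


if __name__ == "__main__":
    print("before fix:", exposed(SAMPLE_DUMP))
    print("after fix: ", exposed(apply_fix(SAMPLE_DUMP)))
```

Feed `exposed()` the real dump from your server; an empty result for the four Samba attributes is what you want, and a non-empty one names the rule index that needs to be moved behind the password rule.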

Now you need to add the OUs that smb.conf will point at to the LDAP database:

nano samba.local.ldif
dn: ou=users,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=idmap,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: idmap

dn: ou=computers,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: computers

Now add the ldif with:

cat samba.local.ldif | ldapadd -D cn=admin,dc=samba,dc=org -W -x -H ldapi:///
Enter LDAP Password: 


== Configuring smb.conf ==

You need to properly configure smb.conf before running any daemon or command.

Here are the bare minimum options to set in smb.conf. Two points are worth checking before copying it. `ldap ssl = off` means the `ldap admin dn` bind, and with it the admin password, crosses the wire in cleartext; that is acceptable only because the directory here is on localhost (`passdb backend = ldapsam` defaults to ldap://localhost). For a slapd on another host use `ldap ssl = start tls` or an ldaps:// URL. And the two idmap ranges must not overlap: the `*` entry is the fallback backend for SIDs from domains without their own entry (BUILTIN, for instance), while the SAMBA range is allocated from and stored in ou=idmap:

[global]
  workgroup = SAMBA
  domain logons = yes
  os level = 65
  time server = yes
  passdb backend = ldapsam
  ldapsam:editposix = yes
  ldapsam:trusted = yes
  ldap admin dn = cn=admin,dc=samba,dc=org
  ldap suffix = dc=samba,dc=org
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap user suffix = ou=users
  ldap ssl = off
  idmap config *: backend = tdb
  idmap config *: range = 3000-7999
  idmap config SAMBA: backend = ldap
  idmap config SAMBA: range = 10000-19999
  idmap config SAMBA: ldap_url = ldap://localhost/
  idmap config SAMBA: ldap_base_dn = ou=idmap,dc=samba,dc=org
  idmap config SAMBA: ldap_user_dn = cn=admin,dc=samba,dc=org
  ldap delete dn = yes
  ldap password sync = yes
  winbind use default domain = yes
  wins support = yes
  template shell = /bin/bash
  template homedir = /home/%U
  obey pam restrictions = yes
  logon home =
  logon path =
  dns proxy = no
  printing = bsd
  printcap name = /dev/null
  store dos attributes = yes
  map read only = no
  map archive = no
  dos filetime resolution = yes
  fake directory create times = yes
  csc policy = disable
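As an added example (not a Samba tool), the Python below parses an smb.conf `[global]` section and checks it against the rules this page states: editposix needs trusted, the domain's idmap backend must be ldap, the idmap ranges must be well-formed and disjoint, and an unencrypted bind should stay on the local host. It also encodes the range-growth rule from the quick setup further down (raise the top of a range, never its bottom). `PAGE_CONF` mirrors the configuration above; `BROKEN_CONF` is a constructed counterexample.

```python
"""Sanity-check an smb.conf for the ldapsam:editposix setup on this page.

Added example, not a Samba tool. check() reports short codes:
  passdb-not-ldapsam        passdb backend is something other than ldapsam
  editposix-without-trusted ldapsam:editposix = yes but ldapsam:trusted is not
  domain-idmap-not-ldap     the workgroup's idmap backend is not ldap
  idmap-range-malformed     a range is not 'low-high' with low < high
  idmap-range-overlap       two idmap ranges share IDs
  cleartext-ldap-to-remote  ldap ssl = off while an ldap:// URL points off-host
Both sample configs are constructed for the demonstration.
"""
from __future__ import annotations

import re
from itertools import combinations
from urllib.parse import urlsplit

PAGE_CONF = """\
[global]
  workgroup = SAMBA
  passdb backend = ldapsam
  ldapsam:editposix = yes
  ldapsam:trusted = yes
  ldap admin dn = cn=admin,dc=samba,dc=org
  ldap suffix = dc=samba,dc=org
  ldap ssl = off
  idmap config *: backend = tdb
  idmap config *: range = 3000-7999
  idmap config SAMBA: backend = ldap
  idmap config SAMBA: range = 10000-19999
  idmap config SAMBA: ldap_url = ldap://localhost/
  idmap config SAMBA: ldap_base_dn = ou=idmap,dc=samba,dc=org
"""

BROKEN_CONF = """\
[global]
  workgroup = SAMBA
  passdb backend = ldapsam:"ldap://ldap.example.org"
  ldapsam:editposix = yes
  ldap ssl = off
  idmap config *: backend = tdb
  idmap config *: range = 3000-12000
  idmap config SAMBA: backend = tdb
  idmap config SAMBA: range = 10000-19999
"""


def parse_global(text: str) -> dict[str, str]:
    """Return [global] parameters; keys lower-cased with whitespace collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)  # values such as DNs contain '=' themselves
            params[" ".join(key.lower().split())] = value.strip()
    return params


def is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def is_local_or_tls(url: str) -> bool:
    """ldapi:// sockets, ldaps:// and loopback hosts never send the bind in the clear
    across the network."""
    u = urlsplit(url.strip('"'))
    return u.scheme in ("ldapi", "ldaps") or u.hostname in ("localhost", "127.0.0.1", "::1")


def idmap_ranges(params: dict[str, str]) -> tuple[dict[str, tuple[int, int]], list[str]]:
    """Collect 'idmap config X: range' values and flag malformed or overlapping ones."""
    ranges, findings = {}, []
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (.+): range", key)
        if not m:
            continue
        r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if not r or int(r.group(1)) >= int(r.group(2)):
            findings.append("idmap-range-malformed")
            continue
        ranges[m.group(1)] = (int(r.group(1)), int(r.group(2)))
    for (_, ra), (_, rb) in combinations(ranges.items(), 2):
        if ra[0] <= rb[1] and rb[0] <= ra[1]:
            findings.append("idmap-range-overlap")
    return ranges, findings


def check(text: str) -> list[str]:
    p = parse_global(text)
    findings = []
    backend = p.get("passdb backend", "")
    if backend.split(":", 1)[0].strip() != "ldapsam":
        findings.append("passdb-not-ldapsam")
    if is_yes(p.get("ldapsam:editposix", "no")) and not is_yes(p.get("ldapsam:trusted", "no")):
        findings.append("editposix-without-trusted")
    domain = p.get("workgroup", "").lower()
    if p.get(f"idmap config {domain}: backend", "").lower() != "ldap":
        findings.append("domain-idmap-not-ldap")
    findings += idmap_ranges(p)[1]
    # URLs the ldap admin dn binds to: the ldapsam URL (default ldap://localhost)
    # plus any idmap ldap_url; Samba's own default for 'ldap ssl' is 'start tls'.
    m = re.search(r'ldapsam:"?(ldap[si]?://[^"\s]+)"?', backend)
    urls = [m.group(1) if m else "ldap://localhost"]
    urls += [v for k, v in p.items() if re.fullmatch(r"idmap config .+: ldap_url", k)]
    if p.get("ldap ssl", "start tls").lower() == "off" and not all(map(is_local_or_tls, urls)):
        findings.append("cleartext-ldap-to-remote")
    return findings


def safe_range_change(old: tuple[int, int], new: tuple[int, int]) -> bool:
    """The page's rule for growing a range in production: raise the top, never move the bottom."""
    return new[0] == old[0] and new[1] >= old[1]


if __name__ == "__main__":
    print("page config:  ", check(PAGE_CONF) or "ok")
    print("broken config:", check(BROKEN_CONF))
```

Run it against your real file with `check(open("/etc/samba/smb.conf").read())`; an empty list is the expected result for the configuration on this page.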

== A quick setup ==

Do not run any daemon until told to; use a fresh install, or wipe out any previously created tdb files before starting.

To quickly set up and test this feature, follow these steps as root:

Configure and run your ldap server, you may use the above base ldif as a starting point. Make sure the defined ldap admin works correctly.

Configure smb.conf

Add the ldap admin password (the cleartext behind the cn=admin userPassword hash) to the required Samba secrets databases; it is stored in secrets.tdb, which must stay readable by root only:

 # smbpasswd -w secret
 # net idmap set secret '*' secret
 # net idmap set secret 'SAMBA' secret

Start winbindd only.

 # /etc/init.d/winbindd start

Now provision the domain in ldap:

 # net sam provision

This should result in:

Checking for Domain Users group.
Adding the Domain Users group.
Checking for Domain Admins group.
Adding the Domain Admins group.
Check for Administrator account.
Adding the Administrator user.
Checking for Guest user.
Adding the Guest user.
Checking Guest's group.
Adding the Domain Guests group.

If the command returns "Unable to allocate a new gid to create Domain Admins group", make sure idmap is properly configured and that the idmap range is large enough to hold the predicted number of unique users and groups over the lifetime of the system. On a new system you should never get this error. If you have to enlarge the idmap range on a production system, only raise the highest value; NEVER change the lowest value.


Set a password for the newly created Administrator account, which also enables it:

 # smbpasswd Administrator
 New SMB password:
 Retype new SMB password:

Now start also nmbd and smbd:

 # /etc/init.d/nmbd start
 # /etc/init.d/smbd start

Grant yourself some privileges:

 # net rpc rights grant Administrator SeAddUsersPrivilege -U Administrator
 # net rpc rights grant Administrator SeMachineAccountPrivilege -U Administrator

== Managing your DB ==

At this point you will be able to connect from any Windows client, or use any Samba tool, to manage your users, groups and machines with the Administrator user.

There is one problem (or not, depending on your view): you cannot log into the PDC via ssh or at the console using a Samba user stored in LDAP.