Ldapsam Editposix: Difference between revisions

From SambaWiki
m (Removed category)
m (/* oops missed duplicate 'net sam provision' command)
 
(One intermediate revision by the same user not shown)

Latest revision as of 12:59, 7 May 2017

(First submitted by idra (a) samba.org)

Samba and the Editposix/Trusted Ldapsam extension

The ldapsam:editposix extension is based on the ldapsam:trusted optimization. The ldapsam:trusted optimization was developed as a performance optimization for a server that uses ldap as user and group account storage. This optimization _requires_ that all samba users and group accounts store their posix account information in the ldap tree.


The ldapsam:editposix extension was created with the aim of making it easier to configure samba for use with an ldap server, by providing means to add the posix accounts and groups on the LDAP server without needing to use external scripts.

To further help admins we introduced the net sam provision command that helps with creating the basic accounts and groups needed to make smbd run.

A running winbind daemon is required to use ldapsam:editposix EVEN ON A SAMBA PDC.

You must also use the ldap idmap backend.

Basic LDAP configuration

After the basic slapd installation you should have the following LDAP configuration:

dn: dc=samba,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: samba.org
dc: samba

dn: cn=admin,dc=samba,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9aGxQZ0g2bDF4aGJLWFIydENuV1BabXFXY3Y2TEdHUzI=

You will now need to import the samba schema into LDAP:

On Debian using the distro Samba packages, you will need to do this:

cp /usr/share/doc/samba/examples/LDAP/samba.ldif.gz /etc/ldap/schema/
gunzip /etc/ldap/schema/samba.ldif.gz
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba.ldif

Next create a file called samba_indices.ldif and add the contents as shown below:

nano /etc/ldap/schema/samba_indices.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: ou eq
olcDbIndex: mail eq
olcDbIndex: surname eq
olcDbIndex: givenname eq
olcDbIndex: loginShell eq
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
olcDbIndex: nisMapName eq
olcDbIndex: nisMapEntry eq
-
add: olcAccess
olcAccess: to attrs=loginShell by dn="cn=admin,dc=samba,dc=org" write by self write by * read
olcAccess: to attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by dn="cn=admin,dc=samba,dc=org" write by self write by * none

Now import it using the following command:

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba_indices.ldif
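One caveat worth checking before relying on the olcAccess rules above: slapd evaluates access rules in order and uses the first "to" clause that matches the attribute, and within that rule the first matching "by" clause. "add: olcAccess" without a position prefix appends the new values after whatever rules the database already has, so if an earlier rule such as a catch-all "to * by * read" exists, the rule for sambaNTPassword and sambaLMPassword is never reached and the hashes stay readable. The following added example (not code from the SambaWiki page or from the Samba project) is a simplified simulation of that evaluation order; the three "existing" rules are a constructed sample of what a fresh slapd database typically carries, and the "who" forms it understands are limited to *, anonymous, users and self.

```python
"""Simulate OpenLDAP olcAccess evaluation for the Samba password attributes.

Added example, not from the SambaWiki page: a simplified model of slapd's
access-control evaluation (first matching "to" clause wins, then the first
matching "by" clause wins) used to check whether the rules added by
samba_indices.ldif actually protect sambaNTPassword/sambaLMPassword, given
the rules already present in cn=config.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

SENSITIVE = ("sambaNTPassword", "sambaLMPassword")


class Rule:
    def __init__(self, attrs: Optional[Set[str]], clauses: List[Tuple[str, str]]):
        self.attrs = attrs        # None means "to *": matches every attribute
        self.clauses = clauses    # ordered (who, access) pairs


def parse_rule(value: str) -> Rule:
    """Parse one olcAccess value such as '{2}to attrs=x,y by self write by * none'."""
    value = re.sub(r"^\{\d+\}", "", value.strip())   # drop the ordering prefix
    what, *by_parts = re.split(r"\s+by\s+", value)
    if not what.startswith("to "):
        raise ValueError("not an access rule: %r" % value)
    attrs = None
    for tok in what[3:].split():
        if tok.startswith("attrs="):
            attrs = set(tok[len("attrs="):].split(","))
    clauses = []
    for part in by_parts:
        who, access = part.rsplit(None, 1)   # last word is the access level
        clauses.append((who, access))
    return Rule(attrs, clauses)


def access_for(rules: List[Rule], attr: str, caller: str) -> str:
    """Access that `caller` ('anonymous', or 'users' for any other authenticated
    bind) ends up with on `attr`. Simplified: 'who' forms other than '*',
    'anonymous', 'users' and 'self' are treated as not matching the caller."""
    for rule in rules:
        if rule.attrs is None or attr in rule.attrs:
            for who, access in rule.clauses:
                if who == "*" or who == caller:
                    return access
            return "none"          # "to" matched but no "by" clause did: denied
    return "none"                  # no rule matched: denied


def hash_exposure(values: List[str], caller: str = "users") -> Dict[str, str]:
    """Map each Samba password attribute to the access `caller` gets on it."""
    rules = [parse_rule(v) for v in values]
    return {attr: access_for(rules, attr, caller) for attr in SENSITIVE}


def insertion_ldif(samba_rules: List[str], start: int = 0) -> str:
    """LDIF that adds the rules at explicit positions so they precede a catch-all."""
    lines = ["dn: olcDatabase={1}mdb,cn=config", "changetype: modify", "add: olcAccess"]
    for i, rule in enumerate(samba_rules, start):
        lines.append("olcAccess: {%d}%s" % (i, rule))
    return "\n".join(lines) + "\n"


# Constructed sample of rules a fresh slapd database typically already carries
# (illustrative only; query your own server with ldapsearch to see the real ones).
EXISTING_ACLS = [
    "{0}to attrs=userPassword by self write by anonymous auth by * none",
    "{1}to attrs=shadowLastChange by self write by * read",
    "{2}to * by * read",
]
# The two rules this page's samba_indices.ldif adds.
SAMBA_ACLS = [
    'to attrs=loginShell by dn="cn=admin,dc=samba,dc=org" write by self write by * read',
    "to attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange "
    'by dn="cn=admin,dc=samba,dc=org" write by self write by * none',
]

if __name__ == "__main__":
    # Appended after the catch-all: other users can still read the hashes.
    print("appended :", hash_exposure(EXISTING_ACLS + SAMBA_ACLS))
    # Inserted ahead of it: the hashes are protected as intended.
    print("prepended:", hash_exposure(SAMBA_ACLS + EXISTING_ACLS))
    print(insertion_ldif(SAMBA_ACLS))
```

To see the rules your server actually has, read them from cn=config with the same EXTERNAL bind the page uses (ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess) and feed them to hash_exposure() ahead of the two Samba rules; if the result is anything but "none", add the Samba rules with the positional {0}/{1} prefixes that insertion_ldif() emits so that they sit before the catch-all rule.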

Now you need to add some OUs to the ldap database:

nano samba.local.ldif

dn: ou=users,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=idmap,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: idmap

dn: ou=computers,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: computers

Now add the ldif with:

cat samba.local.ldif | ldapadd -D cn=admin,dc=samba,dc=org -W -x -H ldapi:///
Enter LDAP Password: 


Configuring smb.conf

You need to configure smb.conf properly before running any daemon or command.

Here are the bare minimum options to set in smb.conf:

[global]
  workgroup = SAMBA
  domain logons = yes
  os level = 65
  time server = yes
  passdb backend = ldapsam
  ldapsam:editposix = yes
  ldapsam:trusted = yes
  ldap admin dn = cn=admin,dc=samba,dc=org
  ldap suffix = dc=samba,dc=org
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap user suffix = ou=users
  ldap ssl = off
  idmap config *: backend = tdb
  idmap config *: range = 3000-7999
  idmap config SAMBA: backend = ldap
  idmap config SAMBA: range = 10000-19999
  idmap config SAMBA: ldap_url = ldap://localhost/
  idmap config SAMBA: ldap_base_dn = ou=idmap,dc=samba,dc=org
  idmap config SAMBA: ldap_user_dn = cn=admin,dc=samba,dc=org
  ldap delete dn = yes
  ldap password sync = yes
  winbind use default domain = yes
  wins support = yes
  template shell = /bin/bash
  template homedir = /home/%U
  obey pam restrictions = yes
  logon home =
  logon path =
  dns proxy = no
  printing = bsd
  printcap name = /dev/null
  store dos attributes = yes
  map read only = no
  map archive = no
  dos filetime resolution = yes
  fake directory create times = yes
  csc policy = disable

A quick setup

Do not run any daemon until told to. Use a fresh install, or wipe out any previously created tdb files before starting.

To quickly set up and test this feature follow these steps as root:

Configure and run your ldap server; you may use the above base ldif as a starting point. Make sure the defined ldap admin works correctly.

Configure smb.conf

Add the ldap admin password to the required samba secrets databases:

 # smbpasswd -w secret
 # net idmap set secret '*' secret
 # net idmap set secret 'SAMBA' secret

Start winbindd only.

 # /etc/init.d/winbindd start

Now provision the domain in ldap:

 # net sam provision

This should result in:

Checking for Domain Users group.
Adding the Domain Users group.
Checking for Domain Admins group.
Adding the Domain Admins group.
Check for Administrator account.
Adding the Administrator user.
Checking for Guest user.
Adding the Guest user.
Checking Guest's group.
Adding the Domain Guests group.

If the command returns "Unable to allocate a new gid to create Domain Admins group", make sure idmap is properly configured and the idmap range is large enough to hold the predicted number of unique users+groups you will have over the system's lifetime. On a new system you should never get this error. If you have to increase the idmap range on a production system, just increase the highest value; NEVER change the lowest value.
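The range rules from the paragraph above (a range must be non-empty, the ranges of different idmap domains must not overlap, and a later change may only raise the upper bound) can be checked mechanically before winbindd is restarted. The following is an added example, not code from the SambaWiki page or from Samba: it parses the "idmap config <domain>: range" options out of the [global] section and applies those checks; the embedded smb.conf fragment is a constructed sample built from the ranges this page uses.

```python
"""Check idmap ranges in smb.conf (added example, not from the SambaWiki page).

Parses the [global] section, collects every "idmap config <domain>: range"
option and checks the properties this page relies on: each range is well
formed, the ranges of different domains do not overlap, and when a
configuration is changed only the upper bound of a range grows.
"""
import re
from typing import Dict, List, Tuple

Range = Tuple[int, int]
RANGE_RE = re.compile(
    r"^idmap\s+config\s+([^:]+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)$", re.I
)


def parse_idmap_ranges(smb_conf: str) -> Dict[str, Range]:
    """Return {domain: (low, high)} for every idmap range in [global]."""
    ranges: Dict[str, Range] = {}
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment styles
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global":
            continue
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).strip()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def check_ranges(ranges: Dict[str, Range]) -> List[str]:
    """Empty/reversed ranges and overlaps between domains, as problem strings."""
    problems = []
    for dom, (lo, hi) in ranges.items():
        if lo >= hi:
            problems.append("%s: range %d-%d is empty or reversed" % (dom, lo, hi))
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:        # closed intervals intersect
                problems.append("%s (%d-%d) overlaps %s (%d-%d)"
                                % (a, alo, ahi, b, blo, bhi))
    return problems


def check_range_change(old: Dict[str, Range], new: Dict[str, Range]) -> List[str]:
    """Flag edits that would invalidate IDs already allocated in the idmap tree:
    a removed domain, a moved lower bound, or a shrunk upper bound."""
    problems = []
    for dom, (olo, ohi) in old.items():
        if dom not in new:
            problems.append("%s: range removed" % dom)
            continue
        nlo, nhi = new[dom]
        if nlo != olo:
            problems.append("%s: lower bound changed %d -> %d (never change it)"
                            % (dom, olo, nlo))
        if nhi < ohi:
            problems.append("%s: upper bound shrunk %d -> %d" % (dom, ohi, nhi))
    return problems


# Constructed sample: the idmap lines of this page's minimal smb.conf.
SMB_CONF = """
[global]
  workgroup = SAMBA
  passdb backend = ldapsam
  idmap config *: backend = tdb
  idmap config *: range = 3000-7999
  idmap config SAMBA: backend = ldap
  idmap config SAMBA: range = 10000-19999
"""

if __name__ == "__main__":
    current = parse_idmap_ranges(SMB_CONF)
    print("ranges  :", current)
    print("problems:", check_ranges(current))
    # A proposed edit that moves the SAMBA lower bound is reported.
    proposed = dict(current, SAMBA=(9000, 29999))
    print("change  :", check_range_change(current, proposed))
```

Run check_range_change() with the ranges parsed from the smb.conf currently in use as "old" and the edited file as "new"; an empty list from both checks is the condition under which raising the range is safe.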


Give the newly created Administrator user a password, which also enables it.

 # smbpasswd Administrator
 New SMB password:
 Retype new SMB password:

Now also start nmbd and smbd:

 # /etc/init.d/nmbd start
 # /etc/init.d/smbd start

Grant yourself some privileges:

 # net rpc rights grant Administrator SeAddUsersPrivilege -U Administrator
 # net rpc rights grant Administrator SeMachineAccountPrivilege -U Administrator

Managing your DB

At this point you will be able to connect from any windows client or use any samba tool to manage your users, groups and machines with the Administrator user.

There is one problem (or not, depending on your view): you cannot log into the PDC via ssh or at the console etc. using a Samba user stored in ldap.