Difference between revisions of "Ldapsam Editposix"

m (Removed category)
m (/* update to work with Samba4)

Revision as of 12:51, 7 May 2017

(First submitted by idra (a) samba.org)

Samba and the Editposix/Trusted Ldapsam extension

The ldapsam:editposix extension is based on the ldapsam:trusted optimization. The ldapsam:trusted optimization was developed as a performance optimization for a server that uses ldap as user and group account storage. This optimization _requires_ that all samba users and group accounts store their posix account information in the ldap tree.


The ldapsam:editposix extension was created with the aim of making it easier to configure samba for use with an ldap server, by providing means to add the posix accounts and groups on the LDAP server without needing to use external scripts.

To further help admins we introduced the net sam provision command, which helps with creating the basic accounts and groups needed to make smbd run.

A running winbind daemon is required to use ldapsam:editposix EVEN ON A SAMBA PDC.

You must also use the ldap idmap backend.

Basic LDAP configuration

After the basic slapd installation you should have the following LDAP configuration:

dn: dc=samba,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: samba.org
dc: samba

dn: cn=admin,dc=samba,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9aGxQZ0g2bDF4aGJLWFIydENuV1BabXFXY3Y2TEdHUzI=

You will now need to import the samba schema into LDAP:

On Debian, using the distro Samba packages, you will need to do this:

cp /usr/share/doc/samba/examples/LDAP/samba.ldif.gz /etc/ldap/schema/
gunzip /etc/ldap/schema/samba.ldif.gz
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba.ldif

Next create a file called samba_indices.ldif and add the contents as shown below:

nano /etc/ldap/schema/samba_indices.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: ou eq
olcDbIndex: mail eq
olcDbIndex: surname eq
olcDbIndex: givenname eq
olcDbIndex: loginShell eq
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
olcDbIndex: nisMapName eq
olcDbIndex: nisMapEntry eq
-
add: olcAccess
olcAccess: to attrs=loginShell by dn="cn=admin,dc=samba,dc=org" write by self write by * read
olcAccess: to attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by dn="cn=admin,dc=samba,dc=org" write by self write by * none

Now import it using the following command:

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba_indices.ldif
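As an added illustration (not part of the original page), here is a small Python evaluator of the two olcAccess rules above, reduced to the first-matching 'to' / 'by' semantics slapd uses. It shows that anonymous binds and other users get no access to the Samba password hashes, that each user can still update their own, and that only the admin DN and the entry itself can write; the bind and entry DNs used in the checks are constructed.

```python
import re

# Constructed copy of the two olcAccess rules the page adds in samba_indices.ldif.
OLC_ACCESS = [
    'to attrs=loginShell by dn="cn=admin,dc=samba,dc=org" write by self write by * read',
    'to attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange '
    'by dn="cn=admin,dc=samba,dc=org" write by self write by * none',
]

# slapd access levels, lowest to highest; a grant of one level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

RULE_RE = re.compile(r'^to attrs=(?P<attrs>\S+)\s+(?P<by>.*)$')
BY_RE = re.compile(r'by\s+(?:dn="(?P<dn>[^"]+)"|(?P<who>self|\*))\s+(?P<level>\w+)')


def parse_rules(lines):
    """Parse 'to attrs=... by <who> <level> ...' rules into (attrs, [(who, level)]) tuples."""
    rules = []
    for line in lines:
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported olcAccess form: %s" % line)
        attrs = set(m.group("attrs").split(","))
        clauses = [(c.group("dn") or c.group("who"), c.group("level"))
                   for c in BY_RE.finditer(m.group("by"))]
        rules.append((attrs, clauses))
    return rules


def access_level(rules, attr, bind_dn, entry_dn):
    """Simplified slapd evaluation: the first 'to' clause covering the attribute
    decides, and within it the first matching 'by' clause wins.  An empty bind_dn
    models an anonymous bind.  Attributes no rule mentions get 'none' here, a
    simplification of slapd's implicit deny once access directives exist."""
    for attrs, clauses in rules:
        if attr not in attrs:
            continue
        for who, level in clauses:
            if who == "*" or (who == "self" and bind_dn == entry_dn) or who == bind_dn:
                return level
        return "none"  # 'to' matched but no 'by' clause did: implicit deny
    return "none"


def allowed(rules, wanted, attr, bind_dn, entry_dn):
    """True if the granted level is at least 'wanted' (e.g. 'read' or 'write')."""
    return LEVELS.index(access_level(rules, attr, bind_dn, entry_dn)) >= LEVELS.index(wanted)
```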

Now you need to add some OUs to the ldap database:

nano samba.local.ldif

dn: ou=users,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=idmap,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: idmap

dn: ou=computers,dc=samba,dc=org
objectClass: top
objectClass: organizationalUnit
ou: computers

Now add the ldif with:

cat samba.local.ldif | ldapadd -D cn=admin,dc=samba,dc=org -W -x -H ldapi:///
Enter LDAP Password: 


Configuring smb.conf

You need to properly configure smb.conf before running any daemon or command.

Here are the bare minimum options to set in smb.conf:

[global]
  workgroup = SAMBA
  domain logons = yes
  os level = 65
  time server = yes
  passdb backend = ldapsam
  ldapsam:editposix = yes
  ldapsam:trusted = yes
  ldap admin dn = cn=admin,dc=samba,dc=org
  ldap suffix = dc=samba,dc=org
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap user suffix = ou=users
  ldap ssl = off
  idmap config *: backend = tdb
  idmap config *: range = 3000-7999
  idmap config SAMBA: backend = ldap
  idmap config SAMBA: range = 10000-19999
  idmap config SAMBA: ldap_url = ldap://localhost/
  idmap config SAMBA: ldap_base_dn = ou=idmap,dc=samba,dc=org
  idmap config SAMBA: ldap_user_dn = cn=admin,dc=samba,dc=org
  ldap delete dn = yes
  ldap password sync = yes
  winbind use default domain = yes
  wins support = yes
  template shell = /bin/bash
  template homedir = /home/%U
  obey pam restrictions = yes
  logon home =
  logon path =
  dns proxy = no
  printing = bsd
  printcap name = /dev/null
  store dos attributes = yes
  map read only = no
  map archive = no
  dos filetime resolution = yes
  fake directory create times = yes
  csc policy = disable
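Added example, not from the Samba wiki: a Python check over the [global] section above that verifies the prerequisites this page states (an ldapsam passdb backend, editposix together with trusted, an ldap idmap backend for the domain, an ldap admin dn, and non-overlapping idmap ranges) and encodes the rule from the quick-setup section below that an idmap range in production may only ever grow at its highest value. The embedded smb.conf excerpt is a constructed subset of the page's configuration.

```python
# Constructed excerpt of the page's smb.conf, limited to the keys the checks inspect.
SMB_CONF = """
[global]
  workgroup = SAMBA
  passdb backend = ldapsam
  ldapsam:editposix = yes
  ldapsam:trusted = yes
  ldap admin dn = cn=admin,dc=samba,dc=org
  idmap config *: backend = tdb
  idmap config *: range = 3000-7999
  idmap config SAMBA: backend = ldap
  idmap config SAMBA: range = 10000-19999
"""

def load_global(text):
    """Minimal smb.conf reader: keys are case-insensitive and split at the first '='."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf

def parse_range(value):
    """'low-high' -> (low, high) as integers."""
    return tuple(int(x) for x in value.split("-"))

def editposix_problems(conf):
    """List the prerequisites stated on this page that the configuration violates."""
    problems, dom = [], conf.get("workgroup", "").lower()
    if not conf.get("passdb backend", "").startswith("ldapsam"):
        problems.append("passdb backend must be ldapsam")
    if conf.get("ldapsam:editposix") == "yes" and conf.get("ldapsam:trusted") != "yes":
        problems.append("ldapsam:editposix builds on ldapsam:trusted; set ldapsam:trusted = yes")
    if conf.get("idmap config %s: backend" % dom) != "ldap":
        problems.append("the domain idmap backend must be ldap")
    if not conf.get("ldap admin dn"):
        problems.append("ldap admin dn is required so winbindd and smbd can write the tree")
    keys = ("idmap config *: range", "idmap config %s: range" % dom)
    if all(k in conf for k in keys):
        (a_lo, a_hi), (b_lo, b_hi) = (parse_range(conf[k]) for k in keys)
        if a_lo <= b_hi and b_lo <= a_hi:  # Samba requires non-overlapping idmap ranges
            problems.append("the '*' and domain idmap ranges overlap")
    return problems

def range_change_allowed(old, new):
    """Only the highest value of an idmap range may grow; the lowest must never change."""
    (old_lo, old_hi), (new_lo, new_hi) = parse_range(old), parse_range(new)
    return new_lo == old_lo and new_hi >= old_hi
```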

A quick setup

Do not run any daemon until told to; use a fresh install, or wipe out any previously created tdb files before starting.

To quickly set up and test this feature follow these steps as root:

Configure and run your ldap server; you may use the above base ldif as a starting point. Make sure the defined ldap admin works correctly.

Configure smb.conf

Add the ldap admin password to the required samba secrets databases:

 # smbpasswd -w secret
 # net idmap set secret '*' secret
 # net idmap set secret 'SAMBA' secret

Start winbindd only.

 # /etc/init.d/winbindd start

Provision the tree:

 # net sam provision

Should the command return "Unable to allocate a new gid to create Domain Admins group", make sure idmap is properly configured and that the idmap range is large enough to hold the predicted number of unique users and groups your system will have over its lifetime. On a new system you should never run into this error; if you have to increase the idmap range on a production system, only increase the highest value, NEVER change the lowest value.

A successful run of net sam provision should result in:

Checking for Domain Users group.
Adding the Domain Users group.
Checking for Domain Admins group.
Adding the Domain Admins group.
Check for Administrator account.
Adding the Administrator user.
Checking for Guest user.
Adding the Guest user.
Checking Guest's group.
Adding the Domain Guests group.

Give the newly created Administrator user a password; this also enables the account.

 # smbpasswd Administrator
 New SMB password:
 Retype new SMB password:

Now also start nmbd and smbd:

 # /etc/init.d/nmbd start
 # /etc/init.d/smbd start

Grant yourself some privileges:

 # net rpc rights grant Administrator SeAddUsersPrivilege -U Administrator
 # net rpc rights grant Administrator SeMachineAccountPrivilege -U Administrator

Managing your DB

At this point you will be able to connect from any windows client, or use any samba tool, to manage your users, groups and machines with the Administrator user. There is one problem (or not, depending on your view): you cannot log in via ssh, at the console, etc. using a Samba user stored in ldap.