Purpose: This guide is meant to be just that, a guide. It is not the authority on the subject, but rather it should give you some idea of how to mold this for your own setup.
NOTE: I did not enable TLS/SSL and I probably won't for my own purposes.
NOTE 2: This is not a setup guide for a Directory Server. (You can see here for more on that)
Without further ado here is the down and dirty.
On a CentOS box you need to have samba.schema and ol-schema-migrate.pl in order to continue. I believe this is provided by the samba-doc package. If you are doing this on Ubuntu you need to install the sudo-ldap package to get the required files.
The following are for a CentOS Directory Server:
Code:
cp /usr/share/doc/samba*/examples/LDAP/samba.schema.gz .
cp /usr/share/doc/samba*/examples/LDAP/ol-schema-migrate.pl.gz .
gunzip samba.schema.gz
gunzip ol-schema-migrate.pl.gz
perl ol-schema-migrate.pl -b samba.schema > /etc/dirsrv/slapd-<server>/schema/61samba.ldif
/etc/init.d/dirsrv restart
This puts the samba schema into place for the Directory server to understand.
Both the client and the server need to have the following information:
/etc/ldap.conf
Code:
uri ldap://ds.stratus.local
ldap_version 3
pam_password md5
host 127.0.0.1
base dc=stratus,dc=local
binddn cn=Directory Manager
bindpw password
port 389
NOTE: the host value will change. 127.0.0.1 is correct on the directory server itself; when placing this file on the client (if the samba server is on a different machine), change it to point at the directory server.
The next lines are placed in /etc/openldap/ldap.conf on CentOS and /etc/ldap/ldap.conf on Ubuntu
Code:
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
URI ldap://ds.stratus.local/
BASE dc=stratus,dc=local
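Because the /etc/ldap.conf above carries the bind password of cn=Directory Manager, it is worth checking the file before copying it around. The script below is an added example, not part of the original post: it reads the "key value" layout shown above from a path passed as an argument, reports a missing base or server, a bind password left in a group/other-readable file, the guide's placeholder password, and a plain ldap:// URI to a remote host (over which the bind password travels unencrypted). The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a pam_ldap/nss_ldap
# style /etc/ldap.conf before copying it to the samba server. Assumes the
# "key value" layout shown above; the path is passed as an argument so the
# check can be run against a copy. Function names are this example's own.

# ldapconf_get FILE KEY : print the first value for KEY (keys are
# case-insensitive in ldap.conf), or nothing if it is absent.
ldapconf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# uri_host URI : the host part of ldap://host[:port][/], or empty.
uri_host() {
    h="${1#*://}"; h="${h%%/*}"; h="${h%%:*}"
    printf '%s\n' "$h"
}

# owner_only FILE : true when group and other have no permission bits.
# "ls -ld" prints e.g. "-rw------- 1 root root ..."; columns 5-10 are the
# group/other bits on both GNU and BSD ls.
owner_only() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_ldap_conf FILE : exit 0 when no problem is found, 1 otherwise;
# each finding is printed on its own line.
check_ldap_conf() {
    f="$1"; rc=0
    base=$(ldapconf_get "$f" base)
    bindpw=$(ldapconf_get "$f" bindpw)
    uri=$(ldapconf_get "$f" uri)
    host=$(ldapconf_get "$f" host)

    [ -n "$base" ] || { echo "MISSING: base"; rc=1; }
    [ -n "$uri" ] || [ -n "$host" ] || { echo "MISSING: uri or host"; rc=1; }

    # The bind password here is for cn=Directory Manager, the directory's root
    # account; if the file is world-readable every local user can read it.
    if [ -n "$bindpw" ] && ! owner_only "$f"; then
        echo "INSECURE: bindpw set but $f is readable by group/other"; rc=1
    fi
    if [ "$bindpw" = "password" ]; then
        echo "INSECURE: bindpw is still the guide's placeholder value"; rc=1
    fi

    # Plain ldap:// to a remote directory sends that password unencrypted.
    case "$uri" in
        ldap://*)
            case "$(uri_host "$uri")" in
                127.0.0.1|localhost|"") ;;
                *) echo "WARN: bindpw crosses the network in clear text over $uri"; rc=1 ;;
            esac ;;
    esac
    return $rc
}
```

Run it as `check_ldap_conf /etc/ldap.conf` on both the server and the client copy; against the file exactly as shown above (mode 644, `bindpw password`, `uri ldap://ds.stratus.local`) it reports three findings, and it returns 0 once the file is mode 600, carries a real password and uses ldaps:// or a local URI.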
On the samba server (In my case it was a Linux Mint machine) you need to install the following packages:
Code:
apt-get install samba samba-doc libnss-ldap ldap-utils libpam-ldap libpam-smbpass smbldap-tools build-essential
!!!IMPORTANT!!! As of the time of writing (Apr 2013), there is an open bug which affects Mint 13/Ubuntu 12.04: the binary package is missing the smbldap-config file.
We installed smbldap-tools from the repo above only to pull in its dependencies. To work around the bug we now remove that package and install smbldap-tools from source.
Code:
apt-get remove smbldap-tools
apt-get source smbldap-tools
This requires some leg work until the bug is fixed. Change into the directory where the source package exists and run
Code:
./configure
After the configure completes, open up the Makefile and ensure that smbldap-config.pl is under the PERL_CMD_SOURCES stanza. Run
Code:
make
Now look in the Makefile.in for the same line. Add it if it is missing and then run
Code:
make install
You should see a line scroll by that says
Code:
smbldap-config.cmd
Now you are ready to edit your smb.conf file. It should look something like this
Code:
[global]
workgroup = STRATUS.LOCAL
security = domain
passdb backend = ldapsam:ldap://ds.stratus.local
ldap admin dn = cn=Directory Manager
ldap suffix = dc=stratus,dc=local
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap ssl = off
log file = /var/log/%m.log
unix password sync = yes
pam password change = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 33
domain logons = yes
template shell = /bin/false
[Videos]
browsable = no
writable = yes
path = /home/test/Videos
force user = test
valid users = stratus
guest ok = no
available = yes
After that run
Code:
smbldap-config
And follow the prompts. The only thing you should need to change is the master and slave bind password. If you don't have a slave, that's fine, just re-input the master.
Next you need to add "ldap" (in the case of Ubuntu) or "sss" (in the case of CentOS) to /etc/nsswitch.conf. It should look something like this:
Code:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Next run the following command to tell samba what your bind user (ldap administrator) password is
Code:
smbpasswd -w <password>
To allow password changes to sync with samba you need to edit /etc/pam.d/common-password and remove the word use_authtok from the pam_ldap.so line. Your common-password should look something like this:
Code:
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_smbpass.so nullok use_authtok use_first_pass
password optional pam_gnome_keyring.so
# end of pam-auth-update config
Now edit /etc/pam.d/samba and add the following line: @include common-password. The file should now look something like this:
Code:
@include common-auth
@include common-account
@include common-session-noninteractive
@include common-password
Finally you need to populate LDAP with the samba information
Code:
smbldap-populate
That's it, you did it! You should now have a working Samba share which is using your LDAP passwords for access.
Final NOTE: you may have to first create your users with the exact same password as your LDAP password
Code:
smbpasswd -a <username>
This is a one-time creation that is not necessary going forward.
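The smb.conf, nsswitch.conf and PAM edits above are easy to get subtly wrong, so here is an added example (not part of the original post) that verifies them the way a reviewer would: a small smb.conf parser that tolerates the whitespace and comments samba accepts, a check that passwd/group/shadow consult "ldap" (Ubuntu) or "sss" (CentOS), and a check that use_authtok is gone from the pam_ldap.so line and that /etc/pam.d/samba includes common-password. It also warns about the one setting the guide leaves weak, `ldap ssl = off` against a remote directory, since samba then binds as the ldap admin dn in clear text. File paths are passed as arguments so the checks can run against copies; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: verify the three files the guide
# edits on the samba server (smb.conf, nsswitch.conf and the PAM stack). Paths
# are passed as arguments so the checks can run against copies; the layouts
# are the ones shown above and the function names are this example's own.

# smbconf_get FILE SECTION KEY : value of KEY in [SECTION] of an smb.conf-style
# file, ignoring comments and whitespace around names and '=' (as testparm does).
smbconf_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next }
        sec == want && index($0, "=") {
            p = index($0, "=")
            k = substr($0, 1, p - 1); v = substr($0, p + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_smb_conf FILE : settings the ldapsam backend needs, plus a warning for
# the one the guide leaves weak (ldap ssl = off against a remote directory).
check_smb_conf() {
    f="$1"; rc=0
    backend=$(smbconf_get "$f" global "passdb backend")
    case "$backend" in
        ldapsam:*) ;;
        *) echo "BAD: passdb backend is '$backend', expected ldapsam:<uri>"; rc=1 ;;
    esac
    for k in "ldap suffix" "ldap admin dn"; do
        [ -n "$(smbconf_get "$f" global "$k")" ] || { echo "MISSING: $k"; rc=1; }
    done
    ssl=$(smbconf_get "$f" global "ldap ssl")
    case "$backend" in
        ldapsam:ldaps://*|ldapsam:ldap://127.0.0.1*|ldapsam:ldap://localhost*) ;;
        ldapsam:*)
            if [ "$ssl" = "off" ]; then
                echo "WARN: ldap ssl = off with $backend: samba binds as the ldap admin dn in clear text"; rc=1
            fi ;;
    esac
    return $rc
}

# check_nsswitch FILE SOURCE : passwd, group and shadow must list SOURCE
# ("ldap" on Ubuntu, "sss" on CentOS) so LDAP accounts resolve locally.
check_nsswitch() {
    f="$1"; src="$2"; rc=0
    for db in passwd group shadow; do
        line=$(awk -v db="$db:" '$1 == db { $1 = ""; print; exit }' "$f")
        case " $line " in
            *" $src "*) ;;
            *) echo "MISSING: $db does not list $src"; rc=1 ;;
        esac
    done
    return $rc
}

# check_pam COMMON_PASSWORD SAMBA_PAM : pam_ldap.so must no longer carry
# use_authtok (the word the guide removes), and /etc/pam.d/samba must include
# common-password so that smbpasswd changes reach LDAP as well.
check_pam() {
    cpw="$1"; smb="$2"; rc=0
    if grep -E '^[[:space:]]*password.*pam_ldap\.so.*use_authtok' "$cpw" >/dev/null; then
        echo "BAD: pam_ldap.so line still has use_authtok"; rc=1
    fi
    if ! grep -E '^[[:space:]]*@include[[:space:]]+common-password' "$smb" >/dev/null; then
        echo "MISSING: @include common-password"; rc=1
    fi
    return $rc
}
```

Typical use on the samba server is `check_smb_conf /etc/samba/smb.conf; check_nsswitch /etc/nsswitch.conf ldap; check_pam /etc/pam.d/common-password /etc/pam.d/samba`. With the smb.conf exactly as shown above, the only finding is the WARN about `ldap ssl = off`; the nsswitch and PAM files shown above pass.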