Ubuntu Server Guide

Merge lp:~ahasenack/serverguide/samba-ldap-fixes into lp:serverguide/trunk

  1. samba-ldap-fixes
  2. Merge into trunk
Proposed by Andreas Hasenack
Status: Merged
Approved by: Doug Smythies
Approved revision: 344
Merged at revision: 332
Proposed branch: lp:~ahasenack/serverguide/samba-ldap-fixes
Merge into: lp:serverguide/trunk
Diff against target: 347 lines (+117/-128)
1 file modified
serverguide/C/network-auth.xml (+117/-128)
To merge this branch: bzr merge lp:~ahasenack/serverguide/samba-ldap-fixes
Reviewer Review Type Date Requested Status
Doug Smythies Approve
Review via email: mp+324433@code.launchpad.net

Commit message

Update the samba-ldap.html guide to current Ubuntu Xenial.

Description of the change

Update the samba-ldap.html guide to current Ubuntu Xenial.

Many changes here:
- clarify the shown commands assume ldap and samba are on the same server. In that way we can use the -Y EXTERNAL SASL mechanism which we use all over the place in the server guide already
- the samba schema is already shipped as an ldif file in the samba package, so we don't have to go through all the hops of converting the schema into ldif and then importing it
- call attention to netbios name and workgroup config options before running smbldap-config, because if these parameters are changed afterwards the configuration will be inconsistent and odd errors like "invalid SID" will be shown when trying to authenticate users
- quickly explain some of the smbldap-config questions
- use a better smbldap-populate command that will avoid overlapping uids/gids with local users. Without it, the moment you create your first user with smbldap-useradd, for example, he will have uid=1000 which is the same uid of the first local non-root user in any ubuntu system.
- only restart smbd and nmbd after having set the ldap password with smbpasswd -W, or else there will be authentication errors in smbd's log
- change smbpasswd to use -W (upper case) instead of -w (lowercase) so we don't have to supply the password in the command line. This parameter probably wasn't available when this section of the guide was first written.
- call out the need to install libnss-ldap, and show how to. Without this, user authentication against this samba server won't work.
- added test commands for libnss-ldap, to make sure it's working
- add "-m" to the smbldap-useradd command so that the user's home directory is created
- switched the list of smbldap example commands from a numbered list to a bullet list, since it's not a sequence of commands that have to be run one after the other
- removed the add machine command from smb.conf since that is only used for domain controllers, which we are not configuring here

To post a comment you must log in.
Revision history for this message
Doug Smythies (dsmythies) wrote :

O.K. great, thanks.

See line 207 below, I'm going to change that tab character to a space.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'serverguide/C/network-auth.xml'
2--- serverguide/C/network-auth.xml 2017-05-12 00:46:00 +0000
3+++ serverguide/C/network-auth.xml 2017-05-22 19:41:33 +0000
4@@ -2196,6 +2196,10 @@
5 that can accept authentication requests. See <xref linkend="openldap-server"/> for details on fulfilling this requirement. Once this
6 section is completed, you will need to decide what specifically you want Samba to do for you and then configure it accordingly.
7 </para>
8+ <para>
9+ This guide will assume that the LDAP and Samba services are running on the same server and therefore use SASL EXTERNAL authentication
10+ whenever changing something under <emphasis>cn=config</emphasis>. If that is not your scenario, you will have to run those ldap
11+ commands on the LDAP server.</para>
12
13 <sect2 id="samba-ldap-installation" status="review">
14 <title>Software Installation</title>
15@@ -2261,116 +2265,20 @@
16
17 <step>
18 <para>
19- The schema is found in the now-installed <application>samba</application> package. It needs to be unzipped and copied to
20- the <filename>/etc/ldap/schema</filename> directory:
21+ The schema is found in the now-installed <application>samba</application> package and is already in the ldif format.
22+ We can import it with one simple command:
23 </para>
24
25 <screen>
26-<command>sudo cp /usr/share/doc/samba/examples/LDAP/samba.schema.gz /etc/ldap/schema</command>
27-<command>sudo gzip -d /etc/ldap/schema/samba.schema.gz</command>
28+<command>zcat /usr/share/doc/samba/examples/LDAP/samba.ldif.gz | sudo ldapadd -Q -Y EXTERNAL -H ldapi:///</command>
29 </screen>
30
31 </step>
32
33 <step>
34- <para>
35- Have the configuration file <filename>schema_convert.conf</filename> that contains the following lines:
36- </para>
37-
38-<programlisting>
39-include /etc/ldap/schema/core.schema
40-include /etc/ldap/schema/collective.schema
41-include /etc/ldap/schema/corba.schema
42-include /etc/ldap/schema/cosine.schema
43-include /etc/ldap/schema/duaconf.schema
44-include /etc/ldap/schema/dyngroup.schema
45-include /etc/ldap/schema/inetorgperson.schema
46-include /etc/ldap/schema/java.schema
47-include /etc/ldap/schema/misc.schema
48-include /etc/ldap/schema/nis.schema
49-include /etc/ldap/schema/openldap.schema
50-include /etc/ldap/schema/ppolicy.schema
51-include /etc/ldap/schema/ldapns.schema
52-include /etc/ldap/schema/pmi.schema
53-include /etc/ldap/schema/samba.schema
54-</programlisting>
55-
56- </step>
57-
58- <step>
59- <para>
60- Have the directory <filename>ldif_output</filename> hold output.
61- </para>
62- </step>
63-
64- <step>
65- <para>
66- Determine the index of the schema:
67- </para>
68-
69-<screen>
70-<command>slapcat -f schema_convert.conf -F ldif_output -n 0 | grep samba,cn=schema</command>
71-<computeroutput>
72-dn: cn={14}samba,cn=schema,cn=config
73-</computeroutput>
74-</screen>
75-
76- </step>
77-
78- <step>
79- <para>
80- Convert the schema to LDIF format:
81- </para>
82-
83-<screen>
84-<command>slapcat -f schema_convert.conf -F ldif_output -n0 -H \
85-ldap:///cn={14}samba,cn=schema,cn=config -l cn=samba.ldif</command>
86-</screen>
87-
88- </step>
89-
90- <step>
91- <para>
92- Edit the generated <filename>cn=samba.ldif</filename> file by removing index information to arrive at:
93- </para>
94-
95-<programlisting>
96-dn: cn=samba,cn=schema,cn=config
97-...
98-cn: samba
99-</programlisting>
100-
101- <para>
102- Remove the bottom lines:
103- </para>
104-
105-<programlisting>
106-structuralObjectClass: olcSchemaConfig
107-entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
108-creatorsName: cn=config
109-createTimestamp: 20080827045234Z
110-entryCSN: 20080827045234.341425Z#000000#000#000000
111-modifiersName: cn=config
112-modifyTimestamp: 20080827045234Z
113-</programlisting>
114-
115- <para>
116- Your attribute values will vary.
117- </para>
118- </step>
119-
120- <step>
121- <para>
122- Add the new schema:
123- </para>
124-
125-<screen>
126-<command>sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\=samba.ldif</command>
127-</screen>
128-
129- <para>
130- To query and view this new schema:
131- </para>
132+ <para>
133+ To query and view this new schema:
134+ </para>
135
136 <screen>
137 <command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'cn=*samba*'</command>
138@@ -2436,9 +2344,50 @@
139
140 <para>
141 Next, configure the <application>smbldap-tools</application> package to match your environment. The package
142- comes with a configuration helper script, smbldap-config.pl, that will ask questions.
143- </para>
144-
145+ comes with a configuration helper script called <application>smbldap-config</application>. Before running it,
146+ though, you should decide on two important configuration settings in <filename>/etc/samba/smb.conf</filename>:
147+ </para>
148+ <itemizedlist mark='bullet'>
149+ <listitem>
150+ <para><emphasis>netbios name</emphasis>: how this server will be known. The default value is derived
151+ from the server's hostname, but truncated at 15 characters.</para>
152+ </listitem>
153+ <listitem>
154+ <para><emphasis>workgroup</emphasis>: the workgroup name for this server, or, if you later decide to make it
155+ a domain controller, this will be the domain.</para>
156+ </listitem>
157+ </itemizedlist>
158+ <para>It's important to make these choices now because <application>smbldap-config</application> will use them
159+ to generate the config that will be later stored in the LDAP directory. If you run
160+ <application>smbldap-config</application> now and later change these values in <filename>/etc/samba/smb.conf</filename>
161+ there will be an inconsistency.
162+ </para>
163+
164+ <para>Once you are happy with <emphasis>netbios name</emphasis> and <emphasis>workgroup</emphasis>, proceed to generat
165+ the <application>smbldap-tools</application> configuration by running the configuration script which will ask you
166+ some questions:
167+ </para>
168+<screen>
169+<command>sudo smbldap-config</command>
170+</screen>
171+
172+ <para>Some of the more important ones:</para>
173+ <itemizedlist>
174+ <listitem>
175+ <para><emphasis>workgroup name</emphasis>: has to match what you will configure in
176+ <filename>/etc/samba/smb.conf</filename> later on.</para>
177+ </listitem>
178+ <listitem>
179+ <para><emphasis>ldap suffix</emphasis>: has to match the ldap suffix you chose when you configured the LDAP server.</para>
180+ </listitem>
181+ <listitem>
182+ <para>other ldap suffixes: they are all relative to <emphasis>ldap suffix</emphasis> above. For example, for
183+ <emphasis>ldap user suffix</emphasis> you should use <emphasis>ou=People</emphasis>.</para>
184+ </listitem>
185+ <listitem>
186+ <para><emphasis>ldap master bind dn</emphasis> and <emphasis>bind password</emphasis>: use the rootDN credentials.</para>
187+ </listitem>
188+ </itemizedlist>
189 <para>
190 The <application>smbldap-populate</application> script will then add the LDAP objects required for Samba. It is a good idea to first
191 make a backup of your DIT using <application>slapcat</application>:
192@@ -2449,13 +2398,18 @@
193 </screen>
194
195 <para>
196- Once you have a backup proceed to populate your directory:
197+ Once you have a backup proceed to populate your directory. It will ask you for a password for the "domain root"
198+ user, which is also the "root" user stored in LDAP:
199 </para>
200
201 <screen>
202-<command>sudo smbldap-populate</command>
203+<command>sudo smbldap-populate -g 10000 -u 10000 -r 10000</command>
204 </screen>
205
206+ <para>The <emphasis>-g</emphasis>, <emphasis>-u</emphasis> and <emphasis>-r</emphasis> parameters tell
207+ <application>smbldap-tools</application> where to start the numeric uid and gid allocation for the LDAP
208+ users. You should pick a range start that does not overlap with your local
209+ <emphasis>/etc/passwd</emphasis> users.</para>
210 <para>
211 You can create a LDIF file containing the new Samba objects by executing <command>sudo smbldap-populate -e samba.ldif</command>.
212 This allows you to look over the changes making sure everything is correct. If it is, rerun the script without the '-e'
213@@ -2476,11 +2430,13 @@
214 <para>
215 There are multiple ways to configure Samba. For details on some common configurations see <xref linkend="samba"/>.
216 To configure Samba to use LDAP, edit its configuration file <filename>/etc/samba/smb.conf</filename> commenting out
217- the default <emphasis>passdb backend</emphasis> parameter and adding some ldap-related ones:
218+ the default <emphasis>passdb backend</emphasis> parameter and adding some ldap-related ones. Make sure to use the
219+ same values you used when running <application>smbldap-populate</application>:
220 </para>
221
222 <programlisting>
223-# passdb backend = tdbsam
224+# passdb backend = tdbsam
225+ workgroup = EXAMPLE
226
227 # LDAP Settings
228 passdb backend = ldapsam:ldap://hostname
229@@ -2490,37 +2446,64 @@
230 ldap machine suffix = ou=Computers
231 ldap idmap suffix = ou=Idmap
232 ldap admin dn = cn=admin,dc=example,dc=com
233+ # or off if TLS/SSL is not configured
234 ldap ssl = start tls
235 ldap passwd sync = yes
236-...
237- add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"
238 </programlisting>
239
240 <para>
241 Change the values to match your environment.
242 </para>
243-
244- <para>
245- Restart <application>samba</application> to enable the new settings:
246- </para>
247-
248-<screen>
249-<command>sudo systemctl restart smbd.service nmbd.service</command>
250-</screen>
251+ <note>
252+ <para>The <filename>smb.conf</filename> as shipped by the package is quite long and has many configuration
253+ examples. An easy way to visualize it without any comments is to run <application>testparm -s</application>.</para>
254+ </note>
255
256 <para>
257 Now inform Samba about the rootDN user's password (the one set during the installation of the slapd package):
258 </para>
259
260 <screen>
261-<command>sudo smbpasswd -w password</command>
262-</screen>
263-
264+<command>sudo smbpasswd -W</command>
265+</screen>
266+
267+ <para>
268+ As a final step to have your LDAP users be able to connect to samba and authenticate, we need these users to also show up
269+ in the system as "unix" users. One way to do this is to use <application>libnss-ldap</application>. Detailed instructions
270+ can be found in the <xref linkend="openldap-auth-config"/> section, but we only need the NSS part.
271+ </para>
272+
273+ <procedure>
274+ <step>
275+ <para>Install <application>libnss-ldap</application></para>
276+ <screen>sudo apt install libnss-ldap</screen>
277+ <para>There is no need to use the LDAP rootDN login credentials, so you can skip that step.</para>
278+ </step>
279+ <step>
280+ <para>Configure the LDAP profile for NSS:</para>
281+ <screen>sudo auth-client-config -t nss -p lac_ldap</screen>
282+ </step>
283+ <step>
284+ <para>Restart the Samba services:</para>
285+ <screen>sudo systemctl restart smbd.service nmbd.service</screen>
286+ </step>
287+ <step>
288+ <para>To quickly test the setup, see if <application>getent</application> can list the Samba groups:</para>
289+<screen>
290+<command>getent group</command>
291+<computeroutput>
292+...
293+Account Operators:*:548:
294+Print Operators:*:550:
295+Backup Operators:*:551:
296+Replicators:*:552:
297+</computeroutput>
298+</screen>
299+ </step>
300+ </procedure>
301 <para>
302 If you have existing LDAP users that you want to include in your new LDAP-backed Samba they will, of course, also need to be given
303- some of the extra attributes. The <application>smbpasswd</application> utility can do this as well (your host will need to be
304- able to see (enumerate) those users via NSS; install and configure either <application>libnss-ldapd</application> or
305- <application>libnss-ldap</application>):
306+ some of the extra Samba specific attributes. The <application>smbpasswd</application> utility can do this for you:
307 </para>
308
309 <screen>
310@@ -2529,6 +2512,8 @@
311
312 <para>
313 You will prompted to enter a password. It will be considered as the new password for that user. Making it the same as before is reasonable.
314+ Note that this command cannot be used to create a new user from scratch in LDAP (unless you are using <emphasis>ldapsam:trusted</emphasis>
315+ and <emphasis>ldapsam:editposix</emphasis>, not covered in this guide).
316 </para>
317
318 <para>
319@@ -2536,21 +2521,25 @@
320 Here are some examples:
321 </para>
322
323- <itemizedlist>
324+ <itemizedlist mark='bullet'>
325
326 <listitem>
327 <para>
328- To add a new user:
329+ To add a new user with a home directory:
330 </para>
331
332 <screen>
333-<command>sudo smbldap-useradd -a -P username</command>
334+<command>sudo smbldap-useradd -a -P -m username</command>
335 </screen>
336
337 <para>
338 The <emphasis>-a</emphasis> option adds the Samba attributes, and the <emphasis>-P</emphasis> option calls the
339 <application>smbldap-passwd</application> utility after the user is created allowing you to enter a password for the user.
340+ Finally, <emphasis>-m</emphasis> creates a local home directory.
341+ Test with the <application>getent</application> command:
342 </para>
343+ <screen>getent passwd username</screen>
344+ <para>If you don't get a response, then your <application>libnss-ldap</application> configuration is incorrect.</para>
345 </listitem>
346
347 <listitem>

Subscribers

People subscribed via source and target branches