Merge lp:~ahasenack/serverguide/samba-ldap-fixes into lp:serverguide/trunk

Proposed by Andreas Hasenack
Status: Merged
Approved by: Doug Smythies
Approved revision: 344
Merged at revision: 332
Proposed branch: lp:~ahasenack/serverguide/samba-ldap-fixes
Merge into: lp:serverguide/trunk
Diff against target: 347 lines (+117/-128)
1 file modified
serverguide/C/network-auth.xml (+117/-128)
To merge this branch: bzr merge lp:~ahasenack/serverguide/samba-ldap-fixes
Reviewer Review Type Date Requested Status
Doug Smythies Approve
Review via email: mp+324433@code.launchpad.net

Commit message

Update the samba-ldap.html guide to current Ubuntu Xenial.

Description of the change

Update the samba-ldap.html guide to current Ubuntu Xenial.

Many changes here:
- clarify that the commands shown assume ldap and samba are on the same server. In that way we can use the -Y EXTERNAL SASL mechanism which we use all over the place in the server guide already
- the samba schema is already shipped as an ldif file in the samba package, so we don't have to go through all the hops of converting the schema into ldif and then importing it
- call attention to netbios name and workgroup config options before running smbldap-config, because if these parameters are changed afterwards the configuration will be inconsistent and odd errors like "invalid SID" will be shown when trying to authenticate users
- quickly explain some of the smbldap-config questions
- use a better smbldap-populate command that will avoid overlapping uids/gids with local users. Without it, the moment you create your first user with smbldap-useradd, for example, he will have uid=1000, which is the same uid as the first local non-root user on any Ubuntu system.
- only restart smbd and nmbd after having set the ldap password with smbpasswd -W, or else there will be authentication errors in smbd's log
- change smbpasswd to use -W (upper case) instead of -w (lowercase) so we don't have to supply the password in the command line. This parameter probably wasn't available when this section of the guide was first written.
- call out the need to install libnss-ldap, and show how to. Without this, user authentication against this samba server won't work.
- add test commands for libnss-ldap, to make sure it's working
- add "-m" to the smbldap-useradd command so that the user's home directory is created
- switch the list of smbldap example commands from a numbered list to a bullet list, since it's not a sequence of commands that have to be run one after the other
- remove the add machine command from smb.conf since that is only used for domain controllers, which we are not configuring here

Revision history for this message
Doug Smythies (dsmythies) wrote :

O.K. great, thanks.

See line 207 below, I'm going to change that tab character to a space.

review: Approve

Preview Diff

=== modified file 'serverguide/C/network-auth.xml'
--- serverguide/C/network-auth.xml 2017-05-12 00:46:00 +0000
+++ serverguide/C/network-auth.xml 2017-05-22 19:41:33 +0000
@@ -2196,6 +2196,10 @@
2196 that can accept authentication requests. See <xref linkend="openldap-server"/> for details on fulfilling this requirement. Once this2196 that can accept authentication requests. See <xref linkend="openldap-server"/> for details on fulfilling this requirement. Once this
2197 section is completed, you will need to decide what specifically you want Samba to do for you and then configure it accordingly.2197 section is completed, you will need to decide what specifically you want Samba to do for you and then configure it accordingly.
2198 </para>2198 </para>
2199 <para>
2200 This guide will assume that the LDAP and Samba services are running on the same server and therefore use SASL EXTERNAL authentication
2201 whenever changing something under <emphasis>cn=config</emphasis>. If that is not your scenario, you will have to run those ldap
2202 commands on the LDAP server.</para>
21992203
2200 <sect2 id="samba-ldap-installation" status="review">2204 <sect2 id="samba-ldap-installation" status="review">
2201 <title>Software Installation</title>2205 <title>Software Installation</title>
@@ -2261,116 +2265,20 @@
22612265
2262 <step>2266 <step>
2263 <para>2267 <para>
2264 The schema is found in the now-installed <application>samba</application> package. It needs to be unzipped and copied to 2268 The schema is found in the now-installed <application>samba</application> package and is already in the ldif format.
2265 the <filename>/etc/ldap/schema</filename> directory:2269 We can import it with one simple command:
2266 </para>2270 </para>
2267 2271
2268<screen>2272<screen>
2269<command>sudo cp /usr/share/doc/samba/examples/LDAP/samba.schema.gz /etc/ldap/schema</command>2273<command>zcat /usr/share/doc/samba/examples/LDAP/samba.ldif.gz | sudo ldapadd -Q -Y EXTERNAL -H ldapi:///</command>
2270<command>sudo gzip -d /etc/ldap/schema/samba.schema.gz</command>
2271</screen>2274</screen>
22722275
2273 </step>2276 </step>
22742277
2275 <step>2278 <step>
2276 <para> 2279 <para>
2277 Have the configuration file <filename>schema_convert.conf</filename> that contains the following lines:2280 To query and view this new schema:
2278 </para>2281 </para>
2279
2280<programlisting>
2281include /etc/ldap/schema/core.schema
2282include /etc/ldap/schema/collective.schema
2283include /etc/ldap/schema/corba.schema
2284include /etc/ldap/schema/cosine.schema
2285include /etc/ldap/schema/duaconf.schema
2286include /etc/ldap/schema/dyngroup.schema
2287include /etc/ldap/schema/inetorgperson.schema
2288include /etc/ldap/schema/java.schema
2289include /etc/ldap/schema/misc.schema
2290include /etc/ldap/schema/nis.schema
2291include /etc/ldap/schema/openldap.schema
2292include /etc/ldap/schema/ppolicy.schema
2293include /etc/ldap/schema/ldapns.schema
2294include /etc/ldap/schema/pmi.schema
2295include /etc/ldap/schema/samba.schema
2296</programlisting>
2297
2298 </step>
2299
2300 <step>
2301 <para>
2302 Have the directory <filename>ldif_output</filename> hold output.
2303 </para>
2304 </step>
2305
2306 <step>
2307 <para>
2308 Determine the index of the schema:
2309 </para>
2310
2311<screen>
2312<command>slapcat -f schema_convert.conf -F ldif_output -n 0 | grep samba,cn=schema</command>
2313<computeroutput>
2314dn: cn={14}samba,cn=schema,cn=config
2315</computeroutput>
2316</screen>
2317
2318 </step>
2319
2320 <step>
2321 <para>
2322 Convert the schema to LDIF format:
2323 </para>
2324
2325<screen>
2326<command>slapcat -f schema_convert.conf -F ldif_output -n0 -H \
2327ldap:///cn={14}samba,cn=schema,cn=config -l cn=samba.ldif</command>
2328</screen>
2329
2330 </step>
2331
2332 <step>
2333 <para>
2334 Edit the generated <filename>cn=samba.ldif</filename> file by removing index information to arrive at:
2335 </para>
2336
2337<programlisting>
2338dn: cn=samba,cn=schema,cn=config
2339...
2340cn: samba
2341</programlisting>
2342
2343 <para>
2344 Remove the bottom lines:
2345 </para>
2346
2347<programlisting>
2348structuralObjectClass: olcSchemaConfig
2349entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
2350creatorsName: cn=config
2351createTimestamp: 20080827045234Z
2352entryCSN: 20080827045234.341425Z#000000#000#000000
2353modifiersName: cn=config
2354modifyTimestamp: 20080827045234Z
2355</programlisting>
2356
2357 <para>
2358 Your attribute values will vary.
2359 </para>
2360 </step>
2361
2362 <step>
2363 <para>
2364 Add the new schema:
2365 </para>
2366
2367<screen>
2368<command>sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\=samba.ldif</command>
2369</screen>
2370
2371 <para>
2372 To query and view this new schema:
2373 </para>
23742282
2375<screen>2283<screen>
2376<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'cn=*samba*'</command>2284<command>sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'cn=*samba*'</command>
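Review bot: The one-line import on new line 2273 drops the prerequisite list that the removed schema_convert.conf made explicit (core, cosine, nis and inetorgperson among others). The samba schema uses attribute types defined in those schemas (gidNumber and uidNumber from nis, displayName from inetorgperson), so `ldapadd` rejects samba.ldif with an undefined attribute type error if they are not already present under cn=schema,cn=config. Suggest a sentence before the command stating that the default schemas loaded by the openldap-server section must be in place, and a note that the command is not idempotent: a second run fails with "Already exists", which is harmless but confusing to a reader who re-runs the step.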
@@ -2436,9 +2344,50 @@
2436 2344
2437 <para>2345 <para>
2438 Next, configure the <application>smbldap-tools</application> package to match your environment. The package 2346 Next, configure the <application>smbldap-tools</application> package to match your environment. The package
2439 comes with a configuration helper script, smbldap-config.pl, that will ask questions.2347 comes with a configuration helper script called <application>smbldap-config</application>. Before running it,
2440 </para>2348 though, you should decide on two important configuration settings in <filename>/etc/samba/smb.conf</filename>:
24412349 </para>
2350 <itemizedlist mark='bullet'>
2351 <listitem>
2352 <para><emphasis>netbios name</emphasis>: how this server will be known. The default value is derived
2353 from the server's hostname, but truncated at 15 characters.</para>
2354 </listitem>
2355 <listitem>
2356 <para><emphasis>workgroup</emphasis>: the workgroup name for this server, or, if you later decide to make it
2357 a domain controller, this will be the domain.</para>
2358 </listitem>
2359 </itemizedlist>
2360 <para>It's important to make these choices now because <application>smbldap-config</application> will use them
2361 to generate the config that will be later stored in the LDAP directory. If you run
2362 <application>smbldap-config</application> now and later change these values in <filename>/etc/samba/smb.conf</filename>
2363 there will be an inconsistency.
2364 </para>
2365
2366 <para>Once you are happy with <emphasis>netbios name</emphasis> and <emphasis>workgroup</emphasis>, proceed to generat
2367 the <application>smbldap-tools</application> configuration by running the configuration script which will ask you
2368 some questions:
2369 </para>
2370<screen>
2371<command>sudo smbldap-config</command>
2372</screen>
2373
2374 <para>Some of the more important ones:</para>
2375 <itemizedlist>
2376 <listitem>
2377 <para><emphasis>workgroup name</emphasis>: has to match what you will configure in
2378 <filename>/etc/samba/smb.conf</filename> later on.</para>
2379 </listitem>
2380 <listitem>
2381 <para><emphasis>ldap suffix</emphasis>: has to match the ldap suffix you chose when you configured the LDAP server.</para>
2382 </listitem>
2383 <listitem>
2384 <para>other ldap suffixes: they are all relative to <emphasis>ldap suffix</emphasis> above. For example, for
2385 <emphasis>ldap user suffix</emphasis> you should use <emphasis>ou=People</emphasis>.</para>
2386 </listitem>
2387 <listitem>
2388 <para><emphasis>ldap master bind dn</emphasis> and <emphasis>bind password</emphasis>: use the rootDN credentials.</para>
2389 </listitem>
2390 </itemizedlist>
2442 <para>2391 <para>
2443 The <application>smbldap-populate</application> script will then add the LDAP objects required for Samba. It is a good idea to first2392 The <application>smbldap-populate</application> script will then add the LDAP objects required for Samba. It is a good idea to first
2444 make a backup of your DIT using <application>slapcat</application>:2393 make a backup of your DIT using <application>slapcat</application>:
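Review bot: Typo on new line 2366: "generat" should be "generate". Also, the bullet on new lines 2377-2378 says the workgroup name "has to match what you will configure in /etc/samba/smb.conf later on", which contradicts new lines 2347-2349 telling the reader to settle netbios name and workgroup in smb.conf before running smbldap-config; suggest "has to match the workgroup you set in /etc/samba/smb.conf above". Since the "ldap master bind dn" answer stores the rootDN password on disk, this step would also benefit from one sentence reminding the reader that the configuration files smbldap-config generates must stay readable by root only.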
@@ -2449,13 +2398,18 @@
2449</screen>2398</screen>
2450 2399
2451 <para>2400 <para>
2452 Once you have a backup proceed to populate your directory:2401 Once you have a backup proceed to populate your directory. It will ask you for a password for the "domain root"
2402 user, which is also the "root" user stored in LDAP:
2453 </para>2403 </para>
24542404
2455<screen>2405<screen>
2456<command>sudo smbldap-populate</command>2406<command>sudo smbldap-populate -g 10000 -u 10000 -r 10000</command>
2457</screen>2407</screen>
24582408
2409 <para>The <emphasis>-g</emphasis>, <emphasis>-u</emphasis> and <emphasis>-r</emphasis> parameters tell
2410 <application>smbldap-tools</application> where to start the numeric uid and gid allocation for the LDAP
2411 users. You should pick a range start that does not overlap with your local
2412 <emphasis>/etc/passwd</emphasis> users.</para>
2459 <para>2413 <para>
2460 You can create a LDIF file containing the new Samba objects by executing <command>sudo smbldap-populate -e samba.ldif</command>.2414 You can create a LDIF file containing the new Samba objects by executing <command>sudo smbldap-populate -e samba.ldif</command>.
2461 This allows you to look over the changes making sure everything is correct. If it is, rerun the script without the '-e'2415 This allows you to look over the changes making sure everything is correct. If it is, rerun the script without the '-e'
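Review bot: The explanation on new lines 2409-2412 describes -g, -u and -r together as the start of uid/gid allocation, but -r sets the first RID (the relative identifier appended to the domain SID), not a POSIX id. Suggest splitting the sentence: "-u and -g set the first uid and gid allocated to LDAP users and groups; -r sets the first RID used for their Samba SIDs." The advice to avoid overlapping /etc/passwd would be stronger with the reason from the commit description: without these options the first user created with smbldap-useradd gets uid 1000, the same uid as the first local non-root account.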
@@ -2476,11 +2430,13 @@
2476 <para>2430 <para>
2477 There are multiple ways to configure Samba. For details on some common configurations see <xref linkend="samba"/>. 2431 There are multiple ways to configure Samba. For details on some common configurations see <xref linkend="samba"/>.
2478 To configure Samba to use LDAP, edit its configuration file <filename>/etc/samba/smb.conf</filename> commenting out2432 To configure Samba to use LDAP, edit its configuration file <filename>/etc/samba/smb.conf</filename> commenting out
2479 the default <emphasis>passdb backend</emphasis> parameter and adding some ldap-related ones:2433 the default <emphasis>passdb backend</emphasis> parameter and adding some ldap-related ones. Make sure to use the
2434 same values you used when running <application>smbldap-populate</application>:
2480 </para>2435 </para>
24812436
2482<programlisting>2437<programlisting>
2483# passdb backend = tdbsam2438# passdb backend = tdbsam
2439 workgroup = EXAMPLE
24842440
2485# LDAP Settings2441# LDAP Settings
2486 passdb backend = ldapsam:ldap://hostname2442 passdb backend = ldapsam:ldap://hostname
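Review bot: New line 2434 tells the reader to use the same values as "when running smbldap-populate", but the workgroup is answered during smbldap-config (the "workgroup name" question documented in the earlier hunk); smbldap-populate only reads the configuration that smbldap-config wrote. Suggest "when running smbldap-config". The inserted `workgroup = EXAMPLE` line (new line 2439) also sits directly under the commented-out passdb line with no comment of its own; something like "# must match the workgroup given to smbldap-config" would make it clear that it is a separate setting and why it has to match.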
@@ -2490,37 +2446,64 @@
2490 ldap machine suffix = ou=Computers2446 ldap machine suffix = ou=Computers
2491 ldap idmap suffix = ou=Idmap2447 ldap idmap suffix = ou=Idmap
2492 ldap admin dn = cn=admin,dc=example,dc=com2448 ldap admin dn = cn=admin,dc=example,dc=com
2449 # or off if TLS/SSL is not configured
2493 ldap ssl = start tls2450 ldap ssl = start tls
2494 ldap passwd sync = yes2451 ldap passwd sync = yes
2495...
2496 add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"
2497</programlisting>2452</programlisting>
24982453
2499 <para>2454 <para>
2500 Change the values to match your environment.2455 Change the values to match your environment.
2501 </para>2456 </para>
25022457 <note>
2503 <para>2458 <para>The <filename>smb.conf</filename> as shipped by the package is quite long and has many configuration
2504 Restart <application>samba</application> to enable the new settings:2459 examples. An easy way to visualize it without any comments is to run <application>testparm -s</application>.</para>
2505 </para>2460 </note>
2506
2507<screen>
2508<command>sudo systemctl restart smbd.service nmbd.service</command>
2509</screen>
25102461
2511 <para>2462 <para>
2512 Now inform Samba about the rootDN user's password (the one set during the installation of the slapd package):2463 Now inform Samba about the rootDN user's password (the one set during the installation of the slapd package):
2513 </para>2464 </para>
25142465
2515<screen>2466<screen>
2516<command>sudo smbpasswd -w password</command>2467<command>sudo smbpasswd -W</command>
2517</screen>2468</screen>
25182469
2470 <para>
2471 As a final step to have your LDAP users be able to connect to samba and authenticate, we need these users to also show up
2472 in the system as "unix" users. One way to do this is to use <application>libnss-ldap</application>. Detailed instructions
2473 can be found in the <xref linkend="openldap-auth-config"/> section, but we only need the NSS part.
2474 </para>
2475
2476 <procedure>
2477 <step>
2478 <para>Install <application>libnss-ldap</application></para>
2479 <screen>sudo apt install libnss-ldap</screen>
2480 <para>There is no need to use the LDAP rootDN login credentials, so you can skip that step.</para>
2481 </step>
2482 <step>
2483 <para>Configure the LDAP profile for NSS:</para>
2484 <screen>sudo auth-client-config -t nss -p lac_ldap</screen>
2485 </step>
2486 <step>
2487 <para>Restart the Samba services:</para>
2488 <screen>sudo systemctl restart smbd.service nmbd.service</screen>
2489 </step>
2490 <step>
2491 <para>To quickly test the setup, see if <application>getent</application> can list the Samba groups:</para>
2492<screen>
2493<command>getent group</command>
2494<computeroutput>
2495...
2496Account Operators:*:548:
2497Print Operators:*:550:
2498Backup Operators:*:551:
2499Replicators:*:552:
2500</computeroutput>
2501</screen>
2502 </step>
2503 </procedure>
2519 <para>2504 <para>
2520 If you have existing LDAP users that you want to include in your new LDAP-backed Samba they will, of course, also need to be given2505 If you have existing LDAP users that you want to include in your new LDAP-backed Samba they will, of course, also need to be given
2521 some of the extra attributes. The <application>smbpasswd</application> utility can do this as well (your host will need to be2506 some of the extra Samba specific attributes. The <application>smbpasswd</application> utility can do this for you:
2522 able to see (enumerate) those users via NSS; install and configure either <application>libnss-ldapd</application> or
2523 <application>libnss-ldap</application>):
2524 </para>2507 </para>
25252508
2526<screen>2509<screen>
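Review bot: The new comment "# or off if TLS/SSL is not configured" (new line 2449) invites a configuration in which smbd binds as `ldap admin dn` with its password in clear text over the `ldap://hostname` URL from line 2442. Suggest qualifying it: "off" is only acceptable when the LDAP URL points at the local host, which is the scenario this guide now assumes; otherwise the admin bind password crosses the network unencrypted. Moving the smbd/nmbd restart to after `smbpasswd -W` (new lines 2487-2489) is correct, since smbd needs the ldap admin dn password stored before it can bind; one sentence saying so would explain the reordering to readers of the previous version, where the restart came first.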
@@ -2529,6 +2512,8 @@
25292512
2530 <para>2513 <para>
2531 You will prompted to enter a password. It will be considered as the new password for that user. Making it the same as before is reasonable.2514 You will prompted to enter a password. It will be considered as the new password for that user. Making it the same as before is reasonable.
2515 Note that this command cannot be used to create a new user from scratch in LDAP (unless you are using <emphasis>ldapsam:trusted</emphasis>
2516 and <emphasis>ldapsam:editposix</emphasis>, not covered in this guide).
2532 </para>2517 </para>
25332518
2534 <para>2519 <para>
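Review bot: The context line carried into this hunk (new line 2514) reads "You will prompted"; since the paragraph is being extended anyway, fix it to "You will be prompted". The added caveat about ldapsam:trusted and ldapsam:editposix is useful; consider pointing the reader to smbldap-useradd (shown in the next hunk) as the supported way to create a new LDAP user from scratch in this guide.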
@@ -2536,21 +2521,25 @@
2536 Here are some examples:2521 Here are some examples:
2537 </para> 2522 </para>
25382523
2539 <itemizedlist>2524 <itemizedlist mark='bullet'>
25402525
2541 <listitem>2526 <listitem>
2542 <para>2527 <para>
2543 To add a new user:2528 To add a new user with a home directory:
2544 </para>2529 </para>
25452530
2546<screen>2531<screen>
2547<command>sudo smbldap-useradd -a -P username</command>2532<command>sudo smbldap-useradd -a -P -m username</command>
2548</screen>2533</screen>
25492534
2550 <para>2535 <para>
2551 The <emphasis>-a</emphasis> option adds the Samba attributes, and the <emphasis>-P</emphasis> option calls the 2536 The <emphasis>-a</emphasis> option adds the Samba attributes, and the <emphasis>-P</emphasis> option calls the
2552 <application>smbldap-passwd</application> utility after the user is created allowing you to enter a password for the user.2537 <application>smbldap-passwd</application> utility after the user is created allowing you to enter a password for the user.
2538 Finally, <emphasis>-m</emphasis> creates a local home directory.
2539 Test with the <application>getent</application> command:
2553 </para>2540 </para>
2541 <screen>getent passwd username</screen>
2542 <para>If you don't get a response, then your <application>libnss-ldap</application> configuration is incorrect.</para>
2554 </listitem>2543 </listitem>
25552544
2556 <listitem>2545 <listitem>
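Review bot: Markup consistency on new line 2541: the other screens in this list wrap the command in `<command>` (see new lines 2531-2533), so it should read `<screen><command>getent passwd username</command></screen>`. The diagnostic sentence on new line 2542 would also help more if it named the first thing to check: that `getent passwd username` returns nothing means NSS cannot see the LDAP user, so the libnss-ldap step in the earlier hunk is the place to look.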
