Accueil

Installing Samba with OpenLDAP on Ubuntu

Mon, 06/18/2007 - 23:06 — Dallas Vogels

The following guide describes how to install Samba with OpenLDAP support on an Ubuntu server. This guide assumes that OpenLDAP is already installed and is running on the same server as the Samba installation. The Samba installation is an extension of the Installing Secure LDAP (OpenLDAP with SSL) on Ubuntu using a Self-signed Certificate HOWTO.

See Also:

Index:

System Used

  • Ubuntu 6.10 (server install)
  • Samba 3.0.22
  • OpenLDAP 2.2.26

Install Samba and Related Tools

Run the following from the command line:

sudo apt-get install slapd ldap-utils libnss-ldap libpam-ldap samba smbldap-tools smbclient samba-doc

Configure OpenLDAP for Samba Authentication

Add a localhost OpenLDAP to /etc/default/slapd:

SLAPD_SERVICES="ldaps://HOSTNAMEHERE/ ldap://localhost"
Replace HOSTNAMEHERE with your appropriate hostname.

Copy the samba.schema to be used in the LDAP server:

cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
gzip -d /etc/ldap/schema/samba.schema.gz

Update /etc/ldap/slapd.conf to include the following schemas:

include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/misc.schema
The misc.schema allows for using LDAP email lookups in email clients.

Add indexes to optimize Samba access (optional):

index uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
Ensure that the indexes appear after the first backend directive.

Allow users to change their passwords by updating the line:

access to attribute=userPassword

to:

access to attrs=userPassword,sambaNTPassword,sambaLMPassword

Restart the OpenLDAP server:

/etc/init.d/slapd restart

Configure smbldap-tools

Copy necessary files for configuration:

cd /usr/share/doc/smbldap-tools/examples/
cp smbldap_bind.conf /etc/smbldap-tools/
cp smbldap.conf.gz /etc/smbldap-tools/
gzip -d /etc/smbldap-tools/smbldap.conf.gz

Determine your SID:

net getlocalsid
Use the SID that is generated in the following step.

Edit the following parameters in the smbldap.conf file:

SID="YOUR_SID_HERE"
slaveLDAP="127.0.0.1"
masterLDAP="127.0.0.1"
ldapTLS="0"
mailDomain="yourdomain.com"
suffix="dc=YOURDOMAIN,dc=COM"
Set the YOUR_SID_HERE to the value generated in the previous step. mailDomain should be set to the email domain you wish to use for LDAP lookups in email clients. Set the suffix parameter to your LDAD settings.

Set the authentication paramters in the smbldap_bind.conf file:

slaveDN="cn=admin,dc=YOURDOMAIN,dc=COM"
slavePw="YOURPASSWORDHERE"
masterDN="cn=admin,dc=YOURDOMAIN,dc=COM"
masterPw="YOURPASSORDHERE"
Be sure to set the slaveDN and masterDN to your LDAP server parameters. YOURPASSHERE needs to be set to the LDAP admin user's password.

Set the approprite file permissions:

chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf

Populate the OpenLDAP server:

smbldap-populate -u 30000 -g 30000
You will be prompted for the root username and password. This is the root user that will be inserted into the LDAP server.

The -u flag sets the first user uidNumber to allocate. The -g flag sets the first group gidNumber to allocate. Set these to appropriate values as you see fit.

For more options to set in smbldap-populate run:

smbldap-populate -?

Configure Samba

Edit /etc/samba/smb.conf and change:

passdb backend = tdbsam guest

to:

passdb backend = ldapsam:ldap://localhost/

All directives listed below must be placed in the [globals] section of /etc/samba/smb.conf.

Add the following:

obey pam restrictions = no

ldap admin dn = cn=admin,dc=HOSTNAME,dc=HERE
ldap suffix = dc=HOSTNAME, dc=HERE
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
Replace HOSTNAMEHERE with your LDAP server.

Allow passwd sync with smbldap-passwd:

; Do ldap passwd sync
ldap passwd sync = Yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*

To administer user and groups from Windows add:

add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

Enable domain logins by adding the following to the [globals] section:

domain logons = yes

Restart Samba and set the smbldap admin password:

/etc/init.d/samba restart
smbpasswd -w ADMIN_PASSWORD
Replace ADMIN_PASSWORD with your LDAP server admin password.

Configure NSS to work with LDAP

Update /etc/libnss-ldap.conf and set the following values:

WARNING: As of Ubuntu 7.10 the /etc/libnss-ldap.conf file is obsolete and is replaced by the PAM and NSS global /etc/ldap.conf file (thanks loeppel!). For 7.10 update the /etc/ldap.conf file with the same settings as listed in the /etc/libnss-ldap.conf below.

base dc=YOURDOMAIN,dc=HERE
uri ldaps://YOURLDAPSERVER
ldap_version 3
During the initial install of libnss-ldap.conf you will be prompted with questions
that will set the directives as listed above. This may work for you. However I have found that sometimes the file
does not get updated and rely on updating the configuration file directly.

Update /etc/nsswitch.conf as follows:

passwd: files ldap
group: files ldap
shadow: files ldap



WARNING: There is a serious bug with Ubuntu 6.10 when rebooting. The boot process will hang on boot with the following message:

udevd[374]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server

To solve the nss_ldap: could not connect to any LDAP server as (null) issue create a group called nvram:

sudo addgroup nvram
See Troubleshooting (refer to "When rebooting the server the boot stalled") for more details about this issue.

Troubleshooting

Could not authenticate on the Samba server when accessing a share

When attempting to access a Samba share from a Windows/Mac/Linux workstation I was denied access. Repeated attempts with a user/pass combination I knew should work did not work.

When I turned on degugging in the /etc/ldap/slapd.conf file I found the following error message:

bdb_db_init: Initializing BDB database
slapd starting
conn=0 fd=10 ACCEPT from IP=127.0.0.1:45936 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="" method=128
conn=0 op=0 RESULT tag=97 err=49 text=
conn=0 op=1 UNBIND
conn=0 fd=10 closed

I had placed the Samba ldap parameters (see the Configure Samba section) at the end of the configuration file. The solution was to move the confuration directives into the [global] section of /etc/samba/smb.conf and restart Samba.

When rebooting the server the boot stalled

After updating /etc/nsswitch.conf (see Configure NSS to work with LDAP) rebooting the server stalled with the following message:

udevd[]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
udevd[]: nss_ldap: failed to bind to LDAP server ldaps://LDAPSERVER.HERE: Can't contact LDAP server
udevd[]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
udevd[]: nss_ldap: failed to bind to LDAP server ldaps://LDAPSERVER.HERE: Can't contact LDAP server
udevd[]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
udevd[]: nss_ldap: failed to bind to LDAP server ldaps://LDAPSERVER.HERE: Can't contact LDAP server
udevd[]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)

The sleep interval is doubled each time (4,8,16,32,64 seconds) and takes a very long time to boot up.

A bug report can be found here.

The issue and proposed solution is as follows:

The problem is caused by the usage of the non existing group 'nvram' 
in /etc/udev/rules.d/40-permissions.rules: KERNEL=="nvram", GROUP="nvram"

When udev starts, is looks up 'nvram'. While 'nvram' could not be found 
in /etc/group NSS tries to connect the ldap server. As result the boot sequence stops.

To fix this problem is very easy: Add the local group 'nvram' to /etc/groups

Type in the following:

sudo addgroup nvram

Restarting BIND fails

If you are running BIND on the same computer as you are running Samba you may run into an issue when restarting/starting the BIND service. This may be an issue when rebooting however I have not tested that yet.

When restarting the BIND server (/etc/init.d/bind9 restart) the service stalls on start. Determined that the /etc/nsswitch.conf ldap settings were the point of failure. Restoring the nsswitch.conf setting back to using files temporarily fixed the issue.

This is a temporary solution. See TODO for notes.

Could not authenticate to the domain on WinXP

The following error occured validating the name "DOMAINHERE":

This condition may be caused by a DNS lookup problem. For information about troubleshooting common DNS lookup problems, please see the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=5171

The specified domain either does not exist or could not be contacted.

The Samba log (/var/log/samba/log.nmdb) gave the error message:

Unable to find the Domain Master Browser name DOMAINHERE<1b> for the workgroup DOMAINHERE.
Unable to sync browse lists in this workgroup.

The resolution is to set the domain logons to yes in the /etc/samba/smb.conf configuration file. Be sure to place the following directive in the [global] section of /etc/samba/smb.conf:

domain logons = yes

Cannot join domain (Windows XP)

When attempting to join a domain from a Windows XP computer the following error is displayed:

The following error occurred attempting to join the domain "DOMAINHERE":

The user name could not be found.

The computer log file generated by Samba (/var/log/samba/log.COMPUTERNAME) gave the error message:

Error: modifications require authentication at /usr/share/perl5/smbldap_tools.pm line 1056.
[2007/04/19 11:06:46, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2415)
_samr_create_user: Running the command /usr/sbin/smbldap-useradd -w "COMPUTERNAME$"' gave 127
Replace COMPUTERNAME with the NetBIOS name on your Windows computer.
WARNING: This issue has not been fixed. Use the smbldap-adduser command to add computers to the domain.

Refer here for more details.

Adding Users, Groups, and Users to Groups

Refer to the Useful Commands section below.

Useful Commands

While debugging the Samba installation I found the following commands useful for testing purposes.

Client Commands

net use * /DELETE

Deletes local connections; useful for testing multiple users.

Server Commands

net status sessions

Useful for showing sessions on the server. You can see what/who/where the connection is originating from.

For adding users, groups, and adding users to groups the following commands create the necessary entries in the openLDAP
server.

Adding users:

sudo smbldap-useradd -a -m -M george.zappa -c "George Zappa" gzappa
  • -a allows Windows as well as Linux login
  • -m makes a home directory, leave this off if you do not need local access
  • -M sets up the username part of their email address
  • -c specifies their full name

To update/set a users password:

sudo smbldap-passwd gzappa

Creating a group:

sudo smbldap-groupadd SOME_GROUP

To add a user to a group:

smbldap-usermod -G SOME_GROUP gzappa
Replace SOME_GROUP with an existing group. Note that this command will overwrite any existing group designations.

TODO

  • Update the guide to allow for seperation of the Samba installation from the OpenLDAP installation so that each service can run on seperate servers
  • Create guide for linking email clients to look up emails from the LDAP server (aka misc.schema)
  • Set up TLS in smbldap-tools
  • Provide guide(s) for administrating LDAP server via phpldapdmin or other GUI
  • Test layout in Internet Explorer 6/7
  • Find underlying issue for stall on restarting of BIND server
  • Find fix for adding computers to domains

Resources

Version History

  • 0.8 - November 23rd, 2007:
    - added notice regarding Ubuntu 7.10 global /etc/ldap.conf change
  • 0.7 - June 18th, 2007:
    - added domain login directives to smb.conf configuration
    - added clarrification to BIND restart issue
    - fixed some minor spelling and layout issues
  • 0.6 - June 11th, 2007:
    - Added smbldap commands for creating and editing users and groups
  • 0.5 - June 10th, 2007:
    - Added useful commands section for Samba testing and debugging
  • 0.4 - May 6th, 2007:
    - Added "Could not authenticate to the domain on WinXP" and "Cannot join domain (Windows XP)" to Troubleshooting section
  • 0.3 - May 2nd, 2007:
    - Implemented and tested nvram group fix for LDAP server boot
  • 0.2 - May 1st, 2007:
    - Added BIND restart/start issue
  • 0.1 - April 22nd, 2007:
    - Initial Release

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
Wed, 02/02/2011 - 21:31 — Zippie97 (not verified)

thanks...

thanks, that helped me a lot!
regards,
chantal

Mon, 05/25/2009 - 09:43 — Anonymous (not verified)

I want to thank dvogels for

I want to thank dvogels for making this guide that's just work. I think you should have included roaming profile and home share settings in your guide though. I'm guessing it's all related to the same issue.

Fri, 10/10/2008 - 22:10 — Brennan Wheeler (not verified)

Why use OpenLDAP and Samba?

Hi,
So I know a few things about technology and I have found a few tutorials about setting up opensource domain controllers, a part of which is configuring OpenLDAP and Samba to work together. My question is this: why are you configuring them to work together? I thought LDAP was supposed to hold user and group information (permissions, etc...) but it seems that this tutorial (and others) are saying let Samba hold that information. So what exactly is OpenLDAP's role after that rather than being a very thin part of the application that is essentially the "doorway" to authentication? Why can't OpenLDAP just holds the user/group information and not use SAMBA?

THANKS!!!

-Brennan Wheeler

Post new comment

The content of this field is kept private and will not be shown publicly.
By submitting this form, you accept the Mollom privacy policy.