Samba TNG and Unix Accounts with LDAP

Created on: 2001/01/09
Last revised on: 2001/06/20
DST, University of Verona, Italy
Author: Mirko Manea <mami@arena.sci.univr.it>, <mami@mami.net>
Url: http://www.mami.net/univr/tng-ldap/howto/howto.html
Url: http://arena.sci.univr.it/~mami/tng-ldap/howto/howto.html

WORK STILL IN PROGRESS... USE AT YOUR OWN RISK!!!

YOUR HELP IS WELCOME

WARNING: The LDAPv2 schemata have been changed! Please check the changelog.

Changelog
Tested platforms and requirements
How to setup OpenLDAP
Ldap entries for Samba TNG
Download and compile Samba TNG
Configuring Samba TNG
How to change password
How to configure Linux
How to join Windows 2000 to domain
How to configure Apache with LDAP
Known bugs and TODO list
Links
Credits

Changelog

2001/06/20: updated ldapchpasswd to handle pwdlastset and shadowlastchange attribute. This will not work on system without shadowpasswords, but who isn't using them?;
2001/06/10: Samba-tng-alpha 2.6.1 is out. Grab it instead of cvs: things are going to be broken;
2001/05/24: added a link section;
2001/05/16: time to make some statistics: since this howto has been published, it has received 13604 hits and the cvs snapshots have been downloaded 581 times. Not bad ;-)...;
2001/05/15:
- updated LDAPv2 schemata and ldif files. These are only cleaned up versions of unix.schema-v2, sambatng.schema-v2, basic-users.ldif and builtin.ldif;
- some new utilities to manage account with samba-tng and unix was developed by Christoph Lukas <christoph.lukas@gmx.net>. Grab them from http://www.pingworks.de/tech/ldaputils/;
- added features to ldapuseradd.pl;
- added some hints on how to setup minimal unix auth (nsswitch.conf);
- LDAPv3 schemata files have been available since 2001/04/17, but I have not tried them yet. They are available in tng/source/ldap/sambatng.schema-v3 and you need OpenLDAP 2.0.x;
2001/05/12: I tried to setup tng with Red Hat Linux 6.2 and everything works fine. Be sure to add an Administrator account to /etc/passwd, because with *standard* 6.2 you cannot setup unix auth against ldap;
2001/05/10: added links to mkntpwd utility;
2001/05/07: added hint on how to compile tng on redhat 7.1 (Tarjei Huse <tarjei@nu.no>);
2001/04/27: a new snapshot has been provided: samba-tng-20010427-patched.tar.bz2. This is a patched cvs, with contributions from Pierangelo Masarati <ando@sys-net.it> (passdb/ldap.c and ldap/sambatng.schema-v3) and Gavin Bravery <bravery@lucent.com> (passdb/sampassldap.c). These patches fix problems with null value with OpenLDAP v2.0, schema definition and %U with LDAP. I've replaced lib/system.c with a previous worked one too; these fixes seem to work. I hope something similar will be included in cvs;
2001/04/24:
- the old slapd.samba+unix.conf has been splitted. Now we use two files (unix.schema-v2 and sambatng.schema-v2). Moreover the schema has been changed (attribute member has become sambaMember). So you cannot use a previous ldap database and you have to create another one. There will be some migration utilities someday. This document explains how to use the old tng schema too;
2001/04/22:
- the frozen tng needs Administrator with the same privileges as root (ie uid=0, gid=0). So basic-users.ldif has been fixed;
- fixed ACL section in slapd.conf: needs to be 'by * search' not 'by * read';
- added gecos field to user.ldif;
- I removed the --with-utmp from the configure, because it is not reliable. Quotas support works well;
- added a note to say that it is important to setup system auth against LDAP. Otherwise an Administrator account must be defined in /etc/passwd;
- the schema file has been modified because of schema violation when trying to join the domain (removed cn and gidNumber from requires, and moved homeDirectory to allows in objectclass sambaAccount);
2001/04/20:
- fixed some problems with spaces: LDIF files should not have neither trailing spaces, nor multiple spaces, nor multiple blank lines between entries, nor a blank line at the end. Moreover the DN in the acl directive should not contains extra spaces and commas (ie should be "normalized" to the RFC2253 restricted DN form);
- the provided smb.conf has been cleaned up;
2001/03/30: removed trailing spaces from each line of basic-users.ldif and builtin.ldif, because LDAP queries can fail. So it is better to remove the bad entries and import these ldif files again. Thanks to Yves Benigot <ybenigot@lexbase.fr> for this hint;
2001/03/27: added a link to ldapchpasswd, a /bin/passwd replacement;
2001/03/23: added a note on how to setup mandatory profiles (Q168476);
2001/03/21: modified slapd.samba+unix.conf (added logOnTime, logOffTime, kickOffTime attributes to sambaAccount) to allow schemacheck on option in slapd.conf. Because of this I added some fields to basic-users.ldif too. Thanks to Shanker Balan <shanu@exocore.com> for this hint;
2001/03/06: added how to configure apache with ldap;
2001/02/26: Nikhil Datta <nikk@iimk.ren.nic.in> wrote some cool utilities (LDAPUtils) to manage the ldap backend;
2001/02/15: limited access to password fields in slapd.conf;
2001/01/26: a bug in ldapuseradd.pl was fixed.

Tested platforms and requirements

This howto is based on Redhat Linux 7.0 because, at the time of this writing, this is one of the wider used Linux distribution which is shipped with OpenLDAP 1.2.11 (a free LDAPv2 implementation service) and PAM (Pluggable Authentication Module). It is also easy to setup standard unix authentication against LDAP.
You need to install the latest updates. Be sure to install the following packages: openldap-servers-1.2.11-15, auth_ldap-1.4.5-1, openldap-devel-1.2.11-15, nss_ldap-122-1.7, openldap-1.2.11-15 and openldap-clients-1.2.11-15.

I think this will work on every platform where these packages run.

I tested Windows 2000 Pro clients with SP1 and Windows NT workstations. With Windows NT you need at least SP5.

How to setup OpenLDAP

Setting up OpenLDAP server requires editing slapd.conf (usually in /etc/openldap/slapd.conf). Just get it and change suffix, rootdn, rootpw and access sections to meet your needs.

To create the crypt password used in slapd.conf you can use something like this:

$ perl -e "print crypt('passwd', join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64]);"

where passwd is your text password.

Then download unix.schema-v2 and sambatng.schema-v2 and move it to /etc/openldap/. This file contains schemata's definitions for unix and sambatng accounts.

Now edit ldap.conf, which is used by the ldap command line utilities and change values of BASE and HOST to meet your previous settings.

Finally check that OpenLDAP starts automatically (ie /sbin/chkconfig ldap on) and start it (ie /etc/init.d/ldap start). To check that things are working you can invoke it by typing /usr/sbin/slapd -d 3.

Ldap entries for Samba TNG

Before starting to create users you need to import some basic ldap entries which defines standard users and groups. Download and import the following files:

basic users entries: basic-users.ldif
standard groups: builtin.ldif (or builtin.ldif.depreciated if you want to use the depreciated schema)

Replace dc=sci,dc=univr,dc=it with your suffix and then import in your LDAP database. A quick way is:

$ cat basic-users.ldif | sed 's/dc=sci,dc=univr,dc=it/<YOUR_SUFFIX>/' | sed 's/o: univr/o: <YOUR_ORG_NAME>/' | ldapadd -W -r -D "<YOUR_ROOT_DN>"
$ cat builtin.ldif | sed 's/dc=sci,dc=univr,dc=it/<YOUR_SUFFIX>/' | ldapadd -W -r -D "<YOUR_ROOT_DN>"

The password you are prompted is the one you choose in the previous step, ie the root's LDAP passwd.

To make things easier it is useful to create an organizationalUnit where users will be inserted. In my example it is called Students. Just download Students.ldif and then import:

$ cat Students.ldif | sed 's/dc=sci,dc=univr,dc=it/<YOUR_SUFFIX>/' | ldapadd -W -r -D "<YOUR_ROOT_DN>"

Now you can create your users by importing a LDIF like (importing this will create a user manea with password manea):

dn: uid=manea,ou=Students,dc=sci,dc=univr,dc=it
objectclass: account
objectclass: posixAccount
objectclass: top
objectclass: shadowAccount
objectclass: sambaAccount
acctflags: [U          ]
userpassword: {crypt}$1$LjbaxE00$g7.4JsK6qfEalTny7XpDc/
ntpassword: A763993FC42F396664EBD053BA326D41
lmpassword: F6818657596D3B35AAD3B435B51404EE
uid: manea
uidnumber: 1002
gidnumber: 1992
cn: manea
ntuid: manea
rid: 2712
grouprid: 201
gecos: Mirko Manea
loginshell: /bin/bash
smbhome: \\arena\homes
profile: \\arena\profiles\default
homedrive: H:
script: scripts\startup.bat
homedirectory: /home/info93/manea
logontime: 00000000
logofftime: 00000000
kickofftime: 00000000
pwdlastset: 3A561FEC
pwdcanchange: 3A2CEBFF
pwdmustchange: FFFFFFFF
shadowmax: 99999
shadowwarning: 7
shadowlastchange: 11270

I wrote a simple useradd-like script: ldapuseradd.pl. Feel free to test and improve it. Be sure to grab mkntpwd utility (source) or my binaries (Linux/i386 glibc2, Linux/PPC).

Note: "nt/lm passwords are cleartext equivalent, that means, if someone gets the hex string, he can directly connect to any nt machine and to your tng-pdc.
(This might be of interest to your local users too: they could query your ldapserver for the ntpw of Administrator... et voila...)". Elrond <elrond@samba.org>
So it is necessary to set up properly the access section in slapd.conf.

Download and compile Samba TNG

Download Samba TNG from the cvs as described at http://www.samba-tng.org/cvs.html or get this snapshot samba-tng-20010427-patched.tar.bz2 (older and no more in sync with this howto: samba-tng-20010112.tar.bz2). I used the following steps:

$ cd tng/source/
$ ./configure --prefix=/usr/local/tng --with-ldap --with-quotas
  (or if you want to use the depreciated LDAPv2 schema: 
  ./configure --prefix=/usr/local/tng --with-ldap --enable-old-ldap-schema --with-quotas
  )
$ make
$ make install

If you have problems making tng work with Linux Red Hat 7.1 use --enable-static.

Configuring Samba TNG

Configuring samba requires only few steps. Under tng root (/usr/local/tng) I create the following additional directories:

$ cd /usr/local/tng/
$ mkdir private
$ chmod 700 private
$ mkdir -p profiles/default
$ mkdir -p netlogon/scripts

In ./private I created a file ldappasswd with the ldap password needed to bind to LDAP server (in clear text).

In ./profiles/default I put a mandatory profile. To create a mandatory profile just rename NTUSER.DAT to NTUSER.MAN, which is created the first time you log in. Be careful to create this profile by using a template user, whose grouprid must be the same as the users that are going to use that profile. You can also use a directory ending with .man to do not allow users to login if profile is not available (see Q168476).

In ./netlogon you can put your policy templates (ie NtConfig.pol under Windows NT and 2000).

In ./netlogon/scripts you can put your logon scripts.

Finally put smb.conf in ./lib/. The relevant section for LDAP is in global:

ldap suffix = "ou=Students,dc=sci,dc=univr,dc=it"
ldap bind as = "uid=root,dc=sci,dc=univr,dc=it"
ldap passwd file = /usr/local/tng/private/ldappasswd 
ldap server = localhost 
ldap port = 389 
ldap scope = sub

How to change password

A user's ldif contains three user password's fileds, which should be kept in sync. One can change his/her password from Windows 2000 applet (with CTRL+ALT+DEL) or from Linux (by invoking a passwd replacement program).

Put this ldapsync.pl script into /usr/local/sbin which will be used as passwd program from samba. Be sure that in your smb.conf there are these lines:

; sync samba with unix password
unix password sync = Yes
passwd program = /usr/local/sbin/ldapsync.pl -o %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *modifying*

Please change the first lines to reflect your LDAP settings. It also should be readable only by root:

$ chmod 0700 /usr/local/sbin/ldapsync.pl

ldapsync.pl contains ldap root's password so I wrote another small script to change unix password instead of using standard password changing programs (passwd, yppasswd): ldapchpasswd. This program binds as the user requesting password change, so only providing the right password will grant access (if you configured acl as above). Please change the first lines to reflect your LDAP settings.

Until someone tells me how to generate nt/lm passwords, an extern utility (mkntpwd) is required to use both programs. Source code can be obtained here. Binary is available for: Linux/i386 glibc2, Linux/PPC.

How to configure Linux

RedHat 7.0 makes configuration very easy. Once you have installed openldap-clients and nss_ldap packages, you should invoke /usr/sbin/authconfig: select 'Use LDAP', specify your Server (for example 127.0.0.1 for localhost) and your Base DN (for example dc=sci,dc=univr,dc=it). Then click next and check that 'Use Shadow Passwords', 'Use MD5 Passwords' and 'Use LDAP Authentication' are selected; Server and Base DN are the same as you wrote before.

RedHat 6.2 or other unix using nss_ldap works too (I've tested with 122-1.6 from RH62). Just add ldap after files to the passwd, shadow and group fields in /etc/nsswitch.conf. Then add the proper DN to the base field in /etc/ldap.conf (ie your LDAP suffix):

/etc/nsswitch.conf:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

/etc/ldap.conf:

host 127.0.0.1
base dc=sci,dc=univr,dc=it

Setting up system auth against LDAP is important! If not you must create an Administrator account in /etc/passwd, ie in Red Hat 6.2 type:

# adduser -u 0 -g 0 -d /dev/null -s /dev/null -c 'Administrator' -M -n Administrator

Now your should be able to logon using users you created with ldapuseradd.pl.

How to join Windows 2000 to domain

I use this procedure, which maybe it is buggy, but it works.

It is necessary to set a password to Administrator:

# samedit -S . -U root -c 'samuserset Administrator -p my_password'

For each machine you need an entry in /etc/passwd:

# groupadd -g 10000 ntmachine
# adduser -u 10001 -g 10000 -d /dev/null -s /dev/null -c 'Windows NT machine' -M -n w2k$

Now from the windows 2000 applet join the domain specifying Administrator as user when prompted. After few seconds (it takes about 15 secs on my machine) the Welcome to DOMAIN window will appear.

I do not know if this is a bug, but when the w2k machine joins the domain, the account created on LDAP is disabled (recent cvs have fixed this). I enabled it with:

# samedit -S . -U root -c 'samuserset2 w2k$ -c D'

In recent cvs this bug has been fixed and this workaroud is no longer needed.

Now you should be able to use the same user account on both Linux and Windows 2000, using the same password!

How to configure Apache with LDAP

The auth_ldap module provides a way to obtain users from LDAP database, ie you can resolve user's home directories (with ~username). Make sure you load the module with something like this:

LoadModule auth_ldap_module   modules/mod_auth_ldap.so
[...]
AddModule auth_ldap.c

Put these directives at the top of LoadModule and AddModule sections in httpd.conf.

Known bugs and TODO list

There are many things which I currenly do not understand well:

Q: How to generate rids and gids ?
A: "rids in NT are like UIDs in Unix. If you have the same rid as another user, you have the same access rights as that user. (at least, you can access his files on nt)." Elrond <elrond@samba.org>.
Q: What is the right meaning/format of logontime, logofftime, kickofftime, pwdlastset, pwdcanchange, pwdmustchange, shadowmax, shadowwarning, shadowlastchange ?
Q: What is the problem of not autoincrementing rid (in uid=root,dc=...) ?
A: "If you create a user from samba, samba will use the rid from that entry to generate the next rid. If that rid already exists, you will have two users with the same rid. Bad. So the best way to generate rids is to get the next one from this entry and incrementing this entry." Elrond <elrond@samba.org>.
So ldapuseradd.pl must increment the rid entry: todo.

Credits

This document is based mainly on the work of Ignacio Coupeau (CTI, University of Navarra).
Many thanks to Elrond <elrond@samba.org> for his feedback.