Samba TNG and Unix Accounts with LDAP

Created on: 2001/01/09
Last revised on: 2001/06/20
DST, University of Verona, Italy
Author: Mirko Manea <mami@arena.sci.univr.it>, mami
Url: http://www.mami.net/univr/tng-ldap/howto/howto.html
Url: http://arena.sci.univr.it/~mami/tng-ldap/howto/howto.html

WORK STILL IN PROGRESS... USE AT YOUR OWN RISK!!!

YOUR HELP IS WELCOME

WARNING: The LDAPv2 schemata have been changed! Please check the changelog.

Table of contents

Changelog

Tested platforms and requirements

This howto is based on Red Hat Linux 7.0 because, at the time of this writing, it is one of the most widely used Linux distributions and ships with OpenLDAP 1.2.11 (a free LDAPv2 implementation) and PAM (Pluggable Authentication Modules). It is also easy to set up standard Unix authentication against LDAP.
You need to install the latest updates. Be sure to install the following packages: openldap-servers-1.2.11-15, auth_ldap-1.4.5-1, openldap-devel-1.2.11-15, nss_ldap-122-1.7, openldap-1.2.11-15 and openldap-clients-1.2.11-15.

I think this will work on every platform where these packages run.

I tested Windows 2000 Pro clients with SP1 and Windows NT workstations. With Windows NT you need at least SP5.

How to setup OpenLDAP

Setting up the OpenLDAP server requires editing slapd.conf (usually /etc/openldap/slapd.conf). Just open it and change the suffix, rootdn, rootpw and access sections to meet your needs.

To create the crypt password used in slapd.conf you can use something like this:

$ perl -e "print crypt('passwd', join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64]);"

where passwd is your text password.

Then download unix.schema-v2 and sambatng.schema-v2 and move them to /etc/openldap/. These files contain the schema definitions for unix and sambatng accounts.

Now edit ldap.conf, which is used by the LDAP command line utilities, and change the values of BASE and HOST to match your previous settings.

Finally check that OpenLDAP starts automatically (i.e. /sbin/chkconfig ldap on) and start it (i.e. /etc/init.d/ldap start). To check that things are working you can run it in the foreground with debugging output by typing /usr/sbin/slapd -d 3.

Ldap entries for Samba TNG

Before starting to create users you need to import some basic LDAP entries which define the standard users and groups. Download and import the following files:
Replace dc=sci,dc=univr,dc=it with your suffix and then import them into your LDAP database. A quick way is:

$ cat basic-users.ldif | sed 's/dc=sci,dc=univr,dc=it/<YOUR_SUFFIX>/' | sed 's/o: univr/o: <YOUR_ORG_NAME>/' | ldapadd -W -r -D "<YOUR_ROOT_DN>"
$ cat builtin.ldif | sed 's/dc=sci,dc=univr,dc=it/<YOUR_SUFFIX>/' | ldapadd -W -r -D "<YOUR_ROOT_DN>"

The password you are prompted for is the one you chose in the previous step, i.e. the LDAP root password.

To make things easier it is useful to create an organizationalUnit into which users will be inserted. In my example it is called Students. Just download Students.ldif and then import it:

$ cat Students.ldif | sed 's/dc=sci,dc=univr,dc=it/<YOUR_SUFFIX>/' | ldapadd -W -r -D "<YOUR_ROOT_DN>"

Now you can create your users by importing an LDIF like the following (importing this will create a user manea with password manea):

dn: uid=manea,ou=Students,dc=sci,dc=univr,dc=it
objectclass: account
objectclass: posixAccount
objectclass: top
objectclass: shadowAccount
objectclass: sambaAccount
acctflags: [U          ]
userpassword: {crypt}$1$LjbaxE00$g7.4JsK6qfEalTny7XpDc/
ntpassword: A763993FC42F396664EBD053BA326D41
lmpassword: F6818657596D3B35AAD3B435B51404EE
uid: manea
uidnumber: 1002
gidnumber: 1992
cn: manea
ntuid: manea
rid: 2712
grouprid: 201
gecos: Mirko Manea
loginshell: /bin/bash
smbhome: \\arena\homes
profile: \\arena\profiles\default
homedrive: H:
script: scripts\startup.bat
homedirectory: /home/info93/manea
logontime: 00000000
logofftime: 00000000
kickofftime: 00000000
pwdlastset: 3A561FEC
pwdcanchange: 3A2CEBFF
pwdmustchange: FFFFFFFF
shadowmax: 99999
shadowwarning: 7
shadowlastchange: 11270

I wrote a simple useradd-like script: ldapuseradd.pl. Feel free to test and improve it. Be sure to grab the mkntpwd utility (source) or my binaries (Linux/i386 glibc2, Linux/PPC).

Note: "nt/lm passwords are cleartext equivalent, that means, if someone gets the hex string, he can directly connect to any nt machine and to your tng-pdc.
(This might be of interest to your local users too: they could query your ldapserver for the ntpw of Administrator... et voila...)". Elrond <elrond@samba.org>
So it is necessary to set up the access section in slapd.conf properly, so that the ntpassword and lmpassword attributes (and userpassword) cannot be read by anonymous or ordinary bound users.
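The following access section is an added example and not taken from the howto or its configuration files. It assumes the OpenLDAP 1.2 spelling attr= (2.x also accepts attrs=), that the DN given in "ldap bind as" (uid=root,dc=sci,dc=univr,dc=it in this howto) is the rootdn configured in slapd.conf, which bypasses ACLs entirely, and that Unix logins use pam_ldap (which binds as the user) rather than reading password hashes through nss_ldap:

```conf
# slapd.conf access section (added example, not the howto's own config).
# The NT/LM hex strings are password equivalents, so only the entry's
# owner may read or change them (the rootdn bypasses these rules).
# Anonymous and other bound users get no access to the three attributes.
# Rules are evaluated in order; the first "access to" that matches wins,
# so the attribute rule must come before the catch-all.
access to attr=userpassword,ntpassword,lmpassword
        by self write
        by * none

# Everything else (uid, uidnumber, homedirectory, ...) stays readable so
# that nss_ldap can resolve accounts and Samba TNG can look up users.
access to *
        by self write
        by * read
```

The "by self write" line is what lets the ldapchpasswd script described below change a password while bound as that user. On OpenLDAP 2.x a simple bind needs "auth" access to userpassword, so add "by anonymous auth" to the first rule there; on 1.2 the bind operation does not consult the ACL. If you let pam_unix read shadow data through nss_ldap instead of authenticating with pam_ldap, nss_ldap will need a privileged bind (its rootbinddn setting) because anonymous access to userpassword is denied here.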

Download and compile Samba TNG

Download Samba TNG from CVS as described at
http://www.samba-tng.org/cvs.html or get this snapshot samba-tng-20010427-patched.tar.bz2 (older and no longer in sync with this howto: samba-tng-20010112.tar.bz2). I used the following steps:

$ cd tng/source/
$ ./configure --prefix=/usr/local/tng --with-ldap --with-quotas
$ make
$ make install

If you want to use the deprecated LDAPv2 schema, configure instead with:

$ ./configure --prefix=/usr/local/tng --with-ldap --enable-old-ldap-schema --with-quotas

If you have problems getting tng to work on Red Hat Linux 7.1, use --enable-static.

Configuring Samba TNG

Configuring samba requires only a few steps. Under the tng root (/usr/local/tng) I created the following additional directories:

$ cd /usr/local/tng/
$ mkdir private
$ chmod 700 private
$ mkdir -p profiles/default
$ mkdir -p netlogon/scripts

In ./private I created a file ldappasswd containing (in clear text) the LDAP password needed to bind to the LDAP server.

In ./profiles/default I put a mandatory profile. To create a mandatory profile just rename NTUSER.DAT, which is created the first time you log in, to NTUSER.MAN. Be careful to create this profile using a template user whose grouprid is the same as that of the users who are going to use the profile. You can also use a directory name ending in .man to prevent users from logging in when the profile is not available (see Q168476).

In ./netlogon you can put your policy templates (i.e. NtConfig.pol for Windows NT and 2000).

In ./netlogon/scripts you can put your logon scripts.

Finally put smb.conf in ./lib/. The relevant section for LDAP is in [global]:

ldap suffix = "ou=Students,dc=sci,dc=univr,dc=it"
ldap bind as = "uid=root,dc=sci,dc=univr,dc=it"
ldap passwd file = /usr/local/tng/private/ldappasswd
ldap server = localhost
ldap port = 389
ldap scope = sub

How to change password

A user's LDIF entry contains three password fields (userpassword, ntpassword and lmpassword), which should be kept in sync. A user can change his/her password from the Windows 2000 applet (CTRL+ALT+DEL) or from Linux (by invoking a passwd replacement program).

Put the ldapsync.pl script into /usr/local/sbin; Samba will use it as its passwd program. Be sure that your smb.conf contains these lines:

; sync samba with unix password
unix password sync = Yes
passwd program = /usr/local/sbin/ldapsync.pl -o %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *modifying*

Please change the first lines of the script to reflect your LDAP settings. It should also be readable only by root:

$ chmod 0700 /usr/local/sbin/ldapsync.pl

ldapsync.pl contains the LDAP root password, so I wrote another small script to change the Unix password instead of using the standard password changing programs (passwd, yppasswd): ldapchpasswd. This program binds as the user requesting the password change, so only providing the right password will grant access (if you configured the ACL as above). Please change the first lines to reflect your LDAP settings.

Until someone tells me how to generate NT/LM passwords, an external utility (mkntpwd) is required by both programs. Source code can be obtained here. Binaries are available for Linux/i386 glibc2 and Linux/PPC.

How to configure Linux

Red Hat 7.0 makes configuration very easy. Once you have installed the openldap-clients and nss_ldap packages, run /usr/sbin/authconfig: select 'Use LDAP', specify your Server (for example 127.0.0.1 for localhost) and your Base DN (for example dc=sci,dc=univr,dc=it). Then click Next and check that 'Use Shadow Passwords', 'Use MD5 Passwords' and 'Use LDAP Authentication' are selected; Server and Base DN are the same as you entered before.

Red Hat 6.2 or other Unix systems using nss_ldap work too (I've tested with 122-1.6 from RH 6.2). Just add ldap after files in the passwd, shadow and group lines of /etc/nsswitch.conf. Then set the base field in /etc/ldap.conf to the proper DN (i.e. your LDAP suffix):

/etc/nsswitch.conf:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

/etc/ldap.conf:

host 127.0.0.1
base dc=sci,dc=univr,dc=it

Setting up system authentication against LDAP is important! If you do not, you must create an Administrator account in /etc/passwd; i.e. on Red Hat 6.2 type:

# adduser -u 0 -g 0 -d /dev/null -s /dev/null -c 'Administrator' -M -n Administrator

Now you should be able to log on using the users you created with ldapuseradd.pl.

How to join Windows 2000 to domain

I use this procedure, which may be buggy, but it works.

It is necessary to set a password for Administrator:

# samedit -S . -U root -c 'samuserset Administrator -p my_password'

For each machine you need an entry in /etc/passwd (note the trailing $ in the machine account name):

# groupadd -g 10000 ntmachine
# adduser -u 10001 -g 10000 -d /dev/null -s /dev/null -c 'Windows NT machine' -M -n w2k$

Now from the Windows 2000 applet join the domain, specifying Administrator as the user when prompted. After a few seconds (about 15 on my machine) the Welcome to DOMAIN window will appear.

I do not know if this is a bug, but when the w2k machine joins the domain, the machine account created in LDAP is disabled (recent CVS has fixed this). I enabled it with:

# samedit -S . -U root -c 'samuserset2 w2k$ -c D'

In recent CVS this bug has been fixed and this workaround is no longer needed.

Now you should be able to use the same user account on both Linux and Windows 2000, using the same password!

How to configure Apache with LDAP

The auth_ldap module provides a way to look up users in the LDAP database, e.g. so that users' home directories can be resolved (with ~username). Make sure you load the module with something like this:

LoadModule auth_ldap_module   modules/mod_auth_ldap.so
[...]
AddModule auth_ldap.c

Put these directives at the top of LoadModule and AddModule sections in httpd.conf.

Known bugs and TODO list

There are many things which I currently do not understand well:

Links

Just a few links to useful documents:

Credits

This document is based mainly on the work of Ignacio Coupeau (CTI, University of Navarra).
Many thanks to Elrond <elrond@samba.org> for his feedback.