by Adam Stokes draft 1 Purpose? This document is a rough draft intended on integrating Samba 3 with Red Hat Directory Server 7.1 (RHDS).

Transcription

1 Samba & Red Hat Directory Server Integration by Adam Stokes draft 1 Purpose? This document is a rough draft intended on integrating Samba 3 with Red Hat Directory Server 7.1 (RHDS). What will you gain from this document? By the end of this document you will have a fully working Samba PDC using RHDS as its backend for storing Domain Administrators, Users, Guests, Computers. At this time this document does not cover authentication, encryption implementations, or indexing (yet). Requirements: From the requirements below this article will assume you have installed and are familiar with RHDS (starting/stopping server/navigating/adding/deleting entries), Samba, and basic knowledge of Linux) Red Hat Enterprise Linux 4 or later Packages needed : openldap-servers (contains migration utilities used in this document) redhat-ds (the directory server) samba, samba-client, samba-common (samba server, also provides schema needed for storing samba information) schema to ldif migration script (provided in this document used to convert provided schemas to an ldif format RHDS understands) RHDS Setup: First off we need to provide RHDS with a samba schema that it understands. Now lets break down how RHDS implements extending schemas : All schema files are in ldif format and loaded during server start All schema s are located in /opt/redhat-ds/slapd- <server>/config/schema Filenames are sequential and loaded in order and 99user.ldif is always the last schema to be loaded. For this document we are going to name our schema file 61samba.ldif. As stated above we need to provide RHDS with a schema it understands which involves converting the provided /usr/share/doc/samba/ldap/samba.schema to ldif format. Luckily, there is a utility provided 3 rd party that will assist in

2 doing this : #!/usr/bin/perl -w # # Convert OpenLDAP schema files into RHDS format with pretty printing # # Mike Jackson <mj@sci.fi> 14 June 2005 # # GPL license # use strict; = <>; my $at = 0; my $oc = 0; my $at_string; my $oc_string; for (@lines) { next if (/^\s*\#/); # skip comments if ($at) { s/\n//; s/ +/ /; s/\t/ /; $at_string.= $_; if ( /\)$/ ) { $at_string; $at = 0; $at_string = ""; if ($oc) { s/ +/ /; s/\t/ /; $oc_string.= $_; if ( /^\n/ ) { $oc_string =~ s/\n//; $oc_string; $oc = 0; $oc_string = ""; $oc_string =~ s/\n//; if ( /attribute[t T]ype/ ) { $at = 1; s/\n//; s/attribute[t T]ype/attributeTypes:/; $at_string.= $_;

3 if ( /object[c C]lass/ ) { $oc = 1; s/\n//; s/object[c C]lass/objectClasses:/; $oc_string.= $_; &seperator; print "dn: cn=schema\n"; &seperator; for (@at) { s/attributetypes: \(/attributetypes: \(\n /; s/name/\n NAME/; s/equality/\n EQUALITY/; s/substring/\n SUBSTRING/; s/desc/\n DESC/; s/syntax/\n SYNTAX/; s/sup/\n SUP/; s/substr/\n SUBSTR/; s/single-value/\n SINGLE-VALUE/; s/\)$/\n )/; s/ \n/\n/g; print "$_\n"; &seperator; for (@oc) { s/objectclasses: \(/objectclasses: \(\n /; s/name/\n NAME/; s/sup/\n SUP/; s/auxiliary/\n AUXILIARY/; s/structural/\n STRUCTURAL/; s/desc/\n DESC/; s/must/\n MUST/; s/may/\n MAY/; s/\)$/\n )/; s/ \n/\n/g; print "$_\n"; &seperator; ## subs sub seperator { print "#\n"; print "#********************************************************************\n"; print "#\n";

4 For convenience I have uploaded this script to my people page Use of this script is straight forward : # perl ol-schema-migrate.pl /usr/share/doc/samba/ldap/samba.schema > /opt/redhat-ds/slapd-<server>/config/schema/61samba.ldif Once the ldif is in place restart the slapd service : # /opt/redhat-ds/slapd-<server>/restart-slapd Samba Setup: Modify /etc/samba/smb.conf to have the following values [global] workgroup = YOURWORKGROUP security = user passdb backend = ldapsam:ldap://example.com ldap admin dn = cn=directory Manager ldap suffix = dc=example,dc=com ldap user suffix = ou=people ldap machine suffix = ou=computers ldap group suffix = ou=groups log file = /var/log/%m.log socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 os level = 33 domain logons = yes domain master = yes local master = yes preferred master = yes wins support = yes logon home = \\%L\%u\profiles logon path = \\%L\profiles\%u logon drive = H: template shell = /bin/false winbind use default domain = no [netlogon] path = /var/lib/samba/netlogon read only = yes browsable = no [profiles] path = /var/lib/samba/profiles read only = no create mask = 0600 directory mask = 0700 [homes] browsable = no writable = yes

5 Test your Samba configuration for any problems : # testparm Load smb config files from /etc/samba/smb.conf Processing section "[netlogon]" Processing section "[profiles]" Processing section "[homes]" Loaded services file OK. Server role: ROLE_DOMAIN_PDC Create appropriate directories/permissions for the Samba shares defined in your configuration : # mkdir /var/lib/samba # mkdir /var/lib/samba/{netlogon,profiles # chown root:root -R /var/lib/samba # chmod 0755 /var/lib/samba/netlogon # chmod 1755 /var/lib/samba/profiles Create a password for the ldap admin dn in Samba s secret file: # smbpasswd -w password Populating RHDS with PDC Entry: At this point you should have a Samba PDC and a properly configured RHDS ready to take the appropriate Samba entires. Now we are going to provide an entry into RHDS for your PDC. First get the Samba SID for your PDC : # net getlocalsid SID for domain YOURWORKGROUP is: S (your SID will vary) Next create your Samba Domain ldif(/tmp/sambadomainname.ldif) for entry : dn: sambadomainname=yourworkgroup,dc=example,dc=com objectclass: sambadomain objectclass: sambaunixidpool objectclass: top sambadomainname: YOURWORKGROUP sambasid: S uidnumber: 550 gidnumber: 550 Populate your RHDS with the above entry : # /opt/redhat-ds/slapd-<server>/ldif2ldap "cn=directory manager" password /tmp/sambadomainname.ldif Migrating Samba groups and populating RHDS with Samba Users: This is where the openldap migration scripts are going to come in handy. Lets modify the file /usr/share/openldap/migration/migrate_common.ph to apply our default domain and base. Search for and apply the following : $NAMINGCONTEXT{'group' = "ou=groups";

6 # Default DNS domain $DEFAULT_MAIL_DOMAIN = "example.com"; # Default base $DEFAULT_BASE = "dc=example,dc=com"; # turn this on to support more general object clases # such as person. (not needed for our excerise but generally good idea # to set to 1 adam) $EXTENDED_SCHEMA = 1; Once complete we are now going to create our Samba Domain Groups. Open up a new file /tmp/sambagroups and add the following : Domain Admins:x:2512: Domain Users:x:2513: Domain Guests:2514: Domain Computers:2515: Next convert /tmp/sambagroups into an ldif to be imported into RHDS : # /usr/share/openldap/migration/migrate_group.pl /tmp/sambagroups /tmp/sambagroups.ldif # cat /tmp/sambagroups.ldif dn: cn=domain Admins,ou=Groups,dc=example,dc=com objectclass: posixgroup cn: Domain Admins userpassword: {cryptx gidnumber: 2512 dn: cn=domain Users,ou=Groups,dc=example,dc=com objectclass: posixgroup cn: Domain Users userpassword: {cryptx gidnumber: 2513 dn: cn=domain Guests,ou=Groups,dc=example,dc=com objectclass: posixgroup cn: Domain Guests userpassword: {cryptx gidnumber: 2514 dn: cn=domain Computers,ou=Groups,dc=example,dc=com objectclass: posixgroup cn: Domain Computers userpassword: {cryptx gidnumber: 2515 Now import /tmp/sambagroups.ldif into RHDS : # /opt/redhat-ds/slapd-<server>/ldif2ldap "cn=directory manager" password /tmp/sambagroups.ldif Map the Samba groups to the Linux groups : # net groupmap add rid=512 ntgroup= Domain Admins unixgroup= Domain Admins

7 # net groupmap add rid=513 ntgroup= Domain Users unixgroup= Domain Users # net groupmap add rid=514 ntgroup= Domain Guests unixgroup= Domain Guests # net groupmap add rid=515 ntgroup= Domain Computers unixgroup= Domain Computers Verify : # net groupmap list Lets create a Samba Administrator account with an RID of 500. Create a file /tmp/sambaadmin with the following : Administrator:x:0:0:Samba Admin:/root:/bin/bash Migrate /tmp/sambaadmin to the formatted ldif and import into RHDS : # /usr/share/openldap/migration/migrate_passwd.pl /tmp/sambaadmin > /tmp/sambaadmin.ldif # /opt/redhat-ds/slapd-<server>/ldif2ldap "cn=directory manager" password /tmp/sambaadmin.ldif Create a Samba Administrator account and modify the account to use the correct Samba SID : # smbpasswd -a Administrator # pdbedit -U $( net getlocalsid sed s/sid for domain YOURWORKGROUP is: // )-500 -u Administrator -r Finally start the Samba service and map an existing user entry to a Samba user : # service smb start; chkconfig smb on # smbpasswd -a testuser Compare accounts : # ldapsearch -x -Z (uid=testuser) dn: uid=testuser,ou=people,dc=gexample,dc=com uid: testuser cn: Test User SMB objectclass: account objectclass: posixaccount objectclass: shadowaccount objectclass: sambasamaccount shadowlastchange: shadowmax: shadowwarning: 7 loginshell: /bin/bash uidnumber: 500 gidnumber: 500 homedirectory: /home/testuser gecos: Test User SMB sambasid: S sambaprimarygroupsid: S displayname: Test User SMB sambapwdcanchange: sambapwdmustchange: sambalmpassword: CFA95C51F11AB11DC2265B23734E0DAC sambantpassword: B2D88A4A9B0DAEE170E75F67D54918F6 sambapasswordhistory:

8 sambapwdlastset: sambaacctflags: [U ] # pdbedit -v -u testuser Unix username: testuser NT username: testuser Account Flags: [U ] User SID: S Primary Group SID: S Full Name: Test User SMB Home Directory: \\directory\%u\profiles HomeDir Drive: H: Logon Script: Profile Path: \\directory\profiles\%u Domain: YOURWORKGROUP Account desc: Workstations: Munged dial: Logon time: 0 Logoff time: Mon, 18 Jan :14:07 GMT Kickoff time: Mon, 18 Jan :14:07 GMT Password last set: Thu, 07 Jul :40:04 GMT Password can change: Thu, 07 Jul :40:04 GMT Password must change: Mon, 18 Jan :14:07 GMT Last bad password : 0 Bad password count : 0 Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF Questions, Comments, Additions, Modifications? I would love to have additions to this article and please send me all modifications, additions you wish to see in it and I will get them up. Direct all items to either fedora-directory-users mailing list or adam.stokes@gmail.com.