
Integrating Samba into OpenLDAP 2.x


I never quite finished this document; use it as a source of ideas, but do not expect everything to work once the steps listed here have been carried out.
To integrate the Samba server into LDAP there is no way around fetching the current sources from http://samba.org and recompiling. I used version 3.0.0beta for this purpose. If a Samba installation already exists on the system, it must be removed thoroughly to rule out later confusion about which files are actually in use. Naturally, the data it contains should be backed up first as far as necessary. In the following I assume that the downloaded tar.bz2 archive of Samba has been placed as "samba.tar.bz2" under "/usr/src". The necessary steps are then:
# cd /usr/src
# tar -xjf samba.tar.bz2
# cd samba/source
# ./configure --with-ldapsam && make && make install
# cp /usr/src/samba/packaging/Debian/debian/samba.init /etc/init.d/samba
# chmod a+x /etc/init.d/samba
# cp /usr/src/samba/examples/LDAP/samba.schema /etc/ldap/schema
The schema file "samba.schema" must be included in "/etc/ldap/slapd.conf" via "include samba.schema", see the file excerpt below. The init file copied in the third-to-last command of course depends on the distribution in use and should be chosen accordingly. The Samba server is now installed under "/usr/local/samba"; unlike the "normal" installation, the configuration file smb.conf is not located under "/etc" but under "/usr/local/samba/lib/smb.conf". Since "/etc/init.d/samba" contains the paths of a version that was not compiled from source, these still have to be adjusted: every "/usr/sbin" must be changed to "/usr/local/samba/sbin" and every "/var/run/samba" to "/usr/local/samba/var/locks".
Since the system also has to be told about the changed authentication, the use of the LDAP server must be enabled in /etc/nsswitch.conf. To do this, change the corresponding lines to the following (service names are separated by blanks):
passwd: files ldap
shadow: files ldap
group:  files ldap
Since the name service switch also needs the corresponding module for LDAP support, and the one for PAM authentication is still missing as well, these still have to be installed with
# apt-get install libnss-ldap libpam-ldap
Both modules prompt for various settings; apart from the distinguished names, the defaults can usually be accepted.


Now slapd and samba can be started and an (empty) basic configuration should be available. To add entries, the commands ldapadd and/or slapadd exist depending on the installation. The Debian standard installation only has slapadd, so I only go into that one here. First the LDAP database should be filled with an initialisation LDIF; an example file is given as a listing further below. Assuming that LDIF files are usually kept under "/etc/ldap/ldif", the following command integrates this file into the database (slapadd writes to the database files directly, so slapd should be stopped while it runs):
# slapadd -l /etc/ldap/ldif/initial.ldif
If the database is to be recreated completely from "initial.ldif" fairly often (during the "testing and tinkering phase"), the following small script saves some typing:
/etc/ldap/ldif/machneu
#!/bin/bash
# Wipe the LDAP database and initialise it again from scratch ...
#
/etc/init.d/slapd stop
rm -r /var/lib/ldap/*
# slapadd writes the database files directly, so it has to run while slapd is stopped
slapadd -f /etc/ldap/slapd.conf -l /etc/ldap/ldif/initial.ldif
/etc/init.d/slapd start
Caution: when copying LDIF scripts from Windows to Linux, depending on the configuration the Windows-typical control character 0Dh (carriage return) may be included; this causes errors when inserting into the LDAP database!

Important OpenLDAP and Samba files

/etc/ldap/slapd.conf
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

# Schema check allows for forcing entries to
# match the schemas for their objectClasses
schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd.args

# Where to store the replica logs
replogfile      /var/lib/ldap/replog

# Read slapd.conf(5) for possible values
loglevel        0

#######################################################################
# ldbm database definitions
#######################################################################

# The backend type, ldbm, is the default standard
database        ldbm
cachesize 500
dbcachesize 50000

# The base of your directory
suffix          "dc=proteino,dc=local"
rootdn          "cn=admin,dc=proteino,dc=local"
# stored in cleartext here; slappasswd generates a {SSHA} hash that can be used instead
rootpw          secret

# Where the database files are physically stored
directory       "/var/lib/ldap"

# Indexing options
index objectClass eq

# Save the time that the entry gets modified
lastmod on

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below (@ADMIN@ in the Debian template
# stands for the rootdn configured above)
access to attribute=userPassword
        by dn="cn=admin,dc=proteino,dc=local" write
        by anonymous auth
        by self write
        by * none

# The admin dn has full write access
access to *
        by dn="cn=admin,dc=proteino,dc=local" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
access to dn=".*,ou=Roaming,o=morsnet"
        by dn="cn=admin,dc=proteino,dc=local" write
        by dnattr=owner write
/etc/ldap/ldap.conf
# The ldap.conf is nice and empty by default ...
#
# ... and now we fill 'er up ...
#
# /etc/ldap.conf

# PAM plugin configuration
# created by Roland Huber
# in 2002.01

# Host address of the LDAP server - here localhost
host 127.0.0.1

# Base of the LDAP server
base dc=proteino,dc=local

# On login only objects with the objectClass posixAccount are
# considered, and the user name is looked up in the uid attribute.
pam_filter objectclass=posixAccount
pam_login_attribute uid

# Where the login data lives: the containers from initial.ldif
# below the base above, searched one level deep (?one)
nss_base_passwd o=auth_user,dc=proteino,dc=local?one
nss_base_shadow o=auth_user,dc=proteino,dc=local?one
nss_base_group o=auth_group,dc=proteino,dc=local?one

# No SSL-encrypted connection
ssl no
/usr/local/samba/lib/smb.conf
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
# $Id: smb.conf,v 1.2.4.6 2002/03/13 18:56:16 peloy Exp $
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#

#======================= Global Settings =======================

[global]

# Change this for the workgroup/NT-domain name your Samba server will be part of
   workgroup = samba
   netbios name = SambaServer
   encrypt passwords = yes
   domain logons = yes
   domain master = yes

# server string is the equivalent of the NT Description field
   server string = %h server (Samba %v)

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
;   load printers = yes

# You may wish to override the location of the printcap file
;   printcap name = /etc/printcap

# 'printing = cups' works nicely
;   printing = bsd

;   guest account = nobody
   invalid users = root

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 1000

# If you want Samba to log though syslog only then set the following
# parameter to 'yes'. Please note that logging through syslog in
# Samba is still experimental.
;   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smb,nmb} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# security_level.txt for details.
   security = user

# You may wish to use password encryption. Please read ENCRYPTION.txt,
# Win95.txt and WinNT.txt in the Samba documentation. Do not enable this
# option unless you have read those documents
#   encrypt passwords = no

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
# You may want to add the following on a Linux system:
#         SO_RCVBUF=8192 SO_SNDBUF=8192
   socket options = TCP_NODELAY

# --- Browser Control Options ---

# Please _read_ BROWSING.txt and set the next four parameters according
# to your network setup. The defaults are specified below (commented
# out.) It's important that you read BROWSING.txt so you don't break
# browsing in your network!

# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
;   local master = yes

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
;   os level = 20

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
;   domain master = auto

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;   preferred master = auto

# --- End of Browser Control Options ---

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
;   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

# What naming service and in what order should we use to resolve host names
# to IP addresses
;   name resolve order = lmhosts host wins bcast

# Name mangling options
;   preserve case = yes
;   short preserve case = yes

# This boolean parameter controls whether Samba attempts to sync. the Unix
# password with the SMB password when the encrypted SMB password in the
# /etc/samba/smbpasswd file is changed.
;   unix password sync = false

# For Unix password sync. to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Augustin Luton [e-mail address removed] for
# sending the correct chat script for the passwd program in Debian Potato).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
;   pam password change = no

# The following parameter is useful only if you have the linpopup package
# installed. The samba maintainer and the linpopup maintainer are
# working to ease installation and configuration of linpopup and samba.
;   message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &

   obey pam restrictions = yes

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   winbind uid = 10000-20000
;   winbind gid = 10000-20000
;   template shell = /bin/bash

# LDAP backend: suffix and admin dn must match the suffix/rootdn in
# /etc/ldap/slapd.conf; the admin dn's password is stored with "smbpasswd -w"
   ldap server = localhost
   ldap port = 389
   ldap suffix = dc=proteino,dc=local
   ldap admin dn = cn=admin,dc=proteino,dc=local
   ldap filter = (&(objectclass=sambaaccount)(uid=%u))
   ldap ssl = no

#======================= Share Definitions =======================

[homes]
   comment = Home Directories
   browseable = no
   valid users = %S

# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
   writable = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0700

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   writable = no
;   share modes = no

[printers]
   comment = All Printers
   browseable = no
   path = /tmp
   printable = yes
   public = no
   writable = no
   create mode = 0700

# A sample share for sharing your CD-ROM with others.
;[cdrom]
;   comment = Samba server's CD-ROM
;   writable = no
;   locking = no
;   path = /cdrom
;   public = yes

# The next two parameters show how to auto-mount a CD-ROM when the
#        cdrom share is accessed. For this to work /etc/fstab must contain
#        an entry like this:
#
#       /dev/scd0   /cdrom  iso9660 defaults,noauto,ro,user   0 0
#
# The CD-ROM gets unmounted automatically after the connection to the
#
# If you don't want to use auto-mounting/unmounting make sure the CD
#        is mounted on /cdrom
#
;   preexec = /bin/mount /cdrom
;   postexec = /bin/umount /cdrom
/etc/ldap/ldif/initial.ldif (as organization)
# root
dn: dc=proteino,dc=local
objectClass: dcObject
objectClass: organization
o: proteino
dc: proteino

# admin
dn: cn=admin,dc=proteino,dc=local
objectClass: person
cn: admin
sn: admin
description: "LDAP Administrator"

# auth_user
dn: o=auth_user,dc=proteino,dc=local
o: auth_user
objectClass: organization
objectClass: top

# auth_group
dn: o=auth_group,dc=proteino,dc=local
o: auth_group
objectClass: organization
objectClass: top
/etc/ldap/ldif/grp.smbusers.ldif
# add group smbusers
dn: o=smbusers,o=auth_group,dc=proteino,dc=local
objectClass: posixGroup
objectClass: top
userPassword: {crypt}x
gidNumber: 100
cn: smbusers
/etc/ldap/ldif/initial.ldif (as organizationalUnit)
# root
dn: dc=proteino,dc=local
objectClass: dcObject
objectClass: organization
o: proteino
dc: proteino

# admin
dn: cn=admin,dc=proteino,dc=local
objectClass: person
cn: admin
sn: admin
description: "LDAP Administrator"

# auth_users
dn: ou=auth_users,dc=proteino,dc=local
ou: auth_users
objectClass: organizationalUnit
objectClass: top

# auth_groups
dn: ou=auth_groups,dc=proteino,dc=local
ou: auth_groups
objectClass: organizationalUnit
objectClass: top

# auth_machines
dn: ou=auth_machines,dc=proteino,dc=local
ou: auth_machines
objectClass: organizationalUnit
objectClass: top

# users
dn: cn=users,ou=auth_groups,dc=proteino,dc=local
objectClass: posixGroup
objectClass: top
gidNumber: 100
cn: users

# testing
dn: cn=testing,ou=auth_groups,dc=proteino,dc=local
objectClass: posixGroup
objectClass: top
gidNumber: 500
cn: testing

# lisa
dn: uid=lisa,ou=auth_users,dc=proteino,dc=local
cn: lisa
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
uidNumber: 10000
gidNumber: 100
shadowLastChange: 11660
shadowMax: 99999
shadowWarning: 0
homeDirectory: /home/lisa
loginShell: /bin/bash
userPassword: {crypt}wertfred
uid: lisa

# lara
dn: uid=lara,ou=auth_users,dc=proteino,dc=local
cn: lara
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
uidNumber: 10001
gidNumber: 100
shadowLastChange: 11660
shadowMax: 99999
shadowWarning: 0
homeDirectory: /home/lara
loginShell: /bin/bash
userPassword: {crypt}wertfred
uid: lara

/etc/ldap/ldif/newuser.ldif (faulty)
# add group users
dn: cn=users,o=auth_group,dc=server,dc=liad
objectClass: posixGroup
objectClass: top
userPassword: {crypt}x
gidNumber: 100
cn:users

# create user ldapgast
dn: uid=ldapgast,o=auth_user,dc=server,dc=liad
uid: ldapgast
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}wertfred
shadowLastChange: 11660
shadowMax: 99999
shadowWarning: 0
uidNumber: 500
gidNumber: 100
homeDirectory: /home/ldapgast
loginShell: /bin/bash
cn: SuperGast
/etc/ldap/ldif/newuser2.ldif (faulty)
# create user ldapgast
dn: uid=ldapgast,o=smbusers,o=auth_group,dc=proteino,dc=local
uid: ldapgast
displayName: LDAP-GastAcc
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaAccount
userPassword: {crypt}wertfred
shadowLastChange: 11660
shadowMax: 99999
shadowWarning: 0
uidNumber: 5000
gidNumber: 100
homeDirectory: /home/ldapgast
smbHome: \\193.1.10.2\home\ldapgast
homeDrive: X:
rid: 19000
primaryGroupID: 1201
acctFlags: [UX         ]
loginShell: /bin/bash
cn: ldapgast
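As an added example (not part of the original page, OpenLDAP or Samba), a small Python pre-flight check that catches the problems the LDIF listings above run into before slapadd sees them: the 0Dh carriage returns from the Windows warning, DNs that lie outside the slapd suffix (as in newuser.ldif), entries added before their parent, missing MUST attributes of posixAccount/posixGroup/sambaAccount and {crypt} values that are not real crypt(3) hashes. The suffix and the sample entry are taken from this page; the MUST sets are assumed from nis.schema and the sambaAccount class of the samba.schema used here.

```python
# Pre-flight LDIF checks before slapadd (added example, not OpenLDAP/Samba/page code)
import re
SUFFIX = "dc=proteino,dc=local"   # suffix from the page's slapd.conf
# MUST attributes of the objectClasses the page's LDIF files use (nis/samba schema)
MUST = {"posixgroup": {"cn", "gidnumber"}, "sambaaccount": {"uid", "rid"},
        "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"}}
# a crypt(3) value: 13 chars of DES output or a $id$salt$hash modular-crypt string
CRYPT_RE = re.compile(r"^\{crypt\}([./0-9A-Za-z]{13}|\$[0-9a-z]+\$.+)$", re.I)

def norm_dn(dn):  # comparison form: lower-case, no blanks around commas
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per record; continuation lines are folded."""
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.replace("\n ", "").split("\n"):
            if not line.startswith("#"):
                attr, _, value = line.partition(":")
                attrs.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            yield attrs.pop("dn")[0], attrs

def check_ldif(text, suffix=SUFFIX):
    """Return a list of (dn, problem); an empty list means the file looks sane."""
    # CR (0Dh) from Windows is the first thing to catch, as the page warns
    findings = [("*", "CR characters present, convert line endings")] if "\r" in text else []
    suffix, seen = norm_dn(suffix), {norm_dn(suffix)}
    for dn, attrs in parse_ldif(text.replace("\r", "")):
        ndn = norm_dn(dn)
        if ndn != suffix and not ndn.endswith("," + suffix):
            findings.append((dn, "DN lies outside suffix " + suffix))
        elif ndn != suffix and ndn.split(",", 1)[1] not in seen:
            findings.append((dn, "parent entry missing or defined later"))
        seen.add(ndn)
        for oc in attrs.get("objectclass", []):
            for missing in sorted(MUST.get(oc.lower(), set()) - set(attrs)):
                findings.append((dn, "objectClass %s requires %s" % (oc, missing)))
        for pw in attrs.get("userpassword", []):
            if pw.lower().startswith("{crypt}") and not CRYPT_RE.match(pw):
                findings.append((dn, "userPassword {crypt} value is not a crypt(3) hash"))
    return findings

# constructed sample modelled on the page's newuser2.ldif: the parent ou entry is
# not added first, rid is missing and the {crypt} value is not a hash
SAMPLE = """\
dn: uid=ldapgast,ou=auth_users,dc=proteino,dc=local
objectClass: posixAccount
objectClass: sambaAccount
uid: ldapgast
cn: ldapgast
uidNumber: 5000
gidNumber: 100
homeDirectory: /home/ldapgast
userPassword: {crypt}wertfred
"""
```

check_ldif(SAMPLE) returns three findings for the sample above; run it over a whole LDIF file with check_ldif(open(path).read()) before calling slapadd.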