Installing SaMBa with OpenLDAP support: Difference between revisions

From SaruWiki
Revision as of 23:11, 21 November 2008

The Samba Section

Preparations

First off, get yourself this wonderful book - and READ IT. Next, make sure our user backend of choice, OpenLDAP, is properly installed and can be used to authenticate users. If you haven't yet installed OpenLDAP, go to the relevant section of this wiki, and get going. Make sure your OpenLDAP is running well.

Software installation

This is easy: using aptitude, install the following packages:

  • samba, the actual server.
  • samba-tools, a set of utilities.
  • samba-doc - note that we NEED samba-doc, as this package contains a configuration file that we need (the LDAP schema file).
  • smbclient, that can make your Linux server work with a Windows or SaMBa server; we need this to test our own server.

As usual, Debian is asking us for the configuration details. For SaMBa 3.2, there are only two simple questions:

  • What do you want to be your Windows workgroup name? (we provide the name "AMBER")
  • Do you want to modify smb.conf to use WINS setting from DHCP? (we provide "no")

Now we have our SaMBa configuration file as /etc/samba/smb.conf, but we're going to follow two time-honoured traditions: we're going to save the original configuration file for future reference, and we're going to rename our configuration file to smb.conf.master, while providing SaMBa with a comment-stripped version of it:

cd /etc/samba
cp smb.conf smb.conf.sample
mv smb.conf smb.conf.master
testparm smb.conf.master
testparm -s smb.conf.master > smb.conf

Now remember: when we want to change our SaMBa configuration, we edit smb.conf.master. Once we're ready with that, we ALWAYS need to run those last two lines; the first of those will check our updated configuration, to see if we haven't made some silly typo that renders the configuration wholly or partially crippled, and the second one creates a comment-stripped version of it that SaMBa will actually be using.
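The check a practitioner wants in this routine is that a master file with a typo never replaces a working smb.conf. The following Python script is an added example, not part of the wiki page: it runs testparm -s on the master file and, only when testparm exits successfully, writes the stripped output to a temporary file next to the target and moves it into place atomically. The `run` parameter defaults to subprocess.run and exists only so the logic can be exercised without a Samba installation; the two paths in the `__main__` block are the page's own.

```python
"""Validate smb.conf.master with testparm and only then replace smb.conf.

Added example (not from the wiki page). It wraps the page's two testparm
commands so that a broken master file never overwrites a working smb.conf.
"""
import os
import subprocess
import tempfile


def render_config(master, run=subprocess.run):
    """Run `testparm -s MASTER` and return its comment-stripped output.

    Returns None when testparm reports an error (non-zero exit status).
    `run` defaults to subprocess.run; it is a parameter only so the
    function can be tested with a stand-in for testparm.
    """
    result = run(["testparm", "-s", master], capture_output=True, text=True)
    if result.returncode != 0:
        # testparm's diagnostics go to stderr; show them to the operator
        print(result.stderr)
        return None
    return result.stdout


def deploy_config(master, target, run=subprocess.run):
    """Replace TARGET with the stripped rendering of MASTER.

    Returns True when TARGET was updated, False when validation failed
    and TARGET was left untouched.
    """
    rendered = render_config(master, run)
    if rendered is None:
        return False
    target_dir = os.path.dirname(os.path.abspath(target))
    # Write next to the target so the final rename stays on one filesystem
    fd, tmp_path = tempfile.mkstemp(prefix="smb.conf.", dir=target_dir)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(rendered)
        os.chmod(tmp_path, 0o644)
        os.replace(tmp_path, target)  # atomic on POSIX
    except Exception:
        os.unlink(tmp_path)
        raise
    return True


if __name__ == "__main__":
    import sys
    ok = deploy_config("/etc/samba/smb.conf.master", "/etc/samba/smb.conf")
    sys.exit(0 if ok else 1)
```

Run it as root after every edit of smb.conf.master in place of the two testparm lines above; a non-zero exit means smb.conf was not touched.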

WINS configuration

To enable WINS, we add the following lines to smb.conf.master:

## Browsing/Identification ###
   workgroup = AMBER
   netbios name = DWORKIN
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
   wins support = yes
   os level = 33
   domain master = yes
   local master = yes
   preferred master = yes
   name resolve order = wins lmhosts hosts bcast
   dns proxy = yes

Now this does a whole lot of things with the SaMBa nmbd daemon - at least when you remember to save the master config file, test it with testparm and write the actual smb.conf as described previously, AND then restart your nmbd daemon:

/etc/init.d/samba restart

OK so what do the configuration lines mean?

  • workgroup = AMBER - this line makes the SaMBa server a member of workgroup AMBER.
  • netbios name = DWORKIN - here we define the server NetBIOS name to be "dworkin".
  • wins support = yes - this line actually turns on the WINS support, so it instructs the nmbd daemon to start acting as a WINS server.
  • os level = 33 - this gives our WINS server a "rank" of 33, meaning that it will be sure to become the WINS master browser, even if there are Windows servers on the network that act as domain controllers.
  • domain master = yes - this will tell our server that it will not be just any master browser, but a domain master browser, so that our server will be the master browser on each and every subnet that it is connected to.
  • local master = yes - this setting is vital to being a domain master browser, as it ensures that our WINS server is also the local master browser.
  • preferred master = yes - adding this line makes the nmbd daemon initiate a browser election as soon as it starts up, so that it essentially gets the master browser role as fast as possible.
  • name resolve order = wins lmhosts hosts bcast - this ensures that for a WINS request, the nmbd daemon not only checks its WINS database, but also the local lmhosts file (if it exists) and the Linux /etc/hosts file, and finally falls back to a broadcast to see if it can locate the requested name by shouting out for it.
  • dns proxy = yes - this makes nmbd check a requested name with the DNS server, if it cannot be found in the WINS database itself.

After restarting, we can see if our Linux server is now a WINS master browser by inspecting the SaMBa log file, by default /var/log/samba/nmbd.log. It should show something like

[2008/11/21 16:18:03,  0] nmbd/nmbd.c:main(849)
  nmbd version 3.2.4 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2008
[2008/11/21 16:18:03,  0] nmbd/asyncdns.c:start_async_dns(155)
  started asyncdns process 25707
[2008/11/21 16:18:03,  0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(336)
  become_domain_master_browser_wins:
  Attempting to become domain master browser on workgroup AMBER, subnet UNICAST_SUBNET.
[2008/11/21 16:18:03,  0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(350)
  become_domain_master_browser_wins: querying WINS server from IP 192.168.67.10 for domain master browser name AMBER<1b> on workgroup AMBER
[2008/11/21 16:18:03,  0] nmbd/nmbd_become_dmb.c:become_domain_master_stage2(110)
  *****  

  Samba server DWORKIN is now a domain master browser for workgroup AMBER on subnet UNICAST_SUBNET

  *****
[2008/11/21 16:18:03,  0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(291)
  become_domain_master_browser_bcast:
  Attempting to become domain master browser on workgroup AMBER on subnet 192.168.67.10
[2008/11/21 16:18:03,  0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(304)
  become_domain_master_browser_bcast: querying subnet 192.168.67.9 for domain master browser on workgroup AMBER
[2008/11/21 16:18:11,  0] nmbd/nmbd_become_dmb.c:become_domain_master_stage2(110)
  *****

  Samba server DWORKIN is now a domain master browser for workgroup AMBER on subnet 192.168.67.10

  *****
[2008/11/21 16:18:26,  0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(395)
  *****

  Samba name server DWORKIN is now a local master browser for workgroup AMBER on subnet 192.168.67.10

  *****

Furthermore, we can test on the server itself if a WINS lookup succeeds:

dworkin:# nmblookup -M amber
querying amber on 127.255.255.255
192.168.67.10 amber<1d>
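To confirm the roles without reading the log by eye, here is an added Python example (not from the wiki page) that groups nmbd.log lines into entries and extracts every "is now a ... master browser" announcement. The sample log embedded in it is the page's own nmbd output, shortened to the startup line and the three role announcements; the server name and workgroup are the page's.

```python
"""Parse nmbd.log and report which browser roles this server has claimed.

Added example (not from the wiki page). SAMPLE_LOG is the page's own nmbd
output, shortened, so the script runs offline; point parse of a real file at
/var/log/samba/nmbd.log instead.
"""
import re
from collections import namedtuple

# One nmbd log entry header: [YYYY/MM/DD HH:MM:SS, level] file:function(line)
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+)$")
# The message nmbd writes once a browser election or registration succeeds
ROLE_RE = re.compile(
    r"Samba (?:name )?server (?P<server>\S+) is now a (?P<role>domain|local) "
    r"master browser for workgroup (?P<workgroup>\S+) on subnet (?P<subnet>\S+)"
)

Entry = namedtuple("Entry", "timestamp level source message")
Role = namedtuple("Role", "timestamp server role workgroup subnet")


def parse_entries(text):
    """Group a log into entries: a header line plus its indented message lines."""
    entries = []
    current = None

    def flush():
        if current is not None:
            entries.append(Entry(current[0], current[1], current[2], " ".join(current[3])))

    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            flush()
            current = [m.group(1), int(m.group(2)), m.group(3), []]
        elif current is not None and line.strip():
            current[3].append(line.strip())
    flush()
    return entries


def browser_roles(text):
    """Return every master-browser role announced in the log, in log order."""
    roles = []
    for e in parse_entries(text):
        m = ROLE_RE.search(e.message)
        if m:
            roles.append(Role(e.timestamp, m["server"], m["role"], m["workgroup"], m["subnet"]))
    return roles


def is_domain_master(text, server, workgroup):
    """True if SERVER announced itself domain master browser for WORKGROUP on any subnet."""
    return any(r.role == "domain" and r.server == server and r.workgroup == workgroup
               for r in browser_roles(text))


SAMPLE_LOG = """\
[2008/11/21 16:18:03,  0] nmbd/nmbd.c:main(849)
  nmbd version 3.2.4 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2008
[2008/11/21 16:18:03,  0] nmbd/nmbd_become_dmb.c:become_domain_master_stage2(110)
  *****

  Samba server DWORKIN is now a domain master browser for workgroup AMBER on subnet UNICAST_SUBNET

  *****
[2008/11/21 16:18:11,  0] nmbd/nmbd_become_dmb.c:become_domain_master_stage2(110)
  *****

  Samba server DWORKIN is now a domain master browser for workgroup AMBER on subnet 192.168.67.10

  *****
[2008/11/21 16:18:26,  0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(395)
  *****

  Samba name server DWORKIN is now a local master browser for workgroup AMBER on subnet 192.168.67.10

  *****
"""

if __name__ == "__main__":
    for r in browser_roles(SAMPLE_LOG):
        print(f"{r.timestamp} {r.server}: {r.role} master browser, workgroup {r.workgroup}, subnet {r.subnet}")
    print("domain master for AMBER:", is_domain_master(SAMPLE_LOG, "DWORKIN", "AMBER"))
```

Note that nmbd only logs the roles it wins itself; whether another machine on the segment has taken a browser role is something nmblookup -M, as shown above, tells you, not this log.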

Finally, we tell our DHCP server to provide clients with the IP address of our WINS server. We do this by adding the following line to /etc/dhcp3-server/dhcpd.conf:

option netbios-name-servers 192.168.67.10;

This line can either be added to the global section, or within the subnet declaration for each individual subnet that you want to inform of this WINS server.

OpenLDAP adaptation

In order for our OpenLDAP server to recognise the SaMBa-specific attributes that we're going to use, we need to add the "samba" schema to the OpenLDAP server. After installation of samba-doc, we can find this schema in /usr/share/doc/samba-doc/examples/LDAP, where it sits gzipped between some other schema files; as the README explains, what we need is samba.schema.gz, so we unzip it and copy it to our OpenLDAP schema directory:

cd /usr/share/doc/samba-doc/examples/LDAP
gunzip samba.schema.gz
cp samba.schema /etc/ldap/schema

Next up, we include this schema into our LDAP configuration, by adding the following line to /etc/ldap/slapd.conf:

include         /etc/ldap/schema/samba.schema

Not only do we need schema updates, we could also do with some more indices. Thus, we change the relevant section of /etc/ldap/slapd.conf to read:

# Indexing options for database #1
index     objectClass,uidNumber,gidNumber                eq
index     cn,sn,uid,displayName                          pres,sub,eq
index     memberUid,mail,givenname                       eq,subinitial
index     sambaSID,sambaPrimaryGroupSID,sambaDomainName  eq

Of course, it's not enough just to add these parameters; we also need to generate the indices, and restart our LDAP server:

sudo invoke-rc.d slapd stop
sudo -u openldap slapindex
sudo invoke-rc.d slapd start

Check to see if the Samba objects are now usable in your LDAP server, e.g. by opening your LDAP Account Manager, and go to tools > schema browser; you should have objects like "sambaConfig" and "sambaDomain".

Samba configuration for LDAP authentication

To get SaMBa to use OpenLDAP as a backend is actually quite straightforward. The main work is done in smb.conf.master, where we add the following section:

passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=saruman,dc=biz
ldap machine suffix = ou=hosts
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap admin dn = cn=admin,dc=saruman,dc=biz
ldap delete dn = no
# allow user privileges
enable privileges = yes
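Before running this through testparm, it is worth checking the fragment for the mistakes that bite in practice. The Python script below is an added example, not part of the wiki page: it parses the key = value lines, assembles the full user, group and machine base DNs from the suffixes, and reports when the admin bind would go to a non-loopback host over plain ldap:// without StartTLS. The `ldap ssl` parameter it looks at is a real smb.conf option that the page does not set; the sample input is the page's own fragment.

```python
"""Sanity-check the ldapsam settings of an smb.conf fragment.

Added example (not from the wiki page). PAGE_FRAGMENT is the page's own
configuration; `ldap ssl` is a real smb.conf parameter the page leaves unset.
"""
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
SUFFIX_KEYS = ("ldap suffix", "ldap user suffix", "ldap group suffix", "ldap machine suffix")


def parse_settings(text):
    """Parse `key = value` lines into a dict.

    Samba parameter names are case-insensitive and ignore internal
    whitespace, so keys are normalised to lower case with single spaces.
    Comment lines (# or ;) and [section] headers are skipped.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")  # split at the FIRST '=' only: DNs contain '='
        if not sep:
            continue
        settings[" ".join(key.lower().split())] = value.strip()
    return settings


def ldap_bases(settings):
    """Build the full DNs Samba will search from the suffix settings."""
    suffix = settings.get("ldap suffix", "")
    bases = {}
    for kind in ("user", "group", "machine"):
        partial = settings.get(f"ldap {kind} suffix")
        if partial:
            bases[kind] = f"{partial},{suffix}" if suffix else partial
    return bases


def check_ldapsam(settings):
    """Return a list of findings; an empty list means the fragment looks sane."""
    findings = []
    backend = settings.get("passdb backend", "")
    if not backend.startswith("ldapsam:"):
        findings.append("passdb backend is not ldapsam; LDAP settings will be ignored")
        return findings
    url = urlsplit(backend[len("ldapsam:"):])
    host = url.hostname or ""
    ssl = (settings.get("ldap ssl") or "").lower()
    if url.scheme == "ldap" and host not in LOOPBACK_HOSTS and ssl != "start tls":
        findings.append(
            f"ldap admin dn would bind to {host} over plain ldap:// without an explicit "
            "'ldap ssl = start tls'; the admin password would cross the network in clear"
        )
    if not settings.get("ldap admin dn"):
        findings.append("ldap admin dn is missing; Samba cannot write to the directory")
    for key in SUFFIX_KEYS:
        if key not in settings:
            findings.append(f"{key} is not set")
    if settings.get("ldap delete dn", "no").lower() in ("yes", "true", "1"):
        findings.append("ldap delete dn = yes lets Samba remove whole entries, not just its own attributes")
    return findings


# The page's own fragment, used as the sample input
PAGE_FRAGMENT = """\
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=saruman,dc=biz
ldap machine suffix = ou=hosts
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap admin dn = cn=admin,dc=saruman,dc=biz
ldap delete dn = no
# allow user privileges
enable privileges = yes
"""

if __name__ == "__main__":
    s = parse_settings(PAGE_FRAGMENT)
    for kind, dn in ldap_bases(s).items():
        print(f"{kind:8} {dn}")
    print(check_ldapsam(s) or "no findings")
```

The admin DN's password is not part of smb.conf: once the configuration is in place it is stored in Samba's secrets.tdb with smbpasswd -w, and until that is done smbd cannot bind to the directory as cn=admin.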