This applies to FreeBSD 6.1. It is probably the same for versions >= 6.1 as well. Please read the docs that come with the packages.
- Install the required ports/packages
- Configure smbldap_tools
- Setup openldap
- smbldap-populate the DIT
- Authenticate posix accounts against OpenLDAP
To be documented:
- Configure samba3's smb.conf as a PDC for the domain
- AD migration: use "net rpc vampire" to pull the accounts out of the AD controller. The AD tree can be vampired and stored in the separate machine's DIT.
- Profile preservation with correct sambaSIDs in place
- ACLs
- Test domain membership of all possible client machine OSes
1. Install the required ports/packages
I prefer the use of FreeBSD's ports to packages, so I installed all the required software using the ports collection, with the exception of OpenLDAP, which was installed from source before the start of this project.
- samba-3.0.21b,1
- openldap-2.3.24 (Jun 12 2006 11:36:38)
- nss_ldap-1.244
- pam_ldap-1.8.0
- smbldap-tools-0.9.1_1 (not required to have a fully-functional PDC, but very handy)
We will use smbldap-tools to populate the DIT and to script the addition, removal and modification of users & groups.
Install OpenLDAP
- Installing openldap-server from source:
In order for OpenLDAP's configure script to quit bitching about incompatible Berkeley DB versions, you have to tell it explicitly where the Berkeley DB headers and libraries are. Set the following environment variables (export them, or prefix the configure command with them):
CPPFLAGS="-I/usr/local/include/db43 -I/usr/local/include"
LDFLAGS=" -rpath=/usr/lib:/usr/local/lib -L/usr/local/lib"
Once this is done, it is time to set the compile-time options for the configure script.
$ ./configure --enable-crypt=yes \
    --enable-lmpasswd=yes \
    --enable-passwd=yes \
    --enable-wrappers=yes \
    --enable-perl=yes \
    --with-cyrus-sasl=yes \
    --with-tls=yes
Once configure is done:
$ make
$ su
Password:
# make install
- Install using ports
# cd /usr/ports/net/openldap23-server/ && make install clean
2. Configure smbldap_tools
Configuration of smbldap-tools is done in two files: /usr/local/etc/smbldap-tools/smbldap.conf and /usr/local/etc/smbldap-tools/smbldap_bind.conf. The file smbldap_bind.conf holds the credentials used to bind to the LDAP DIT. Because we have no slave OpenLDAP server, the master also acts as the slave, so we configure smbldap-tools to bind as the rootdn for both the slaveDN and masterDN parameters. Because this file contains the rootdn password, its permissions must not be group- or world-readable (chmod 600). Once the configuration is done, we can move on to the next step: populate the DIT with smbldap-populate, then check the DIT with an LDAP browser/editor such as JXplorer or ldapvi.
Carefully check all of the parameters in smbldap.conf. This file must match the plan for the new domain. Since we are migrating from AD to a Samba PDC, be sure to set the SID= parameter to match the current AD domain SID.
3. Setup OpenLDAP
This needs more documentation!
- Include any schemas necessary
- Set the pidfile, argsfile and log file locations
- Configure the SSL configuration options
- Choose the database type to be used
- Set the suffix to use (the base dn)
- Define a root dn for superuser privileges (it does not have to exist in the LDAP database: slapd authenticates the rootdn against the rootpw directive in slapd.conf, and the rootdn bypasses the ACLs)
- Set the directory location to contain the database
- Create the indexes (which attributes?)
- Set the ACL (access control list) rights (access was granted to everyone temporarily during setup; this must be tightened before the server goes live, since the samba password hashes stored in the DIT are password-equivalent)
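The checklist above leaves the slapd.conf itself undocumented, so here is an added example (not from the original page) of a shell function that writes one for the constructed suffix dc=example,dc=lan and swaps the temporary "everyone may write" ACL for rules that keep userPassword and the samba hashes private; the /usr/local and /var paths, the schema file names and the rootdn are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page. Paths, schema file names and
# the rootdn are assumptions; the suffix dc=example,dc=lan is constructed.
write_slapd_conf() {
    out="$1"
    cat > "$out" <<'EOF'
# samba.schema depends on core, cosine, inetorgperson and nis
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/samba.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
# TLS material (assumed paths); start slapd with -h "ldap:/// ldaps:///"
TLSCACertificateFile    /usr/local/etc/openldap/ca.crt
TLSCertificateFile      /usr/local/etc/openldap/server.crt
TLSCertificateKeyFile   /usr/local/etc/openldap/server.key
database        bdb
suffix          "dc=example,dc=lan"
# rootdn needs no entry in the DIT: slapd checks it against rootpw below
rootdn          "cn=admin,dc=example,dc=lan"
# paste the {SSHA} output of slappasswd here, never the clear text
rootpw          {SSHA}PLACEHOLDER-slappasswd-output
directory       /var/db/openldap-data
# indexes for the lookups nss_ldap, pam_ldap and samba make most often
index   objectClass                                     eq
index   cn,sn,uid,displayName                           pres,sub,eq
index   uidNumber,gidNumber,memberUid                   eq
index   sambaSID,sambaPrimaryGroupSID,sambaDomainName   eq
# ACLs are first-match: the NT hash is password-equivalent, so it gets
# the same treatment as userPassword. smbldap-tools and samba bind as
# rootdn, which bypasses ACLs; everything else stays readable for NSS.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
EOF
    chmod 600 "$out"
}

# Succeeds only when no ACL in the file still hands out "by * write".
acl_is_locked_down() {
    ! grep -q 'by \* write' "$1"
}
```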
4. smbldap-populate the DIT
Running smbldap-populate creates the entries in the DIT that a Windows domain setup needs. It creates groups such as Domain Admins, Domain Users, Backup Operators, etc. It also creates a domain admin account (whose name can be set to your liking) and, upon completion, the script prompts you for a password for this admin account. The domain admin account is important in that its gidNumber and uidNumber are 0. This is the account/credentials used when adding computers to the domain.
Once smbldap-populate has completed successfully, use an LDAP viewer to look at the tree and ensure that everything was created properly. It should reflect the configuration set in smbldap.conf.
5. Authenticate posix accounts against OpenLDAP
You will need the following to authenticate users against OpenLDAP:
# cd /usr/ports/net/nss_ldap/ && make install clean
# cd /usr/ports/security/pam_ldap/ && make install clean
The preceding commands install the ports (preferred). The same could also be done with packages:
# pkg_add -r nss_ldap
# pkg_add -r pam_ldap
Now copy the pam_ldap config file /usr/local/etc/ldap.conf.default to /usr/local/etc/ldap.conf and edit it to match your DIT. You also need to set up nss_ldap by editing /usr/local/etc/nss_ldap.conf. In my setup, these files are the same with the exception of some comments, so you could symlink them to reduce the chance of errors caused by differences between the two files.
# ln -s /usr/local/etc/ldap.conf /usr/local/etc/nss_ldap.conf
The file(s) will look something like this (be sure to edit it to reflect your needs). Because nss_ldap reads this file as every user, it has to stay world-readable; the rootbinddn password therefore lives in the separate .secret file rather than in ldap.conf.
uri ldap://127.0.0.1/
base dc=example,dc=lan
scope sub
binddn cn=admin,dc=example,dc=lan
bindpw secret
rootbinddn cn=admin,dc=example,dc=lan
# secret is stored in /usr/local/etc/nss_ldap.secret
ssl no
pam_password exop
bind_policy hard
#pam_filter objectclass=posixAccount
pam_login_attribute uid
nss_base_passwd ou=people,dc=example,dc=lan?sub
nss_base_passwd ou=computers,dc=example,dc=lan?sub
nss_base_shadow ou=people,dc=example,dc=lan?sub
nss_base_group ou=groups,dc=example,dc=lan?sub
From what I can tell there needs to be a .secret file for both nss_ldap and pam_ldap. So create both /usr/local/etc/nss_ldap.secret and /usr/local/etc/ldap.conf.secret (chmod 600) containing the rootdn password.
Fire up your favorite text editor so that /etc/nsswitch.conf contains the following:
...
passwd: files ldap
group: files ldap
shadow: files ldap
...
Note: the file will have other entries besides these.
You will also create a file /etc/pam.d/ldap containing the following line (files under /etc/pam.d/ carry no service column, so the line starts with the module type):
auth sufficient /usr/local/lib/pam_ldap.so
At this point, from root you should be able to su to an account in LDAP. I was getting prompted for a password by both the system and LDAP. I was able to correct this by editing the auth section of the file /etc/pam.d/system as follows:
auth sufficient /usr/local/lib/pam_ldap.so
auth required pam_unix.so no_warn try_first_pass nullok
