A few beginning statements....

  1. While these instructions are Slackware 11 specific, the principles and understanding provided by this document should be of universal help no matter which distribution or type of *nix is used.
  2. This walkthrough uses packages and software versions dated at the time of this walkthrough's creation. Take the understanding that will hopefully be provided by this walkthrough and apply it to current versions of the software.
  3. This walkthrough assumes a home directory of /usr/download for a 'compile' user with source files being extracted and compiled into compile owned '/usr/src/*' directories.
  4. Commands listed inside yellow boxes should be command line copy and paste compatible.

Preparation

Basic OS setup and preparation

  • Start with a full install of Slackware 11
  • Perform additional Slackware installation tasks
    • Update to the latest patches and packages
    • Install 'checkinstall' from /extra (for use in making custom packages for use with pkgtool)
    • use 'cpan' to update some basic Perl modules
      • install Bundle::CPAN
      • install Net::SSLeay (for use by webmin)
    • If using the IDEALX smbtool scripts, run 'cpan' to install the Perl modules that the IDEALX smbtools will need (see the beginning of the smbldap-PROGRAM_NAME script for a list of the Perl modules it needs)
      • install Crypt::SmbHash (for use by smbldap-populate)
      • install Unicode::MapUTF8 (for use by smbldap-populate)
  • SET UP A NON-ROOT USER FOR COMPILING SOFTWARE
   #create a compile user
        mkdir -p /usr/download;
        groupadd -g 252 compile
        useradd -c 'compile user' compile -d /usr/download -g compile -s /bin/bash -u 252
   #assign some directory rights to user compile
        chown -R compile:compile /usr/src
        chown compile:compile /usr/download

Install required packages to support Samba3+LDAP

1. Obtain, compile and install PAM (Linux-PAM-0.99.7.1)

***DOCUMENT WHY THIS IS NEEDED***
if [ -f /tmp/workingdir ] ; then rm /tmp/workingdir ; fi
su compile
cd
wget http://www.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-0.99.7.1.tar.bz2
cd /usr/src
tar -jxvf ~compile/Linux-PAM-0.99.7.1.tar.bz2
cd Linux-PAM-0.99.7.1/
./configure --sysconfdir=/etc/pam
make && pwd > /tmp/workingdir
exit
if [ -f /tmp/workingdir ] ; then
 cd `cat /tmp/workingdir`
 checkinstall --install=yes
else
 echo Check for errors
fi

2. Obtain, compile and install OpenLDAP

There are two options here. The OpenLDAP source files can be downloaded and compiled from scratch with a command sequence such as:
if [ -f /tmp/workingdir ] ; then rm /tmp/workingdir ; fi 
su compile
cd
wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-stable/openldap-stable-GET_THE_LATEST_VERSION.tgz
cd /usr/src
tar -zxvf ~/openldap-stable*
cd openldap*
cat >> openldap.SlackBuild << EOF
./configure --sysconfdir=/etc \
--enable-crypt=yes \
--enable-lmpasswd=yes \
--enable-wrappers=yes \
--enable-passwd=yes \
--enable-perl=yes \
--with-cyrus-sasl=yes \
--with-tls=yes
EOF

. openldap.SlackBuild
make depend
make && pwd > /tmp/workingdir
exit
if [ -f /tmp/workingdir ] ; then
 cd `cat /tmp/workingdir`
 checkinstall
else
 echo Check for errors
fi

--OR--
You could use the Slackware package for openldap and rebuild it so that it includes the server executables and libraries.
NOTE: a SlackBuild must build its package as root, not as a regular user.

Tasks to rebuild the openldap-client package
  • Download the Slackware SOURCE package
  • Edit the openldap-client.SlackBuild file and make the following changes
    • remove the --disable-slapd and --disable-slurpd options
    • remove the --disable-static line (so the required library .a files will be built)
    • add in the options:
      • --enable-crypt \
      • --enable-lmpasswd=yes \
      • --enable-wrappers=yes \
      • --enable-passwd=yes \
      • --enable-perl=yes
    • remove references to the package being 'client-only'
    • comment out the find commands that remove the server daemon man pages
  • save the file as openldap.SlackBuild
  • run the build file as root
  • remove the existing openldap-client package
  • install the new package

shell commands to obtain and rebuild the slackware openldap-client package

 
mkdir /usr/download/openldap
cd $_

# *Downloaded the slackware SOURCE package
wget -nH --cut-dirs=6 -r -np ftp://slackware.cs.utah.edu/pub/slackware/slackware-11.0/source/n/openldap-client

# *Edit the openldap-client.SlackBuild file and make the following changes
#including setting the libexecdir value and ensuring that ldbm is not enabled
sed -e 's#--disable-slapd \\#--enable-crypt --libexecdir=/usr/bin \\#g' < openldap-client.SlackBuild > tempa
sed -e 's#--disable-static \\#--enable-wrappers=yes --enable-perl=yes \\#g' < tempa > tempb
sed -e 's#--disable-slurpd#--enable-lmpasswd=yes --enable-passwd=yes#g' < tempb > tempa
sed -e 's#openldap-client#openldap-server#g' < tempa > tempb
sed -e 's/find $PKG/#find $PKG/g' < tempb > openldap-server.SlackBuild
rm tempa tempb

. openldap-server.SlackBuild
removepkg  `basename \`ls /var/log/packages/openldap-client-*\``

installpkg `ls /tmp/openldap-server-*.tgz`

3. Obtain, compile and install the PAM_LDAP libraries from PADL

OpenLDAP is a prerequisite: it must be installed before running configure, otherwise you will receive a "configure: error: could not locate <ldap.h>" message.
***DOCUMENT WHY THIS IS NEEDED..or which module/library/package uses pam_ldap!***
 
   if [ -f /tmp/workingdir ] ; then rm /tmp/workingdir ; fi 
   su compile
   cd
   wget http://www.padl.com/download/pam_ldap.tgz
   cd /usr/src
   tar -zxvf ~/pam_ldap.tgz
   cd pam_*
   ./configure --prefix=/usr/ \
   --sysconfdir=/etc \
   --localstatedir=/var \
   --with-ldap-lib=openldap 
   make && pwd > /tmp/workingdir #Dump current path to a file
   exit
   if [ -f /tmp/workingdir ] ; then
     cd `cat /tmp/workingdir`
     checkinstall --install=yes
   else
     echo Check for errors
   fi

4. Obtain, compile and install the NSS_LDAP libraries from PADL

This allows the system to redirect user and group queries from the local files (/etc/passwd & /etc/group) to the ldap server. Note that we are enabling the rfc2307bis schema and setting our ldap library to 'openldap'.
   if [ -f /tmp/workingdir ] ; then rm /tmp/workingdir ; fi
   su compile
   cd
   wget http://www.padl.com/download/nss_ldap.tgz
   cd /usr/src
   tar -zxvf ~/nss_ldap.tgz
   cd nss_*
   ./configure --prefix=/usr \
   --sysconfdir=/etc \
   --localstatedir=/var \
   --enable-rfc2307bis \
   --with-ldap-lib=openldap
   make && pwd > /tmp/workingdir #Dump current path to a file
   exit
   if [ -f /tmp/workingdir ] ; then
     cd `cat /tmp/workingdir`
     checkinstall
   else
     echo Check for errors
   fi

5. Download and recompile Samba to support PAM and LDAP.

The samba package shipped with Slackware does NOT contain support for ldapsam or PAM. The samba.SlackBuild script must be modified to re-compile the Slackware package so that it is LDAP compatible.
mkdir /usr/src/samba
cd $_
wget -nH --cut-dirs=6 -r -np ftp://slackware.cs.utah.edu/pub/slackware/slackware-11.0/patches/source/samba/
sed -e 's#BUILD:-1#BUILD:-2#g' < samba.SlackBuild > ssb.tempa
sed -e 's#--with-ldap \\#--with-ldap --with-pam=yes --with-ldapsam=yes \\#g' < ssb.tempa > ssb.tempb
mv ssb.tempb samba.SlackBuild ; rm ssb.tempa
. samba.SlackBuild
upgradepkg /tmp/samba-3.0.24-i486-2_slack11.0.tgz


Configuration of the packages

Now that all of the packages are installed, we are ready to begin configuring each package for use. Based on the example system and the compile options that were used, the packages will use the following configuration files in the locations shown. Before beginning the configuration, here is a review of each daemon that we will be configuring along with the configuration files used.
  • LinuxPAM
    • There are no configuration files needed at this point because Slackware does not use PAM for authentication. Other *NIXes might use files such as /etc/pam.d/ldap and /etc/pam.d/system to configure PAM.
  • openldap(LDAP)
    • /etc/openldap/slapd.conf (used by the ldap daemon, slapd)
    • /etc/openldap/ldap.conf (used by the ldap client on the system.)
  • PADL Libraries
    • pam_ldap: Once again, there is no pam related configuration needed for Slackware at this point.
    • nss_ldap: /etc/ldap.conf (this file is referenced by the nss_ldap libraries so that nss knows where to look and HOW to look in your ldap directory for your local (POSIX) user and group information.)
    • /etc/ldap.secret (a file to be created that will contain your ldap admin password)
    • /etc/nsswitch.conf (Not a configuration file provided BY nss_ldap. "nss" uses this file to determine where it should look for POSIX account information.)
  • Samba
    • /etc/samba/smb.conf (the configuration file for the samba server)
Comment: Before the configuration of the samba smb.conf file can occur, the LDAP database will need to be populated, started and tested. So before we start on the samba config, we will take a break to test our LDAP setup.

Begin the configuration of the config files

openldap(LDAP)

/etc/openldap/slapd.conf - the configuration file for the ldap daemon
The /etc/openldap/slapd.conf file is the main configuration file for the stand-alone LDAP daemon. The types of options in slapd.conf include the location, type and permissions of the databases, the log level desired, the LDAP administration distinguished name and credentials, and most importantly the desired schemas that you need to use to support your directory needs.
###############################################
#               slapd.conf                    #
###############################################

##### Begin adding in the schema files... #####
### required for openldap (the basic schema)
include  /etc/openldap/schema/core.schema

### Support for X.500 directory pilots.  RFC 1274
include  /etc/openldap/schema/cosine.schema

### inetorgperson stores contact information ###
include  /etc/openldap/schema/inetorgperson.schema

#NIS is required by the samba.schema
include  /etc/openldap/schema/nis.schema

#Samba schema is required to manage samba accounts
include  /etc/openldap/schema/samba.schema

# Logging (1,2,4,8,16,32,64,128 - bits to make up the value)
# 1 (0x1 trace) trace function calls
# 2 (0x2 packet) debug packet handling
# 4 (0x4 args) heavy trace debugging (function args)
# 8 (0x8 conns) connection management
# 16 (0x10 BER) print out packets sent and received
# 32 (0x20 filter) search filter processing
# 64 (0x40 config) configuration file processing
# 128 (0x80 ACL) access control list processing
# 256 (0x100 stats) stats log connections/operations/results
# 512 (0x200 stats2) stats log entries sent
# 1024 (0x400 shell) print communication with shell backends
# 2048 (0x800 parse) entry parsing
# 4096 (0x1000 cache) caching (unused)
# 8192 (0x2000 index) data indexing (unused)
# 16384 (0x4000 sync) LDAPSync replication
# 32768 (0x8000 none) only messages that get logged whatever log level is set
loglevel 264

#Choose the database type to use.
# Note to netatalk users:  Netatalk can use a DBD backend to store its CNID database. Please be
#                          aware of this when upgrading your DBD version 
database bdb


#Enter the topmost suffix of your LDAP tree
suffix "dc=example,dc=lan"

#Set the distinguished name for the LDAP administrator user which is not subject to access 
# control or administrative restrictions for operations on this database.  An empty root
# DN (the default) specifies no root access is to be granted. It is recommended that the
# root dn only be specified  when needed (such as when initially populating a database).  
#  Note: the rootdn is always needed when using syncrepl.
rootdn "cn=admin,dc=example,dc=lan"

#Set the rootpw for the rootdn admin
# Note:  run 'slappasswd' from the command line to generate a password hash to use here.
#  (The password used in this example was:   secretpw
rootpw {SSHA}lkFH5nh2tq+iaCHaTi4gh2M62PaMOnjD

#Set the directory where the ldap database will be stored.
directory /etc/openldap/data/example.lan

#Set the absolute path and pidfile name
pidfile /var/run/slapd.pid

#`man slapd-bdb` to learn about this option
#cachesize 2000

## indexes to maintain

#Additional indices to maintain. (from the Official Samba 3 Howto Guide. p.163)
# NOTE:  An error such as "bdb_equality_candidates: (sambaGroupType) index_param failed"
# may be encountered when an attribute does not have an index but something is doing a search
# on that attribute.  This is not generally a problem for the occasional error but if the error
# is constant you can add in the appropriate index, stop slapd, and rebuild the index files with
# the slapindex utility.  There are performance tradeoffs between maintaining additional indices
# vs. allowing unindexed filter searches.  See: http://www.openldap.org/faq/data/cache/42.html

#################################################################################################
# Indices to maintain  [See the OPENLDAP section of the Official Samba3 HOWTO reference guide : #
# ( http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#id327194 )           #
#################################################################################################
## required by OpenLDAP
index objectclass eq
index cn pres,sub,eq
index sn pres,sub,eq

## required to support pdb_getsampwnam
index uid pres,sub,eq

## required to support pdb_getsambapwrid()
index displayName pres,sub,eq

## uncomment these if you are storing posixAccount and
## posixGroup entries in the directory as well
index uidNumber eq
index gidNumber eq
index memberUid eq


index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

## Additional Indices (possibly used by ldapsam:editposix)
#index   sambaSIDList            eq
#index   sambaGroupType          eq
#index   uniqueMember            eq

################ END OF INDEX MAINTENANCE LIST  #######################

#Grant rights to the LDAP directory. 
#TODO: come back and FIX this with the PROPER rights!!!!!
#Reference: http://www.stanford.edu/services/directory/openldap/configuration/slapd-acl.html
access to *
  by * read
access to *
  by * write
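The two placeholder stanzas above leave every attribute, password hashes included, readable by anonymous clients (slapd stops at the first 'access to' clause whose target matches, so the 'by * write' stanza is never reached). The following is an added example, not the page's own configuration, written in the page's heredoc style; it assumes the walkthrough's admin DN and suffix:

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: a least-privilege
# replacement for the two placeholder "access to *" stanzas in slapd.conf.
# The admin DN and the tree are the walkthrough's example values.

ADMIN_DN='cn=admin,dc=example,dc=lan'

# slapd_acl -- print the ACL fragment.  Paste it in place of the two stanzas
# at the end of slapd.conf.  Order matters: slapd uses the FIRST "access to"
# whose target matches, so the hash attributes must be listed before "*".
slapd_acl() {
  cat << EOF
# Password hashes: the admin DN (Samba's "ldap admin dn", nss_ldap's rootbinddn)
# may write them, a user may change his own, anyone may bind against them (auth),
# nobody may read them.  The rootdn bypasses ACLs anyway; the dn= line matters
# if the admin DN is ever made a different, non-root entry.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
  by dn="${ADMIN_DN}" write
  by self write
  by anonymous auth
  by * none

# Everything else is the POSIX/Samba account data that getent, id and the
# workstations need (anonymous reads), so it stays readable; only the admin DN
# may change it.
access to *
  by dn="${ADMIN_DN}" write
  by * read
EOF
}

# acl_protects_hashes -- sanity check on the fragment: the first "access to"
# clause must be the one covering the hash attributes, and it must end in
# "by * none".  Returns 0 when both hold.
acl_protects_hashes() {
  first=$(slapd_acl | grep '^access to' | head -n 1)
  case "$first" in
    "access to attrs="*userPassword*sambaNTPassword*) ;;
    *) return 1 ;;
  esac
  slapd_acl | sed -n '/^access to attrs=/,/^access to \*/p' | grep -q '^  by \* none$'
}

# hashes_hidden_from_anonymous -- after restarting slapd, confirm from the shell
# that an anonymous search no longer returns any hash: the attribute lines simply
# vanish from the output, so success means grep finds no "...Password:" line.
hashes_hidden_from_anonymous() {
  ! ldapsearch -x -LLL -b 'dc=example,dc=lan' '(uid=*)' \
      userPassword sambaNTPassword sambaLMPassword \
    | grep -qi 'Password:'
}
```

Run 'acl_protects_hashes' before touching slapd.conf, then 'hashes_hidden_from_anonymous' after '/etc/rc.d/rc.slapd restart' (and compare it against the same search run with '-D cn=admin,... -w' to prove the admin DN still sees the hashes).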
Now that our slapd.conf has been created we will need to ensure that our samba.schema is available in the /etc/openldap/schema directory. Because we are working with a known OS install and a known samba package installation, we know the location of the samba schema file.
#copy the samba.schema file from the doc directory to the /etc/openldap/schema directory
cp /usr/doc/samba-3.0.24/examples/LDAP/samba.schema /etc/openldap/schema/
/etc/openldap/ldap.conf (used by the ldap client on the system.)
Leaving this at the default for now since there is nothing at this point that should need it.
/etc/ldap.conf
The /etc/ldap.conf file provided by nss_ldap will need to be configured. This file will contain the distinguished name of the search base, the schema to enable, the nss_base values to use, and the rootbinddn user information. In our example configuration, the minimum settings we want to use will be:
#############################################
#  ldap.conf file for the nss_ldap library  #
#############################################
#For documentation on this file, see:  http://www.die.net/doc/linux/man/man5/nss_ldap.5.html
#the hostname of the ldap server
host 127.0.0.1

#the topmost level of the tree
base dc=example,dc=lan

#the distinguished name with which to bind to the directory server. This option is optional; 
#the default is to bind anonymously.
#binddn cn=admin,dc=example,dc=lan

#The cleartext password the binddn will use for simple (non SASL for instance) binds. 
#bindpw secret

#Just like the binddn option above, except it applies when the effective user ID is zero. 
#If not specified, then the identity specified in binddn is used instead. Because this file
#may be readable by many users, the root bind DN credentials are stored in the ldap.secret 
#file instead.   NOTE:  The rootbinddn parameter and the /etc/ldap.secret file will be used
# by the OS when looking up POSIX accounts or when running a command such as 'getent passwd'.
rootbinddn cn=admin,dc=example,dc=lan

#Set the level of depth you want ldap searched for records.
#see: http://www.idevelopment.info/data/LDAP/LDAP_Resources/SEARCH_Setting_the_SCOPE_Parameter.shtml
scope sub

#enable support for the RFC2307bis schema (distinguished names in groups)
nss_schema rfc2307bis

#Setting the values of your nss_base for password, shadow and group tells nss where in 
#the LDAP tree it can look to find the information that would normally be in the
#/etc/passwd, /etc/shadow and /etc/group files.
nss_base_passwd         ou=people,ou=home,dc=example,dc=lan?sub
nss_base_shadow         ou=people,ou=home,dc=example,dc=lan?sub
nss_base_group          ou=groups,ou=home,dc=example,dc=lan?sub

#***CAUTION!!***
# The user accounts and the samba computer accounts are in different areas of the tree!
# To ensure that the POSIX accounts for the computers are located, we must also inform
# NSS where ELSE it should search.
nss_base_passwd         ou=computers,ou=home,dc=example,dc=lan?sub

#An option that may be specified multiple times to direct nss_ldap to use the attribute 
#to_attribute instead of the RFC 2307 attribute from_attribute in all lookups. 
#  (template line from the nss_ldap sample ldap.conf; left commented out because no mapping is needed here)
#nss_map_attribute       rfc2307attribute        mapped_attribute
#An option that may be specified multiple times to direct nss_ldap to use the objectclass 
#to_objectclass instead of the RFC 2307 objectclass from_objectclass in all lookups. 
#nss_map_objectclass     rfc2307objectclass      mapped_objectclass

#Specifies whether SASL authentication should be used when the effective user ID is zero.
rootuse_sasl no
The /etc/ldap.secret file contains the desired ldap admin password. It must be readable by root only, hence the chmod 600.
echo secretpw > /etc/ldap.secret ; chmod 600 /etc/ldap.secret

Creating the initial LDAP tree

Designing your LDAP Directory Information Tree (DIT) is up to you and your needs. Many of the examples will use a flat "dc=example,dc=lan" tree with containers created for Users, Groups, Idmaps, and Computers. The example used here will provide us with an extra home OU layer in the tree so that the LDAP server is prepared for future growth should the need arise for another site. [...and so that we can do it just because it can be done! :) ]
#Create a file to hold the initial LDAP entries
cat > /tmp/initialtree.ldif << EOF
# Building the root node organization 
dn: dc=example,dc=lan
objectClass: top
objectclass: dcObject
objectclass: organization
dc: example
o: example LAN
description: example.LAN home network

# Organizational Role for Directory Management
dn: cn=Admin,dc=example,dc=lan
objectclass: organizationalRole
cn: admin
description: Directory Manager
objectclass: simpleSecurityObject
userPassword: {SSHA}lkFH5nh2tq+iaCHaTi4gh2M62PaMOnjD

# Setting up the home Organizational Unit
dn: ou=home,dc=example,dc=lan
objectclass: top
objectclass: organizationalUnit
ou: home

# Setting up the Users OU inside of the home OU
dn: ou=people,ou=home,dc=example,dc=lan
objectclass: top
objectclass: organizationalUnit
ou: people

# Setting up container for groups
dn: ou=groups,ou=home,dc=example,dc=lan
objectclass: top
objectclass: organizationalUnit
ou: groups

# Setting up container for computers
dn: ou=computers,ou=home,dc=example,dc=lan
objectclass: top
objectclass: organizationalUnit
ou: computers

# Setting up container for IDMAP
dn: ou=idmap,ou=home,dc=example,dc=lan
objectclass: top
objectclass: organizationalUnit
ou: idmap
EOF

#ensure that the LDAP data directory exists
mkdir -p /etc/openldap/data/example.lan

#Copy in a DB_CONFIG file to prevent annoying error messages
cp /etc/openldap/DB_CONFIG.example /etc/openldap/data/example.lan/DB_CONFIG

#Use 'slapadd' to populate the LDAP tree using the file containing the initial LDAP records.
slapadd -vl /tmp/initialtree.ldif

Starting and testing the LDAP server

REVIEW:

At this point we have installed all of the required packages that will interact to handle storing accounts in LDAP. We have configured the LDAP daemon (slapd) for use, the nss files have been configured to point to specific locations for data, the LDAP tree was designed using those specific locations, and the values were added to the database in 'offline' mode via slapadd.

The LDAP server now needs to be started and some quick tests run to verify that it is working and responding to queries. Because the original Slackware package is a client package, there is no script to manage the slapd daemon. The following box will create a start-up script, make the script executable, add the script to the Slackware rc.local file, start the server, view the slapd logs and perform a basic search so that we can see our data stored in LDAP.

#create or overwrite( > ) an rc.slapd file
cat > /etc/rc.d/rc.slapd << EOF
#!/bin/bash
# -x
#
# /etc/rc.d/rc.slapd
#
# Start/stop/restart the slapd daemon
#
# To make SLAP start automatically at boot, make this
# file executable:  chmod 755 /etc/rc.d/rc.slapd
#
#
# IMPORTANT NOTE: To kill off slapd safely, you should give 
#  a command like this:
#
#       kill -INT `cat /var/run/slapd.pid`
#
#  where /var/run is determined by configure.
#
#Killing slapd by a more drastic method may cause information loss or database corruption.

slap_start() {
  if [ -x /usr/bin/slapd -a -f /etc/openldap/slapd.conf ]; then
       echo "Starting Slap  /usr/bin/slapd"
       /usr/bin/slapd
  fi
}

slap_stop() {
  if [ -f /var/run/slapd.pid ] ; then
       kill -INT \`cat /var/run/slapd.pid\`
  else
       echo "I can't find /var/run/slapd.pid.  Will try to nuke any running slapd processes"
       killall -INT slapd
  fi
}

slap_restart() {
  slap_stop
  sleep 2
  slap_start
}

case "\$1" in
'start')
  slap_start
  ;;
'stop')
  slap_stop
  ;;
'restart')
  slap_restart
  ;;
*)
  # Default is "start", for backwards compatibility with previous
  # Slackware versions.  This may change to a 'usage' error someday.
  slap_start
esac

EOF

#Change the permissions on the rc.slapd file so that it is executable
chmod 700 /etc/rc.d/rc.slapd

#Add (append >> ) the rc.slapd command to the rc.local startup file
cat >> /etc/rc.d/rc.local << EOF

if [ -x /etc/rc.d/rc.slapd ] ; then
  echo "Starting the slapd daemon...."
  /etc/rc.d/rc.slapd start
fi
EOF


#Start the slap server 
/etc/rc.d/rc.slapd start

#look for slapd entries in the last 300 entries of /var/log/debug
tail -n 300 /var/log/debug | grep -i slapd

#wait for 4 seconds to allow for a good look at the logs
sleep 4

#use ldapsearch to list out the contents of the ldap database thus far
# using dc=example,dc=lan as a base
ldapsearch -x -b dc=example,dc=lan -LLL

Break time here to create and test a POSIX LDAP user

If you choose to create POSIX-only accounts on your server, you can store them in either /etc/passwd or in the LDAP database. The 'ldapadd' utility is used to add information into a running LDAP database. ('slapadd' can be used to add records when the slapd daemon is not running.)

To add a posix-only account you will need to identify and include the required attributes (hint: the MUST attributes from the schema files) into the posix-only user account. Alternatively you can use a third party utility such as Webmin to manage LDAP users and groups. (See the Webmin notes on the tools page for notes concerning Webmin.)
For the sake of expediency, webmin was used to create a group and a user with the gid and uid of 2000 and the resulting entries exported for use here. The following commands can be used to create a 'testuser' group and 'testuser' user in the LDAP tree.
cat > /tmp/testuser.ldif << EOF
dn: cn=testuser,ou=Groups,ou=home,dc=example,dc=lan
gidNumber: 2000
cn: testuser
userPassword:
objectClass: posixGroup
memberUid: testuser

dn: uid=testuser,ou=People,ou=home,dc=example,dc=lan
cn: Test User
uid: testuser
uidNumber: 2000
loginShell: /bin/bash
homeDirectory: /home/testuser
#The following userPassword is set to:   letmein
userPassword:: e2NyeXB0fU1EQ2NjZFZVQ0FMZFE=
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowLastChange: 13606
givenName: Test
sn: User
gecos: Test User
gidNumber: 2000
EOF

#add user using (-x simple authentication) (-f get data from file) 
#   -D "login as the following administrator user"  ( -w with_password)
ldapadd -x -f /tmp/testuser.ldif -D "cn=admin,dc=example,dc=lan" -w secretpw


Now that the testuser account is set up in LDAP, the NSS system needs to be told to look in LDAP for user and group data. The nsswitch.conf file contains lines that direct the system on where to look for account information. The current lines for passwd and group might be set to "files dns" or "compat". We need to edit the nsswitch.conf file so that the system looks in ldap first, then in files second: "ldap files".
Edit the /etc/nsswitch.conf file and locate the lines dealing with passwd and group. Back up and modify those lines so that they instruct NSS to use LDAP to resolve names.

NOTE: passwd:, shadow: AND group: <<------!!!!!! must ALL be specified in nsswitch.conf

The LDAP server is ready for testing. Running 'getent passwd' and 'getent group' should produce lists of POSIX users and groups from both the local files (root will be in the passwd list) and from the LDAP directory (our newly created testuser should also show up). Running 'id testuser' should show the account that is in LDAP but not in /etc/passwd.
#sample commands to run to verify that your LDAP server is running correctly.
#list all the POSIX users
getent passwd

#list all the POSIX groups
getent group

#get the listing for our testuser user
id testuser
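The nsswitch.conf edit and the checks described above, as an added example that is not part of the original page: an idempotent rewrite of the passwd, shadow and group lines followed by the verification the text asks for. The file path and the default "ldap files" order are the walkthrough's; "files ldap" is offered as an alternative for sites that need local accounts to resolve while slapd is down.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): switch the passwd, shadow
# and group databases in nsswitch.conf over to LDAP in one idempotent step, and
# check the result the way the text suggests.  The default source order is the
# walkthrough's "ldap files"; pass "files ldap" as the second argument if local
# accounts (root in particular) must keep resolving while slapd is unreachable.

# set_nss_ldap FILE [ORDER]  -- rewrite the three database lines in FILE.
set_nss_ldap() {
  file=$1
  order=${2:-"ldap files"}
  cp "$file" "$file.bak" || return 1         # keep a backup, as the text advises
  tmp=$(mktemp) || return 1
  # Drop whatever passwd:/shadow:/group: lines are there ("files dns", "compat",
  # ...) and append the three we want.  All THREE must be present, otherwise
  # some lookups (shadow, for instance) never consult nss_ldap.
  grep -v -E '^[[:space:]]*(passwd|shadow|group):' "$file" > "$tmp" || true
  for db in passwd shadow group; do
    printf '%s:\t%s\n' "$db" "$order" >> "$tmp"
  done
  cat "$tmp" > "$file" && rm -f "$tmp"       # cat keeps the file's owner and mode
}

# nss_db_sources FILE DB  -- print the sources configured for DB ("ldap files").
nss_db_sources() {
  sed -n -E "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# nss_ldap_ok FILE  -- succeed only if passwd, shadow and group all list ldap.
nss_ldap_ok() {
  for db in passwd shadow group; do
    case " $(nss_db_sources "$1" "$db") " in
      *" ldap "*) ;;
      *) echo "nsswitch.conf: '$db:' does not list ldap" >&2; return 1 ;;
    esac
  done
}

# check_ldap_user USER  -- the proof the text asks for: the account resolves
# through NSS ('id', 'getent') although it is absent from /etc/passwd.
check_ldap_user() {
  if grep -q "^$1:" /etc/passwd; then
    echo "$1 is in /etc/passwd, so this proves nothing about LDAP" >&2
    return 1
  fi
  id "$1" > /dev/null 2>&1 && getent passwd "$1" > /dev/null
}

# Usage on the real system (as root):
#   set_nss_ldap /etc/nsswitch.conf && nss_ldap_ok /etc/nsswitch.conf && check_ldap_user testuser
```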
Troubleshooting steps:
If you find that 'id testuser' and the 'getent' are not returning accounts from ldap....
  • Did you edit /etc/nsswitch.conf?
  • Is the password that is in the /etc/ldap.secret file (which is used by nss_ldap) the correct password?
  • Does the rootbinddn parameter in the nss_ldap config file (/etc/ldap.conf in our example) match what is in the database?
  • Is nss_ldap actually installed? [ I won't admit to ever having this issue. :) ]
When you are ready to continue on to the samba setup, you might want to remove the testuser. You will need to use an LDAP command (and not just userdel) to remove the user. The following commands will remove the example test user created.
ldapdelete -x -h localhost -D "cn=admin,dc=example,dc=lan" -w secretpw \
 "uid=testuser,ou=People,ou=home,dc=example,dc=lan"
ldapdelete -x -h localhost -D "cn=admin,dc=example,dc=lan" -w secretpw \
  "cn=testuser,ou=Groups,ou=home,dc=example,dc=lan"
*WARNING* If you decide to remove the test users by blowing away the whole ldap tree, then be sure to recreate a new basic tree. :)

Samba

A VERY IMPORTANT MESSAGE!!!
DO NOT START ANY SAMBA DAEMONS AT THIS POINT!
There are prerequisite steps that must be done before starting samba.

For the purposes of completing this project, the configuration of the samba server will consist of setting basic options in the smb.conf file followed by the provisioning of our Samba PDC. Once all these prerequisite steps are done, we will start the samba daemons and test our setup. After successfully testing our basic setup the project will have been completed. Further configuration of the samba server can be made/seen on the AdvancedSambaConfig page.

Configuring the samba configuration file

The Samba server configuration file in our example machine is /etc/samba/smb.conf . For the ease of documentation, the following config file with included documentation can be copied and pasted and edited to suit your own needs.
[global]
#Microsoft likes to use the DC components for the name of the domain.  The domain name can, in fact, be anything.
# In the case used here, rather than using "example.lan" for the name of the domain or workgroup, the TLD 
# component ".lan" will be dropped and replaced with the suffix "_DOM" to signify that it is a DOMain.
        workgroup = example_dom

        #The description of the server as it will appear when browsed.
        server string = Main File and Print server

        #Setting the security mode for this samba installation.
        security = user

        #Setting the location, size and level of the log files. 
        #   **Be sure the /var/log/samba path exists!!**
        log file = /var/log/samba/log.%m
        max log size = 50
        log level = 3


        dns proxy = no

        #Provide WINS support (Be a WINS server) on the network
        wins support = yes

        #Tell the Samba server to act as a domain controller for NT4 style domain services
        domain logons = yes

        #Performance tuning options
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

        #specify the local path to which the home directory will be connected
        logon drive = P:

        #Negotiate encrypted passwords with the client
        encrypt passwords = true

        #Unix users can map to different SMB User names
        username map = /etc/samba/smbusers


#Setting LDAP parameters
#TODO:  Document these better when 3.0.25 comes out with the updated man pages for smb.conf
#Set Samba to use an LDAP database for storing user and group information 
        passdb backend = ldapsam

#inform Samba that the complete user and group database that is relevant to Samba is
#   stored in LDAP with the standard posixAccount/posixGroup attributes and that the  Samba  
#   auxiliary object classes are stored together with the POSIX data in the same LDAP object.  
#   This allows Samba to completely bypass the NSS system to query user information. 
        ldapsam:trusted=yes

#Activate the editposix extension so that posix user management can be maintained by samba.
        ldapsam:editposix=yes

#Define whether or not Samba should sync the LDAP password with the NT and LM hashes for normal 
#   accounts (NOT for  workstation,  server  or domain trusts) on a password change via SAMBA. 
#
#       Default = no ( only update NT and LM passwords and update the pwdLastSet time.)
#       ldap password sync = no


#Tell idmap to use LDAP to obtain SID to UID / GID mappings for unmapped SIDs instead of having
# to use a local idmap tdb file.
        idmap backend = ldap:ldap://127.0.0.1

#Set the UID and GID range that idmap can use
        idmap uid = 1000-60000
        idmap gid = 1000-60000

#Set the ldap administrator information as well as the base suffix 
#    and the Users, Groups, and Computer suffixes
        ldap admin dn = cn=admin,dc=example,dc=lan
        ldap suffix = ou=home,dc=example,dc=lan
        ldap user suffix = ou=People
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=idmap

# *WARNING* - pay attention to the following parameter!!!
# setting the following parameter to yes will cause a delete operation in ldapsam to delete
# the COMPLETE ldap entry and not just the SAMBA attributes. 
        ldap delete dn = yes




[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[netlogon]
  comment = Network Logon Service
# **BE SURE THE FOLLOWING PATH EXISTS**
  path = /home/sambadata/netlogon
  guest ok = yes
   writable = no
   share modes = no
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   guest ok = no
   writable = no
   printable = yes

[sys]
   comment = Network Share
   path = /home/sys
   writable = yes
   printable = no
#NOTE: The name of the group @domusers, is the name of the unix group that the 'net sam provision'
#      script will create.  TODO: Document this behavior on the wiki.samba.org/ldapsam_editposix page.
   write list = @domusers


Once you have saved your samba config file, we are ready to provision the LDAP database with the necessary samba values. If a particular domain SID is desired, run the commands to set the SIDs first; this ensures that the additional data is created under that domain SID. The steps are then: set the domain SID (if desired), set the ldap admin password in the samba database, and THEN launch our first samba daemon, winbindd. With winbindd successfully running, we can run the 'net sam provision' command to generate the default Administrator user and domain groups along with the appropriate default group mappings.
#optional step to set the local and domain SIDs
net setlocalsid S-1-5-21-4001470350-4061692207-2918579299
net setdomainsid S-1-5-21-4001470350-4061692207-2918579299

#Store the LDAP admin password in samba
smbpasswd -w secretpw

#Launch the first samba daemon that will be required by 'net sam provision'
winbindd

#Run the command to provision the database
net sam provision

#Now let's start samba (slackware style)
/etc/rc.d/rc.samba start

#Now we must set samba account rights to the Administrator user
net rpc rights grant Administrator SeAddUsersPrivilege -U Administrator
net rpc rights grant Administrator SeMachineAccountPrivilege -U Administrator
Now that your new samba based PDC/domain is setup and running, you are ready to join a computer to the new domain and begin setting up users.
In our example, you would join your workstation to the domain with the user credentials...
  • username: example_dom/Administrator
  • password: secretpw
######################################################################
###   NOTE: The workstation joining needs to tested and verified!! ###
######################################################################

Congratulations!!!

It is now time to open your adult beverage of choice and take a break!
CURRENT PROGRESS 2007-06-05

***Other notes and questions to answer or document further***


Questions:

  1. What are the various pieces of the puzzle? What checklist can be used? (in other words, make a map!)
  2. How does one activate and test the start_tls portion of the ldap setup? (make a new section???)


Page last modified by October 03, 2007, at 12:53 PM