Tuesday, December 30, 2008

Firewall and Internet sharing - Firestarter

Introduction

Firestarter is an Open Source visual firewall program. The software aims to combine ease of use with powerful features, therefore serving both Linux desktop users and system administrators.

Installation

Firestarter is packaged for many of the leading Linux distributions. Using a pre-compiled package ensures that the program will integrate properly with your distribution of choice. For platforms for which a binary package does not yet exist and for experienced users, Firestarter can also be compiled from source.

Installing in Fedora Core, Red Hat Linux, SuSE or Mandrake

Firestarter is conveniently available in RPM package format for RPM enabled Linux distributions like Fedora Core, SuSE and Mandrake.

Once you have downloaded the Firestarter RPM specific to your distribution, open a terminal and change to the directory where you downloaded the RPM to. Type the following commands (the lines beginning with [bash]$) to install the package:

[bash]$ su
Password: [Type your root password and hit enter]
[bash]$ rpm -Uvh firestarter*rpm
Preparing...
...

Barring any unresolved dependencies or other problems, Firestarter should now be installed. Alternatively you can use a graphical package manager by double clicking the RPM file in your file manager.

Installing in Debian and Ubuntu

Firestarter is maintained in Debian and can be downloaded and installed using the apt-get tool by simply typing "apt-get install firestarter".

Ubuntu users can install Firestarter by enabling the "universe" repository in the /etc/apt/sources.list file or in synaptic under Settings->Repositories. Having enabled the repository, the procedure is the same as in Debian.

Installing in Gentoo

Firestarter is fully supported in the Gentoo distribution by the Portage system. Simply run "emerge firestarter" to install the program.

Compiling and installing from source

Start by downloading the tar.gz version of Firestarter. Unpack the tarball and move into the newly created directory:

[bash]$ tar -zxvf firestarter*tar.gz
...
[bash]$ cd firestarter

Run the configure script. There is no need to give any parameters to the script, but we recommend you at least specify the sysconfdir variable, which determines the directory the firewall configuration will be written to. For a full list of options, see ./configure --help.

[bash]$ ./configure --sysconfdir=/etc
checking for a BSD compatible install... /usr/bin/install -c
...

By default Firestarter will be installed into the /usr/local tree when compiling from source. You can override this by setting the prefix option.

If the configure stage completed without problem you should now be able to compile and install the program:

[bash]$ make
...
[bash]$ su
Password: [Type your root password and hit enter]
[bash]$ make install
...

The make install stage is optional. You can also run Firestarter directly from the src subdirectory of the build tree if you want. In that case you must however first issue "make install-data-local" in the build directory. This installs the GConf configuration schema; Firestarter will not run without it.

Installing a Firestarter init script

When you install Firestarter from a package the program is automatically registered to run as a system service. This means the firewall is also running even if the graphical program is not. If you compile Firestarter from source and want this same functionality, you will have to install a system init script for your distribution.

In the firestarter tarball you will find .init files. These are service startup scripts tailored to specific distributions, although you can likely use one even if it doesn't exactly match your distribution with a bit of editing.

To install the service, copy the init file to /etc/init.d/ and rename it to firestarter.init. After this you must tell the system to use the new script; exactly how this is done varies between distributions. If your distribution has the chkconfig tool available, simply run "chkconfig firestarter reset" and the service will be registered.


Starting Firestarter

After downloading and installing Firestarter, you will find the Firestarter icon in your desktop's programs menu. For example, in Fedora Core the Firestarter icon is located in the System tools menu. Alternatively you can run the program by simply executing "firestarter" from either a command line or from the Run Application... dialog (accessed by pressing Alt-F2).

Password prompt

Unless you are already logged in as root, you will be prompted for your root user password when starting Firestarter as a regular user.

Running Firestarter for the first time

Since you are running Firestarter for the first time, a wizard is launched. Following the welcome screen, you will be asked to select your network device from a list of detected choices for your machine. In case you have multiple devices, select the one that provides your Internet connection, otherwise you can use the default supplied.

In case your machine has multiple devices and can act as a gateway for your network, you will next have the option of sharing your Internet connection among all the computers on your local network. Again, simply select the local network connected device from the list of detected devices. If you wish for the clients to acquire their network settings automatically, simply check the option to Enable DHCP for local network.

Having completed the wizard, click the save button on the final page. The firewall is now ready and running, and your machine has an added layer of security. Firestarter now works in its default mode, which is a restrictive policy for incoming traffic and a permissive stance towards outgoing connections. This means you are fully protected against connection attempts from the outside, but are still able to browse the web, read your email, etc. as normal. There is no need to further configure Firestarter if you are satisfied with these defaults.


Trying out the Firestarter interface

The main Firestarter application

Let's take a quick look at some of the features of the program itself. The application is divided into three pages, accessed through a tabbed notebook interface. These pages are Status, giving you a fast overview of the state of the firewall, Events, where blocked intrusion attempts and the firewall history are shown, and Policy, where you alter the behavior of the firewall by creating security policy.

From the Status page, where you start out, you can further access the preferences, where you can change your network settings as well as enable advanced options such as ICMP or ToS filtering. For now, let's take a look at the Events page.

Reacting to events

On the events page you will see all connections that the firewall has terminated since you started the program. By pressing the reload button you can also import all the previous events as recorded in the system log. This is really the core of the Firestarter program. Firestarter starts out in a restrictive mode, providing complete protection against incoming intrusions. That means that if you are running a legitimate service on your machine, for example a web server or SSH, connections to these services will also be stopped and recorded here at first.

Traditional firewalls will have you scrambling for the settings and configuration files at this point. However, when you see a connection attempt that you want to authorize, you simply right-click the entry in Firestarter and select "Allow inbound service for everyone". If you want to give access to the machine that is attempting the connection, but without even letting anyone else know that you're running the service in question, select "Allow inbound service for source". This is known as stealthing and can be a very powerful tool.

Creating policy

The previous example of enabling the service could also have been accomplished from the Policy page. However, creating policy from events is not just a gimmick; in reality you will often want to do it this way for maximum security. By opening services to select machines only after the connection attempt, as shown above, you effectively minimize your exposure on the net. It's also very convenient.

Let's take a look at a legitimate reason to resort to the Policy page. Say Firestarter is running on your gateway, doing Internet connection sharing for your local network. On your local network you have a desktop, on which you wish to use the BitTorrent application. In the BitTorrent manual it tells you to "forward ports 6881-6889 from your firewall". With Firestarter this kind of setup is a piece of cake. Select the Policy page, right click on the list marked Forward service and select Add rule. You will be presented with a dialog for creating a new policy rule. Select BitTorrent from the service drop-down, fill in the IP of the client and you're done. Click the Apply Policy button to apply the changes.

Quitting the program

A frequently asked question is what happens when you quit the program. The answer is that the firewall will keep functioning. If you are running Firestarter as a system service, which is automatically set up for you when installing Firestarter from a binary package, the firewall is in many cases even running before you start the program.

Internet connection sharing

Firestarter has the ability to share the firewall host's Internet connection among all the computers on your local network. This is done through a technique called Network Address Translation, or NAT. To the outside world the cluster of machines will look like a single machine with a single IP address.

For connection sharing to work you need to have two or more network devices in your firewall. If the local network is set up correctly, enabling connection sharing is as easy as enabling the option in either the firewall wizard or the Firestarter preferences.

The physical setup and network device settings

Figure: A complex NAT setup (sharing a connection with a local network)

The procedure for setting up a network using connection sharing is essentially the same whether you have only two computers or a more complex network with hubs or switches connecting multiple computers. For this example we will be assuming that the Internet connected device on the firewall is an Ethernet card, but a modem or ISDN will work too.

The Firewall/gateway machine connected to the Internet will need two network cards and the clients need one each.

The first network card in the firewall, the external interface, will be the one physically connected to the Internet. This card is usually automatically configured with DHCP. The second network card in the firewall, the internal interface, will be connected to the client machines via either a crossover cable if the connection goes directly to another computer, or regular cable if you have a hub or switch.

Figure: A simple NAT setup (sharing a connection with a single computer)

The internal interface of the firewall needs to be statically configured. There are many ways to configure a network interface depending on the distribution you use. Fedora and Red Hat Linux ship with a simple command line tool called netconfig and a more sophisticated graphical tool called system-config-network. system-config-network works better with multiple network cards in the same machine, so we recommend you try it. Other distributions include their own configuration tools, for example in SuSE you would use the Yast program.

No matter how you decide to configure the network cards, these are the settings you should enter:

For the external device (usually eth0):
  • Enable dynamic IP configuration (DHCP)
  • That's it. You're done, don't touch this card further.
The internal device (usually eth1):
  • Disable dynamic IP configuration
  • IP address: 192.168.0.1
  • Netmask: 255.255.255.0
  • Default gateway (IP): leave empty

Any changes you make will take effect after a reboot, or more elegantly after a restart of the network services (run "/etc/init.d/network restart" as root in most distributions).

Configuring the clients

There are two ways to configure the clients. The more elegant and in the long run easier way is to run a DHCP service on the firewall. A DHCP server distributes the network settings such as the IP address, the default gateway, nameservers, etc. at run time to each client. The alternative to using a DHCP server is to configure every client manually.

Using the DHCP service is as easy as simply enabling it in Firestarter. For more information about the service and how to configure it, refer to the section on configuring the DHCP server.

When using DHCP, the clients need only be configured to use dynamic IP configuration. No other settings need to be changed.

Configuring the clients manually

If you do not wish to use the DHCP service, configure the network devices of the clients to use the following settings:

  • Disable dynamic IP configuration
  • IP address: 192.168.0.2 to 192.168.0.254, with each client using a unique IP
  • Netmask: 255.255.255.0
  • Default gateway (IP): 192.168.0.1
  • Primary nameserver: Set this to the same nameserver as used on the firewall. You can see the correct setting in the /etc/resolv.conf file on the firewall.

Restart the network service and you're done.

Testing the Setup

The computers should now be connected and the hardware level configuration complete. To test that everything is ok, try pinging the gateway from the client and vice versa.

Enter the following at the firewall machine console, to test that the gateway can reach the client:

[bash]$ ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) from 192.168.0.1 : 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=255 time=1.37 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=255 time=0.635 ms
64 bytes from 192.168.0.2: icmp_seq=3 ttl=255 time=0.638 ms

--- 192.168.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 2010ms
rtt min/avg/max/mdev = 0.635/0.882/1.375/0.349 ms
[bash]$

Note: in case of DHCP, the IPs might be assigned differently from the example above.

If it is not working you know that the problem lies with the hardware or network configuration. It is common to get the default gateway setting wrong, so double check it.

At this point:
  • The firewall machine should be able to reach the Internet
  • The clients and firewall should be able to ping each other
  • The clients should be able to reach the Internet if the Internet connection sharing option is enabled in Firestarter.
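Firestarter is a front end to iptables. As an added example (not Firestarter's generated script and not part of the original page), here is the kind of ruleset the setup described above amounts to: restrictive inbound policy, permissive outbound, masquerading for the 192.168.0.0/24 LAN, and the "Forward service" rule for BitTorrent ports 6881-6889 to one client. The interface names eth0/eth1 and the client address 192.168.0.2 are assumptions taken from the examples above; the script only prints the rules in iptables-restore format and does not apply anything.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset equivalent to the
# Firestarter policy described on this page. Nothing is applied; pipe the
# output into "iptables-restore" as root if you want to load it.

# gen_rules EXT_IF INT_IF LAN_CIDR [FWD_CLIENT_IP FWD_PORT_RANGE]
gen_rules() {
    ext="$1"; int="$2"; lan="$3"; client="$4"; ports="$5"

    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    # Connection sharing: LAN sources leave with the firewall's external address.
    echo "-A POSTROUTING -s $lan -o $ext -j MASQUERADE"
    if [ -n "$client" ]; then
        # "Forward service": inbound TCP on the port range is rewritten to one LAN host.
        echo "-A PREROUTING -i $ext -p tcp --dport $ports -j DNAT --to-destination $client"
    fi
    echo 'COMMIT'

    echo '*filter'
    # Restrictive default for inbound and forwarded traffic, permissive outbound.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # LAN clients may talk to the gateway itself (DHCP, DNS, ping).
    echo "-A INPUT -i $int -s $lan -j ACCEPT"
    # Log everything else before the DROP policy, so it appears as an event
    # in the system log, which is what the Events page reads.
    echo '-A INPUT -j LOG --log-prefix "Inbound "'
    # Clients may reach the Internet; replies come back through conntrack.
    echo "-A FORWARD -i $int -o $ext -s $lan -j ACCEPT"
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    if [ -n "$client" ]; then
        # The forwarded service also needs a FORWARD allow, scoped to that client.
        echo "-A FORWARD -i $ext -o $int -p tcp -d $client --dport $ports -j ACCEPT"
    fi
    echo 'COMMIT'
}

# The FORWARD chain does nothing unless routing is enabled:
#   sysctl -w net.ipv4.ip_forward=1
gen_rules eth0 eth1 192.168.0.0/24 192.168.0.2 6881:6889
```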

Thursday, November 13, 2008

LDAP complete Setup

Ubuntu 8.04 Small Business Server (version 2.0)

This is version 2.0 of my original guide. I am including the original guide with additional notes and modifications. Version 2.0 of the guide also incorporates the addition of Windows shares, Windows login scripts, and NFS mounts. I will go into detail for configuring a Windows XP Professional SP2 client computer and an Ubuntu client computer. RAID1 will be used to ensure data integrity for our user home directories and for our LDAP database. Please note that this is an optional modification to the guide.

Much of the work on this guide has been done for my own amusement and proof of concept, as I am a computer consultant who continually looks for the best way to serve my customers. As such the guide will need to be customized for your exact scenario. Also note that because I put this guide on the internet it means I believe in it and that I know it works. If you go through my guide and copy/paste every command then this WILL work without issue. If you make a change you must ensure that you follow the change throughout the guide.

Please note, and this is very important, this guide only applies to the SAMBA3 branch. SAMBA4 is in development and will supposedly make most of this guide obsolete. When that happens count on a new guide based on the new technology found in SAMBA4.


Goals


The overall goal is to have a server computer with the role of "domain controller." My definition of domain controller is a server computer with a central user database that client computers can authenticate against. This guide will accomplish the following goals:

  1. Central user authentication using an LDAP database

  2. Central storage of users home directories using a combination of NFS and SAMBA

  3. The creation of a SAMBA domain that Windows XP Professional SP2 computers can "join" and participate in

  4. A DNS server that can be used on your network

  5. Data integrity from the use of RAID1 arrays for user and LDAP data


Configure A Fully Qualified Domain Name

We need to change our hostname to be a fully qualified domain name (FQDN). The safe way to do this is to add it to the /etc/hosts file and then edit the /etc/hostname file to reflect the change. Your FQDN if you follow this guide exactly will be dc01-ubuntu.example.local.

Once again I will post the command and my resulting file for your reference.

vim /etc/hosts

/etc/hosts

127.0.0.1       localhost
127.0.1.1       dc01-ubuntu dc01-ubuntu.example.local

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

vim /etc/hostname

/etc/hostname

dc01-ubuntu.example.local

Configure External Time Sync

This step can be optional if you prefer. I feel as though this should be required, however. In a network with a client/server model you want every device to have the exact same time. Otherwise concurrent file access and other items could run into unexpected problems. From a security standpoint you want to make sure that all devices have the same time so that file changes can be tracked in the case of an intruder. As I said, this is optional but I highly recommend it.

First install the NTP service. This is a small install and is very easy to configure.

apt-get install ntp

Now we need to edit the file /etc/ntp.conf and add an additional line to the file. Add "server pool.ntp.org" below "server ntp.ubuntu.com". Here is the command:

vim /etc/ntp.conf

Here is a copy of my file after making the change.

/etc/ntp.conf

# /etc/ntp.conf, configuration for ntpd

driftfile /var/lib/ntp/ntp.drift

# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# You do need to talk to an NTP server or two (or three).
server ntp.ubuntu.com
server pool.ntp.org

# By default, exchange time with everybody, but don't allow configuration.
# See /usr/share/doc/ntp-doc/html/accopt.html for details.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access,
# but only if cryptographically authenticated
#restrict 192.168.123.0  mask  255.255.255.0 notrust

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet,
# de-comment the next lines. Please do this only if you trust everybody
# on the network!
#disable auth
#broadcastclient

Now we will reboot the server to ensure that everything is working properly.

shutdown -r now

OR

reboot

Step 3: Configure LDAP Data Directory and LDAP User Home Directories


We will be making two directories. However, pay attention here, because this is important. The /ldaphome directory MUST be created, do not skip that. The /ldap_data directory is optional depending on how you wish to install and configure OpenLDAP. In that section I show you two different ways for configuring OpenLDAP. If you will be leaving OpenLDAP in the default directory then you do not need to create the /ldap_data directory.

Run the following commands to create the directories:

mkdir /ldaphome
mkdir /ldap_data

Step 4: Configure RAID1 (Mirroring)


This is an optional step. I'm including these notes for those of you who have the hard drives and would like the data integrity and security. Basically we are going to use a program called CFDISK to partition and configure our hard drives. We will then use the program MDADM to set up each of our RAID arrays. We will then configure the MDADM configuration file so that our arrays are recognized automatically in the future. Then we will format each array and mount each array in its designated directory. The final step will be to configure our /etc/fstab configuration file to automatically mount our arrays at bootup. Once again, this is optional. If you are not using RAID then you can safely ignore this step.

Install the MDADM software package.

apt-get install mdadm

Next we need to use CFDISK to partition and configure our hard drives. Basically each hard drive needs a partition. Make it a primary partition. You will be using type "fd" for Linux raid. Please be sure to put the correct /dev/xxx in the command. I recommend writing out what you'll be doing and going off that sheet so it is less confusing.

cfdisk /dev/sdb
cfdisk /dev/sdc
cfdisk /dev/sdd
cfdisk /dev/sde

Now we can create the first array.

mdadm --create --verbose /dev/md0 --level=1 --raid-devices=2 /dev/sdb1 /dev/sdc1

OK - that command is definitely confusing. Here is what it all means. We are invoking the program and telling it to create a new RAID device. The program is going to give us as much information as possible. The device it is going to create is /dev/md0. RAID1 will be used for the device. Only two devices are going to be participating in the array. Those two devices are /dev/sdb1 and /dev/sdc1.

Next format the array with the ext3 filesystem. Naturally you can use whatever filesystem you want, but this is what I am familiar with.

mkfs.ext3 /dev/md0

Now we can create the second array.

mdadm --create --verbose /dev/md1 --level=1 --raid-devices=2 /dev/sdd1 /dev/sde1

Next format the array with the ext3 filesystem. Naturally you can use whatever filesystem you want, but this is what I am familiar with.

mkfs.ext3 /dev/md1

Great! Now we have our two arrays. The next thing we need to do is define these two arrays in our /etc/mdadm.conf file.

vim /etc/mdadm.conf 

/etc/mdadm.conf

DEVICE        /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1
ARRAY        /dev/md0 devices=/dev/sdb1,/dev/sdc1
ARRAY        /dev/md1 devices=/dev/sdd1,/dev/sde1

Alright, go ahead and try mounting the RAID arrays to their respective folders. In my case /dev/md0 will be mounted at /ldap_data and /dev/md1 will be mounted at /ldaphome.

mount /dev/md0 /ldap_data
mount /dev/md1 /ldaphome

Does it work? If not then you have your work cut out for you. If yes then continue.

Let's add the mounting information to the /etc/fstab file. We will be adding the following lines:

# Custom RAID entries
/dev/md0 /ldap_data ext3 defaults,errors=remount-ro 0 1
/dev/md1 /ldaphome ext3 defaults,errors=remount-ro 0 1

vim /etc/fstab 

/etc/fstab

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# /dev/sda1
UUID=09afe0b0-d7df-4322-bd07-fa0854041a6f /               ext3    defaults,errors=remount-ro 0       1
# /dev/sda5
UUID=d557816b-8149-46ea-b6fb-dd674231e597 none            swap    sw              0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto,exec 0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec 0       0

# Custom RAID entries
/dev/md0 /ldap_data ext3 defaults,errors=remount-ro 0 1
/dev/md1 /ldaphome ext3 defaults,errors=remount-ro 0 1

Now reboot the server and ensure that everything mounts correctly!

reboot
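A mirror that has silently lost a member gives none of the data integrity this step is for, so it is worth checking the kernel's own view of the arrays after the reboot. This is an added example, not from the guide: it reads a file in /proc/mdstat format (pass /proc/mdstat on the real server; the sample embedded below is constructed) and reports any array whose member status shows a missing disk.

```shell
#!/bin/sh
# Added example: report RAID1 arrays in /proc/mdstat that are missing a
# member. The mdstat path is an argument so the check can be run against a
# constructed sample; on the server call it with /proc/mdstat.
# Exit status of check_mdstat: 0 when every array is healthy, 1 otherwise.

# degraded_arrays MDSTAT_FILE: print "mdN [status]" for arrays whose member
# status string ([UU] = both mirrors up, [U_] = one missing) contains a gap.
degraded_arrays() {
    awk '
        /^md[0-9]+ :/ { dev = $1; next }            # "md0 : active raid1 sdc1[1] sdb1[0]"
        dev != "" && /\[[U_]+\]/ {                  # status line: "... blocks [2/2] [UU]"
            match($0, /\[[U_]+\]/)
            status = substr($0, RSTART, RLENGTH)
            if (index(status, "_") > 0) print dev, status
            dev = ""
        }
    ' "$1"
}

# check_mdstat MDSTAT_FILE: human-readable verdict plus exit status, suitable
# for a cron job that mails its output through the Postfix install in Step 5.
check_mdstat() {
    bad=$(degraded_arrays "$1")
    if [ -n "$bad" ]; then
        echo "DEGRADED arrays:"
        echo "$bad"
        return 1
    fi
    echo "all arrays healthy"
    return 0
}

# Constructed sample in /proc/mdstat format: md0 is healthy, md1 has lost sde1.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Personalities : [raid1]
md1 : active raid1 sdd1[0]
      8385792 blocks [2/1] [U_]

md0 : active raid1 sdc1[1] sdb1[0]
      8385792 blocks [2/2] [UU]

unused devices: <none>
EOF
check_mdstat "$sample" || true   # the sample is expected to be flagged
rm -f "$sample"
```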

Step 5: Install Postfix Mail Agent


We will be installing Postfix for several reasons. One, the system needs a mailserver in order to email reports about the RAID arrays and other items of interest. Two, you might wish to use a mail server for other tasks. Three, it just makes things easier. Four, the reason I chose to install Postfix is because it is the only mail server that I am familiar with. Like something else? Good for you, use it.

I guess that the first thing to do would be to actually install it:

apt-get install postfix mailx

During the installation it will ask you some questions. Answer as follows:

Internet site
dc01-ubuntu.example.local

Naturally you will want to customize those answers to tailor to your environment, but if you are following this guide exactly then the answers I provide should be sufficient.

Step 6: Install OpenLDAP

You might notice that this step is very similar to Step 2 in the original guide. What I've done in version 2.0 is change the order slightly and move some steps into their own sections to simplify the entire guide. My hope is that this will be easier to follow and use.

OK, well we need to install OpenLDAP at this point. We're using OpenLDAP as opposed to other LDAP servers for one reason and one only: This is the only program that I found good documentation for in regards to SAMBA and other services. I'm fairly certain that you can use Novell and other LDAP servers in place of OpenLDAP. Please be advised that those are beyond my comprehension at this time and I'd rather stick to the standard - OpenLDAP in this case.

There are two ways to configure OpenLDAP. In one configuration we will have OpenLDAP store its data in a different directory than default. I do this so that the directory can be on its own hard drive for backup purposes. Others may wish to "leave it as it is." That is fine. This guide will work either way. Therefore I have two sub-sections here. The first section describes how to install and configure OpenLDAP with the default directory. The second section shows you how to customize it.

OpenLDAP with the Default Directory

Install OpenLDAP:

apt-get install slapd ldap-utils migrationtools

This installs more than just OpenLDAP - it installs other utilities that can be of assistance to you.

During the installation you will be prompted to supply an Admin password and then to confirm it:

Admin password: 12345
Confirm password: 12345

Now we need to reconfigure OpenLDAP and customize it to our needs.

dpkg-reconfigure slapd

Naturally this will also prompt you for some information. Here are the answers that I am using. Please note that when you deviate here you must also follow suit everywhere else! If you change the domain name then change it everywhere else!

No
DNS domain name: example.local
Name of your organization: example.local
Admin password: 12345
Confirm password: 12345
OK
BDB
No
Yes
No

And now you have OpenLDAP installed!

OpenLDAP with a Customized Directory

Install OpenLDAP:

apt-get install slapd ldap-utils migrationtools

This installs more than just OpenLDAP - it installs other utilities that can be of assistance to you.

During the installation you will be prompted to answer some questions. Here are the answers that I am using:

Admin password: 12345
Confirm password: 12345

Reconfigure OpenLDAP:

dpkg-reconfigure slapd

Answers:

No
DNS domain name: example.local
Name of your organization: example.local
Admin password: 12345
Confirm password: 12345
OK
BDB
Yes
Yes
No

Stop OpenLDAP:

/etc/init.d/slapd stop

Edit the file /etc/ldap/slapd.conf and change the directory. In the file, find the first line reading directory "/var/lib/ldap" and change it to directory "/ldap_data".

vim /etc/ldap/slapd.conf

Copy all the current DB files into our new directory:

cp -R /var/lib/ldap/* /ldap_data/

Set the correct permissions on the new directory and files:

chown -R openldap:openldap /ldap_data/

Yes, we need to reconfigure OpenLDAP yet again.

dpkg-reconfigure slapd

Answers:

No
DNS domain name: example.local
Name of your organization: example.local
Admin password: 12345
Confirm password: 12345
OK
BDB
Yes
Yes
No

Now start OpenLDAP:

/etc/init.d/slapd start

Here is a copy of my /etc/ldap/slapd.conf file after this initial change:

/etc/ldap/slapd.conf

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        0

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb
checkpoint 512 30

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend                <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=nodomain"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
# rootdn          "cn=admin,dc=nodomain"

# Where the database file are physically stored for database #1
#directory       "/var/lib/ldap"
directory    "/ldap_data"

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index           objectClass eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=nodomain" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=nodomain" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=nodomain" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this databasse until another
# 'database' directive occurs
#database        <other>

# The base of your directory for database #2
#suffix         "dc=debian,dc=org"

I'm a firm believer in fully testing everything. Therefore I recommend rebooting. If you don't wish to perform a full reboot then go ahead and just restart OpenLDAP.

reboot

OR:

/etc/init.d/slapd restart 

Now OpenLDAP is installed and it should be functional. You can verify that it is running by scanning your server with a portscanner, like NMAP.

Step 7: Install SAMBA

We want to install SAMBA because we wish to have a domain the Windows clients can participate in. We also want to share files, etc... SAMBA is a good program for this. One thing to look forward to is the fact that SAMBA now has access to Microsoft documents that detail the SMB protocol. What does this mean? Well it hopefully means that in the future SAMBA and Windows will be able to interoperate without issues.

It has been pointed out that this step could be optional in some situations. For example, if you are running a Linux-only network then this part, and several other parts, could be optional; the same goes if you wish to separate your services and run SAMBA on a different server. In those situations treat these directions as a guide; for the second-server case you should be able to follow most of the same steps without issue and have it work, provided DNS works.

For the majority of people following this guide then this is a required step. Please don't deviate unless you know what you are doing.

Install the required software:

apt-get install samba smbldap-tools smbclient samba-doc

There should be no prompts for answers or any additional configuration.

Step 8: Configure OpenLDAP for use with SAMBA

By default OpenLDAP is not configured to work with SAMBA. We need to tell OpenLDAP that SAMBA is there and how to talk to it. We do this by installing a schema file for OpenLDAP that describes SAMBA.

Run the following commands to install the file in the correct location:

cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
gzip -d /etc/ldap/schema/samba.schema.gz

Now we need to edit the OpenLDAP configuration file, again. I wish this step could have been earlier but if we did that then OpenLDAP complains about missing items.

vim /etc/ldap/slapd.conf

Find the lines that begin with "include" - you'll notice that this is how OpenLDAP knows about other configuration files. Now add the following two lines below the other "include" lines:

include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/misc.schema

While in the file we need to change another line. Find the line that says "access to attrs=userPassword,shadowLastChange" and change it to:

access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword

Now we can either reboot the server or just restart the service:

reboot

OR:

/etc/init.d/slapd restart 
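As an added check, not code from the original guide, the following Python models slapd's first-match ACL evaluation over a constructed fragment of the ACLs shown in the reference slapd.conf above, to make the point of this step concrete: until the "access to attrs=" line is extended, sambaNTPassword and sambaLMPassword fall through to the "access to * ... by * read" rule and become readable by anonymous binds. The handling of dn-scoped targets such as dn.base="" is a simplification, and the fragment keeps the dc=nodomain suffix from the reference file.

```python
import re
from typing import List, Tuple

# Constructed slapd.conf fragment modelled on the ACLs in the reference file
# above, as they stand once samba.schema is included but BEFORE the
# "access to attrs=" line is extended in Step 8.
SLAPD_CONF_BEFORE = """\
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=nodomain" write
        by anonymous auth
        by self write
        by * none

access to dn.base="" by * read

# The admin dn has full write access, everyone else can read everything.
access to *
        by dn="cn=admin,dc=nodomain" write
        by * read
"""

# The same fragment AFTER the Step 8 change.
SLAPD_CONF_AFTER = SLAPD_CONF_BEFORE.replace(
    "attrs=userPassword,shadowLastChange",
    "attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword",
)

# Attributes holding credential material once samba.schema is loaded.
SECRET_ATTRS = ("userPassword", "sambaNTPassword", "sambaLMPassword")

# slapd access levels, weakest to strongest (see slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

Acl = Tuple[str, List[Tuple[str, str]]]  # (target, [(who, level), ...])


def parse_acls(conf: str) -> List[Acl]:
    """Collect 'access to' clauses in file order, joining indented continuation lines."""
    clauses: List[str] = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw.startswith("access to "):
            clauses.append(raw[len("access to "):].strip())
        elif clauses and raw[:1].isspace():
            clauses[-1] += " " + raw.strip()
    acls: List[Acl] = []
    for clause in clauses:
        target, *by_parts = re.split(r"\s+by\s+", clause)
        bys = [tuple(part.rsplit(None, 1)) for part in by_parts]  # ("who", "level")
        acls.append((target.strip(), bys))
    return acls


def rank(level: str) -> int:
    """Numeric strength of an access level; unknown levels count as 'none'."""
    return LEVELS.index(level) if level in LEVELS else 0


def target_matches(target: str, attr: str) -> bool:
    """Does the target select `attr` on an ordinary user entry?

    Simplified model: '*' selects everything, 'attrs=...' selects the listed
    attributes of any entry, and dn-scoped targets such as dn.base="" (the
    root DSE) are treated as not selecting user entries at all.
    """
    if target == "*":
        return True
    if target.startswith("dn"):
        return False
    m = re.fullmatch(r"attrs=([\w,;-]+)", target)
    return bool(m) and attr in m.group(1).split(",")


def anonymous_level(conf: str, attr: str) -> str:
    """Access an unauthenticated client gets to `attr` under slapd's first-match rule:
    the first clause whose target matches decides, its first matching 'by' wins,
    and a matching clause with no matching 'by' denies."""
    for target, bys in parse_acls(conf):
        if not target_matches(target, attr):
            continue
        for who, level in bys:
            if who in ("anonymous", "*"):
                return level
        return "none"
    return "none"


def exposed_secrets(conf: str) -> List[str]:
    """Credential attributes an anonymous bind could read (read or stronger)."""
    return [a for a in SECRET_ATTRS if rank(anonymous_level(conf, a)) >= rank("read")]


if __name__ == "__main__":
    for label, conf in (("before Step 8", SLAPD_CONF_BEFORE), ("after Step 8", SLAPD_CONF_AFTER)):
        print(f"{label}: anonymous can read {exposed_secrets(conf) or 'nothing'}")
```

Against a live server the equivalent check is an anonymous ldapsearch for the sambaNTPassword attribute of a user entry, which should return no such attribute once the ACL change is in place.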

Step 9: Configure SAMBA

This step can become complicated so be sure to read through it and figure out what you want to do. The only file that we will be editing is the file /etc/samba/smb.conf. We will make a backup of this file before we begin, so in case of a screw up you can just restore the backup. In this file we will configure the domain name, how LDAP works, etc... Please be sure to verify every aspect of the file otherwise you will run into problems.

First enter the SAMBA directory:

cd /etc/samba/

Now backup the smb.conf file:

cp smb.conf smb.conf.original

Open the smb.conf file for editing:

vim smb.conf

OK - this next part is not exactly copy and paste. First and foremost, find the following items and change them to what I have:

workgroup = EXAMPLE
security = user
passdb backend = ldapsam:ldap://localhost/
obey pam restrictions = no

Now copy and paste the following lines just below the line "obey pam restrictions = no":

#######################################################################
#COPY AND PASTE THE FOLLOWING UNDERNEATH "OBEY PAM RESTRICTIONS = NO"
#######################################################################
#
#       Begin: Custom LDAP Entries
#
ldap admin dn = cn=admin,dc=example,dc=local
ldap suffix = dc=example, dc=local
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
; Do ldap passwd sync
ldap passwd sync = Yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
domain logons = yes
#
#       End: Custom LDAP Entries
#
#####################################################
#STOP COPYING HERE!
#####################################################

Obviously in the previous two smb.conf configuration steps you'll want to change the information to suit your needs. Please remember this!

Now comment out the following line. This is a very important step! Fail to do this and you WILL NOT BE ABLE TO JOIN A WINDOWS CLIENT TO THE DOMAIN!!!

Change:

invalid users = root

To:

;invalid users = root

Add the following line to the file (examples of the line should be there somewhere, I recommend sticking it there). This line disables roaming profiles for Windows.

logon path =

For reference here is a copy of my edited /etc/samba/smb.conf file for your viewing pleasure:

/etc/samba/smb.conf

#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
#   workgroup = MSHOME
workgroup = EXAMPLE

# server string is the equivalent of the NT Description field
   server string = %h server (Samba, Ubuntu)

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
;   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

# What naming service and in what order should we use to resolve host names
# to IP addresses
;   name resolve order = lmhosts host wins bcast

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = true

#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
;   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d

####### Authentication #######

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
;   security = user
security = user

# You may wish to use password encryption.  See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
   encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
#   passdb backend = tdbsam
passdb backend = ldapsam:ldap://localhost/

#   obey pam restrictions = yes
obey pam restrictions = no

#######################################################################
#COPY AND PASTE THE FOLLOWING UNDERNEATH "OBEY PAM RESTRICTIONS = NO"
#######################################################################
#
#       Begin: Custom LDAP Entries
#
ldap admin dn = cn=admin,dc=example,dc=local
ldap suffix = dc=example, dc=local
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
; Do ldap passwd sync
ldap passwd sync = Yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
domain logons = yes
#
#       End: Custom LDAP Entries
#
#####################################################
#STOP COPYING HERE!
#####################################################

;   guest account = nobody
;   invalid users = root

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
;   unix password sync = no

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan < program =" /usr/bin/passwd" chat =" *Enter\snew\sUNIX\spassword:*" change =" no" logons =" yes" path =" \\%N\profiles\%U" path =" \\%N\%U\profile" path ="  #" drive =" H:" home =" \\%N\%U" script =" logon.cmd" script =" /usr/sbin/adduser" printers =" yes" printing =" bsd" name =" /etc/printcap" printing =" cups" name =" cups" admin =" @lpadmin" include =" /home/samba/etc/smb.conf.%m" so_rcvbuf="8192" so_sndbuf="8192" options =" TCP_NODELAY" command =" /bin/sh" master =" auto" uid =" 10000-20000" gid =" 10000-20000" shell =" /bin/bash" groups =" yes" users =" yes" definitions ="=" comment =" Home" browseable =" no" users =" %S" writable =" no" group="rw" mask =" 0700" group="rw" mask =" 0700" comment =" Network" path =" /home/samba/netlogon" ok =" yes" writable =" no" modes =" no" comment =" Users" path =" /home/samba/profiles" ok =" no" browseable =" no" mask =" 0600" mask =" 0700" comment =" All" browseable =" no" path =" /var/spool/samba" printable =" yes" public =" no" writable =" no" mode =" 0700" comment =" Printer" path =" /var/lib/samba/printers" browseable =" yes" only =" yes" ok =" no" list =" root," comment =" Samba" writable =" no" locking =" no" path =" /cdrom" public =" yes" preexec =" /bin/mount" postexec =" /bin/umount">

Now we can restart the SAMBA service.

/etc/init.d/samba restart

Very important! We need to tell SAMBA what the "admin" password for the OpenLDAP server is. Hint: If you changed your "admin" password to be different from mine then you MUST replicate that change here! I guarantee you that someone will do this step and will have issues with SAMBA... this might be why!

smbpasswd -w 12345

Go ahead and reboot the server and make sure that everything still works correctly.

reboot

Step 10: Configure the SMBLDAP-TOOLS package

The smbldap-tools package is one of the most important packages that we will be configuring today. This is a collection of scripts that we will use to add users, groups, and computers to the LDAP directory. Of course this will require careful configuration. Many mistakes can be made here. I recommend doing everything that I do and then going back through another time to make your own customizations. If you are not careful here then you will run into issues. Good luck!

Open up the "examples" directory:

cd /usr/share/doc/smbldap-tools/examples/

Copy the configuration files to the correct directory and unzip them:

cp smbldap_bind.conf /etc/smbldap-tools/
cp smbldap.conf.gz /etc/smbldap-tools/
gzip -d /etc/smbldap-tools/smbldap.conf.gz

Open up the smbldap-tools directory:

cd /etc/smbldap-tools/

Now you need to get the Security Identifier (SID) for your SAMBA domain. Write this string down (copy and paste it somewhere) because you will need it for the next step.

net getlocalsid

This results in (example):

SID for domain DC01-UBUNTU is: S-1-5-21-949328747-3404738746-3052206637

Open up the file /etc/smbldap-tools/smbldap.conf for editing:

vim smbldap.conf

Alright, now we need to edit the file. You can't just copy and paste here, you need to edit the specific lines according to your individual setup. I will include my file for reference as well:

SID="S-1-5-21-949328747-3404738746-3052206637" ## This line must have the same SID as when you ran "net getlocalsid"
sambaDomain="EXAMPLE"
ldapTLS="0"
suffix="dc=example,dc=local"
sambaUnixIdPooldn="sambaDomainName=EXAMPLE,${suffix}" ## Be careful with this section!!
userHome="/ldaphome/%U" ## This is found in the UNIX section.
userSmbHome=
userProfile=
userHomeDrive=
userScript=
mailDomain="example.local"

/etc/smbldap-tools/smbldap.conf

# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

#  This code was developped by IDEALX (http://IDEALX.org/) and
#  contributors (their names can be found in the CONTRIBUTORS file).
#
#                 Copyright (C) 2001-2002 IDEALX
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.

#  Purpose :
#       . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
#SID="S-1-5-21-4205727931-4131263253-1851132061"
SID="S-1-5-21-4052000378-234799737-4288018487"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
#sambaDomain="IDEALX-NT"
sambaDomain="EXAMPLE"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="127.0.0.1"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
#ldapTLS="1"
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
#suffix="dc=idealx,dc=org"
suffix="dc=example,dc=local"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
#sambaUnixIdPooldn="sambaDomainName=IDEALX-NT,${suffix}"
sambaUnixIdPooldn="sambaDomainName=EXAMPLE,${suffix}" ## Be careful with this section!!

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
#userHome="/home/%U"
userHome="/ldaphome/%U" ## This is found in the UNIX section.

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
#userSmbHome="\\PDC-SRV\%U"
userSmbHome=

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
#userProfile="\\PDC-SRV\profiles\%U"
userProfile=

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
#userHomeDrive="H:"
userHomeDrive=

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
#userScript="logon.bat"
userScript=

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
#mailDomain="idealx.com"
mailDomain="example.local"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"

Open the file /etc/smbldap-tools/smbldap_bind.conf file for editing:

vim smbldap_bind.conf

Edit the file so the following is correct according to your setup. I will also include a copy of my file for reference.

slaveDN="cn=admin,dc=example,dc=local"
slavePw="12345"
masterDN="cn=admin,dc=example,dc=local"
masterPw="12345"

/etc/smbldap-tools/smbldap_bind.conf

############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
#slaveDN="cn=Manager,dc=idealx,dc=org"
#slavePw="secret"
#masterDN="cn=Manager,dc=idealx,dc=org"
#masterPw="secret"

slaveDN="cn=admin,dc=example,dc=local"
slavePw="12345"
masterDN="cn=admin,dc=example,dc=local"
masterPw="12345"

Set the correct permissions on the above files:

chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf
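The three things Step 10 insists on, checked automatically. This is added example code, not part of the guide or of the smbldap-tools package: it verifies that SID in smbldap.conf equals the one printed by net getlocalsid, that sambaUnixIdPooldn names the sambaDomainName entry under the suffix, and that smbldap_bind.conf (which stores the admin password in clear text) carries no group or other permission bits. The configuration excerpt reuses the values shown above, the "stale" SID is a constructed value, and the loopback test on ldapTLS="0" is an added heuristic.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List, Optional, Tuple

# Text printed by "net getlocalsid" in Step 10 of this guide.
NET_GETLOCALSID_OUTPUT = (
    "SID for domain DC01-UBUNTU is: S-1-5-21-949328747-3404738746-3052206637\n")

# Constructed excerpt of /etc/smbldap-tools/smbldap.conf using the edited
# values shown above (trailing "## ..." notes included, as in the guide).
SMBLDAP_CONF = """\
# Put your own SID. To obtain this number do: "net getlocalsid".
#SID="S-1-5-21-4205727931-4131263253-1851132061"
SID="S-1-5-21-949328747-3404738746-3052206637" ## This line must have the same SID as when you ran "net getlocalsid"
sambaDomain="EXAMPLE"
slaveLDAP="127.0.0.1"
masterLDAP="127.0.0.1"
ldapTLS="0"
suffix="dc=example,dc=local"
sambaUnixIdPooldn="sambaDomainName=EXAMPLE,${suffix}" ## Be careful with this section!!
userHome="/ldaphome/%U"
"""

# Same excerpt with a stale SID (constructed value), e.g. left over from an
# earlier Samba install; this is the mismatch the guide warns about.
SMBLDAP_CONF_STALE = SMBLDAP_CONF.replace(
    "S-1-5-21-949328747-3404738746-3052206637", "S-1-5-21-111111111-222222222-333333333")

SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+")
LOOPBACK = ("127.0.0.1", "localhost", "::1")


def parse_kv(text: str) -> Dict[str, str]:
    """Parse key="value" lines, expanding ${name} from keys parsed earlier,
    which is how sambaUnixIdPooldn and the *dn settings refer to ${suffix}."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comment lines and "## ..." notes
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        val = val.strip().strip('"')
        val = re.sub(r"\$\{(\w+)\}", lambda m: values.get(m.group(1), m.group(0)), val)
        values[key.strip()] = val
    return values


def local_sid(getlocalsid_output: str) -> Optional[str]:
    """Pull the domain SID out of what 'net getlocalsid' printed."""
    m = SID_RE.search(getlocalsid_output)
    return m.group(0) if m else None


def check_smbldap(conf_text: str, getlocalsid_output: str) -> List[str]:
    """Return findings for smbldap.conf; an empty list means every check passed."""
    cfg = parse_kv(conf_text)
    findings: List[str] = []
    sid = local_sid(getlocalsid_output)
    if cfg.get("SID") != sid:
        findings.append(f"SID {cfg.get('SID')} does not match net getlocalsid ({sid})")
    expected_pool = f"sambaDomainName={cfg.get('sambaDomain', '')},{cfg.get('suffix', '')}"
    if cfg.get("sambaUnixIdPooldn") != expected_pool:
        findings.append(f"sambaUnixIdPooldn should be {expected_pool}")
    # Added heuristic: ldapTLS="0" is only reasonable when both servers are local,
    # since otherwise the bind DN and password cross the network in clear text.
    servers = (cfg.get("masterLDAP", "127.0.0.1"), cfg.get("slaveLDAP", "127.0.0.1"))
    if cfg.get("ldapTLS", "1") == "0" and any(s not in LOOPBACK for s in servers):
        findings.append("ldapTLS=0 with a non-loopback LDAP server")
    return findings


def bind_conf_mode_ok(path: str) -> bool:
    """smbldap_bind.conf holds the admin password in clear text: no group/other bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo_bind_conf_modes() -> Tuple[bool, bool]:
    """Show the effect of the chmod in Step 10 on a throwaway file: (0644 ok?, 0600 ok?)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = bind_conf_mode_ok(path)
        os.chmod(path, 0o600)
        after = bind_conf_mode_ok(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    for label, conf in (("edited file", SMBLDAP_CONF), ("stale SID", SMBLDAP_CONF_STALE)):
        print(label, "->", check_smbldap(conf, NET_GETLOCALSID_OUTPUT) or "OK")
    print("smbldap_bind.conf with mode 0644 ok?, 0600 ok? ->", demo_bind_conf_modes())
```

On a real server, feed check_smbldap() the contents of /etc/smbldap-tools/smbldap.conf and the output of net getlocalsid, and bind_conf_mode_ok() the path /etc/smbldap-tools/smbldap_bind.conf.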

Step 11: Populate LDAP using smbldap-tools

This is another simple step but it is very important. When doing this step if you encounter errors then it is most likely because you failed the previous step. Just a hint.

Run the command to populate the directory:

smbldap-populate -u 30000 -g 30000

When doing so it will prompt you to assign a password to the user "root" - remember to use the password that you've been using to keep things simple.

12345

Verify that you have several new entries in your LDAP directory by running the command:

ldapsearch -x -b dc=example,dc=local | less

Awesome, now we have some default entries in our LDAP directory. This is a good thing!


Step 12: Add an LDAP User to the System

Run the following command to add a new user to the LDAP. Please note that you should edit this user information to suit your needs. This will add a standard user, not an administrative user.

smbldap-useradd -a -m -M ricky -c "Richard M" ricky

Here is an explanation of the above command switches:

-a  allows Windows as well as Linux login
-m  makes a home directory; leave this off if you do not need local access. PAM will be configured to automatically create a home directory.
-M  sets up the username part of their email address
-c  specifies their full name

Now we need to set the password for this new account:

smbldap-passwd ricky # I will be using "12345" for the password.

Now that we have a user in our LDAP directory we will need to configure the system to authenticate via LDAP.

Step 13: Configure LDAP Authentication on the Server

The basic steps for this section came from the Ubuntu Forums (http://ubuntuforums.org/showthread.php?t=597056). Thanks to all who contributed to that thread! Basically we need to tell our server to use LDAP authentication as one of its options. Be careful with this! It can cause your server to break! This is why we always have a backup around.

Install the necessary software used to accomplish this feat:

apt-get install auth-client-config libpam-ldap libnss-ldap

You will be prompted to answer some questions. Use the following answers (or your own if you changed things before!):

Should debconf manage LDAP configuration?: Yes
LDAP server Uniform Resource Identifier: ldapi://127.0.0.1
Distinguished name of the search base: dc=example,dc=local
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root: cn=admin,dc=example,dc=local
LDAP root account password: 12345

Create a backup of the file /etc/ldap.conf:

cp /etc/ldap.conf /etc/ldap.conf.original

Open the file /etc/ldap.conf for editing in your favorite editor:

vim /etc/ldap.conf

Please note that you cannot just copy and paste the following into your file. Find the referenced lines and modify them so that they are correct. I will include a copy of my file for reference.

host 127.0.0.1
base dc=example,dc=local
uri ldap://127.0.0.1/
rootbinddn cn=admin,dc=example,dc=local
bind_policy soft

/etc/ldap.conf

###DEBCONF###
##
## Configuration of this file will be managed by debconf as long as the
## first line of the file says '###DEBCONF###'
##
## You should use dpkg-reconfigure to configure this file via debconf
##

#
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host 127.0.0.1

# The distinguished name of the search base.
#base dc=padl,dc=com
base dc=example,dc=local

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=admin,dc=example,dc=local

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind/connect timelimit
#bind_timelimit 30

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
bind_policy soft

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password md5

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd        ou=People,dc=padl,dc=com?one
#nss_base_shadow        ou=People,dc=padl,dc=com?one
#nss_base_group         ou=Group,dc=padl,dc=com?one
#nss_base_hosts         ou=Hosts,dc=padl,dc=com?one
#nss_base_services      ou=Services,dc=padl,dc=com?one
#nss_base_networks      ou=Networks,dc=padl,dc=com?one
#nss_base_protocols     ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc           ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers        ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks      ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams    ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases       ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup      ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute      rfc2307attribute        mapped_attribute
#nss_map_objectclass    rfc2307objectclass      mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5

Now we need to copy the file /etc/ldap.conf over the file /etc/ldap/ldap.conf. First we back up the existing /etc/ldap/ldap.conf, then we copy the new file into place.

cp /etc/ldap/ldap.conf /etc/ldap/ldap.conf.original
cp /etc/ldap.conf /etc/ldap/ldap.conf

OK, create a new file by running the following command. You will need to edit the first part of the command to use your favorite editor.

vim /etc/auth-client-config/profile.d/open_ldap

This file is the new OpenLDAP authentication profile. Copy and paste EXACTLY the following lines:

[open_ldap]
nss_passwd=passwd: compat ldap
nss_group=group: compat ldap
nss_shadow=shadow: compat ldap
pam_auth=auth       required     pam_env.so
        auth       sufficient   pam_unix.so likeauth nullok
        auth       sufficient   pam_ldap.so use_first_pass
        auth       required     pam_deny.so
pam_account=account    sufficient   pam_unix.so
        account    sufficient   pam_ldap.so
        account    required     pam_deny.so
pam_password=password   sufficient   pam_unix.so nullok md5 shadow use_authtok
        password   sufficient   pam_ldap.so use_first_pass
        password   required     pam_deny.so
pam_session=session    required     pam_limits.so
        session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077
        session    required     pam_unix.so
        session    optional     pam_ldap.so

Backup the /etc/nsswitch.conf file:

cp /etc/nsswitch.conf /etc/nsswitch.conf.original

Backup the files in /etc/pam.d:

cd /etc/pam.d/
mkdir bkup
cp * bkup/

Enable the new OpenLDAP profile by running the following command. If you did all the previous steps correctly then this will run without issue.

auth-client-config -a -p open_ldap

The final step is simply to reboot the server. When the server is back up, test whether you can log in with your new LDAP user. Whatever happens, you should still be able to log in with a local user (unless the system has hung). If the system hangs, do a HARD reboot and try again.

reboot

Step 14: Install the BIND DNS Server

We will be using the BIND DNS server because it is the only DNS server that I know how to configure. We will use Webmin to configure it (Webmin is installed in a later step, and BIND is configured after that). Why do we need a DNS server? DNS makes it easier to manage the hosts on the network, LDAP works best when DNS is available, and a Windows client cannot join the domain without it.

Install the software:

apt-get install bind9

Step 15: Install and Configure NFS Server Support

By this point LDAP authentication is working without issue and LDAP user home folders are located in /ldaphome. If this is not correct then you will want to go back through and fix things.

Now we will be installing and configuring our NFS server. Thanks to everyone in the thread http://ubuntuforums.org/showthread.php?t=249889 for the help with this section.

First install the software:

apt-get install nfs-kernel-server nfs-common portmap

Now we need to reconfigure portmap.

dpkg-reconfigure portmap

Answer as follows to the prompt:

no

Restart portmap:

/etc/init.d/portmap restart

Open up the /etc/exports file for editing. This is where we define our NFS shares (or exports).

vim /etc/exports

Add the following line to the file. It grants unrestricted read-write access to the /ldaphome export from any computer. I will also include a copy of my file for reference.

/ldaphome *(rw,async)

/etc/exports

# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync) hostname2(ro,sync)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt)
# /srv/nfs4/homes  gss/krb5i(rw,sync)
#
/ldaphome *(rw,async)
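The export line above is the kind of entry a reviewer would want to check mechanically: it opens /ldaphome to every host and combines rw with async. The following added example (my code, not from the guide) parses the exports(5) syntax shown and reports those settings, plus no_root_squash and insecure; the sample file it runs on is constructed here from the guide's line with one extra export invented to exercise the no_root_squash check.

```python
"""Lint /etc/exports entries for overly broad or risky NFS export options.

Added example, not part of the original guide. It parses the exports(5)
syntax used above (path, then client(options) fields) and reports the
settings a reviewer would question: a '*' client (every host may mount),
rw combined with async (acknowledged writes can be lost on a crash),
no_root_squash (a remote root keeps root on the export) and insecure
(requests accepted from unprivileged source ports).
"""
import re
from typing import List, Tuple

# Constructed sample: the guide's /ldaphome line plus one export invented
# here to exercise the no_root_squash check.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
/ldaphome *(rw,async)
/srv/scratch 192.168.0.0/24(rw,sync,no_root_squash)
"""

# The client part may be empty: a bare "(rw)" applies to every host, per exports(5).
CLIENT_RE = re.compile(r"^(?P<client>[^(\s]*)(?:\((?P<opts>[^)]*)\))?$")

Export = Tuple[str, List[Tuple[str, List[str]]]]


def parse_exports(text: str) -> List[Export]:
    """Return [(path, [(client, [option, ...]), ...]), ...], skipping comments."""
    exports: List[Export] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], []
        for field in fields[1:]:
            match = CLIENT_RE.match(field)
            if match is None:
                raise ValueError(f"malformed export entry: {field!r}")
            client = match.group("client") or "*"
            opts = [o for o in (match.group("opts") or "").split(",") if o]
            clients.append((client, opts))
        exports.append((path, clients))
    return exports


def lint_exports(text: str) -> List[str]:
    """Return one human-readable finding per risky setting found."""
    findings: List[str] = []
    for path, clients in parse_exports(text):
        for client, opts in clients:
            where = f"{path} [{client}]"
            if client == "*":
                findings.append(f"{where}: exported to every host; restrict the client list")
            if "rw" in opts and "async" in opts:
                findings.append(f"{where}: rw with async can lose acknowledged writes on a server crash")
            if "no_root_squash" in opts:
                findings.append(f"{where}: no_root_squash lets a remote root act as root on the export")
            if "insecure" in opts:
                findings.append(f"{where}: insecure accepts requests from unprivileged source ports")
    return findings


if __name__ == "__main__":
    for finding in lint_exports(SAMPLE_EXPORTS):
        print(finding)
```

Run against a real file with `lint_exports(open("/etc/exports").read())`; for the guide's configuration the two findings on /ldaphome are expected, and restricting the client to the workstation subnet (for example `192.168.0.0/24` in place of `*`) removes the first one.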

Restart the NFS service.

/etc/init.d/nfs-kernel-server restart

Now we have NFS enabled and configured. If you have a client up and running at the moment you can give it a test. Otherwise just continue with this guide.

Step 16: Install Webmin

Webmin is a very useful program. We can use it to control installed services, monitor the system, and help ease administration.

Download the package from the Webmin website:

wget http://superb-east.dl.sourceforge.net/sourceforge/webadmin/webmin_1.400_all.deb

We need to install some required packages first.

apt-get install openssl libauthen-pam-perl libio-pty-perl libmd5-perl libnet-ssleay-perl

Now we can install Webmin:

dpkg -i webmin_1.400_all.deb

You should see a message similar to the following when it successfully installs:

"Webmin install complete. You can now login to https://dc01-ubuntu.example.local:10000/  as root with your root password, or as any user who can use sudo to run commands as root."

The Webmin installation is now complete.

Step 17: Configure BIND9 and the Primary DNS Zone

We now want to create our DNS zone so that we are in charge of it and can make use of it. I prefer using a GUI to do this as opposed to editing the zone files.

In a web browser navigate to: https://192.168.0.60:10000 (Please use the IP address that YOU assigned to your server.)
Log in as "sysadmin" with the password "12345"
Servers > BIND DNS Server
Under "Existing DNS Zones" click "Create master zone"

Enter in the following information (customize to your needs!):

Zone type: Forward (Names to Addresses)
Domain name / Network: example.local
Records file: Automatic
Master server: dc01-ubuntu.example.local
Email address: sysadmin@example.local

Click "Create" button

Click "Apply Changes" button

Click "Address (0)" at the top

Fill in with this information (customize to your needs!):

Name: dc01-ubuntu
Address: 192.168.0.60

Click "Create" button
Click "Return to record types"

Click "Apply Changes" button.

Step 18: Configure the Server to use Itself for DNS

DNS doesn't do a whole lot of good if we don't use it. In this section we point our /etc/resolv.conf file at the server itself. I also recommend leaving a known working DNS server in as the secondary source, just in case something screws up. In some of my trials I did notice that the server would hang trying to start BIND9.

Backup the /etc/resolv.conf file before editing it!

cp /etc/resolv.conf /etc/resolv.conf.original

Open the /etc/resolv.conf file for editing:

vim /etc/resolv.conf

Edit the file so that the only lines in the file are the following. I will also include a copy of my file for reference.

search example.local
nameserver 192.168.0.60

Reboot the server and then test DNS to ensure everything is working the way it should be.

reboot

Some notes and conclusions

You should now have a fully functional SAMBA domain controller. All you need to do now is add a workstation account, join machines to the network, and voila, DOMAIN! The next few sections go through some other items of interest (Windows logon script, configuring a Linux client, configuring a Windows client, etc.).

Install and Configure Apache2 + PHPLDAPAdmin

Apache is a nice server to have installed. By having it installed you'll be able to host your own websites, etc... PHPLDAPAdmin is a very nice LDAP management tool. So far the best use that I have gotten from it is the ability to view my LDAP directory. This way I can confirm that items that should be there really are there.

Install the software:

apt-get install apache2 phpldapadmin

Open the file /etc/apache2/httpd.conf for editing:

vim /etc/apache2/httpd.conf

Add the following line to the very top of the file. It will stop an annoying message when Apache starts up. Please customize this according to your configuration.

ServerName dc01-ubuntu.example.local

Restart Apache:

/etc/init.d/apache2 restart

Copy the PHPLDAPAdmin folder into the /var/www/ directory. This way we can access PHPLDAPAdmin more easily.

cp -R /usr/share/phpldapadmin/ /var/www/phpldapadmin

Access PHPLDAPAdmin by going to http://192.168.0.60/phpldapadmin/. The username is "cn=admin,dc=example,dc=local" - customize that if you changed the LDAP domain properties.


Configure Ubuntu Server 8.04 (client) to Mount NFS Shares

In order for our whole system to work the correct way we need to have access to the user files stored on the server. For Linux clients we will be using NFS to accomplish this. Note that this section assumes that your client has Linux installed, that it can resolve DNS entries against your server, and that the client works on its own.

Install NFS support:

apt-get install portmap nfs-common

Restart the associated services:

/etc/init.d/portmap restart
/etc/init.d/nfs-common restart

Create the /ldaphome directory:

cd /
mkdir ldaphome

Try to manually mount the ldaphome NFS share:

mount dc01-ubuntu.example.local:/ldaphome /ldaphome 

Now go ahead and add the necessary entries into /etc/fstab so that the directory is mounted at boot. I'm also including a copy of my file for reference.

vim /etc/fstab

Add the following lines to the bottom of the file:

# Custom NFS mount for home directories.
dc01-ubuntu.example.local:/ldaphome /ldaphome nfs rsize=8192,wsize=8192,timeo=14,intr

/etc/fstab

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# /dev/sda1
UUID=fd12bae1-adda-4b61-9ce9-ed4e9a1f52aa /               ext3    defaults,errors=remount-ro 0       1
# /dev/sda5
UUID=86661b5c-c34f-9fad-c85d-ccbc61e5fb0d none            swap    sw              0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto,exec 0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec 0       0

# Custom NFS mount for home directories.
dc01-ubuntu.example.local:/ldaphome /ldaphome nfs rsize=8192,wsize=8192,timeo=14,intr

Reboot the client to ensure that everything is working.

reboot

Configure Ubuntu Server 8.04 (client) for LDAP Authentication

Now that you have this server it only makes sense to also have an LDAP client, right? Well, here we go. I'm going to shorten this section and only give you the relevant parts. I'm assuming that since you made it through the initial guide you are pretty confident in your ability to install Ubuntu and configure the basics.

Assumptions/Requirements:

  • Your hostname and hosts file need to be configured correctly. Your hostname should be "client-linux.example.local" - I'm going to assume that you are in the domain "example.local" and that your hostname is "client-linux" - Please customize this to your own scenario. Your hosts file needs to have your FQDN in it, otherwise you may run into issues.

  • You have your /etc/resolv.conf file configured so that it is looking at your server for DNS and that it is searching your domain. For my setup I used the same /etc/resolv.conf as I did for the server.

  • You can PING the server by name and by IP.

  • You installed and configured NTP for time synchronization. This is important in a domain environment!

  • Because of the nature of our home directories you MUST have NFS set up and configured on the client FIRST. The previous section describes how to do this.

OK, now we can begin.

Install the software:

apt-get install auth-client-config libpam-ldap libnss-ldap

Answer the questions with the following (customize if you need to):

Should debconf manage LDAP configuration?: Yes
LDAP server Uniform Resource Identifier: ldapi://dc01-ubuntu.example.local
Distinguished name of the search base: dc=example,dc=local
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root: cn=admin,dc=example,dc=local
LDAP root account password: 12345

Create a backup of the file /etc/ldap.conf:

cp /etc/ldap.conf /etc/ldap.conf.original

Open the file /etc/ldap.conf for editing in your favorite editor:

vim /etc/ldap.conf

Please note that you cannot just copy and paste the following into your file. Find the referenced lines and modify them so that they are correct. I will include a copy of my file for reference.

host dc01-ubuntu.example.local
base dc=example,dc=local
uri ldap://dc01-ubuntu.example.local/
rootbinddn cn=admin,dc=example,dc=local
bind_policy soft

/etc/ldap.conf

###DEBCONF###
##
## Configuration of this file will be managed by debconf as long as the
## first line of the file says '###DEBCONF###'
##
## You should use dpkg-reconfigure to configure this file via debconf
##

#
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 127.0.0.1
host dc01-ubuntu.example.local

# The distinguished name of the search base.
#base dc=padl,dc=com
base dc=example,dc=local

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
uri ldap://dc01-ubuntu.example.local/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=admin,dc=example,dc=local

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind/connect timelimit
#bind_timelimit 30

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
bind_policy soft

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password md5

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd        ou=People,dc=padl,dc=com?one
#nss_base_shadow        ou=People,dc=padl,dc=com?one
#nss_base_group         ou=Group,dc=padl,dc=com?one
#nss_base_hosts         ou=Hosts,dc=padl,dc=com?one
#nss_base_services      ou=Services,dc=padl,dc=com?one
#nss_base_networks      ou=Networks,dc=padl,dc=com?one
#nss_base_protocols     ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc           ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers        ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks      ou=Networks,dc=padl,dc=com?one
#nss_base_bootparams    ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases       ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup      ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute      rfc2307attribute        mapped_attribute
#nss_map_objectclass    rfc2307objectclass      mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5

Now we need to copy the file /etc/ldap.conf over the file /etc/ldap/ldap.conf. First we back up the existing /etc/ldap/ldap.conf, then we copy the new file into place.

cp /etc/ldap/ldap.conf /etc/ldap/ldap.conf.original
cp /etc/ldap.conf /etc/ldap/ldap.conf

OK, create a new file by running the following command. You will need to edit the first part of the command to use your favorite editor.

vim /etc/auth-client-config/profile.d/open_ldap

This file is the new OpenLDAP authentication profile. Copy and paste EXACTLY the following lines:

[open_ldap]
nss_passwd=passwd: compat ldap
nss_group=group: compat ldap
nss_shadow=shadow: compat ldap
pam_auth=auth       required     pam_env.so
        auth       sufficient   pam_unix.so likeauth nullok
        auth       sufficient   pam_ldap.so use_first_pass
        auth       required     pam_deny.so
pam_account=account    sufficient   pam_unix.so
        account    sufficient   pam_ldap.so
        account    required     pam_deny.so
pam_password=password   sufficient   pam_unix.so nullok md5 shadow use_authtok
        password   sufficient   pam_ldap.so use_first_pass
        password   required     pam_deny.so
pam_session=session    required     pam_limits.so
        session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077
        session    required     pam_unix.so
        session    optional     pam_ldap.so
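The auth stack in this profile (the same one used for the server earlier) works because of how PAM control flags combine: pam_unix.so and pam_ldap.so are "sufficient", so whichever one succeeds first ends the stack with success, and the trailing "required pam_deny.so" guarantees a failure when neither does. The following added example (my code, not from the guide or from auth-client-config) parses the pam_auth lines into a stack and evaluates it under the rules in pam.conf(5) against constructed module outcomes, including the case where the pam_deny.so line is left out.

```python
"""Evaluate a PAM auth stack the way the control flags in pam.conf(5) direct.

Added example, not part of the original guide or of auth-client-config. It
parses the pam_auth lines of the open_ldap profile shown for the server and
the client, then runs them against constructed module outcomes to show why the
stack ends in 'auth required pam_deny.so': the 'sufficient' modules only
short-circuit on success, and a stack whose sufficient modules all fail would
otherwise inherit the success recorded by 'required pam_env.so'.
"""
from typing import Dict, List, Optional, Tuple

# Constructed copy of the pam_auth lines from the open_ldap profile above.
PROFILE_PAM_AUTH = """\
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so
"""

Stack = List[Tuple[str, str]]   # (control flag, module)

# Modules whose result never depends on the user being authenticated.
FIXED_OUTCOMES = {"pam_env.so": True, "pam_deny.so": False}


def parse_stack(text: str) -> Stack:
    """Turn 'type control module [args]' lines into (control, module) pairs."""
    stack: Stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        stack.append((fields[1].lower(), fields[2]))
    return stack


def evaluate_stack(stack: Stack, outcomes: Dict[str, bool]) -> bool:
    """Return True if the stack grants access given each module's result.

    Rules modelled (pam.conf(5)):
      required   - failure is remembered; later modules still run
      requisite  - failure ends the stack immediately
      sufficient - success ends the stack with success unless a required
                   module already failed; failure is ignored
      optional   - only decides when no other module set a result
    """
    impression: Optional[bool] = None   # None: nothing decided yet
    optional_result: Optional[bool] = None
    for control, module in stack:
        ok = outcomes.get(module, FIXED_OUTCOMES.get(module, False))
        if control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False
                if control == "requisite":
                    return False
        elif control == "sufficient":
            if ok and impression is not False:
                return True
        elif control == "optional":
            optional_result = ok
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    if impression is None and optional_result is not None:
        return optional_result
    return impression is True


def ends_with_deny(stack: Stack) -> bool:
    """True if the stack's last entry is the 'required pam_deny.so' backstop."""
    return bool(stack) and stack[-1] == ("required", "pam_deny.so")


if __name__ == "__main__":
    stack = parse_stack(PROFILE_PAM_AUTH)
    scenarios = [
        ("local user, good password", {"pam_unix.so": True, "pam_ldap.so": False}),
        ("LDAP user, good password", {"pam_unix.so": False, "pam_ldap.so": True}),
        ("unknown user or bad password", {"pam_unix.so": False, "pam_ldap.so": False}),
    ]
    for name, outcomes in scenarios:
        print(f"{name}: {'allow' if evaluate_stack(stack, outcomes) else 'deny'}")
    # Same failing scenario with the pam_deny.so line removed: pam_env's
    # success is the only recorded result, so the stack would allow access.
    print("bad password, no pam_deny.so:", evaluate_stack(stack[:-1], {}))
```

The last line of the demo is the reason the profile must be pasted EXACTLY as given: drop the pam_deny.so line and a failed LDAP and local login still comes out as success, because the only "required" result left is pam_env.so's. `ends_with_deny` is the one-line check to run over any auth-client-config profile before enabling it.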

Backup the /etc/nsswitch.conf file:

cp /etc/nsswitch.conf /etc/nsswitch.conf.original

Backup the files in /etc/pam.d:

cd /etc/pam.d/
mkdir bkup
cp * bkup/

Enable the new OpenLDAP profile by running the following command. If you did all the previous steps correctly then this will run without issue.

auth-client-config -a -p open_ldap

The final step is simply to reboot the client. When the client is back up, test whether you can log in with your new LDAP user. Whatever happens, you should still be able to log in with a local user (unless the system has hung). If the system hangs, do a HARD reboot and try again.

reboot

For solving login issues, edit /etc/pam.d/common-password:

vim /etc/pam.d/common-password

password   sufficient   pam_ldap.so
password   required     pam_unix.so nullok obscure min=4 max=8 md5


Configure SAMBA to Share /ldaphome


Since this entire project is to create a domain for Windows PCs it only makes sense to configure the server so that the user home directories are available to Windows clients. This section will configure SAMBA so that the /ldaphome directory is shared.

Add the following lines to the bottom of the /etc/samba/smb.conf file:

# LDAPHOME share definition
[ldaphome]
   path = /ldaphome
   writeable = yes
   browseable = yes
   security mask = 0777
   force security mode = 0
   directory security mask = 0777
   force directory security mode = 0

SAMBA should automatically update its configuration after about 2 minutes. From a Windows computer you should be able to access the server as an LDAP user. You will then have access to your home folder.

Configure SAMBA - Enable the 'Netlogon' Share

Create a directory for the netlogon share to use:

mkdir /home/samba
mkdir /home/samba/netlogon

Open the file /etc/samba/smb.conf for editing:

vim /etc/samba/smb.conf

Uncomment the netlogon lines by changing:

;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   writable = no
;   share modes = no

To:

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = yes
   writable = no
   share modes = no
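Two share definitions from this guide deserve a standing check: the netlogon share must stay `writable = no` (every domain client executes the logon script it finds there), and the ldaphome share's `security mask = 0777` with `force security mode = 0` lets clients set any UNIX mode bits on their files. The following added example (my code, not from the guide or from Samba) parses smb.conf's section/parameter syntax, honouring the `;`/`#` comment rules and the writable/writeable/read only synonyms, and reports those conditions plus any guest-writable share; the sample configuration is constructed here from the guide's [ldaphome] and [netlogon] sections.

```python
"""Parse smb.conf share sections and flag settings worth a second look.

Added example, not part of the original guide or of Samba. The checks are
the ones a reviewer would run over the [ldaphome] and [netlogon] shares
defined above: a netlogon share must stay read-only, because every domain
client runs whatever logon script it finds there; guest-writable shares
give anonymous users a place to drop files; and 'security mask = 0777' with
'force security mode = 0' lets clients set any UNIX mode bits on files.
"""
from typing import Dict, List

SmbConfig = Dict[str, Dict[str, str]]
TRUE_VALUES = ("yes", "true", "1")

# Constructed from the share definitions in this guide.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = user

# LDAPHOME share definition
[ldaphome]
   path = /ldaphome
   writeable = yes
   browseable = yes
   security mask = 0777
   force security mode = 0
   directory security mask = 0777
   force directory security mode = 0

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = yes
   writable = no
   share modes = no
"""


def parse_smb_conf(text: str) -> SmbConfig:
    """Return {section: {parameter: value}}; ';' and '#' start comment lines.

    Parameter names are lower-cased and whitespace-normalised, which is how
    Samba compares them ('Read Only' and 'read only' are the same parameter).
    """
    config: SmbConfig = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            config.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"parameter outside a section or malformed: {raw!r}")
        key, value = line.split("=", 1)
        config[section][" ".join(key.lower().split())] = value.strip()
    return config


def share_is_writable(share: Dict[str, str]) -> bool:
    """Apply smb.conf synonyms: writable/writeable/write ok invert 'read only'."""
    for name in ("writable", "writeable", "write ok"):
        if name in share:
            return share[name].lower() in TRUE_VALUES
    # Samba's default is 'read only = yes', i.e. not writable.
    return share.get("read only", "yes").lower() not in TRUE_VALUES


def check_shares(config: SmbConfig) -> List[str]:
    """Return one finding per risky share setting."""
    findings: List[str] = []
    for name, share in config.items():
        if name == "global" or "path" not in share:
            continue
        writable = share_is_writable(share)
        guest_ok = share.get("guest ok", "no").lower() in TRUE_VALUES
        if name == "netlogon" and writable:
            findings.append(f"[{name}]: netlogon share is writable; logon scripts must be read-only for clients")
        if guest_ok and writable:
            findings.append(f"[{name}]: guest users may write to this share")
        if share.get("security mask") == "0777" and share.get("force security mode") == "0":
            findings.append(f"[{name}]: security mask 0777 with force security mode 0 lets clients set any mode bits")
    return findings


if __name__ == "__main__":
    for finding in check_shares(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```

On the guide's own configuration the only finding is the mode-bit one on [ldaphome]; flipping [netlogon] to `writable = yes` produces two more, which is the case the check exists to catch whenever smb.conf is edited later. Samba's own `testparm` remains the authoritative syntax check; this script only adds the policy questions testparm does not ask.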

Create a Simple Windows Logon Script

We will create the logon script in the new Netlogon shared folder.

vim /home/samba/netlogon/allusers.bat

Copy and paste the following lines into that new file. Customize as necessary!

@echo off
REM    # SYNC THE TIME WITH THE SERVER
net time \\dc01-ubuntu.example.local /set /y
REM    # DELETE ALL MAPPED DRIVES
net use h: /delete
REM    # MAP ALL NECESSARY DRIVES
net use h: "\\dc01-ubuntu.example.local\ldaphome\%username%"

We need to install an extra program to convert the file's line endings to the CRLF (DOS) format that Windows expects.

apt-get install flip

Use this program to convert the file:

flip -m /home/samba/netlogon/allusers.bat

Now we need to tell Samba about this logon script.

vim /etc/samba/smb.conf

Change the line:

; logon script = logon.cmd

To:

logon script = allusers.bat

Please note that I removed the semicolon (;) and changed the name of the file.

Now when Windows clients log in to the domain the script will run.


Appendix A: Final /etc/samba/smb.conf File


Here is a copy of my final /etc/samba/smb.conf file for your reference. This has all my customization in it already.

#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
#   workgroup = MSHOME
   workgroup = EXAMPLE

# server string is the equivalent of the NT Description field
   server string = %h server (Samba, Ubuntu)

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
;   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

# What naming service and in what order should we use to resolve host names
# to IP addresses
;   name resolve order = lmhosts host wins bcast

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = true

#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
;   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d

####### Authentication #######

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
;   security = user
   security = user

# You may wish to use password encryption.  See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
   encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
#   passdb backend = tdbsam
   passdb backend = ldapsam:ldap://localhost/

#   obey pam restrictions = yes
   obey pam restrictions = no

#######################################################################
#COPY AND PASTE THE FOLLOWING UNDERNEATH "OBEY PAM RESTRICTIONS = NO"
#######################################################################
#
#       Begin: Custom LDAP Entries
#
ldap admin dn = cn=admin,dc=example,dc=local
ldap suffix = dc=example, dc=local
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
; Do ldap passwd sync
ldap passwd sync = Yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
domain logons = yes
#
#       End: Custom LDAP Entries
#
#####################################################
#STOP COPYING HERE!
#####################################################

;   guest account = nobody
;   invalid users = root

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
;   unix password sync = no

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <

[The remainder of the file (the Unix password sync parameters, the Domains/logon options, the Printing and Misc sections, and the share definitions for homes, netlogon, profiles, printers, print$, cdrom and ldaphome) did not survive extraction of this page.]
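The file's own NOTE says to run testparm after every change; testparm checks syntax, not intent. As an added check that is not part of the original post (and not Samba's testparm), the following Python parses a [global] section the way Samba does (';' and '#' comments, case-insensitive keys with collapsed whitespace, last duplicate wins) and flags the settings that matter for an LDAP-backed PDC. The excerpt and the remote host name ldap.example.local are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt in the shape of the [global] section above (not the full file).
SAMPLE_SMB_CONF = """
[global]
#   workgroup = MSHOME
   workgroup = EXAMPLE
;   security = user
   security = user
   encrypt passwords = true
   passdb backend = ldapsam:ldap://ldap.example.local/
;   bind interfaces only = true
ldap admin dn = cn=admin,dc=example,dc=local
domain logons = yes
"""

def parse_smb_conf(text):
    """Return {section: {normalized key: value}}; a later duplicate key wins, as in Samba."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                                  # both comment styles are ignored
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, _, value = line.partition("=")     # first '=' splits; DNs keep theirs
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit_global(conf):
    """Return a list of findings for the [global] section (empty list = nothing flagged)."""
    g, findings = conf.get("global", {}), []
    if g.get("security", "").lower() != "user":
        findings.append("security should be 'user' on a PDC")
    if g.get("encrypt passwords", "").lower() not in ("yes", "true", "1"):
        findings.append("encrypt passwords must be enabled for NT-style logons")
    backend = g.get("passdb backend", "")
    if backend.startswith("ldapsam:"):
        url = urlsplit(backend.split(":", 1)[1])
        # The 'ldap admin dn' bind password stored by smbpasswd -w travels over this URL;
        # plain ldap:// to a remote host sends it, and every hash lookup, in the clear.
        if url.scheme == "ldap" and url.hostname not in ("localhost", "127.0.0.1"):
            findings.append("ldapsam uses plain ldap:// to a remote host; use ldaps:// or localhost")
    if g.get("bind interfaces only", "no").lower() not in ("yes", "true", "1"):
        findings.append("bind interfaces only is off; smbd listens on every interface")
    return findings
```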

Appendix B: Final /etc/ldap/slapd.conf File


Here is a copy of my final /etc/ldap/slapd.conf file for your reference.

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/misc.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        0

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb
checkpoint 512 30

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=example,dc=local"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn          "cn=admin,dc=example,dc=local"

# Where the database file are physically stored for database #1
directory       "/var/lib/ldap"

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index           objectClass eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=local" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=example,dc=local" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=example,dc=local" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this databasse until another
# 'database' directive occurs
#database

# The base of your directory for database #2
#suffix         "dc=example,dc=local"
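The access directives in this file are what keep the password-equivalent sambaNTPassword and sambaLMPassword hashes away from anonymous binds, and they only do so because samba's attributes were added to the attrs= list by hand. As an added example (not from the original post or from OpenLDAP), the following Python evaluates a slapd-style ACL the way slapd does, first matching 'access to' clause wins and then the first matching 'by' within it, on a constructed ACL that deliberately leaves sambaLMPassword out of the protected list.

```python
import re
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]  # weakest to strongest

# Constructed ACL in the shape of the file above. sambaLMPassword is deliberately
# left out of the first clause to show how it then falls through to 'access to *'.
SAMPLE_ACL = """
access to attrs=userPassword,shadowLastChange,sambaNTPassword
        by dn="cn=admin,dc=example,dc=local" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=example,dc=local" write
        by * read
"""

def parse_acl(text):
    """Return [(target, [(who, level), ...])] in file order; indented lines continue the previous directive."""
    clauses = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.startswith("access to "):
            clauses.append(line[len("access to "):].strip())
        else:
            clauses[-1] += " " + line.strip()
    out = []
    for clause in clauses:
        target, *bys = re.split(r"\s+by\s+", clause)
        out.append((target, [tuple(b.rsplit(None, 1)) for b in bys]))
    return out

def anonymous_access(acl, attr):
    """Level an unbound client gets on attr: first matching 'access to' wins, then first matching 'by'."""
    for target, bys in acl:
        if target.startswith("attrs="):
            if attr.lower() not in target[6:].lower().split(","):
                continue                      # this attrs= clause does not cover attr
        elif target != "*":
            continue                          # dn-scoped rule, not an attribute rule
        for who, level in bys:
            if who in ("*", "anonymous"):
                return level
        return "none"                         # clause matched but no 'by' did: denied
    return "none"

def exposed_password_attrs(acl, attrs=("userPassword", "sambaNTPassword", "sambaLMPassword")):
    """Password-equivalent attributes an anonymous client could read under this ACL."""
    return [a for a in attrs if LEVELS.index(anonymous_access(acl, a)) >= LEVELS.index("read")]
```

Any attribute missing from the attrs= list lands under the catch-all 'access to *' rule, which in this file grants everyone read; adding samba.schema without extending that list would publish NT hashes to anyone who can reach port 389.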


Appendix C: Windows XP Professional SP2 Client Configuration Notes


Anyone who has configured a Windows XP computer for use on a Windows domain will have no problems here. The main things to remember are: a) make sure the network is working; b) make sure DNS is working; c) join the computer to the correct domain.

Go ahead and join the computer to the domain like you normally would.

  1. Log into the computer as an Administrative user (most likely Administrator)

  2. Right click "My Computer" and select "Properties"

  3. Select the "Computer Name" tab at the top

  4. Click the "Change" button near the bottom

  5. In this new window select the "Domain:" radio button in the "Member of" section

  6. Type in your domain name - in our example the domain name to enter is simply "example"

  7. Click the "OK" button

  8. A window should pop up asking you for a username and password. Use "root" and your root password, which should still be "12345" unless you changed it

  9. After a few seconds you should see a pop-up that says "Welcome to the example domain" or something to that effect

  10. Click "OK"

  11. Click "OK" again

  12. Reboot the computer

  13. When it boots you will be at a login prompt. The first time you try to log in you'll want to ensure that you are logging on to the DOMAIN, not the LOCAL COMPUTER.

Follow those simple steps and you should have a Windows client on your domain in no time.