smb-ldap-3-howto.html
Samba (v.3) PDC LDAP howto
20040811.05
Ignacio Coupeau
CTI, University of Navarra
I hope this document can help: it expresses our personal experience at the University of Navarra using Samba and OpenLDAP together.

- This document covers SAMBA_3 with LDAP v3. In short: running SAMBA_3 with the new LDAP schemas and functionality, with full ldap-v3 protocol support. This howto has been tested for: NT-WS-4-SP3+/W2K/XP; linux RH7.1+, Debian 3.0, Kernel 2.x.y and Openldap 2.0.21+.
- SAMBA_3 with LDAP in compat mode with the old schemas was covered in the smb-ldap-3-compat-howto.
- Samba-2.2.8+ [SAMBA_2_2] runs fine and has official Ldap support. If you plan to implement OpenLdap 2.x you must read a note about AUXILIARY objectClass. Please, for SAMBA_2_2 versions you should use the ldap-smb-2_2 document. If you plan to implement OpenLdap 2.x (x>1), and you come from 2.0.y, you must read a note about AUXILIARY objectClass.

Many thanks to Andrew Bartlett and many others who helped me a lot with some changes and several updates.
Table of contents
1. Preliminary notes
2. Identification and Authentication Scenarios
3. Most recent changes (2004/05/22)
4. How to download (2004/05/22)
5. Proposed patches
6. How to compile
7. Ldap server configuration slap.conf
8. Comments about the schemas
9. Samba schema 3.0
10. A note about AUXILIARY and STRUCTURAL objectClass
11. Ldap basic entries (also with posixAccount)
12. Windows XP and W2K requirements
http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html (1 di 54)16/08/2004 15.34.20
13. Builtin accounts
14. Group mapping (2004/08/10)
15. Configuring smb server (2004/04/10)
16. A note about charsets (internationalization)
17. Configuring smb server with ssl (tls)
18. Setting the admin dn passwd with smbpasswd
19. Migrating from samba+ldap old versions to 3.x
20. Starting (and stopping) the samba server
21. Adding accounts with smbpasswd
22. Refine the ldap account entries
23. Joining workstations (NT, W2K, XP) to the samba domain
24. A complex and real example: several domains (PDC), several share servers (no PDC), two ldap (master/slave) servers
25. Migrating accounts from smbpasswd to ldap
26. Some notes about mandatory and roaming profiles
27. Password sync
28. A shortcut for building a pam, nss and ldap centralized accounting system.
Documentation
- The official Samba PDC documentation and the Samba-HOWTO-Collection in pdf or html format.
- The more recent documentation (very improved, of course!) may be found in the distribution tree in the docs/ directory:
    samba/docs/htmldocs/samba-ldap-howto.html (a must read!)
    samba/docs/Samba-HOWTO-Collection.pdf (a must read!)
  also the directories samba/docs/htmldocs/ and samba/docs/textdocs
- Chapters 21 and 22 of Teach Yourself Samba in 24 Hours (Gerald Carter, SAMS, 1st or 2nd edition) and Using Samba (R. Eckstein, D. Collier-Brown & P. Kelly, O'Reilly) may help.
- Chapter 20 of the book Special Edition: Using Samba (Richard Sharpe, with Tim Potter & Jim Morris, QUE) covers the LDAP stuff for the old HEAD pre-2.1.
- LDAP System Administration (Gerald Carter, O'Reilly); a real and recent system administrator book: a must read for systems' integration with LDAP.
Identification and authentication scenarios [toc]
Someone asked me about scenarios for samba and ldap. This may explain roughly some basic ideas for those new to samba. A good idea may be to take a look at
About SAMBA Scenarios:

1. A samba server grants access to services based on user/password@resource. Samba stores the smb passwd secrets in two fashions: lmPassword and ntPassword. When a user logs in to a resource, the server compares the client's nt/lm password hashes with the hashes stored in the smbpasswd file, or in the ldap directory that replaces the local smbpasswd file.

2. If you need to grant access to a samba resource (share, printer, fax, etc.) from a client (a user/passwd@workstation, NT/W2K/XP), you must supply a source of user:<nt|lm>hash pairs to grant/deny the access. The authentication may be performed:
   - local: resolved locally, in the same server, via smbpasswd or some passwd source (ldap, ...)
   - external: the authentication is resolved by an external server (a PDC, in short). The difference between the "server" and "domain" mechanisms is a bit complex: domain is better for connections; server is maintained for backward compatibility with old versions. If domain is used, the server may be a samba-PDC or an NT-PDC. In new implementations domain is recommended. A samba-PDC may act as PDC and server (file, print, fax, etc.).

3. To access a samba server (PDC or server) from a client you need to provide a unix account; this may be provided via:
   - /etc/passwd
   - nsswitch --> ldap or nis (posixAccount)
   - winbind (virtual account mapping: NT users are mapped in unix systems with a virtual uid/uidNumber).

Conclusion: samba uses two kinds of accounting information: sambaAccounts (local or remote) AND posix (unix) accounts. The sambaAccounts may be local or remote (from a PDC). The posix (unix) accounts are always local, but may be stored externally (ldap or nis). There may be several possible scenarios:

PDC:
1. smbpasswd + /etc/passwd
2. ldap + /etc/passwd
3. ldap + nsswitch (via ldap, nis)
4. smbpasswd + nsswitch (via ldap, nis)

server only (shares, printers...):
1. smbpasswd + /etc/passwd
2. ldap + /etc/passwd
3. ldap + nsswitch (via ldap, nis)
4. smbpasswd + nsswitch (via ldap, nis)
5. winbind (virtual users from an NT or PDC server)
6. against an external PDC (security server|domain) + /etc/passwd
7. against an external PDC (security server|domain) + nsswitch (via ldap, nis, ...)
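As an added example (not from the original howto) of the two halves of accounting described above: a small Python tool that reads an smbpasswd(5) line and a passwd(5) line, validates the lm/nt hash fields, and emits one LDIF entry combining posixAccount with the Samba 3 sambaSamAccount class (the new schema names the hashes sambaLMPassword/sambaNTPassword; the scenario text uses the older lmPassword/ntPassword names). The domain SID, base DN and sample accounts are constructed placeholders, and the uid-to-RID rule is Samba's default algorithmic mapping.

```python
import re

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
# Constructed placeholder values: substitute your own domain SID and suffix.
DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"
BASE_DN = "ou=People,dc=example,dc=org"
# Constructed sample input (not real accounts or hashes).
SAMPLE_PASSWD = ["jdoe:x:1000:100:John Doe:/home/jdoe:/bin/bash"]
SAMPLE_SMB = ("jdoe:1000:0123456789ABCDEF0123456789ABCDEF:"
              "FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-40FC1A2B:")

def parse_passwd(lines):
    """login -> (uidNumber, gidNumber, homeDirectory, loginShell) from passwd(5) lines."""
    users = {}
    for line in lines:
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, home, shell = line.rstrip("\n").split(":", 6)
            users[name] = (int(uid), int(gid), home, shell)
    return users

def parse_smbpasswd_line(line):
    """Split name:uid:LMhash:NThash:[flags]:LCT-hex: -- the lm/nt secrets are
    32 hex digits each (or 32 'X' when no password is set); reject anything else."""
    name, uid, lm, nt, flags, lct = line.rstrip("\n").split(":")[:6]
    for h in (lm, nt):
        if not (HEX32.match(h) or h == "X" * 32):
            raise ValueError("malformed hash for %s" % name)
    if flags[:1] != "[" or flags[-1:] != "]" or not lct.startswith("LCT-"):
        raise ValueError("malformed flags or LCT field for %s" % name)
    return name, int(uid), lm.upper(), nt.upper(), flags, int(lct[4:], 16)

def smb_entry_to_ldif(smb_line, posix):
    """Merge the samba half and the posix half into one LDIF entry; fail when
    the unix account is missing, since samba needs both kinds of accounting."""
    name, uid, lm, nt, flags, lct = parse_smbpasswd_line(smb_line)
    if name not in posix:
        raise LookupError("no posixAccount for %s" % name)
    uidn, gidn, home, shell = posix[name]
    if uidn != uid:
        raise ValueError("uid mismatch for %s" % name)
    rid = 2 * uidn + 1000  # Samba 3 default algorithmic uid -> RID mapping
    attrs = [("dn", "uid=%s,%s" % (name, BASE_DN)),
             # 'account' is STRUCTURAL; posixAccount and sambaSamAccount are AUXILIARY
             ("objectClass", "account"), ("objectClass", "posixAccount"),
             ("objectClass", "sambaSamAccount"), ("uid", name), ("cn", name),
             ("uidNumber", uidn), ("gidNumber", gidn), ("homeDirectory", home),
             ("loginShell", shell), ("sambaSID", "%s-%d" % (DOMAIN_SID, rid)),
             ("sambaLMPassword", lm), ("sambaNTPassword", nt),
             ("sambaAcctFlags", flags), ("sambaPwdLastSet", lct)]
    return "".join("%s: %s\n" % kv for kv in attrs)
```

Feed the output to ldapadd against the suffix you actually use; the LookupError path is the case the conclusion warns about, a samba account with no unix account behind it.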
A more formal classification:
This section about scenarios is under absolute de-construction...
| Intended use | passwd class | Config. implementation | topics | in this doc. |
| samba as external validator: use lm/ntpasswd to authenticate services (squid, ftp) | lm/ntpasswd | pam_smbpass | transparent to ldap; managed by pam via rpc | covered as implementation scenario |
| access to samba services (shares, printers) validating against a pam module | pam dep. plain/MD4 passwd. | with-pam | managed by pam modules (i.e. pam_ldap) | no, at all |
| samba services (squid, ftp) and shares validating and authenticating against an AD or an NT PDC | lm/ntpasswd, kerberos | winbind, idmap backend | rpc <-> AD, PDC; ldap may be used to store AD accounting data in the future | no |
| samba as PDC validating against an external PDC (shares, printers may also be provided) with unix accounts | lm/ntpasswd | ldapsam_compat | required LDAP database; local or nss methods | covered; smb.conf(5) |
| samba as PDC validating against an external PDC (shares, printers may also be provided) without unix accounts in the local samba-PDC server | lm/ntpasswd | ldapsam | required LDAP database; accounts are mapped as local; required nss_ldap ?? | covered; smb.conf(5) |
| access to samba services (shares, printers) in a local server validating against an external PDC | lm/ntpasswd | user, domain | rpc; transparent to ldap | covered as implementation scenario |
Most recent changes [toc]
040522: CVS replaced by subversion.
040407: 'ldap replication sleep' fixes a problem in the replication timing: the slave may be updated prior to a new request, or some troubles syncing data (because of the slurpd replication delay) may be found.
How to download [toc]
There are two ways:
- the easy way: ftp, tar files and binaries.
- the developer way, via Subversion. In April Samba development changed from using CVS to Subversion for version control. Please see the subversion information for details.

Download with subversion (svn):
- If you don't have subversion installed, some packages may be required:
    rpm -i --force zlib-1.1.4-8.i386.rpm
    (--force if you have another zlib: take care)
    rpm -i neon-0.24.6-1.i386.rpm
    rpm -i apache-libapr-2.0.48-0.1.i386.rpm
    rpm -i subversion-1.0.3-1.rh7x.i386.rpm
    rpm -i --nodeps subversion-1.0.3-1.rh7x.i386.rpm
    rpm -i /root/db4-4.0.14-0.4.i386.rpm
- To download the code, follow the instructions for the required branch (trunk-stable, develop 3, develop 4...). Some examples:
    svn co svn://svnanon.samba.org/samba/branches/SAMBA_3_0 samba-3_0
    svn co svn://svnanon.samba.org/samba/branches/SAMBA_4_0 samba-4_0
    svn co svn://svnanon.samba.org/samba/trunk samba-trunk