smb-ldap-3-howto.html
Samba (v.3) PDC LDAP howto
20040811.05
I hope this document can help: it expresses our personal experience at the University of Navarra using Samba and OpenLDAP together.
- This document covers SAMBA_3 with LDAP v3. In short: running SAMBA_3 with the new LDAP schemas and functionality, with full LDAP v3 protocol support. This howto has been tested on: NT-WS-4-SP3+/W2K/XP; Linux RH7.1+, Debian 3.0, kernel 2.x.y and OpenLDAP 2.0.21+.
- SAMBA_3 with LDAP in compat mode (old schemas) is covered in the smb-ldap-3-compat-howto.
- Samba 2.2.8+ [SAMBA_2_2] runs fine and has official LDAP support. If you plan to implement OpenLDAP 2.x you must read the note about AUXILIARY objectClass. Please, for SAMBA_2_2 versions use the ldap-smb-2_2 document.
If you plan to implement OpenLDAP 2.x (x>1) and you come from 2.0.y, you must read a note
Many thanks to Andrew Bartlett and many others who helped me a lot with some changes and several updates.
Table of contents
2. Identification and Authentication Scenarios
3. Most recent changes 2004/05/22
4. How to download 2004/05/22
5. Proposed patches
6. How to compile
7. Ldap server configuration slap.conf
8. Comments about the schemas
9. Samba schema 3.0
10. A note about AUXILIARY and STRUCTURAL objectClass
11. Ldap basic entries (also with posixAccount)
12. Windows XP and W2K requirements
http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html (1 di 54)16/08/2004 15.34.20
13. Builtin accounts
14. Group mapping 2004/08/10
15. Configuring smb server 2004/04/10
16. A note about charsets (internationalization)
17. Configuring smb server with ssl (tls)
18. Setting the admin dn passwd with smbpasswd
19. Migrating from samba+ldap old versions to 3.x
20. Starting (and stopping) the samba server
21. Adding accounts with smbpasswd
22. Refine the ldap account entries
23. Joining workstations (NT, W2K, XP) to the samba domain
24. A complex and real example: several domains (PDC), several share servers (no PDC), two ldap (master/slave) servers
25. Migrating accounts from smbpasswd to ldap
26. Some notes about mandatory and roaming profiles
27. Password sync
Documentation
- The official Samba PDC documentation and the Samba-HOWTO-Collection in pdf or html format.
- The more recent documentation (much improved, of course!) may be found in the distribution tree in the docs/ directory:
  samba/docs/htmldocs/samba-ldap-howto.html (a must read!)
  samba/docs/Samba-HOWTO-Collection.pdf (a must read!)
  also the directories:
  samba/docs/htmldocs/
  samba/docs/textdocs
- Chapters 21 and 22 of Teach Yourself Samba in 24 Hours (Gerald Carter, SAMS, 1st or 2nd edition) and Using Samba (R. Eckstein, D. Collier-Brown & P. Kelly, O'Reilly) may help.
- Chapter 20 of the book Special Edition: Using Samba (Richard Sharpe, with Tim Potter & Jim Morris, QUE) covers the LDAP stuff for the old HEAD pre-2.1.
- LDAP System Administration (Gerald Carter, O'Reilly): a real and recent system administration book, a must read for systems' integration with LDAP.
Identification and authentication scenarios [ toc ]
Someone asked me about scenarios for samba and ldap. This may roughly explain some basic ideas for those who are new to samba.
A good idea may be to take a look at
About SAMBA scenarios:
1. A samba server grants access to services based on user/password@resource. Samba stores the smb passwd secrets in two fashions: lmPassword and ntPassword. When a user logs in to a resource, the server compares the client's nt/lm password hashes with the hashes stored in the smbpasswd file, or in the ldap directory that replaces the local smbpasswd file.
2. If you need to grant access to a samba resource (share, printer, fax, etc.) from a client (a user/passwd@workstation, NT/W2K/XP), you must supply a source of user:<nt|lm>hash pairs to grant or deny the access. The authentication may be performed:
- local: resolved locally, in the same server, via smbpasswd or some passwd source (ldap, ...)
- external: the authentication is resolved by an external server (a PDC, in short). The difference between the "server" and "domain" mechanisms is a bit complex: domain is better for connections; server is maintained for backward compatibility with old versions. If domain is used, the server may be a samba-PDC or an NT-PDC. In new implementations domain is recommended. A samba-PDC may act as PDC and server (file, print, fax, etc.).
3. To access a samba server (PDC or server) from a client you need to provide a unix account; this may be provided via:
- /etc/passwd
- nsswitch --> ldap or nis (posixAccount)
- winbind (virtual account mapping: NT users are mapped to unix systems with a virtual uid/uidNumber).
Conclusion: samba uses two kinds of accounting information: sambaAccounts (local or remote) AND posix (unix) accounts. The sambaAccounts may be local or remote (from a PDC). The posix (unix) accounts are always local, but may be stored externally (ldap or nis). Several scenarios are possible:
PDC
1. smbpasswd + /etc/passwd
2. ldap + /etc/passwd
3. ldap + nsswitch(via ldap, nis)
4. smbpasswd + nsswitch(via ldap, nis)
server only (shares, printers...):
1. smbpasswd + /etc/passwd
2. ldap + /etc/passwd
3. ldap + nsswitch(via ldap, nis)
4. smbpasswd + nsswitch(via ldap, nis)
5. winbind (virtual users from an NT or PDC server)
6. against an external PDC (security server|domain) + /etc/passwd
7. against an external PDC (security server|domain) + nsswitch(via ldap, nis, ...)
A more formal classification:
This section about scenarios is under absolute de-construction...

Intended use | passwd class | Config. | implementation topics | in this doc.
--- | --- | --- | --- | ---
samba as external validator: use lm/ntpasswd to authenticate services (squid, ftp) | lm/ntpasswd | pam_smbpass | - transparent to ldap; - managed by pam via rpc | covered as implementation scenario
access to samba services (shares, printers) validating against a pam module | pam dep. plain/MD4 passwd. | with-pam | - managed by pam modules (i.e. pam_ldap) | no, at all
 | lm/ntpasswd, kerberos | winbind, idmap backend | - rpc <-> AD, PDC; - ldap may be used to store AD accounting data in the future | no
samba as PDC validating against an external PDC (shares and printers may also be provided) with unix accounts | lm/ntpasswd | ldapsam_compat | - requires an LDAP database; - local or nss methods | covered; smb.conf(5)
samba as PDC validating against an external PDC (shares and printers may also be provided) without unix accounts in the local samba-PDC server | lm/ntpasswd | ldapsam | - requires an LDAP database; - accounts are mapped as local; - requires nss_ldap ?? | covered; smb.conf(5)
access to samba services (shares, printers) in a local server validating against an external PDC | lm/ntpasswd | user, domain | - rpc; - transparent to ldap | covered as implementation scenario
Most recent changes [ toc ]
040522: CVS replaced by Subversion.
040407: 'ldap replication sleep' fixes a problem with the replication time: the slave may be updated prior to a new request, or some trouble syncing data (because of the slurpd replication delay) may be found.
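As an added example (not from the original howto), this smb.conf fragment puts together the PDC scenario "ldap + nsswitch(via ldap)" from the scenarios above with the 'ldap replication sleep' parameter for a slurpd master/slave pair; the workgroup, hostnames, suffixes and the admin dn are assumed placeholders.

```ini
# smb.conf fragment (added example, not from the howto); names and suffixes are placeholders
[global]
   workgroup = EXAMPLEDOM
   netbios name = PDC1
   security = user
   domain logons = yes
   domain master = yes
   preferred master = yes
   os level = 65

   # Scenario "ldap + nsswitch(via ldap)": the lm/nt hashes live in LDAP (ldapsam),
   # the posixAccount part of the same entries is served to unix through nss_ldap
   # (/etc/nsswitch.conf: "passwd: files ldap" and "group: files ldap").
   passdb backend = ldapsam:ldap://ldap-slave.example.org
   ldap suffix = dc=example,dc=org
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap

   # bind dn used for writes; its password is not kept in this file but in
   # secrets.tdb, stored with: smbpasswd -w <password>
   ldap admin dn = cn=samba-admin,dc=example,dc=org
   # the admin dn password and the sambaLMPassword/sambaNTPassword attributes
   # must never cross the wire in clear text: require TLS on the LDAP connection
   ldap ssl = start tls

   # Samba writes through the read-only slave to the master (LDAP referral) and
   # then reads the entry back from the slave; give slurpd time (milliseconds)
   # to replicate the change before that read, otherwise e.g. a domain join can
   # report success while the slave still shows the old data.
   ldap replication sleep = 1000
```

The sleep is a fixed delay, not a check that replication happened; on a slow link measure the real slurpd lag and raise the value (the parameter accepts up to 5000).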
How to download [ toc ]
There are two ways:
- the easy way: ftp, tar files and binaries.
- the developer way, via Subversion. In April Samba development changed from CVS to Subversion for version control. Please see the subversion information for details.
Download with subversion (svn):
- If you don't have subversion installed, some packages may be required:
rpm -i --force zlib-1.1.4-8.i386.rpm
(--force if you have another zlib: take care)
rpm -i neon-0.24.6-1.i386.rpm
rpm -i apache-libapr-2.0.48-0.1.i386.rpm
rpm -i subversion-1.0.3-1.rh7x.i386.rpm
rpm -i --nodeps subversion-1.0.3-1.rh7x.i386.rpm
rpm -i /root/db4-4.0.14-0.4.i386.rpm
- To download the code, follow the instructions for the required branch (trunk-stable, develop 3, develop 4...). Some examples:
svn co svn://svnanon.samba.org/samba/branches/SAMBA_3_0 samba-3_0
svn co svn://svnanon.samba.org/samba/branches/SAMBA_4_0 samba-4_0
svn co svn://svnanon.samba.org/samba/trunk samba-trunk