Professional Documents
Culture Documents
31 Jan 2006
This tutorial demonstrates how to install and configure Samba as a primary domain
controller with a secure LDAP-based authentication mechanism. It also describes
how to configure the LDAP server, OpenLDAP, for PAM-based authentication and
how to secure the link between Samba and OpenLDAP with Transport Layer Security
(TLS). The completed system boasts a secure file- and print-sharing setup, in
addition to a robust LDAP server that could be used for purposes beyond those
required by Samba. Additionally, Windows® clients are able to logon to your Samba
server which acts as a primary domain controller and have shared drives
automatically mounted for them based on their group membership.
• Introduce LDAP, show how it integrates with Samba, and discuss security
concerns
This tutorial is best suited for readers with moderate UNIX or Linux familiarity and
experience with basic IP networking concepts. The author used Fedora Core 3 as
the Linux distribution, but other Linux distributions or UNIX variants, such as AIX,
Solaris, or HP-UX, would also work for the setup described in the tutorial. All
applications and utilities used in this tutorial are open source and are available from
either your Linux vendor or the application vendor's homepage.
Prerequisites
The Linux distribution is Fedora Core 3; however, there is no reason why the setup
described here would not work on other Linux distributions or UNIX variants such as
AIX, Solaris, or HP-UX. The software is free and obtained in a number of ways. I
recommend that you get a precompiled version (such as an RPM) from your Linux
vendor's ftp mirror.
Here is a list of software used in this tutorial. There is no need to get the list
beforehand as the tutorial describes how to download and install them.
• OpenSSL.
• OpenLDAP.
• Samba.
LDAP manages data in what is termed a directory information tree. This tree helps to
organize data through categorization. Many LDAP servers use SQL databases to
store their information because they are a natural fit. As with a traditional SQL
database, LDAP uses schemas to define where data should be located and how
data should be formatted. The use of schemas and the similarities with traditional
SQL databases are key advantages of LDAP because they contribute greatly to its
extensibility.
• The first is the inclusion of Samba's schema into the LDAP server.
• The second is configuring Samba to authenticate through the LDAP
server.
Authentication takes place with the help of Linux's PAM utility (Pluggable
Authentication Modules). The PAM utility abstracts the process of authentication
away from software applications running on Linux so that they do not have to
understand the complexities of a particular authentication mechanism. As such,
PAM gives software applications an enormous degree of flexibility because a
software application can call one API for authentication and PAM decides if it should
• The third integration point involves a set of tools that aid in the
management of Samba's LDAP directory information tree. This toolkit is
produced by a third-party; however, it is covered under the GNU Public
License.
Security
A key strength of LDAP is its ability to be used as an authentication mechanism for
software applications that could be scattered across a network. A side effect of this
strength is that passwords may flow across the network during the authentication
phase and, as a result, could be intercepted. Fortunately, LDAP supports both SSL
(Secure Sockets Layer) and TLS.
In this tutorial, the LDAP server is running on the same physical server as Samba;
thus, there isn't much need for encryption. However, I will demonstrate how to
encrypt the channel between LDAP and Samba because it is relatively simple and
necessary for the reader who hosts Samba and LDAP on different machines.
This tutorial proceeds in two phases. The first phase details how to configure Samba
and LDAP in an unsecured mode. Once the first phase is complete, encryption is
enabled to secure the channel between Samba and the LDAP server. I am
proceeding in a two-phase approach because in general, it is usually easier to
install, configure, and diagnose problems in an unsecured mode.
3. We create a directory for the IDEALX scripts to live in. At the command
prompt type: mkdir -p /var/lib/samba/sbin. Then type: chmod
-R 755 /var/lib/samba.
5. Copy the required scripts from the temporary directory to the permanent
directory with the following command: cp smbldap* configure.pl
/var/lib/samba/sbin.
1. chmod 750 *
The IDEALX toolkit requires some additional Perl modules that may not be installed
on your system. This section demonstrates how to download and install them.
1. The first thing you need to do is to download all of the requisite Perl
2. The next step is to un-tar and un-zip the downloaded Perl modules. Issue
the following command in the directory where you saved the four
downloaded modules: tar -zxvf *.gz.
3. The final step is to build and install each of the four modules. Change into
each of the newly created directories and issue the following commands
as root.
1. perl Makefile.PL
2. make install
Create the directory for our LDAP database. In this tutorial, we give this directory the
3. Set the correct ownership. Fedora users should already have the user
LDAP defined in /etc/passwd. If you are installing on a different
distribution you may need to create that user. Type: chown ldap:ldap
/var/lib/ldap/somedomain.com.
Finally, we create the encryption keys that OpenLDAP uses for TLS. To do this you
need OpenSSL. The vast majority of Linux distributions ship with OpenSSL;
however, if you do not have it installed, get a copy from your vendor or
http://www.openssl.org/.
This tutorial assumes that the user will not be using a commercial certificate
authority (CA) such as Verisign, Thawte, etc. As such, we will need to become our
own CA and sign the certificates used by our LDAP server. The steps below
demonstrate how to become a CA and sign certificates.
1. If you haven't already done so, edit openssl.cnf to match your particular
needs. Find the openssl.cnf file and type: locate openssl.cnf.
default_bits = 1024
# The following parameters should be modified to fit your
# organization.
countryName_default = US
stateOrProvinceName_default = North Carolina
localityName_default = Raleigh
0.organizationName_default = somedomain.com
4. Create your CA certificate and key pair with the following command:
openssl req -nodes -config openssl.cnf -new -x509
-keyout CA/private/cakey.pem -out CA/cacert.pem -days
3650.
5. Create the key pair for OpenLDAP with the following commands:
1. cp CA/cacert.pem /etc/openldap/
Before we begin editing, generate a password hash for the rootdn. This is the
password that you must use to make changes to your LDAP server's directory
information tree.
Note: Choose a password that is different from your Linux server's root password.
2. Save the output from this command, as you will need it next. It could look
like: {SSHA}kCuJt72QLJ2O06nFUvdre97sHT0AxlH/.
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
# -1 is all messages 296 is a good compromise for most debugging
#loglevel -1
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
# The following three lines are related to security. Leave them commented out now.
# We uncomment them and enable security *after* we have successfully tested Samba with
# LDAP in an unsecured configuration. Debugging is infinitely easier without encryption
# enabled.
#TLSCipherSuite HIGH
#TLSCertificateFile /etc/openldap/slapd-cert.pem
#TLSCertificateKeyFile /etc/openldap/slapd-key.pem
database bdb
# MODIFY
# Modify suffix and rootdn to match your domain name.
suffix "dc=somedomain,dc=com"
rootdn "cn=Manager,dc=somedomain,dc=com"
# MODIFY
# Use the following to generate:
# slappasswd -h {SSHA} -s <your password here>
rootpw {SSHA}kCuJt72QLJ2O06nFUvdre97sHT0AxlH/
# MODIFY
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended with an owner of ldap and a group of ldap
directory /var/lib/ldap/somedomain.com
# Indices to maintain for this database
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
Sometimes there are multiple instances of ldap.conf on your system. Locate the one
that PAM has been configured to use. To do this type: strings
/lib/libnss_ldap.so.2 | grep conf. Usually, the returned value is
/etc/ldap.conf.
Edit ldap.conf in your favorite editor and insert the following text. Modify the sections
denoted with a "# MODIFY" comment.
## IMPORTANT
## The /etc/ldap.conf file is used by PAM. There is another ldap.conf file in
## /etc/openldap.
## The file, /etc/openldap/ldap.conf, is used by ldap tools, such as ldapsearch.
## If you intend to use those tools you will need to add a TLS_CACERT directive to that
## file also.
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space.
host 127.0.0.1
# MODIFY
# The distinguished name of the search base.
base dc=somedomain,dc=com
# MODIFY
# The distinguished name to bind to the server with.
# We will use the root dn until we can create a lesser privileged user.
binddn cn=Manager,dc=somedomain,dc=com
bindpw < use the password you created for Manager in "Step 4: Configure slapd.conf">
# MODIFY
# Note: "ou=Users" and "ou=Groups" should match what
# you entered in smb.conf for "ldap group suffix"
# and "ldap user suffix"
nss_base_passwd ou=Users,dc=somedomain,dc=com?one
nss_base_passwd ou=Computers,dc=somedomain,dc=com?one
nss_base_shadow ou=Users,dc=somedomain,dc=com?one
nss_base_group ou=Groups,dc=somedomain,dc=com?one
ssl no
pam_password md5
# We need to tell PAM where the certificate used to authenticate the LDAP
# server (i.e. is the LDAP server the one we think it is).
tls_cacertfile /etc/openldap/cacert.pem
# If you experience difficulty authenticating after enabling TLS, try uncommenting
# the next line. You will know that you are having problems if you
# issue "getent group" and do not see any of the MS Windows groups
# that have been created in your LDAP database.
# tls_checkpeer no
Linux vendor to do all of the dirty work for me. Fedora provides a command line
utility called authconfig that knows how to modify all of PAM's configuration files.
Other Linux vendors have similar configuration utilities, so consult the
documentation if you're not using Fedora.
1. Check to see if your distribution already has Samba installed. Issue the
following command at a terminal: rpm -qa | grep samba. If you do
not get a response of samba-3.0.14 or greater, then you should either
upgrade or install anew (which is described next).
1. mkdir -p /var/lib/samba/netlogon/scripts/
/var/lib/samba/printing/
our Microsoft Windows network and we add hooks to make Samba aware of the
LDAP backend. The file is shown below with comments.
Change all sections a denoted by a "# MODIFY" comment to fit your particular
situation. Also, all of the directives in this configuration file are described in the
Samba manual. You can view it by typing man smb.conf.
# Global parameters
[# Global parameters
[global]
# MODIFY
workgroup = BIGTIME
# MODIFY
netbios name = linus
# MODIFY
server string = Linus Samba Server
passdb backend = ldapsam:ldap://127.0.0.1/
# By default run with minimal logging. However, if you need to debug
# 5 is a fairly verbose logging level.
#log level = 5
log file = /var/log/samba/log.%m
max log size = 50
time server = Yes
add user script = /var/lib/samba/sbin/smbldap-useradd -a '%u'
delete user script = /var/lib/samba/sbin/smbldap-userdel '%u'
add group script = /var/lib/samba/sbin/smbldap-groupadd -p '%g'
delete group script = /var/lib/samba/sbin/smbldap-groupdel '%g'
add user to group script = /var/lib/samba/sbin/smbldap-groupmod -m '%u''%g'
delete user from group script = /var/lib/samba/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /var/lib/samba/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /var/lib/samba/sbin/smbldap-useradd -w '%u'
# Personally, I do not like roaming profiles because they take up too
# much space on my server. As such, I disable roaming profiles by
# setting the following two variables to null
logon path =
logon home =
logon drive = H:
domain logons = Yes
preferred master = Yes
domain master = Yes
wins support = Yes
# MODIFY
ldap admin dn = cn=Manager,dc=somedomain,dc=com
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
# MODIFY
ldap suffix = dc=somedomain,dc=com
ldap user suffix = ou=Users
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
# The next three blocks define the shared drives that we will be exposing. They are all
# nearly identical. The important thing to note is that all files on these drives are
# readable and writeable by any user in that group.
[netlogon]
path = /var/lib/samba/netlogon/scripts
browseable = No
root preexec = /var/lib/samba/netlogon/scripts/logon.pl %U %I
# MODIFY
[marketing]
comment = Marketing material
path = /home/marketing
# Any files written to this drive will have this user group. Since this is a
# *shared* drive all users should have permission to read/write/remove any file.
# If you do not agree you will probably want to remove the "force group" line
force group = marketing
read only = No
create mask = 0770
directory mask = 0770
browseable = No
# MODIFY
[engineering]
comment = Common material
path = /home/engineering
path = /home/marketing
# Any files written to this drive will have this user group. Since this is a
# *shared* drive all users should have permission to read/write/remove any file.
# If you do not agree you will probably want to remove the "force group" line
force group = engineering
read only = No
create mask = 0770
directory mask = 0770
browseable = No
# MODIFY
[management]
comment = Management Data
path = /home/management
path = /home/marketing
# Any files written to this drive will have this user group. Since this is a
# *shared* drive all users should have permission to read/write/remove any file.
# If you do not agree you will probably want to remove the "force group" line
force group = management
read only = No
create mask = 0770
directory mask = 0770
Our Samba server does not be store roaming profiles because these can take up
quite a bit of space; however, we force each Microsoft Windows client that logs in to
our domain to mount drives and synchronize with a time server.
In this step we create a Perl script that generates a Windows batch file that is
executed each time a user logs in to the BIGTIME domain. The batch file causes the
user's Windows machine to automatically mount the drives that their security profile
grants them access to. This action is useful for large organizations with many
common drives and a diverse security policy. The location and execution of this
batch script are defined by two parameters in the netlogon section of smb.conf, they
are path and root preexec.
The Perl script is shown following. Perform these actions to install the Perl logon
script:
1. cd /var/lib/samba/netlogon/scripts
2. Create a file called logon.pl and fill it with the contents shown below.
#!/usr/bin/perl
use strict;
# Set the permissions on any file we create to 640 (i.e. -rw-r--r--)
umask(022);
my $NETLOGON_DIR = "/var/lib/samba/netlogon/scripts";
my $LOG_DIR = "/var/log/samba";
my $SERVERNAME = "linus";
## You will need to modify this hash to match your mountpoints.
my %MOUNTPOINTS = (
"engineering" => "NET USE W: \\\\$SERVERNAME\\engineering \/YES\r\n",
"marketing" => "NET USE W: \\\\$SERVERNAME\\marketing \/YES\r\n",
"management" => "NET USE W: \\\\$SERVERNAME\\management \/YES\r\n"
);
## Make sure that there is a user name and that it contains a valid
## user name string (i.e. no invalid chars).
if ($#ARGV != 1 ||
$ARGV[0] =~ /[^a-zA-Z0-9-_]/) {
exit(1);
}
# Make sure that the user exists and log attempts with invalid IDs
my $uid = getpwnam($ARGV[0]);
if ($uid == /[^0-9]/){
my $now = localtime;
open LOG, ">>$LOG_DIR/log.netlogon";
print LOG "$now";
print LOG " - Error: Unknown user $ARGV[0] logged into $SERVERNAME from $ARGV[1]\n";
close LOG;
exit(1);
}
# Log the logon attempt
my $now = localtime;
open LOG, ">>$LOG_DIR/log.netlogon";
print LOG "$now";
print LOG " - User $ARGV[0] logged into $SERVERNAME from $ARGV[1]\n";
close LOG;
Now it is time to populate the LDAP database with our Samba schema and some
initial values. For this task use the handy IDEALX scripts. We begin by executing a
configuration script, /var/lib/samba/sbin/configure.pl. The configuration script creates
two files, smbldap_bind.conf and smbldap.conf, which contain important
environment variables used by all of the scripts in the IDEALX toolkit.
4. You will now be prompted with a series of questions and I have provided
a sample listing. In general, you should be able to simply press the return
key to the queries; however, here are some important things to know.
• The password hash is case sensitive and should match the hash
algorithm you specified in ldap.conf's pam_password variable (see
Step 5: Configure /etc/ldap.conf).
• In this tutorial there is no LDAP slave server, so we will use the same
information as the master server.
• The bind password requested by this script is the same password you
used for the rootdn in Step 4: Configure slapd.conf.
5. For those of you who do not want password expiration enabled, I will
demonstrate how to disable it. Edit smbldap.conf and comment out the
following line: defaultMaxPasswordAge="45".
6. Execute the following three commands to set the proper permissions and
ownership:
To create a shared drive for each of our three user groups (engineering, marketing,
and management) we use the smbldap-useradd utility. This utility will create a
directory in /home that serves as a shared drive. We will also create an associated
UNIX user group that we use later to grant ordinary users permissions to the shared
drive. Execute the following commands as root:
cd /var/lib/samba/sbin
./smbldap-groupadd engineering
./smbldap-groupadd marketing
./smbldap-groupadd management
./smbldap-useradd -s /sbin/nologin -m -g engineering engineering
./smbldap-useradd -s /sbin/nologin -m -g marketing marketing
./smbldap-useradd -s /sbin/nologin -m -g management management
each user:
cd /var/lib/samba/sbin
./smbldap-useradd -a -G "Domain Users",engineering dilbert
./smbldap-passwd dilbert
./smbldap-useradd -a -G "Domain Users",engineering wally
./smbldap-passwd wally
./smbldap-useradd -a -G "Domain Users",marketing catbert
./smbldap-passwd catbert
./smbldap-useradd -a -G "Domain Users",marketing,management,engineering boss
./smbldap-passwd boss
4. A new window should appear. In this window, click the radio button for
domain and enter BIGTIME as the domain. Click OK.
5. When prompted for a user ID and password, use root as the user ID and
the password you gave in Step 7: Populate the LDAP database. You are
prompted to reboot the workstation.
6. After rebooting, you will notice that the domain BIGTIME has been added
to the Log on to: selection box. Before we can log on as one of the
domain members we created in Step 9a: Add the PAM user, we should
decide where they fit in this workstation's local security hierarchy. In this
tutorial, we will add all Domain Users in the BIGTIME domain to the
Power Users local group on this workstation. Follow these steps:
1. From the logon screen, select the option for (this computer) from
the Log on to: selection box.
8. Click on Groups.
10. Click the Add button and make sure the box From this Location
contains BIGTIME.
14. Select Domain Users and click OK until you are returned to the
Computer Management window.
7. Next, enter any of the users you configured (boss, wally, catbert, or
dilbert) and log on to that workstation.
8. The workstation should automatically mount the drives that the user is
allowed to access based on their security profile.
TLSCipherSuite HIGH
TLSCertificateFile /etc/openldap/slapd-cert.pem
TLSCertificateKeyFile /etc/openldap/slapd-key.pem
Some people may experience difficulty getting PAM to communicate with their LDAP
server after enabing TLS. If you are unable to see the Windows groups you created
in your LDAP database with getent group, try adding the following line at the end
of your ldap.conf file: tls_checkpeer no.
This is a screen shot depicting the TLS being enabled through authconfig.
## IMPORTANT
## The /etc/ldap.conf file is used by PAM. There is another ldap.conf file in
## /etc/openldap.
## The file, /etc/openldap/ldap.conf, is used by ldap tools, such as ldapsearch.
## If you intend to use those tools you will need to add a TLS_CACERT directive to that
## file also.
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space.
host 127.0.0.1
# MODIFY
# The distinguished name of the search base.
base dc=somedomain,dc=com
# MODIFY
# The distinguished name to bind to the server with.
# We will not be using the root dn. Instead we will create
# lesser privileged user.
binddn uid=samba,ou=Users,dc=somedomain,dc=com
bindpw <your password here>
# MODIFY
# Note: "ou=Users" and "ou=Groups" should match what
# you entered in smb.conf for "ldap group suffix"
# and "ldap user suffix"
nss_base_passwd ou=Users,dc=somedomain,dc=com?one
nss_base_passwd ou=Computers,dc=somedomain,dc=com?one
nss_base_shadow ou=Users,dc=somedomain,dc=com?one
nss_base_group ou=Groups,dc=somedomain,dc=com?one
ssl start_tls
pam_password md5
# We need to tell PAM where the certificate used to authenticate the LDAP
# server (i.e. is the LDAP server the one we think it is).
tls_cacertfile /etc/openldap/cacert.pem
# If you experience difficulty authenticating after enabling TLS, try uncommenting
# the next line. You will know that you are having problems if you
# issue "getent group" and do not see any of the MS Windows groups
# that have been created in your LDAP database.
tls_checkpeer no
You may have noticed that there are other options in the smbldap.conf file for
authentication, clientcert and client key. These two options are there for the
truly paranoid and would allow the LDAP server to authenticate the client.
/etc/init.d/ldap restart
/etc/init.d/smb restart
To test a TLS security between Samba and LDAP try the following:
Resources
Learn
• Linux-powered networking, Part 3: Integrate Linux and Windows with Samba
(developerWorks, December 2004) is a tutorial that shows how to use Samba to
integrate your Linux and Windows networks with sample code and configuration
files.
• Common threads: Samba domain controller support (developerWorks, August
2000) demonstrates how to use Samba's domain controller function to control a
Windows NT domain.
• Common threads: Introduction to Samba, Part 1 (developerWorks, June 2000),
Part 2 (July 2000), and Part 3 (July 2000) is an excellent guide to installing and
configuring Samba.
• Find more resources for Linux developers in the developerWorks Linux zone.
Get products and technologies
• Samba provides print and file services for SMB/CIFS clients.
• OpenLDAP is an open source implementation of the Lightweight Directory
Access Protocol.
• Pick up the Samba LDAP toolkit.
• Access the UNIX man pages for Samba.
• Build your next development project on Linux with IBM trial software, available
for download directly from developerWorks.
Discuss
• Get involved in the developerWorks community by participating in
developerWorks blogs.
Trademarks
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
DB2, Lotus, Rational, Tivoli, and WebSphere are trademarks of IBM Corporation in
the United States, other countries, or both.
Intel is a trademark of Intel Corporation or its subsidiaries in the United States and
other countries.