Personal details

My name is Jaime Vélez. I am a Systems Engineer and a Linux hobbyist; my favourite distribution is openSUSE. In these notes I will try to write up quick configurations of services that have been useful to me both at home and at work. I hope they are useful to someone at some point.

Tuesday, 24 July 2007

Configuring Samba with LDAP

Required packages
C/C++ compiler and build tools

Use the SuSE distribution packages via YaST.

Download the Perl modules you need from cpan.org.
They come as tar.gz archives; unpack them and install them the Perl way, as root:

perl Makefile.PL
[root password]
make
make install

For example, on cpan.org I found Unicode-Map-0.112.tar.gz; I download it and then, from the command line:
tar -xvzf Unicode-Map-0.112.tar.gz
cd Unicode-Map-0.112
perl Makefile.PL
[root password]
make
make install

1. Initial Samba configuration

Configure the Samba server with YaST (do not include anything about LDAP in this step) and specify that the machine is a primary domain controller. Then, from a shell as root (delete any LDAP structure you may already have first):

2. OpenLDAP configuration

cd /etc/openldap/schema
cp /usr/share/doc/packages/samba/examples/LDAP/samba.schema /etc/openldap/schema

vi /etc/openldap/slapd.conf
(file /etc/openldap/slapd.conf)
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
include /etc/openldap/schema/core.schema

include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
#include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/yast.schema
# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Load dynamic backend modules:
modulepath /usr/lib/openldap/modules
# moduleload back_ldap.la
# moduleload back_meta.la
# moduleload back_monitor.la
# moduleload back_perl.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access to user password
# Allow anonymous users to authenticate
# Allow read access to everything else
# Directives needed to implement policy:
#access to dn.base=""
# by * read

#access to dn.base="cn=Subschema"
# by * read

#access to attrs=userPassword,userPKCS12
# by self write
# by * auth

#access to attrs=shadowLastChange
# by self write
# by * read

#access to *
# by * read

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
# rootdn can always read and write EVERYTHING!

# BDB database definitions

loglevel 0
database bdb
suffix "dc=eratostenes,dc=site"
rootdn "cn=Administrador,dc=eratostenes,dc=site"
rootpw "secret"
directory /var/lib/ldap/
checkpoint 1024 5
cachesize 10000
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial

Compared with the stock file, samba.schema (copied above) and nis.schema are included, suffix, rootdn and rootpw were changed, and the indexes for the LDAP tree were added. Two things this file leaves at the defaults deserve attention: rootpw is stored in cleartext (generate a {SSHA} hash with slappasswd and paste that instead), and all the sample access rules are commented out, so the default policy "access to * by * read" applies and an anonymous bind can read userPassword and the sambaNTPassword/sambaLMPassword attributes that Samba will store in the tree; the NT hash alone is enough to authenticate over SMB as that user, so treat those attributes as passwords.
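The following is an added example, not code from the original post: a small POSIX shell audit that reads a slapd.conf and flags a cleartext rootpw and the absence of an access rule for the password attributes, plus two constructed files, one mirroring the weak lines of the slapd.conf above and one with a hashed rootpw and a protective ACL. The {SSHA} value is a placeholder for real slappasswd output, and the ACL wording is the usual pattern for Samba directories rather than anything the post itself prescribes.

```shell
#!/bin/sh
# Added example (not from the original post). The slapd.conf above keeps the
# sample ACLs commented out and stores rootpw in cleartext. With no "access"
# directives at all, slapd falls back to "access to * by * read", so an
# anonymous bind can read userPassword and the Samba hashes
# (sambaNTPassword/sambaLMPassword), which are password-equivalent for SMB.
# audit_slapd_conf reports both problems; write_weak_conf/write_fixed_conf
# produce constructed before/after files for a quick demonstration.

# audit_slapd_conf FILE -> prints one WARN line per finding; exit 0 when clean
audit_slapd_conf() {
    conf="$1"; findings=0

    # rootpw: slappasswd output starts with a scheme tag such as {SSHA}
    rootpw=$(sed -e 's/#.*//' "$conf" | awk '$1 == "rootpw" { print $2 }')
    case "$rootpw" in
        "")         ;;   # no rootpw: the rootdn cannot bind by password, fine
        '{'*|'"{'*) ;;   # hashed value (optionally quoted)
        *) echo "WARN: rootpw in $conf is stored in cleartext; use slappasswd"
           findings=1 ;;
    esac

    # Each sensitive attribute must appear in some "access to attrs=..." list
    # (comments stripped first; "access to *" alone does not count).
    for attr in userPassword sambaNTPassword sambaLMPassword; do
        if ! sed -e 's/#.*//' "$conf" | awk -v want="$attr" '
            tolower($1) == "access" && tolower($2) == "to" && $3 ~ /^attrs=/ {
                n = split(substr($3, 7), a, ",")
                for (i = 1; i <= n; i++)
                    if (tolower(a[i]) == tolower(want)) found = 1
            }
            END { exit found ? 0 : 1 }'
        then
            echo "WARN: no access rule covers $attr in $conf (default is by * read)"
            findings=1
        fi
    done
    return $findings
}

# Constructed copy of the relevant lines from the post's slapd.conf
write_weak_conf() {
    cat > "$1" <<'EOF'
database bdb
suffix "dc=eratostenes,dc=site"
rootdn "cn=Administrador,dc=eratostenes,dc=site"
rootpw "secret"
directory /var/lib/ldap/
EOF
}

# Same database with a hashed rootpw (placeholder, paste slappasswd output)
# and ACLs that let password attributes be used for binding but not read.
write_fixed_conf() {
    cat > "$1" <<'EOF'
database bdb
suffix "dc=eratostenes,dc=site"
rootdn "cn=Administrador,dc=eratostenes,dc=site"
rootpw {SSHA}PLACEHOLDER_PASTE_slappasswd_OUTPUT_HERE
directory /var/lib/ldap/
# the admin dn and the entry's owner may write password attributes;
# everyone else may only authenticate against them, never read them
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn="cn=Administrador,dc=eratostenes,dc=site" write
    by self write
    by anonymous auth
    by * none
access to *
    by * read
EOF
}
```

Run audit_slapd_conf /etc/openldap/slapd.conf after every change; it exits non-zero when something is flagged. Keep the attrs= rule above the catch-all access to * rule: slapd evaluates access clauses in order and stops at the first one whose target matches, so a catch-all placed first would make the password rule dead.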

vi /etc/openldap/ldap.conf
(file /etc/openldap/ldap.conf)
# LDAP Defaults

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=eratostenes,dc=site
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#DEREF never

3. Installing the Samba tools

cd /usr/share/doc/packages/samba/examples/LDAP/smbldap-tools-0.9.2

Now run the following from the command line as root:
perl configure.pl

(Output of running configure.pl. Note the values given to the variables; variables left without a value keep their default.)
Use of $# is deprecated at configure.pl line 314.
smbldap-tools script configuration
Before starting, check
. if your samba controller is up and running.
. if the domain SID is defined (you can get it with the 'net getlocalsid')

. you can leave the configuration using the Crtl-c key combination
. empty value can be set with the "." character
Looking for configuration files...

Samba Configuration File Path [/etc/samba/smb.conf] > /etc/samba/smb.conf

The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools/] > /etc/smbldap-tools/
Let's start configuring the smbldap-tools scripts ...

. workgroup name: name of the domain Samba act as a PDC
workgroup name [TUX-NET] > TUX-NET
. netbios name: netbios name of the samba controler
netbios name [] >
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
logon drive [P:] >
. logon home: home directory location (for Win95/98 or NT Workstation).
(use %U as username) Ex:'\\\%U'
logon home (press the "." character if you don't want homeDirectory) [\\%L\%U\.profiles] > \\ERATOSTENES\%U\.profiles
. logon path: directory where roaming profiles are stored. Ex:'\\\profiles\%U'
logon path (press the "." character if you don't want roaming profile) [\\%L\profiles\%u] > \\ERATOSTENES\profiles\%U
. home directory prefix (use %U as username) [/home/%U] > /home/%U
. default users' homeDirectory mode [700] > 755
. default user netlogon script (use %U as username) [] > netlogon.bar
default password validation time (time in days) [45] > 45
. ldap suffix [dc=eratostenes,dc=site] > dc=eratostenes,dc=site
. ldap group suffix [ou=Groups] > ou=groups
. ldap user suffix [ou=Users] > ou=users
. ldap machine suffix [ou=Computers] > ou=machines
. Idmap suffix [ou=Users] > ou=users
. sambaUnixIdPooldn: object where you want to store the next uidNumber
and gidNumber available for new users and groups
sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=TUX-NET] >
. ldap master server: IP adress or DNS name of the master (writable) ldap server
ldap master server [] >
. ldap master port [389] >
. ldap master bind dn [cn=Administrador,dc=eratostenes,dc=site] > cn=Administrador,dc=eratostenes,dc=site
. ldap master bind password [] >
. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
ldap slave server [] >
. ldap slave port [389] >
. ldap slave bind dn [cn=Administrador,dc=eratostenes,dc=site] > cn=Administrador,dc=eratostenes,dc=site
. ldap slave bind password [] >
. ldap tls support (1/0) [0] >
. SID for domain TUX-NET: SID of the domain (can be obtained with 'net getlocalsid ')
SID for domain TUX-NET [S-1-5-21-2154626869-2296519943-178442766] >
. unix password encryption: encryption used for unix passwords
unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] >
. default user gidNumber [513] >
. default computer gidNumber [515] >
. default login shell [/bin/bash] >
. default skeleton directory [/etc/skel] >
. default domain name to append to mail adress [] > eratostenes.site
Use of uninitialized value in concatenation (.) or string at configure.pl line 314, line 33.
backup old configuration files:
writing new configuration file:
/etc/smbldap-tools/smbldap.conf done.
/etc/smbldap-tools/smbldap_bind.conf done.

(FILE /etc/smbldap-tools/smbldap.conf, as written by configure.pl)
# $Source: /opt/cvs/samba/smbldap-tools/configure.pl,v
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
# Copyright (C) 2001-2002 IDEALX
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

# Purpose :
# . be the configuration file for all smbldap-tools scripts

# General Configuration

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"

# LDAP Configuration

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=
# If not defined, parameter is set to ""

# Slave LDAP port
# If not defined, parameter is set to "389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=
# If not defined, parameter is set to ""

# Master LDAP port
# If not defined, parameter is set to "389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details

# CA certificate
# see "man Net::LDAP" in start_tls section for more details

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"

# Default scope Used

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!

# Unix Accounts Configuration

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"

# Default mode used for user homeDirectory

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID

# Default Computer (Samba) GID

# Skel dir

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)

# SAMBA Configuration

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"

# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries

# comment out the following line to get rid of the default banner
# no_banner="1"

(FILE /etc/smbldap-tools/smbldap_bind.conf)
# Credential Configuration #
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)

Copy the smbldap* files to /usr/local/sbin:
cp /usr/share/doc/packages/samba/examples/LDAP/smbldap-tools-0.9.2/smbldap* /usr/local/sbin

cd /usr/local/sbin
chmod 755 *
This finishes configuring the tools Samba uses to talk to LDAP. Two notes on the answers given above: smbldap_bind.conf holds the bind DN and password for the master and slave server (masterDN/masterPw, slaveDN/slavePw) in cleartext, and "ldap tls support" was left at 0, so the tools bind without TLS; both are only acceptable because the tools run as root on the same host as slapd, and smbldap_bind.conf must be readable by root only (chmod 600). Also, answering 755 for the users' homeDirectory mode makes every new home directory readable by all users on the server; the default of 700 is the safer choice unless you need that.

4. Creating the LDAP tree structure

(-u and -g set the first uidNumber and gidNumber that will be handed out to new users and groups)
cd /usr/local/sbin
/usr/local/sbin/smbldap-populate -u 1550 -g 1500
Populating LDAP directory for domain TUX-NET (S-1-5-21-2154626869-2296519943-178442766)
(using builtin directory structure)

adding new entry: dc=eratostenes,dc=site
adding new entry: ou=users,dc=eratostenes,dc=site
adding new entry: ou=groups,dc=eratostenes,dc=site
adding new entry: ou=machines,dc=eratostenes,dc=site
adding new entry: ou=Idmap,dc=eratostenes,dc=site
adding new entry: uid=root,ou=users,dc=eratostenes,dc=site
adding new entry: uid=nobody,ou=users,dc=eratostenes,dc=site
adding new entry: cn=Domain Admins,ou=groups,dc=eratostenes,dc=site
adding new entry: cn=Domain Users,ou=groups,dc=eratostenes,dc=site
adding new entry: cn=Domain Guests,ou=groups,dc=eratostenes,dc=site
adding new entry: cn=Domain Computers,ou=groups,dc=eratostenes,dc=site
adding new entry: cn=Administrators,ou=groups,dc=eratostenes,dc=site
adding new entry: cn=Account Operators,ou=groups,dc=eratostenes,dc=site
adding new entry: cn=Print Operators,ou=groups,dc=eratostenes,dc=site
adding new entry: cn=Backup Operators,ou=groups,dc=eratostenes,dc=site
adding new entry: cn=Replicators,ou=groups,dc=eratostenes,dc=site
adding new entry: sambaDomainName=TUX-NET,dc=eratostenes,dc=site

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password

This creates the LDAP structure Samba needs in order to work properly.

The root password that smbldap-populate asks for belongs to the account you will use to join Windows machines to the domain. It can be the same as the Linux root password or completely different, but keep in mind that your system now has two root users: once pam_ldap and nss_ldap are in place (section 5), the uid=root entry in the directory carries uidNumber 0 just like the one in /etc/passwd. Suppose the Linux root has password admin1 and the Samba root (stored in the LDAP tree) has admin2: you can now log in as root with either admin1 or admin2, and both give superuser rights. Be very careful with this. One way to contain it is to stop pam_ldap from authenticating system accounts through the directory (the pam_min_uid option in /etc/ldap.conf, for example pam_min_uid 1000); the domain join still works, because Samba checks the directory password itself through ldapsam, not through PAM.
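To see which directory entries the name service will resolve to UID 0, here is an added example (not from the original post) in shell: it reads an LDIF dump from stdin, unfolds continuation lines, and prints the DN of every entry whose uidNumber matches (0 by default). The embedded LDIF is constructed to resemble the entries smbldap-populate created above; in real use feed it ldapsearch output, for example ldapsearch -x -b dc=eratostenes,dc=site '(uidNumber=0)' | ldif_uid0.

```shell
#!/bin/sh
# Added example, not part of the original post: find directory entries that
# resolve to a given uidNumber (0 = root by default) in an LDIF dump.
# Limitation: base64-encoded values ("dn::") are not decoded.

# ldif_unfold: LDIF continues a long line on the next line with a leading
# space; join such lines back together so every attribute is one line.
ldif_unfold() {
    sed -e :a -e '$!N;s/\n //;ta' -e 'P;D'
}

# ldif_uid0 [UIDNUMBER]  reads LDIF on stdin, prints one matching DN per line
ldif_uid0() {
    want="${1:-0}"
    # paragraph mode (RS=""): each blank-line-separated block is one entry,
    # and with FS="\n" every attribute line becomes a field
    ldif_unfold | awk -v want="$want" 'BEGIN { RS = ""; FS = "\n" }
    {
        dn = ""; hit = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dn: /) dn = substr($i, 5)
            else if ($i ~ /^uidNumber: / && substr($i, 12) == want) hit = 1
        }
        if (hit && dn != "") print dn
    }'
}

# Constructed sample shaped like what smbldap-populate wrote above; the
# sambaSID of root is folded across two lines on purpose to exercise ldif_unfold.
SAMPLE_LDIF='dn: uid=root,ou=users,dc=eratostenes,dc=site
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: root
uidNumber: 0
gidNumber: 0
sambaSID: S-1-5-21-2154626869-2296519943-178442766-5
 00

dn: uid=nobody,ou=users,dc=eratostenes,dc=site
objectClass: posixAccount
uid: nobody
uidNumber: 999
gidNumber: 514

dn: cn=Domain Admins,ou=groups,dc=eratostenes,dc=site
objectClass: posixGroup
cn: Domain Admins
gidNumber: 512
'

# sample_uid0 [UIDNUMBER] -> DNs in the constructed sample with that uidNumber
sample_uid0() {
    printf '%s\n' "$SAMPLE_LDIF" | ldif_uid0 "$1"
}
```

Anything this prints besides the uid=root entry that smbldap-populate created is a second superuser account in the directory; with the /etc/ldap.conf of section 5 each of them logs in as root with its own password.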

I recommend installing luma or gq to manage LDAP.

5. Configuring pam_ldap and nss_ldap

YaST --> Network Services --> LDAP Client

User Authentication
Use LDAP
LDAP Client
Address of the LDAP server
LDAP base DN
LDAP Version 2 (leave this unchecked: the /etc/ldap.conf that YaST writes uses ldap_version 3, as shown below)
Check:
Create home directory on login
Click on Advanced Configuration
Client Settings
Password Map
Group Map

Administration Settings
Configuration base DN

Administrator DN

Check: home directories on this machine
Accept and finish

Edit the ldap.conf that lives in /etc (not the one in /etc/openldap).

vi /etc/ldap.conf
Add the following key:

nss_base_passwd ou=machines,dc=eratostenes,dc=site
It tells nss_ldap to look up accounts in ou=machines as well as ou=users, so that the machine trust accounts (uid ending in $) that Samba creates resolve as Unix users. Look around lines 282-292 of /etc/ldap.conf; you will find something like this:

ssl no
ldap_version 3
pam_filter objectclass=posixAccount
nss_base_passwd ou=users,dc=eratostenes,dc=site
nss_base_shadow ou=users,dc=eratostenes,dc=site
nss_base_group ou=groups,dc=eratostenes,dc=site
tls_checkpeer no

Add the line so the block reads:

ssl no
ldap_version 3
pam_filter objectclass=posixAccount
nss_base_passwd ou=users,dc=eratostenes,dc=site
nss_base_passwd ou=machines,dc=eratostenes,dc=site
nss_base_shadow ou=users,dc=eratostenes,dc=site
nss_base_group ou=groups,dc=eratostenes,dc=site
tls_checkpeer no

Save the change. Note ssl no and tls_checkpeer no: nss_ldap and pam_ldap talk to slapd without TLS, which only makes sense here because the client is the PDC itself and slapd runs on the same host. For any other machine use ssl start_tls with a CA certificate (tls_cacertfile) and tls_checkpeer yes; otherwise every PAM login sends the user's password to the directory in cleartext.

Create the following directories (in a shell as root):

mkdir -vpm 755 /home/samba/
mkdir -vpm 755 /home/samba/netlogon /home/samba/users
chgrp -v "Domain Admins" /home/samba/netlogon/
mkdir -vpm 1757 /home/samba/profiles


6. Final smb.conf file

Copy this into /etc/samba/smb.conf (the bracketed share names follow the SUSE defaults, with [netlogon] added):

[global]
workgroup = TUX-NET
netbios name = eratostenes
printcap name = cups
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon home = \\%L\%U\.profiles
logon path = \\%L\profiles\%U
logon drive = P:
usershare allow guests = Yes
## add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$
log file = /var/log/samba/log.%m
log level = 5
domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
wins support = Yes
profile acls = yes
nt acl support = yes
passdb backend = ldapsam:ldap://
ldap admin dn = cn=Administrador,dc=eratostenes,dc=site
ldap suffix = dc=eratostenes,dc=site
ldap group suffix = ou=groups
ldap user suffix = ou=users
ldap machine suffix = ou=machines
ldap idmap suffix = ou=Idmap
# ldap ssl = start tls
# add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
local master = Yes
security = user
ldap delete dn = Yes

add user script = /usr/local/sbin/smbldap-useradd -m "%u"
#delete user script = /usr/local/sbin/smbldap-userdel "%u"
add machine script = /usr/local/sbin/smbldap-useradd -t 5 -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes

[profiles]
path = /home/samba/profiles
comment = Network Profiles Service
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
profile acls = yes
nt acl support = yes

[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/

[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
write list = @domainadmins

Done: we have configured and populated the LDAP tree and made LDAP and PAM "talk";
what remains is for Samba and LDAP to communicate.

Three things in this smb.conf are worth a second look before relying on it. map to guest = Bad User (a SUSE default) turns any login with an unknown username into a guest session, and usershare allow guests = Yes extends that to user-created shares; on a domain controller set map to guest = Never unless you really want guest access. The group smbldap-populate created is called "Domain Admins", with a space, so write list = @domainadmins on the netlogon share only matches a Unix group that does not exist; write it as write list = @"Domain Admins". And ldap ssl = start tls is commented out, so smbd binds to slapd in cleartext, which is acceptable only because both run on the same host.

Run as root:
rcldap restart
rcsmb restart
rcnmb restart
smbpasswd -w secret
Setting stored password for "cn=Administrador,dc=eratostenes,dc=site" in secrets.tdb

secret is the LDAP administrator password (the same one as in /etc/openldap/slapd.conf); smbpasswd -w stores it in secrets.tdb so that smbd can bind as the ldap admin dn. Since the password is given on the command line it also lands in the shell history; remove that entry afterwards.
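As an added example (not from the original post), here is a shell check for the files that now hold that password: slapd.conf (rootpw), smbldap_bind.conf (masterPw/slavePw) and Samba's secrets.tdb. The secrets.tdb path is an assumption to confirm with smbd -b | grep PRIVATE_DIR, and the demonstration runs on a scratch directory tree rather than the live system.

```shell
#!/bin/sh
# Added example, not part of the original post. After this procedure the
# rootdn password ("secret") lives in three places. check_secret_files reports
# any of them that other users can read and, with a second argument "fix",
# removes those bits. PREFIX lets the check run against a scratch tree; pass ""
# on a real host. The secrets.tdb location is assumed (see smbd -b).
SECRET_FILES="/etc/openldap/slapd.conf /etc/smbldap-tools/smbldap_bind.conf /var/lib/samba/private/secrets.tdb"

# world_readable FILE -> true when the "other" read bit is set
world_readable() {
    # ls -ld prints a mode string such as -rw-r--r--; character 8 is other-read
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# check_secret_files PREFIX [fix] -> exit status = number of offending files
check_secret_files() {
    prefix="$1"; mode="$2"; bad=0
    for f in $SECRET_FILES; do
        p="$prefix$f"
        [ -f "$p" ] || continue            # not every host has all three yet
        if world_readable "$p"; then
            echo "WARN: $p is world-readable"
            bad=$((bad + 1))
            if [ "$mode" = "fix" ]; then
                chmod o-rwx "$p"           # only the "other" bits: on SUSE slapd runs
                                           # as user ldap and reads slapd.conf via group
                echo "      now $(ls -ld "$p" | cut -c1-10) $p"
            fi
        fi
    done
    return $bad
}

# Demonstration on a constructed scratch tree; nothing on the real system is touched
demo_secret_files() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/openldap" "$tmp/etc/smbldap-tools" "$tmp/var/lib/samba/private"
    for f in $SECRET_FILES; do
        echo 'rootpw "secret"' > "$tmp$f"
        chmod 644 "$tmp$f"                  # the weak state: readable by everyone
    done
    check_secret_files "$tmp" fix
    rc=$?
    rm -rf "$tmp"
    return $rc                              # 3: all three files were flagged (and fixed)
}
```

On the PDC itself run check_secret_files "" fix as root. smbldap_bind.conf and secrets.tdb have no reader other than root and can simply be mode 600; slapd.conf should stay readable by the group slapd runs as (root:ldap 640 on SUSE), which is why the function strips only the "other" bits instead of forcing 600.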

And that is all.
Try joining a machine to the domain.

To add users (-a creates the Samba attributes as well, not just the POSIX account):

/usr/local/sbin/smbldap-useradd -a username

To give them a password:

/usr/local/sbin/smbldap-passwd username

7. Sources

1. Howto setup SUSE 10.1 as Samba PDC
2. Howto setup SUSE as SAMBA PDC with OpenLDAP DYNDNS and CLAMAV
3. Integración de redes con OpenLDAP, Samba, CUPS y PyKota