The procedure basically works. I only ran into a few minor errors, for which I propose some adjustments (you will find them in red in the text).
I'm putting it here only so that..... I don't lose it.....
----------------------------------------------------------------------------------------------
Hi everyone, after digging around the net and spending a lot of time trying to understand how things work, I'm proud to present a very quick and super easy tutorial to create a Samba Primary Domain Controller with LDAP integration on Ubuntu 10.04, both 32bit and 64bit.
In less than 30 minutes you'll have:
- A fully working PDC for Windows Clients
- Roaming profiles NOT enabled (this is what most of you want)
- Be able to have shared folders automatically mounted when a user logs into the domain
- Tested and fully working with (all flavours): Windows XP, Windows Vista and even Windows 7!
If you do everything exactly like I wrote I guarantee it will work. One single error can compromise everything and you'll have to restart from the beginning! You have been warned!
General Information before reading:
- In this guide each step has a number, so if you ever have to ask me a question be sure you point to the exact number; I will ignore any posts without the number being stated explicitly.
- Commands you must type start with a "->".
- The guide presumes you know how to use the Nano text editor (or any other shell text editor like Vim).
- In this guide my default password is always "pwd123".
Let's Start.
1)
Install Ubuntu Server 10.04 32Bit or 64Bit
Once Ubuntu 10.04 is up, switch to the root user:
-> sudo su
From now on I assume you are always root user.
2)
Set a static IP. In this example the NIC is eth0 and the network is 192.168.1.x.
-> nano /etc/network/interfaces
auto lo eth0
iface lo inet loopback
iface eth0 inet static
address 192.168.1.10
broadcast 192.168.1.255
netmask 255.255.255.0
gateway 192.168.1.1
-> /etc/init.d/networking restart
-> ifconfig
The output should show you the static IP, try pinging a local IP or an internet IP to be sure you are on the net, ex:
-> ping www.google.it
or try pinging your gateway set before:
-> ping 192.168.1.1
If you are unsure, reboot your machine to see if "ifconfig" command still shows you the same IP and to be sure you're still part of the network by pinging as said before.
ONCE YOU FINISHED WITH THIS GUIDE, IF YOU EVER CHANGE YOUR IP BE SURE TO READ SECTION: "TIPS AND TRICKS", FOUND AT THE END OF THIS GUIDE OR YOUR PDC WILL STOP WORKING.
4)
-> apt-get update
-> apt-get dist-upgrade
-> reboot
-> sudo su
5)
-> apt-get install slapd ldap-utils
-> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
-> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
-> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
6)
EDITING THE FILE backend.example.com.ldif
Your next step will be to create this file with the contents below; the only thing you should care about changing is the password, which is set on the "olcRootPW:" line. By default the password is "pwd123".
Note that a blank line must be inserted into the file after the fifth line, otherwise the procedure does not work.
-> nano backend.example.com.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=pdc
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=pdc
olcRootPW: pwd123
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=pdc" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=pdc" write by * read
From now on, whenever LDAP commands like this ask for a password, enter the password set above in step 6, by default in this guide "pwd123".
-> ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif
8)
-> apt-get install samba samba-doc libpam-smbpass smbclient smbldap-tools
9)
Now download my samba configuration file.
-> wget http://digilander.libero.it/bulletxt...10.04/smb.conf
After downloading it, you'll have to change ONLY two values: "workgroup = " and "netbios = ".
Workgroup is the name of the Domain. This is the name that you'll have to enter in a Windows client to make it join the domain. Netbios is instead the name used to browse shared folders, for example in Windows you'll put "\\$netbiosname\$shared_folder".
DO NOT PUT WORKGROUP NAME IDENTICAL TO NETBIOS NAME.
IMPORTANT: carefully decide the NETBIOS name, once you change it YOU CAN'T CHANGE IT AGAIN OTHERWISE IT WILL BREAK EVERYTHING! YOU'VE BEEN WARNED.
Type the following and change the two values.
-> nano smb.conf
Once you changed the two values type:
-> cp -rf smb.conf /etc/samba/smb.conf
10)
The next command will prompt you for a password; this must be the same as the one set in step 6, by default in this guide "pwd123".
-> smbpasswd -W
11)
-> service smbd restart
12)
Now you must check that samba is running, it will ask you for a password, just hit Enter.
-> smbclient -L localhost
It should not give you any errors; instead it must show some output, and you should see the Workgroup name set in step 9.
13)
-> mkdir -v /var/lib/samba/profiles
-> chmod 777 /var/lib/samba/profiles
-> mkdir -v -p /var/lib/samba/netlogon
-> chmod 777 /var/lib/samba/netlogon
The following command contained a typo in the original procedure, corrected here.
-> cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
-> gzip -d /etc/ldap/schema/samba.schema.gz
14)
-> > schema_convert.conf
-> nano schema_convert.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema
-> mkdir /tmp/ldif_output
-> slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > /tmp/cn=samba.ldif
16)
Now you'll have to edit a file, open the file with the following command and read below to understand what must be edited.
-> nano /tmp/cn\=samba.ldif
At the very top you'll see:
dn: cn={12}samba,cn=schema,cn=config
Change it to:
dn: cn=samba,cn=schema,cn=config
In the same way, change:
cn: {12}samba
to:
cn: samba
Finally, remove the following operational attributes from the bottom of the file (the values on your machine will differ):
structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z
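The edit just described, automated with sed as an added example (not from Bulletxt's tutorial): it strips the {N} index from the dn and cn lines and deletes the operational attributes that slapcat appended. Input and output paths are parameters, and the embedded sample file is constructed to resemble slapcat output.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.

# clean_schema_ldif IN OUT
# Removes the {N} ordering index from the dn and cn lines and deletes the
# operational attributes slapcat writes at the end, which ldapadd rejects.
# Attribute definitions such as "olcAttributeTypes: {0}( ..." keep their
# own index and continuation lines (leading space) are left untouched.
clean_schema_ldif() {
    sed -e 's/^dn: cn={[0-9][0-9]*}samba,cn=schema,cn=config$/dn: cn=samba,cn=schema,cn=config/' \
        -e 's/^cn: {[0-9][0-9]*}samba$/cn: samba/' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d' \
        "$1" > "$2"
}

# make_sample_ldif FILE: writes a constructed, shortened slapcat result so the
# function can be tried without a running slapd.
make_sample_ldif() {
    cat > "$1" <<'EOF'
dn: cn={12}samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'L
 anManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.
 121.1.26{32} SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z
EOF
}

# Stand-alone use: clean_schema_ldif /tmp/cn=samba.ldif /tmp/cn=samba.clean.ldif
if [ $# -ge 2 ]; then
    clean_schema_ldif "$1" "$2"
fi
```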
17)
Be sure the following command does not give errors:
-> ldapadd -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -W -f /tmp/cn\=samba.ldif
18)
-> > samba_indexes.ldif
-> nano samba_indexes.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
Be sure the following command does not give any errors.
-> ldapmodify -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -W -f samba_indexes.ldif
20)
Now, thanks to the following command, you'll finally find out whether everything so far went fine. If so, it will output a lot of information, including at the end lines similar to the ones found in step 18.
-> ldapsearch -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -b cn=config -W olcDatabase={1}hdb
21)
Now that ldap is working perfectly, we must also be sure Samba is working too.
The following command MUST not give errors, and it must output something similar to this:
SID for domain DOMAIN is: S-1-5-21-908678672-1104131578-2020688504
-> net getlocalsid
At this point I sometimes got the error "Can't fetch domain SID for name".
The same problem was reported in the comments on Bulletxt's original article. Retrying the procedure with a different WORKGROUP and NETBIOSNAME fixed things.
22)
-> gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
23)
The next command is crucial to make Samba and LDAP work together. When prompted,
always press Enter without entering anything. There are only two cases where you must type something.
When it asks for "Logon Home" and "Logon Path", put a "." character.
At a certain point, it will ask you for a password two times, once for ldap bind master and then for ldap bind slave. In both cases, you must put the exact same password you put in step 6, by default in this guide "pwd123".
So now you know what to do, this is the command:
-> perl /usr/share/doc/smbldap-tools/configure.pl
24)
The following command should create some groups; at the end it will ask for a password. As always, enter the password provided in step 6, which by default in this guide is "pwd123".
-> smbldap-populate
25)
-> /etc/init.d/slapd stop
-> slapindex
-> chown openldap:openldap /var/lib/ldap/*
-> /etc/init.d/slapd start
26)
If everything till now is really working, the next command will make user "root" be a Domain Administrator.
In section "Tips and Tricks" you'll see how to make other users be a Domain admin.
THIS COMMAND MUST NOT GIVE ERRORS, otherwise it means LDAP is not working with Samba.
-> smbldap-groupmod -m 'root' 'Administrators'
27)
In the next command, it will ask you for some stuff. Do not make errors here!
When it asks for questions that want a Yes/No reply, just press Enter leaving default.
When it asks for LDAP server Uniform Resource Identifier, leave it as it is "ldapi:///"
When it asks for Distinguished name of the search base, put "dc=pdc"
When it asks for LDAP account for root, put "cn=admin, dc=pdc"
When it asks for LDAP password, put the same set in step 6, default of this guide was "pwd123"
The command is:
-> apt-get --yes install ldap-auth-client
IMPORTANT: if you make a mistake, you can reconfigure the previous command by typing:
-> dpkg-reconfigure ldap-auth-config
28)
-> auth-client-config -t nss -p lac_ldap
29)
The following command is used to enable Unix, Ldap and Samba authentication.
Be sure all of them are selected with "*" character and press Enter.
The command is:
-> pam-auth-update ldap
30)
The following command should output something similar to this:
Domain Admins:*:512:root
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:root
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
-> getent group
31)
-> reboot
32)
Good, we're done. After reboot, let's check that everything is working by creating a user.
-> sudo su
If the following command does not give errors, it means Samba and LDAP are both working together, and you should be happy! It will ask for a password: this is the password you want for the new user, in this case "user1":
-> smbldap-useradd -a -m -P user1
33)
If you reached this step without errors, it means you are ready to make your Windows Clients join the domain.
However, for security reasons it's not a good idea to let your customer know the password of the "root" account. At the moment, to make a Windows client join the domain you have to enter user "root" and its password; let's instead create another user that is part of the Domain Administrators. We'll call the user "adminpdc".
-> smbldap-useradd -a -m -P adminpdc
-> smbldap-groupmod -m 'adminpdc' 'Administrators'
-> smbldap-groupmod -m 'adminpdc' 'Domain Admins'
-> sudo auth-client-config -t nss -p lac_ldap
Good, now we have user "adminpdc" that is a Domain Administrator but is in no way a possible security danger for your Linux machine, since it's not part of sudoers. In this way you'll never have to use account "root" to make a Windows client join the domain or to make changes to the Windows client OS.
Finally, make your Windows client (XP, Vista, 7) join the domain!
- In Windows XP, right click on Computer->Properties and click on Change as seen here: http://www.iaji.net/wp-content/uploa...uter_name3.png
- For Windows Vista and 7 instead, right click on Computer, on the left click on Advanced Settings and then click on "Change" under "Computer Name" Tab.
IMPORTANT ABOUT WINDOWS 7:
To make Windows 7 be part of the domain, read below section Tips and Tricks.
- As domain, put the workgroup name you set in step 9
- When it asks for username and password, put "adminpdc" and the password of this user, you set this on step 33. If everything goes well it will say you joined the domain and you must reboot.
That's all!
TIPS AND TRICKS:
Create/Delete/Manage Users:
To Add: smbldap-useradd -a -m -P user
To Delete: smbldap-userdel user
To ChangePassword: smbldap-passwd user
To add a Domain Administrator:
-> smbldap-groupmod -m 'user' 'Administrators'
-> smbldap-groupmod -m 'user' 'Domain Admins'
-> auth-client-config -t nss -p lac_ldap
If you ever change the static IP of the PDC:
-> service smbd stop
-> rm /var/cache/samba/browse.dat
-> rm /var/cache/samba/login_cache.tdb
-> rm /var/lib/samba/wins.dat
-> reboot
To make Windows 7 join the domain:
- Download this file and click on it: https://bugzilla.samba.org/attachmen...88&action=view
- Reboot Windows 7
- Make Windows 7 join the domain. It will say it joined the domain but then it will give you a DNS error. Ignore it and reboot again Windows 7
- You should now be part of the domain
I confirm that this "trick" works with Windows 7 Professional.
To make your PDC automatically map net drives:
-> apt-get install flip
-> > /var/lib/samba/netlogon/allusers.bat
In this example you'll have a shared folder for all users, of course you can edit /etc/samba/smb.conf to create specific user shares.
-> mkdir -p /var/lib/samba/shared/
-> chmod -R 777 /var/lib/samba/shared/
-> nano /var/lib/samba/netlogon/allusers.bat
NOTE: change "PSAMBA" with the Netbios name set in step 9. Change drive "m:" to any letter you prefer.
@echo off
net use m: /delete
net use m: "\\PSAMBA\shared"
Instructions for running openldap in secure mode (ssl)
When you want to use a Samba and LDAP based PDC to authenticate Windows XP machines through Pgina, it is useful to run the LDAP server in secure mode (ssl) so that username and password do not travel in cleartext over the network.
To achieve this, a server certificate must be created on the PDC and openldap must be instructed to use it.
The instructions are based on the official Ubuntu server guide https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html
My changes (in red) mainly concern the validity period of the certificates, which by default is set to only one year. In this guide I will set them to 10 years.
TLS and SSL
When authenticating to an OpenLDAP server it is best to do so using an encrypted session. This can be accomplished using Transport Layer Security (TLS) and/or Secure Sockets Layer (SSL). The first step in the process is to obtain or create a certificate. Because slapd is compiled using the gnutls library, the certtool utility will be used to create certificates.
- First, install gnutls-bin by entering the following in a terminal:
sudo apt-get install gnutls-bin
- Next, create a private key for the Certificate Authority (CA):
sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"
- Create a /etc/ssl/ca.info details file to self-sign the CA certificate, containing (put the name of your school or institution as cn):
cn = Nome della scuola o istituzione
ca
cert_signing_key
expiration_days = 3650
- Now create the self-signed CA certificate:
sudo certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem
- Make a private key for the server:
sudo sh -c "certtool --generate-privkey > /etc/ssl/private/pdc_slapd_key.pem"
Replace pdc in the file name with the hostname of your server (in this guide it is precisely "pdc"). Naming the certificate and key for the host and service that will be using them will help keep filenames and paths straight.
- To sign the server's certificate with the CA, create the /etc/ssl/pdc.info info file containing (again with the name of your school or institution as organization):
organization = Nome della scuola o istituzione
cn = pdc
tls_www_server
encryption_key
signing_key
expiration_days = 3650
- Create the server's certificate:
sudo certtool --generate-certificate --load-privkey /etc/ssl/private/pdc_slapd_key.pem --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/pdc.info --outfile /etc/ssl/certs/pdc_slapd_cert.pem
Once you have a certificate, key, and CA cert installed, use ldapmodify to add the new configuration options:
sudo ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/pdc_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/pdc_slapd_key.pem
After the last line press Ctrl+D; ldapmodify should answer:
modifying entry "cn=config"
Adjust the pdc_slapd_cert.pem, pdc_slapd_key.pem, and cacert.pem names if yours are different.
Edit /etc/default/slapd and uncomment the SLAPD_SERVICES option:
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
In the next step the tutorial assigns the certificate files to the "openldap" and "ssl-cert" users. To avoid an error message I found it useful to create the "ssl-cert" group beforehand with the command:
addgroup ssl-cert
As usual the name "pdc" is the hostname of the server we are configuring and must be replaced with your own.
Now the openldap user needs access to the certificate:
sudo adduser openldap ssl-cert
sudo chgrp ssl-cert /etc/ssl/private
sudo chgrp ssl-cert /etc/ssl/private/pdc_slapd_key.pem
sudo chmod g+r /etc/ssl/private/pdc_slapd_key.pem
If the /etc/ssl/private and /etc/ssl/private/server.key have different permissions, adjust the commands appropriately.
At this point you really do need to set the permissions of the /etc/ssl/private directory and of the /etc/ssl/private/server.key file as indicated in the note above.
I have verified that permission 710 for /etc/ssl/private and permission 644 for /etc/ssl/private/pdc_slapd_key.pem
To set the permissions this way, use these commands:
chmod 710 /etc/ssl/private
chmod 644 /etc/ssl/private/pdc_slapd_key.pem
Finally, restart slapd:
/etc/init.d/slapd restart
The slapd daemon should now be listening for LDAPS connections and be able to use STARTTLS during authentication.
If you run into troubles with the server not starting, check /var/log/syslog. If you see errors like main: TLS init def ctx failed: -1, it is likely there is a configuration problem. Check that the certificate is signed by the authority in the files configured, and that the ssl-cert group has read permissions on the private key.
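An added check for the last point of that troubleshooting note (example code, not from the Ubuntu guide or Bulletxt's tutorial): it verifies that the ssl-cert group can traverse /etc/ssl/private and read the key, and it also rejects a world-readable key, since a key anyone can copy defeats the purpose of enabling TLS. The directory, key path and group name are parameters; it assumes GNU coreutils for stat -c.

```shell
#!/bin/sh
# Added example, not part of the guide: check the permissions that slapd
# (running as user openldap, member of group ssl-cert) needs on its TLS key.
# Assumes GNU coreutils ("stat -c").

# check_key_perms DIR KEYFILE GROUP
# Prints one line per finding; returns 0 only if every check passes.
check_key_perms() {
    dir=$1 key=$2 group=$3 rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    [ -f "$key" ] || { echo "FAIL: $key does not exist"; return 1; }

    dir_mode=$(stat -c '%a' "$dir")
    key_mode=$(stat -c '%a' "$key")
    key_group=$(stat -c '%G' "$key")
    # Drop a leading setuid/setgid/sticky digit so the patterns below only
    # see the user/group/other digits, e.g. 2710 -> 710.
    case $dir_mode in ????) dir_mode=${dir_mode#?} ;; esac
    case $key_mode in ????) key_mode=${key_mode#?} ;; esac

    # The directory needs the group execute bit (710, 750, ...) or openldap
    # cannot traverse it to open the key; others must have no access at all.
    case $dir_mode in
        [0-7][1357]0) echo "ok: $dir mode $dir_mode" ;;
        [0-7][1357][1-7]) echo "FAIL: $dir mode $dir_mode is accessible to others"; rc=1 ;;
        *) echo "FAIL: $dir mode $dir_mode does not let the group traverse it"; rc=1 ;;
    esac

    # The key must belong to the expected group ...
    if [ "$key_group" = "$group" ]; then
        echo "ok: $key has group $group"
    else
        echo "FAIL: $key has group $key_group, expected $group (chgrp $group $key)"; rc=1
    fi
    # ... be readable by that group (the guide's chmod g+r) ...
    case $key_mode in
        [0-7][4-7][0-7]) echo "ok: $key mode $key_mode is group-readable" ;;
        *) echo "FAIL: $key mode $key_mode is not group-readable (chmod g+r $key)"; rc=1 ;;
    esac
    # ... and not readable by everyone, or the TLS key is no secret at all.
    case $key_mode in
        [0-7][0-7][4-7]) echo "FAIL: $key mode $key_mode is world-readable (chmod o-rwx $key)"; rc=1 ;;
        *) echo "ok: $key mode $key_mode is not readable by others" ;;
    esac
    return $rc
}

# Stand-alone use against this guide's paths:
#   sh check_key_perms.sh /etc/ssl/private /etc/ssl/private/pdc_slapd_key.pem ssl-cert
if [ $# -ge 2 ]; then
    check_key_perms "$1" "$2" "${3:-ssl-cert}"
fi
```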
It happened to me that the server certificates expired. To fix things, just redo steps 4 and 7 to generate a new cacert.pem and pdc_slapd_cert.pem.
It is then advisable to restart the server. If you use Pgina you then have to load cacert.pem among the "Trusted Root Certification Authorities" using the Internet Explorer tools.
THE TUTORIAL MUST CONTINUE WITH THE SETUP OF SMB.CONF TO MANAGE SHARES FOR INDIVIDUAL USERS AND GROUPS
WITH THE SCRIPTS FOR THE INITIAL "BULK" CREATION OF LDAP USERS
WITH THE INSERTION OF THE "STEP BY STEP" VIDEOS