Authentication to Samba as a PDC

Adjusting the Firewall to Allow Samba Traffic

Much like LDAP, Samba is compatible with Fedora's standard firewall software, but it is necessary to open up a few additional ports. Specifically , you must open ports 137 (for NetBIOS browsing), 138 (for NetBIOS name service), 139 (for file and printer sharing), and 445 (for Windows 2000, XP, and Windows Server 2003 without the NetBIOS helper). To do so, follow these steps:

1. From the "Applications" menu, select System Settings Security Level.

2. If "Disable firewall" is selected, change the setting to "Enable firewall."

3. Add the following to the end of the current contents of the "other ports" list:

    137:udp, 138:udp, 139:tcp, 445:tcp 

4. Click "OK" to complete the process.

Directly authenticating users to LDAP is a reasonable solution for Linux-based networks. If you also have Windows, you can certainly use the pGina plug-in for Windows workstations, but you don't need to with Samba. Samba can act as a PDC, and use your OpenLDAP server as an accounts repository. Why bother? Because a Samba PDC pretends to be a Windows NT 4.0 PDC and therefore you needn't modify any Windows clients to authenticate right to it. There's no need to reconfigure every Windows client with, say, pGina to make the magical connection. All the client workstations need to do is join the Samba domainexactly as they would join an NT 4 domain.

Adding samba.schema to OpenLDAP

To store Windows account information in OpenLDAP, you need a slightly enhanced set of structure and syntax definitionsa different schema. For instance, in the Samba/Windows world, each account contains a flag that indicates whether an account is a user account (for a person) or machine account (for a workstation). Unix accounts make no operational distinction between users and workstations, so the OpenLDAP schema files do not contain an attribute for the associated flag.

Out of the box, OpenLDAP knows how to handle Linux accounts because there's a convenient definition of what a Linux account looks like. This is contained within the file /etc/openldap/schema/nis.schema . You told OpenLDAP to use this definition via an include directive in the /etc/openldap/slapd.conf file. In other words, you taught OpenLDAP how to handle Unix accounts. Now you need to tell it how to handle Windows accounts.

OpenLDAP doesn't include an out-of-the-box schema that defines the additional characteristics that make Windows accounts different. Fortunately, however, the Samba software does include a ready-to-go samba.schema file. Once plugged into your OpenLDAP server's /etc/openldap/schema directory, your existing OpenLDAP server will be ready to rock for Windows accounts.

Nothing's easy. Things are complicated just a little bit by the fact that the samba.schema file is in the Samba documentation directory and there is a Samba documentation directory for each version of Samba that has previously been installed. When you updated your packages in Chapter 1, you most likely wound up with at least two Samba documentation directories: one for the version that came on the CD and one for the latest official version from Fedora. As of this writing, the current version is version 3.0.10, which places the Samba documentation in the /usr/share/doc/samba-3.0.10 directory. Your Samba version is most likely more recent than ours.

Use the ls -d command to list all of the Samba documentation directories, making it easy to pick out the newest version.

To take care of these tasks , just follow these steps:

1. Add the following line to /etc/openldap/slapd.conf , immediately following the last include line already present:

    include         /etc/openldap/schema/samba.schema 

2. Locate your Samba documentation directory:

    ls -d /usr/share/doc/samba-* 

   Make note of the most recent version number if you see more than one, and substitute that version for 3.0.10 in the step that follows .

3. Copy the samba.schema file from the Samba documentation directory to /etc/openldap/schema:

    cp /usr/share/doc/samba-3.0.10/LDAP/samba.schema /etc/openldap/schema 

Speeding Up Samba/OpenLDAP Performance

Performance is also important. The OpenLDAP server can always answer any query by searching through its entire database, one item at a time. But if you have a bajillion accounts in your OpenLDAP database, it makes sense to perform an index ahead of time.

index directives in /etc/openldap/slapd.conf already speed up requests such as "give me the account object for the username fred ." But Samba may also need to look up a workstation quickly by its SID (security identifier). To all this, you'll add an index directive to speed up such common Windows requests.

Add the following additional line to / etc/openldap/slapd.conf , following the last index line already present in that file:

 index sambaSID,sambaPrimaryGroupSID,sambaDomainName     eq 

Restarting OpenLDAP with the Samba Changes

You can now restart the OpenLDAP service with these changes by executing the following command at the terminal prompt as root:

 service ldap restart 

"Glue" for Samba and LDAP: The smbldap-tools

Samba ships with the built-in capability to consult an LDAP database for user authenticationbut there's more to operating a full-fledged PDC than simply fielding ongoing user authentication requests.

For a Windows workstation to be happy, it has to be a member of a domain. It doesn't have to be a Windows domainit can be a Samba domain pretending to be a Windows domain. But in either case, the Windows machine must be able to join the domain in the usual Windows way without the manual intervention of an administrator on the server itself. Additionally, a domain administrator might also want to create and administer user accounts via Windows-based domain administration tools, and the PDC should handle these requests correctly as well.

You would think that these capabilities would be built right into the Samba package. But they're not. The authors of Samba followed a very Unix philosophy: each program should do one job well. Samba's primary job is to speak "Windows." Its secondary job is to interface with other programs that do things like managing accounts and storing directory information. You're using LDAP to ultimately store your accounts, but others may choose completely different back ends. Since Samba doesn't implement the back-end, it must provide a way to specify programs that should be run to carry out each of the back-end tasks when they are needed.

Since LDAP is the back end, you can take advantage of a ready-made suite of programs for those back-end tasks. Implemented as a collection of scripts written in the Perl programming language, the smbldap-tools suite provides the necessary "glue" between Samba and LDAP. While the name "tools" might suggest programs that the administrator runs personally , for the most part this is not the case. Most of the smbldap-tools are meant to be run automatically by Samba. For instance, every time an administrator sits down at a workstation and joins that workstation to the domain, Samba automatically starts up the command smbldap-adduser with a special -w option that specifies a workstation account is being added rather than a regular user account. That tool then adds an object representing the new workstation in the LDAP database. Without the ability to do this, a Samba server can't accommodate adding a new workstation or other administrative tasks in the standard Windows way using tools Windows administrators are familiar with. You would constantly need manual administrator interaction on the server itselfnot to mention that the standard Windows dialog boxes to join a domain wouldn't work. And that's no fun. Hence, you'll employ the smbldap-tools to make sure all of the standard Windows dialogs for administering a domain work properly with your Samba domain.

Preparing for the smbldap-tools Installation

While a copy of these scripts is included with Samba, the latest and greatest version is maintained by the generous folks at Idealx , who offer the tools at http://samba.idealx.org . We recommend you use the latest version directly from Idealx; our instructions are based the latest version we could get a hold of.

To obtain and install the smbldap-tools , just follow these steps:

1. Access the URL http://samba.idealx.org/dist/ .

2. Download the latest version in .tar.gz format. You'll see an example of the right file in Figure 2.17. As of this writing, the latest version is smbldap-tools-0.8.6.tgz. (An rpm file is available, but we cannot recommend using it because of dependency error messages that could not be satisfactorily resolved with the rpm command as of this writing. In other words, we couldn't get it to work properly.)

3. Copy this file to /usr/local/src on LinServ1 . If you download the file to a Windows machine, we suggest copying the file to LinServ1 using the free, user-friendly "WinSCP" Windows scp program (available from http://winscp. sourceforge .net ).

4. Change the directory with the cd /usr/local/src command.

5. A .tgz file is a file that has been "tarred," meaning that many files have been accumulated together into a single archive, and then " gzipped ," a Unix file format closely related to the .zip format common on Windows systems. To unpack the contents of the file and change the current directory to the newly unpacked directory, you can use the tar command. Pass three options, z , x , and f . z indicates that the input file is gzipped, x indicates that files should be extracted (read) from the input file, and f indicates that input is from a file rather than from an old-fashioned backup tape drive:

    tar -zxf smbldaptools-0.8.6.tgz cd smbldaptools-0.8.6 

   See the ".tar.gz, gzip, gunzip, and tar" sidebar for more information about gzip, gunzip, and tar.

Figure 2.17: Downloading this latest version of the smbldap-tools

.tar.gz, gzip, gunzip, and tar

The Linux/Unix philosophy generally calls for simple utilities that do a single job well. This is why data compression and the archive creation were traditionally handled by two different tools in the Linux world.

gunzip filename.gz is the reverse of gzip filename . While gzip filename produces a compressed file called filename.gz, gunzip filename.gz restores the original and deletes the compressed version. Unlike .zip, .gz is a simple container format for a single file only.

tar -xf filename.tar is the reverse of tar -cf filename.tar [filename list] . While tar -cf filename.tar [filename list] builds a new .tar archive containing all of the specified files, including subdirectories of any directories in the list, tar -xf filename.tar extracts and restores all of the files found in the .tar file. Unlike gzip and gunzip, tar -cf and tar -xf do not delete the original files or the .tar file, respectively.

In recent years , the z option was added to tar as a convenience; it automatically invokes gunzip on the fly to take care of unzipping compressed data before extracting files from the archive. When the z option is used, the .tar.gz or .tgz file is not replaced with a .tar file. Instead, tar skips ahead to extracting the actual contents of the archive.

 

Teaching Samba How to Encrypt Passwords

The latest versions of the smbldap-tools can encrypt Samba passwords directly, which is a nice performance boost over previous versions that relied on a separate program to do this. However, since the smbldap-tools are written in the Perl programming language, you need to install the optional "Crypt::SmbHash" Perl module to make this feature work. Fortunately, the Perl community maintains a central repository of such modules called the CPAN (Comprehensive Perl Archive Network).

Fedora includes a helpful up2date-like tool called cpan for installing the latest versions of such modules, and it provides a fairly painless way to install any widely recognized enhancement for Perl. You can learn more about Perl by visiting www.perl.org . For more information about CPAN, see www.cpan.org .

To install the "Crypt::SmbHash" Perl module:

1. Execute the cpan command:

    cpan 

   If you have never used cpan before on LinServ1 , you may be asked if you wish to manually configure it. You can answer no to this prompt; the automatic configuration is quite effective.

2. When the cpan> prompt appears, enter the following command to install the "Crypt::SmbHash" Perl module:

    install Crypt::SmbHash 

3. When the cpan> prompt returns, quit cpan with this command:

    quit 

Installing the smbldap-tools on Your System

You're nearly ready to install the smbldap-tools utility programs. Before you do, you'll need to change two settings in a Perl source code file that all of those utilities share in common, smbldap_tools.pm .

Don't panic when you open the file. Although this file contains Perl programming language code, you don't need to know Perl to understand what needs to be changed. All you need to do is open the file with your preferred text editor, locate two directory names that are set incorrectly for your system, and fix them.

Then, since the file contains Perl code that is used by more than one Perl program, you will install it in a place where all of the smbldap-tools utilities (and any other interested Perl programs) can find it. Once you do this, all of the smbldap-tools will be able to easily learn where their configuration files are. For the record, the standard directory for such things is /usr/lib/perl5/site_perl , a directory deliberately set aside for Perl libraries and modules like smbldap_tools.pm that are not part of cpan.

To make the necessary changes we described, you copy the tools to the /usr/local/sbin directory. For the record, this directory is the standard location for utilities intended for the root user but not part of the standard Fedora distribution.

To customize and install the smbldap-tools :

1. Recall that you used the cd command to enter the directory smbldaptools-0.8.6 . To perform the copy, enter the following command

    cp smbldap-* /usr/local/sbin 

2. Edit the file smbldap_tools.pm . Near the top of this file, you'll find these two settings:

    my $smbldap_conf = "/etc/smbldap-tools/smbldap.conf"; my $smbldap_bind_conf = "/etc/smbldap-tools/smbldap_bind.conf"; 

   Make sure the directory names in the quotation marks are exactly as shown. If not, change them to match the preceding code. This ensures that the utilities can find their configuration files properly.

3. Install the smbldap_tools.pm file where Perl scripts can automatically find it:

    cp smbldap_tools.pm /usr/lib/perl5/site_perl 

That's it for installation! Time to move on to the configuration files.

Configuring the smbldap-tools

Now it's time to create the configuration files for the smbldap-tools . These contain the information that the smbldap-tools must know in order to communicate with your LDAP database. For instance, just like any other LDAP client, the smbldap-tools must know what host the LDAP server runs on, what port number it responds on, whether to use SSL encryption, and so forth. In addition, the smbldap-tools must have the right credentials to make changes to the LDAP database because the smbldap-tools carry out administrative tasks, such as creating new account objects.

The smbldap-tools include a pair of sample configuration files. They're great and you'll leverage them as a starting point, but you'll modify them to work with your particular LDAP configuration.

We'll do it in two steps:

1. Copy in the provided sample files.

2. Modify those sample files that will teach smbldap-tools about your OpenLDAP configuration.

Copying in the Sample smbldap-tools Configuration Files

To set up the configuration files, first carry out the following preparatory steps, continuing to work in a terminal window while logged on as root.

1. cd to the directory where you untarred the smbldap-tools :

    cd /usr/local/src/smbldaptools-0.8.6 

2. To create the configuration file directory, use mkdir :

    mkdir /etc/smbldap-tools 

3. Copy the provided configuration files to this directory:

    cp *.conf /etc/smbldap-tools 

Now you're ready to edit the smbldap-tools configuration files, giving the tools critical information they need to access and administer the LDAP database.

smbldap_bind.conf : Credentials for Talking to the LDAP Server

smbldap_bind.conf is another required file for Samba to talk to your LDAP server. It contains the credentials the LDAP server expects you to present before allowing you to read and write information. Just as in smbldap.conf , there are separate master and slave settings available for writing and reading. And as before, you will set them exactly the same, as you'll use the same LDAP server for reading and writing.

The masterDN option sets the distinguished name of the LDAP root user, which should match the rootDN option you previously set in /etc/openldap/slapd.conf . The masterPW option sets the password associated with the LDAP root user. The slaveDN and slavePW options will be set identical to these. Note that since this file must contain the root LDAP password, its permissions should be set carefully . Yes, you read that rightyou need to embed the sensitive LDAP password inside this file. To put a little bit of security upon it, you'll restrict access to who can read this file so you can sleep (at least a little better) at night.

To set up the LDAP credentials for the smbldap-tools :

1. Edit /etc/smbldap-tools/smbldap_bind.conf to match the following:

    slaveDN="cn=root,dc=ldap,dc=corp,dc=com" slavePw="p@ssw0rd" masterDN="cn=root,dc=ldap,dc=corp,dc=com" masterPw="p@ssw0rd" 

2. Set the permissions of /etc/smbldap-tools/smbldap_bind.conf so that only the root user can read the LDAP server password it contains:

    chmod a-rwx,o+r /etc/smbldap-tools/smbldap_bind.conf 

The smbldap-tools are now installed and configured. You're ready to use them to populate the LDAP database with essential Windows networking-related accounts and other settings.

Populating the LDAP Database with Samba Objects

Earlier you adjusted your LDAP schema to include the definitions of Samba objects. Now it's time to actually create common Samba objects that should be present on all Windows-compatible systems, such as the Administrator account. You'll also create the Computers organizational unit, which will store machine trust accounts for workstations that are members of the domain.

Conveniently, the smbldap-tools distribution comes with a command to do all of this for us! Execute the following command as root:

 /usr/local/sbin/smbldap-populate 

This command will warn you that the Users and Groups organizational units already exist; it may generate Perl programmer-oriented warnings as well, as shown next. Neither of these is cause for concern. These acceptable warning messages are shown below for your reference:

 Using builtin directory structure Use of uninitialized value in pattern match (m//) at /usr/local/sbin/smbldap- populate line 118. Use of uninitialized value in concatenation (.) or string at /usr/local/sbin/ smbldap-populate line 126. Use of uninitialized value in concatenation (.) or string at /usr/local/sbin/ smbldap-populate line 126. Use of uninitialized value in string at /usr/lib/perl5/site_perl/smbldap_ tools.pm line 169. Use of uninitialized value in string at /usr/lib/perl5/site_perl/smbldap_ tools.pm line 169. adding new entry: dc=ldap,dc=corp,dc=com failed to add entry: Already exists at /usr/local/sbin/smbldap-populate line 389, <GEN1> line 2. adding new entry: ou=Users,dc=ldap,dc=corp,dc=com failed to add entry: Already exists at /usr/local/sbin/smbldap-populate line 389, <GEN1> line 3. adding new entry: ou=Groups,dc=ldap,dc=corp,dc=com failed to add entry: Already exists at /usr/local/sbin/smbldap-populate line 389, <GEN1> line 4. 

You may wish to verify that the information was successfully added to the LDAP database. You can do so with the following command:

 ldapsearch -x  less 

You should see references to the Administrator and Nobody accounts as well as the Computers organizational unit. If not, double-check your slapd.conf file carefully and review any error messages not just shown that were received from smbldap-populate . Then restart the OpenLDAP server with the service ldap restart command and run smbldap-populate again.

There is one more critical object that must be created in the LDAP database. Most administrative tasks, including the joining of workstations to a domain, must be carried out by the administrative user. By convention, this user is named administrator in the Windows world. Samba conveniently remaps administrator to the root account via the file / etc/samba/ smbusers . But there's one catch: when LDAP is used as the password database, it isn't enough for root to exist only as a regular Unix account in the server's /etc/passwd file, root must also exist in the LDAP database. Otherwise , attempts to join the domain will fail with mysterious , unhelpful error messages.

Take care of this chore using the smbldap-passwd command:

 /usr/local/sbin/smbldap-passwd root 

Enter root's password correctly twice to confirm the change. In theory, you could now eliminate root's entry from /etc/passwd , but we strongly discourage you from doing so as the option of logging in locally as root is critical when LDAP servers behave badly .

Configuring Samba Itself

Now that the back-end LDAP database is ready to rock, you are at last ready to configure Samba itself! Samba is configured via the file /etc/samba/smb.conf . Although a stock version is provided with your Fedora system, we strongly recommend that you replace it with the version presented here and on our website.

In our examples, we have already made the changes necessary to accommodate operation as an NT primary domain controller rather than a simple workgroup server.

Web-Based Interfaces to Configure Samba: SWAT and Webmin

Editing the smb.conf file by hand isn't the only way to configure Samba. It's also possible to configure Samba using a Webmin module. In addition, the Samba team offers its own web-based user interface, SWAT.

So why are we editing smb.conf by hand? Because initial Samba configuration is a task we do only once. So we don't save much repetitive labor by doing it through a web-based interface. In addition, there is a compelling reason not to. Most of the Samba documentation, online and in print, discusses configuration file options by name. Understanding how these option names relate to text fields and radio buttons in a "friendly" web-based interface can be difficult. So if you have a problem and need support, you're going to need to understand the configuration files. That means it's best to speak the language from the beginning.

In later chapters, we will use Webmin's Samba Windows File Sharing module to speed up simpler and more repetitive tasks, like adding and modifying file shares. We chose to go with Webmin consistently throughout the book for simplicity.

Samba's SWAT interface does present options by their "real" names in the configuration file. But there isn't an enormous difference in convenience between SWAT and editing a text file, especially for the one-time task of initially setting up your configuration file. SWAT is definitely worth a look, though. You can learn more about it here: www.samba.org/samba/docs/man/swat.8.html

A little later in the chapter, we'll give you the full configuration of our suggested smb.conf file, but before we present that, here's a breakdown of the decisions that went into each setting in our /etc/samba/smb.conf file, broken up into logical sections:

• Prologue

• Windows Networking Settings

• "Back End Database" LDAP Settings

• Logging Options: Where to Send the Bad News

Prologue In principle, smb.conf can have options in many different categories. In practice, all of the options we use fall into the global category. The first line of smb.conf informs Samba that we are about to list options in the global category, and should always be [global] .

Windows Networking Settings Options in this section have to do with Windows networking issues. What should the domain be called? What networks are allowed to connect to it? How should the Samba server it identify itself to workstations? Do you want the various behaviors associated with a PDC, as opposed to a BDC or mere workgroup server? Should encrypted passwords, required by out-of-the-box modern versions of Windows, be required by Samba? All of these questions are answered by the options in the following list.

• The workgroup option is used for both domains and simple workgroup servers. We set this to corp , the name we chose for our Windows NT-compatible Samba domain.

• The hosts allow option limits the IP addresses that are allowed to connect to the server. The syntax used here is simple: to allow all addresses in our class C local network, 192.168.2, we specify using the odd syntax of 192.168.2 . Similarly, to allow loopback connections from the server itself, we specify 127 . ( All IP addresses with the first byte set to 127 are reserved for a machine that wishes to talk to itself, although in practice only 127.0.0.1 is frequently used.) So, when typing in this particular line be sure to type it in exactly as shown. Specifically, you want to enter in 192.168.2(period)(space) 127(period).

• The server string option allows workstations to tell inquisitive users what server software is being used. We chose to proudly announce our Samba server, but you can choose a more or less interesting response if you prefer.

• The security option determines the type of security model used by Samba. For a domain controller, this option is set to user because our primary goal is user authentication.

• We set the encrypt passwords option to yes. This option is almost a historical footnote at this point. Prior to the release of Windows 98, Windows workstations were quite comfortable with keeping passwords as plain text on the server. With the arrival of Windows 98, unencrypted passwords began to require registry changes on each workstation. Since the release of Windows 98, encrypted passwords have moved from an option to a default to a requirement. This option should always be set to yes on a modern Samba server.

• min passwd length sets the minimum length of a password in characters. You may find that three characters is far too short. Feel free to set a higher minimum.

• domain logons is a crucial option for operation as a PDC or BDC: without it, the server would not accept logons from client workstations. We set this option to yes .

• domain maste r is another PDC-related option. In Windows, the PDC is the domainmaster browser. Setting this the same here would be a functional equivalent. The domain-master browser is responsible for combining browse lists from all of the Ethernet subnets involved that have Windows clients on them. Since this is how a real Windows PDC works, we set it to yes .

• preferred master indicates that the Samba server should be the Windows networking "master browser" for this local subnet. We set this option to yes . This does not guarantee that Samba will be the master; it only forces an "election" to choose a master browser at the time the Samba server starts up. It is not necessarily a problem for another server in the domain to be the master for the subnet on which our Samba domain master server is located. We just want to make sure one is chosen promptly at startup time. This option also implicitly turns on the local master option, which indicates that the server can be a Windows networking master browser for the local subnet.

• We set the wins support option to yes . This option specifies that the Samba server should act as a WINS (Windows Name Service) server. This allows Windows or Samba clients to register their IP addresses and have other clients look them up. It's a nice touch if no Windows server is already performing this chore. If this Samba server is the only server on the network, always set this option to yes . If there are multiple servers present, make sure only one is a WINS server.

"Back End Database" LDAP Settings What sort of database should you use to store passwords? For us, the answer is LDAP. Where is that database? How is it structured? Where should information about users, computers, groups, and Windows SIDs be kept? Should the LDAP connection be encrypted? In the following list, you see the options that resolve these questions.

• The passdb backend option specifies what sort of database should be used to store passwords, as well as the URI (Uniform Resource Identifier) where that database can be reached. We're using LDAP as a back-end repository, so our value for this setting begins with ldapsam: to specify the LDAP Samba back end. This is followed by ldaps://linserv1.corp.com/ , which is understood to mean that an LDAP server is listening on the encrypted LDAP-over-SSL port (636) on the server linserv1.corp.com .

• LDAP passwd sync is a necessity when working with encrypted passwords and using an LDAP back end, which we are. Recall that Unix and Windows use different techniques for encrypting passwords. Samba needs to store the new password in both formats. We set LDAP passwd sync to yes to accomplish this.

• The ldap ssl option specifies that our LDAP connection should be encrypted via SSL.

• The ldap admin dn option specifies the credentials of the LDAP root user, which Samba needs in order to change passwords, an administrative task that it performs directly. You have already seen other administrative tasks that are performed via the smbldap-tools .

• The ldap suffix option is identical in purpose to the suffix option in /etc/openldap/slapd.conf , as covered earlier, and we also set it to ldap suffix = dc=ldap,dc=corp,dc=com .

• ldap group suffix, ldap machine suffix , and ldap user suffix should specify three distinct LDAP organizational units (OUs) in order to avoid name collisions between users, groups and computers. We set them to Groups, Computers , and Users , respectively, matching the existing layout in our LDAP database.

• ldap idmap suffix can share the same organizational unit with ldap user suffix because Windows SIDs are not valid Windows usernames and vice versa. Since a Windows SID will never be the same as a Windows username, there's no risk of the one overwriting the other. The smbldap-tools were designed with this assumption in mind, so we'll follow Idealx's recommended practice by setting this to Users .

Logging Options: Where to Send the Bad News Options in this section are concerned with the logging of error messages, warnings, and diagnostic messages.

• The log level option determines how much information will be included in error log files (see the later section "If Samba Doesn't Work," for more information on how to take advantage of the error logs). We set this to 2 because it causes most useful debugging information to be logged without completely swamping the log file in detail.

• The closely related log file option determines where error messages, warnings, and diagnostic messages related to a particular workstation should be logged. Replacing the %m wildcard with the IP address of the workstation. /var/log/samba/%m.log is a good choice because /var/log/samba is the standard place to log Samba-related activity.

"Glue" Options: Connecting the smbldap-tools to Samba

The options in the preceding section allow Samba itself to talk to LDAP in order to verify and change passwords. As we've described, there are a bunch of additional administrative tasks that Samba doesn't do on its own. The Samba maintainers made a wise decision to break these tasks out, allowing the administrator to plug in tools of their own choosing.

We've already chosen the smbldap-tools , which do a comprehensive job of implementing all of these functions. There's a lot of "under the hood" stuff going on here. It should be noted that the smbldap-tools can be run manually or plugged into scripts of your own. This section provides a useful introduction to their capabilities.

For readability's sake, we chose not to use full paths in this section. All of the smbldaptools scripts are located in /usr/local/sbin/ , and that prefix does appear in the actual configuration file. You will also note wildcards such as %u and %g . Samba automatically replaces these with the actual user (%u) and group (%g) names involved in each request before executing the script in question.

• add user script is executed each time a new user should be added and should be set to smbldap-useradd -a -m '%u' . This instructs smbldap-useradd to add a new user.

  • The -a option specifies that a Windows account should be created.

  • The -m option indicates that a home directory should be created.

  • The '%u' option specifies the username specified by the Windows domain administrator who made the request. Placing %u between single quotes ensures that the Bash command shell does not try to misinterpret any special characters in the username with possibly unwanted consequences. Samba itself takes care of making sure there are no back- ticks (`) in the username that might otherwise ruin this security precaution.

• Similarly, delete user script is executed when a user should be removed. In this case, we use smbldap-userdel and pass it the name of the user to delete, again via the %u wildcard.

• add group script performs a similar task: adding a new group; smbldap- groupadd is used. The -p option indicates that a Windows group should be added, and the username is passed in the same way via '%u' .

• delete group script is similar to delete user script ; smbldap- groupdel is used. The username is passed in via '%u' .

• add user to group script takes care of adding a user to a group; the script smbldapgroupmod is used. The -m specifies that a user should be added to a group. The user and group names are then substituted in using the %u and %g wildcards.

• delete user from group script removes a user from a group. The script smbldap-groupmod is again used, but with different options. The -x option specifies that a user should be removed from a group, and the user and group names are again substituted in using the %u and %g wildcards.

• set primary group script sets the primary group for a user. This is the group that will initially own any files created by the user unless the user expressly specifies otherwise. The smbldap- usermod script is used, with the -g option specifying that the default group should be changed, and the group and usernames (in that order for this particular command) are substituted in using the %g and %u wildcards.

• add machine script runs every time a new workstation joins the domain. The smbldapuseradd script is used, but the -w option clarifies the situation by asking the script to add a workstation account rather than a regular user account.

Listing 2.1: /etc/samba/smb.conf

 [global] # Set our domain name workgroup = corp # Lock out people not on the local LAN. Optional. # Also allow local loopback (127.) hosts allow = 192.168.2. 127. #So, when typing in the hosts allow line (above), be sure to type it in exactly as shown. Specifically, you want to enter in 192.168.2(period)(space)127(period) # Identify our software server string = Samba Server # Security mode should be "user" for a domain controller security = user # We must encrypt passwords to talk to # modern versions of Windows # without registry hacks, and we want to #do that anyway encrypt passwords = yes # Set a reasonable minimum password length min passwd length = 3 # Crucial options to enable operation as a PDC domain logons = yes domain master = yes preferred master = yes wins support = yes #Talk to LDAP via SSL to obtain account information passdb backend = ldapsam:ldaps://linserv1.corp.com/ # Sync our passwords with the ldap database ldap passwd sync = yes ldap ssl = yes ldap admin dn = cn=root,dc=ldap,dc=corp,dc=com ldap suffix = dc=ldap,dc=corp,dc=com ldap group suffix = ou=Groups ldap machine suffix = ou=Computers ldap user suffix = ou=Users ldap idmap suffix = ou=Users #Scripts run to carry out domain administration tasks add user script = /usr/local/sbin/smbldap-useradd -a -m  '%u' delete user script = /usr/local/sbin/smbldap-userdel  '%u' add group script = /usr/local/sbin/smbldap-groupadd -p  '%g' delete group script = /usr/local/sbin/smbldap-groupdel  '%g' add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u'  '%g' delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u'  '%g' set primary group script = /usr/local/sbin/smbldap-usermod -g '%g'  '%u' add machine script = /usr/local/sbin/smbldap-useradd -w  '%m' #Log enough information to debug problems but not so much as to swamp us log level = 2 # Log errors where Fedora normally does; one # log file per client IP address log file = /var/log/samba/%m.log 

 

Cluing Samba in to the LDAP Root Password

Once the Samba configuration file is ready, you need to make the Samba server aware of the root password for the LDAP database. This is because, while you leverage the smbldap-tools for most administrative tasks, Samba handles password changes internally. For historical reasons, this information is stored in a special file called secrets.tdb that Samba creates in /etc/samba . You do this task using the smbpasswd command and passing the -w option, which indicates that you want to set the password needed to make changes to the LDAP database:

 smbpasswd -w p@ssw0rd 

You should receive the following response:

 Setting stored password for "cn=root,dc=ldap,dc=corp,dc=com" in secrets.tdb 

To continue with Samba configuration, you must now launch the Samba server to determine its SID.

Launching the LDAP-Based Samba Server for the First Time

To start the Samba server and to ensure that it is restarted at the next reboot, enter the following commands as root. The first command ensures that the two Samba server daemons, smbd and nmbd , are always launched at boot time. The second launches the Samba servers now:

 chkconfig --add smb service smb start 

You can now determine the Windows SID (security identifier) of the server using the net command. As you may recall, the smbldap-tools need this information to operate correctly, and you were not able to add the SID option to smbldap.conf earlier because you had not yet generated a SID by starting Samba for the first time. To learn the server's SID, use the following command:

 net getlocalsid 

If your Samba server launched successfully, this should produce output similar to the following. Note that the name of your individual server appears rather than corp , the NT domain name you have chosen. This is not cause for concern.

 SID for domain LINSERV1 is: S-1-5-21-3084340505-2073876770-3452236727 

Now, edit the file /etc/smbldap-tools/smbldap.conf and change the SID setting to match what you received ( don't just copy our example):

 SID="YOURSIDGOESHERE" 

The smbldap-tools are now ready to handle administration requests such as joining a workstation to a domain.

Using Webmin to Administer LDAP User Accounts for Samba

You're nearly ready to join a true Windows client to your Samba domain! To make that truly useful, you'll first need to enable Samba login for each of your existing LDAP users and configure the Webmin LDAP Users and Groups to do so automatically for newly created users in the future.

Configuring the Webmin LDAP Users and Groups Module for Samba

Follow these steps:

1. Log into Webmin. Then click the "System" button, followed by the "LDAP Users and Groups" button.

2. You will note that the display now includes several new users, including the standard Windows account Administrator and the machine trust account linserv1$ . The Groups list has also been expanded quite a bit with a collection of standard Windows groups.

3. Click the "Module Config" link to access the Configuration page.

4. Set the "other objectClasses to add to new users" field to account sambaSamAccount , as shown in Figure 2.18. Note that this means that all newly created LDAP accounts will support Samba domain logins.

5. Scroll down to "Samba account options." To the right of "LDAP object class for Samba users," make sure "sambaSamAccount" is present. This is needed to allow upgrading existing accounts to Samba support.

6. To the right of "Domain SID for Samba3," paste in your SID as received from the net getlocalsid command.

7. Scroll to the end of the page and click "Save."

Figure 2.18: Webmin settings to support Samba accounts in LDAP Users and Groups

Now you're ready to upgrade your user accounts to support Samba.

Upgrading and Adding LDAP Samba-Enabled Accounts with Webmin

You'll also need to retrofit your existing LDAP users to support their new lives as Samba users. After you do that, we'll demonstrate how to add a new account with Samba support.

To upgrade an existing account from the "LDAP Users and Groups" main page, click the user " doctor1 ." On the page that follows, click the radio box next to "Normal password' and enter p@ssw0rd again in the field to the right of the radio box, as shown in Figure 2.19. This is necessary because Unix and Windows both encrypt passwords via a one-way function that does not allow the original password to be recovered. As a result, the Samba password database cannot be automatically populated using the existing LDAP-MD5 password. When upgrading to Samba, administrators have solved this problem by issuing new passwords to all users or by requiring each user to come to a central workstation and reset their password.

Figure 2.19: Upgrading an existing LDAP account to support Samba

Warning

If you do not reset an existing user's password when adding Samba support to their account, they will not be able to authenticate from a Windows workstation.

Now, scroll down to "User capabilities" and press the radio button labeled "Yes" next to the "Samba login?" This allows doctor1 to authenticate from a Windows workstation. Scroll to the end of the page and click "Save." Repeat this process for doctor2, nurse1 , and nurse2 .

Adding a new account with Samba support is easy: just follow the same procedure described earlier in this chapter to add a new LDAP account. Thanks to your configuration changes, all new accounts will automatically support Samba. You can verify this by adding a doctor3 account.

That's ityour LDAP-based Samba PDC is ready to use! Continue with the next section to learn how to verify its operation.

 service ldap restart service smb restart 

 tail /var/log/messages 

 tail -100 /var/log/messages 

 /var/log/samba/smbd.log /var/log/samba/xxx.xxx.xxx.xxx.log 

 expand usrmgr.ex_ c:\usrmgr.exe expand srvmgr.exe c:\srvmgr.exe