LDAP Samba
From MHC-Wiki
As an additional package I also installed "smbldap-tools". It contains the family of /usr/sbin/smbldap-* scripts that are needed for automatically processing user and machine data coming from Windows. This is especially handy because Windows then gets its machine accounts created automatically when a workstation joins the domain.
My config now looks like this:
# Global parameters
[global]
dos charset = ISO8859-1
unix charset = ISO8859-1
workgroup = MHC
netbios name = SERVER
server string = Samba on %h
min password length = 6
passdb backend = ldapsam:ldap://localhost
log level = 2
syslog = 0
log file = /var/log/samba/log.%m
max log size = 204800
announce version = 4.8
time server = Yes
printcap name = cups
add user script = /usr/sbin/smbldap-useradd -m
add group script = /usr/sbin/smbldap-groupadd -p
add user to group script = /usr/sbin/smbldap-groupmod -m
delete user from group script = /usr/sbin/smbldap-groupmod -x
set primary group script = /usr/sbin/smbldap-usermod -g
add machine script = /usr/sbin/smbldap-useradd -w
logon script = %U.bat
logon path = \\%L\profiles\%U
domain logons = Yes
os level = 254
preferred master = Yes
domain master = Yes
dns proxy = No
ldap admin dn = cn=admin,dc=mhcsoftware,dc=de
ldap delete dn = Yes
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap passwd sync = Yes
ldap suffix = dc=bange-verlag,dc=de
ldap ssl = no
ldap user suffix = ou=people
hosts allow = 192.168.2., 127., 192.168.100.
map acl inherit = Yes
printing = cups
print command =
lpq command =
lprm command =
case sensitive = No
[daten]
comment = Data
path = /space/samba/daten
guest ok = no
browsable = yes
writable = yes
[homes]
comment = Private directory of '%u'
browseable = no
writable = yes
[netlogon]
path = /space/samba/netlogon
guest ok = yes
browsable = no
writable = no
root preexec = /usr/bin/ntlogon -u %U -g %G -o %a -d /space/samba/netlogon/
root postexec = rm -f /space/samba/netlogon/%U.bat
[profiles]
path = /space/samba/profiles
browseable = no
guest ok = yes
writable = yes
Points worth highlighting:
- Whatever is entered as "ldap admin dn" must actually exist as an entry in the LDAP server. Sounds odd, but it was one of my stumbling blocks. Also don't forget to set the password for the account named in "ldap admin dn" with "smbpasswd -w very_secret_password"; Samba keeps it in secrets.tdb and uses it for every bind to the directory.
- The account entered as "ldap admin dn" definitely needs write access to LDAP (at least to the user, group and machine subtrees), since otherwise Samba cannot write to the SAM. The same goes for the DN in smbldap_bind.conf, which is a different account here (cn=ldapadmin instead of cn=admin): either give both write access or use one DN in both places. Also check that "ldap suffix" and the three "ldap ... suffix" entries describe the same tree as suffix, usersdn, groupsdn and computersdn in smbldap.conf; in the config above "ldap suffix" still says dc=bange-verlag,dc=de while everything else uses dc=mhcsoftware,dc=de, so Samba would search and write in a different tree than the scripts do.
- "ntlogon" can be found under "/usr/share/doc/samba-doc/examples/ntlogon". I copied the Python script to /usr/bin and renamed it. The configuration file I copied to "/etc/samba/" and adapted; the path to the configuration file must also be adjusted inside the script. Since "root preexec" runs the script as root on every connection to [netlogon], including guest connections, keep the script and its configuration owned by root and not writable by anyone else.
- If you want NT ACLs (option "nt acl support", which is on by default in Samba 3), you MUST use a filesystem for the shares that supports extended (POSIX) ACLs. That is why I use XFS for them; ext3/ext4 work too when mounted with the "acl" option. On the command line you can then inspect the ACLs with "getfacl" and set them with "setfacl".
- The "charset" entries matter because without them Windows and Linux get in each other's way over umlauts and special characters. "unix charset = ISO8859-1" is only right if the filenames on the Linux side really are stored in Latin-1; on a system with a UTF-8 locale leave "unix charset" at its default of UTF-8, otherwise the umlauts get mangled in the other direction.
- [profiles] is configured with "guest ok = yes" together with "writable = yes". Roaming profiles are read and written by the logged-on user, who is authenticated anyway, so guest access is not needed there and lets anyone in the "hosts allow" networks write into other users' profiles. Only [netlogon] legitimately needs "guest ok = yes".
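Since the stumbling blocks above (admin DN, write rights, matching suffixes) all come down to smb.conf and the two smbldap-tools files agreeing with each other, here is a small consistency check as an added example; it is my code, not part of this page or of smbldap-tools. It embeds the values shown on this page as constructed sample input (smb.conf reduced to the relevant keys, plus the smbldap.conf and smbldap_bind.conf values from the next section) and flags the suffix and admin DN mismatches, the unsalted MD5 userPassword hashes, guest-writable shares and cleartext LDAP to a non-loopback server. It assumes the file formats shown on this page: INI-style smb.conf and KEY="value" lines for the smbldap-tools files.

```python
"""Cross-check a Samba ldapsam PDC against smbldap-tools' config files.

Added example, not part of the page or of smbldap-tools. Reports the
mismatches that break the setup described above."""
import configparser
import re
from urllib.parse import urlparse

# Constructed sample input built from the values shown on this page,
# inconsistencies included (smb.conf reduced to the relevant keys).
SMB_CONF = """
[global]
workgroup = MHC
passdb backend = ldapsam:ldap://localhost
ldap admin dn = cn=admin,dc=mhcsoftware,dc=de
ldap suffix = dc=bange-verlag,dc=de
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap ssl = no
[netlogon]
path = /space/samba/netlogon
guest ok = yes
writable = no
[profiles]
path = /space/samba/profiles
guest ok = yes
writable = yes
"""
SMBLDAP_CONF = """
slaveLDAP="127.0.0.1"
masterLDAP="127.0.0.1"
ldapTLS="0"
suffix="dc=mhcsoftware,dc=de"
usersdn="ou=people,${suffix}"
computersdn="ou=computers,${suffix}"
groupsdn="ou=groups,${suffix}"
hash_encrypt="MD5"
"""
SMBLDAP_BIND_CONF = """
slaveDN="cn=ldapadmin,dc=mhcsoftware,dc=de"
slavePw="passwort"
"""
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')


def parse_smb_conf(text):
    """smb.conf is INI-like; option names are case-insensitive and may contain spaces."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    return {s.lower(): {k.strip(): v.strip() for k, v in cp.items(s)} for s in cp.sections()}


def parse_kv(text):
    """smbldap-tools files are KEY="value" lines that may reference ${other_key}."""
    raw = {m.group(1): m.group(2) for m in map(KV_RE.match, text.splitlines()) if m}
    return {k: re.sub(r"\$\{(\w+)\}", lambda m: raw.get(m.group(1), ""), v) for k, v in raw.items()}


def norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(",") if p.strip())


def relative_dn(dn, base):
    """'ou=People,dc=x,dc=y' relative to 'dc=x,dc=y' -> 'ou=people'."""
    dn, base = norm_dn(dn), norm_dn(base)
    return dn[:-len(base) - 1] if base and dn.endswith("," + base) else dn


def yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def writable(share):
    """Samba spells this three ways; 'read only' wins when present."""
    if "read only" in share:
        return not yes(share["read only"])
    return any(yes(share[k]) for k in ("writable", "writeable", "write ok") if k in share)


def loopback(host):
    return host in ("localhost", "::1") or host.startswith("127.")


def lint(smb_text, ldap_text, bind_text):
    """Return a list of human-readable findings; an empty list means consistent."""
    smb, ldap, bind = parse_smb_conf(smb_text), parse_kv(ldap_text), parse_kv(bind_text)
    g, out = smb["global"], []
    suffix = ldap.get("suffix", "")
    if norm_dn(g.get("ldap suffix", "")) != norm_dn(suffix):
        out.append(f"suffix mismatch: smb.conf has {g.get('ldap suffix')!r}, smbldap.conf has {suffix!r}")
    for smb_key, ldap_key in (("ldap user suffix", "usersdn"), ("ldap group suffix", "groupsdn"),
                              ("ldap machine suffix", "computersdn")):
        want, have = norm_dn(g.get(smb_key, "")), relative_dn(ldap.get(ldap_key, ""), suffix)
        if want != have:
            out.append(f"{ldap_key} mismatch: Samba uses {want!r}, scripts use {have!r}")
    bind_dn = bind.get("masterDN") or bind.get("slaveDN", "")
    if norm_dn(g.get("ldap admin dn", "")) != norm_dn(bind_dn):
        out.append(f"admin dn mismatch: Samba binds as {g.get('ldap admin dn')!r}, scripts as {bind_dn!r}; "
                   "both need write access, or use one DN")
    backend = g.get("passdb backend", "")
    for url in (backend.split(":", 1)[1].strip('"').split() if ":" in backend else []):
        host = urlparse(url).hostname or ""
        if url.startswith("ldap://") and g.get("ldap ssl", "off").lower() in ("no", "off") and not loopback(host):
            out.append(f"cleartext LDAP bind from Samba to {host} (ldap ssl = no)")
    if ldap.get("ldapTLS", "0") == "0":
        for host in {ldap.get("masterLDAP"), ldap.get("slaveLDAP")} - {None, ""}:
            if not loopback(host):
                out.append(f"cleartext LDAP bind from the scripts to {host} (ldapTLS=0)")
    if ldap.get("hash_encrypt", "").upper() in ("MD5", "SHA"):
        out.append(f"hash_encrypt={ldap['hash_encrypt']} stores unsalted userPassword hashes; use SSHA")
    for name, share in smb.items():
        if name != "global" and yes(share.get("guest ok", "no")) and writable(share):
            out.append(f"[{name}]: guest ok = yes on a writable share ({share.get('path', 'per-user path')})")
    return out


if __name__ == "__main__":
    for finding in lint(SMB_CONF, SMBLDAP_CONF, SMBLDAP_BIND_CONF):
        print("-", finding)
```

To run it against a real server, feed lint() the contents of /etc/samba/smb.conf, /etc/smbldap-tools/smbldap.conf and /etc/smbldap-tools/smbldap_bind.conf instead of the embedded constants. It is a static check only: whether the admin DN actually exists and has write rights still has to be tested against the running directory, for example with an ldapsearch bound as that DN.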
smbldap scripts
For these scripts to work they need two files. smbldap_bind.conf holds the bind DN and its password in the clear, so keep it owned by root and readable by root only (chmod 600). Also note that the netbios name in userSmbHome and userProfile in smbldap.conf has to be the server's "netbios name" from smb.conf (SERVER above, not SERVERMHC): smbldap-useradd writes these paths into the user's sambaHomePath and sambaProfilePath attributes, and a value set there takes precedence over "logon home" and "logon path" in smb.conf.
/etc/smbldap-tools/smbldap_bind.conf
############################
# Credential Configuration #
############################
# Notes: you can specify two different configurations if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=ldapadmin,dc=mhcsoftware,dc=de"
slavePw="passwort"
/etc/smbldap-tools/smbldap.conf
...
# . be the configuration file for all smbldap-tools scripts
##############################################################################
#
# General Configuration
#
##############################################################################
# Put your own SID
# to obtain this number do: net getlocalsid
SID="S-1-5-21-1471976125-4068608696-2468474850"
##############################################################################
#
# LDAP Configuration
#
##############################################################################
# Notes: to use a dual ldap server backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)
# Ex: slaveLDAP=127.0.0.1
slaveLDAP="127.0.0.1"
slavePort="389"
# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP="127.0.0.1"
masterPort="389"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also use port 389)
ldapTLS="0"
# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"
# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"
# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=mhcsoftware,dc=de"
# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
usersdn="ou=people,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
computersdn="ou=computers,${suffix}"
# Where are stored Groups
# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
groupsdn="ou=groups,${suffix}"
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
idmapdn="ou=Idmap,${suffix}"
# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
# Default scope Used
scope="sub"
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
hash_encrypt="MD5"
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"
# Home directory
# Ex: userHome="/home/%U"
userHome="/space/home/%U"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="99"
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
# The UNC path to home drives location (%U username substitution)
# Ex: \\My-PDC-netbios-name\homes\%U
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
userSmbHome="\\SERVERMHC\homes\%U"
# The UNC path to profiles locations (%U username substitution)
# Ex: \\My-PDC-netbios-name\profiles\%U
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
userProfile="\\SERVERMHC\profiles\%U"
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: H: for H:
userHomeDrive="H:"
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: %U.cmd
# userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.cmd"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
mailDomain="mhcsoftware.de"
##############################################################################
#
# SMBLDAP-TOOLS Configuration (defaults are ok for a RedHat)
#
##############################################################################
# Allows not using smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) and
# using the Crypt::SmbHash library instead
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
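hash_encrypt above decides how smbldap-useradd stores the POSIX password in the userPassword attribute, and the value chosen on this page, MD5, is an unsalted hash. The following added example (my code, not the page's or smbldap-tools') builds and verifies userPassword values in the {SCHEME}base64(...) form OpenLDAP uses for MD5, SMD5, SHA and SSHA (CRYPT is left out because Python's crypt module has been removed) and runs a small offline dictionary attack over a constructed word list to show why the salted variants cost an attacker a full pass per account while the unsalted ones cost one pass for the whole directory.

```python
"""userPassword hash schemes selectable via hash_encrypt in smbldap.conf
(MD5, SMD5, SHA, SSHA), in the {SCHEME}base64(digest[+salt]) form OpenLDAP
stores, plus an offline dictionary attack to show what the choice buys.
Added example, not part of the page or of smbldap-tools; CRYPT is left out."""
import base64
import hashlib
import hmac
import os

DIGEST = {"MD5": hashlib.md5, "SMD5": hashlib.md5, "SHA": hashlib.sha1, "SSHA": hashlib.sha1}
SALTED = {"SMD5", "SSHA"}


def make_userpassword(password, scheme="SSHA", salt=None):
    """Build a userPassword value; salt is only used by the salted schemes."""
    scheme = scheme.upper()
    if scheme not in DIGEST:
        raise ValueError(f"unsupported scheme {scheme}")
    data = password.encode("utf-8")
    if scheme in SALTED:
        salt = os.urandom(8) if salt is None else salt
        blob = DIGEST[scheme](data + salt).digest() + salt   # digest || salt
    else:
        blob = DIGEST[scheme](data).digest()
    return "{%s}%s" % (scheme, base64.b64encode(blob).decode("ascii"))


def split_userpassword(stored):
    scheme, _, b64 = stored.partition("}")
    return scheme.lstrip("{").upper(), base64.b64decode(b64)


def verify_userpassword(password, stored):
    """Recompute with the stored salt (if any) and compare in constant time."""
    scheme, blob = split_userpassword(stored)
    salt = blob[DIGEST[scheme]().digest_size:] if scheme in SALTED else None
    return hmac.compare_digest(make_userpassword(password, scheme, salt), stored)


def dictionary_attack(stored_hashes, wordlist):
    """Offline guessing by someone who can read userPassword from the directory.
    Returns ({stored: plaintext}, number of digest computations)."""
    cracked, ops, tables = {}, 0, {}
    for stored in stored_hashes:
        scheme, blob = split_userpassword(stored)
        if scheme in SALTED:
            # every entry has its own salt: the word list is hashed again per entry
            salt = blob[DIGEST[scheme]().digest_size:]
            for word in wordlist:
                ops += 1
                if make_userpassword(word, scheme, salt) == stored:
                    cracked[stored] = word
                    break
        else:
            # unsalted: hash the word list once, then every entry is a lookup
            if scheme not in tables:
                tables[scheme] = {make_userpassword(w, scheme): w for w in wordlist}
                ops += len(wordlist)
            if stored in tables[scheme]:
                cracked[stored] = tables[scheme][stored]
    return cracked, ops


if __name__ == "__main__":
    words = ["123456", "geheim", "password", "letmein"]      # constructed word list
    for scheme in ("MD5", "SSHA"):
        hashes = [make_userpassword(p, scheme) for p in ("password", "geheim", "letmein")]
        cracked, ops = dictionary_attack(hashes, words)
        print(scheme, "cracked", len(cracked), "of", len(hashes), "with", ops, "digests")
```

Whichever scheme is chosen here, it only affects userPassword. The sambaNTPassword attribute that Samba needs for NTLM authentication is by design an unsalted MD4 of the password and is password-equivalent, so the LDAP ACLs must keep sambaNTPassword, sambaLMPassword and userPassword readable by the admin DN only, regardless of hash_encrypt.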
Notes
(You should not need this if you're using samba 3.0.5 or better. Disabling RequireSignOrSeal on the clients turns off signing and sealing of the Netlogon secure channel, so treat it as a workaround for a domain controller that is too old to support it, not as a default.)
Windows XP tries to sign or seal the secure channel between the workstation and the domain controller. This causes the following error:
Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable or because your computer account was not found.
The domain controller may record: Event ID: 5723
The session setup from the computer <Computername> failed to authenticate. The name of the account referenced in the security database is <Computername>. The following error occurred: Access is denied.
The client may record:
Event Source: NETLOGON Event ID: 3227 Description: The session setup to the Windows NT or Windows 2000 domain controller \\<ServerName> for the domain <DomainName> failed because \\<ServerName> does not support signing or sealing the Netlogon session. Either upgrade the domain controller or set the RequireSignOrSeal registry entry on this machine to 0.
Option 1: Manual registry editing
Start Regedit, navigate to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters and change "RequireSignOrSeal"=dword:00000001 to "RequireSignOrSeal"=dword:00000000
Option 2: The only way Microsoft advocates changing this setting
Use Control Panel to open Local Security Policy in the Administrative Tools. Navigate to Local Policies / Security Options. Double-click Domain Member:Digitally encrypt or sign secure channel data (always). Press Disabled. Press Apply and OK.
Option 3: registry file
Save the following text to requiresignorseal.reg and then right click->Merge
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000

