About Me

Kalyan Kumar Pasupuleti B-Tech(Information Technology). • RedHat Certified Engineer(RHCE) • Directory Services and Authentication Certificate of Expertise(LDAP) • Red Hat SELinux Policy Administration Certificate of Expertise(SELinux) • Network Services Security Certificate of Expertise (Network Services) • RedHat Certified Virtualization Administrator(RHCVA) • Red Hat Certified Security Specialist (RHCSS) Working as Cloud DevOps engineer

Monday, December 27, 2010

Installing a Samba PDC on openSUSE 11.x

Starting point: OpenSUSE 11.0. Goal: a Samba PDC plus file server. This is a detailed step-by-step guide.

Terminology used below: Linux groups and users created locally I call POSIX groups and users; internal accounts (service users, groups and so on) I call system users; users and groups created by Samba in the OpenLDAP database I call Samba users (groups).

1. Server deployment.
Let's name the server vitanaserver. Initially users are registered locally, and there are no users other than root. Install the following packages from the openSUSE distribution: openldap2-devel, openssl-certs, pam_cifs, pam_smb, pam-config, pam-modules, pam_ldap, perl-Authen-SASL, perl-BerkeleyDB, perl-OpenCA-CRL, perl-OpenCA-REQ, perl-OpenCA-X509, perl-Unicode-String, perl-Crypt, perl-IO-String, perl-ldap, perl-ldap-ssl, perl-IO-Socket-SSL, perl-Net_SSLeay, perl-Unicode-Map8, libgcrypt, libxcrypt, libnscd, libacl, libmsrpc, libsmbsharemodes, libmspack, cyrus-sasl, tls. External packages from the SUSE repositories: openldap2-back-perl, ldapsmb, samba-doc.

Notice: In the README of smbldap-tools version 0.9.2 I found the following sentence: "In the future, some other function may come (like : compliance to RFC2307...)". This means I have to define the directory schema myself: nis.schema, or the newer rfc2307bis.schema, but the latter does not work with smbldap-tools. To use smbldap-tools I prefer nis.schema.

Before installing Samba, check for a newer version. Right now the openSUSE repositories have a newer Samba, and I downloaded the required packages from http://download.opensuse.org/repositories/network:/samba:/STABLE/openSUSE_11.0/i586/:

  • samba-3.4.3-4.1.i586.rpm
  • samba-client-3.4.3-4.1.i586.rpm
  • samba-debugsource-3.4.3-4.1.i586.rpm
  • samba-winbind-3.4.3-4.1.i586.rpm
  • samba-devel-3.4.3-4.1.i586.rpm
  • libsmbclient0-3.4.3-4.1.i586.rpm
  • libtalloc-devel-3.4.3-4.1.i586.rpm
  • libtalloc1-3.4.3-4.1.i586.rpm
  • libwbclient-devel-3.4.3-4.1.i586.rpm
  • libwbclient0-3.4.3-4.1.i586.rpm

Different smbldap-tools versions can have different issues and even a different installation order; read the installation instructions first.

Configure the network card for the internal zone with a static IP address. Open the LDAP and Samba server ports in the firewall.

2. Installing smbldap-tools.
Install perl-Jcode:
#wget http://download.opensuse.org/repositories/home:/beyerle:/TWiki/openSUSE_11.0/src/perl-Jcode-2.07-6.1.src.rpm
#wget http://download.opensuse.org/repositories/home:/beyerle:/TWiki/openSUSE_11.0/src/perl-Unicode-MapUTF8-1.11-6.1.src.rpm
#wget http://download.opensuse.org/repositories/home:/beyerle:/TWiki/openSUSE_11.0/src/perl-Unicode-Map-0.112-3.1.src.rpm
#rpm --rebuild perl-Jcode-2.07-6.1.src.rpm
#cd /usr/src/packages/SOURCES/

Unpack the packages into /usr/src/packages/SOURCES/ and follow the INSTALL guide; it has 4 installation steps:
#perl Makefile.PL
#make
#make test      ;make sure there are no errors
#make install

The RPM database has no record of the Unicode::Map and Unicode::MapUTF8 modules, so when I run
#rpm -Uvi smbldap-tools-0.9.5-3.1.noarch.rpm

I get:
error: Failed dependencies:
        perl(Unicode::Map) is needed by smbldap-tools
        perl(Unicode::MapUTF8) is needed by smbldap-tools

Make sure it does not require any other RPM packages or dependencies. If it does not, run it with the --nodeps option:
#rpm -Uvi --nodeps smbldap-tools-0.9.4-3.2.noarch.rpm

Install pam_smb:
#wget http://download.opensuse.org/distribution/11.0/repo/oss/suse/i586/pam_smb-2.0.0rc6-123.1.i586.rpm
#rpm -Uvi pam_smb-2.0.0rc6-123.1.i586.rpm

Clean up the sources folder (/usr/src/packages/SOURCES/) after a successful installation.

3. SSL configuration.
Setting the company information in /etc/ssl/openssl.cnf helps when creating certificates, but I will have to repeat the same for the root (CA) certificate. In YaST "Security and Users" - "CA Management" I create the CA root certificate. Define the required options: country, city, certificate lifetime. The common name must be the host name on which the certification center will later run. In "Advanced options" - "Key Usage" check "digital Signature":

Set a password and click Next to finish. The root CA certificate has been created. To open this tool again later, select the CA in the CA tree, click "Enter CA" and enter the root certificate password. In the form that opens, go to the Certificates tab and create the PDC host certificate with "Add" - "Add server certificate". The certificate's common name must be the full server name; if you rename the server later, you have to re-create the server certificate as well. Save the certificate to a file with the "Export" button, for example to /root/docs/security/vitanaserver.p12, using the "PKCS12 including chain" format (and a password). Import vitanaserver.p12 into the PDC with YaST "Security and Users" - "Common server certificate".


Notice: the same result can be obtained with command-line tools.

4. Starting LDAP.
Open YaST "Network Services" - "LDAP Server" - "Settings" - "Common Settings" - "Schema files". Enable starting the server at boot. Check or add the following schemas: core.schema, cosine.schema, nis.schema, inetorgperson.schema, misc.schema, samba3.schema, yast.schema, ppolicy.schema.

Go to "Databases" - "Add database" and create the database: base DN (for example dc=vitana), root DN cn=Administrator,dc=vitana, and the password on the line below it. Save the LDAP server configuration with the Apply button. Then go to YaST "Network services" - "LDAP server" - "Configuration" - "Common Settings" - "TLS settings" - "TLS activation" and select Yes. TLS encryption requires a key and a certificate; I choose "Select certificate" and pick the common server certificate. YaST creates the required files and puts them in:

  • root certificate: /etc/ssl/certs/YaST-CA.pem
  • LDAP server certificate: /etc/ssl/servercerts/servercert.pem
  • LDAP server key: /etc/ssl/servercerts/serverkey.pem

Start the LDAP daemon:
#rcldap start

If it prints "done", everything is fine and the server is up.

Open YaST "Network services" - "LDAP client" to configure the connection to our server:

Configuring LDAP client in the GUI

In "Advanced settings" - "Administration settings" enter the LDAP administrator DN (it may already be there). In the same tab enable "Create configuration objects by default"; as a result the LDAP container ou=ldapconfig under the base DN (ou=ldapconfig,dc=vitana in this example) is created. In "Client settings" check the naming contexts:

  • user map: ou=people under the base DN
  • password map: ou=people under the base DN
  • group map: ou=group under the base DN

Save the client configuration with the Apply button. Configure the password policy in the LDAP server module (Add policy - Save to - the ou=ldapconfig container) and set the password lifetime, timeout and so on. The policy object is not visible in the directory browser, but the required ppolicy settings are added to slapd.conf.

Open YaST "Network services" - "LDAP browser" and check that the directory opens.

Create the file /etc/ldap.secret containing the password of the database root account cn=Administrator,dc=vitana. The LDAP client reads it for rootbinddn, so keep it readable by root only (mode 0600):

#echo "<Administrator password>" > /etc/ldap.secret

Check that it is done:

#rcldap restart              ;restart ldap
#ps aux | grep slapd         ;shows the running daemon
#netstat -nap | grep slapd   ;shows the ports slapd has open; it is important that port 389 is open on this host and shown in state LISTEN.

Everything done so far can also be adjusted in /etc/openldap/slapd.conf (LDAP server) and /etc/ldap.conf (LDAP client). Below are the more important lines from these files.

slapd.conf:
pidfile  /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# references to dynamic modules:
modulepath /usr/lib/openldap/modules
# default access directory settings
# the LM/NT hashes are password-equivalent: only the admin DN may write them,
# nobody else may read them
access to attrs=SambaLMPassword,SambaNTPassword
    by dn="cn=Administrator,dc=vitana" write
    #; by dn="cn=root,ou=People,dc=vitana" write
    #; by dn="cn=proxyuser,ou=People,dc=vitana" read
    by * none
## Yast2 samba hack ACL done
access to dn.base=""
    by * read
access to dn.base="cn=Subschema"
    by * read
access to attrs=userPassword,userPKCS12
    by self write
    by * auth
access to attrs=shadowLastChange
    by self write
    by * read
access to *
    by * read
###########################################################
# BDB database definitions
###########################################################
# loglevel can be up to 10
loglevel 0
#TLSCipherSuite :SSLv3
#TLSCACertificateFile /etc/ssl/certs/YaST-CA.pem
TLSCACertificatePath /etc/ssl/certs/
TLSCertificateFile /etc/ssl/servercerts/servercert.pem
TLSCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
database bdb
suffix "dc=vitana"
rootdn "cn=Administrator,dc=vitana"
#;rootdn "cn=root,ou=People,dc=vitana"
# the {SSHA} hash is generated automatically by the server when the password is set
rootpw "{SSHA}<generated hash>"
directory /var/lib/ldap/
checkpoint 1024 5
cachesize 10000
# object search parameters in the directory
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
# password policy overlay (added by the YaST policy configuration)
overlay ppolicy
ppolicy_default "cn=Default Policy,ou=ldapconfig,dc=vitana"

ldap.conf:
# URL: use the host name, not the IP address, because the certificate is issued
# for the host name vitanaserver.vitana
host vitanaserver.vitana
base dc=vitana
uri ldap://vitanaserver.vitana
# can be enabled later:
#uri ldaps://vitanaserver.vitana
#uri ldapi://%2fvar%2frun%2fldapi_sock/
ldap_version 3
#;binddn cn=proxyuser,ou=People,dc=vitana
#;bindpw <proxy user password>
# Password is stored in /etc/ldap.secret
rootbinddn cn=Administrator,dc=vitana
#;rootbinddn cn=root,ou=People,dc=vitana
port 389
# set timelimit to avoid nss_ldap errors
timelimit 30
bind_timelimit 30
# Reconnect policy
bind_policy soft
nss_connect_policy persist
idle_timelimit 3600
nss_paged_results yes
pagesize 1000
# Filter to AND with uid=%s
pam_filter objectclass=account
pam_login_attribute uid
# available UID range
pam_min_uid 1000
pam_max_uid 60000
pam_password exop
nss_initgroups_ignoreusers root,ldap
# Enable support for RFC2307bis (distinguished . . .
# NDS mappings
nss_map_attribute uniqueMember member
# OpenLDAP SSL mechanism - for now StartTLS is the main one
ssl start_tls
pam_filter objectclass=posixAccount
# the following 3 lines are created by the LDAP client configuration;
# "?one" defines the search scope:
nss_base_passwd ou=People,dc=vitana?one
nss_base_shadow ou=People,dc=vitana?one
nss_base_group ou=Group,dc=vitana?one
# allows working with a self-signed certificate. Note: with tls_checkpeer no the
# client does not verify the server certificate at all, so a spoofed server could
# capture the bind password; since YaST-CA.pem exists, tls_checkpeer yes together
# with tls_cacertfile /etc/ssl/certs/YaST-CA.pem is the safer choice.
tls_checkpeer no
#ssl on
# OpenLDAP SSL options
# For now we need start_tls, native SSL is disabled
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/CA.pem
#tls_cacertdir /etc/ssl/certs
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# Client certificate and key. For now use the created key pair, copied to /etc/ssl/ldap/:
tls_cert /etc/ssl/ldap/servercert.pem
tls_key /etc/ssl/ldap/serverkey.pem

The configuration file with the lookup order of the name services, nsswitch.conf:
passwd:        compat
shadow:        files
group:         files ldap
hosts:         files mdns4_minimal [NOTFOUND=return] dns
networks:      files dns
services:      files ldap
protocols:     files
rpc:           files
ethers:        files
netmasks:      files
netgroup:      files ldap
publickey:     files
bootparams:    files
automount:     files nis
aliases:       files ldap
passwd_compat: ldap

5. Starting the Samba server.
Open YaST "Network services" - "Samba server": in "Loading" set the autostart option, in "Common resources" check netlogon, in "Identification" set the domain name and the PDC role, in "Advanced settings" - "User identification" set the LDAP settings (ldap://vitanaserver.vitana). All changes are saved when I close the module, after defining the Samba server administrator password.

All changes made there end up in smb.conf; I use the vi text editor to check/edit the settings of the global section:
[global]
	workgroup = vitana
	server string = XPS_PDC
	printing = cups
	printcap name = cups
	printcap cache time = 750
	cups options = raw
	map to guest = Bad User
	logon path = ""
	logon home = ""
	logon drive = P:
	usershare allow guests = Yes
	add machine script = /usr/sbin/smbldap-useradd -a -g 'Domain Computers' -d /dev/null -s /bin/false "%u"
	domain logons = Yes
	domain master = Yes
	local master = Yes
	netbios name = vitanaserver
	os level = 255
	preferred master = Yes
	# only the internal LAN and loopback may talk to the server
	hosts allow = 192.168.1. 127.0.0.
	security = user
	wins support = yes
	log level = 5
	log file = /var/log/samba.log.%m
	max log size = 1000000
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	add group script = /usr/sbin/smbldap-groupadd -p "%g"
	add user script = /usr/sbin/smbldap-useradd -a -m -g 'Domain Users' -s /bin/false "%u"
	add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
	delete group script = /usr/sbin/groupdel "%g"
	delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
	delete user script = /usr/sbin/smbldap-userdel "%u"
	ldap admin dn = cn=Administrator,dc=vitana
	ldap delete dn = No
	ldap passwd sync = Yes
	ldap suffix = dc=vitana
	passdb backend = ldapsam:ldap://vitanaserver.vitana
	set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
	ldap group suffix = ou=Group
	ldap idmap suffix = ou=Idmap
	ldap user suffix = ou=People
	ldap machine suffix = ou=Computers
	# admin users act with root privileges on every share
	admin users = root
	ldap timeout = 15
	# talk to LDAP over StartTLS only
	ldap ssl = Start_tls
	winbind enum users = yes
	winbind enum groups = yes

Store the password of the LDAP administrator (the ldap admin dn) in Samba's secrets database:
#smbpasswd -w [HisPassword]

Check the smb.conf configuration with testparm and restart the daemon:
#rcsmb restart

Check that Samba is listening on its ports:
#netstat -nap | grep smbd

Check that the Samba shares are reachable:
#smbclient -L localhost -U administrator

It lists the Samba shares (if there are errors, set log level = 2 and investigate the logs in /var/log/).

6. Configuring smbldap-tools.
I use the LDAP TLS certificates with smbldap-tools as well. Copy serverkey.pem and servercert.pem from /etc/ssl/servercerts to /etc/smbldap-tools; I could not get server*.pem working from the common folder, so I copied them into a separate one. Keep the copied key readable by root only.

Get the domain SID:

#net getlocalsid    ;returns the domain SID

Copy configure.pl from /usr/share/doc/packages/smbldap-tools to /usr/sbin and run it. It asks some questions, each with a default answer. The result is the set of configuration files in /etc/smbldap-tools. Check smbldap.conf and smbldap_bind.conf:

  • the domain SID must be the same as the one "net getlocalsid" returns
  • the slave and master LDAP server are the same server, given by IP

smbldap.conf:
# TLS is already enabled:
ldapTLS="1"
cafile="/etc/ssl/certs/YaST-CA.pem"
clientcert="/etc/ssl/servercerts/servercert.pem"
clientkey="/etc/ssl/servercerts/serverkey.pem"
suffix="dc=vitana"
# dn, computers, users, groups definitions:
usersdn="ou=People,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Group,${suffix}"
idmapdn="ou=Idmap,${suffix}"
# UID/GID counter definition:
sambaUnixIdPooldn="sambaDomainName=VITANA,${suffix}"
# encryption:
hash_encrypt="SSHA"
# option to strengthen the password hash with a salt:
crypt_salt_format="%s"
# Template settings:
userSmbHome=""."" 
userProfile=""."" 
userHomeDrive="''"
userScript=""

The current administrator password for the primary and secondary servers is stored in smbldap_bind.conf. It has to be set twice, in plain text, because the primary and secondary servers are the same server. Keep this file readable by root only.
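Both /etc/ldap.secret (step 4) and smbldap_bind.conf (this step) hold the LDAP administrator password in plain text, and step 6 copies the server's private key into /etc/smbldap-tools; any of these files being readable by a non-root user gives away the whole directory. The following POSIX shell script is an added example, not part of the original post or of the smbldap-tools package: it checks that each such file exists, is owned by the expected account and has mode 0600 (or 0400). The file list at the bottom is an assumption taken from the paths used in this guide, and GNU/busybox `stat -c` is assumed.

```shell
#!/bin/sh
# check_secret_file FILE [OWNER]
# Returns 0 when FILE exists, is a regular file, is owned by OWNER (default root)
# and is not readable or writable by group/other (mode 0600 or 0400).
# Prints one diagnostic per problem to stderr and returns 1 otherwise.
check_secret_file() {
    file=$1
    owner=${2:-root}
    if [ ! -f "$file" ]; then
        echo "$file: missing" >&2
        return 1
    fi
    # stat -c is GNU/busybox syntax (assumption: Linux host, as in this guide)
    mode=$(stat -c '%a' "$file")
    fowner=$(stat -c '%U' "$file")
    rc=0
    case "$mode" in
        600|400) ;;
        *) echo "$file: mode $mode, expected 600 (password/key must not be group or world readable)" >&2
           rc=1 ;;
    esac
    if [ "$fowner" != "$owner" ]; then
        echo "$file: owned by $fowner, expected $owner" >&2
        rc=1
    fi
    return $rc
}

# Files from this guide that hold the LDAP admin password or the server's
# private key (assumed paths; adjust to your layout).
SECRET_FILES="/etc/ldap.secret
/etc/smbldap-tools/smbldap_bind.conf
/etc/smbldap-tools/serverkey.pem
/etc/ssl/servercerts/serverkey.pem
/etc/ssl/ldap/serverkey.pem"

# Usage: sh check-secrets.sh --system   (checks the files listed above, root-owned)
#        sh check-secrets.sh FILE...    (checks the given files, root-owned)
if [ "$1" = "--system" ]; then
    status=0
    for f in $SECRET_FILES; do
        check_secret_file "$f" root || status=1
    done
    exit $status
elif [ $# -gt 0 ]; then
    status=0
    for f in "$@"; do
        check_secret_file "$f" root || status=1
    done
    exit $status
fi
```

Run it as root after steps 4, 6 and 7; a non-zero exit means at least one secret is exposed, and the message names the file and whether the mode or the owner is wrong.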

Using YaST, create the domain POSIX groups with the correct GIDs: ntadmins gid=512, machines gid=515, ntguests gid=514, ntusers gid=513.

Notice: the POSIX groups nt* and machines will be mapped to the LDAP domain objects.

7. Populating the OpenLDAP directory.
Run the command from the smbldap-tools package:
#smbldap-populate

It prints the list of created objects and asks you to set a new password for the domain administrator (its DN: cn=root,ou=People,... and so on).

Notice: if something does not work, check the TLS settings first.

Check the group mapping to make sure it was created automatically:
#net groupmap list
Domain Admins (S-1-5-21-. . .111-512) -> ntadmins
and so on
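The mapping above is what makes the well-known domain RIDs (512 Domain Admins, 513 Domain Users, 514 Domain Guests, 515 Domain Computers) land on the POSIX groups created in step 6, and every SID in it must belong to the SID that "net getlocalsid" returned. The following POSIX shell functions are an added example, not from the original post: check_groupmap reads "net groupmap list" output on stdin and reports any entry whose SID is not in the given domain or whose well-known RID is mapped to the wrong group. The sample output and the domain SID embedded below are constructed for the example; the group names are the ones this guide uses.

```shell
#!/bin/sh
# Constructed sample of "net groupmap list" output (not captured from a real
# server); the domain SID is a made-up placeholder.
SAMPLE_DOMAIN_SID='S-1-5-21-1111111111-2222222222-3333333333'
SAMPLE_GROUPMAP="Domain Admins (${SAMPLE_DOMAIN_SID}-512) -> ntadmins
Domain Users (${SAMPLE_DOMAIN_SID}-513) -> ntusers
Domain Guests (${SAMPLE_DOMAIN_SID}-514) -> ntguests
Domain Computers (${SAMPLE_DOMAIN_SID}-515) -> machines"

# expected_unix_group RID
# Prints the POSIX group this guide creates for a well-known RID; returns 1
# for RIDs that have no fixed mapping (ordinary users and groups).
expected_unix_group() {
    case "$1" in
        512) echo ntadmins ;;
        513) echo ntusers ;;
        514) echo ntguests ;;
        515) echo machines ;;
        *) return 1 ;;
    esac
}

# check_groupmap DOMAIN_SID  < groupmap-output
# Returns 0 when every line's SID lies in DOMAIN_SID and every well-known RID
# maps to the expected group; otherwise prints each problem and returns 1.
check_groupmap() {
    domsid=$1
    status=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # "Name (SID) -> group": pull the SID out of the parentheses and the
        # group after the arrow
        sid=$(printf '%s' "$line" | sed -n 's/.*(\(S-[-0-9]*\)).*/\1/p')
        group=$(printf '%s' "$line" | sed -n 's/.*-> *\([^ ]*\).*/\1/p')
        rid=${sid##*-}
        prefix=${sid%-*}
        if [ "$prefix" != "$domsid" ]; then
            echo "SID outside the local domain: $line" >&2
            status=1
            continue
        fi
        want=$(expected_unix_group "$rid") || continue   # not a well-known RID
        if [ "$group" != "$want" ]; then
            echo "RID $rid maps to $group, expected $want" >&2
            status=1
        fi
    done
    return $status
}

# Usage: sh check-groupmap.sh "$(net getlocalsid | sed 's/.*: //')"
# (assumed invocation: the argument is the domain SID, the mapping is read
# from the live server)
if [ $# -eq 1 ]; then
    net groupmap list | check_groupmap "$1"
fi
```

A foreign SID in the mapping (one whose prefix is not the local domain SID) usually means smbldap.conf still carries the SID of an earlier installation, which is exactly what the "domain SID should be the same as net getlocalsid" check in step 6 is about.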

Grant the Domain Admins group the required privileges:
#net rpc rights grant "Domain Admins" SeMachineAccountPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege -Uroot

Create the POSIX machine account of the PDC itself; the user name ends with a $ sign:
#useradd -G machines -d /home/vitanaserver -s /bin/false vitanaserver$

Join the PDC to the domain:
#net join

It asks for the administrator password.

Configure the PAM modules with two pam-config commands:
#pam-config -a --unix2
#pam-config -a --ldap

Then enable pamsmbd in YaST "System" - "Service management". Restart ldap and smbd and check them:
#getent passwd

It returns the list of users; the LDAP users must appear in it.

8. Living with Samba.
The Samba PDC is ready. Create an admin Samba user and add him to the "Domain Admins" (ntadmins) group, so that root is not needed to add new network users.

To move the host test_host from a Windows domain to the Samba domain:

  • remove test_host from the Windows domain into a workgroup

  • join test_host to the Samba domain

  • create the user test_user in the Samba domain

  • export the test_user profile from test_host to the Samba domain

  • close all network connections to the Samba PDC (for example: log off and log in again in Windows)

  • import the user test_user into test_host from the PDC (the same as with a Windows PDC)

  • log off as admin

  • log in as test_user to the Samba domain

    Create the POSIX user for the host, then join it to the domain using root (the same as in a Windows domain). Joining a host to the PDC can create the POSIX user automatically; this depends on the "add machine script" and "add user script" settings in the Samba configuration. The Samba account information has to be populated when the users are created.

    To add the host test_host to the domain:

  • add the Windows host to the Samba PDC exactly as you would to a Windows PDC; Samba creates the required POSIX users automatically
    (if the host name is not test_host, rename it while in the workgroup, restart the host, then add it to the domain).

  • if it could not be added automatically, add it by hand and then repeat the join:
    #smbldap-useradd -a -g 'Domain Computers' -d /dev/null -s /bin/false test_host$

    To add a new domain user test_user:
    #smbldap-useradd -a -m -g 'Domain Users' -s /bin/false test_user
    #smbldap-passwd -s test_user
    #useradd -G ntusers test_user
    #chown test_user:ntusers /home/test_user
    (Note that we created the POSIX user test_user without shell access (shell /bin/false) and without any password.)

    Export the user profile test_user to the domain controller:

  • Log in to the local host as the local administrator (not as test_user)

  • In the context menu My Computer -> Properties -> Advanced -> User Profiles, click the Settings button

  • Select the test_user profile and click Copy To

  • In the field "Permitted to use", click the Change button

  • In the field "Enter the object name to select", enter DOMAIN USER and click OK

  • Click the Locations... button -> select the Samba PDC, OK

  • "Advanced" -> Find

  • Enter the PDC root login/password to get access to the domain user list, select test_user there, click OK and then OK again

  • In the "Copy To" window, click Browse -> connect to the PDC as test_user

  • Select the folder /test_user on the PDC (because in the Samba config we defined the profile "path = %H")
    (the result is the path \\PDC\test_user),

  • In that field add test_user to the defined "PDC_netbios_namepublichomeProfiles" (the result is the path \\PDC\test_user\test_user),

  • The user profile has been copied to the PDC

  • Done!

    Windows 7 joining:
    For some reason unclear to me, a Windows 7 host requires a corresponding Unix user, whereas Windows XP does not. If your Windows 7 host name is test_host, create the Unix user test_host$ first:
    #useradd -s /bin/false test_host$
    I made the following changes to join and log in from my Windows 7 host:

  • 1 - I had to upgrade my Samba server to version 3.5.2

  • 2 - I made these changes in the registry:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
    "DomainCompatibilityMode"=dword:00000001
    "DNSNameResolutionRequired"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
    "Update"="no"
    "DisablePasswordChange"=dword:00000000
    "MaximumPasswordAge"=dword:0000001e
    "RequireSignOrSeal"=dword:00000001
    "RequireStrongKey"=dword:00000001
    "SealSecureChannel"=dword:00000001
    "SignSecureChannel"=dword:00000001

  • If it still does not work:
    3 - Check/change the network adapter configuration:
    3.a - The WINS server should be the Samba server address.
    3.b - I set the Samba server as the alternative DNS server, because the Samba and DNS servers are different machines in my network.
    3.c - Configure the primary DNS suffix with the same Samba server address.

  • Looking for "something"
    To find the host "universal" in the PDC you can use one of the following tools:

  • the LDAP search tool, which searches by a given criterion (a user account, unlike a machine account, has no trailing "$"):
    #ldapsearch -LLL "(|(displayName=universal$)(cn=universal$))" -D 'cn=Administrator,dc=vitana' -x -W
    "(|(displayName=universal$)(cn=universal$))" is the search criterion

  • the Samba administration tool: #net rpc user

  • the smbldap Perl tool: #smbldap-usershow universal$
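The ldapsearch filter above embeds the host name directly. If the name comes from a script argument or a web form, the characters `*`, `(`, `)` and `\` change the meaning of the filter (a name of `*` alone would match every entry), so it has to be escaped as RFC 4515 requires before being spliced in. The following POSIX shell functions are an added example, not from the original post: ldap_filter_escape applies the RFC 4515 escaping and host_search_filter builds the same displayName/cn filter as above from an untrusted host name. The ldapsearch invocation at the bottom is an assumed usage that additionally forces StartTLS with -ZZ so the bind password is never sent in clear; the bind DN cn=Administrator,dc=vitana is the one used in this guide.

```shell
#!/bin/sh
# ldap_filter_escape STRING
# Escapes the characters that are special inside an LDAP search filter
# (RFC 4515): backslash, asterisk and both parentheses become \5c, \2a, \28, \29.
# The backslash is replaced first so the escapes it produces are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# host_search_filter HOSTNAME
# Builds the filter used in this guide, "(|(displayName=HOST$)(cn=HOST$))",
# for the machine account HOST$ from a possibly untrusted host name.
host_search_filter() {
    name=$(ldap_filter_escape "$1")
    printf '(|(displayName=%s$)(cn=%s$))' "$name" "$name"
}

# Usage: sh find-host.sh HOSTNAME
# Assumed invocation (not from the original post): bind as the directory
# administrator over StartTLS; -ZZ makes ldapsearch fail instead of falling
# back to a clear-text connection.
if [ $# -eq 1 ]; then
    ldapsearch -LLL -x -ZZ -D 'cn=Administrator,dc=vitana' -W \
        "$(host_search_filter "$1")"
fi
```

With the escaping in place a host name of `*` produces the filter `(|(displayName=\2a$)(cn=\2a$))`, which matches only an entry literally named `*$`, instead of enumerating every account in ou=Computers and ou=People.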