Monday, 28 May 2012

Samba PDC on Ubuntu 12.04 Using LDAP Backend - Part Two

Last time we added the Samba schema to our LDAP server, so the LDAP server is ready and waiting for the Samba data. Today is the day of the PDC itself.
(This article is also available in Hungarian.)
We set the debconf priority to low so that the installer asks all of its questions:
sudo dpkg-reconfigure debconf
Installing the Samba package:
sudo apt-get install samba
During the installation we answer the questions (translated from Hungarian, so the original questions on your system may have different wording):
  • Workgroup/Domain Name: ITTHON2012
  • Use password encryption? Yes
  • Do you alter smb.conf so the WINS settings will be obtained from DHCP? No
  • How to start Samba? daemons
  • Create samba password database (/var/lib/samba/passdb.tdb)? Yes
We see something like this in the last lines of the setup:
Importing account for nobody...ok
Importing account for a...ok
Importing account for localuser...ok
Importing account for jdoe...ok
If you do not want the local users in Samba, issue the following command:
sudo smbpasswd -x localuser

Next job is to edit the file /etc/samba/smb.conf (the bracketed section headers are part of the file; the two share names are the ones the smbclient listing below shows):
[global]
   workgroup = ITTHON2012
   server string = %h PDC
   dns proxy = no

   log level = 2
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

   security = user
   encrypt passwords = true

   passdb backend = ldapsam:ldap://localhost
   ldap suffix = dc=itthon,dc=cucc
   ldap admin dn = cn=admin,dc=itthon,dc=cucc
   ldap machine suffix = ou=Computers
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap idmap suffix = ou=Idmap
   ldap ssl = no

   ldap passwd sync = yes

   domain logons = yes

   add machine script = /usr/sbin/smbldap-useradd -w '%u'
   add user script = /usr/sbin/smbldap-useradd -m '%u'

[netlogon]
   comment = Network Logon Service
   path = /export/samba/netlogon
   guest ok = yes
   read only = yes

[share]
   comment = share
   read only = no
   locking = no
   path = /tmp
   guest ok = yes

Of course I will not claim that we have finished editing this file. For example, domain logons = yes implies roaming profiles, and we have not defined the shares that store the profiles. No home shares either. Printing is not mentioned. But for now it is okay. In my experience these are far smaller problems than the two we are about to solve:
  • the first is to be able to add Windows workstations to the Samba domain,
  • the second is to enable user password changes from Windows.
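As an added check (not part of the original post), a small Python audit of an smb.conf like the one above: it parses the file, confirms the settings an ldapsam PDC needs, and flags the two things a reviewer would raise here, ldap ssl = no against a remote LDAP URL, and a share that is writable by anonymous guests, as [share] on /tmp is. PAGE_CONF is reduced from the configuration above; the checks and messages are my own.

```python
"""Audit a Samba 3 smb.conf for an ldapsam PDC: required settings present, risky ones flagged."""
import configparser
from urllib.parse import urlparse
# Reduced from the page's configuration to the lines the checks look at.
PAGE_CONF = """\
[global]
   workgroup = ITTHON2012
   passdb backend = ldapsam:ldap://localhost
   ldap suffix = dc=itthon,dc=cucc
   ldap admin dn = cn=admin,dc=itthon,dc=cucc
   ldap ssl = no
   domain logons = yes
   add machine script = /usr/sbin/smbldap-useradd -w '%u'
[netlogon]
   comment = Network Logon Service
   path = /export/samba/netlogon
   guest ok = yes
   read only = yes
[share]
   comment = share
   read only = no
   path = /tmp
   guest ok = yes
"""
# Settings an ldapsam PDC cannot work without (joining workstations needs add machine script).
REQUIRED_GLOBAL = ("workgroup", "passdb backend", "ldap suffix", "ldap admin dn",
                   "domain logons", "add machine script")
LOCAL_HOSTS = {None, "localhost", "127.0.0.1", "::1"}   # an LDAP URL without a host means localhost

def yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def parse_smb_conf(text):
    # smb.conf is INI-like; '%' is a Samba macro (so no interpolation) and indentation is meaningless.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp

def audit_smb_conf(text):
    cp, findings = parse_smb_conf(text), []
    if not cp.has_section("global"):
        return [("error", "no [global] section")]
    g = cp["global"]
    for key in REQUIRED_GLOBAL:
        if key not in g:
            findings.append(("error", f"[global] lacks '{key}'"))
    backend = g.get("passdb backend", "")
    if not backend.startswith("ldapsam:"):
        findings.append(("error", f"passdb backend is '{backend}', expected ldapsam:<url>"))
    else:
        url = urlparse(backend.split(":", 1)[1])
        plain = g.get("ldap ssl", "no").strip().lower() in ("no", "off")
        if url.scheme == "ldap" and plain and url.hostname not in LOCAL_HOSTS:
            findings.append(("warning", f"ldap ssl = no with remote {backend}: the admin DN bind "
                                        "and the password hashes cross the network in clear text"))
    for name in cp.sections():
        if name == "global":
            continue
        s = cp[name]   # share-level options fall back to [global] defaults, as in Samba
        guest = yes(s.get("guest ok", g.get("guest ok", "no")))
        writable = not yes(s.get("read only", "yes")) or yes(s.get("writeable", s.get("writable", "no")))
        if guest and writable:
            findings.append(("warning", f"[{name}] is writable by anonymous guests (path {s.get('path', '?')})"))
    return findings
```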
The next command tests the smb.conf file for errors:
sudo testparm
The output begins with a line like the following; do not be concerned about it:
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
We create the folders mentioned in the config file:
sudo mkdir -p /export/samba/netlogon
Restarting Samba:
sudo service smbd restart
sudo service nmbd restart
In the file /var/log/samba/log.smbd more and more lines appear with the message Connection to LDAP server failed for the 4 try! So we stop the servers for now:
sudo service smbd stop
sudo service nmbd stop
All right, we have not told Samba the password it needs to connect to the LDAP server. So we tell it the secret now:
sudo smbpasswd -W
Setting stored password for "cn=admin,dc=itthon,dc=cucc" in secrets.tdb
As you can see, Samba asks for the password of the user specified in smb.conf (the ldap admin dn). You can also see that it is stored in the default Samba3 location, secrets.tdb. We continue with the show:
sudo service smbd start
sudo service nmbd start
After the servers are started, we install a utility:
sudo apt-get install smbclient
We issue the first command below, and at the password prompt we press Enter without specifying a password. If everything is okay, the output looks like this:
smbclient -L localhost
Enter a's password: 
Anonymous login successful
Domain=[ITTHON2012] OS=[Unix] Server=[Samba 3.6.3]

    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk      Network Logon Service
    share           Disk      share
    IPC$            IPC       IPC Service (UBUSERVER)
Anonymous login successful
Domain=[ITTHON2012] OS=[Unix] Server=[Samba 3.6.3]

    Server               Comment
    ---------            -------
    UBUSERVER            ubuserver PDC

    Workgroup            Master
    ---------            -------
    ITTHON2012           UBUSERVER

You may have to wait a bit before the Master appears: if you have just started Samba, it may not have won the master browser election yet.
At this point the following command has to run without errors. If you get an error message, solve the problem before continuing:
sudo net getlocalsid

So the Samba server is operational but the LDAP directory is far too empty to be used.

We begin by doing everything mentioned in the part called "Switch to the client computer" in this article, but on our server. For the URI you can use ldapi:/// provided your LDAP server and Samba PDC run on the same machine. The aim is to have the commands getent passwd and getent group show the users and groups stored in the LDAP directory. When you are ready, come back and read on.

Of the next three commands, the first installs the package smbldap-tools. We use it for two purposes:
  • to populate the LDAP directory with the entries needed by the Samba server,
  • in smb.conf the options add machine script and add user script point to a command found in this package.
The second command copies the file describing the connection between Samba and LDAP to the right place. The third command prevents the rest of the world from reading this file.

sudo apt-get install smbldap-tools
sudo cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/smbldap_bind.conf
sudo chmod 600 /etc/smbldap-tools/smbldap_bind.conf
Let us see what to write in the file /etc/smbldap-tools/smbldap_bind.conf :
After this we put another file in its place; in this one we store the not-so-secret settings of smbldap-tools. (There used to be a file called configure.pl to create this file, and many HOWTOs mention it. It seems it is not included in Precise Pangolin, and to be honest I am happy with that: the config file is well documented and should be enough.):
sudo sh -c "zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf"
You can make your smbldap.conf like this, except for the SID line, where you put the output of sudo net getlocalsid. (And I left the cafile/clientcert/clientkey lines in place although neither TLS nor SSL is set up.)
# If set to "exop", use LDAPv3 Password Modify (RFC 3062) extended operation.
userGecos="System User"
When ready with this file you might want to issue the command sudo smbldap-populate. This command populates the LDAP directory with the entries needed for Samba 3. Do not issue it in that form, as the first user would get UID 1000, which is already in use: there is a good chance you are logged on with that very UID (see man id). So you'd better run:
sudo smbldap-populate -u 5000 -g 5000
In the terminal you will see lines like this: Use of qw(...) as parentheses is deprecated at /usr/share/perl5/smbldap_tools.pm line 1423, <DATA> line 522. Ignore the message for now; we will deal with it later. Sooner or later you will see:
Please provide a password for the domain root:
Use of qw(...) as parentheses is deprecated at /usr/share/perl5/smbldap_tools.pm line 1423, <DATA> line 522.
Changing UNIX and samba passwords for root
New password:
You can type in for example the LDAP admin password (secret). smbldap-tools adds root to the Samba users list with the rights of a Domain Demigod. It is a pity we will never use it :)

Now for the case of qw. Find the line in question in the file mentioned above and replace
for my $sig_name qw(ALRM INT HUP QUIT TERM TSTP TTIN TTOU) {
with this (the outer parentheses are new):
for my $sig_name (qw(ALRM INT HUP QUIT TERM TSTP TTIN TTOU)) {
We add our first samba user (suser1):
sudo smbldap-useradd -a -m -P suser1
And we get a slap in the face:
Failed to execute: /usr/sbin/smbldap-passwd.cmd: No such file or directory at /usr/sbin/smbldap-useradd line 668.
So let's remove suser1 :
sudo smbldap-userdel suser1
sudo rm -r /home/suser1/
Let us remove the trouble too:
sudo ln -s /usr/sbin/smbldap-passwd /usr/sbin/smbldap-passwd.cmd
And finally we create suser1 once again:
sudo smbldap-useradd -a -m -P suser1

Let us log on first to a client running Linux. If you get a password aged message, you want to read this. If you can log on with no errors, we can turn suser1 into a Samba Domain Admin. (Yes, I do know the next line makes suser1 an 'Administrator', but that is okay.)
sudo smbldap-groupmod -m 'suser1' 'Administrators'
If you log on to a Windows system (I like to try things first on XP, but Windows 7 will do as well after some changes) then:
  • suser1 can add the Windows machine to the domain ITTHON2012,
  • after that we can log on to the domain (of course there will be complaints about the missing central profile, but we ignore that for now),
  • and we can change our password.
There is still some work to do. First we have to take care of indexing the LDAP attributes needed by Samba. The other task is a bit more difficult:
  • if we change the Samba password in Windows, the change is propagated to Linux, since in smb.conf we set ldap passwd sync = yes; because of this the Samba server updates not only the sambaNTPassword attribute in the LDAP database but also the Linux (Unix) password stored in the attribute userPassword.
  • but if we change our password on a Linux client, for example with the command passwd, the change is not propagated to Samba: only userPassword is updated and sambaNTPassword is not.
We are going to fix that.
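An added audit script (not from the original post) for the account issues this part of the guide raises: it reads an LDIF export of ou=People and reports uidNumbers below the floor given to smbldap-populate, Unix-only accounts without a sambaNTPassword, accounts whose sambaAcctFlags say no password is required, and the out-of-sync case described above. The sample LDIF is constructed, and the sync check is a heuristic that assumes passwd via PAM updates shadowLastChange while Samba updates sambaPwdLastSet.

```python
"""Audit an LDIF export of ou=People for the Samba/Unix account problems discussed above."""
# Constructed sample (not real data): a healthy user, a local-range Unix-only user, and a stale one.
PEOPLE_LDIF = """\
dn: uid=suser1,ou=People,dc=itthon,dc=cucc
objectClass: posixAccount
objectClass: sambaSamAccount
uid: suser1
uidNumber: 5000
userPassword: {SSHA}constructed-placeholder
sambaNTPassword: 00000000000000000000000000000000
sambaAcctFlags: [U          ]
sambaPwdLastSet: 1338163200
shadowLastChange: 15488

dn: uid=localdup,ou=People,dc=itthon,dc=cucc
objectClass: posixAccount
uid: localdup
uidNumber: 1000
userPassword: {SSHA}constructed-placeholder

dn: uid=stale,ou=People,dc=itthon,dc=cucc
objectClass: posixAccount
objectClass: sambaSamAccount
uid: stale
uidNumber: 5001
userPassword: {SSHA}constructed-placeholder
sambaNTPassword: 00000000000000000000000000000000
sambaAcctFlags: [UN         ]
sambaPwdLastSet: 1338163200
shadowLastChange: 15500
"""

def parse_ldif(text):
    """Minimal LDIF reader: a blank line ends an entry, a leading space folds a line, no base64 values."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if not raw.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif raw.startswith(" ") and last:
            cur[last][-1] += raw[1:]          # continuation of the previous value
        elif ":" in raw:
            last, val = raw.split(":", 1)
            cur.setdefault(last, []).append(val.strip())
    return entries

def audit_people(text, uid_floor=5000):
    # uid_floor is the -u value given to smbldap-populate; lower uidNumbers may clash with local users.
    findings = []
    for e in parse_ldif(text):
        if "uidNumber" not in e:
            continue
        uid, uidn = e.get("uid", ["?"])[0], int(e["uidNumber"][0])
        if uidn < uid_floor:
            findings.append((uid, f"uidNumber {uidn} is below {uid_floor}: may collide with a local account"))
        if "userPassword" in e and "sambaNTPassword" not in e:
            findings.append((uid, "Unix password but no sambaNTPassword: cannot log on via Samba"))
        flags = e.get("sambaAcctFlags", [""])[0]
        if "N" in flags:
            findings.append((uid, f"sambaAcctFlags {flags}: no password required"))
        if "sambaPwdLastSet" in e and "shadowLastChange" in e:
            # Heuristic: passwd via PAM bumps shadowLastChange (days), Samba bumps sambaPwdLastSet (seconds).
            samba_day, unix_day = int(e["sambaPwdLastSet"][0]) // 86400, int(e["shadowLastChange"][0])
            if unix_day > samba_day:
                findings.append((uid, f"Unix password set on day {unix_day}, Samba's on day {samba_day}: NT hash likely stale"))
    return findings
```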

Further reading:
zless /usr/share/doc/smbldap-tools/README.Debian.gz

26 comments:

Kevin Andrews wrote...

Please check spelling on :

sudo smbldap-groupmod -m 'suser1' 'Adminstrators'
/usr/sbin/smbldap-groupmod: group Adminstrators doesn't exist


sudo smbldap-groupmod -m 'suser1' 'Administrators'

Other than that, GREAT GUIDES! :-D

raerek wrote...

Thanks, corrected

insulae wrote...

When I do:

sudo smbldap-useradd -a -m -P suser1

I have the error:
Failed to find sambaUnixIdPool to get next uidNumber at /usr/share/perl5/smbldap_tools.pm line 1202.

what is wrong?

raerek wrote...

I can only guess. Samba finds next ID from this 'pool', and Samba finds this pool using the 'ldap idmap suffix = ou=Idmap' setting in the smb.conf file. Question: does this place exist in your LDAP tree? Can the user specified in 'ldap admin dn' read it?

insulae wrote...

raerek, I think my problem is here:

sudo smbldap-populate -u 5000 -g 5000

Populating LDAP directory for domain MSyDS (S-1-5-21-910831201-2985957224-1303129165)
(using builtin directory structure)

entry dc=MSyDS already exist.
entry ou=People,dc=MSyDS already exist.
entry ou=Groups,dc=MSyDS already exist.
adding new entry: ou=Computers,dc=MSyDS
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 500.
adding new entry: ou=Idmap,dc=MSyDS
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 500.

failed to search entry: invalid DN at /usr/sbin/smbldap-populate line 480.

Can you help me?

raerek wrote...

I think you should increase the log level (like in this post: http://raerek.blogspot.hu/2012/05/openldap-user-auth-in-ubuntu-1204.html) and read the syslog carefully.

insulae wrote...

Ok, my problem was:

Let us see what to write in the file /etc/smbldap-tools/smbldap_bind.conf :

hehehe, I forgot to change the key

sorry for the inconvenience, your tutorial is excellent!


raerek wrote...

thank you

SL wrote...

Great guides! Thanks for putting them up!

Any idea why in log.winbindd-idmap there are entries like this...

[2012/11/16 14:58:47.138170, 1] winbindd/idmap.c:201(idmap_init_domain)
idmap range not specified for domain *
[2012/11/16 14:58:47.139370, 1] winbindd/idmap.c:201(idmap_init_domain)
idmap range not specified for domain *
[2012/11/16 14:58:47.139419, 1] winbindd/idmap.c:201(idmap_init_domain)
idmap range not specified for domain *
[2012/11/16 14:58:47.139469, 1] winbindd/idmap.c:201(idmap_init_domain)
idmap range not specified for domain *
[2012/11/16 15:12:43.105035, 1] winbindd/idmap.c:201(idmap_init_domain)
idmap range not specified for domain *
[2012/11/16 15:12:43.106213, 1] winbindd/idmap.c:201(idmap_init_domain)
idmap range not specified for domain *
[2012/11/16 15:12:43.107596, 1] winbindd/idmap.c:201(idmap_init_domain)
idmap range not specified for domain *
[2012/11/16 15:12:43.107645, 1] winbindd/idmap.c:201(idmap_init_domain)
idmap range not specified for domain *
[2012/11/16 15:12:43.107684, 1] winbindd/idmap.c:201(idmap_init_domain)
idmap range not specified for domain *
[2012/11/16 15:12:43.107721, 1] winbindd/idmap.c:201(idmap_init_domain)
idmap range not specified for domain *
[2012/11/16 15:13:36.201824, 1] winbindd/idmap.c:201(idmap_init_domain)
idmap range not specified for domain *
[2012/11/16 15:13:36.203029, 1] winbindd/idmap.c:201(idmap_init_domain)
idmap range not specified for domain *
[2012/11/16 15:13:36.203078, 1] winbindd/idmap.c:201(idmap_init_domain)
idmap range not specified for domain *
[2012/11/16 15:13:36.203117, 1] winbindd/idmap.c:201(idmap_init_domain)
idmap range not specified for domain *

Can they be ignored?

raerek wrote...

Thanks. And no, I don't think that you should ignore that - check the idmap part of the LDAP tree, maybe there is something wrong with that.

Juan Cruz wrote...

Hi from Argentina! Many thanks for this guide, It helps me a lot!

Now I have a problem adding a Windows 7 machine, I get an "... Access denied" error. In some places it says I have to add the machine manually. Do I? The user I'm using is added to the Administrators group.
Thanks again!

raerek wrote...

Hi there!
No, you don't. That was years ago; in the past 9 years I have never done so.
I'd check two things: a) http://wiki.samba.org/index.php/Windows7
and b) Maybe you have a problem with your ACL (check my articles about that), meaning that the user you are adding the machine to the domain with has no permission to write everything into the LDAP database. Try and add the machine with the root user, who under normal circumstances corresponds to the main LDAP admin in the LDAP tree. And if you have not set things up another way, this user will have access to every part of the LDAP tree.

To investigate further you should raise the loglevel (you will find articles about that here too) and watch the log:)

Good luck!

Juan Cruz wrote...

Hi! Many thanks for your answer.
The problem was that, in /etc/smbldap-tools/smbldap.conf, I left the "usersdn" parameter with the default value (ou=Users) instead of changing it to ou=People.

Bekes Ádám Hemues wrote...

Hi!

Congratulations, the article is very good!
I have one problem: I did everything as you described, everything seems fine, but I still cannot log in to Samba with any user, unfortunately.

I can change the password of the test2 user (for example, I cannot log in with that one either). But when Samba asks for it, it no longer lets me in.

The relevant part from the syslog:

slapd[5783]: conn=1052 op=17 SEARCH RESULT tag=101 err=0 nentries=0 text=

Thanks in advance for the help, if you can say anything about it.

raerek wrote...

Hi there! Try raising the LDAP log level (http://raerek.blogspot.hu/2012/05/felhasznalok-hitelesitese-openldap-pal.html), even above the stats level. We would need to know exactly what Samba is looking for in LDAP, because at first glance it looks like it searches but does not find anything.

Bekes Ádám Hemues wrote...

Hi!

Thanks for the help; how can I increase the size?

Should I paste the logs here (just because they might be large), or could we perhaps communicate a bit in private?

I have read your blog, I can only CONGRATULATE you on it! :-)

Another thing that caught my imagination, by the way, is pureftp from the LDAP database in such a way that ftphomedir can come from elsewhere too, not necessarily from the "homedir" variable. (I already have this working.)
The other one is squid. Unfortunately that only works at the "basic" level for me. It simply authenticates against the LDAP database. Could you perhaps help (of course only if you feel up to the challenge) with modifying squid-ldap-auth, maybe with parameters, so that it only searches among those users who have, for example, a squid: enabled attribute? Or who are members of a squid group, or perhaps both?

What I have planned: hooking up freeradius+ldap as well :-)

raerek wrote...

To set the log level, look at the URL in my previous reply; it is discussed there.
With SQUID you will need Kerberos because of SSO, but I got stuck with that in September: in the virtual lab there was no problem, but on the physical one, due to a then-known Firefox bug, the fallback password prompt came up again and again, so I have not experimented with it since.

Bekes Ádám Hemues wrote...

Samba: the problems were with the SAMBASid; I have fixed it now and it works fine.

Under Linux....in case you have already run into it...page counting / quotas. I looked into it and pykota is the "more sensible" one? But that does not want to work under 12.04 at all.

Any idea, anything for printing quotas?

I tried to look into it: if I create a socket and a script under /lic/cups/backend/sajat (my own name), then chaining through that I could do it. Experience: printing is much slower, it always waits about 1-2 minutes and only then starts printing. Before that I check the page count and afterwards the page count at the printer via SNMP, and increase it in LDAP by that amount. Currently this is my approach, but I would welcome any ideas (pykota's biggest flaw is that since abiword 2.8 its page counting does not work for word / excel = office), unfortunately.

raerek wrote...

This is what I usually run - it does not enforce a quota, but afterwards you know who printed how much...

If you gain some experience with it, I am interested.

Bekes Ádám Hemues wrote...

Thanks, I will try it :-)
I will write about my experiences soon.

Bekes Ádám Hemues wrote...

Even though I set MaxLogSize 0 in cupsd.conf, it always compresses /var/log/cups/page_log into gz. How did you work around that?
Or how do you do the weekly / monthly summary of who printed how much?

In theory I wrote a "new" backend for cups so that the page count query (any script) runs through it, and with this it is also possible to have quotas and to check whether someone is allowed to print at all. So not everyone everywhere and not any amount.

What to do in this case:
/usr/lib/cups/backend/mysocket -->

#! /bin/bash
# Have debug info in /var/log/cups/error_log:
/etc/scripts/hp-printer-lapszam > /var/log/cups/elotte.txt
set -x
# The printer address is missing from the posted script; PRINTER_HOST is a placeholder to fill in:
PRINTER_HOST="${PRINTER_HOST:?set the printer address}"
# Output "device discovery" information on stdout:
if test "$#" = "0"
then echo 'network mysocket:// "Unknown" ""'
     exit 0
fi
# Set INPUTFILE to where the input comes from (CUPS passes the job on stdin when there is no 6th argument):
if test -n "$6"
then INPUTFILE="$6"
else INPUTFILE="-"
fi
# 5 retries with 60 seconds delay to access the remote port:
for I in first second third fourth last
do if netcat -z "$PRINTER_HOST" 9100
   then break
   fi
   echo "INFO: busy - $I of 5 retries" 1>&2
   sleep 60
done
sleep 1
if netcat -z "$PRINTER_HOST" 9100
then echo "INFO: sending data to $PRINTER_HOST:9100" 1>&2
     sleep 1
else echo "ERROR: failed to access $PRINTER_HOST:9100" 1>&2
     exit 1
fi
# Send the data to the remote port:
if cat "$INPUTFILE" | netcat -w 1 "$PRINTER_HOST" 9100
then echo 'INFO:' 1>&2
     # page count query afterwards
     sleep 2
     /etc/scripts/hp-printer-lapszam > /var/log/cups/utana.txt
     exit 0
else echo "ERROR: failed to send data to $PRINTER_HOST:9100" 1>&2
     exit 1
fi

In theory it works perfectly fine even when I set cupsd to print to mysocket. ALMOST everything is nice, everything is good, there is only one problem: as far as I can see, in every case root is printing and not the "actual" user.
Any tips for this?

raerek wrote...

Why does the gz bother you? You pass it to the script with zcat, and you are done.
If you manage to get the backend working, I would be very interested.

Bekes Ádám Hemues wrote...

It only bothers me because anyone can print any amount :-)
Yes, thanks, I know about zcat, I just do not understand why it is created at all when it is not supposed to be allowed.
There I am almost at the finish.
squid3 with ldap auth already works (if you are interested), not just plain auth, but it checks the value of a given attribute of the user. E.g. squid= enabled: only then does it accept the password, otherwise not even if the password is correct.

Yes, I have already asked another source of mine whether they could say something about the backend. Do you have any tip / idea?
Its man page is not very verbose, unfortunately. I found a perl script, I will start from that now.

Felix wrote...

I followed your guide but I'm having issues joining a Windows XP client to the domain. When I try to add a new machine to the domain using the administrator account I get an "Access Denied" error.

It might be due to the fact that at first my domain name was too long. So I changed it in the smb.conf file.

Right now smbclient -L localhost returns the right information. But I still can't join a computer to the domain. Any idea what could be wrong with my configuration?

I'm guessing it's an access right problem but I just can't figure out where it's happening.

raerek wrote...

Raise the level of LDAP logging (see this article, http://raerek.blogspot.hu/2012/11/bind-users-for-pam-samba-and-kerberos.html, and do a search on olcLogLevel: stats acl) and look around in the logs.

Felix wrote...

I'll try that and get back to you with the results.

In the meantime... another question: any idea why, when I try to join a computer with the "root" account, I get an "Account unknown" error (as if the root account was non-existent in my LDAP directory) while it's actually there?