Integrating LDAP and Samba using openSUSE

English - June 08, 2008

User identification across windows and Unix shares

Usually you would need a user database for many purposes, one of them is to give the same user the possibility to access information that is on SMB shares as well as NFS ones. The user would be able to access identify himself either using a Linux computer or a Windows one, accessing his personal folder in a transparent way, either from Samba when using a Windows computer, of through NFS when using a Linux computer.
This document will present you with the needed steps to integrate LDAP user database with many attributes, to be used by the Samba system to provide some shares. NFS would also be possible with the same set of users and files provided by Samba.
It is assumed that you have a normal openSUSE default installation (tested with 10.3) and that you have root access.

First you have to install some basic packages. Go to YaST, and Software Management.
Under "Patterns", select the "File Server", and the services you want, that should be at least "nfskernel-server", "samba" and "vsftpd".

Now select the pattern "Directory Server (LDAP) or the packages nss_ldap, openldap2 and yast-ldap-server.


Press "Accept" and eventually some more packages will be automatically selected in order to resolve dependencies. Press "continue". All the necessary packages will be downloaded either from DVD or internet repositories if you have previsouly defined them. After installing everything, pleas close YaST Control Center.

Now you have to enable the advanced YaST interface. Open a konsole or other terminal of your choice (you could also do this editing the file under konqueror or nautilus, using a text editor):

Edit the file /etc/YaST2/ProductFeatures, and search for the line that says "ui_mode" (you could edit the file with kate or your favorite text editor):



Now change ui_mode = "simple" to "expert". Save and close the file.



Now, back to YaST Control Center, select "Security and Users" section, and open "CA management":



You will create a new root Certificate Authority. Press "Create Root CA"
Type the "Common Name", requested information, reading the help lines from the left frame.



Now you have to choose the password you want to lock the certificate. Then press next.



Now it's time to check the data entered, and generate the root certificate authority. If you feel everything is ok, press "Create".


Back to the CA management, you now have a root certificate authority in the CA Tree. Select the CA you want, and "Enter CA". You will be asked a password to open.


After entering the Certificate Authority, select the "Certificates" tab, and "Add", "Add Server Certificate".



Type the data you want for the server certificate, but make sure the "Common name" matches the fully qualified name of your server, otherwise warnings could arise. Follow the same steps you already did to create the root CA.



Again you are asked for a password to lock the certificate. Write it somewhere safe, otherwise you could regret it.



After checking all the data, just press "Create".



Now you have a brand new server certificate. Make sure you have selected the right certificate, and then press "Export", and "Export as Common Server Certificate".



If you have the certificate different than the full qualified hostname, a warning will be presented.



Now type the password that unlocks the server certificate:



After the certificate has been exported, it should give a success message.



Press OK, and leave the Certificate Authority and CA Management module.
Back to YaST Control Center, now you should select "LDAP Server" under "Network Services":



If this is going to be a server, LDAP should start every time the server boots, so "Start LDAP Server" should be changed to "Yes". Press "Configure".



Under "Global Settings" select "Schema Files". Press "add", and select the schema "samba3.schema" from the directory /etc/openldap/schema.



Under "Log Level Settings", select "Log Connections, Operations, and Result". This will give you important information, at least while you are debugging things during first phases. Other options could be selected, but they are very verbose.



The "Allow Settings" have some interesting options, but leave them as they are now. Select "TLS Settings" and change "TLS Active" to "Yes". This will encript all LDAP communication between a client and a server. If LDAP communications are just between a Samba Server and LDAP Server under the same computer, perhaps you won't need this enabled.
In order for the encription to work, you have to select a certificate to work with, that would need to be shared (the public key) between the computers that take part of the TLS communication.
Press "Select Certificate" and "Use Common Server Certificate", then press "OK".



Before finishing, you have to create an LDAP database. In "Databases", press "Add Database..."
Type the "Base DN". In this example, the distinguished name is "example.com", so base dn becomes "dc=example,dc=com". Also type the root DN as "cn=Admin" and the password for that root DN. Under "Database Directory" place a directory name like "/var/lib/ldap/example.com".



The database will now be created.



Press "Finish".



Going back to YaST Control Center, select "LDAP Client" module. This configuration will adjust this computer settings from a client perspective, in order for example "LDAP Browser" to work.
Under "User Authentication" press "Use LDAP but Disable Logins". This will happen if you just want to have a repository of the users, but they do not actually log on to the system. If the users are to log, like in LTSP server environment with LDAP server in the same computer, you would say "Use LDAP".
Under "LDAP Client" make sure the address is "localhost" or "127.0.0.1", and "Fetch DN" of the LDAP server or directly type his base DN. Check that TLS/SSL is enabled if you have enabled in the server configuration.
Now press "Advanced Configuration...".



Select "Administration Settings" tab and type "cn=Admin" under "Administrator DN". Make sure to check "Append Base DN". Configuration Base DN" should already be correct.
Check "Create Default Configuration Objects". Also check "Home Directories on This Machine".
Press "Configure User Management Settings..."



You should provide now the password to access the LDAP server with the user cn=Admin. The module will see that there is no "ldapconfig" sub-tree, so he will ask if you want to create it. Say "Yes" to create it now.



Now you need to create a "New" configuration module under the ldapconfig sub-tree you have created.



For the object "susegroupconfiguration", the name of the new module will be "groupconfiguration". Press "OK".



Press "New" again, and now you will create the object "suseuserconfiguration", with the associated value of "userconfiguration". Press "OK".



Back in the module configuration, select the suseminuniqueid for the userconfiguration module, and type a new value of 10000. Please note that there was a bug in OSS 10.3, that should be already fixed, that didn't saved this value. You will need to check here again later, and if the value is not here, write it again. This time it will be saved.



Now select the susenextuniqueid for the userconfiguration module, and type a new value of 10000.



After setting these new values, press accept to get out of the module configuration, back to the advanced configuration.
Select "Client Settings". Make sure "Group Member Attribute" is "member". Press "Accept" to get back to "LDAP Client Configuration".



I am not sure if you need the option "Create Home Directory on Login" if the users are not to ne logging in to this server.
Press "Finish". The LDAP Client configuration will be writen. We need to get back again to the LDAP Client in order to check that "susminuniqueid" value. From the YaST Control Center, call LDAP Client module again.



Go to the advanced configuration. Change the naming contexts. "Browse" each setting, so that users and passwords will be collected from the Organizational Unit "ou=people" and groups from the "ou=group".
Press "Administration Settings" tab. Press "Configure User Management Settings..." and type the password for the cn=Admin root LDAP user.



Change the "Configuration Module" to "userconfiguration". Check again that suseminuniqueid is 10000. If not, change it again.






Do the same check for susenextuniqueid attribute. Value should be 10000. If not, change it back again. This time it will be written. Press "Accept" twice, and then "Finish" the LDAP Client Configuration module.



This ends the LDAP server and LDAP client configurations.
Now we are back in YaST Control Center, and select "Samba Server". Type the workgroup or domain name that Samba will be participating. Press "Next".



Depending on the type of participation that you need, select the Samba Server Type. If this samba server is to be part of an existing Windows domain, select "Not a Domain Controller". If you want Windows computers to be logging into a domain, making user authenticate against this server at login time, then select "Primary Domain Controller".



You will probaby want the Samba server to be available even through boots, so check Service Start "During Boot" under Start-Up tab.



Under "Identity" tab, you should already have the workgroup or domain name previously selected, as well as the role of the server. Normally, you will not need to change anything, except the netBIOS hostname that will be presented for this Samba server. Usually you type your hostname, up to 15 characters, in uppercase. Leaving this tab, you will be presented with a warning that says users will be tied to the SID created from the netBIOS name define here. If you change this value, another SID will be created, and users can no longer authenticate as domain members.



In the "LDAP Settings" tab, check "Use LDAP Password Back-End". A messagebox will be show, warning that all existing Samba configurations will be rewritten.



All the values will be automatically filled, and you just need to provide the password to access the LDAP server (for the cn=Admin user), and test the connection.



I am not sure that you will be asked to define a password for the Samba server administrative account. If so, please type one.



After you type "Finish", all configurations will be written, and the Samba server will be attached to the LDAP server for user identification and authentication as well as groups.



Back to YaST Control Center, we will now create our first LDAP user and group.
select "Group Management".



In the lower right corner, "Set Filter" to LDAP Users.



Open the LDAP repository with the cn=Admin password.



Notice that "Filter" in the top right corner is set to "LDAP Groups". Select "Groups" and then press the button "Add".



Under "Group Data" tab, set "Group Name" to "users" or other you want. Notice that this group ID (gid) will be 1000 as defined in the "groupconfiguration" ldap configuration module, object "suseminuniqueid".
Press "Accept"



Press "Accept". The LDAP group will be created.
Back to the "User and Group Configuration", select users, not forgetting that the Filter should still be set to LDAP Groups. Press the button "Add".
Type all the needed user information. Then go to the "Details" tab.



Notice the user ID (uid) is set to 10000 as stated in LDAP configuration modules. Just set the parameters you want, and probably make him member of the new "users" ldap group created.
You will be able to inspect Samba user parameters through the "Plug-ins" tab.



Here you will be able to "Launch" the "Manage samba account parameteres" plugin, and ghange any values that you see fit.



Of course the default values will be fine by now.



After pressing "Accept" you will be brought back to "User and Group Administration", and the user will be created when you press "Finish".



Now it's time to check that those users are really created in the LDAP repository. Open the "LDAP Browser" in the YaST Control Center (under Netowrk Services).
You will be asked the password for the user cn=Admin to open the LDAP database.



Now you can freely browse all the structures inside the LDAP repository, and check if the group and user created are there, and their values are ok.



This information is from the sambaDomainName object



This information is from the user object.



Let's do one final test, trying to access a Samba share using one LDAP user. Open Konqueror or Nautilus, and try to access a user share using the url smb://johndoe@myserver where myserver is the netBIOS name of your samba server. You should be able to see the users share, and trying to access it, will ask for the password of johndoe. Then you should be given access to the folder.
This can also be tested from a network connected Windows computer.






Just to make sure, check the samba logs, in order to see that the user has been corerctly identified.



And that's all folks. I hope everything works fine for you. If not, or if you want to comment on this howto, please contact me to digiplan.pt(at)gmail.com

Back to LDAP+Samba integration howto.