Hello all,
This message gives simple instructions for installing Samba + OpenLDAP on
FreeBSD (4.7). Hope it helps someone.
1. To keep the ports tree up to date, it is better to install cvsupit at the beginning
mis3# cd /usr/ports/net/cvsupit
mis3# make install clean
Reference: FreeBSD Unleashed (by Urban and Tiemann), p. 425
2. To use Samba + OpenLDAP with the option "ldap ssl = start_tls" in
smb.conf, install the three following packages in order:
mis3# cd /usr/ports/security/openssl
mis3# make install clean
mis3# cd /usr/ports/net/openldap2
mis3# make install clean
mis3# cd /usr/ports/net/samba
mis3# make install clean
(a) Create a self-signed certificate (OpenSSL) in order to use the
"start_tls" option
mis3# cd /usr/local/openssl
mis3# mkdir openldapCA; cd openldapCA
mis3# ../misc/CA.sh -newca
Answer the questions prompted. The important things to keep in mind:
(1) The PEM pass phrase can't be too long (that's according to
experience, probably 15/16 chars. Maybe I was wrong about this point.
However, when I first set a very long password, it didn't work.)
(2) The common name must be the fully qualified domain name. For
example: mis3.fgs.org.tw
mis3# openssl req -new -nodes -keyout newreq.pem -out newreq.pem
mis3# ../misc/CA.sh -sign
mis3# cp demoCA/cacert.pem .
mis3# mv newcert.pem servercrt.pem
mis3# mv newreq.pem privatekey.pem
mis3# chmod 600 privatekey.pem
Reference: http://www.openldap.org/faq/data/cache/185.html
(b) Configure OpenLDAP
(1) Open /usr/local/etc/openldap/ldap.conf (OpenLDAP client config)
with a text editor
HOST mis3.fgs.org.tw
BASE dc=fgs,dc=org,dc=tw
ssl start_tls
# this setting seems not necessary
tls_checkpeer yes
TLS_CACERT /usr/local/openssl/openldapCA/cacert.pem
# Note: the host name and base settings are based on your own.
(2) Copy the Samba schema:
mis3# cp /usr/local/share/examples/samba/LDAP/samba.schema /usr/local/etc/openldap/schema/samba.schema
(3) Open /usr/local/etc/openldap/slapd.conf (OpenLDAP server
config.) with text editor
# Add the following include
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
# The following is for TLS
TLSCACertificateFile /usr/local/openssl/openldapCA/cacert.pem
TLSCertificateFile /usr/local/openssl/openldapCA/servercrt.pem
TLSCertificateKeyFile /usr/local/openssl/openldapCA/privatekey.pem
# The following is for password hash method
password-hash {CRYPT}
# The following is for database setting. LDBM Database is fine.
# suffix must be consistent with the "ldap suffix" option in smb.conf
suffix "dc=fgs,dc=org,dc=tw"
# rootdn must be consistent with the "ldap admin dn" option in smb.conf.
# cn stands for Common Name. This can be changed. For example: cn=Admin
rootdn "cn=Manager,dc=fgs,dc=org,dc=tw"
# The rootdn password is set here. I haven't figured out how to use a hashed password,
# so be sure this file is only accessible by root.
rootpw secret_passwd
# Add some indices
index uid pres,eq
index rid eq
# Leave ACL setting as a second-stage task. :)
(4) To make sure mis3.fgs.org.tw can be reached, better edit /etc/hosts
# Add mis3.fgs.org.tw to this lookup file
192.168.1.2 mis3.fgs.org.tw mis3 mis3.fgs.org.tw.
# IP here is based on your own.
(5) The way to start/stop the OpenLDAP server
(1) Manually:
mis3# /usr/local/libexec/slapd start
mis3# /usr/local/libexec/slapd stop
(2) Start at boot
mis3# cp /usr/local/etc/rc.d/slapd.sh.sample /usr/local/etc/rc.d/slapd.sh
# Then next time the machine reboots, the server will be brought up
automatically.
(6) Verify that the server works
mis3# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# You should be able to see the suffix you just defined in slapd.conf
(c) Configure Samba
It would be much easier to use SWAT for configuration. Make sure the
swat service is enabled: in /etc/inetd.conf, uncomment the last line
(which should be the one for swat).
(1) For options related to OpenLDAP
# ldap server: better keep it consistent with the common name in the CA
ldap server = mis3.fgs.org.tw
ldap ssl = start tls
# ldap port must be 389 for start tls
ldap port = 389
ldap suffix = "dc=fgs,dc=org,dc=tw"
ldap admin dn = "cn=Manager,dc=fgs,dc=org,dc=tw"
(2) To store the password of the rootdn, which is the value of rootpw
in slapd.conf, into the database for samba:
mis3# smbpasswd -w secret_passwd
Note: here "secret_passwd" is the plain-text password, consistent with
that in slapd.conf, so better clear the command history ASAP. (I don't know
how to do it neatly. What I did was log out and log in again.)
(3) To start/stop Samba, and start it at boot
mis3# cp /usr/local/etc/rc.d/samba.sh.sample /usr/local/etc/rc.d/samba.sh # I forgot whether this is done by the system. Check it out yourself.
mis3# /usr/local/etc/rc.d/samba.sh start
mis3# /usr/local/etc/rc.d/samba.sh stop
(4) To add Samba users, make sure the corresponding FreeBSD
user accounts have been created in advance.
mis3# smbpasswd -a <useraccount>
Check whether the account was written into the LDAP database by dumping it:
mis3# slapcat -l <logfilename> -f /usr/local/etc/openldap/slapd.conf -b "<suffix>"
e.g.
mis3# slapcat -l dump.ldif -f /usr/local/etc/openldap/slapd.conf -b "dc=fgs,dc=org,dc=tw"
mis3# less dump.ldif
Then you should see the account added.
(5) To add machine accounts, make sure there are corresponding
FreeBSD accounts whose names have $ appended.
This can be done by adding an account without the $ appended, then
mis3# vipw -d /etc
and adding the $ yourself.
mis3# smbpasswd -m -a <machine_account> # no $ appended
mis3# slapcat -l dump.ldif -f /usr/local/etc/openldap/slapd.conf -b "dc=fgs,dc=org,dc=tw"
mis3# less dump.ldif
Then you should see the machine added.
------------------------------- the end --------------------------
Once I try Samba as PDC and BDC successfully, I'll summarize it. Now
that's all I achieved.
Long-Sheng Feb. 11, 03
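An added check, mine and not part of Long-Sheng's instructions, for the two "must be consistent" rules above (suffix vs "ldap suffix", rootdn vs "ldap admin dn"), the "ldap port = 389" requirement for start tls, and the root-only file permissions the post asks for. The slapd.conf and smb.conf fragments it writes are constructed samples with the post's values; the function names are my own.

```shell
# slapd_value FILE KEY: first value of KEY in slapd.conf, surrounding quotes stripped
slapd_value() {
    awk -v k="$2" '$1 == k { v = $2; gsub(/"/, "", v); print v; exit }' "$1"
}

# smb_value FILE KEY: value of "KEY = value" in smb.conf, quotes and whitespace stripped
smb_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/"//g' -e 's/[[:space:]]*$//' | head -n 1
}

# check_ldap_consistency SLAPD_CONF SMB_CONF: prints every mismatch, returns 1 if any
check_ldap_consistency() {
    rc=0
    suffix=$(slapd_value "$1" suffix); smb_suffix=$(smb_value "$2" "ldap suffix")
    rootdn=$(slapd_value "$1" rootdn); smb_admin=$(smb_value "$2" "ldap admin dn")
    smb_ssl=$(smb_value "$2" "ldap ssl"); smb_port=$(smb_value "$2" "ldap port")
    [ "$suffix" = "$smb_suffix" ] || { echo "suffix '$suffix' != ldap suffix '$smb_suffix'"; rc=1; }
    [ "$rootdn" = "$smb_admin" ] || { echo "rootdn '$rootdn' != ldap admin dn '$smb_admin'"; rc=1; }
    if [ "$smb_ssl" = "start tls" ] && [ "$smb_port" != 389 ]; then
        echo "ldap ssl = start tls needs ldap port = 389, got '$smb_port'"; rc=1
    fi
    return $rc
}

# check_private FILE: 0 when group and other have no permission bits (0600 or stricter);
# the post wants that for privatekey.pem and for slapd.conf, which holds rootpw in clear text
check_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# write_samples DIR: constructed sample files with the post's values (not real configs)
write_samples() {
    cat > "$1/slapd.conf" <<'EOF'
suffix "dc=fgs,dc=org,dc=tw"
rootdn "cn=Manager,dc=fgs,dc=org,dc=tw"
rootpw secret_passwd
EOF
    cat > "$1/smb.conf" <<'EOF'
ldap server = mis3.fgs.org.tw
ldap ssl = start tls
ldap port = 389
ldap suffix = "dc=fgs,dc=org,dc=tw"
ldap admin dn = "cn=Manager,dc=fgs,dc=org,dc=tw"
EOF
    chmod 600 "$1/slapd.conf"
}
```

Run it against the real /usr/local/etc/openldap/slapd.conf and smb.conf once both are in place; a non-zero exit lists exactly which of the paired settings disagree.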
Raj Saxena
2003-Feb-11 07:52 UTC
[Samba] pdc help needed with win2k sp3 clients/samba 2.27a/redhat 8.0
Hi Everyone,
My unix expert and I have been beating our heads against this
one. We have created machine accounts on the server, have the root account
created for smb, and have done everything we can think of. The NetBIOS name is
correct; we have checked the log files and nothing is unusual.
The problem is that the win2k clients just keep saying domain not found. The
linux server is a Dell 2600; we recompiled samba on it. We have read all the
manuals possible!
I know samba is still kind of in its infancy for PDC use and version 3.0 is
about to be released. So I have come to the experts here. I even went to the
point of talking to the guys at Linuxcare and even they won't help. Sorry if
I sound desperate, but if I can't solve this I have no choice but to set up
a machine that will do authentication only, meaning a win nt 4.0 server, and
then let that talk to the samba server :-(
Does anyone have any good docs as to what clients work and with what service
pack? I know some guys have had luck with debian, and win2ksp3. We have 17
clients in one building and then I would need to bring up two bdc (samba
servers) if possible for the remote locations.
TIA,
Raj
So here comes a fully functional skeleton for win2K, 9x and NT, without ldap, pam, etc. I have the problem of nmbd restarting (wins forgets the netbios names).
Samba PDC instant guide by skylark (sources: Samba PDC HOWTO, Using Samba as PDC by IBM DeveloperWorks)
smb.conf::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
[global]
workgroup = skynet
netbios name = skybox
server string = Skybox (%v)
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
os level = 64
preferred master = yes
local master = yes
domain master = yes
security = user
encrypt passwords = yes
domain logon = yes
log file = /var/log/samba/log.%m
log level = 2
max log size = 50
hosts allow = 127.0.0.1 192.168.1.0/255.255.255.0
logon home = \\%L\%U\.profile
logon drive = H:
logon path = \\%L\profiles\%U
logon script = netlogon.bat
add user script = useradd -d /dev/null -g pdc_machines -s /bin/false -M %u
unix password sync = yes
passwd program = passwd %u
passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd: *all*authentication*tokens*updated*successfully*
[profiles]
path = /home/samba/profiles
writeable = yes
browseable = no
create mask = 0600
directory mask = 0700
[netlogon]
path = /home/netlogon
read only = yes
write list = szabop skylark
[homes]
comment = Home Directories
browseable = no
writeable = yes
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
groupadd -g 200 pdc_admins
groupadd -g 201 pdc_machines
mkdir -m 0775 /home/netlogon
chown root.pdc_admins /home/netlogon
mkdir /home/samba /home/samba/profiles
chmod 1757 /home/samba/profiles
useradd domainuser
passwd domainuser (xxx)
smbpasswd -a domainuser (xxx)
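An added check, mine and not skylark's, over the skeleton above: the "add user script" that Samba runs as root for every joining machine must create a no-home, no-login account (it also accepts /sbin/nologin as the shell, which the post does not use), and the netlogon and profiles directories must keep the 0775 and 1757 modes the commands set. The smb.conf fragment and directory tree are constructed samples; the function names are my own.

```shell
# check_add_user_script SMB_CONF: the "add user script" runs as root for every new machine
# account, so it must create a no-login, no-home account and take the name through %u
check_add_user_script() {
    script=$(sed -n 's/^[[:space:]]*add user script[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    case "$script" in *" -s /bin/false"*|*" -s /sbin/nologin"*) ;;
        *) echo "add user script lacks a no-login shell: '$script'"; return 1 ;; esac
    case "$script" in *" -d /dev/null"*) ;;
        *) echo "add user script would give machine accounts a home: '$script'"; return 1 ;; esac
    case "$script" in *%u*) ;;
        *) echo "add user script does not take the account name (%u): '$script'"; return 1 ;; esac
}

# check_mode PATH EXPECTED: compare the ls -ld permission string (drwxr-xrwt is mode 1757)
check_mode() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "$2" ]
}

# check_pdc_dirs BASE: netlogon must stay 0775 (only root and pdc_admins may change the
# logon script) and profiles 1757 (sticky, so users cannot remove each other's profiles)
check_pdc_dirs() {
    check_mode "$1/netlogon" drwxrwxr-x || { echo "netlogon must be 0775"; return 1; }
    check_mode "$1/samba/profiles" drwxr-xrwt || { echo "profiles must be 1757"; return 1; }
}

# make_sample BASE: constructed smb.conf fragment and directory layout taken from the post
make_sample() {
    mkdir -p "$1/samba/profiles" && mkdir -m 0775 "$1/netlogon" && chmod 1757 "$1/samba/profiles"
    cat > "$1/smb.conf" <<'EOF'
[global]
add user script = useradd -d /dev/null -g pdc_machines -s /bin/false -M %u
EOF
}
```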