UbuntuHelp:LDAP-Samba PDC (for Linux and Windows)

From the Ubuntu Chinese wiki (mirror of the help.ubuntu.com community page)

Revision by Wikibot (talk | contribs), 3 December 2007 (Mon) 19:11


DO NOT USE THESE INSTRUCTIONS. THEY ARE DANGEROUS AND UNTESTED

1. Introduction

This howto describes how to set up a Linux authentication and file server for both Linux and Windows clients. The operating systems we tested on are Ubuntu 6.06 and Windows XP SP2. LDAP and a Samba Primary Domain Controller (PDC) manage both the Linux and the Windows accounts: once an account is created on the server, the user can log into it from either a Linux or a Windows client.

1.1. Overview

After countless hours of searching, we were unable to find a straightforward howto for setting up a Linux authentication and file server for both Linux and Windows clients. We only found bits of information scattered across many different howtos and websites. What we have done here is combine those into one simple howto. It does not explain in much detail why things are done the way they are; it just gives step by step instructions to get the server and clients working.

1.2. End results

After this Howto is finished, you should be able to:

  • Setup a Linux authentication and file server
  • Connect a client to the server
  • Authenticate users from Linux clients
  • Authenticate users from Windows clients
  • Have working user roaming profiles
  • Provide mapped drives
  • Ability to use the same files from both Linux and Windows clients

1.3. Software needed

List of software to install:

1.3.1. Server

  • gvim (optional)
  • heimdal-kdc
  • ldap-utils
  • libnss-ldap
  • libpam-cracklib
  • libpam-foreground
  • libpam-ldap
  • libpam-modules
  • migrationtools
  • nfs-common
  • nfs-kernel-server
  • phpldapadmin
  • samba
  • samba-common
  • samba-doc (optional)
  • slapd
  • smbclient
  • smbldap-tools
  • ssh (optional)
  • ssh-askpass-gnome (optional)
  • ssl-cert (optional)

1.3.2. Unix client

  • libnss-ldap
  • libpam-cracklib
  • libpam-ldap
  • nfs-common

1.3.3. Windows client

  • Windows XP

1.4. Configuration file list

List of configuration files that will be modified:

1.4.1. Server

  • /etc/exports
  • /etc/ldap.conf
  • /etc/libnss-ldap.conf
  • /etc/nsswitch.conf
  • /etc/pam.conf
  • /etc/pam_ldap.conf
  • /etc/pam_ldap.secret
  • /etc/ldap/ldap.conf
  • /etc/ldap/slapd.conf
  • /etc/ldap/schema/samba.schema
  • /etc/pam.d/common-account
  • /etc/pam.d/common-auth
  • /etc/pam.d/common-password
  • /etc/pam.d/common-session
  • /etc/phpldapadmin/config.php
  • /usr/share/migrationtools/migrate_common.ph
  • /etc/samba/smb.conf
  • /etc/smbldap-tools/smbldap.conf
  • /etc/smbldap-tools/smbldap_bind.conf
  • /etc/network/interfaces

1.4.2. Unix client

  • /etc/ldap.conf
  • /etc/libnss-ldap.conf
  • /etc/nsswitch.conf
  • /etc/pam_ldap.conf
  • /etc/ldap/ldap.conf
  • /etc/fstab
  • /etc/pam_ldap.secret
  • /etc/pam.d/common-account
  • /etc/pam.d/common-auth
  • /etc/pam.d/common-password
  • /etc/pam.d/common-session

1.4.3. Windows client

  • None

2. Server Setup

This section provides the step by step instructions to set up the Linux server.

2.1. Base system

Install Ubuntu on the server machine if you have not yet done so. Download it from the Ubuntu website: the Desktop version if you like to work with a graphical user interface, or the Server version if you want to work in a command oriented mode. I suggest the Desktop version if you are a novice. The downloaded file is an ISO disk image; you will need a CD-burning program that can write an image file to a CD.

2.2. Installing the server software

We will now install the server software listed in Section 1.3.1.

  1. Log into your server using an account with administrative privileges.
  2. From the menu at the top, click on System | Administration | Synaptic Package Manager.
  3. From the Synaptic Package Manager menu, click on Settings | Repositories.
    1. Select all of the entries with the letters LTS.
    2. Click on Close.
  4. Back in the Synaptic Package Manager window, click on All in the left pane. All of the available packages will be listed alphabetically in the right pane.
  5. Click on any item in the right pane.
     Tip: If the list in the right pane is too small, drag the bottom border down to make the window larger.
  6. Mark all of the packages listed in Section 1.3.1 for installation.
    1. Type the first few letters of the package that you want. The list jumps to the first package starting with those letters.
    2. Click on the square box to the left of the package that you want to mark.
    3. In the drop-down menu, click on Mark for Installation. If the package is already installed, or is already marked for installation, you do not need to do anything.
  7. After you have marked all of the packages, click on Apply.
    1. In the Summary window, click on Apply again.
    2. Watch the progress bar as the packages are installed. Some of the package installations will require user intervention:
      1. Configuring slapd: type in the admin password, and click Forward.
  8. Once the installation is completed, you can close the Synaptic Package Manager.

2.3. Editing the server configuration files

OpenLDAP

  1. Download all of the server configuration files from https://help.ubuntu.com/community/LDAP-Samba PDC (for Linux and Windows)?action=AttachFile&do=get&target=LDAPServer.tar.gz to a temporary directory if you have not already done so.
  2. Open a terminal window to edit the configuration files.
  3. Become root (sudo asks for your own password; Ubuntu has no separate root password) and change to the ldap directory.
$ sudo bash
Password: <enter your password>
# cd /etc/ldap
  4. Copy all of the downloaded files from the temporary directory to /etc. You can use either the GUI or the command below. Afterwards check that the files are where the rest of this howto expects them (/etc/ldap/slapd.conf, /etc/ldap.conf and so on) and not in a copy of the temporary directory under /etc.
# cp -r <temporary directory> /etc
  5. Edit the /etc/ldap/slapd.conf file using the gvim editor (or whatever text editor you prefer).
# gvim slapd.conf
    1. Replace all occurrences of the string dc=yourdomain,dc=edu with your actual domain name. For example, ldap.lasierra.edu becomes dc=ldap,dc=lasierra,dc=edu.
       Note: The LDAP domain structure is arbitrary; it can be anything you wish, even dc=example,dc=com. Just make sure you keep it consistent.
  6. Generate the hashed LDAP root password with slappasswd. Use the salted {SSHA} scheme: {MD5} (as in the original instructions) is an unsalted hash that a lookup table reverses in seconds once someone can read slapd.conf.
# slappasswd -h {SSHA}
New password: <enter LDAP root password>
Re-enter new password: <enter LDAP root password>
<hashed password string>
  7. Copy the hashed password string into slapd.conf with the echo command below, replacing the text between the quotes with the string you obtained in the previous step. rootpw must sit inside a database section, so appending to the end of the file only works when the database definition is the last section of slapd.conf; open the file and check. The file now holds the hash, so leave it readable only by root and the slapd user (Ubuntu installs it as root:openldap, mode 0640).
# echo rootpw '<hashed password string>' >> /etc/ldap/slapd.conf
  8. Edit the /etc/ldap.conf file. (NOTE: there are two different ldap.conf files, one in /etc and one in /etc/ldap.) Once again replace all occurrences of dc=yourdomain,dc=edu with your domain name. The search base keyword that nss_ldap and pam_ldap read is base; suffix is an slapd.conf directive, not a pam_ldap/nss_ldap keyword. On the server itself ldap://localhost/ stays on the loopback interface, so cleartext is acceptable here; on the clients it is not (see Section 3.3).
#/etc/ldap.conf
base dc=yourdomain,dc=edu
uri ldap://localhost/
pam_password exop
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=Computers,dc=yourdomain,dc=edu
nss_base_passwd ou=People,dc=yourdomain,dc=edu
nss_base_shadow ou=People,dc=yourdomain,dc=edu
nss_base_group  ou=Group,dc=yourdomain,dc=edu
nss_base_hosts  ou=Hosts,dc=yourdomain,dc=edu
bind_policy soft

  9. Edit the /etc/ldap/ldap.conf file. Enter your own BASE, HOST and URI.
#/etc/ldap/ldap.conf
BASE	dc=yourdomain,dc=edu
HOST    127.0.0.1
URI	ldap://localhost/

  10. Test the LDAP configuration, restart slapd, and check that you can search the directory without errors. slaptest prints "config file testing succeeded" if everything is right. The ldapsearch below binds as the directory root; repeat it without -D and -W (an anonymous bind) and make sure no userPassword values come back, because that is exactly what any host that can reach the server can do.
# slaptest
# /etc/init.d/slapd restart
# ldapsearch -x -D "cn=root,dc=yourdomain,dc=edu" -W
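The rootpw and ldapsearch steps above leave two things unchecked that matter as soon as the migration step below copies your /etc/shadow hashes into the directory: how the root password is hashed, and who the slapd ACLs let read userPassword. The script below is an added example, not part of the original howto or of OpenLDAP's own tooling; it audits an slapd.conf with POSIX sh and awk. The two sample configurations, the DNs (dc=example,dc=com) and the paths in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the original howto: audit the rootpw and the
# userPassword ACLs in an slapd.conf before migrating /etc/shadow into LDAP.
# Needs only POSIX sh and awk. DNs, paths and sample configs are assumptions.

# Constructed fragment matching the result of the howto's steps: a {MD5}
# rootpw (this one is the unsalted MD5 of the word "secret") appended to
# the end of the file, and no access directives at all. With no ACL slapd
# falls back to "access to * by * read", so an anonymous bind can dump
# every userPassword value.
WEAK_SLAPD_CONF='include /etc/ldap/schema/core.schema
include /etc/ldap/schema/samba.schema
database bdb
suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"
directory /var/lib/ldap
rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
'

# The same database section with a salted hash and ACLs that let users
# authenticate (auth) and change their own password (self write) while
# hiding the hashes from everyone else. The userPassword clause must come
# before "access to *": slapd stops at the first clause that matches.
HARDENED_SLAPD_CONF='include /etc/ldap/schema/core.schema
include /etc/ldap/schema/samba.schema
database bdb
suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"
directory /var/lib/ldap
rootpw {SSHA}<paste the output of slappasswd -h {SSHA} here>
access to attrs=userPassword,shadowLastChange
        by dn="cn=root,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none
access to *
        by dn="cn=root,dc=example,dc=com" write
        by * read
'

# slapd_conf_audit [FILE]: read FILE (or stdin), print one line per finding,
# exit 1 if there were any.
slapd_conf_audit() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "rootpw" {
            if ($2 !~ /^\{/) {
                print "rootpw is stored in cleartext; use the output of slappasswd -h {SSHA}"
                bad++
            } else {
                match($2, /^\{[^}]*\}/)
                scheme = toupper(substr($2, RSTART, RLENGTH))
                if (scheme == "{MD5}" || scheme == "{SMD5}" || scheme == "{CLEARTEXT}") {
                    print "rootpw uses " scheme ", which is MD5-based or reversible; use {SSHA}"
                    bad++
                }
            }
        }
        tolower($1) == "access" {
            in_pw = ($0 ~ /attrs=[^ \t]*userPassword/)
            if (in_pw) {
                has_pw_acl = 1
                if (seen_star) {
                    print "userPassword ACL comes after \"access to *\" and is never reached"
                    bad++
                }
            } else if ($3 == "*") {
                seen_star = 1
            }
        }
        in_pw && /by[ \t]+\*[ \t]+read/ {
            print "userPassword ACL grants read to everyone"
            bad++
        }
        in_pw && /by[ \t]+anonymous[ \t]+auth/ { anon_auth = 1 }
        END {
            if (!has_pw_acl) {
                print "no ACL for userPassword: the default policy lets anyone read the hashes"
                bad++
            } else if (!anon_auth) {
                print "userPassword ACL lacks \"by anonymous auth\": simple binds cannot check passwords"
                bad++
            }
            exit bad ? 1 : 0
        }' "${1:--}"
}

# Stand-alone run: the weak sample yields two findings, the hardened one none.
if printf '%s' "$WEAK_SLAPD_CONF" | slapd_conf_audit; then
    printf 'weak sample: no findings (unexpected)\n'
else
    printf 'weak sample: findings above\n'
fi
if printf '%s' "$HARDENED_SLAPD_CONF" | slapd_conf_audit; then
    printf 'hardened sample: no findings\n'
fi
```

Run it against the real file with `slapd_conf_audit /etc/ldap/slapd.conf` after step 7. The "by anonymous auth" check is there because tightening the ACL to "by * none" alone breaks every login: a simple bind needs auth access to userPassword to compare the password at all.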

Migrating Data

  1. Migrate existing user and group data.
    1. Edit /usr/share/migrationtools/migrate_common.ph and change the following two lines to look like this (with your corresponding domain):
# gvim /usr/share/migrationtools/migrate_common.ph
$DEFAULT_BASE = "dc=yourdomain,dc=edu";
$EXTENDED_SCHEMA = 1;
    2. Change directory to /usr/share/migrationtools and run the following commands. ETC_SHADOW tells migrate_passwd.pl where to read the password hashes from, so the userPassword values in passwd.ldif are your real /etc/shadow hashes: treat the .ldif files like /etc/shadow itself and delete them from /tmp when you are done. The scripts also migrate every account in /etc/passwd, root and the system accounts included (everything below uid 1000 on Ubuntu); decide deliberately which of those you want served from LDAP, because once root is in the directory, the directory controls root logins on every client. Remove the entries you do not want from passwd.ldif and group.ldif before adding them.
# export ETC_SHADOW=/etc/shadow
# cd /usr/share/migrationtools
# ./migrate_base.pl > /tmp/base.ldif
# ./migrate_group.pl /etc/group /tmp/group.ldif
# ./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif
# ./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
# ldapadd -x -D "cn=root,dc=yourdomain,dc=edu" -W -f /tmp/base.ldif
# ldapadd -x -D "cn=root,dc=yourdomain,dc=edu" -W -f /tmp/group.ldif
# ldapadd -vxc -D "cn=root,dc=yourdomain,dc=edu" -W -f /tmp/passwd.ldif
# ldapadd -x -D "cn=root,dc=yourdomain,dc=edu" -W -f /tmp/hosts.ldif
    3. Restart LDAP or the server.
# /etc/init.d/slapd restart
OR
# reboot
  2. Check the LDAP install and database by browsing to http://localhost/phpldapadmin.
    1. Log in with user cn=root,dc=yourdomain,dc=edu and the LDAP root password.
    2. If after you log in there is a "dc=no domain", then you must configure phpldapadmin:
# gvim /etc/phpldapadmin/config.php
    3. Look for "dc=no domain", replace it with "dc=yourdomain,dc=edu", and log in again. (PHP must be enabled on the server for this to work: sudo a2enmod php5 followed by sudo /etc/init.d/apache2 restart.) phpldapadmin logs in with the directory root credentials over plain HTTP, so keep it reachable on localhost only.


NFS (Network File System)

  1. Now we can configure NFS on the server.
    1. Edit /etc/exports.
# gvim /etc/exports
    2. NFS uses the following format for directories:

directory machineA(option,option) machineB(option,option)

Where:

  • directory = directory to export (e.g. /mnt/hdb1)
  • machine(A|B) = machines allowed to mount this exported directory (see below)
  • option = options for the export (see below)

       Do not put a space between a machine and its options: "/opt/media (rw)" exports the directory to every host that can reach the server, with rw as the default options. The machine list is the only access control NFS applies here. With the default AUTH_SYS security the server trusts the user and group IDs the client presents, so any host in the allowed range on which someone has local root can act as any user on the export. Keep root_squash (the default) unless a directory genuinely needs it off. async improves throughput but can lose data if the server crashes before it writes.
By IP address:
/opt/media 192.168.0.100(async,no_subtree_check,rw) 192.168.0.101(async,no_subtree_check,rw)
By DNS name:
/opt/media spunkster(async,no_subtree_check,rw) nivvy(async,no_subtree_check,rw)
Or by IP range:
/opt/media 192.168.0.0/255.255.255.0(async,no_subtree_check,rw)

    3. You may find more information about the other options with the following command:
# man exports
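The following is an added example, not part of the original howto, that reads an exports file and reports the entries a reviewer would send back: exports open to every host (a bare `*`, no host at all, or a space before the options), no_root_squash, and insecure. The sample file is constructed for the example; the only line taken from the page is the /opt/media range export.

```shell
#!/bin/sh
# Added example, not from the original howto: audit an exports file for the
# entries that widen the trust boundary. POSIX sh and awk only.

# Constructed sample. The first export is the range export from the howto;
# the rest are lines a reviewer would send back.
SAMPLE_EXPORTS='# constructed /etc/exports
/opt/media 192.168.0.0/255.255.255.0(async,no_subtree_check,rw)
/nfs 10.1.31.0/24(rw,sync,no_subtree_check)
/srv/backup *(rw,no_root_squash,insecure)
/srv/public (ro)
'

# exports_audit: read an exports file on stdin, print one line per export
# that has findings, exit 1 if anything was found.
#   world-export     no host, "*", or a space before "(opts)": every host
#                    that can reach the server may mount it
#   no_root_squash   remote root keeps uid 0 on the server
#   insecure         requests accepted from non-privileged source ports, so
#                    any unprivileged user on an allowed client can speak NFS
exports_audit() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            dir = $1
            findings = ""
            if (NF == 1) findings = findings " world-export"
            for (i = 2; i <= NF; i++) {
                client = $i
                opts = ""
                p = index(client, "(")
                if (p) {
                    opts = substr(client, p + 1, length(client) - p - 1)
                    client = substr(client, 1, p - 1)
                }
                if (client == "" || client == "*") findings = findings " world-export"
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) {
                    if (o[j] == "no_root_squash") findings = findings " no_root_squash(" client ")"
                    if (o[j] == "insecure") findings = findings " insecure(" client ")"
                }
            }
            if (findings != "") {
                bad++
                printf "%s:%s\n", dir, findings
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run: audit the real file if present, otherwise the sample.
if [ -r /etc/exports ]; then
    if ! exports_audit < /etc/exports; then printf 'exports_aud'\''it: findings above\n'; fi
else
    if ! printf '%s' "$SAMPLE_EXPORTS" | exports_audit; then printf 'exports_audit: findings above\n'; fi
fi
```

Run it as `exports_audit < /etc/exports` after editing; an empty report and exit status 0 mean none of the three patterns are present. Both the audit and the kernel treat a client spec only as a host match, so a clean report still says nothing about what the allowed hosts do with the uids they present.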

Static IP

  1. You should also give your server a static IP address.
    1. Edit /etc/network/interfaces and change dhcp to static for your working interface, usually eth0:
# gvim /etc/network/interfaces
iface eth0 inet static
	address 10.1.31.4
	netmask 255.255.255.0
	network 10.1.31.0
	broadcast 10.1.31.255
	gateway 10.1.31.1
    2. Restart your network interfaces:
# /etc/init.d/networking restart
    3. Test NFS from a Linux client. The examples above export /opt/media; the commands below assume you exported a directory called /nfs (the path the Linux client section mounts), so substitute your own export.
# mkdir test
# mount 10.1.31.4:/nfs test
# umount 10.1.31.4:/nfs
    4. If errors occurred, make sure that /etc/exports on the NFS server has the right IP address range for your client's IP.


Not Finished

3. Linux Client Setup

This section provides the step by step instructions to set up the Linux client(s).

3.1. Base system

Install Ubuntu on the client machine(s) if you have not yet done so. The base system for the client(s) is identical to the base system for the server. Refer to Section 2.1 for installing the base system.

3.2. Installing the client software

We will now install the client software listed in Section 1.3.2. The procedure is identical to that for the server; the only difference is which packages are installed. Start the Synaptic Package Manager and install the packages listed in Section 1.3.2.

3.3. Editing the client configuration files

  1. Download all of the client configuration files from https://help.ubuntu.com/community/LDAP-Samba PDC (for Linux and Windows)?action=AttachFile&do=get&target=LDAPClient.tar.gz to a temporary directory if you have not already done so.
  2. Open a terminal window to edit the configuration files.
  3. Become root (sudo asks for your own password) and change to the ldap directory.
$ sudo bash
Password: <enter your password>
# cd /etc/ldap
  4. Copy all of the downloaded files from the temporary directory to /etc. You can use either the GUI or the command below.
# cp -r <temporary directory> /etc
  5. Edit /etc/ldap/ldap.conf using the gvim editor (or whatever text editor you prefer) and enter your own BASE, HOST and URI for LDAP. dc=mcsauth,dc=edu and 10.1.31.4 are the example domain and server address used in this howto.
# gvim ldap.conf
#/etc/ldap/ldap.conf
BASE	dc=mcsauth,dc=edu
HOST  10.1.31.4
URI	ldap://10.1.31.4/

  6. Now change directory to /etc and edit the ldap.conf there. (NOTE: there are two different ldap.conf files, one in /etc and one in /etc/ldap.) The search base keyword nss_ldap and pam_ldap read is base; suffix is an slapd.conf directive. Note that ldap://10.1.31.4/ is a cleartext connection: every password a client sends to be checked, and every change made through rootbinddn, crosses the network unencrypted, where anyone on the path can read it. Once things work, add ssl start_tls, tls_checkpeer yes and a tls_cacertfile line here (and a TLS certificate on the server) before putting the setup into production.
# cd /etc
# gvim ldap.conf
#/etc/ldap.conf
base dc=mcsauth,dc=edu
uri ldap://10.1.31.4/
pam_password exop
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=People,dc=mcsauth,dc=edu
nss_base_shadow ou=People,dc=mcsauth,dc=edu
nss_base_group  ou=Group,dc=mcsauth,dc=edu
nss_base_hosts  ou=Hosts,dc=mcsauth,dc=edu
bind_policy soft

  7. Now edit libnss-ldap.conf and enter your host, base and LDAP version.
# gvim libnss-ldap.conf
#/etc/libnss-ldap.conf
host 10.1.31.4
base dc=mcsauth,dc=edu
ldap_version 3

  8. Now edit pam_ldap.conf and enter your host, base, LDAP version and root bind account. rootbinddn makes the client bind as the directory root, with the password from /etc/pam_ldap.secret (next step), for lookups and password changes made by root on that client; the whole directory is then only as safe as the least trusted client. pam_password crypt makes the client hash the new password itself and write userPassword directly, which is why it needs that root bind; pam_password exop (as in /etc/ldap.conf above) sends the new password to the server through the Password Modify extended operation instead, so the server applies its own hashing and the user only needs write access to their own entry.
# gvim pam_ldap.conf
#/etc/pam_ldap.conf
host 10.1.31.4
base dc=mcsauth,dc=edu
ldap_version 3
rootbinddn cn=root,dc=mcsauth,dc=edu
pam_password crypt

  9. You now want to enter your LDAP root password into pam_ldap.secret.
     Important: This file will contain your root password in clear text, so it is very important to change its permissions so that only root can read it. With the default umask the file is world-readable from the moment gvim writes it until the chmod runs, so create it with the permissions already restricted (umask 077, or touch and chmod before writing) rather than editing first and fixing afterwards.
# gvim pam_ldap.secret
#/etc/pam_ldap.secret
<YOUR ROOT PASSWORD HERE>
# chmod 600 /etc/pam_ldap.secret
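The client ldap.conf and the pam_ldap.secret steps above together decide what someone on the network, or on the client, can obtain. Below is an added example, not from the original howto, with three parts: an audit of a client ldap.conf for cleartext LDAP, missing certificate verification and rootbinddn; a generator for a STARTTLS version of the file in the howto's layout; and a helper that writes pam_ldap.secret so that it is mode 0600 before any content reaches the disk. The base DN dc=example,dc=com, the server name ldap.example.com and the CA certificate path are placeholders.

```shell
#!/bin/sh
# Added example, not from the original howto: check and fix the two
# client-side settings that expose credentials, the transport in
# /etc/ldap.conf and the permissions on /etc/pam_ldap.secret.
# POSIX sh, awk and coreutils only. dc=example,dc=com, ldap.example.com
# and the CA path are placeholders.

# ldap_conf_audit [FILE]: read FILE (or stdin), print a line per finding,
# exit 1 if there were any.
#   cleartext   ldap:// (or a bare host line) without "ssl start_tls":
#               every password sent for checking crosses the wire readable
#   checkpeer   STARTTLS without tls_checkpeer yes: anyone in the path can
#               present any certificate and read the session
#   rootbinddn  the client keeps the directory root password on disk
ldap_conf_audit() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "uri"  { for (i = 2; i <= NF; i++) if ($i ~ /^ldap:\/\//) cleartext = 1 }
        tolower($1) == "host" { cleartext = 1 }
        tolower($1) == "ssl" && tolower($2) == "start_tls" { starttls = 1 }
        tolower($1) == "tls_checkpeer" && tolower($2) == "yes" { checkpeer = 1 }
        tolower($1) == "rootbinddn" { rootbind = 1 }
        END {
            if (cleartext && !starttls) { print "cleartext LDAP: add \"ssl start_tls\" or use an ldaps:// uri"; bad++ }
            if (starttls && !checkpeer) { print "STARTTLS without tls_checkpeer yes: the server is not authenticated"; bad++ }
            if (rootbind) { print "rootbinddn: this client stores the directory root password"; bad++ }
            exit bad ? 1 : 0
        }' "${1:--}"
}

# ldap_conf_hardened BASE URI CACERT: print a client ldap.conf for the
# howto's layout (People and Group under BASE) that upgrades to TLS and
# verifies the server certificate against CACERT. No rootbinddn: lookups
# bind anonymously and password changes use the Password Modify operation
# (exop) under the user's own bind, which needs "by self write" on
# userPassword in the server ACL.
ldap_conf_hardened() {
    cat <<EOF
base $1
uri $2
ldap_version 3
ssl start_tls
tls_checkpeer yes
tls_cacertfile $3
pam_password exop
pam_filter objectclass=posixAccount
pam_login_attribute uid
nss_base_passwd ou=People,$1
nss_base_shadow ou=People,$1
nss_base_group ou=Group,$1
bind_policy soft
EOF
}

# check_secret FILE [UID]: succeed only if FILE is mode 0600 and owned by
# UID (default 0, root). ls -n reports the owner as a number.
check_secret() {
    perms=$(ls -lnd "$1" | cut -c1-10)
    owner=$(ls -lnd "$1" | awk '{ print $3 }')
    [ "$perms" = "-rw-------" ] && [ "$owner" = "${2:-0}" ]
}

# write_secret FILE [UID]: read the bind password from stdin and store it
# so the file is never readable by others, not even briefly: the umask
# applies at creation, unlike an editor-then-chmod sequence.
write_secret() {
    IFS= read -r pw || return 1
    ( umask 077 && rm -f "$1" && printf '%s\n' "$pw" > "$1" ) || return 1
    check_secret "$1" "$2"
}
```

Typical use on a client: `ldap_conf_audit /etc/ldap.conf` to see what the howto's file exposes, `ldap_conf_hardened dc=mcsauth,dc=edu ldap://10.1.31.4/ /etc/ssl/certs/ldap-ca.pem > /etc/ldap.conf` once the server has a certificate signed by that CA, and `printf '%s\n' "$password" | write_secret /etc/pam_ldap.secret` if you keep rootbinddn. With tls_checkpeer yes the client refuses a server whose certificate does not chain to the CA file, which is the property that turns STARTTLS from obfuscation into authentication.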

  10. Now edit nsswitch.conf. Use one line per database: glibc takes the first line it finds for each, so if passwd, shadow and group are listed twice (compat first and files ldap later) the compat line is the one in force and LDAP is never consulted. wins in the hosts line needs the winbind package, which is not in the package list above; glibc skips a service it cannot load.
# gvim nsswitch.conf
#/etc/nsswitch.conf
passwd:      files ldap
shadow:      files ldap
group:       files ldap
hosts:       files wins dns
networks:    files dns
services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files nis
bootparams:  files
automount:   files
aliases:     files

  11. Now change directory to /etc/pam.d. This directory contains several files, but we only need to concentrate on four of them: common-account, common-auth, common-password and common-session.
  12. Now edit common-account:
#/etc/pam.d/common-account
account requisite  pam_unix.so
account sufficient pam_localuser.so
account required   pam_ldap.so

  13. Now edit common-auth. Order matters here: pam_unix checks the typed password against the local files first, pam_ldap reuses the same password (use_first_pass) for users the local check did not accept, and pam_deny at the end refuses anyone neither module accepted. nullok lets an account with an empty password field log in without a password; drop it unless you need that.
#/etc/pam.d/common-auth
auth    required    pam_env.so
auth    sufficient  pam_unix.so likeauth nullok shadow
auth    sufficient  pam_ldap.so use_first_pass
auth    required    pam_deny.so

  14. Now edit common-password. pam_cracklib checks the new password against the quality rules first; pam_unix and pam_ldap then take that same checked password (use_authtok), and whichever backend holds the account stores it.
#/etc/pam.d/common-password
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_ldap.so use_authtok use_first_pass
password   required     pam_deny.so

  15. Now edit common-session. pam_mkhomedir creates a missing home directory at first login, copied from /etc/skel, with umask 0027 (group may read, others may not), which is what you want when home directories live on the shared NFS export.
#/etc/pam.d/common-session
session required    pam_limits.so
session required    pam_unix.so
session required    pam_mkhomedir.so skel=/etc/skel/ umask=0027
session optional    pam_ldap.so
  16. Lastly, edit /etc/fstab so that the NFS export is mounted at boot. Add this line at the end of the file, filling in each column (remember to change the IP to your NFS server). Consider adding nosuid,nodev to the options column: the export is writable from every client, so without them a setuid binary created from one client would be honoured on all the others.
#/etc/fstab
# <file system> <mount point>       <type>  <options>       <dump>  <pass>
10.1.31.4:/nfs	/nfs		nfs	rw		0	0
  17. You may optionally test that the NFS mount is working:
# mkdir test
# mount 10.1.31.4:/nfs test
# umount 10.1.31.4:/nfs
  18. If errors occurred, make sure that /etc/exports on the NFS server has the right IP address range for your client's IP.

Restart the computer.

4. Windows Client Setup

No configuration files are needed for Windows clients; just follow these steps:

  1. Log in to a local Administrator account.
  2. Click Start | Control Panel | System | Computer Name (Network Identification on Windows 2000) | Change.
  3. Click the radio button for Domain and enter the Samba domain name.
     Note: You can find this in phpldapadmin (http://localhost/phpldapadmin) as the sambaDomainName attribute of the domain entry.
  4. If everything succeeded, you will be prompted for an authorized user and password. The howto uses the LDAP root account here; a dedicated Samba domain administrator account that is allowed to add machine accounts is the better choice, since the join credentials get typed on every workstation.
  5. Windows will welcome you to the new domain.

Restart the computer.

F.A.Q.

You can ask questions in this section by editing this part of the page. We will try to answer them promptly.

Q: Do you have to use NFS for user data?
A: No, you may use any other type of storage, even local storage on each client if you wish, but "roaming profiles" for Linux won't work.

Q: Having trouble importing the passwd.ldif. I get "ldap_add: Invalid syntax (21) additional info: objectClass: value #5 invalid per syntax" after every single user it attempts to add. When viewing phpLDAPadmin, there are no entries in ou=People. EDIT: yes, I am using -vxc, no root is added, groups are migrated properly. Could this be a problem with my passwd using crypt and your setup using MD5? Also another thing I noticed is that it seems to be tripping up on the 5th value per user (value #5?) which is sn. sn, cn and givenName all seem to be encrypted (cn:: QmFyYiBCZWxsaWdpbw== givenName:: QmFyYg== sn:: QmVsbGlnaW8= is an example). Finally I noticed (as you can see from that paste) that cn, sn, and givenName all have :: after them instead of : on every user. Is this correct? I have a feeling this could get out of hand; maybe it is better transferred to email? Let me know, and thanks for the help. I want to contribute to this page once I get past this bump; we are going to be deploying ubuntu+openldap+samba at work.
A: The documentation is still not complete, but when doing "ldap_add" are you passing "-vxc" as arguments? At the very least you should have "root" as an entry. You may also manually add users; migration_tools is not required. Do the entries in group get migrated? I can try to see what could be wrong as soon as I go back to my office to have a machine to play with.
Also worth mentioning that the "#5" refers to the fifth value for the particular attribute (counting the first one as "#0", by the way) -- objectClass in this case -- not to the fifth line of the overall entry.

Q: Me too, value #5 invalid... I have objectclass entry #6 like <objectClass: krb5Principal> and an entry like <krb5PrincipalName: [email protected]>. If I delete these 2 entries the import goes well. Is it OK to delete them? After this, all works.
A: Same answer as for the previous question: install the package heimdal-kdc to get the Kerberos schemas installed in /etc/ldap/schema, otherwise ldap_add doesn't know about krb5Principal or krb5PrincipalName. If you have already added the items, use the same command line with ldap_modify instead.

Q: The link to LDAPServer.tar.gz doesn't seem to be working. Is it still available somewhere?

Q: I had problems installing the heimdal-kdc package. Investigation showed that the problem was a lack of a dnsdomainname: on my system, hostname -d gives hostname: Unknown host. I "fixed" this by temporarily setting a domain name (hostname <hostname>.somedomain) before running apt-get install heimdal-kdc. Not sure what the wider implications of this are, or whether this was a good fix. Certainly one side effect is the inability to open any new windows on the X system until you put the name back to its previous state. I also had to manually add the include /etc/ldap/schema/hdb.schema line into slapd.conf. Not sure if this is related to my installation problems, or to the inability to download LDAPServer.tar.gz, or just the way the installs work...
To use the migrationtools, I needed this schema: http://www.stanford.edu/services/directory/openldap/configuration/krb5-kdc.schema. It did _NOT_ get installed when installing heimdal-kdc. I needed to install it by hand (copy it onto the server and put it into /etc/ldap/slapd.conf).
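The questions above about the `::` attributes and about "value #5" are both answered by looking at the LDIF the migration tools produce. The script below is an added example, not from the original page or from migrationtools; it decodes `::` (base64) values so they can be read, and reports which objectClass value slapd's 0-based "value #N" refers to. The entry in it is constructed to look like migrate_passwd.pl output with the Kerberos classes; the person, the hash and the values are invented.

```shell
#!/bin/sh
# Added example, not from the original page or from migrationtools: look at
# an LDIF entry the way slapd does when it rejects one. POSIX sh, awk and
# coreutils base64 only.

# Constructed entry shaped like migrate_passwd.pl output with EXTENDED_SCHEMA
# and the Kerberos classes; the person and all values are invented. cn, sn
# and givenName are base64 ("::") only because the tool encodes values it
# does not consider safe; description is folded over two lines as LDIF allows.
SAMPLE_LDIF='dn: uid=bbelligio,ou=People,dc=example,dc=com
uid: bbelligio
cn:: QmFyYiBCZWxsaWdpbw==
givenName:: QmFyYg==
sn:: QmVsbGlnaW8=
description: migrated from /etc/passwd on the fil
 e server
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: krb5Principal
objectClass: shadowAccount
krb5PrincipalName: bbelligio@EXAMPLE.COM
userPassword:: e2NyeXB0fXg=
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/bbelligio'

# ldif_unfold: join continuation lines (a leading space) back onto the line
# they belong to.
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        NR > 1 { print buf }
        { buf = $0 }
        END { if (NR > 0) print buf }'
}

# ldif_decode: copy LDIF from stdin to stdout, turning "attr:: <base64>"
# into "attr: <value>". base64 is an encoding, not protection: a
# userPassword:: line in a dump is the password hash itself.
ldif_decode() {
    ldif_unfold | while IFS= read -r line; do
        case "$line" in
            *':: '*)
                attr=${line%%::*}
                b64=${line#*:: }
                printf '%s: %s\n' "$attr" "$(printf '%s' "$b64" | base64 -d)"
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done
}

# ldif_objectclass_at N: print the objectClass value that an error such as
# "objectClass: value #N invalid per syntax" refers to. slapd counts the
# values of that one attribute from #0, not the lines of the entry.
# Exit 1 if the entry has fewer than N+1 objectClass values.
ldif_objectclass_at() {
    ldif_unfold | awk -v want="$1" '
        tolower($1) == "objectclass:" {
            if (n == want) { print $2; found = 1; exit }
            n++
        }
        END { exit found ? 0 : 1 }'
}

# Stand-alone run: show the decoded sample and the class behind "value #5".
printf '%s\n' "$SAMPLE_LDIF" | ldif_decode
printf 'value #5 is: %s\n' "$(printf '%s\n' "$SAMPLE_LDIF" | ldif_objectclass_at 5)"
```

On the sample, value #5 is krb5Principal, the class slapd does not know until the Kerberos schema is included, which matches the second question. To check a real migration run `ldif_decode < /tmp/passwd.ldif | less` (the file contains your shadow hashes, so do it as root and delete the file afterwards) and `ldif_objectclass_at 5 < one-entry.ldif` with the rejected entry pasted into one-entry.ldif.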
