LDAP-based authentication for Samba
Install and configure Samba as a primary domain controller with LDAP on Linux

Skill Level: Intermediate

Keith Robertson ([email protected])
Advisory software engineer
IBM

31 Jan 2006

© Copyright IBM Corporation 1994, 2005. All rights reserved.
developerWorks® ibm.com/developerWorks

This tutorial shows you how to install and configure Samba as a primary domain controller with a secure LDAP-based authentication mechanism. The completed system boasts a secure file- and print-sharing setup, in addition to a robust LDAP server that could be used for purposes beyond those required by Samba. Additionally, Windows® clients can log on to your Samba server and have shared drives automatically mounted for them based on their group membership.

Section 1. Before you start

About this tutorial

This tutorial shows you how to install and configure Samba as a primary domain controller with a secure LDAP-based authentication mechanism. You get an overview of how LDAP integrates with Samba, and then you learn:

• How to install and configure LDAP (installing OpenLDAP and the IDEALX LDAP Samba toolkit; configuring OpenLDAP necessities, the slapd.conf file, the /etc/ldap.conf file, and the Pluggable Authentication Modules (PAM); and starting OpenLDAP)
• How to install and configure Samba (installing and starting Samba and the Logon Profile Generator; creating the required directories and the shared drives; configuring the smb.conf file and setting the LDAP database-access password; populating the database; adding the PAM and other users; adding Microsoft® Windows® workstations; and debugging the Samba installation if needed)
• How to enable and test security for the system (Transport Layer Security for OpenLDAP, PAM, and Samba)

The completed system boasts a secure file- and print-sharing setup, in addition to a robust LDAP server that could be used for purposes beyond those required by Samba. Additionally, Windows clients are able to log on to your Samba server, which acts as a primary domain controller, and have shared drives automatically mounted for them based on their group membership.

Prerequisites

To get the most out of this tutorial, you should have moderate UNIX® or Linux® familiarity, as well as experience with basic IP networking concepts.

The Linux distribution is Fedora Core 3, but the setup described here works on other Linux distributions or UNIX variants such as AIX, Solaris, or HP-UX. All applications and utilities used in this tutorial are open source and are available from either your Linux vendor or the application vendor's home page. I recommend that you get a precompiled version (such as an RPM) from your Linux vendor's FTP mirror.

This tutorial uses the following software and explains how to download and install each as you go along. In other words, you do not need to install these components in advance:

• OpenSSL
• OpenLDAP
• Samba
• Perl module Crypt::SmbHash
• Perl module Digest::SHA1
• Perl module IO::Socket::SSL
• Perl module Net::SSLeay
• IDEALX Samba LDAP tools

Specific versions of the various software components are indicated. You might have success with earlier versions of the software, but I cannot guarantee that they will work. In general, software that is newer than the versions described in this tutorial should work.

Tutorial network layout

The network described in this tutorial is intended to be small so that you can easily duplicate the examples on a home or lab network. For this setup, I used a typical home broadband router with a built-in firewall. Figure 1 shows the physical network layout.

Figure 1. Tutorial network configuration

This Microsoft Windows network contains three classes of users: marketing, engineering, and management. Marketing and engineering each have a shared drive where users from each group may place files for others in that same group to see; however, members of one group cannot see files on the other group's shared drive. For example, a marketing employee may not view a file on the engineering drive. Management also has a shared drive that is visible only to managers. In addition, managers have special privileges so that they can see files from both marketing and engineering.

Section 2. Introducing LDAP

LDAP is a popular mechanism for authentication and for storage of personally identifiable information. It has several advantages over traditional flat-file-based authentication mechanisms like /etc/passwd. One of these advantages is that LDAP can be used to produce the Holy Grail of password management: a single sign-on. Single sign-on is available because software applications can authenticate remotely against a common LDAP-based user repository across a TCP/IP network. The LDAP method of authentication is in direct contrast to flat-file-based authentication schemes, which are typically tied to a single machine and do not distribute well.

LDAP manages data in a directory information tree. This tree helps to organize data through categorization. Many LDAP servers use SQL databases to store their information because they are a natural fit. As with a traditional SQL database, LDAP uses schemas to define where data should be located and how data should be formatted. The use of schemas and the similarities with traditional SQL databases are key advantages of LDAP because they contribute greatly to its extensibility.

Integrating Samba with LDAP

There are three main integration points between Samba and an LDAP server:

• The first is the inclusion of Samba's schema into the LDAP server.
• The second is configuring Samba to authenticate through the LDAP server. Authentication takes place with the help of Linux's PAM utility (Pluggable Authentication Modules). PAM abstracts the process of authentication away from software applications running on Linux so that they do not have to understand the complexities of a particular authentication mechanism. As such, PAM gives software applications an enormous degree of flexibility: an application calls one API for authentication, and PAM decides whether it should use a flat file, LDAP, or some other mechanism.
• The third integration point involves a set of tools that aid in the management of Samba's LDAP directory information tree. This toolkit is produced by a third party; however, it is covered under the GNU General Public License.

Security

A key strength of LDAP is its use as an authentication mechanism for software applications that could be scattered across a network. A side effect of this strength is that passwords may flow across the network during the authentication phase and, as a result, could be intercepted. Fortunately, LDAP supports both SSL (Secure Sockets Layer) and TLS.

In this tutorial, the LDAP server is running on the same physical server as Samba; thus, there isn't much need for encryption. However, I demonstrate how to encrypt the channel between LDAP and Samba because it is relatively simple and necessary if you host Samba and LDAP on different machines.

This tutorial unfolds in two phases. The first phase details how to configure Samba and LDAP in an unsecured mode. Once the first phase is complete, encryption is enabled to secure the channel between Samba and the LDAP server. This two-phase approach makes it easier to install, configure, and diagnose problems in an unsecured mode.

Section 3. Configuring LDAP

Step 1. Installing OpenLDAP

To install OpenLDAP:

1. Check to see if your distribution has OpenLDAP installed. Issue the following command at a terminal: rpm -qa | grep ldap. If you do not get a response of openldap-2.2.13 or greater, then you should either upgrade or install anew (which is described next).
2. If you don't have OpenLDAP version 2.2.13 or greater, go to your distribution's mirror and download a binary package. In my case, I went to Fedora's mirror list and downloaded openldap-2.2.13-2.i386.rpm. Then I issued the following command: rpm -Uvh openldap-2.2.13-2.i386.rpm.

Step 2. Installing IDEALX's LDAP Toolkit for Samba

A toolkit from IDEALX is required to automate many of the important interactions between Samba and your LDAP server. Included in the toolkit from IDEALX are scripts that Samba automatically calls to add users, modify users, add machines, etc. The scripts are written in Perl and can also be used from the command line.

To install the IDEALX toolkit:

1. Go to IDEALX's home page and download version 0.9.1 or later of the toolkit (smbldap-tools-0.9.1.tgz).
2. In a temporary directory, unpack the toolkit with this command: tar -zxf smbldap-tools-0.9.1.tgz.
3. Create a directory for the IDEALX scripts to live in. At the command prompt type: mkdir -p /var/lib/samba/sbin. Then type: chmod -R 755 /var/lib/samba.
4. Change into the directory created by the tar command. Type: cd smbldap-tools-0.9.1.
5. Copy the required scripts from the temporary directory to the permanent directory with this command: cp smbldap* configure.pl /var/lib/samba/sbin.
6. Set the correct ownership and permissions by changing into the /var/lib/samba/sbin directory and issuing these commands in order:
   1. chmod 750 *
   2.
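The version check from Step 1 and the copy-and-permission steps from Step 2, written as an added shell example; it is not part of the IBM tutorial or of the IDEALX toolkit. It assumes only POSIX sh, awk and sed. The rpm -qa output it parses is a constructed sample, and the source and destination directories are parameters so the staging routine can be exercised against a scratch directory instead of /var/lib/samba/sbin. The package name nss_ldap-226-6 in the sample is constructed filler, present only to show that the parser ignores packages other than the base openldap one.

```shell
#!/bin/sh
# Added example, not from the IBM tutorial: a minimum-version gate for the
# openldap package (Step 1) and a staging routine for the IDEALX scripts
# (Step 2). Only POSIX sh, awk and sed are required.

MIN_OPENLDAP=2.2.13      # the floor the tutorial sets for OpenLDAP

# version_ge A B: succeed when dotted version A is >= B, comparing each
# numeric component in turn (so 2.2.13 > 2.2.9, which a plain string
# comparison gets wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            xi = (i in x) ? x[i] + 0 : 0;
            yi = (i in y) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0;
    }'
}

# openldap_version LIST: print the version of the base openldap package in
# LIST (text in the form `rpm -qa` prints, one package per line). Lines for
# openldap-servers, openldap-clients or other *ldap* packages are skipped,
# and nothing is printed when the base package is absent.
openldap_version() {
    printf '%s\n' "$1" | sed -n 's/^openldap-\([0-9][0-9.]*\)-.*/\1/p' | head -n 1
}

# check_openldap LIST: succeed only if the base openldap package is present
# and at least MIN_OPENLDAP; this is the decision Step 1 asks you to make.
check_openldap() {
    v=$(openldap_version "$1")
    [ -n "$v" ] && version_ge "$v" "$MIN_OPENLDAP"
}

# stage_smbldap_tools SRC DEST: copy smbldap* and configure.pl from the
# unpacked toolkit directory SRC into DEST, then apply the permissions the
# tutorial prescribes (directory 755; scripts 750, so only the owner and the
# owning group can run the account-management scripts).
stage_smbldap_tools() {
    src=$1
    dest=$2
    mkdir -p "$dest"
    chmod 755 "$dest"
    cp "$src"/smbldap* "$src"/configure.pl "$dest"/
    chmod 750 "$dest"/*
}

# Constructed sample of what `rpm -qa | grep ldap` might print on a
# Fedora Core 3 machine (nss_ldap-226-6 is filler, not a version claim).
SAMPLE_RPM_LIST='nss_ldap-226-6
openldap-2.2.13-2
openldap-clients-2.2.13-2
openldap-servers-2.2.13-2'

if check_openldap "$SAMPLE_RPM_LIST"; then
    echo "openldap $(openldap_version "$SAMPLE_RPM_LIST") meets the $MIN_OPENLDAP minimum"
else
    echo "openldap missing or older than $MIN_OPENLDAP: upgrade before continuing"
fi
```

On a real host, replace SAMPLE_RPM_LIST with the output of rpm -qa and call stage_smbldap_tools with the unpacked smbldap-tools-0.9.1 directory and /var/lib/samba/sbin as the two arguments; the version comparison is component-wise so that 2.2.13 is correctly ranked above 2.2.9.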