
LDAP-based authentication for Samba

Install and configure Samba as a primary domain controller with LDAP on Linux

Skill Level: Intermediate

Keith Robertson ([email protected])
Advisory software engineer
IBM

31 Jan 2006

developerWorks® ibm.com/developerWorks
© Copyright IBM Corporation 1994, 2008. All rights reserved.

This tutorial demonstrates how to install and configure Samba as a primary domain controller with a secure LDAP-based authentication mechanism. It also describes how to configure the LDAP server, OpenLDAP, for PAM-based authentication and how to secure the link between Samba and OpenLDAP with Transport Layer Security (TLS). The completed system boasts a secure file- and print-sharing setup, in addition to a robust LDAP server that could be used for purposes beyond those required by Samba. Additionally, Windows® clients are able to log on to your Samba server, which acts as a primary domain controller, and have shared drives automatically mounted for them based on their group membership.

Section 1. Before you start

About this tutorial

In this tutorial -- about how to install and configure Samba as a primary domain controller with a secure LDAP-based authentication mechanism -- I'll:

• Introduce LDAP, show how it integrates with Samba, and discuss security concerns
• Go through the steps of configuring LDAP, including installing OpenLDAP and the IDEALX LDAP Samba toolkit; configuring OpenLDAP necessities, the slapd.conf file, the /etc/ldap.conf file, and the Pluggable Authentication Modules (PAM); and explaining how to start OpenLDAP
• Next, show you how to configure Samba, including installing and starting Samba and the Logon Profile Generator; creating the required directories and the shared drives; configuring the smb.conf file and setting the LDAP database-access password; populating the database; adding the PAM and other users and adding Windows workstations to the domain; and debugging the Samba installation in case it didn't work
• Finally, cover security issues and talk about how to enable security for this system, including enabling Transport Layer Security for OpenLDAP, PAM, and Samba, and how to test the security of your system

The completed system boasts a secure file- and print-sharing setup, in addition to a robust LDAP server that could be used for purposes beyond those required by Samba. Additionally, Microsoft Windows clients are able to log on to your Samba server, which acts as a primary domain controller, and have shared drives automatically mounted for them based on their group membership.

This tutorial is best suited for readers with moderate UNIX or Linux familiarity and experience with basic IP networking concepts. The author used Fedora Core 3 as the Linux distribution, but other Linux distributions or UNIX variants, such as AIX, Solaris, or HP-UX, would also work for the setup described in the tutorial. All applications and utilities used in this tutorial are open source and are available from either your Linux vendor or the application vendor's homepage.

Prerequisites

The Linux distribution is Fedora Core 3; however, there is no reason why the setup described here would not work on other Linux distributions or UNIX variants such as AIX, Solaris, or HP-UX. The software is free and can be obtained in a number of ways. I recommend that you get a precompiled version (such as an RPM) from your Linux vendor's ftp mirror.

Here is a list of the software used in this tutorial. There is no need to get the list beforehand, as the tutorial describes how to download and install each item.

• OpenSSL.
• OpenLDAP.
• Samba.
• Perl module Crypt::SmbHash.
• Perl module Digest::SHA1.
• Perl module IO::Socket::SSL.
• Perl module Net::SSLeay.
• IDEALX Samba LDAP tools.

Note: This tutorial identifies the specific versions of the various software components tested. You might have success with earlier versions of the software, but I cannot guarantee that they will work. In general, software that is newer than the versions described in this tutorial should work.

Tutorial network layout

The network described in this tutorial is intended to be small so that you can easily duplicate the examples on a home or lab network. For this setup, I used a typical home broadband router with a built-in firewall. The following diagram depicts the physical network layout.

Figure 1. Tutorial network configuration

This Microsoft Windows network contains three classes of users -- marketing, engineering, and management. Engineering and marketing each have a shared drive where users from each group may place files for others in that same group to see; however, members of one group cannot see files on the other group's shared drive. For example, a marketing employee may not view a file on the engineering drive. Management also has a shared drive that is visible only to managers. In addition, we give managers special privileges so that they can see files from both engineering and marketing.

Section 2. Introducing LDAP

Now I'll introduce LDAP, show how it integrates with Samba, and discuss security concerns.

A brief introduction to LDAP

LDAP is a popular mechanism for authentication and as a repository for storing personally identifiable information. It has several advantages over traditional flat-file-based authentication mechanisms, for example /etc/passwd. One of these advantages is that LDAP can be used to produce the Holy Grail of password management, single sign-on. Single sign-on is available because software applications can authenticate remotely against a common LDAP-based user repository across a TCP/IP network. The LDAP method of authentication is in direct contrast to flat-file-based authentication schemes, which are typically tied to a single machine and do not distribute well.

LDAP manages data in what is termed a directory information tree. This tree helps to organize data through categorization. Many LDAP servers use SQL databases to store their information because they are a natural fit. As with a traditional SQL database, LDAP uses schemas to define where data should be located and how data should be formatted. The use of schemas and the similarities with traditional SQL databases are key advantages of LDAP because they contribute greatly to its extensibility.

Integrating Samba with LDAP

There are three main integration points between Samba and an LDAP server:

• The first is the inclusion of Samba's schema into the LDAP server.
• The second is configuring Samba to authenticate through the LDAP server.
Authentication takes place with the help of Linux's PAM utility (Pluggable Authentication Modules). The PAM utility abstracts the process of authentication away from software applications running on Linux so that they do not have to understand the complexities of a particular authentication mechanism. As such, PAM gives software applications an enormous degree of flexibility, because an application can call one API for authentication and PAM decides whether it should use a flat file, LDAP, or some other mechanism for authentication.
• The third integration point involves a set of tools that aid in the management of Samba's LDAP directory information tree. This toolkit is produced by a third party; however, it is covered under the GNU General Public License.

Security

A key strength of LDAP is its ability to be used as an authentication mechanism for software applications that could be scattered across a network. A side effect of this strength is that passwords may flow across the network during the authentication phase and, as a result, could be intercepted. Fortunately, LDAP supports both SSL (Secure Sockets Layer) and TLS. In this tutorial, the LDAP server is running on the same physical server as Samba; thus, there isn't much need for encryption. However, I will demonstrate how to encrypt the channel between LDAP and Samba because it is relatively simple and necessary for the reader who hosts Samba and LDAP on different machines.

This tutorial proceeds in two phases. The first phase details how to configure Samba and LDAP in an unsecured mode. Once the first phase is complete, encryption is enabled to secure the channel between Samba and the LDAP server. I am proceeding in a two-phase approach because, in general, it is easier to install, configure, and diagnose problems in an unsecured mode.

Section 3. Configuring LDAP

Step 1: Installing OpenLDAP

To install OpenLDAP:

1. Check to see if your distribution has OpenLDAP installed. Issue the following command at a terminal: rpm -qa | grep ldap. If you do not get a response of openldap-2.2.13 or greater, then you should either upgrade or install anew (which is described next).
2. If you don't have OpenLDAP version 2.2.13 or greater, go to your distribution's mirror and download a binary package. In my case, I went to Fedora's mirror list and downloaded openldap-2.2.13-2.i386.rpm. Then I issued the following command: rpm -Uvh openldap-2.2.13-2.i386.rpm.

Step 2: Installing IDEALX's LDAP Toolkit for Samba

A toolkit from IDEALX is required to automate many of the important interactions between Samba and your LDAP server. Included in the toolkit are scripts that Samba automatically calls to add users, modify users, add machines, and so on. The scripts are written in Perl and can also be used from the command line.
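The check in Step 1 relies on eyeballing the output of rpm -qa | grep ldap, which lists the package but does not compare versions. As an added example (not part of the tutorial), here is a small POSIX shell script that makes the "2.2.13 or greater" test explicit: it compares the installed version field by field, so that a release such as 2.10.x is judged newer than 2.9.x and a bare 2.2 is judged older than 2.2.13. The rpm query format is standard rpm syntax; the assumption that the package is named openldap on an RPM-based distribution, and the script name used in the final comment, are mine.

```shell
#!/bin/sh
# Version gate for Step 1 (added example, not from the tutorial).
# "rpm -qa | grep ldap" shows what is installed but cannot tell whether
# the 2.2.13 requirement is met, so compare the version field by field.
REQUIRED_OPENLDAP="2.2.13"   # the version the tutorial was tested with

# version_ge A B: exit 0 when dotted version A is >= B.
# A release suffix ("2.2.13-2") and trailing letters are ignored, and a
# missing field counts as 0, so "2.2" < "2.2.13" and "2.10" > "2.9".
version_ge() {
    a=${1%%-*}; b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        case $a in *.*) af=${a%%.*}; a=${a#*.} ;; *) af=$a; a= ;; esac
        case $b in *.*) bf=${b%%.*}; b=${b#*.} ;; *) bf=$b; b= ;; esac
        af=${af%%[!0-9]*}; bf=${bf%%[!0-9]*}
        af=${af:-0}; bf=${bf:-0}
        [ "$af" -gt "$bf" ] && return 0
        [ "$af" -lt "$bf" ] && return 1
    done
    return 0
}

# installed_openldap_version: print "VERSION-RELEASE" of the openldap RPM,
# or nothing when the package (or rpm itself) is absent. Assumes an
# RPM-based system where the package is named "openldap".
installed_openldap_version() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' openldap 2>/dev/null
}

# check_openldap: exit 0 only if an acceptable OpenLDAP is installed.
check_openldap() {
    v=$(installed_openldap_version) || v=
    if [ -z "$v" ]; then
        echo "openldap is not installed; install openldap >= $REQUIRED_OPENLDAP"
        return 1
    fi
    if version_ge "$v" "$REQUIRED_OPENLDAP"; then
        echo "openldap $v satisfies >= $REQUIRED_OPENLDAP"
    else
        echo "openldap $v is too old; upgrade to >= $REQUIRED_OPENLDAP"
        return 1
    fi
}

# Run the check only when invoked as: sh check-openldap.sh --check
if [ "${1-}" = "--check" ]; then check_openldap; fi
```

Run it with the --check argument on the host being prepared; a non-zero exit status means Step 2 (install or upgrade) is still required.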
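To make the access rules of the tutorial network layout in Section 1 concrete (engineering and marketing each see only their own share; managers see all three), here is an added example, not the tutorial's own smb.conf, of the share stanzas that implement those rules with Samba's valid users directive, which refuses a connection from anyone outside the listed groups before file permissions are even consulted. The share root, the policy list, and the create/directory masks are assumptions of mine; the script renders the stanzas and includes a function that parses them back to confirm which groups each share admits.

```shell
#!/bin/sh
# Render Samba share stanzas for the three-group layout (added example).
# Assumptions: shares live under SHARE_ROOT, and each Unix group named in
# the policy exists and is the group Samba resolves for its LDAP users.
SHARE_ROOT=/home/samba/shares

# Constructed policy: "<share> <comma-separated groups allowed in>".
# Managers are listed on every share, so they see all three drives;
# engineering and marketing each appear only on their own share.
SHARE_POLICY='engineering engineering,management
marketing marketing,management
management management'

# share_stanza NAME GROUPS: print one [NAME] section. "valid users" takes
# group names with an @ prefix; a user in none of the listed groups is
# refused the share outright.
share_stanza() {
    name=$1; members=$2
    users=$(printf '%s' "$members" | sed 's/,/, @/g; s/^/@/')
    printf '[%s]\n' "$name"
    printf '   path = %s/%s\n' "$SHARE_ROOT" "$name"
    printf '   valid users = %s\n' "$users"
    printf '   writable = yes\n'
    printf '   create mask = 0660\n'      # group-readable files, no "other" access
    printf '   directory mask = 0770\n'
    printf '\n'
}

# render_shares: emit a stanza for every line of SHARE_POLICY.
render_shares() {
    printf '%s\n' "$SHARE_POLICY" | while read -r name members; do
        if [ -n "$name" ]; then share_stanza "$name" "$members"; fi
    done
}

# share_allows SHARE GROUP: exit 0 if the rendered config admits GROUP to
# SHARE, by reading the "valid users" line of that stanza back out.
share_allows() {
    render_shares | awk -v s="[$1]" -v g="@$2" '
        $0 == s { in_share = 1; next }
        /^\[/   { in_share = 0 }
        in_share && /valid users/ {
            sub(/^[ \t]*valid users =[ \t]*/, "")
            n = split($0, parts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (parts[i] == g) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Stand-alone use: print the stanzas to paste into smb.conf.
if [ "${1-}" = "--render" ]; then render_shares; fi
```

The policy line is the only place a share's audience is stated, so reviewing it is the same as reviewing who can reach which drive; share_allows is the kind of read-back check worth running after any edit to the policy, since the directories themselves must still be created with matching group ownership (as the tutorial does later).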