
Authenticating Windows to openLDAP server on Ubuntu 9.10
This is a quick guide to setting up LDAP on your server so that Linux/Windows users can
join your domain. This was written specifically because I saw several people complaining
that it could not be done on Ubuntu 9.10 and I figured, "Hey I've worked it out, so why not
share it?"

I have used the guide at least 4 times on a clean install of Ubuntu 9.10. It has worked
100% without so much as a hiccup. It should work for you too ;)

Edit: I forgot to mention, but this is based on this thread and is simply updated for 9.10 and
fixed up a little in a few random areas.

LDAP

At-a-Glance
1. Download necessary packages
2. Prepare the System
3. Configure slapd
4. Prepare LDAP for use with Samba

Download necessary packages

apt-get --yes install slapd ldap-utils db4.2-util samba-doc

You can use Synaptic Package Manager if you want; just make sure the following four
packages are installed (and accept any dependencies as well):

slapd
ldap-utils
db4.2-util
samba-doc

I chose to use the terminal window because I've given you the entire command to just copy
and paste. It's a lot quicker than searching through Synaptic.

Prepare the System

Rather than having LDAP store every user we create in the home directory, we're going to
create a separate directory for LDAP to use. This is really more of a housekeeping issue
than anything else. It makes keeping track of things a little easier (in my opinion).

1. Make the directory

Open a new terminal window and as a regular user enter

mkdir /ldaphome

2. Make the directory available to everyone

chmod 777 /ldaphome -R

Configure slapd

There is one important thing you should know before following this part of my guide. slapd's
latest build allows you to dynamically make changes to the directory structure without
requiring a restart. This is a great feature but there is one small problem: It sucks. I've
spent HOURS reading the official documentation trying to figure out how to use the stupid
thing and it still makes no sense. It's bulky, complicated, and requires way too much work
to make changes. It needs some serious revision (like an easy to use GUI) before I make
the transition (or at least some better documentation, sheesh).

However, using the old method is a temporary solution. It's a known fact that at some point
the people who release slapd will remove support for the older way of modifying slapd. So
you have two choices.

1. Follow this guide to replace the new method (slapd.d directory structure) with the original
method (slapd.conf file) and then be forced to upgrade at some point in the (distant, not so
distant?) future.
2. Use this guide as a basis for what to do, but learn how to use the new method yourself.

Okay, with that out of the way...

1. The first step is to completely remove the slapd.d directory. To do so open a terminal
window with root privileges and enter the following command.

rm -r /etc/ldap/slapd.d

2. Next we need to edit the slapd defaults file.

gedit /etc/default/slapd

Around the 6th line you should see

SLAPD_CONF=

We're going to change the line to

SLAPD_CONF=/etc/ldap/slapd.conf

3. Add the samba schema for ldap

Enter the following two commands in a terminal window with root privileges

gunzip /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz
cp -v /usr/share/doc/samba-doc/examples/LDAP/samba.schema /etc/ldap/schema

4. Decide on an LDAP administrator password and generate an SSHA hash of it

slappasswd -s YOUR-PASSWORD-GOES-HERE

It will return a line that looks something like this:

{SSHA}LQFFfwELK3few56afcsdaDSADS135w

5. Create an init.ldif file

In just a minute we're going to use this file to populate our LDAP server. Enter the
command

gedit /etc/ldap/init.ldif

Since there is no file by that name yet, gedit will automatically create it for you. Copy and
paste the following into your empty init.ldif file. Remember to replace each
dc=example,dc=local with your own domain information. Look below the box for a
description of the main term in this file.

Code:
dn: dc=example,dc=local
objectClass: dcObject
objectClass: organizationalUnit
dc: example
ou: My Example File

dn: cn=admin,dc=example,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: {SSHA}paste-here-the-results-of-slappasswd

dn: ou=Users,dc=example,dc=local
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=example,dc=local
objectClass: organizationalUnit
ou: Groups

dn: ou=Computers,dc=example,dc=local
objectClass: organizationalUnit
ou: Computers

dn: ou=Idmap,dc=example,dc=local
objectClass: organizationalUnit
ou: Idmap
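
The two steps above (the slappasswd hash in step 4 and the init.ldif skeleton in step 5) can be produced and checked with a short script. The following is an added example written for this guide, not the author's code and not part of OpenLDAP: it builds an {SSHA} value in the layout slappasswd -s prints (base64 of the SHA-1 of the password plus a salt, followed by the salt), verifies a password against such a value, and writes the init.ldif entries from a DNS-style domain name so the dc= components and the admin DN stay consistent. The 4-byte salt length and all function names are my choices, not something the guide specifies.

```python
"""Added example, not code from the guide: produce an {SSHA} value in the
format slappasswd -s prints, verify a password against such a value, and
build the init.ldif skeleton from a DNS-style domain name.
Assumed layout of {SSHA}: base64(sha1(password + salt) + salt)."""
import base64
import hashlib
import hmac
import os
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}' + base64(sha1(password + salt) + salt).

    slappasswd appends a random salt to the password before hashing and
    stores the salt after the digest so a verifier can recover it. The salt
    length is not part of the format; 4 bytes is an assumption made here.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against an {SSHA} value (e.g. the rootpw line)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes long
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def domain_to_suffix(domain: str) -> str:
    """'example.local' -> 'dc=example,dc=local' (one dc= per DNS label)."""
    labels = [lab for lab in domain.strip().lower().split(".") if lab]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={lab}" for lab in labels)


def build_init_ldif(domain: str, admin_hash: str,
                    description: str = "My Example File") -> str:
    """Emit the six entries the guide's init.ldif contains, for `domain`.

    Entries are separated by exactly one blank line and attribute lines are
    never separated by blank lines: in LDIF a blank line ends an entry.
    """
    suffix = domain_to_suffix(domain)
    top_label = suffix.split(",")[0][len("dc="):]
    entries = [
        f"dn: {suffix}\nobjectClass: dcObject\nobjectClass: organizationalUnit\n"
        f"dc: {top_label}\nou: {description}\n",
        f"dn: cn=admin,{suffix}\nobjectClass: simpleSecurityObject\n"
        f"objectClass: organizationalRole\ncn: admin\n"
        f"description: LDAP administrator\nuserPassword: {admin_hash}\n",
    ]
    for ou in ("Users", "Groups", "Computers", "Idmap"):
        entries.append(f"dn: ou={ou},{suffix}\nobjectClass: organizationalUnit\nou: {ou}\n")
    return "\n".join(entries)


if __name__ == "__main__":
    # Constructed demo password; use the password you chose for slappasswd instead.
    admin = ssha_hash("demo-password")
    print(admin)
    print(build_init_ldif("example.local", admin))
```

Run it with your own password and domain and redirect the output to /etc/ldap/init.ldif; a hash printed by the real slappasswd -s can be checked with ssha_verify, since both use the same {SSHA} layout.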

6. Create the slapd.conf file

Okay so we've told slapd to use the old method of configuration, but the slapd.conf file
doesn't actually exist yet.

To create it enter the following command

gedit /etc/ldap/slapd.conf

Copy and paste the following then save and close it. Remember to replace example.local
with your actual domain information.

Code:
# Remember to replace suffix "dc=example,dc=local" with your domain name
# Change the rootpw entry with the results from slappasswd (must match the
# same value you pasted into init.ldif)

# /etc/ldap/slapd.conf
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

########################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/misc.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel 0

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb

# The maximum number of entries that are returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual number of CPUs that are used
# for indexing.
tool-threads 1

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
#checkpoint 512 30
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database bdb

# The base of your directory in database #1
suffix "dc=example,dc=local"

# rootdn directive for specifying a superuser on the database. This is
# needed for syncrepl.
rootdn "cn=admin,dc=example,dc=local"
# REMEMBER! REPLACE THIS WITH THE RESULTS FROM SLAPPASSWD
# (keep the comment on its own line: slapd does not accept trailing comments)
rootpw {SSHA}iPFTqrtwr3yT3XGQot2wxCuuljKA9vMU

# Where the database files are physically stored for database #1
directory "/var/lib/ldap"

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
#index objectClass eq, pres
index ou,cn,sn,mail,givenname eq,pres,sub
index uidNumber,gidNumber,memberUid eq,pres
index loginShell eq,pres
index uniqueMember eq,pres
index uid pres,sub,eq
index displayName pres,sub,eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
#index uid pres,eq,sub

# Save the time that the entry gets modified, for database #1
lastmod on

# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=local" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=example,dc=local" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=example,dc=ch" write
#        by dnattr=owner write

######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database <other>

# The base of your directory for database #2
#suffix "dc=debian,dc=org"
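
Because slapd applies the first access directive that matches, the order of the access lines above decides whether password hashes are readable by everyone. The script below is an added example, not from the guide and not from the OpenLDAP project: it parses the slapd.conf line format (comment lines, whitespace continuation lines), checks that the ACL covering userPassword/sambaNTPassword/sambaLMPassword precedes 'access to *', ends in 'by * none' and keeps 'by anonymous auth', and checks that rootpw is a hashed value with no trailing text. The two configuration fragments embedded in it are constructed for the demonstration and the function names are my choices.

```python
"""Added example, not part of the guide: a small lint for slapd.conf that
checks the properties deciding whether password hashes are exposed.
Both configuration fragments at the bottom are constructed."""
import re
from typing import List, Tuple

SECRET_ATTRS = {"userpassword", "sambantpassword", "sambalmpassword"}


def parse_directives(text: str) -> List[Tuple[str, str]]:
    """Split slapd.conf into (keyword, arguments) pairs.

    Lines starting with '#' are comments; a line starting with whitespace
    continues the previous directive. slapd does not strip a trailing
    '# comment' from a directive line, which is why the rootpw comment in
    the guide has to live on its own line.
    """
    directives: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            kw, args = directives[-1]
            directives[-1] = (kw, args + " " + raw.strip())
            continue
        parts = raw.strip().split(None, 1)
        directives.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return directives


def lint_slapd_conf(text: str) -> List[str]:
    """Return a list of problems; an empty list means the checks passed."""
    problems: List[str] = []
    directives = parse_directives(text)
    seen_catchall = False
    protected = False
    for kw, args in directives:
        if kw != "access":
            continue
        pieces = [p.strip() for p in args.split(" by ")]
        target, clauses = pieces[0], pieces[1:]
        if target == "to *":
            seen_catchall = True  # everything after this line is shadowed
            continue
        m = re.match(r"to\s+attrs=(\S+)", target, re.I)
        if not m:
            continue
        attrs = {a.lower() for a in m.group(1).split(",")}
        if not attrs & SECRET_ATTRS:
            continue
        protected = True
        if seen_catchall:
            problems.append("password ACL comes after 'access to *' and is shadowed")
        if "* none" not in clauses:
            problems.append("password ACL does not end with 'by * none'")
        if "anonymous auth" not in clauses:
            problems.append("password ACL lacks 'by anonymous auth'; simple binds will fail")
    if not protected:
        problems.append("no ACL restricts userPassword/sambaNTPassword/sambaLMPassword")
    for kw, args in directives:
        if kw == "rootpw" and not args.startswith("{"):
            problems.append("rootpw is cleartext; use the {SSHA} value from slappasswd")
        if kw == "rootpw" and "#" in args:
            problems.append("rootpw line carries trailing '#...' text, which slapd will not treat as a comment")
    return problems


# Constructed fragment mirroring the guide's ordering (the {SSHA} value is a placeholder).
GOOD_CONF = """\
database bdb
suffix "dc=example,dc=local"
rootdn "cn=admin,dc=example,dc=local"
rootpw {SSHA}PLACEHOLDER-NOT-A-REAL-HASH
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=local" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=example,dc=local" write
        by * read
"""

# Constructed fragment with the catch-all first, a read-all password ACL and a cleartext rootpw.
BAD_CONF = """\
database bdb
suffix "dc=example,dc=local"
rootdn "cn=admin,dc=example,dc=local"
rootpw secret123
access to *
        by dn="cn=admin,dc=example,dc=local" write
        by * read
access to attrs=userPassword
        by dn="cn=admin,dc=example,dc=local" write
        by * read
"""

if __name__ == "__main__":
    print("good:", lint_slapd_conf(GOOD_CONF) or "no problems")
    print("bad :", lint_slapd_conf(BAD_CONF))
```

To check a live file, pass the contents of /etc/ldap/slapd.conf to lint_slapd_conf; the parser only understands the subset of slapd.conf(5) syntax used above, so treat it as a first pass rather than a full validator.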
7. Initialize the LDAP database

First stop the slapd service

/etc/init.d/slapd stop

Ensure that the ldap folder is clean

rm -rf /var/lib/ldap/*

Add the .ldif file you created

slapadd -v -l /etc/ldap/init.ldif

If all goes well you should see a final line that looks like this:

#################### 100.00% eta none elapsed none fast!

Make sure that LDAP has the correct privileges to access its own directory

chown -R openldap:openldap /var/lib/ldap

Start the slapd service back up

/etc/init.d/slapd start

If everything was done correctly it will print: Starting OpenLDAP: slapd

If you get an error message, go back and make sure you've done everything correctly.

8. Test to see if everything is working

ldapsearch -xLLL -b "dc=example,dc=local"

If it's working it should list all the entries that we created in the init.ldif file (the search
base must be the same suffix you used in init.ldif and slapd.conf).

Samba

At-a-Glance
1. Install Samba
2. Configure Samba
3. Configure smbldap-tools

Install Samba

Again, we have two options for installing Samba. For those who want to use a bash prompt:

apt-get --yes install samba libpam-smbpass smbldap-tools

For the Synaptic fans, make sure you install the following packages:

samba (not samba 4! I've discovered at the time of this writing that Samba 3.4 is
one of two versions (the other is 3.3.4) of Samba that allow Windows 7
machines to join the domain! samba 4 might work, but use it at your own risk!
So PLEASE use 3.4!)
libpam-smbpass
smbldap-tools

Configure Samba for use with LDAP

1. Create the Samba folders that have not been automatically created ..

mkdir -v /var/lib/samba/profiles
chmod 777 /var/lib/samba/profiles
mkdir -v -p /var/lib/samba/netlogon

2. Edit the smb.conf file

gedit /etc/samba/smb.conf

Delete EVERYTHING that is there and replace it with the following. Be sure to replace
EXAMPLE with your information.

Code:

[global]
# Domain name ..
workgroup = EXAMPLE
# Server name - as seen by Windows PCs ..
netbios name = SERVERNAME
# Be a PDC ..
domain logons = Yes
domain master = Yes
# Be a WINS server ..
wins support = true

obey pam restrictions = Yes
dns proxy = No
os level = 35
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
pam password change = Yes
# Allows users on WinXP PCs to change their password when they press Ctrl-Alt-Del
unix password sync = no
ldap passwd sync = yes

# Printing from PCs will go via CUPS ..
load printers = yes
printing = cups
printcap name = cups

# Use LDAP for Samba user accounts and groups ..
passdb backend = ldapsam:ldap://localhost

# This must match init.ldif ..
ldap suffix = dc=example,dc=local
# The password for cn=admin MUST be stored in /etc/samba/secrets.tdb
# This is done by running 'sudo smbpasswd -w'.
ldap admin dn = cn=admin,dc=example,dc=local

# 4 OUs that Samba uses when creating user accounts, computer accounts, etc.
# (Because we are using smbldap-tools, call them 'Users', 'Computers', etc.)
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
# Samba and LDAP server are on the same server in this example.
ldap ssl = no

# Scripts for Samba to use if it creates users, groups, etc.
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

# Script that Samba uses when a PC joins the domain ..
# (when changing 'Computer Properties' on the PC)
add machine script = /usr/sbin/smbldap-useradd -w '%u'

# Values used when a new user is created ..
# (Note: '%L' does not work properly with smbldap-tools 0.9.4-1)
logon drive =
logon home =
logon path =
logon script =

# This is required for Windows XP client ..
server signing = auto
server schannel = Auto

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root
guest ok = Yes
browseable = No

[Profiles]
comment = Roaming Profile Share
# would probably change this to elsewhere in a production system ..
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
browsable = No

[printers]
comment = All Printers
path = /var/spool/samba
use client driver = Yes
create mask = 0600
guest ok = Yes
printable = Yes
browseable = No
public = yes
writable = yes
admin users = root
write list = root

[print$]
comment = Printer Drivers Share
path = /var/lib/samba/printers
write list = root
create mask = 0664
directory mask = 0775
admin users = root

3. Store the LDAP password for Samba use

smbpasswd -W

It will display the following:

Setting stored password for "cn=admin,dc=example,dc=local" in secrets.tdb
New SMB password:
Retype new SMB password:

Make sure that the password you type in is the same one you created with slappasswd -s.

4. Restart Samba

/etc/init.d/samba restart

Configure smbldap-tools

1. Getting smbldap-tools ready

cd /usr/share/doc/smbldap-tools/examples/

Then execute the following commands

cp smbldap_bind.conf /etc/smbldap-tools/
cp smbldap.conf.gz /etc/smbldap-tools/
gzip -d /etc/smbldap-tools/smbldap.conf.gz

Open up the smbldap-tools directory:

cd /etc/smbldap-tools/

2. Get the SID for your domain

net getlocalsid

It will return something like:

SID for domain SERVERNAME is: S-1-5-21-2899629268-4176875250-2352135513

Copy this number

3. Edit your smbldap.conf file

gedit /etc/smbldap-tools/smbldap.conf

We need to make the following changes, but you cannot just copy and paste them into the
file. You need to search for each line and make the adjustment.

Code:
SID="S-1-5-21-949328747-3404738746-3052206637" ## This line must have the same SID as when you ran "net getlocalsid"
sambaDomain="EXAMPLE"
ldapTLS="0"
suffix="dc=example,dc=local"
sambaUnixIdPooldn="sambaDomainName=EXAMPLE,${suffix}" ## Be careful with this section!!
userHome="/ldaphome/%U" ## This is found in the UNIX section.
userSmbHome=
userProfile=
userHomeDrive=
userScript=
mailDomain="example.local"
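
The smb.conf settings 'ldap suffix' and 'ldap admin dn' must match the base DN used in init.ldif and slapd.conf, and the SID and sambaDomain in smbldap.conf must match net getlocalsid and the smb.conf workgroup; a mismatch in any of them shows up only later as a failed domain join or an smbldap error. The script below is an added example, not part of the guide, Samba or smbldap-tools, that reads the four files and reports every mismatch. The fragments embedded in it are constructed from the guide's values, the SID is the one net getlocalsid printed earlier in the guide, and the function names are my choices.

```python
"""Added example, not from the guide: cross-check the directory suffix, admin
DN, domain name and SID across init.ldif, slapd.conf, smb.conf and
smbldap.conf. All fragments below are constructed from the guide's values."""
import configparser
import re
from typing import Dict, List


def ldif_base_dn(ldif: str) -> str:
    """The first 'dn:' line of init.ldif is the directory base."""
    for line in ldif.splitlines():
        if line.lower().startswith("dn:"):
            return re.sub(r",\s+", ",", line[3:].strip())
    raise ValueError("no dn: line in LDIF")


def slapd_suffix(conf: str) -> str:
    """Value of the (possibly quoted) suffix directive in slapd.conf."""
    m = re.search(r'^\s*suffix\s+"?([^"\s]+)"?', conf, re.M)
    if not m:
        raise ValueError("no suffix directive in slapd.conf")
    return m.group(1)


def smb_global(conf: str) -> Dict[str, str]:
    """smb.conf is INI-like; interpolation is off because values contain %m, %S, %u."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf)
    g = cp["global"]
    return {k: g[k].strip() for k in ("workgroup", "ldap suffix", "ldap admin dn")}


def smbldap_settings(conf: str) -> Dict[str, str]:
    """smbldap.conf is KEY="value" with '##' comments; ${suffix} is expanded."""
    vals: Dict[str, str] = {}
    for line in conf.splitlines():
        m = re.match(r'^\s*(\w+)=("?)([^"#]*)\2', line)
        if m:
            vals[m.group(1)] = m.group(3).strip()
    suffix = vals.get("suffix", "")
    return {k: v.replace("${suffix}", suffix) for k, v in vals.items()}


def check_consistency(ldif: str, slapd_conf: str, smb_conf: str,
                      smbldap_conf: str, local_sid: str) -> List[str]:
    """Return one message per mismatch; an empty list means everything agrees."""
    def norm(dn: str) -> str:
        return dn.replace(" ", "").lower()

    problems: List[str] = []
    base = ldif_base_dn(ldif)
    if norm(slapd_suffix(slapd_conf)) != norm(base):
        problems.append(f"slapd.conf suffix {slapd_suffix(slapd_conf)!r} != init.ldif base {base!r}")
    smb = smb_global(smb_conf)
    if norm(smb["ldap suffix"]) != norm(base):
        problems.append(f"smb.conf 'ldap suffix' {smb['ldap suffix']!r} != init.ldif base {base!r}")
    if norm(smb["ldap admin dn"]) != norm("cn=admin," + base):
        problems.append(f"smb.conf 'ldap admin dn' {smb['ldap admin dn']!r} is not cn=admin under {base!r}")
    st = smbldap_settings(smbldap_conf)
    if norm(st.get("suffix", "")) != norm(base):
        problems.append(f"smbldap.conf suffix {st.get('suffix')!r} != init.ldif base {base!r}")
    if st.get("SID") != local_sid:
        problems.append(f"smbldap.conf SID {st.get('SID')!r} != net getlocalsid {local_sid!r}")
    if st.get("sambaDomain", "").upper() != smb["workgroup"].upper():
        problems.append("smbldap.conf sambaDomain != smb.conf workgroup")
    return problems


# Constructed fragments (values taken from the guide).
INIT_LDIF = "dn: dc=example,dc=local\nobjectClass: dcObject\ndc: example\n"
SLAPD_CONF = 'database bdb\nsuffix "dc=example,dc=local"\nrootdn "cn=admin,dc=example,dc=local"\n'
SMB_CONF_OK = """[global]
workgroup = EXAMPLE
netbios name = SERVERNAME
passdb backend = ldapsam:ldap://localhost
ldap suffix = dc=example,dc=local
ldap admin dn = cn=admin,dc=example,dc=local
log file = /var/log/samba/log.%m
[homes]
valid users = %S
"""
# Same file with the suffix mistyped as dc=com, the kind of slip this check is meant to catch.
SMB_CONF_BAD = SMB_CONF_OK.replace("dc=example,dc=local", "dc=example,dc=com")
LOCAL_SID = "S-1-5-21-2899629268-4176875250-2352135513"  # as printed by net getlocalsid in the guide
SMBLDAP_CONF = f'''SID="{LOCAL_SID}" ## must match net getlocalsid
sambaDomain="EXAMPLE"
suffix="dc=example,dc=local"
sambaUnixIdPooldn="sambaDomainName=EXAMPLE,${{suffix}}"
userHome="/ldaphome/%U"
userSmbHome=
'''

if __name__ == "__main__":
    print("ok :", check_consistency(INIT_LDIF, SLAPD_CONF, SMB_CONF_OK, SMBLDAP_CONF, LOCAL_SID))
    print("bad:", check_consistency(INIT_LDIF, SLAPD_CONF, SMB_CONF_BAD, SMBLDAP_CONF, LOCAL_SID))
```

On a real server, read the four files from /etc/ldap/init.ldif, /etc/ldap/slapd.conf, /etc/samba/smb.conf and /etc/smbldap-tools/smbldap.conf and pass the output of net getlocalsid as local_sid; run it before smbldap-populate, since the SID baked into the populated entries is hard to change afterwards.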

4. Open the file /etc/smbldap-tools/smbldap_bind.conf for editing:

gedit /etc/smbldap-tools/smbldap_bind.conf

Edit the file so the following is correct according to your setup (both passwords are your
LDAP admin password, the one you hashed with slappasswd):

Code:

slaveDN="cn=admin,dc=example,dc=local"
slavePw="12345"
masterDN="cn=admin,dc=example,dc=local"
masterPw="12345"

5. Set the correct permissions for the above two files

chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf

6. Populate the LDAP database with essential Samba entries.

This includes the creation of standard groups, such as Administrators and Domain Users.

smbldap-populate

You will see output like

Populating LDAP directory for domain EXAMPLE(S-1-5-21-2899629268-4176875250-2352135513)

At the very end it will ask you to enter a password for samba. Go ahead and enter the same
password you used with the command slappasswd -s

7. Stop the LDAP server, run slapindex, and restart the LDAP server.

/etc/init.d/slapd stop
slapindex
chown openldap:openldap /var/lib/ldap/*
/etc/init.d/slapd start

Slapd should start with no problem. If it doesn't, retrace your steps in the config files and
check the following. Especially check smbldap_bind.conf and make sure you didn't
misspell your password. Otherwise check your smbldap.conf file and make sure you made
all the appropriate changes.

You shouldn't need to look anywhere else but those two files. The reason being that slapd
was already running successfully up to this point. Any reason for its failure should be
isolated to the changes you just made.

OpenLDAP

At-a-Glance
1. Add a User
2. Add LDAP authentication
3. Add a Windows computer to the domain

Add a User

Your directory is almost ready for use, but so far no one is in it! Let's add a user. I'll use the
example of matthew, but you might as well change it to be whatever user name you plan on
using yourself (we'll be giving it root privileges). I suggest making the name different
from the user name you set up during installation, just to keep things clean.

1. Add the user

smbldap-useradd -a -m -M matthewb -c "Matthew B" matthewb

The -a sets up a Samba (and UNIX) account
The -m will create a home directory for the user if one does not yet exist
The -M sets their username as part of their e-mail
The -c sets their full name
matthewb is the name of the user

Before we're done setting up this user account, we need to add a password.

smbldap-passwd matthewb

It will prompt you for a password.

2. Give it administrator privileges

/usr/sbin/smbldap-groupmod -m 'matthewb' 'Administrators'
/usr/sbin/smbldap-groupmod -m 'root' 'Administrators'

Configure Authentication

1. Add LDAP Authentication on the Server

apt-get --yes install ldap-auth-client

It will ask you a series of questions; here's how to answer them.

LDAP server Uniform Resource Identifier: ldap://127.0.0.1
Distinguished name of the search base: dc=example,dc=local
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root: cn=admin,dc=example,dc=local
LDAP root account password: <enter the LDAP admin password>

2. Edit your ldap.conf file

gedit /etc/ldap.conf

Find the following referenced lines and make the changes indicated (make sure to
uncomment them if they are commented out)

Code:
host 127.0.0.1
base dc=example,dc=local
uri ldap://127.0.0.1/
rootbinddn cn=admin,dc=example,dc=local
bind_policy soft

3. Copy your ldap.conf into the correct folder

cp /etc/ldap.conf /etc/ldap/ldap.conf

4. Configure the authentication

Create a new file by running

gedit /etc/auth-client-config/profile.d/open_ldap

Copy and paste the following into the new file (each indented line continues the entry
above it; keep the indentation, or the profile will not parse)

Code:
[open_ldap]
nss_passwd=passwd: compat ldap
nss_group=group: compat ldap
nss_shadow=shadow: compat ldap
nss_netgroup=netgroup: nis
pam_auth=auth required pam_env.so
	auth sufficient pam_unix.so likeauth nullok
	auth sufficient pam_ldap.so use_first_pass
	auth required pam_deny.so
pam_account=account sufficient pam_unix.so
	account sufficient pam_ldap.so
	account required pam_deny.so
pam_password=password sufficient pam_unix.so nullok md5 shadow use_authtok
	password sufficient pam_ldap.so use_first_pass
	password required pam_deny.so
pam_session=session required pam_limits.so
	session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
	session required pam_unix.so
	session optional pam_ldap.so
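
The pam_auth stack above works because of its ordering: pam_unix.so is tried first, pam_ldap.so reuses the password already collected (use_first_pass) for users who are not in /etc/shadow, and pam_deny.so at the end fails closed for everyone else. The following is an added example, not from the guide and not from Linux-PAM: a small model of the classic control-flag rules (required, requisite, sufficient, optional) run over that stack with constructed module verdicts, showing that local and LDAP users are accepted, unknown users are rejected, and that moving pam_deny.so above pam_ldap.so locks LDAP users out. The verdict tables and function names are mine, and the model deliberately ignores the finer points of Linux-PAM's return-code handling.

```python
"""Added example, not from the guide: a minimal model of how PAM walks the
'auth' stack of the open_ldap profile, to show why line order matters.
Module verdicts are simulated with constructed tables; no real module runs."""
from typing import Dict, List, Tuple

# The auth stack from the profile, one entry per PAM line (constructed copy).
AUTH_STACK = [
    "auth required pam_env.so",
    "auth sufficient pam_unix.so likeauth nullok",
    "auth sufficient pam_ldap.so use_first_pass",
    "auth required pam_deny.so",
]


def parse_stack(lines: List[str]) -> List[Tuple[str, str]]:
    """'auth sufficient pam_ldap.so use_first_pass' -> ('sufficient', 'pam_ldap.so')."""
    stack = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {line!r}")
        stack.append((parts[1].lower(), parts[2]))
    return stack


def run_stack(stack: List[Tuple[str, str]], verdicts: Dict[str, bool]) -> bool:
    """Walk the stack top to bottom and return the overall auth result.

    required    failure is remembered but the remaining modules still run
    requisite   failure ends the stack immediately with failure
    sufficient  success ends the stack with success unless an earlier
                required module already failed; failure is ignored
    optional    ignored unless it is the only module in the stack
    A module missing from `verdicts` is treated as failing; pam_deny.so
    always fails, which is what makes the profile fail closed.
    """
    failed_required = False
    for flag, module in stack:
        ok = verdicts.get(module, False)
        if flag == "requisite" and not ok:
            return False
        if flag == "required" and not ok:
            failed_required = True
        if flag == "sufficient" and ok and not failed_required:
            return True
        if flag == "optional" and len(stack) == 1:
            return ok
    return not failed_required


# Constructed verdict tables: pam_unix.so checks /etc/shadow, pam_ldap.so binds
# to slapd with the password pam_unix.so already collected (use_first_pass).
LOCAL_USER = {"pam_env.so": True, "pam_unix.so": True}
LDAP_USER = {"pam_env.so": True, "pam_unix.so": False, "pam_ldap.so": True}
UNKNOWN_USER = {"pam_env.so": True, "pam_unix.so": False, "pam_ldap.so": False}


def profile_results(lines: List[str]) -> Dict[str, bool]:
    """Outcome of one auth stack for the three constructed user kinds."""
    stack = parse_stack(lines)
    return {"local": run_stack(stack, LOCAL_USER),
            "ldap": run_stack(stack, LDAP_USER),
            "unknown": run_stack(stack, UNKNOWN_USER)}


# Same four lines with pam_deny.so moved above pam_ldap.so: LDAP users are locked out,
# because a failed 'required' module cannot be rescued by a later 'sufficient' one.
MISORDERED_STACK = [AUTH_STACK[0], AUTH_STACK[1], AUTH_STACK[3], AUTH_STACK[2]]

if __name__ == "__main__":
    print("profile   :", profile_results(AUTH_STACK))
    print("misordered:", profile_results(MISORDERED_STACK))
```

The same reasoning applies to the pam_account and pam_password stacks in the profile, which follow the identical sufficient/sufficient/required pam_deny.so pattern.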

5. Enable the new profile

auth-client-config -a -p open_ldap

If you receive the following error:

Error in updating the file: 'nss_netgroup' not found

then open your open_ldap file

gedit /etc/auth-client-config/profile.d/open_ldap

Delete the line that says

nss_netgroup=netgroup: nis

and replace it with

nss_netgroup=netgroup: compat ldap

Finally, run the

auth-client-config -a -p open_ldap

command again. You'll get error messages about how a certain entry already
exists. As long as you do not see

Error in updating the file: 'nss_netgroup' not found

then everything installed correctly and you're good to go!

6. Enable Samba in the Firewall

All that's left to do is to allow the Samba services through your firewall (ports 137-139 and 445).
This is necessary because we are using Samba as a stop-gap between LDAP and the
Windows machines.

7. Restart the server

You can now join a computer to your domain like normal (XP joins as-is; Vista and 7 need
some more steps on the client's end, described below). When it prompts you for a user name
with administrative privileges, don't use root. Use the one you made. The reason is that
Ubuntu disables root, so I don't think that username will work if you try to use it.

I really hope this guide helps you. Windows and openLDAP certainly aren't the easiest things
to get to work together (direct authentication via Kerberos would be awesome), but it
CAN be done! Good luck guys (and gals too I guess :P)!

Getting Vista and Windows 7 to Join Domain

THIS IS NOT NECESSARY FOR XP MACHINES!

While getting one of my machines to join the domain I learned two very nasty little tidbits.
The first is that Vista and 7 have about 3 too many versions (stupid Microsoft) and for some
reason only Professional and up have the ability to actually join a domain. The second thing
I learned was that they both require some... convincing to join a Samba domain. I don't
have Vista so I couldn't test if the second part was needed or not; if you use Vista please let
me know if it worked and, if it didn't, what did work for you in the end.

Steps for both Windows 7 and Vista on a Samba Domain.

1. Click on the Windows button (It used to be the Start button)

2. In the "Search programs and files" box type in "secpol.msc"

3. Go to: Local Policies -> Security Options

4. Find the Policy named "Network Security: LAN Manager authentication level".

5. Change it to "Send LM & NTLM - use NTLMv2 session security if negotiated"

6. Click okay and close the secpol.msc window.

At this point, I am unaware of anything else Vista needs to get onto the domain. Windows
7, however, needs some more work.
1. Samba 3.4 MUST be installed. I mentioned this earlier but there are some known issues
with samba and windows 7. Samba 3.4 does not have those problems (3.4 is, at the time of
this writing, the most recent version of the "samba" package)

2. You need to make the following registry edits

Go to: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]

And add two new DWORD values:

DomainCompatibilityMode (set to 1)
DNSNameResolutionRequired (set to 0)

The above need to be added to allow the join to work.

Then go to: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]

And make sure the following two values are set to 1 (they should already exist)

RequireSignOrSeal
RequireStrongKey

Okay, Windows 7 should now join the domain! Good luck to all!
