posted Nov 4, 2015, 2:07 AM by Joshua S
[updated Nov 10, 2015, 1:38 PM]
This tutorial will implement a Samba server on top of the OpenLDAP server set up previously. Ultimately, this server will be the "authorization and authentication" server.
Samba is the standard Windows interoperability suite of programs for Linux and Unix. It serves Windows file shares over the SMB protocol and, with the ldapsam backend used here, acts as a classic (NT4-style) domain controller whose accounts live in OpenLDAP.
With any of the Dabbles on this site, if you have questions, suggestions, or thoughts, please feel free to send me an eMail (I'm still working to figure out how to enable comments on Google Sites -- suggestions would be appreciated)!
- RaspberryPi – The actual RaspberryPi hardware this will all be built around. In this tutorial, a Raspberry Pi 2 is used and has a memory card with the Raspbian operating system pre-installed.
- PuTTY SSH Client – PuTTY is a free and open-source terminal emulator, serial console and network file transfer application. It supports several network protocols, including SCP, SSH, Telnet, rlogin, and raw socket connection. Other SSH tools can be used, but this tutorial will leverage PuTTY.
- LDAP Admin – LDAP Admin is a free Windows LDAP client and administration tool for LDAP directory management. I have not yet found a Linux administration tool that I like, and this tool does not play nicely in WINE, but there are Linux tools for anyone who does not have access to Windows.
Prerequisites:
- Install Raspbian on a memory card for the Raspberry Pi. For a tutorial to do this, try:
- Configure Raspbian so the basic setup is complete. For a tutorial to do this, try:
- Shrink the Raspbian operating system to remove unused components, which both increases efficiency and decreases the attack surface. For a tutorial to do this, try:
- Configure a DNS server to allow for centrally managed, name-based addressing. For a tutorial to do this, try:
- Configure an LDAP server to provide the base authentication and authorization service. For a tutorial to do this, try:
- Update Raspbian to the latest software versions. This should be done periodically and before making any changes to the RaspberryPi. For a tutorial to do this, try:
Project:
- I know I said this guide was going to be comprehensive and not skip any steps, so what better way to start this off than by skipping steps. I am not writing out instructions for the following (and illustrating from XKCD):
- Buying a MicroSD Card
- Buying a RaspberryPi
- Finding the IP Address of your Pi
- This can be done in many ways, including on your router or using an IP scanner such as Angry IP Scanner or Nmap. If there are requests from the "Contact Me" form, I'll look to create a tutorial for this.
- Obtaining and installing PuTTY
- Using PuTTY (or the SSH client of your choice) enter the IP Address or DNS Name of the RaspberryPi.
- If this is the first time you connect, you will get a warning that the RaspberryPi's host key is unknown. Before you click "Accept" or "Connect Once", compare the fingerprint in the warning with the host key on the Pi itself (read from its console or from an earlier trusted session); accepting an unverified key is exactly what lets a machine in the middle impersonate the Pi.
- Once connected, log onto the Pi using the credentials you created. If you have not defined your own credentials yet, these are the defaults, and you should change the password (or create your own account and remove this one) before the Pi takes on the role of authentication server:
- UserID: pi
- Password: raspberry

- Now, we'll integrate the Samba structure into LDAP and enhance our server setup. Let's start by installing Samba onto our RaspberryPi.
sudo apt-get -y install samba samba-common-bin smbldap-tools
- samba – SMB/CIFS file, print, and login server for Unix (the smbd and nmbd daemons).
- samba-common-bin – Samba common tools used by both server and client, including smbpasswd and net, which we use below.
- smbldap-tools – Scripts to manage Unix and Samba accounts stored in LDAP.
- With Samba installed, we now need to copy the Samba schema from the Samba examples folder into the OpenLDAP configuration folder. Essentially, this allows OpenLDAP to understand the new Samba object types. Use these commands.
sudo cp /usr/share/doc/samba/examples/LDAP/samba.schema.gz /etc/ldap/schema
sudo gunzip /etc/ldap/schema/samba.schema.gz

- To import the configurations, we need to create a small slapd.conf-style file for OpenLDAP. We'll create samba.conf in our home directory (where we are right now) using nano, our text editor. No sudo is needed here: the file belongs to us and only slaptest reads it.
nano samba.conf

- Edit the file and add the following lines. A sample file is attached below.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
- We will now create a temporary directory to hold our files while we work.
mkdir /tmp/slapd.d
- Next we'll use the OpenLDAP slaptest utility to convert our slapd.conf-style file into a cn=config directory tree inside the temporary directory. It should finish with "config file testing succeeded"; if it reports an error, fix the schema paths before going on.
slaptest -f samba.conf -F /tmp/slapd.d/
- Navigate to the schema directory within our generated config directory. The Samba schema lands in a file called cn={4}samba.ldif because it comes after the four schemas already loaded by default ({0}core, {1}cosine, {2}nis, {3}inetorgperson). List /etc/ldap/slapd.d/cn=config/cn=schema/ first: if your server already has a different set, pick the next free number and change the dn and cn inside the file to match, or slapd will refuse to start. Copy the file into the live OpenLDAP schema directory and change its owner and group to openldap; the files already there are mode 600, so match that too.
cd /tmp/slapd.d/cn\=config/cn\=schema/
sudo cp cn\=\{4\}samba.ldif /etc/ldap/slapd.d/cn\=config/cn\=schema/
sudo chown openldap:openldap /etc/ldap/slapd.d/cn\=config/cn\=schema/cn\=\{4\}samba.ldif
- Restart the OpenLDAP service (slapd, not Samba) so it loads the new schema. Editing slapd.d by hand is only safe when it is followed by this restart.
sudo service slapd restart
- Now let's clean up our working files with these commands.
cd ~
rm samba.conf
sudo rm -r /tmp/slapd.d
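The schema import above hard-codes the {4} index, which only holds on a stock Debian slapd. The script below is an added example, not part of the original tutorial or of OpenLDAP: it runs the same slaptest procedure but computes the next free cn={N} index from whatever is already in slapd.d and rewrites the dn and cn lines to match. Paths are the Debian/Raspbian defaults used in the tutorial (SCHEMA_DIR and SLAPD_SCHEMA_DIR are assumed and can be overridden); the --install driver needs root and a working slaptest, while the two helper functions work on any directory.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the slaptest schema import
# with the cn={N} index computed from what is already in slapd.d instead of
# assuming {4}. Paths are the Debian/Raspbian defaults the tutorial uses.
SCHEMA_DIR="${SCHEMA_DIR:-/etc/ldap/schema}"
SLAPD_SCHEMA_DIR="${SLAPD_SCHEMA_DIR:-/etc/ldap/slapd.d/cn=config/cn=schema}"

# next_schema_index DIR: slapd orders schema entries by their {N} prefix, so a
# new entry must get a number above every cn={N}*.ldif already present.
next_schema_index() {
    max=-1
    for f in "$1"/cn=\{*\}*.ldif; do
        [ -e "$f" ] || continue
        i=$(printf '%s\n' "$f" | sed -n 's/.*cn={\([0-9][0-9]*\)}[^/]*$/\1/p')
        if [ -n "$i" ] && [ "$i" -gt "$max" ]; then
            max=$i
        fi
    done
    echo $((max + 1))
}

# install_schema_ldif SRC DEST_DIR: copy a slaptest-generated cn={K}NAME.ldif
# into DEST_DIR as cn={N}NAME.ldif, rewriting the "dn: cn={K}NAME" and
# "cn: {K}NAME" lines to the new index. Prints the installed path.
install_schema_ldif() {
    src="$1"; dest_dir="$2"
    name=$(basename "$src" | sed -n 's/^cn={[0-9][0-9]*}\(.*\)\.ldif$/\1/p')
    if [ -z "$name" ]; then
        echo "not a cn={N}NAME.ldif file: $src" >&2
        return 1
    fi
    n=$(next_schema_index "$dest_dir")
    dest="$dest_dir/cn={$n}$name.ldif"
    sed -e "s/^dn: cn={[0-9]*}$name\$/dn: cn={$n}$name/" \
        -e "s/^cn: {[0-9]*}$name\$/cn: {$n}$name/" "$src" > "$dest"
    chmod 600 "$dest"    # slapd.d files are private to the openldap user
    echo "$dest"
}

# install_samba_schema: the tutorial's whole procedure end to end; run as root.
install_samba_schema() {
    work=$(mktemp -d) || return 1
    mkdir "$work/slapd.d"
    for s in core cosine nis inetorgperson samba; do
        echo "include $SCHEMA_DIR/$s.schema"
    done > "$work/samba.conf"
    # slaptest converts the slapd.conf-style includes into cn=config LDIF and
    # should report "config file testing succeeded".
    if ! slaptest -f "$work/samba.conf" -F "$work/slapd.d"; then
        echo "slaptest failed; fix $SCHEMA_DIR/samba.schema first" >&2
        rm -rf "$work"
        return 1
    fi
    src=$(find "$work/slapd.d/cn=config/cn=schema" -name 'cn={*}samba.ldif')
    dest=$(install_schema_ldif "$src" "$SLAPD_SCHEMA_DIR") || { rm -rf "$work"; return 1; }
    chown openldap:openldap "$dest"
    rm -rf "$work"
    echo "installed $dest; run 'service slapd restart' to load it"
}

# Usage: sudo sh samba-schema.sh --install
if [ "${1:-}" = "--install" ]; then
    install_samba_schema
fi
```

The renumbering matters because slapd keys the schema entries on that ordinal: a second cn={4} file, or a file whose name and dn disagree, stops slapd from starting, which on an authentication server is an outage rather than a warning.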
- Good job! OpenLDAP is now configured to work with Samba. Now we need to configure Samba to work with OpenLDAP. We'll use files from the smbldap-tools we installed earlier to keep this deployment simple. We'll start by moving the default Samba configuration and copying over a template for an LDAP integrated deployment.
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
sudo cp /usr/share/doc/smbldap-tools/examples/smb.conf.example /etc/samba/smb.conf
- Let's use nano to open the /etc/samba/smb.conf file and change these settings. A copy of the full config file, with applied changes, is attached below. A couple of notes. First, this deployment does not encrypt the LDAP traffic with SSL/TLS. That is tolerable only because Samba binds to ldap://localhost/, so the ldap admin dn password never leaves the loopback interface; do not point this at a remote LDAP server without TLS. A future Dabble will enable that functionality. Second, workgroup, ldap admin dn, and ldap suffix carry AcademicDabbling values -- replace them with your own.
workgroup = ACADEMIC-DABBLING
passdb backend = ldapsam:"ldap://localhost/"
ldap ssl = off
ldap admin dn = cn=admin,dc=academicdabbling,dc=com
ldap suffix = dc=academicdabbling,dc=com

- With the config file updated, we restart Samba and give it the credential it needs to bind to OpenLDAP. smbpasswd -W prompts for the password of the ldap admin dn we set above (the admin account we created when setting up OpenLDAP) and stores it in Samba's secrets.tdb, keyed to that DN; prompting keeps the password out of your shell history. With that done, we restart Samba again, and on startup it connects to LDAP and creates the sambaDomain object for our domain. A note on service names: with the ldapsam backend Samba runs as the classic smbd/nmbd daemons, so on Jessie (systemd) the service to restart is smbd. samba-ad-dc is the Active Directory domain controller service and does nothing unless Samba has been provisioned as an AD DC, so restarting it here only looks like it worked. On older Raspbian releases (Wheezy, before systemd) the single init script was samba, so use sudo service samba restart instead. Finally, let's reboot the Pi before connecting and checking if Samba is working.
sudo service smbd restart
sudo smbpasswd -W
sudo service smbd restart
sudo reboot

- With this accomplished, we can connect to the directory with LDAP Admin, and we should see the sambaDomain object Samba created alongside our existing entries.
- OK, now that we know Samba and OpenLDAP are integrated with each other, let's copy a couple of template configuration files into place to actually deploy Samba within OpenLDAP. We'll use the following commands to copy a file, copy a compressed file, and decompress the file we've copied.
sudo cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
sudo cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz /etc/smbldap-tools/
sudo gunzip /etc/smbldap-tools/smbldap.conf.gz
- With the files copied, we need to configure our "bind" configuration. Essentially the bind is what lets the smbldap-tools scripts authenticate to OpenLDAP. Set the slaveDN and masterDN fields in /etc/smbldap-tools/smbldap_bind.conf to our LDAP admin and put the OpenLDAP admin password in slavePw and masterPw. Because this file holds that password in clear text, it must be owned by root and readable by root only (mode 600); check that before moving on. The values go directly inside the quotes with no surrounding spaces, or the spaces become part of the DN or the password. A completed file, with passwords redacted, is attached below for reference.
slaveDN="cn=admin,dc=academicdabbling,dc=com"
slavePw="<Password>"
masterDN="cn=admin,dc=academicdabbling,dc=com"
masterPw="<Password>"
- Let's now update the /etc/smbldap-tools/smbldap.conf file, using nano, to link it also. A copy of the configured file is attached below for reference. The SID must be the one Samba generated for the domain on its first start: gather it from the sambaDomain object in LDAP Admin (as demonstrated) or by issuing the sudo net getlocalsid command on the RaspberryPi. smbldap-tools derives every account's sambaSID from this value, so a typo or a stray space inside the quotes produces accounts that belong to a domain Samba does not recognise. Let's populate the following values:
SID="S-1-5-21-784227383-4071461505-2784196558"
sambaDomain="ACADEMIC-DABBLING"
slaveLDAP="localhost"
masterLDAP="localhost"
ldapTLS="0"
suffix="dc=academicdabbling,dc=com"
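Before running smbldap-populate in the next step, it is worth checking that smb.conf, smbldap.conf and smbldap_bind.conf agree with each other, because a padded SID, a mismatched suffix or a bind DN that differs from the one smbpasswd -W stored only fails at runtime, with an unhelpful error. The script below is an added example, not part of the tutorial or of smbldap-tools: it reads the three files with sed (default paths are the Debian ones used above), cross-checks the values, and also verifies that the file holding the LDAP admin password is mode 600. The file names it takes as arguments are assumptions for testing; without arguments it checks the live files.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: cross-check the three files
# edited above before starting smbd or running smbldap-populate. Default paths
# are the tutorial's; values are read from the files, not hardcoded.

smb_value() {  # smb_value FILE KEY: value of "key = value" in smb.conf syntax
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

kv_value() {   # kv_value FILE KEY: value of KEY="value" in smbldap-tools syntax
    sed -n "s/^$2=\"\(.*\)\"[[:space:]]*$/\1/p" "$1" | head -n 1
}

failures=0
ok()   { echo "ok:   $*"; }
fail() { echo "FAIL: $*"; failures=$((failures + 1)); }

# check_samba_ldap_config [SMB_CONF] [SMBLDAP_CONF] [SMBLDAP_BIND_CONF]
# Returns the number of failed checks (0 means the three files are consistent).
check_samba_ldap_config() {
    smb="${1:-/etc/samba/smb.conf}"
    sl="${2:-/etc/smbldap-tools/smbldap.conf}"
    bind="${3:-/etc/smbldap-tools/smbldap_bind.conf}"
    failures=0

    suffix=$(smb_value "$smb" "ldap suffix")
    admin=$(smb_value "$smb" "ldap admin dn")
    ssl=$(smb_value "$smb" "ldap ssl")
    sid=$(kv_value "$sl" SID)
    sl_suffix=$(kv_value "$sl" suffix)
    tls=$(kv_value "$sl" ldapTLS)
    master_dn=$(kv_value "$bind" masterDN)
    master_pw=$(kv_value "$bind" masterPw)

    # 1. Domain SID: S-1-5-21-<n>-<n>-<n>, digits and dashes only (no padding).
    case "$sid" in
        *[!0-9S-]*) fail "SID '$sid' contains characters other than digits and dashes (stray spaces?)" ;;
        S-1-5-21-[0-9]*-[0-9]*-[0-9]*) ok "SID $sid" ;;
        *) fail "SID '$sid' is not of the form S-1-5-21-<n>-<n>-<n>" ;;
    esac
    # 2. smbldap-tools must use the same base DN as Samba.
    if [ -n "$suffix" ] && [ "$suffix" = "$sl_suffix" ]; then
        ok "suffix $suffix"
    else
        fail "ldap suffix '$suffix' (smb.conf) != suffix '$sl_suffix' (smbldap.conf)"
    fi
    # 3. The bind DN must be the DN whose password smbpasswd -W stored.
    if [ -n "$admin" ] && [ "$admin" = "$master_dn" ]; then
        ok "bind DN $admin"
    else
        fail "ldap admin dn '$admin' (smb.conf) != masterDN '$master_dn' (bind file)"
    fi
    # 4. The placeholder must be gone, and the file holding the real password
    #    must be readable by root only.
    case "$master_pw" in
        ""|*"<"*">"*) fail "masterPw in $bind is empty or still a placeholder" ;;
        *) ok "masterPw set" ;;
    esac
    mode=$(stat -c %a "$bind" 2>/dev/null || stat -f %Lp "$bind")
    if [ "$mode" = "600" ]; then
        ok "$bind is mode 600"
    else
        fail "$bind is mode $mode; chmod 600 it (it holds the LDAP admin password)"
    fi
    # 5. Both sides must agree on transport security; the tutorial turns TLS off
    #    on both, which is only acceptable because the LDAP server is localhost.
    case "${ssl:-start tls}:$tls" in
        off:0)         ok "plaintext LDAP on both sides (loopback only)" ;;
        "start tls:1") ok "StartTLS on both sides" ;;
        *) fail "ldap ssl = '$ssl' (smb.conf) does not match ldapTLS=\"$tls\" (smbldap.conf)" ;;
    esac
    return $failures
}

# Usage: sudo sh check-samba-ldap.sh --check   (or pass the three file paths)
if [ "${1:-}" = "--check" ]; then
    shift
    check_samba_ldap_config "$@"
fi
```

Run it as root (the bind file should not be readable by anyone else) and fix every FAIL line before continuing; the check on the quoted values is there precisely because the padded placeholders in the snippets above would otherwise be accepted silently and break the first LDAP bind.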
- OK, our links should be all set; now all we need to do is populate the Samba objects inside the OpenLDAP directory. During this process you will be prompted for the password of the domain root account. This must be a different password from the OpenLDAP administrator's, and a long, complex one: the root entry smbldap-populate creates has uidNumber 0 and the domain Administrator RID (500), so on any host that resolves users from this directory it is a real root login. You will also need this password to join a computer to the domain. Use the command:
sudo smbldap-populate
- Now, let's log onto LDAP Admin to make sure our directory has been updated. It should look a little something like the below image with root, nobody, and a series of Organizational Units (OUs) -- they look like folders -- defined.
- Note, to log on to the domain through Samba, give the user name in the form Domain\UserID -- in this case ACADEMIC-DABBLING\USER_ID.
- Congratulations! Your Authentication Server is now integrated with Samba and ready to go!