# Central user authentication for linux and windows machines

## ksenos

Greetings to all.

I am trying to set up a server on the company network that will replace an existing windows server that handles the domain. I was planning to use openldap and samba to authenticate both linux users and windows users, but also to authenticate users from a mail server (pop3, imap, smtp). 

The truth is that I am a newbie and can't find a single gentoo how-to on setting up openldap and samba to achieve the above.  There are plenty of generic how-to's but I think that I've messed up the system :Wink: . 

Could someone point out some key points or suggest a configuration? Thanx a lot  :Very Happy: .

Kostas

----------

## lblblb

hmmm.

The how-to's and tools from idealx.org probably have all you need to know for samba3+openldap.

my $0.02 on gentoo-specific stuff:

Add the following to your USE flags in /etc/make.conf :

```
ldap samba
```

and (I think, depending on what you want to do eventually) consider adding the following USE flags to the same file:

```
acl hardened kerberos berkdb slp cups sasl oav
```

Better yet, emerge and use ufed (the USE flag editor) -- it tells you what's available, what the default flags were, and lets you change them in an ncurses tool.

If you didn't have the right USE flags, you may need to re-emerge the packages below.

jxplorer is a good ldap management gui.  If you want it, add the following line to your /etc/portage/package.keywords :

```
net-nds/jxplorer      ~x86
```

jxplorer is a java tool, so you can also run it on a windows box, if that's your desktop.

or maybe you'll like gq? (not cross-platform, I believe).

then:

```
emerge openldap

emerge samba

emerge nss_ldap

emerge pam_ldap
```

You need smbldap-tools to do it the idealx way, and I think they make it much easier, though I don't remember if smbldap-tools is provided by another package or not.  If they're installed, stuff will show up in /etc/smbldap-tools/

then, after following, step-by-step, the how-to from idealx.org and testing your setup:

```
rc-update add samba default

rc-update add slapd default

rc-update add nscd default
```

I hope that's a push in the right direction.  If you need help with specific issues, that's much easier for people to help with than a general plea for help.

Oh, and a word of caution: Don't assume down the road that upgrading openldap or samba or other packages related to this will go flawlessly: test the updates on a second machine before rolling them onto the live server.  Before you update the live server, back up your server and make sure you're doing it at a time that you have enough time to roll back the changes if something breaks.  And make sure you're there when people show up in the morning.

If the samba system is hosting user home directories and/or profiles, then there are a whole slew of other concerns.  A couple of those are:

compile extended attributes support for whatever file system type the partition is into your kernel.  Mount the partition with the "acl" option.

reiserfs is working fine for me with extended posix acls.  SGI's xfs was the first, I think, to support extended posix acls.  Make sure your backup solution supports extended posix acls. (for example "star" supports them).

One last word of advice: Start out simple (e.g. no TLS/SSL to start out with, no local packet filtering rules).  Get it working, and *then* add on layers, restarting relevant daemons and testing all basic functionality after each change.

If for some reason that machine hosts a vmware vm, you can probably safely rename to whatever.bak some of the files in /opt/vmware/bin/ , including *smb* and *nmb* .  Otherwise, the vmware scripts will screw with your samba environment.  You would have to make this change every time you update the vmware packages.

I'm novice, so take this all with a grain of salt, but samba is working for me.

----------

## ksenos

Thanks a lot for your suggestions  :Very Happy: .

Before checking the idealx.org how-to, I used some tutorials that I've found and I have succeeded in some way to get ldap authentication (no samba yet).

I had already found jxplorer (great tool!!) and I use it. The problem is that the add/del user and passwd commands only affect the /etc/passwd and /etc/shadow files. I need to use the migrate-passwd tool to export the ldif file, which I then edit to get only the user info and then add it to the directory. 

This seems a little tedious, right? Isn't there a simpler way to add, edit and delete a user's info when using ldap, or do I have to write my own scripts?

Thanks a lot  :Very Happy: 

----------

## ksenos

I've noticed that the idealx how-to uses samba 2.x.x.  Could this be a problem?

----------

## lblblb

 *ksenos wrote:*   

> This seems a little tedious, right? Isn't there a simpler way to add, edit and delete a user's info when using ldap, or do I have to write my own scripts?
> 
> Thanks a lot 

The smbldap-tools have the scripts you need to do simple smb+ldap user/group/machine/password functions, e.g. `smbldap-useradd -a jdoe`

and if you've set up /etc/smbldap-tools/*.conf , the details that you don't specify on the command line should be filled in with system defaults.

Was that your question?

Glad to help.

----------

## lblblb

 *ksenos wrote:*   

> I've noticed that the idealx how-to uses samba 2.x.x.  Could this be a problem?

There are both a samba3 and a samba2 PDC how-to on their page.  See http://www.idealx.org/prj/samba/smbldap-howto.en.html for the version of the How-To in CVS, which refers specifically to Samba 3.0.2a.  

Note, however, that this is iirc for an NT Domain style setup.  Samba doesn't yet (as far as I know) support working at the head of an Active Directory.

Also, if you are planning to set up your users' outlook/express clients to use the LDAP, you might need to adjust your schemas as per the howto I list below.

The following URLs are to documents that I found helpful for different aspects of the Windows/Samba environment:

Very useful -- "Making Users Happy"

User Profile management

Gentoo central outlook addressbook with openldap How-To

ldapguru.org

----------

## ksenos

I want to first understand how ldap authentication works. So far I can't get a user to log in using only ldap authentication (although when logged in as root, "su <user>" works and also creates a home directory if it doesn't already exist). If I add a user normally (unix authentication) then an ldap entry is not necessary. What am I not doing right? Thanks a lot.

 :Very Happy: 

----------

## ksenos

OK... So I am near the end I suppose (although I have read only 1/4 of the how-to). But why oh why is it necessary to use the "Users" node instead of the "People" node where migrate-passwd puts the existing system users? How will I get other linux machines to authenticate with this?

----------

## lblblb

 *ksenos wrote:*   

> I want to first understand how ldap authentication works. So far I can't get a user log in using only ldap authentication

 

Just to make sure -- you don't want to use *only* ldap authentication -- you always want pam to fall back to files, in case you have problems with ldap.

 *Quote:*   

>  (although when logged in as root and "su <user>" it works

 

My guess is that su when you're root doesn't query any authentication -- it only checks that the target UID is valid.

So:

1. Can you connect to your directory server **as the same user(s) that pam and nss use** using jxplorer and browse the entire tree?  If not, then there's your problem. If so:

2. Are you sure you're using the same password as pam and nss are trying to use? (you specified the correct hash types in /etc/pam.d/system-auth and /etc/ldap.conf?)
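The two checks above (can nss/pam actually resolve the entry, and is the stored hash of a type the client can verify) can be rehearsed offline before touching the live box. The script below is an added example written for this thread, not code from the posts, from idealx or from smbldap-tools. It parses a small constructed LDIF export, reports which entries lack the posixAccount attributes nss_ldap needs to build a passwd line, verifies a cleartext password against RFC 2307 style `{SSHA}`/`{SHA}`/`{MD5}`/`{SMD5}` userPassword values (flagging `{CRYPT}` and cleartext as "check the hash type, not the password"), and confirms that nsswitch.conf lists `files` before `ldap` so root still resolves when slapd is down. The sample entries, DNs and nsswitch lines are constructed.

```python
"""Offline sanity checks for an OpenLDAP + nss_ldap/pam_ldap login setup.

Added example for this thread; not code from the posts, idealx or
smbldap-tools.  All sample data below is constructed.
"""
import base64
import hashlib
import hmac
import re

# Attributes nss_ldap needs on a posixAccount entry to build a passwd line.
POSIX_REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attr: [values]} dicts.
    Folded lines (leading space) are joined, '::' values are base64-decoded,
    '#' comments are skipped and a blank line ends an entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit_posix_entry(entry):
    """List the reasons nss_ldap could not resolve this entry (empty = ok)."""
    problems = []
    if "posixAccount" not in entry.get("objectClass", []):
        problems.append("missing objectClass posixAccount")
    problems.extend("missing " + a for a in POSIX_REQUIRED if a not in entry)
    return problems


def make_ssha(password, salt):
    """Build an RFC 2307 {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_password(stored, candidate):
    """True/False for {SHA},{SSHA},{MD5},{SMD5}; None for {CRYPT}, cleartext
    or an unknown scheme, i.e. the hash type is what needs attention."""
    m = re.match(r"^\{(\w+)\}(.+)$", stored)
    if not m:
        return None
    scheme, payload = m.group(1).upper(), m.group(2)
    algo = {"SHA": hashlib.sha1, "SSHA": hashlib.sha1,
            "MD5": hashlib.md5, "SMD5": hashlib.md5}.get(scheme)
    if algo is None:
        return None
    try:
        blob = base64.b64decode(payload, validate=True)
    except ValueError:
        return None
    size = algo().digest_size
    digest, salt = blob[:size], blob[size:]
    if scheme in ("SHA", "MD5") and salt:
        return False  # trailing bytes on an unsalted scheme: malformed value
    return hmac.compare_digest(algo(candidate.encode() + salt).digest(), digest)


def nss_files_before_ldap(nsswitch_text, database="passwd"):
    """True if the database line lists 'files' before 'ldap', so local
    accounts (root above all) still resolve when slapd is unreachable."""
    for line in nsswitch_text.splitlines():
        name, sep, sources = line.split("#", 1)[0].partition(":")
        if not sep or name.strip() != database:
            continue
        order = [t for t in sources.split() if not t.startswith("[")]
        return "files" in order and (
            "ldap" not in order or order.index("files") < order.index("ldap"))
    return False


# Constructed sample data: one resolvable account, one entry with only the
# inetOrgPerson half, and a nsswitch.conf that consults ldap before files.
SAMPLE_LDIF = "\n".join([
    "dn: uid=jdoe,ou=Users,dc=example,dc=com",
    "objectClass: inetOrgPerson", "objectClass: posixAccount",
    "uid: jdoe", "uidNumber: 1001", "gidNumber: 513",
    "homeDirectory: /home/jdoe", "loginShell: /bin/bash",
    "userPassword: " + make_ssha("secret", b"salty!!"),
    "",
    "dn: uid=asmith,ou=People,dc=example,dc=com",
    "objectClass: inetOrgPerson", "uid: asmith",
    "userPassword:: " + base64.b64encode(b"{CRYPT}$1$placeholder").decode(),
])
BAD_NSSWITCH = "passwd: ldap files\nshadow: ldap files\ngroup: files ldap\n"


def run_checks(ldif_text=SAMPLE_LDIF, nsswitch_text=BAD_NSSWITCH):
    """Return a report dict: per-DN problems plus the nsswitch ordering."""
    entries = parse_ldif(ldif_text)
    return {"problems": {e["dn"][0]: audit_posix_entry(e) for e in entries},
            "files_first": nss_files_before_ldap(nsswitch_text)}


if __name__ == "__main__":
    report = run_checks()
    for dn, problems in report["problems"].items():
        print(dn, "->", problems or "ok")
    print("passwd falls back to files first:", report["files_first"])
```

Run it against a real `slapcat` or `ldapsearch -LLL` dump and your own /etc/nsswitch.conf instead of the constructed samples; an entry that passes `audit_posix_entry` but still does not log in points at the pam side (hash type in /etc/ldap.conf, bind DN in the same file) rather than at the directory contents.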

----------

## ksenos

damn... I quit for today. I have installed openldap using a different how-to and for some reason I can't get it to work correctly. 

When I said only ldap authentication I meant that the user info is only included in the ldap directory and not in the passwd and shadow files. 

I use the same damned password everywhere!! JXplorer works fine. I see all the tree and can edit any node.

I think I will start over again tomorrow. I hope I'll be luckier  :Razz: .

lblblb... thanks a lot  :Very Happy: 

----------

