From 7dac3aa65db3245cbc196aeddd51ff9fd5cb01c0 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Wed, 22 Jun 2005 02:27:09 +0000 Subject: Progress commit. (This used to be commit 3ab50a9a28c8aece00895ce81ec8ec8dd875b5ab) --- docs/Samba3-HOWTO/TOSHARG-Passdb.xml | 112 +++++++++++++++++++++++++++++++---- 1 file changed, 102 insertions(+), 10 deletions(-) (limited to 'docs/Samba3-HOWTO/TOSHARG-Passdb.xml') diff --git a/docs/Samba3-HOWTO/TOSHARG-Passdb.xml b/docs/Samba3-HOWTO/TOSHARG-Passdb.xml index c9cea565ed..1065d55421 100644 --- a/docs/Samba3-HOWTO/TOSHARG-Passdb.xml +++ b/docs/Samba3-HOWTO/TOSHARG-Passdb.xml @@ -1317,11 +1317,19 @@ may be said that the solution is too clever by half! - The Samba-PDC-LDAP-HOWTO - maintained by Ignacio Coupeau. + +Samba-PDC-LDAP-HOWTO + The Samba-PDC-LDAP-HOWTO + maintained by Ignacio Coupeau. + - The NT migration scripts from IDEALX that are + +IDEALX +NT migration scripts +smbldap-tools + The NT migration scripts from IDEALX that are geared to manage users and groups in such a Samba-LDAP domain controller configuration. + Idealx also produced the smbldap-tools and the Interactive Console Management tool. @@ -1329,6 +1337,10 @@ may be said that the solution is too clever by half! Supported LDAP Servers +LDAP +ldapsam +OpenLDAP +Netscape's Directory Server The LDAP ldapsam code was developed and tested using the OpenLDAP 2.x server and client libraries. The same code should work with Netscape's Directory Server and client SDK. However, there are bound to be compile errors and bugs. These should not be hard to fix. @@ -1363,6 +1375,9 @@ ObjectClass (1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY +samba.schema +OpenLDAP +OID The samba.schema file has been formatted for OpenLDAP 2.0/2.1. The Samba Team owns the OID space used by the above schema and recommends its use. If you translate the schema to be used with Netscape DS, please submit the modified 
@@ -1370,19 +1385,32 @@ ObjectClass (1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY +smbpasswd +/etc/passwd +sambaSamAccount +AUXILIARY +ObjectClass +LDAP +RFC 2307. Just as the smbpasswd file is meant to store information that provides information additional to a user's /etc/passwd entry, so is the sambaSamAccount object meant to supplement the UNIX user account information. A sambaSamAccount is an AUXILIARY ObjectClass, so it can be used to augment existing user account information in the LDAP directory, thus providing information needed for Samba account handling. However, there are several fields (e.g., uid) that overlap - with the posixAccount ObjectClass outlined in RFC2307. This is by design. + with the posixAccount ObjectClass outlined in RFC 2307. This is by design. - - +account information +sambaSamAccount +posixAccount +ObjectClasses +smbd +getpwnam +LDAP +NIS +NSS In order to store all user account information (UNIX and Samba) in the directory, it is necessary to use the sambaSamAccount and posixAccount ObjectClasses in combination. However, smbd will still obtain the user's UNIX account @@ -1398,6 +1426,10 @@ ObjectClass (1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY OpenLDAP Configuration +sambaSamAccount +OpenLDAP +slapd +samba.schema To include support for the sambaSamAccount object in an OpenLDAP directory server, first copy the samba.schema file to slapd's configuration directory. The samba.schema file can be found in the directory examples/LDAP @@ -1408,6 +1440,14 @@ ObjectClass (1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY +samba.schema +slapd.conf +sambaSamAccount +cosine.schema +uid +inetorgperson.schema +displayName +attribute Next, include the samba.schema file in slapd.conf. The sambaSamAccount object contains two attributes that depend on other schema files. The uid attribute is defined in cosine.schema and 
@@ -1429,6 +1469,10 @@ include /etc/openldap/schema/samba.schema +sambaSamAccount +posixAccount +posixGroup +ObjectClasses It is recommended that you maintain some indices on some of the most useful attributes, as in the following example, to speed up searches made on sambaSamAccount ObjectClasses (and possibly posixAccount and posixGroup as well): @@ -1480,6 +1524,10 @@ index default sub Initialize the LDAP Database +LDAP database +account containers +LDIF file +DNS Before you can add accounts to the LDAP database, you must create the account containers that they will be stored in. The following LDIF file should be modified to match your needs (DNS entries, and so on): @@ -1543,12 +1591,17 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz +userPassword +slappasswd The userPassword shown above should be generated using slappasswd. +LDIF +LDAP The following command will then load the contents of the LDIF file into the LDAP database. +slapadd &prompt;slapadd -v -l initldap.dif @@ -1560,8 +1613,10 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz +secrets.tdb Before Samba can access the LDAP server, you need to store the LDAP admin password in the Samba-3 secrets.tdb database by: +smbpasswd &rootprompt;smbpasswd -w secret @@ -1573,7 +1628,9 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz Configuring Samba - The following parameters are available in smb.conf only if your version of Samba was built with +LDAP +smbd + The following parameters are available in &smb.conf; only if your version of Samba was built with LDAP support. Samba automatically builds with LDAP support if the LDAP libraries are found. The best method to verify that Samba was built with LDAP support is: 
@@ -1666,12 +1723,14 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz User Management User AccountsAdding/Deleting - Because user accounts are managed through the sambaSamAccount ObjectClass, you should modify your existing administration tools to deal with sambaSamAccount attributes. +sambaSamAccount +/etc/openldap/sldap.conf +NSS Machine accounts are managed with the sambaSamAccount ObjectClass, just like user accounts. However, it is up to you to store those accounts in a different tree of your LDAP namespace. You should use @@ -1682,6 +1741,10 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz +POSIX +posixGroup +Domain Groups +ADS In Samba-3, the group management system is based on POSIX groups. This means that Samba makes use of the posixGroup ObjectClass. For now, there is no NT-like group system management (global and local @@ -1697,18 +1760,23 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz +sambaSAMAccount There are two important points to remember when discussing the security - of sambaSamAccount entries in the directory. + of sambaSAMAccount entries in the directory. Never retrieve the SambaLMPassword or +SambaNTPassword SambaNTPassword attribute values over an unencrypted LDAP session. Never allow non-admin users to view the SambaLMPassword or SambaNTPassword attribute values. +clear-text +impersonate +LM/NT password hashes These password hashes are clear-text equivalents and can be used to impersonate the user without deriving the original clear-text strings. For more information on the details of LM/NT password hashes, refer to the @@ -1716,6 +1784,10 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz +encrypted session +StartTLS +LDAPS +secure communications To remedy the first security issue, the &smb.conf; parameter defaults to require an encrypted session (on) using the default port of 636 when 
@@ -1726,12 +1798,18 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz +LDAPS +StartTLS +LDAPv3 Note that the LDAPS protocol is deprecated in favor of the LDAPv3 StartTLS extended operation. However, the OpenLDAP library still provides support for the older method of securing communication between clients and servers. +harvesting password hashes +ACL +slapd.conf The second security precaution is to prevent non-administrative users from harvesting password hashes from the directory. This can be done using the following ACL in slapd.conf: @@ -1839,6 +1917,8 @@ access to attrs=SambaLMPassword,SambaNTPassword +PDC +sambaSamAccount The majority of these parameters are only used when Samba is acting as a PDC of a domain (refer to Domain Control, for details on how to configure Samba as a PDC). The following four attributes @@ -1846,6 +1926,10 @@ access to attrs=SambaLMPassword,SambaNTPassword +sambaHomePath +sambaLogonScript +sambaProfilePath +sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath @@ -1853,6 +1937,9 @@ access to attrs=SambaLMPassword,SambaNTPassword +sambaSamAccount +PDC +smbHome These attributes are only stored with the sambaSamAccount entry if the values are non-default values. For example, assume MORIA has now been configured as a PDC and that \\%L\%u was defined in @@ -1967,6 +2054,7 @@ sambaNTPassword: 878D8014606CDA29677A44EFA1353FC7 SAM backendmysqlsam +SQL backend Every so often someone comes along with what seems to them like a great new idea. Storing user accounts in a SQL backend is one of them. Those who want to do this are in the best position to know what the specific benefits are to them. This may sound like a cop-out, but in truth we cannot document @@ -1979,6 +2067,7 @@ sambaNTPassword: 878D8014606CDA29677A44EFA1353FC7 Creating the Database +MySQL You can set up your own table and specify the field names to pdb_mysql (see MySQL field names for MySQL passdb backend for the column names) or use the default table. The file 
@@ -2126,6 +2215,7 @@ sambaNTPassword: 878D8014606CDA29677A44EFA1353FC7 +plaintext passwords If you would like to use plaintext passwords, set `identifier:lanman pass column' and `identifier:nt pass column' to `NULL' (without the quotes) and `identifier:plain pass column' to the @@ -2165,6 +2255,8 @@ sambaNTPassword: 878D8014606CDA29677A44EFA1353FC7 SAM backendxmlsam +libxml2 +pdb_xml This module requires libxml2 to be installed. The usage of pdb_xml is fairly straightforward. To export data, use: -- cgit
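Review bot: In the hunk at `@@ -1317,11 +1317,19 @@`, the added index term `+IDEALX` and the added sentence `+ Idealx also produced the smbldap-tools and the Interactive Console Management tool.` spell the vendor name two different ways in the same hunk; pick one spelling (the surrounding context line uses `IDEALX`) so the index entry and the body text agree.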
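Review bot: In the hunk at `@@ -1370,19 +1385,32 @@`, the added index term `+RFC 2307.` carries a trailing period that will be rendered as part of the index entry; drop the period so the entry reads `RFC 2307`, matching the corrected body text `+ with the posixAccount ObjectClass outlined in RFC 2307. This is by design.`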
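Review bot: In the hunk at `@@ -1666,12 +1723,14 @@`, the added index term `+/etc/openldap/sldap.conf` looks like a transposition of `slapd.conf`, which is the file name used in the other hunks of this patch (`+slapd.conf` in the index-terms hunk at `@@ -1440` and in the ACL hunk at `@@ -1798`); check the body text the term refers to and correct the index entry so that it matches the real file name.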
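Review bot: In the hunk at `@@ -1697,18 +1760,23 @@`, the edit `- of sambaSamAccount entries in the directory.` / `+ of sambaSAMAccount entries in the directory.` together with the new index term `+sambaSAMAccount` introduces a second spelling of the object class; the schema excerpt in the hunk headers defines it as `NAME 'sambaSamAccount'` and every other hunk in this patch uses `sambaSamAccount`, so this change should be reverted to the schema spelling (or the index term and the text should both be made consistent with the rest of the file).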