Samba LVS PDC Configuration

PDC configuration

In our case study, we focus on a PDC server used for authentication, with an underlying LDAP directory. We also have to define a share in order to validate both authentication and access to a resource from a client.

Samba service

First, we want to define a real server configuration in order to get an operating Samba server, and we want to build a PDC configuration. This how-to is not designed to describe Samba capabilities, but I will give as many details as I can to point out some of the problems I encountered. I built this configuration using samba-3.0.0 on a Red Hat AS 3; I believe the methodology applies to any distribution.

All of the following goes into the /etc/samba/smb.conf file. First, we have to define the NetBIOS domain name and the server name. Our PDC should answer to a generic name shared between all real servers; to keep an individual identity for each server, we use the netbios aliases parameter, which gives a server several names.

[global]
workgroup = example
netbios name = server1
netbios aliases = samba-server

Next, we have to define the server as a PDC: the following parameters make the Samba server a domain controller and the domain master browser.

security = user
encrypt passwords = Yes
local master = Yes
domain master = Yes
domain logons = Yes
preferred master = Yes
os level = 64

Finally, we have to define the LDAP support. The choice of LDAP is important in such an architecture: we want to share the load of the Samba service while keeping a single authentication database. As a first scheme we consider a single directory service; for performance reasons we can later deploy local LDAP replicas on each Samba server, a point covered later on. Note that with a plain ldap:// URL the admin DN bind and the password hashes Samba reads and writes cross the network in the clear; on Samba 3 the ldap ssl = start tls parameter protects that connection, provided slapd is configured for TLS. Here are the LDAP parameters Samba relies on:

passdb backend = ldapsam:ldap://ldap-server
ldap suffix = dc=domain
ldap admin dn = "cn=admin,dc=domain"
ldap filter = "(&(uid=%u)(objectclass=sambaSamAccount))"
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers

LDAP service

As defined in the previous configuration file, a corresponding LDAP directory must be reachable on the host ldap-server. This directory service has to include the Samba schema, shipped in the Samba source archive as examples/LDAP/samba.schema. We have to copy samba.schema into the schema directory and configure the slapd.conf file. The paths below (/etc/ldap, /usr/lib/ldap, /var/run/slapd) are Debian's; on Red Hat the schema and configuration live under /etc/openldap. The file should be similar to this:

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema

# Schema check forces entries to match the schemas of their objectClasses
schemacheck on
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd.args
# Read slapd.conf(5) for possible values
loglevel 0
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb

#######################################################################
# Specific Backend Directives for bdb:
backend bdb
#######################################################################
# Specific Directives for database #1, of type bdb:
database bdb
# The base of your directory in database #1
suffix "dc=domain"
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
# Administrator ID
rootdn "cn=admin,dc=domain"
# Administrator password (this {SSHA} hash is for "secret"; generate your own with slappasswd)
rootpw {SSHA}T3z64Tw1J+AOQ/dli1GKl4kngh2gH8jh

For optimization and to protect access to the password attributes, some more parameters are needed, such as these:

# Indexing options for database #1
index objectClass eq
# Samba indexes
index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName pres,eq
index default sub
# Save the time that the entry gets modified, for database #1
lastmod on
# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog
# These access lines apply to database #1 only. The NT and LM hashes are
# password equivalents: only the admin DN and the entry itself may read or
# write them, anonymous may only bind with them. The "by" clauses must be
# indented, otherwise slapd reads them as new directives.
access to attribute=userPassword,sambaNTPassword,sambaLMPassword
    by dn="cn=admin,dc=domain" write
    by anonymous auth
    by self write
    by * none
# Everything else is readable by everyone (the rootdn bypasses ACLs anyway)
access to *
    by * read

We now have to give Samba the password of the admin DN entry; this is done with the following command:

smbpasswd -w secret

It stores the password in secrets.tdb, a root-only file in the directory given by the private dir parameter (testparm -v shows it), so the LDAP password never appears in smb.conf.

To deploy the LDAP database, we just need a standard tree separating user, group and computer accounts. Two approaches can be considered here: either build the LDAP structure by hand from an LDIF file, or use an administration tool such as LDAP Account Manager (LAM), which creates each branch of the tree for us. Here is the LDIF result for the database we consider.

# domain
dn: dc=domain
objectClass: organization
objectClass: dcObject
dc: domain
o: domain

# Users, domain
dn: ou=Users,dc=domain
objectClass: organizationalunit
ou: Users

# Groups, domain
dn: ou=Groups,dc=domain
objectClass: organizationalunit
ou: Groups

# Computers, domain
dn: ou=Computers,dc=domain
objectClass: organizationalunit
ou: Computers

# Domains, domain
dn: ou=Domains,dc=domain
objectClass: organizationalunit
ou: Domains

To complete the configuration, we create the NetBIOS domain entry for our PDC, named example in our case (that is the value of the workgroup parameter in smb.conf, and the two must agree), and we add the Windows built-in groups: Domain Admins, Domain Users and Domain Guests. The sambaSID of the domain entry must be the domain SID Samba generated for itself, shown by net getlocalsid; S-1-5-21-0 below is a placeholder (a real domain SID has three more numbers), and every user and group SID is built from it.

# example, Domains, domain
dn: sambaDomainName=example,ou=Domains,dc=domain
objectClass: sambaDomain
sambaDomainName: example
sambaSID: S-1-5-21-0
sambaAlgorithmicRidBase: 1000

# ntadmins, Groups, domain
dn: cn=ntadmins,ou=Groups,dc=domain
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: ntadmins
gidNumber: 10000
description: Domain Admins
sambaSID: S-1-5-21-0-512
sambaGroupType: 2
displayName: Domain Admins

# ntusers, Groups, domain
dn: cn=ntusers,ou=Groups,dc=domain
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: ntusers
gidNumber: 10001
description: Domain Users
sambaSID: S-1-5-21-0-513
sambaGroupType: 2
displayName: Domain Users

# ntguests, Groups, domain
dn: cn=ntguests,ou=Groups,dc=domain
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: ntguests
gidNumber: 10002
description: Domain Guests
sambaSID: S-1-5-21-0-514
sambaGroupType: 2
displayName: Domain Guests

Finally, here is an example of a user declaration inside our LDAP tree. This user is a generic definition that we can reuse in scripts to generate a large number of users. Do not forget that we may want to study a load-balancing solution later on, and those users will simulate real activity on a large-scale network.

# template, Users, domain
dn: uid=template,ou=Users,dc=domain
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: sambaSamAccount
cn: template
uid: template
uidNumber: 10000
gidNumber: 10001
homeDirectory: /home/template
givenName: template
sn: template
loginShell: /bin/bash
gecos: template template
description: template template
displayName: template
userPassword:: e1NTSEF9Sng3WUpNazdsdVZsU0E2aHYvN3JlS085UVdBaHZFblU=
shadowMin: 1
shadowMax: 365
shadowWarning: 10
shadowInactive: 10
shadowLastChange: 12451
shadowExpire: 21914
sambaSID: S-1-5-21-0-21000
sambaPrimaryGroupSID: S-1-5-21-0-513
sambaAcctFlags: [UX]
sambaHomePath: \\samba-server\template
sambaHomeDrive: U:
sambaDomainName: example
sambaNTPassword: 6D3986E540A63647454A50E26477EF94
sambaLMPassword: 9D51F8EC4F16C9ADAAD3B435B51404EE
sambaPwdLastSet: 1075829073
sambaPwdCanChange: 1041375601
sambaPwdMustChange: 1893452401

The definition is certainly more complete than we need, since it also carries the POSIX shadow attributes; we can shorten it by dropping the shadowAccount values. Two things are worth noting about the password attributes. sambaNTPassword and sambaLMPassword are the raw NT and LM hashes, i.e. password equivalents, which is why the slapd ACL above denies them to everyone but the admin DN. And the LM hash is weak: the password is upper-cased and hashed as two 7-character halves, and the second half of the value above, AAD3B435B51404EE, is the hash of an empty half, which tells anyone who can read it that the password is at most seven characters long. You may notice as well that the user's home path refers to samba-server. This point will be covered later, if we intend to centralize all data on a storage solution with concurrent access.

Share definition

Now that we have the PDC configuration and at least one user defined in it, we need to create a Samba share to validate the connection to our server. Note that the user's home directory is already accessible; here we want to create a share for anonymous use, a /tmp area, to demonstrate later the alternative connection from one server to the other.

We must complete the /etc/samba/smb.conf file with the necessary shares. First of all, on a PDC we have to define a [netlogon] section to hold the logon scripts, and a [profiles] section to host the users' profiles.

[netlogon]
path = /var/lib/samba/netlogon
writable = No
browsable = No
locking = No

[profiles]
path = /var/lib/samba/profiles
writable = Yes
browsable = No
guest ok = Yes
create mask = 0600
directory mask = 0700

Next, we have to share the users' home directories and our temporary share. These definitions are not meant to be a secure configuration, only to offer an access point to files on a PDC server: guest ok = Yes on [profiles] and [test] lets anonymous clients write profile data and /tmp, which you would not allow in production.

[homes]
comment = %u's Home Directory
writable = Yes
browsable = No
guest ok = No
create mask = 0600
directory mask = 0700

[test]
comment = Temporary test directory
path = /tmp
browsable = Yes
writable = Yes
guest ok = Yes

Samba tests

Before any other step, we have to test our PDC configuration. We must validate the following points to be sure that everything behaves normally so far:

  • List all browseable shares
  • Authenticate a user against Samba/LDAP
  • Access to a user’s home directory
  • Access to the test share
  • Write in the test share to leave a witness file

To run those tests we rely on the Samba tool suite; smbclient should be enough to pass all these points. Do not forget to check the smb.conf syntax with testparm to catch typos. Once that passes, we can start the interesting part of our configuration.
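The script below is an added example, not code from the page or from the Samba project: it drives the checklist above with testparm and smbclient, and also checks the slapd ACL from the LDAP section by confirming that an anonymous ldapsearch of the test user returns the entry without userPassword, sambaNTPassword or sambaLMPassword. It assumes the PDC answers to the NetBIOS alias samba-server, that slapd runs on ldap-server with the tree dc=domain, that the user passed on the command line (template here) exists, and that testparm, smbclient and ldapsearch are on PATH; the listing and LDIF samples used in its tests are constructed, not captured.

```python
"""Run the PDC validation checklist and verify the slapd password ACL.

Added example, not code from the page. Usage: python3 pdc_checks.py template <password>
Assumed hosts: samba-server (PDC alias) and ldap-server (slapd), tree dc=domain.
"""
import re
import subprocess
import sys
import tempfile

SERVER = "samba-server"
LDAP_URI = "ldap://ldap-server"
USER_BASE = "ou=Users,dc=domain"
# attributes the slapd ACL grants to the admin DN and the entry itself only
HASH_ATTRS = {"userPassword", "sambaNTPassword", "sambaLMPassword"}


def parse_share_list(listing: str) -> dict:
    """Map share name -> type (Disk/IPC/Printer) from `smbclient -L` output.
    Share names containing spaces are not handled (none are defined above)."""
    shares = {}
    for line in listing.splitlines():
        m = re.match(r"\s*(\S+)\s+(Disk|IPC|Printer)\b", line)
        if m:
            shares[m.group(1)] = m.group(2)
    return shares


def hash_attrs_in(ldif: str) -> set:
    """Password attributes present in ldapsearch LDIF output (':' or '::' values)."""
    found = set()
    for line in ldif.splitlines():
        m = re.match(r"([A-Za-z][A-Za-z0-9;-]*)::?\s", line)
        if m and m.group(1) in HASH_ATTRS:
            found.add(m.group(1))
    return found


def _run(*cmd) -> subprocess.CompletedProcess:
    return subprocess.run(list(cmd), capture_output=True, text=True)


def run_checks(user: str, password: str, server: str = SERVER) -> dict:
    """Each checklist item mapped to True/False."""
    results = {}
    results["smb.conf parses"] = _run("testparm", "-s").returncode == 0

    # anonymous share listing: [test] must show up, the browsable = No shares must not
    shares = parse_share_list(_run("smbclient", "-L", server, "-N").stdout)
    results["test share listed"] = shares.get("test") == "Disk"
    results["netlogon/profiles/homes hidden"] = not ({"netlogon", "profiles", "homes"} & shares.keys())

    # authenticated connection to the [homes] share proves the ldapsam lookup works
    r = _run("smbclient", f"//{server}/{user}", "-U", f"{user}%{password}", "-c", "ls")
    results["LDAP authentication and home access"] = r.returncode == 0

    # guest write to [test] leaves the witness file in /tmp on the server
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("witness\n")
    r = _run("smbclient", f"//{server}/test", "-N", "-c",
             f"put {f.name} witness.txt; ls witness.txt")
    results["witness file written to test share"] = r.returncode == 0 and "witness.txt" in r.stdout

    # anonymous bind: the entry is readable, the hash attributes must be absent
    r = _run("ldapsearch", "-x", "-H", LDAP_URI, "-b", USER_BASE, f"(uid={user})")
    results["anonymous bind cannot read password hashes"] = (
        r.returncode == 0 and "dn: uid=" in r.stdout and not hash_attrs_in(r.stdout))
    return results


if __name__ == "__main__":
    outcome = run_checks(sys.argv[1], sys.argv[2])
    for name, ok in outcome.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    sys.exit(0 if all(outcome.values()) else 1)
```

A FAIL on the last line means the "by * none" clause (or the indentation of the "by" lines) in slapd.conf is not in effect and the NT hashes are readable by anyone who can reach the directory.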
