As promised in my last post regarding SLES11, I chose Samba + Openldap to be the first 2 services I’m going to try for the operational and stability in SLES11. Since we all knew this is trivial job for some system admin to configure both services and make it running well on SLES10 and some Linux Distro.

Objectives:

• To have Samba file sharing and user authentication via LDAP server.

Software Requirements:

• Samba Version 3.2.7-11.6-2057-SUSE-CODE11
• Openldap2-2.4.12-7.14
• perl

Notes : All software will be installed by default during SLES11 installation. However I still have to install “perl-ldap” before I can run any “smbldap-tools” command.
Additional Software

• smbldap-tools-0.9.5-26.1

Samba+Ldap also require “smbldap-tools” for user & group operation. Unfortunately, akin to the previous one, SLES11 also doesn’t come with “smbldap-tools”. I have to download it manually from somewhere which I forgot where

Notes : Once I downloaded & installed it on my SLES11, “smbldap-tools” not working properly and produced an error such “Can’t locate Unicode/MapUTF8.pm in @INC“. This can be resolved by manually run this command on my SLES11 system $perl -MCPAN -e ‘install Unicode::MapUTF8′

OPENLDAP CONFIGURATION

This can be done fairy easy from YasT2 and I just need to select the default one and use my proper base DN and Administrator login. However in SLES11, Openldap don’t use default slapd.conf which come together with the package, instead slapd.conf.YaST will be used.

Once everything done, start the Ldap server, and review the entry in my Ldap server via free tool call “LdapAdmin”.

Notes : You can view, create and modify Ldap object via LdapAdmin without problem. Unfortunately, LdapAdmin sometime failed to create successfully Ldap user account which require samba/unix integration. However, we can achieve this via “smbldap-tools” command.

SMBLDAP-TOOL CONFIGURATION

First I need to install this rpm packages “$rpm -ivh smbldap-tools-0.9.5-26.1” then modify two files as below for my Ldap environment:

• smbldap.conf
• smbldap_bind.conf

Now I’m going to create Ldap group call “finance” via .ldif format as below

$cat /var/lib/ldap/groups-bak.ldif
dn: cn=finance,ou=groups,dc=no-x,dc=org
objectClass: posixGroup
objectClass: top
objectClass: namedObject
cn: finance
userPassword: {crypt}x
gidNumber: 1001

$ldapadd -x -D “cn=Administrator,dc=no-x,dc=org” -W -f /var/lib/ldap/groups-bak.ldif

Enter LDAP Password:
adding new entry “cn=finance,ou=groups,dc=no-x,dc=org” 

Then, create unix group “finance” as below :

$groupadd -g 1001 finance (Make sure gid number is similar with the one in .ldif)

Once finished, I link it between both Ldap and Unix group for RID via LdapAdmin as below :

 
As you can see both Samba group now link together successfully with Unix group. Now I will move user “faisyal” to this group with $smbldap-usermod -G finance faisyal. Since I don’t installed nss_ldap & pam_ldap, only Samba+ldap entry will be modified and Unix group will be remained as is. As attachment below, you can see user “faisyal” fall under “finance” Samba+ldap group but in Unix, he still sitting under group “admin” and able to access share folder (valid user=admin) //192.168.1.95/test while other user cannot.

To correct this, I have to manually move the user in unix manually via command $usermod -a -G finance faisyal. New user creation for both Samba+Ldap and Unix user account can be done with below command though it doesn’t populate the user to proper Unix group:

$smbldap-useradd -a -g 1001 -m -s /bin/bash -d /home/faisyal -F “” -P faisyal

Okay will continue this later. I have to go for my company dinner now….

ariyossss

PART II

Okay, after one hour hard work, I can confirm that my samba+ldap on SLES11 now running very well. Just need minor configuration as below :

• Install nss_ldap from YaST2
• Install pam_ldap from YaST2
• Configure LDAP Client from YaST2

Once finished all three configuration above I just create new user “febry” group “finance” and vola! he can access samba /finance folder belong to “finance” group without problem.

$smbldap-useradd -a -G ‘finance’ -m -s /bin/bash -d /home/febry -F “” -P febry

 

Notes :

• When you, finished configured as PART II above, you will noticed there are some changes on /etc/nsswitch.conf
• New user creation via “smbldap-useradd” will create user in samba, ldap and user home directory. However, no user account will be created in /etc/passwd & /etc/group.
• Though no new user entry in /etc/passwd, user still can connect to server via ssh using ldap authentication

ariyossss

athlon_crazy 26/01/2009 2:04am