As promised in my last post regarding SLES11, I chose Samba + OpenLDAP as the first two services to test for operation and stability on SLES11, since we all know that configuring both services and getting them running well on SLES10 and other Linux distros is a trivial job for most system admins.
- To have Samba file sharing and user authentication via LDAP server.
- Samba Version 3.2.7-11.6-2057-SUSE-CODE11
Notes : All software will be installed by default during the SLES11 installation. However, I still had to install "perl-ldap" before I could run any "smbldap-tools" command.
Samba+LDAP also requires "smbldap-tools" for user and group operations. Unfortunately, as with the previous package, SLES11 doesn't come with "smbldap-tools" either. I had to download it manually from somewhere, though I forget where.
Notes : Once I downloaded and installed it on my SLES11, "smbldap-tools" did not work properly and produced an error such as "Can't locate Unicode/MapUTF8.pm in @INC". This can be resolved by manually running this command on the SLES11 system: $perl -MCPAN -e 'install Unicode::MapUTF8'
This can be done fairly easily from YaST2: I just need to select the default one and use my proper base DN and Administrator login. However, in SLES11 OpenLDAP doesn't use the default slapd.conf that comes with the package; instead slapd.conf.YaST is used.
Once everything is done, start the LDAP server and review the entries in the LDAP server via a free tool called "LdapAdmin".
Notes : You can view, create and modify LDAP objects via LdapAdmin without problem. Unfortunately, LdapAdmin sometimes fails to create an LDAP user account that requires Samba/Unix integration. However, we can achieve this via the "smbldap-tools" commands.
First I need to install this rpm package with "$rpm -ivh smbldap-tools-0.9.5-26.1", then modify two files as below for my LDAP environment:
Now I'm going to create an LDAP group called "finance" via .ldif format as below
$ldapadd -x -D "cn=Administrator,dc=no-x,dc=org" -W -f /var/lib/ldap/groups-bak.ldif
Enter LDAP Password:
adding new entry “cn=finance,ou=groups,dc=no-x,dc=org”
Then, create the Unix group "finance" as below :
$groupadd -g 1001 finance (make sure the GID number is the same as the gidNumber in the .ldif)
Once finished, I link the LDAP group and the Unix group for the RID via LdapAdmin as below :
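The step above depends on the gidNumber in the LDIF and the GID passed to groupadd being identical, otherwise the Samba group mapping and the Unix group silently refer to different things. As an added example (not from the original post), the script below shows what such a group entry looks like in LDIF (posixGroup plus sambaGroupMapping, with a placeholder SID rather than a real domain SID) and checks it against a constructed /etc/group excerpt; the group name, DN and GID 1001 are the ones used on this page, everything else is assumed.

```shell
#!/bin/sh
# Added example: keep the LDAP group's gidNumber and the local Unix group's GID in step.
# The LDIF is constructed for illustration; the sambaSID prefix is a placeholder.

FINANCE_LDIF='dn: cn=finance,ou=groups,dc=no-x,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: finance
gidNumber: 1001
sambaSID: S-1-5-21-PLACEHOLDER-DOMAIN-SID-3003
sambaGroupType: 2
displayName: finance
'

# Constructed /etc/group excerpt: the line "groupadd -g 1001 finance" would add.
GROUP_FILE='root:x:0:
admin:x:1000:faisyal
finance:x:1001:
'

# gidNumber of the group named $2 inside the LDIF text $1 (prints nothing if absent).
ldif_gid() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^dn:/                { indn = ($0 ~ ("^dn: cn=" want ",")) }
        indn && /^gidNumber:/ { print $2; exit }'
}

# GID of the group named $2 inside /etc/group-style text $1.
unix_gid() {
    printf '%s\n' "$1" | awk -F: -v want="$2" '$1 == want { print $3; exit }'
}

# Exit 0 when both sides agree on the GID for group $3, 1 otherwise; prints a verdict.
check_gid_match() {
    l=$(ldif_gid "$1" "$3")
    u=$(unix_gid "$2" "$3")
    if [ -n "$l" ] && [ "$l" = "$u" ]; then
        echo "OK: group $3 has gidNumber $l in LDAP and GID $u in /etc/group"
        return 0
    fi
    echo "MISMATCH: group $3 is gidNumber '${l:-missing}' in LDAP but GID '${u:-missing}' in /etc/group"
    return 1
}

# Usage with the constructed data: prints the OK line.
check_gid_match "$FINANCE_LDIF" "$GROUP_FILE" finance
```

On a live host you would feed ldif_gid with the output of ldapsearch against ou=groups and unix_gid with /etc/group (or getent group) instead of the constructed strings.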
As you can see, the Samba group is now linked successfully with the Unix group. Now I will move user "faisyal" to this group with $smbldap-usermod -G finance faisyal. Since I haven't installed nss_ldap and pam_ldap, only the Samba+LDAP entry is modified and the Unix group remains as it is. In the attachment below, you can see that user "faisyal" falls under the "finance" Samba+LDAP group, but in Unix he is still sitting under group "admin" and is able to access the shared folder (valid users = admin) //192.168.1.95/test while other users cannot.
To correct this, I have to move the user manually in Unix via the command $usermod -a -G finance faisyal. New user creation for both the Samba+LDAP and the Unix user account can be done with the command below, though it doesn't put the user into the proper Unix group:
$smbldap-useradd -a -g 1001 -m -s /bin/bash -d /home/faisyal -F "" -P faisyal
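The mismatch described above (a user present in the LDAP group's memberUid list but absent from the Unix group that Samba actually checks) is easy to miss in LdapAdmin. As an added example that is not part of the original post, the script below reports such drift from an LDIF export of the group and an /etc/group excerpt; both inputs are constructed here to reproduce the faisyal case, and the ldapsearch command in the comment is the assumed way to obtain the LDAP side on a real server.

```shell
#!/bin/sh
# Added example: list users who are in the Samba/LDAP group but not in the matching
# Unix group, i.e. the state after "smbldap-usermod -G finance faisyal" without nss_ldap.
# Inputs are constructed; on a live host the LDAP side would come from
#   ldapsearch -x -b ou=groups,dc=no-x,dc=org '(cn=finance)' memberUid
# and the Unix side from /etc/group (or "getent group").

LDAP_GROUP='dn: cn=finance,ou=groups,dc=no-x,dc=org
cn: finance
gidNumber: 1001
memberUid: faisyal
memberUid: febry
'

GROUP_FILE='admin:x:1000:faisyal
finance:x:1001:febry
'

# Members of the LDAP group in LDIF text $1, one per line.
ldap_members() {
    printf '%s\n' "$1" | awk '/^memberUid:/ { print $2 }'
}

# Members of Unix group $2 in /etc/group-style text $1, one per line.
unix_members() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# Users in the LDAP group but absent from Unix group $3, one per line.
# A "valid users = @group" list in smb.conf is resolved through NSS, so every name
# printed here is denied on the share even though LdapAdmin shows it in the group.
ldap_only_members() {
    ldap_members "$1" | while read -r u; do
        unix_members "$2" "$3" | grep -qx "$u" || echo "$u"
    done
}

# Usage with the constructed data: prints "faisyal", the user that still needs
# "usermod -a -G finance faisyal" (or an nss_ldap setup that makes the fix unnecessary).
ldap_only_members "$LDAP_GROUP" "$GROUP_FILE" finance
```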
Okay will continue this later. I have to go for my company dinner now….
Okay, after one hour of hard work, I can confirm that my Samba+LDAP on SLES11 is now running very well. It just needed the minor configuration below :
- Install nss_ldap from YaST2
- Install pam_ldap from YaST2
- Configure LDAP Client from YaST2
Once all three configurations above were finished, I just created a new user "febry" in group "finance" and voilà! He can access the Samba /finance folder belonging to the "finance" group without problem.
$smbldap-useradd -a -G 'finance' -m -s /bin/bash -d /home/febry -F "" -P febry
- When you have finished the configuration in PART II above, you will notice some changes in /etc/nsswitch.conf
- New user creation via "smbldap-useradd" creates the user in Samba and LDAP and creates the user's home directory. However, no user account is created in /etc/passwd or /etc/group.
- Although there is no new user entry in /etc/passwd, the user can still connect to the server via ssh using LDAP authentication
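The nsswitch.conf change is what makes the last two points work: once ldap is listed as a source for passwd, group and shadow, NSS lookups (and therefore Samba's group checks and sshd's user lookup) see LDAP users that never appear in /etc/passwd. As an added example, not taken from the original post, the script below compares a constructed "before" and "after" nsswitch.conf and checks that ldap is present for each database; the exact layout YaST2 writes may differ from the assumed "compat ldap" form, so run it against your own file.

```shell
#!/bin/sh
# Added example: verify that /etc/nsswitch.conf lists ldap for the user databases.
# Both file bodies are constructed to mirror the typical YaST2 LDAP client change.
# On a real host, "getent passwd febry" is the end-to-end check: it only succeeds
# once nss_ldap is active.

NSS_BEFORE='passwd: compat
group:  compat
shadow: compat
hosts:  files dns
'

NSS_AFTER='passwd: compat ldap
group:  compat ldap
shadow: compat ldap
hosts:  files dns
'

# Sources configured for database $2 in nsswitch text $1, e.g. "compat ldap".
nss_sources() {
    printf '%s\n' "$1" | awk -v db="$2" '
        $1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Returns 0 when ldap is listed for every database named in $2..; prints what is missing.
nss_ldap_enabled() {
    cfg=$1; shift
    ok=0
    for db in "$@"; do
        case " $(nss_sources "$cfg" "$db") " in
            *" ldap "*) ;;
            *) echo "no ldap source for $db"; ok=1 ;;
        esac
    done
    return $ok
}

# Usage: the "before" file reports three missing databases, the "after" file is silent.
nss_ldap_enabled "$NSS_BEFORE" passwd group shadow || echo "before: LDAP client not yet configured"
nss_ldap_enabled "$NSS_AFTER" passwd group shadow && echo "after: LDAP users resolvable via NSS"
```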
athlon_crazy 26/01/2009 2:04am