Topic: Joining and authenticating a linux machine to an ebox domain.

jcanfield

Joining and authenticating a linux machine to an ebox domain.
« on: December 27, 2007, 05:33:14 am »
I don't see much documentation on this, so I thought I would write a quick HOWTO to join a linux box (ubuntu in this case) to an ebox samba domain. This is intended to be a rough draft, so please feel free to add to it; perhaps we can find a more appropriate place like the wiki soon.

SERVER (EBOX):

1.  Create a user with admin rights (Ex: admin)....remember the password! :)
2.  Enable Samba as PDC
3.  Gather the following info:

      Base dn:  dc=ebox
      Admin dn: cn=admin,dc=ebox
      Admin Pass: ebox2611130574  (This may vary...verify in /etc/ldap/slapd.conf)
      Domain Name:  EBOX (Whatever you set it to when you set up Samba as PDC)
      Ebox Server IP/hostname:  192.168.1.1  (If you set up DNS, a hostname.domain would be better, but an IP will work)

Client (DESKTOP-PC):

1.  Install samba, ldap, etc...see ubuntu instructions: 
     https://help.ubuntu.com/community/LDAPClientAuthentication

2.  copy your old smb.conf to a safe place
Code:
cp /etc/samba/smb.conf{,.orig}
3.  Edit smb.conf.  Erase everything and add the following:

Code:
[global]
        unix charset = LOCALE
        workgroup = EBOX
        security = DOMAIN
        log level = 1
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 50
        smb ports = 137 138 139 445
        name resolve order = wins bcast hosts
        printcap name = CUPS
        wins server = 192.168.1.1
        ldap admin dn = cn=admin,dc=ebox
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Users
        ldap suffix = dc=ebox
        ldap user suffix = ou=Users
        idmap backend = ldap:ldap://192.168.1.1
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind trusted domains only = Yes
        printing = cups
        print command =
        lpq command = %p
        lprm command =

4. Test your new config.
Code:
# testparm
...you should see
Code:
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

5.  Restart Samba.
Code:
/etc/init.d/samba restart

6.  Join the domain
Code:
net join -U admin
Password:  [admin password]
You should then see:
Code:
Joined domain EBOX

7.  That's it...welcome to the EBOX domain!

 
"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius...and a lot of courage - to move in the opposite direction."  --  Albert Einstein
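A small checker for the smb.conf shape used in the HOWTO above, written as an added example (not code from the thread or from the eBox project): it parses the [global] section and flags the settings that decide whether the box is a domain member, whether the admin DN sits under the LDAP suffix, and whether the idmap ranges stay clear of local account ids. The embedded smb.conf is constructed to match the HOWTO; the address and suffixes are placeholders.

```python
import re

# Constructed sample in the shape of the HOWTO's smb.conf above; the server
# address and LDAP suffixes are placeholders, not a real deployment.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = EBOX
        security = DOMAIN
        wins server = 192.168.1.1
        ldap admin dn = cn=admin,dc=ebox
        ldap suffix = dc=ebox
        ldap user suffix = ou=Users
        idmap backend = ldap:ldap://192.168.1.1
        idmap uid = 10000-20000
        idmap gid = 10000-20000
"""
REQUIRED = ("workgroup", "security", "ldap admin dn", "ldap suffix",
            "idmap backend", "idmap uid", "idmap gid")

def parse_global(text):
    """Return the [global] options as a dict (keys lower-cased, values as written)."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")  # split at the first '=' only
            opts[key.strip().lower()] = value.strip()
    return opts

def check_domain_member(opts, local_id_max=999):
    """List problems with a domain-member config; an empty list means it passes."""
    problems = [f"missing '{k}'" for k in REQUIRED if not opts.get(k)]
    if opts.get("security", "").upper() != "DOMAIN":
        problems.append("security must be DOMAIN (testparm then shows ROLE_DOMAIN_MEMBER)")
    suffix = opts.get("ldap suffix", "")
    if suffix and not opts.get("ldap admin dn", "").endswith(suffix):
        problems.append("ldap admin dn is not under ldap suffix")
    if not opts.get("idmap backend", "").startswith("ldap:"):
        problems.append("idmap backend should be ldap:// so every client shares one id map")
    for key in ("idmap uid", "idmap gid"):     # ranges must sit above local accounts
        m = re.fullmatch(r"(\d+)-(\d+)", opts.get(key, ""))
        if not m or int(m[1]) > int(m[2]):
            problems.append(f"'{key}' is not a LOW-HIGH range")
        elif int(m[1]) <= local_id_max:
            problems.append(f"'{key}' overlaps local ids below {local_id_max + 1}")
    return problems
```

Run it against /etc/samba/smb.conf before `testparm`; it catches the mistakes `testparm` does not report, such as an idmap range that collides with local uids.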

drdebian

Re: Joining and authenticating a linux machine to an ebox domain.
« Reply #1 on: December 28, 2007, 09:01:44 am »
Thanks for the nice write-up, I wasn't aware that ebox made its LDAP directory available to the network.


jcanfield

Re: Joining and authenticating a linux machine to an ebox domain.
« Reply #2 on: December 28, 2007, 06:28:57 pm »
Thanks for the nice write-up, I wasn't aware that ebox made its LDAP directory available to the network.

Welcome!  I'm assuming the ebox team has not yet addressed many of the security issues associated with ldap at this point, but they have a great foundation to build on.  Perhaps I will write an ebox "hardening" HOWTO soon.

I have had a few small issues with the config above that you should be aware of.

1) If you are doing ldap auth on a ubuntu machine, make sure you have bind_policy=soft in your ldap.conf or your machine will lock on boot.

2) There is also an issue with uidNumber assignment when joining a machine to the domain via samba.  I have an e-mail in on the devel mailing list to address this one.

3) User home directories are created in /home/samba/users/[username], so if pam creates home directories from skel...they are built with that path.  Nothing wrong with this, but I find it mildly irritating.  There is one advantage though - This way you know what users are domain users on a local machine.  Effectively, the same as user.domainname on a windows profile.

drdebian

Re: Joining and authenticating a linux machine to an ebox domain.
« Reply #3 on: December 29, 2007, 03:54:18 am »
Those are good points. As for the home directories beneath /home/samba, I'd appreciate the fact that I'd be able to tell local and LDAP userdirs apart as well.

Anyway, I'm sure one of the devs is already looking at integrating TLS into the stock slapd config to cut down on the eavesdropping. If you think about it, everything necessary is already there (certificates, working config, etc.), so it should be merely a matter of adding a bunch of lines to slapd.conf and a checkbox or 2 to the webinterface.

Right?

jcanfield

Re: Joining and authenticating a linux machine to an ebox domain.
« Reply #4 on: December 29, 2007, 04:06:31 pm »
If you think about it, everything necessary is already there (certificates, working config, etc.), so it should be merely a matter of adding a bunch of lines to slapd.conf and a checkbox or 2 to the webinterface.

Right?

Correct.  There would be a few other things to change, like making sure TLS is enabled in the ldap config, but once it's set up and working, everything would be pretty standard.

I'm really excited about this project.  I've dreamed about having all this in a "quality" web interface for years.       

drdebian

Re: Joining and authenticating a linux machine to an ebox domain.
« Reply #5 on: December 30, 2007, 06:41:48 am »
Yes, this project is indeed very exciting. It's a shame that I don't know enough Perl to be of any help to the project, so I'll stick to making good suggestions. ;)

patcunha

Re: Joining and authenticating a linux machine to an ebox domain.
« Reply #6 on: April 21, 2008, 12:41:01 pm »
When I try to join the domain I get an error (I'm working with suse 10.3):

could not connect to server EBOX-SMB3
the username or password was not correct
connection failed: NT_STATUS_LOGON_FAILURE

I got the password from /etc/ldap/slapd.conf

What can be wrong?

drdebian

Re: Joining and authenticating a linux machine to an ebox domain.
« Reply #7 on: April 21, 2008, 01:28:25 pm »
When I try to join the domain I get an error (I'm working with suse 10.3):

could not connect to server EBOX-SMB3
the username or password was not correct
connection failed: NT_STATUS_LOGON_FAILURE

I got the password from /etc/ldap/slapd.conf

What can be wrong?

I don't think you can just use the md5-hashed password value from slapd.conf. You should be able to join the domain using any account that has been marked "Admin" in eBox.

patcunha

Re: Joining and authenticating a linux machine to an ebox domain.
« Reply #8 on: April 22, 2008, 12:20:23 pm »
Quote
You should be able to join the domain using any account that has been marked "Admin" in eBox.

OK! I did that and I got a message saying "welcome to the domain"!

Now I want to know how I change the login so that I can log in with the domain accounts.
Something like this:
« Last Edit: April 22, 2008, 12:33:58 pm by patcunha »

drdebian

Re: Joining and authenticating a linux machine to an ebox domain.
« Reply #9 on: April 22, 2008, 12:34:14 pm »
Quote
You should be able to join the domain using any account that has been marked "Admin" in eBox.

OK! I did that and I got a message saying "welcome to the domain"!

Now I want to know how I change the login so that I can log in with the domain accounts.

Unless I'm misunderstanding your question, I think all you need to do is create more regular users in eBox who should be able to log onto any PC in the domain.

patcunha

Re: Joining and authenticating a linux machine to an ebox domain.
« Reply #10 on: April 22, 2008, 12:54:55 pm »
I have lots of users!!!
But it seems that the login window only lets the users log in to the computer and not to the domain.

Do I need to write instead of just using the username, use domain/username???

or

change the display manager??? gdm or kdm

drdebian

Re: Joining and authenticating a linux machine to an ebox domain.
« Reply #11 on: April 22, 2008, 01:59:49 pm »
I have lots of users!!!
But it seems that the login window only lets the users log in to the computer and not to the domain.

Do I need to write instead of just using the username, use domain/username???

or

change the display manager??? gdm or kdm

OK, didn't see that screenshot before and thought you were using Windows clients on the domain... ;)

Anyway, please log onto the text console using the root account and tell me if the output of "getent passwd" contains any of your users on eBox.

patcunha

Re: Joining and authenticating a linux machine to an ebox domain.
« Reply #12 on: April 23, 2008, 06:29:30 pm »
I can only see users in the machine not in the domain.
What now?

To see the login window like the screenshot, I need to change DISPLAYMANAGER_AD_INTEGRATION to yes in yast --> editor /etc/sysconfig, reboot, and there you go!

But in domain I can't see my domain, only local.
« Last Edit: April 24, 2008, 07:26:19 pm by patcunha »

drdebian

Re: Joining and authenticating a linux machine to an ebox domain.
« Reply #13 on: April 25, 2008, 09:37:08 am »
I can only see users in the machine not in the domain.
What now?

To see the login window like the screenshot, I need to change DISPLAYMANAGER_AD_INTEGRATION to yes in yast --> editor /etc/sysconfig, reboot, and there you go!

But in domain I can't see my domain, only local.

Right, that means that your client isn't using the LDAP directory to retrieve the users in the domain. Make sure you go through https://help.ubuntu.com/community/LDAPClientAuthentication again until "getent passwd" and "getent group" show local as well as domain users.
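The "getent passwd" check above, plus the uidNumber problem mentioned earlier in the thread, as an added example (not code from the thread or from eBox): it parses passwd-format output, uses the HOWTO's idmap uid range (10000-20000) to tell local entries from domain entries, reports when no domain user resolves at all, and flags two accounts sharing one uid. The getent output is constructed and the account names are made up.

```python
# Constructed `getent passwd` output with two local accounts and two domain
# accounts mapped into the HOWTO's idmap range (10000-20000); names are made up.
GETENT_OK = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Local:/home/alice:/bin/bash
bob:x:10001:10001:Bob Domain:/home/samba/users/bob:/bin/bash
carol:x:10002:10001:Carol Domain:/home/samba/users/carol:/bin/bash
"""
# Same machine before NSS is wired to LDAP: only the local entries come back.
GETENT_LOCAL_ONLY = "\n".join(GETENT_OK.splitlines()[:2]) + "\n"

def parse_passwd(text):
    """Parse passwd-format lines into dicts; a malformed line raises ValueError."""
    users = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"not a passwd entry: {line!r}")
        users.append({"name": fields[0], "uid": int(fields[2]),
                      "gid": int(fields[3]), "home": fields[5]})
    return users

def split_local_domain(users, idmap_uid=(10000, 20000)):
    """Return (local names, domain names), using the idmap uid range as the divider."""
    low, high = idmap_uid
    domain = [u["name"] for u in users if low <= u["uid"] <= high]
    local = [u["name"] for u in users if u["name"] not in domain]
    return local, domain

def diagnose(users, idmap_uid=(10000, 20000)):
    """Findings to act on; an empty list means domain users resolve cleanly."""
    findings = []
    local, domain = split_local_domain(users, idmap_uid)
    if not domain:
        findings.append("no uid in the idmap range: NSS is not consulting LDAP "
                        "(check the ldap entries in nsswitch.conf and ldap.conf)")
    owners = {}
    for u in users:   # a duplicate uidNumber lets two accounts own each other's files
        if u["uid"] in owners:
            findings.append(f"uid {u['uid']} shared by {owners[u['uid']]} and {u['name']}")
        owners.setdefault(u["uid"], u["name"])
    return findings
```

On a real client, feed it the output of `getent passwd` and adjust the range if your smb.conf uses a different idmap uid setting.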

themachine

Re: Joining and authenticating a linux machine to an ebox domain.
« Reply #14 on: April 29, 2008, 01:56:41 am »
I installed Hardy Desktop 8.04 and the instructions did not work.

Windows XP authenticated immediately with no client configuration, and I was determined to get a linux box to authenticate.  I finally succeeded after many hours of tampering and finding nothing online despite many searches and lots of reading.

The LDAP guide is nearly correct but there were a few things that also are important.

Now to my question:

Client user authentication works using the LDAP guide linked above along with some tampering; however, the rest of this page shows you how to join the domain.  What benefits are there of joining the domain?  I can authenticate whether I join the domain or not through LDAP, so what is the point?

I am not an expert and this is my first time using ebox and openLDAP authentication, so any information or ideas are appreciated.