Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: jcanfield on December 27, 2007, 05:33:14 am

Title: Joining and authenticating a linux machine to an ebox domain.
Post by: jcanfield on December 27, 2007, 05:33:14 am
I don't see much documentation on this, so I thought I would write a quick HOWTO to join a linux box (Ubuntu in this case) to an ebox samba domain. This is intended to be a rough draft, please feel free to add to it; perhaps we can find a more appropriate place like the wiki soon.

SERVER (EBOX):

1.  Create a user with admin rights (Ex: admin)....remember the password! :)
2.  Enable Samba as PDC
3.  Gather the following info:

      Base dn:  dc=ebox
      Admin dn: cn=admin,dc=ebox
      Admin Pass: ebox2611130574  (This may vary...verify in /etc/ldap/slapd.conf)
      Domain Name:  EBOX (Whatever you set it  to when you setup Samba as PDC)
      Ebox Server IP/hostname:  192.168.1.1  (If you setup dns a hostname.domain would be better but an IP will work)

Client (DESKTOP-PC):

1.  Install samba, ldap, etc...see ubuntu instructions: 
     https://help.ubuntu.com/community/LDAPClientAuthentication

2.  copy your old smb.conf to a safe place
Code:
cp /etc/samba/smb.conf{,.orig}
3.  Edit smb.conf.  Erase everything and add the following:

Code:
[global]
        unix charset = LOCALE
        workgroup = EBOX
        security = DOMAIN
        log level = 1
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 50
        smb ports = 137 138 139 445
        name resolve order = wins bcast hosts
        printcap name = CUPS
        wins server = 192.168.1.1
        ldap admin dn = cn=admin,dc=ebox
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Users
        ldap suffix = dc=ebox
        ldap user suffix = ou=Users
        idmap backend = ldap:ldap://192.168.1.1
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind trusted domains only = Yes
        printing = cups
        print command =
        lpq command = %p
        lprm command =

4. Test your new config.
Code:
# testparm
...you should see
Code:
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

5.  Restart Samba.
Code:
/etc/init.d/samba restart

6.  Join the domain
Code:
net join -U admin
Password:  [admin password]
You should then see:
Code:
Joined domain EBOX

7.  That's it...welcome to the EBOX domain!

 
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: drdebian on December 28, 2007, 09:01:44 am
Thanks for the nice write-up, I wasn't aware that ebox made its LDAP directory available to the network.

Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: jcanfield on December 28, 2007, 06:28:57 pm
Quote
Thanks for the nice write-up, I wasn't aware that ebox made its LDAP directory available to the network.

Welcome!  I'm assuming the ebox team has not yet addressed many of the security issues associated with ldap at this point, but they have a great foundation to build on.  Perhaps I will write an ebox "hardening" HOWTO soon.

I have had a few small issues with the config above that you should be aware of.

1) If you are doing ldap auth on a ubuntu machine, make sure you have bind_policy=soft in your ldap.conf or your machine will lock on boot.

2) There is also an issue with uidNumber assignment when joining a machine to the domain via samba.  I have an e-mail in on the devel mailing list to address this one.

3) User home directories are created in /home/samba/users/[username], so if pam creates home directories from skel...they are built with that path.  Nothing wrong with this, but I find it mildly irritating.  There is one advantage though - This way you know what users are domain users on a local machine.  Effectively, the same as user.domainname on a windows profile.
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: drdebian on December 29, 2007, 03:54:18 am
Those are good points. As for the home directories beneath /home/samba, I'd appreciate the fact that I'd be able to tell local and LDAP userdirs apart as well.

Anyway, I'm sure one of the devs is already looking at integrating TLS into the stock slapd config to cut down on the eavesdropping. If you think about it, everything necessary is already there (certificates, working config, etc.), so it should be merely a matter of adding a bunch of lines to slapd.conf and a checkbox or 2 to the webinterface.

Right?
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: jcanfield on December 29, 2007, 04:06:31 pm
Quote
If you think about it, everything necessary is already there (certificates, working config, etc.), so it should be merely a matter of adding a bunch of lines to slapd.conf and a checkbox or 2 to the webinterface.

Right?

Correct.  There would be a few other things to change like making sure TLS is enabled in the ldap config, but once it's setup and working, everything would be pretty standard.

I'm really excited about this project.  I've dreamed about having all this in a "quality" web interface for years.       
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: drdebian on December 30, 2007, 06:41:48 am
Yes, this project is indeed very exciting. It's a shame that I don't know enough Perl to be of any help to the project, so I'll stick to making good suggestions. ;)
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: patcunha on April 21, 2008, 12:41:01 pm
When I try to join the domain I get an error (I'm working with suse 10.3):

could not connect to server EBOX-SMB3
the username or password was not correct
connection failed: NT_STATUS_LOGON_FAILURE

I got the password from /etc/ldap/slapd.conf

What can be wrong?
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: drdebian on April 21, 2008, 01:28:25 pm
Quote
When I try to join the domain I get an error (I'm working with suse 10.3):

could not connect to server EBOX-SMB3
the username or password was not correct
connection failed: NT_STATUS_LOGON_FAILURE

I got the password from /etc/ldap/slapd.conf

What can be wrong?

I don't think you can just use the md5-hashed password value from slapd.conf. You should be able to join the domain using any account that has been marked "Admin" in eBox.
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: patcunha on April 22, 2008, 12:20:23 pm
Quote
You should be able to join the domain using any account that has been marked "Admin" in eBox.

OK! I did that and I got a message saying "welcome to the domain"!

Now I want to know how do I change the login so that I can login with the domain accounts.
Something like this:
(http://reverendted.files.wordpress.com/2006/09/sled-004-joined-displaymanager.png)
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: drdebian on April 22, 2008, 12:34:14 pm
Quote
You should be able to join the domain using any account that has been marked "Admin" in eBox.

OK! I did that and I got a message saying "welcome to the domain"!

Now I want to know how do I change the login so that I can login with the domain accounts.

Unless I'm misunderstanding your question, I think all you need to do is create more regular users in eBox who should be able to log onto any PC in the domain.
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: patcunha on April 22, 2008, 12:54:55 pm
I have lots of users!!!
But it seems that the login window only lets the users log in to the computer and not to the domain.

Do I need to write instead of just using the username, use domain/username???

or

change the displaymanager??? gdm or kdm
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: drdebian on April 22, 2008, 01:59:49 pm
Quote
I have lots of users!!!
But it seems that the login window only lets the users login in the computer and not in the domain.

Do I need to write instead of just using the username, use domain/username???

or

change the displaymanager??? gdm or kdm

OK, didn't see that screenshot before and thought you were using Windows clients on the domain... ;)

Anyway, please log onto the text console using the root account and tell me if the output of "getent passwd" contains any of your users on eBox.
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: patcunha on April 23, 2008, 06:29:30 pm
I can only see users in the machine not in the domain.
What now?

To see the login window like the screenshot I need to change in yast --> editor /etc/sysconfig DISPLAYMANAGER_AD_INTEGRATION to yes, reboot, and there you go!

But in domain I can't see my domain, only local.
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: drdebian on April 25, 2008, 09:37:08 am
Quote
I can only see users in the machine not in the domain.
What now?

To see the login window like the screen shot  I need to change in yast --> editor /etc/sysconfig DISPLAYMANAGER_AD_INTEGRATION to yes, reboot, and there you go!

But in domain I can't see my domain, only local.

Right, that means that your client isn't using the LDAP directory to retrieve the users in the domain. Make sure you go through https://help.ubuntu.com/community/LDAPClientAuthentication again until "getent passwd" and "getent group" show local as well as domain users.
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: themachine on April 29, 2008, 01:56:41 am
I installed Hardy Desktop 8.04 and the instructions did not work.

Windows XP authenticated immediately with no client configuration, and I was determined to get a linux box to authenticate.  I finally succeeded after many hours of tampering and finding nothing online despite many searches and lots of reading.

The LDAP guide is nearly correct but there were a few things that also are important.

Now to my question:

Client user authentication works using the LDAP guide linked above along with some tampering, however,  the rest of this page shows you how to join the domain.  What benefits are there of joining the domain?  I can authenticate whether I join the domain or not through LDAP so what is the point?

I am not an expert and this is my first time using ebox and openLDAP authentication so any information or ideas are  appreciated.



Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: jcanfield on April 29, 2008, 03:11:28 am
Quote
Client user authentication works using the LDAP guide linked above along with some tampering, however, the rest of this page shows you how to join the domain.  What benefits are there of joining the domain?  I can authenticate whether I join the domain or not through LDAP so what is the point?

When you join the domain the primary benefit is Domain access, just as the windows machines gain rights to the domain shares and machines.  True, you can authenticate w/o domain membership...but what fun is that if you are a second class citizen on the network?  :)

See: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html#id350259

Also, you are right about having to make some changes that aren't covered in the howto, in fact, there are several things I would do differently.  I have a rough set of notes from my hardy install, I just haven't gotten around to creating an updated howto.  Feel free to post any necessary changes you made.

Hope this helps.

Jim

Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: patcunha on April 29, 2008, 10:31:46 am
What should be in the LDAP base DN ?
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: themachine on April 30, 2008, 09:37:32 pm
Quote
Client user authentication works using the LDAP guide linked above along with some tampering, however, the rest of this page shows you how to join the domain.  What benefits are there of joining the domain?  I can authenticate whether I join the domain or not through LDAP so what is the point?

When you join the domain the primary benefit is Domain access, just as the windows machines gain rights to the domain shares and machines.  True, you can authenticate w/o domain membership...but what fun is that if you are a second class citizen on the network?  :)

See: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html#id350259

Also, you are right about having to make some changes that aren't covered in the howto, in fact, there are several things I would do differently.  I have a rough set of notes from my hardy install, I just haven't gotten around to creating an updated howto.  Feel free to post any necessary changes you made.

Hope this helps.

Jim

Sorry, I am still not following.  I can authenticate to the server and I am able to access the network shares without joining the domain.  If I use the "mount -t cifs" command I am able to access my shares.  I am running Ebox as a PDC with roaming profiles.

In windows I know that you have group policy to push out to clients, but even if you do not join a windows domain, you can still access shares if you provide credentials.

Here are some of the changes that I used to configure client authentication:

On the client machine edit /etc/ldap.conf

These 2 seemed to be the main culprits in preventing the "getent passwd" command from pulling down the users from the server.

I apologise about my poor post formatting, I am new to posting to forums, I usually search for hours to find solutions and decided I might finally be in a position where I can start contributing.
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: themachine on April 30, 2008, 09:40:47 pm
Quote
What should be in the LDAP base DN ?

dc=ebox
cn=admin,dc=ebox

Regardless of what you have named your Domain.  I got stuck trying to set these up myself based on the domain name.  For example, if my domain is configured in Ebox as  mydomain.com, I join a windows client to this domain by entering mydomain.com and entering the administrative password.  However, with linux I was trying to use dc=mydomain,dc.com and it failed.  Simply using ebox worked for me.


Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: jcanfield on May 01, 2008, 05:18:23 am
Quote
Sorry, I am still not following.  I can authenticate to the server and I am able to access the network shares without joining the domain.  If I use  the "mount -t cifs" command I am able to access my shares.  I am running Ebox as a PDC with roaming profiles.

...but you have to access the share via authentication (some you have no access at all) every time you need access.  As a domain member, you do not have to authenticate.  Does that make sense?  Try browsing the windows network as a domain member vs a non-member.
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: themachine on May 01, 2008, 11:18:57 am
Quote
Sorry, I am still not following.  I can authenticate to the server and I am able to access the network shares without joining the domain.  If I use  the "mount -t cifs" command I am able to access my shares.  I am running Ebox as a PDC with roaming profiles.

...but you have to access the share via authentication (some you have no access at all) every time you need access.  As a domain member, you do not have to authenticate.  Does that make sense?  Try browsing the windows network as a domain member vs a non-member.



Yes Windows will send your credentials for you if you are a member of the domain.  I understand the benefits of windows joining the domain but I found that with Linux clients I am prompted for credentials when accessing a network share regardless of whether I join the domain or not.  The only way that I found I could stop the prompts was to add the password to my keyring.

Do you find that joining the domain as a linux client you are never prompted for a password for protected shares?
If so then I have missed something in the configuration.


Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: dmeireles on May 30, 2008, 12:32:09 pm
Quote
I installed Hardy Desktop 8.04 and the instructions did not work.

WIndows XP authenticated immediately with no client configuration, and I was determined to get a linux box to authenticate.  I finally succeeded after many hours of tampering and finding nothing online despite many searches and lots of reading.

The LDAP guide is nearly correct but there were a few things that also are important.

Now to my question:

Client user authentication works using the LDAP guide linked above along with some tampering, however,  the rest of this page shows you how to join the domain.  What benefits are there of joining the domain?  I can authenticate whether I join the domain or not through LDAP so what is the point?

I am not an expert and this is my first time using ebox and openLDAP authentication so any information or ideas are appreciated.

I think that the advantage of joining the domain would be the fact that, when doing an smb://yourserver you wouldn't need to put your username and password, since you have been already authenticated with that server when logging in your machine. But still, there must be another way to do this without samba, something more linux native... no!?
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: dmeireles on August 22, 2008, 02:01:39 pm
Hi all. A couple of questions before trying your setup:

- Can you login on the domain without a corresponding user account on the machine? And if you can, how do you define that you can use audio devices, mount drives, setup printers, do sudo, etc...? The eBox LDAP structure is prepared for Windows, users don't belong to unix groups such as audio and sudo, that's why I ask... =\
- Is there a way to have this centralized authentication without using samba? samba is mostly used for windows, since the server is linux, there must be a more native way to perform client PCs' authentication against the server's ldap db
- What happens if you try to login without a connection to the server (like a road warrior)? Will the system use a cached password or won't it allow you to log in?
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: dmeireles on September 23, 2008, 12:50:06 pm
bump please....
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: jcanfield on September 24, 2008, 03:59:43 am
dmeireles,

Those are actually some of the biggest issues you will see, especially on a ubuntu machine, Redhat handles ldap auth much better with a very simple authconfig interface.  In my experience, you must either change the device groups or add the user locally to the Linux workstation. Concerning your road warrior issue, I've been working on that...You can log in using cached credentials [1] and log in when away from the ldap domain.

[1] https://help.ubuntu.com/community/PamCcredsHowto

Please post any progress you make on this issue back to the forums, this is one apple that needs polishing.

-jim


Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: pechenushka on June 24, 2010, 10:40:59 pm
Can somebody provide a little  how-to  about joining the  fedora 13  to ebox's ldap and pdc please.
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: mauriziomarini on July 14, 2011, 08:08:42 am
I was able to join a centos 5.6 using authconfig without issues.
The trouble was to get getent passwd/group working and getting info from ebox ldap; I solved it at last by copying from the pdc the file ldap.conf, after adjusting ldapi to ldap:

Code:
base dc=pdc,dc=xxxxx,dc=it
uri ldap://192.168.111.6
ldap_version 3
bind_policy soft
rootbinddn cn=ebox,dc=pdc,dc=xxxxx,dc=it
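As an added example (not code from any post in this thread), here is a small checker for the two client-side files the thread keeps returning to: the domain-member smb.conf from the first post and the nss_ldap/pam_ldap ldap.conf just shown, including jcanfield's bind_policy=soft note and the plaintext-LDAP concern raised by drdebian. Sample config and /etc/passwd lines are constructed from values quoted in the thread; `ssl start_tls` and `tls_cacertfile` are standard nss_ldap/pam_ldap options, and the CA path is a placeholder.

```python
# Added checker (not from the forum posts) for the two client files this thread
# keeps returning to: the domain-member smb.conf from the first post and the
# nss_ldap/pam_ldap ldap.conf. Sample inputs are constructed from values quoted
# in the thread.
import re

SMB_CONF = """\
[global]
        workgroup = EBOX
        security = DOMAIN
        ldap admin dn = cn=admin,dc=ebox
        ldap suffix = dc=ebox
        idmap backend = ldap:ldap://192.168.1.1
        idmap uid = 10000-20000
        idmap gid = 10000-20000
"""
# ldap.conf as posted: no bind_policy soft, no TLS
LDAP_CONF = "base dc=ebox\nuri ldap://192.168.1.1\nldap_version 3\nrootbinddn cn=admin,dc=ebox\n"
# same file with the fixes the thread asks for; ssl/tls_cacertfile are standard
# nss_ldap options, the CA path is a placeholder
LDAP_CONF_FIXED = LDAP_CONF + "bind_policy soft\nssl start_tls\ntls_cacertfile /etc/ssl/certs/ebox-ca.pem\n"
# constructed /etc/passwd: one local account sits inside the idmap range
PASSWD = "root:x:0:0:root:/root:/bin/bash\njim:x:1000:1000:Jim:/home/jim:/bin/bash\nsvcbackup:x:10005:10005:Backup:/var/backups:/usr/sbin/nologin\n"


def parse_kv(text, sep_regex):
    """Map lowercased keys to values; skips comments and [section] headers."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        m = re.match(sep_regex, line)
        if m:
            conf[m.group(1).strip().lower()] = m.group(2).strip()
    return conf


def check_smb_conf(smb_text, passwd_text):
    """Problems in a domain-member smb.conf: role, LDAP DN consistency, idmap collisions."""
    conf = parse_kv(smb_text, r"^([^=]+)=(.*)$")  # smb.conf: key = value
    problems = []
    if conf.get("security", "").upper() != "DOMAIN":
        problems.append("security must be DOMAIN for a domain member")
    if not conf.get("ldap admin dn", "").endswith(conf.get("ldap suffix", "")):
        problems.append("ldap admin dn is not under ldap suffix")
    for key in ("idmap uid", "idmap gid"):
        if key not in conf:
            problems.append(f"{key} range is missing")
    if "idmap uid" in conf:
        lo, hi = (int(x) for x in conf["idmap uid"].split("-"))
        for line in passwd_text.splitlines():
            name, _, uid = line.split(":")[:3]
            if lo <= int(uid) <= hi:  # winbind would hand this uid to a domain user
                problems.append(f"local user {name} (uid {uid}) inside idmap uid range")
    return problems


def check_ldap_conf(ldap_text):
    """Problems in an nss_ldap/pam_ldap ldap.conf: uri scheme, bind policy, TLS."""
    conf = parse_kv(ldap_text, r"^(\S+)\s+(.*)$")  # ldap.conf: key value
    problems = []
    uri = conf.get("uri", "")
    if uri.startswith("ldapi://"):
        problems.append("uri is ldapi:// (local socket), only valid on the server itself")
    elif not uri.startswith(("ldap://", "ldaps://")):
        problems.append("uri is missing or not ldap:// / ldaps://")
    if conf.get("bind_policy", "hard") != "soft":
        problems.append("bind_policy soft not set: client hangs at boot if the server is down")
    if uri.startswith("ldap://") and conf.get("ssl") != "start_tls":
        problems.append("plain ldap:// without 'ssl start_tls': binds cross the wire unencrypted")
    return problems
```

Run against the posted ldap.conf it reports the missing bind_policy and the cleartext bind; against LDAP_CONF_FIXED it reports nothing.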
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: christian on July 25, 2011, 12:23:38 am
I need to read all the thread again but till now I'm a bit confused with some of the comment made here.
- What does it mean for Linux client to "join the domain"?
- Linux client side, use of LDAP as back-end for authentication and group membership requires PAM (for the authentication) and NSS to be configured to use LDAP. Notice that this doesn't provide SSO  ;)
- in order for Linux client to benefit from NSS-LDAP, objectclass for POSIX attributes is required (RFC2307bis)
- I don't understand what is the "LDAP related" security issue  :-[
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: arun on July 26, 2011, 10:08:06 am
That this thread has been read 11308 times (as of now) shows the importance of the topic.

Can any expert / Zentyal rewrite this "how to" completely (and in current context and versions), would help lots of users like me ...
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: christian on July 26, 2011, 11:00:21 am
Don't you feel we should first clarify the "what" before rushing to write a "How to"?
Furthermore, this thread should be moved elsewhere as there is no "tips and Trick" here but rather question about "how to achieve something". Does it make sense?
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: arun on July 27, 2011, 07:03:30 am
Dear Christian, it's really great that Zentyal has shown concern for the popular issue.

For me, if you simply help me to complete the document http://doc.zentyal.org/en/pdc-howto.html?highlight=desktop#adding-computers-to-the-pdc
what if / how to, if client is Ubuntu ....

(My motto is to completely switch over to Ubuntu ....)
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: luuxl on September 06, 2011, 03:47:44 am
Hi ALL,
Please help me!
I have:
"root@vt-hdg-quantv:~# net join -U itcnvt
Enter itcnvt's password:
Joined domain VT-HDG.COM."
But on this Logon interface, I don't log in with user + pass on eBOX
ex: VT-HDG\itcnvt
????????????????????????????????????
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: luuxl on September 06, 2011, 03:53:28 am
Quote
You should be able to join the domain using any account that has been marked "Admin" in eBox.

OK! I did that and I got a message saying "welcome to the domain"!

Now I want to know how do I change the login so that I can login with the domain accounts.

Unless I'm misunderstanding your question, I think all you need to do is create more regular users in eBox who should be able to log onto any PC in the domain.

Hi,
Edit gdm or kdm..
help me please...
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: ichat on September 06, 2011, 04:00:47 pm
Quote
I need to read all the thread again but till now I'm a bit confused with some of the comment made here.
- What does it mean for Linux client to "join the domain"?
- Linux client side, use of LDAP as back-end for authentication and group membership requires PAM (for the authentication) and NSS to be configured to use LDAP. Notice that this doesn't provide SSO  ;)
- in order for Linux client to benefit from NSS-LDAP, objectclass for POSIX attributes is required (RFC2307bis)
- I don't understand what is the "LDAP related" security issue  :-[

did you miss this link (https://help.ubuntu.com/community/LDAPClientAuthentication) that already explains how to configure ldap on ubuntu...

question 2:   the ldap security issue is that your connection to ldap is insecure and doesn't use ssl... any network sniffer could collect all your passwords... - especially if you have wifi enabled...

enabling ssl with slapd would solve this issue rather simply... and that's what is meant when said that all tools are there already.
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: christian on September 06, 2011, 04:15:59 pm
thank you for the link  ;)
Joke aside, I know this, at least enough to deploy it world wide for (very) large company  because I did it already ;)

I fully share that lack of default LDAPS is a concern because of base64. I believe that reason of such design is that LDAP, at least at the beginning, was not designed to be accessible out of Zentyal box. Remember that default FW rules are not opening LDAP protocol. So I suspect this "bug" is inherited from this initial "all in one box" concept.

This doesn't prevent Zentyal to improve it. One more entry in the request features section?  :D
Title: Re: Joining and authenticating a linux machine to an ebox domain.
Post by: jsalamero on September 11, 2011, 10:54:58 pm
Yes, we will try to add LDAPS support, and also in ADsync too.