How to configure deepOfix as a Centralized Authentication Server (Using SAMBA)

Introduction

This How-to will help you to configure deepOfix as a Centralized Authentication Server (using SAMBA) for all GNU/Linux clients and Windows Clients. If you have any query before configuring it, please feel free to shoot out any question at deepofix-users ( at ) list.deeproot.in

Role of SAMBA in deepOfix

When you add users to deepOfix, each user also has all the Samba attributes as a part of the LDAP record. Samba passwords are also automatically generated and stored in LDAP. Similarly, when you change passwords, the Samba password is also modified, as are Samba attributes like sambaPwdLastSet, sambaPwdCanChange and sambaPwdMustChange. Samba services are also active. All you need to do to get Samba to run properly is to put in the correct config file. We have outlined the steps below:

STEP - 1

Use the attached config files (Check at bottom of the page). We have put in inline comments indicating where you must change things for your setting. Get the Configuration file from:

 http://code.deeproot.in/deepofix/attachment/wiki/Howto-Centralized-Authentication-with-Samba-deepOfix/smb.conf

Now Copy this file to:

/etc/samba/smb.conf

You can overwrite the default file there. Now restart Samba related services:

sv t smbd nmbd

STEP - 2

Run the following command to tell Samba about your LDAP root password:

smbpasswd -w <your-root-password>

Samba will store your password in its own database now. This needs to be done again whenever you use EasyPush to "change system password". Your domain authentication will stop working unless you do this.

STEP - 3

Test out Samba authentication on the command-line:

smbclient -L localhost -U <username>

When prompted, use the same password that you use for email. It should be working now.

STEP - 4

Are you planning to get machines to join the domain controller? Then you will also need to add machine accounts. We used to have a small UI for this within deepOfix but it's not live anymore. So the only way to add machine accounts is on the command line. You can run commands as follows:

adduser --force-badname --system --no-create-home <your-computer-name$>

Note: '$' character at the end is necessary.

smbpasswd -a -m <computer-name>

This will add the machine account in LDAP itself under a separate OU called ou=computers. Additionally, do the following:

mkdir /etc/skel/profile

Now a profile directory will get created whenever a new user is added to your server. For existing users you will need to create the /home/<username>/profile/ directory and change the ownership to <username>:easypush so that the user can access it. This profile will only be used if you configure roaming profiles on your Windows client.

STEP - 5

* Add a machine account for every Windows machine that should use your deepOfix as a domain controller.
* Join the machine to the domain. Use 'root' as the username while joining.
* You will find the necessary logs in the /var/log/samba/ directory. There are two sorts of logs here:

  • Main Samba logs: /var/log/samba/log.smbd & /var/log/samba/log.nmbd
  • Per-machine logs, created by the attached configuration: /var/log/samba/<machine-name>.log, where <machine-name> is either the NetBIOS name of your Windows machine or its IP address.

Do you want to share printers via Samba / CUPS? deepOfix can let you do that as well! It's not very difficult to get Windows to work properly with such a setup. But given the fact that it is Windows (and most importantly proprietary software), there are things it does that are not only beyond our control but also beyond comprehension. :) Samba logs are the most important resources in such cases. Even if you just mail the log files to us, we can give you an idea of what Windows is doing wrong and how to handle that behaviour on the Samba side.
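The STEP 4 commands, wrapped as an added example (not part of this How-to or of deepOfix) so the two gotchas are enforced: adduser needs the trailing '$', smbpasswd -a -m is given the bare name, and the profile directory for pre-existing users is owned by <username>:easypush. It assumes a NetBIOS-style computer name (1-15 characters, letters, digits and '-'); the home base path is a parameter only so the helper can be tried outside /home.

```shell
#!/bin/sh
# Added example, not deepOfix code. Helpers for STEP 4 machine accounts.

# Normalise a Windows computer name into the form adduser expects:
# upper-case, trailing '$' added (or kept if already present). Fails
# with status 1 when the name is not a valid NetBIOS name (assumption:
# 1-15 chars from A-Z, 0-9 and '-').
machine_account_name() {
    name=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | sed 's/\$$//')
    case "$name" in
        ''|*[!A-Z0-9-]*) return 1 ;;
    esac
    [ ${#name} -le 15 ] || return 1
    printf '%s$\n' "$name"
}

# Create the system account and then the Samba machine trust account,
# exactly as the How-to does, but from one validated name.
add_machine_account() {
    acct=$(machine_account_name "$1") || {
        echo "bad machine name: $1" >&2; return 1; }
    adduser --force-badname --system --no-create-home "$acct"
    # smbpasswd -m takes the computer name without the trailing '$'
    smbpasswd -a -m "${acct%\$}"
}

# Users created before 'mkdir /etc/skel/profile' get no profile directory
# automatically; create it with the ownership the page asks for.
ensure_profile_dir() {
    user=$1; home_base=${2:-/home}
    dir="$home_base/$user/profile"
    [ -d "$dir" ] || mkdir -p "$dir"
    chown "$user:easypush" "$dir"
}
```

Run add_machine_account and ensure_profile_dir as root on the deepOfix server; machine_account_name can be tried anywhere.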

Configuration of GNU/Linux clients

After running SAMBA successfully, we have to configure all GNU/Linux clients to work with it. We have outlined the steps below:

STEP - 6

Ensure that your distribution has the following packages installed:

openldap
pam_ldap
nss_ldap

Package names for Debian / Ubuntu will be:

libpam-ldap
libnss-ldap
ldap-utils

STEP - 7

Now configure your NSS (Name Service Switch) to use LDAP. Copy the contents of the /etc/libnss-ldap.conf file from your deepOfix server to your client machine. Under Debian, the filename will be the same as on deepOfix. Edit the client config file to change the host IP. In deepOfix it would say "host 127.0.0.1". Change this to your deepOfix LAN IP.

STEP - 8

Edit the /etc/nsswitch.conf file to append 'ldap' to the passwd, group and shadow lines:

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

Now you should be able to query users from deepOfix LDAP. Try it out:

getent passwd
getent group

If this doesn't work, then there is something wrong in your nss-ldap configuration.

STEP - 9

Next configure your PAM-LDAP to use deepOfix LDAP for authentication. Copy the contents of the /etc/pam_ldap.conf file to the same file on your client machine. Filenames will be the same for Debian and derived operating systems. Change the LDAP host IP in this file as well. Point it to your deepOfix LAN IP.

STEP - 10

Now any service that uses PAM can be configured to authenticate against the deepOfix LDAP. You just need to edit its corresponding PAM config file. PAM config files are generally located in the /etc/pam.d/ directory. On Debian, changing authentication settings for *all* services on a client is very easy - just update the following files. These are in turn sourced inside other config files:

common-auth
common-account
common-session

You can always use the deepOfix config files as a guide. Do send us your pam_ldap.conf (you can mask or remove the password line) file and the corresponding pam config file to debug problems with PAM authentication.

Note

With an excellent auth system such as PAM, it is possible to use local authentication for some services while using deepOfix LDAP for others. You could also layer your PAM configuration to authenticate locally if the LDAP authentication fails. The key is always that users should not have root access to their local GNU/Linux clients - otherwise you will not be able to force them to authenticate against LDAP.
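Two offline checks for the client side, as an added example that is not part of this How-to: one for the STEP 8 nsswitch.conf change and one for the "LDAP first, local fallback" layering mentioned in the Note. Both take a file path, so they can be pointed at /etc/nsswitch.conf and /etc/pam.d/common-auth on the client or at copies. The reference common-auth content is constructed here and assumes the classic pam_ldap / pam_unix stack with use_first_pass, not a file taken from deepOfix.

```shell
#!/bin/sh
# Added example, not deepOfix code. Checks for STEP 8 and the PAM Note.

# STEP 8: each of passwd, group and shadow must list the 'ldap' source.
# Prints the databases that lack it and returns 1 if any is missing.
nss_has_ldap() {
    missing=""
    for db in passwd group shadow; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|$)" "$1" \
            || missing="$missing $db"
    done
    [ -z "$missing" ] || { echo "no ldap source for:$missing" >&2; return 1; }
}

# Reference common-auth for "try LDAP, fall back to local" (constructed):
# pam_ldap is 'sufficient', and pam_unix reuses the typed password via
# use_first_pass so a local account is not prompted a second time.
sample_common_auth() {
    cat <<'EOF'
auth    sufficient  pam_ldap.so
auth    required    pam_unix.so nullok_secure use_first_pass
EOF
}

# Note: verifies that layering in a given common-auth: a 'sufficient'
# pam_ldap.so auth line must come before a pam_unix.so auth line that
# carries use_first_pass. Comment and blank lines are ignored.
pam_ldap_fallback_ok() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 == "auth" && $2 == "sufficient" && $3 ~ /pam_ldap\.so$/ { ldap = NR }
        $1 == "auth" && $3 ~ /pam_unix\.so$/ && /use_first_pass/ { unix = NR }
        END { exit !(ldap && unix && ldap < unix) }
    ' "$1"
}
```

On a configured client, `nss_has_ldap /etc/nsswitch.conf && getent passwd` confirms both the file and the live lookup at once.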

If you found this How-to helpful, please send an acknowledgment to deepofix-users ( at ) list.deeproot.in. If you found any problem in this How-to or have any query regarding it, please feel free to shoot out any question at deepofix-users ( at ) list.deeproot.in.
