Wednesday, December 24, 2008

Installing the Wyse 6: adding LDAP and Samba for centralized user management

I like to have my users, that will be logging in on different types of machines on the network, stored in a central place. The ideal solution for this is an LDAP repository and configuring Samba to talk to this repository and configure it as a Primary Domain Controller.
This solution will enable users running Linux to authenticate using pam_ldap and users running Windows (NT and up) authenticate against a Samba Domain Controller. Linux users can also join their machines on the Samba domain, and create shares accessible to other users known by the Domain Controller.
This setup caused me a second headache, since the Samba server running on Ubuntu Hardy could not join the Samba Domain Controller running on Etch. This is because there is a compatibility issue between Samba 3.0.28a (Hardy) and Samba 3.0.24a (Etch). I had to fetch some more recent source packages here and compile and build them on Etch. This is not a procedure for the faint of heart, so if you haven't upgraded to Lenny yet, now is the time (at the time of this writing, Lenny has Samba 3.2.5).
I was planning on providing a step by step procedure to install and configure all of the necessary stuff, but apparently, someone already did. Following these instructions to the letter, will get you up and running in no time. The only thing you have to do is add these lines to libnss-ldap.conf:

bind_policy soft
nss_reconnect_tries 3
nss_reconnect_sleeptime 1
nss_reconnect_maxconntries 3

This is necessary, because otherwise the machine will try forever finding accounts in the LDAP server when it boots and is populating /dev. Populating /dev happens very early in the boot stage when no network or LDAP server is started yet.
I also created an additional LDAP user (next to the admin user) that is only capable of reading entries (instead of reading _and_ writing) as suggested here. This user is called nss and is used to configure pam_ldap on the client Linux machines.
My pam configuration file are also a bit different, so here they are for completeness:

common-session


session required pam_mkhomedir.so skel=/etc/skel umask=0077
session optional pam_ldap.so

common-password


password required pam_passwdqc.so
password sufficient pam_ldap.so
password required pam_unix_passwd.so use_first_pass md5 shadow

common-account


account sufficient pam_ldap.so
account required pam_unix_acct.so

common-auth


auth sufficient pam_ldap.so
auth required pam_unix_auth.so use_first_pass

Please note that messing with pam modules could be dangerous and could lead to a system where you're unable to login. The above configuration definitely works, but it's always safe to have backups of your original pam files and have a bootable medium (CD, DVD, floppy, USB) at hand.

If you want to have a graphical user interface to be able to browse the LDAP you can use Apache Directory Studio (advanced but heavyweight application) or LDAP Browser (basic lightweight application). Both are Java based, so should run on anything that provides a Sun JDK or JRE.

If you find errors in this post, in fact, if you find errors in any post, please leave a comment or send me a mail.

No comments: