A long time has passed since I posted the very first post regarding this subject. There I promised to show the configuration files... so, I've got authentication working, but the Windows client machines are complaining about profile directory permissions. It says that it should be owned by that user or the Admin Users group. I did try different permissions, but the problem stays as it is.
The question: what folder is XP talking about? The profiles folder where all the user profiles sit, or just the user's own profile folder?
Here are configuration files.
rc.conf:
Code:
# rc.conf excerpt: network identity, the services enabled at boot, and the
# slapd listener configuration.
defaultrouter="192.168.1.1"
hostname="varde.skola.local"
# Static address kept for reference; the interface currently takes a DHCP lease.
#ifconfig_rl0="inet 192.168.1.100 netmask 255.255.255.0"
ifconfig_rl0="DHCP"
linux_enable="YES"
sshd_enable="YES"
named_enable="NO"
cupsd_enable="YES"
nscd_enable="NO"
samba_enable="YES"
apache22_enable="YES"
slapd_enable="YES"
# Two listeners: the ldapi:// Unix socket (the %2f sequences are URL-encoded
# slashes, i.e. /var/run/openldap/ldapi, matching slapd_sockets below) and
# ldap:///, which is plain, unencrypted LDAP on every interface.  Whether the
# second one is acceptable depends on the slapd ACLs and on who can reach
# port 389 on this host.
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:///"'
slapd_sockets="/var/run/openldap/ldapi"
The Samba configuration file:
Code:
# Global parameters
# NOTE(review): boolean values below are written as Yes, yes and No
# interchangeably; Samba accepts any spelling, but one form per file is
# easier to audit.
[global]
workgroup = SKOLA
netbios name = VARDE
security = user
username map = /usr/local/etc/samba/smbusers
server string = Serveris Varde %v
encrypt passwords = Yes
# UNIX/LDAP password synchronisation hooks are disabled (commented out).
#unix password sync = yes
#ldap passwd sync = no
#passwd program = /usr/local/sbin/smbldap-passwd -u "%u"
#passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
# Logging: level 0 records very little and nothing goes to syslog, which leaves
# almost nothing to diagnose the profile-permission complaint with.  One log
# file per user (%U).
log level = 0
syslog = 0
log file = /var/log/samba/log.%U
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
# Domain logon settings.  %L and %N expand to this server's name, %U to the
# user; the profile path therefore resolves to the [profiles] share below.
logon script = logon.bat
logon drive = H:
logon home = \\%L\%U
logon path = \\%N\profiles\%U
domain logons = Yes
domain master = Yes
local master = yes
os level = 33
preferred master = auto
wins support = yes
# The account database lives in LDAP, reached over the loopback interface.
# The admin dn is the directory's rootdn (see slapd.conf), so Samba's bind
# bypasses the slapd ACLs entirely.
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=Manager,dc=skola,dc=local
ldap suffix = dc=skola,dc=local
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
# NOTE(review): idmap is pointed at ldap.skola.local while passdb uses
# 127.0.0.1.  If that name does not resolve to this host, the idmap traffic
# (including the admin dn bind) crosses the network as plain ldap://;
# 127.0.0.1 or the ldapi:// socket would keep both on the local machine.
idmap backend = ldap:ldap://ldap.skola.local
idmap uid = 10000-20000
idmap gid = 10000-20000
# winbind is not in use here (all of its settings are commented out).
#winbind uid = 10000-20000
#winbind gid = 10000-20000
#winbind separator = .
#winbind enum users = yes
#winbind enum groups = yes
#winbind use default domain = yes
# smbldap-tools hooks that smbd runs when a user, machine or group is created,
# removed or changed; smb.conf(5) documents these scripts as running as root.
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
delete user script = /usr/local/sbin/smbldap-userdel "%u"
add machine script = /usr/local/sbin/smbldap-useradd -t 0 -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
# Default permissions for new files/directories on shares that do not override
# them.  NOTE(review): with 'nt acl support = No' Windows clients are not shown
# UNIX permissions as NT ACLs, which may bear on XP's profile-ownership
# complaint -- confirm against smb.conf(5) for the installed version.
create mask = 0640
directory mask = 0750
nt acl support = No
deadtime = 10
# Unknown user names are mapped to the guest account (nobody); note that a
# guest-writable [public] share exists further down.
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
preserve case = yes
short preserve case = yes
case sensitive = no
# Logon scripts (logon.bat, named in [global]) are served from here, read-only.
[netlogon]
path = /home/netlogon
comment = Network Logon Service
read only = yes
# Roaming profiles; the [global] logon path points at \\server\profiles\%U.
# NOTE(review): in our reading, XP's "must be owned by the user or
# Administrators" message refers to the per-user profile directory under this
# share, not to the share root.  smb.conf(5) documents 'profile acls = yes'
# for exactly this kind of share; confirm it for the installed Samba version
# before relying on it.
[profiles]
path = /home/profiles
read only = no
#hide files = /desktop.ini/
# New profile files and directories are private to the creating user.
create mask = 0600
directory mask = 0700
# NOTE(review): this exports the system temp directory to everyone, writable,
# and [global] maps unknown user names to guest.  A dedicated directory would
# be the usual choice if a public drop box is wanted.
[public]
path = /tmp
guest ok = yes
browseable = Yes
writeable = yes
# Per-user home directories: writable by the owner, not browsed, no guests.
[homes]
writeable = yes
browseable = no
guest ok = no
# NOTE(review): smb.conf(5) documents 'admin users' as performing every file
# operation as root, here on every user's home share.  Restrict if that is not
# intended.
admin users = xeon juris "Domain Admins"
The OpenLDAP configuration file:
Code:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
# samba.schema adds the attributes ldapsam stores, including the
# sambaNTPassword and sambaLMPassword hash attributes referenced in the ACL
# notes below.
include /usr/local/etc/openldap/schema/samba.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
# moduleload back_ldap
# moduleload back_ldbm
# moduleload back_passwd
# moduleload back_shell
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# NOTE(review): no 'security' directive is active, so simple binds are accepted
# over the plain ldap:/// listener enabled in rc.conf.
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# Effective ACLs.  slapd uses the first 'access to' clause that matches, and
# within it the first 'by' clause that matches.
# Root DSE: the sample above suggests 'by * read'; 'by * auth' here means
# anonymous clients may only authenticate against it, not read it -- confirm
# this is intended.
access to dn.base=""
by self write
by * auth
# Only userPassword is protected here.  The Samba hash attributes
# (sambaNTPassword, sambaLMPassword) are not covered by this clause, so they
# fall through to 'access to *' below and are readable by anyone who can
# connect.  NOTE(review): extend this clause, e.g.
#   access to attrs=userPassword,sambaLMPassword,sambaNTPassword
#    by self write
#    by * auth
access to attrs=userPassword
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * read
# Everything else is readable by everyone, anonymous included.  Because
# 'by * read' already matches anonymous, the 'by anonymous auth' line is never
# reached (compare the sample policy above, which uses 'by users read').
access to *
by * read
by anonymous auth
# loglevel 256: connection/operation statistics.
loglevel 256
schemacheck on
# seconds before an idle client connection is closed
idletimeout 30
# bdb backend-level defaults: checkpoint after 1024 KiB of log or 5 minutes.
backend bdb
checkpoint 1024 5
cachesize 10000
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=skola,dc=local"
# This is also Samba's 'ldap admin dn'; as rootdn it bypasses every ACL above.
rootdn "cn=Manager,dc=skola,dc=local"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# NOTE(review): this {CRYPT} hash has been published together with this post;
# treat the rootdn password as exposed, choose a new one and replace the value
# with fresh slappasswd(8) output (an {SSHA} hash is the usual choice).
rootpw {CRYPT}QKBN0WohKsFyg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/db/openldap-data
# Indices to maintain (eq = equality, pres = presence, sub = substring).
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
Global LDAP client configuration (I understood that it is used by the NSS_LDAP module):
Code:
# nss_ldap / pam_ldap client settings.  slapd is contacted over plain LDAP on
# the loopback interface.
host 127.0.0.1
base dc=skola,dc=local
# NOTE(review): this binddn is the directory suffix itself, not an account
# entry, and no bindpw is given.  The resulting bind is either anonymous or an
# unauthenticated (DN with empty password) bind, which slapd rejects by
# default -- possibly related to the "LDAP server is unavailable" messages.
# Confirm what was intended.
binddn dc=skola,dc=local
# When root runs pam_ldap/nss_ldap, the Manager password is read from the
# companion ldap.secret file; that file must be readable by root only.
rootbinddn cn=Manager,dc=skola,dc=local
ldap_version 3
port 389
scope sub
# seconds
timelimit 30
bind_timelimit 30
# soft: do not keep retrying when slapd is unreachable
bind_policy soft
idle_timelimit 3600
pam_filter objectClass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
# password changes made through pam_ldap write a crypt(3) hash to userPassword
pam_password crypt
# Two search bases each for passwd and shadow: people and machine accounts.
# nss_ldap treats repeated nss_base_* keys as multiple bases -- TODO confirm
# for the installed version; a last-wins parser would silently drop ou=People.
nss_base_passwd ou=People,dc=skola,dc=local?one
nss_base_shadow ou=People,dc=skola,dc=local?one
nss_base_passwd ou=Computers,dc=skola,dc=local?one
nss_base_shadow ou=Computers,dc=skola,dc=local?one
# group lookups use the default base
#nss_base_group ou=Groups,dc=skola,dc=local?one
The NSS_LDAP module configuration file is exactly the same as ldap.conf... I don't remember which guide told me to do so...
DB_CONFIG file:
Code:
# $OpenLDAP: pkg/ldap/servers/slapd/DB_CONFIG,v 1.1.2.4 2007/12/18 11:51:46 ghenry Exp $
# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
#
# See the Oracle Berkeley DB documentation
# <http://www.oracle.com/technology/documentation/berkeley-db/db/ref/env/db_config.html>
# for detail description of DB_CONFIG syntax and semantics.
#
# Hints can also be found in the OpenLDAP Software FAQ
# <http://www.openldap.org/faq/index.cgi?file=2>
# in particular:
# <http://www.openldap.org/faq/index.cgi?file=1075>
# Note: most DB_CONFIG settings will take effect only upon rebuilding
# the DB environment.
# one 0.25 GB cache
# arguments: gigabytes, bytes, number of cache regions (0 GB + 256 MiB, 1 region)
set_cachesize 0 268435456 1
# Data Directory
#set_data_dir db
# Transaction Log settings (sizes in bytes)
set_lg_regionmax 262144
set_lg_bsize 2097152
#set_lg_dir logs
# Note: special DB_CONFIG flags are no longer needed for "quick"
# slapadd(8) or slapindex(8) access (see their -q option).
PAM is configured by two files. The ldap file was added as an include into the system file.
The ldap file:
Code:
# pam.d/ldap: pulled in by the 'auth include ldap' line of the system file.
# 'sufficient' means a successful LDAP authentication ends the auth stack here
# (unless an earlier module already failed); on failure control falls through
# to the modules that follow the include.
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
The system file:
Code:
#
# $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
#
# System-wide defaults
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
# LDAP accounts are tried first (the ldap file marks pam_ldap 'sufficient');
# local pam_unix below remains the fallback.
auth include ldap
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
# NOTE(review): nullok lets local accounts with an empty password field log in.
# It is FreeBSD's stock setting, but deserves a conscious decision on a host
# that also acts as the domain controller.
auth required pam_unix.so no_warn try_first_pass nullok
# account
# Account checks run against local files only (login.access, pam_unix); there
# is no pam_ldap account line, so any LDAP-side account restrictions are
# presumably not enforced here.
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_lastlog.so no_fail
# password
# Password changes go through pam_unix only; without a pam_ldap password line,
# passwd(1) presumably cannot change LDAP-only accounts via PAM.
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
That's it. Sometimes I'm getting "the LDAP server is unavailable" on the first FreeBSD virtual console, but I have checked browsability and also authentication on the XP machines... everything is working. I just can't understand where the problem with the permissions is... I am reading the Samba HOWTO and also "by Example" for the second time