Or how to migrate to LDAP
© 2011-2013 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later
Copy the samba3.schema to /etc/openldap/schema/
Add to slapd.conf:
```
# Include samba support
include /etc/openldap/schema/samba3.schema
...
# Make sure no-one can read or write the samba password fields,
# except the LDAP manager.
access to attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=manager,dc=example,dc=com" write
    by anonymous auth
    by * none
...
# Create samba indexes
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
```
Make OpenLDAP work with the new settings:
```
service ldap stop
slapindex
service ldap start
```
The NT Domain starts with S-1-5-21. Per domain it has a 96 byte unique RID. das_passgen can be used to create a RID like this:
```
./das_passgen -c 3 -l 30
418744952774608737365306093569
```
If you split this random number into three groups like this: 4187449527-7460873736-5306093569, it can act as the domain RID. The complete domain SID will then look like this: S-1-5-21-4187449527-7460873736-5306093569
For the Windows networking (NetBIOS) domain we use the name EXAMPLE. Domain names in a Windows NT4 domain, which is what SAMBA 3 provides, can have at most 15 characters. In the root of our LDAP domain we create an object called sambaDomainName=EXAMPLE, which looks like this:
```
dn: sambaDomainName=EXAMPLE,dc=example,dc=com
sambaDomainName: EXAMPLE
objectClass: sambaDomain
sambaSID: S-1-5-21-4187449527-7460873736-5306093569
sambaAlgorithmicRidBase: 1000
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
```
SAMBA uses Unix groups for its objects. This means that groups are mapped, there is thus no such thing as a SAMBA group. There are Unix groups and they are linked with a SID to make it into a group that Windows understands. This also means that if certain Unix users are a member of such a group they are also regarded as members by the Windows operating systems, and they thus need a SID!
According to the RFCs an LDAP server supports the use of multiple CN entries for a single object. This has the benefit that one can give an object in the LDAP tree a Unix and a Windows name. Using this one can create the following LDIF to add the Domain Admins:
```
dn: cn=domadms,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: domadms
cn: Domain Admins
description: A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.
gidNumber: 512
sambaSID: S-1-5-21-1654374101-3569970681-3921896634-512
sambaGroupType: 2
displayName: Domain Admins
```
On a Unix system one can use domadms or "Domain Admins". On a Windows system one has the SID for the Domain Admins group. So everybody should be happy. Also lookups for (cn=Domain Admins) should be resolved correctly by our LDAP server.
The description of the object is copied from Well-known security identifiers in Windows operating systems.
The domadms name and the gidNumber are of course completely arbitrary and you can choose something completely different than what is provided here. For the Unix name I tried to create a name that resembles the Windows name but still fits within the 8 character boundary of older Unix systems.
Builtin groups seem to be the same group type as local groups, and are not needed in our situation.
Another field is the sambaGroupType. SAMBA supports, as far as I can tell, 3 different group types, of which only one is relevant to us.
The defined sambaGroupTypes are:
sambaGroupType | Group type |
---|---|
2 | Domain group |
4 | Local group (alias) |
5 | Builtin |
For SAMBA to function correctly one needs a couple of essential groups to be present. The following table gives an overview of these essential groups and suggests Unix names and GIDs to use:
Unix group name | Unix gid number | Windows group name | RID |
---|---|---|---|
domadms | 512 | Domain Admins | 512 |
domusrs | 513 | Domain Users | 513 |
domgsts | 514 | Domain Guests | 514 |
The following groups are non-essential, but might make life easier:
Unix group name | Unix gid number | Windows group name | RID | Notes |
---|---|---|---|---|
domdevs | 515 | Domain Computers | 515 | You can add computer accounts to this group |
domcons | 516 | Domain Controllers | 516 | |
From the BUILTIN (S-1-5-32) domain we need a couple of essential groups to be added to LDAP:
Unix group name | Unix gid number | Windows group name | RID |
---|---|---|---|
binadms | 544 | Administrators | 544 |
binusrs | 545 | Users | 545 |
bingsts | 546 | Guests | 546 |
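The following Python script is an added example, not code from this page and not a Samba or OpenLDAP tool. It covers two of the steps above: it draws a domain SID with three random 32-bit sub-authorities (instead of splitting a das_passgen number by hand) and validates any SID string, since every sub-authority is an unsigned 32-bit value and an arbitrary 10-digit group does not always fit; and it emits the group-mapping LDIF for the domain and BUILTIN groups from the tables, using the sambaGroupType values of the type table, and checks that the RID equals the gidNumber as the tables assume. The domain SID, base DN and group names are the sample values used on this page; the function names are my own.

```python
import os
import struct

# Constructed sample values matching this page: the domain SID used in the
# group LDIFs above and the base DN of the example directory.
DOMAIN_SID = "S-1-5-21-1654374101-3569970681-3921896634"
BUILTIN_SID = "S-1-5-32"
BASE_DN = "dc=example,dc=com"

MAX_SUBAUTH = 2 ** 32 - 1  # every SID sub-authority is an unsigned 32-bit value


def new_domain_sid():
    """Return a fresh NT domain SID of the form S-1-5-21-<r>-<r>-<r>.

    Three 32-bit sub-authorities are drawn from the OS CSPRNG, so each one is
    guaranteed to fit its field (splitting a long decimal string by hand is not).
    """
    subs = struct.unpack("<III", os.urandom(12))
    return "S-1-5-21-" + "-".join(str(s) for s in subs)


def parse_sid(sid):
    """Split 'S-<rev>-<authority>-<sub>...' into (rev, authority, [subs]).

    Raises ValueError for anything that is not a structurally valid SID,
    including a sub-authority that does not fit in 32 bits.
    """
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    for s in subs:
        if not 0 <= s <= MAX_SUBAUTH:
            raise ValueError("sub-authority %d does not fit in 32 bits" % s)
    return revision, authority, subs


def is_valid_sid(sid):
    try:
        parse_sid(sid)
    except ValueError:
        return False
    return True


def group_entry(unix_name, gid, windows_name, rid, builtin=False):
    """Return LDIF for one sambaGroupMapping entry.

    Domain groups hang off DOMAIN_SID with sambaGroupType 2; BUILTIN groups
    hang off S-1-5-32 with sambaGroupType 5, following the type table above.
    """
    prefix, gtype = (BUILTIN_SID, 5) if builtin else (DOMAIN_SID, 2)
    sid = "%s-%d" % (prefix, rid)
    parse_sid(sid)  # refuse to emit a mapping with an invalid SID
    lines = [
        "dn: cn=%s,ou=Groups,%s" % (unix_name, BASE_DN),
        "objectClass: top",
        "objectClass: posixGroup",
        "objectClass: sambaGroupMapping",
        "cn: %s" % unix_name,
        "cn: %s" % windows_name,
        "gidNumber: %d" % gid,
        "sambaSID: %s" % sid,
        "sambaGroupType: %d" % gtype,
        "displayName: %s" % windows_name,
    ]
    return "\n".join(lines) + "\n"


def check_group_sid(entry_text):
    """Check that an entry's sambaSID belongs to this domain or to BUILTIN and
    that its RID equals its gidNumber, the convention used in the tables."""
    attrs = {}
    for line in entry_text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            attrs.setdefault(key, value)  # keep the first value of multi-valued attrs
    domain, _, rid = attrs["sambaSID"].rpartition("-")
    if domain not in (DOMAIN_SID, BUILTIN_SID):
        return False
    return int(rid) == int(attrs["gidNumber"])


if __name__ == "__main__":
    print("generated domain SID:", new_domain_sid())
    for args in [("domadms", 512, "Domain Admins", 512),
                 ("binadms", 544, "Administrators", 544, True)]:
        entry = group_entry(*args)
        print(entry, "consistent:", check_group_sid(entry))
```

Run it before loading any LDIF: a sambaSID whose domain part differs from the sambaDomainName object, or whose sub-authority overflows, is rejected here instead of silently producing a mapping Samba can never resolve.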
Within a Windows network (domain) there are two types of accounts: machine accounts and user accounts. The machine accounts are better known as computer accounts since they live in ou=Computers. OpenLDAP uses objectClass=person and objectClass=device for these two kinds. Hence the choice for ou=Devices and ou=People in the DIT structure.
There are three ways that one can distinguish a machine account from a user account:
Accounts have passwords, so persons and devices can have a password associated with the account. SAMBA can work with LanManager passwords and NT passwords. LanManager should not be used anymore, so we will only provide LDIFs with the NT4 password field set.
In LDAP there is a sambaAcctFlags attribute which consists of a `[`, 11 positions of information or spaces, and a `]`. A regular user account looks like this: `[U          ]`, while a machine account looks like this: `[W          ]`. Next to the account type indicator one can also set account settings, for example to disable an account. The available options are:
Account types
Account settings
Before a user can log in to a Windows domain, the workstation first has to build a trust relationship with the domain. To be able to build this trust there needs to be a machine account on the domain servers. Machines are joined to the domain to create this account. The password is generated by the workstation and is changed regularly by the workstation.
The device object class is part of the core schema and requires a cn entry. sambaSamAccount is part of the samba3 schema and requires a UID and a sambaSID. The rest is up to the system administrator (or the workstation) to add.
An LDIF for a machine account in OpenLDAP looks like this:
```
dn: cn=ws42,ou=Devices,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: posixAccount
objectClass: sambaSamAccount
cn: ws42
cn: ws42$
uid: ws42
uid: ws42$
homeDirectory: /dev/null
loginShell: /bin/false
uidNumber: 1042
gidNumber: 515
sambaSID: S-1-5-21-1654374101-3569970681-3921896634-1042
sambaPrimaryGroupSID: S-1-5-21-1654374101-3569970681-3921896634-515
sambaAcctFlags: [W          ]
sambaNTPassword: 895849BF581FB4FECBCBB5FA9B6FAF51
```
As the primary group we have chosen the SID of the Domain Computers group.
Within the People OU we find the user accounts. The POSIX accounts need the sambaSamAccount object class, which requires a sambaSID as an extra attribute in the LDIF. A couple of extra attributes are needed to make the account functional, such as the sambaNTPassword attribute.
There are two well known accounts in the Windows world that should be present on every system: Administrator and Guest. The local Administrator has a SID of S-1-5-21-machine_RID-500 and the Guest account uses S-1-5-21-machine_RID-501. The "machine_RID" is the same type of number as for a domain. So actually there is a local machine domain, which could be compared to the 127.0.0.0 (local) network on a Unix machine.
On the domain there is a domain Administrator and a domain Guest, which are conveniently also called Administrator and Guest and which can only be distinguished by their SID, S-1-5-21-domain_RID-500 and S-1-5-21-domain_RID-501 respectively.
Unix user name | Unix uid number | Windows user name | RID |
---|---|---|---|
admin | 500 | Administrator | 500 |
guest | 501 | Guest | 501 |
krbtgt | 502 | KRBTGT | 502 |
Make sure the Guest account is disabled by setting the right account flags.
```
dn: cn=Administrator,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: Administrator
sn: Administrator
uid: Administrator
gidNumber: 1001
uidNumber: 1000
sambaPrimaryGroupSID: S-1-5-21-1654374101-3569970681-3921896634-512
sambaSID: S-1-5-21-1654374101-3569970681-3921896634-500
loginShell: /bin/false
homeDirectory: /dev/null
gecos: Administrator
sambaAcctFlags: [U          ]
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 1267280010
shadowLastChange: 14622
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaPwdLastSet: 1263392010
shadowMax: 45
description: A user account for the system administrator. By default, it is the only user account that is given full control over the system.
```
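The helpers below are an added example, not code from this page or from Samba. They implement the sambaAcctFlags format described earlier (a `[`, 11 positions, a `]`): one can read the account type out of a value, check whether an account is disabled, and set the D flag that disables the Guest account as the note above asks. Since the page's own lists of account types and settings are not reproduced here, the flag letters are taken from Samba's account-control bits (ACB_*) as I know them, and the letter order of the encoder mirrors Samba's; the Guest DN passed in at the end is an assumed example value.

```python
# Samba account-control letters that may appear inside sambaAcctFlags.
# Assumption: the page's own tables of account types and settings are not
# reproduced here, so these come from Samba's ACB_* account-control bits.
FLAG_NAMES = {
    "N": "no password required",
    "D": "disabled",
    "H": "home directory required",
    "T": "temporary duplicate account",
    "U": "normal user account",
    "M": "MNS logon user account",
    "W": "workstation trust account",
    "S": "server trust account",
    "L": "auto-locked",
    "X": "password does not expire",
    "I": "inter-domain trust account",
}
ENCODE_ORDER = "NDHTUMWSLXI"  # the order in which Samba's own encoder emits them
TYPE_FLAGS = set("UWSI")      # exactly one of these identifies the account type
WIDTH = 11                    # positions between '[' and ']'


def parse_acct_flags(value):
    """Return the set of letters in a value such as '[U          ]'.

    Samba's decoder ignores letter order and stops at ']', so a shorter body
    is accepted; anything longer than WIDTH or with an unknown letter is not.
    """
    text = value.strip()
    if not (text.startswith("[") and text.endswith("]")):
        raise ValueError("sambaAcctFlags must be bracketed: %r" % value)
    body = text[1:-1]
    if len(body) > WIDTH:
        raise ValueError("more than %d positions in %r" % (WIDTH, value))
    flags = set(body.replace(" ", ""))
    unknown = flags - set(FLAG_NAMES)
    if unknown:
        raise ValueError("unknown flag letters: %s" % sorted(unknown))
    return flags


def encode_acct_flags(flags):
    """Render a set of letters as the 13-character bracketed attribute value."""
    flags = set(flags)
    unknown = flags - set(FLAG_NAMES)
    if unknown:
        raise ValueError("unknown flag letters: %s" % sorted(unknown))
    if len(flags & TYPE_FLAGS) != 1:
        raise ValueError("exactly one account type letter is required")
    body = "".join(ch for ch in ENCODE_ORDER if ch in flags)
    return "[" + body.ljust(WIDTH) + "]"


def account_type(value):
    """'user' for a [U...] value, 'workstation' for [W...], and so on."""
    names = {"U": "user", "W": "workstation", "S": "server", "I": "interdomain-trust"}
    types = parse_acct_flags(value) & TYPE_FLAGS
    if len(types) != 1:
        raise ValueError("ambiguous or missing account type in %r" % value)
    return names[types.pop()]


def is_disabled(value):
    return "D" in parse_acct_flags(value)


def disable(value):
    """Return the same flags with the D (disabled) bit set."""
    return encode_acct_flags(parse_acct_flags(value) | {"D"})


def ldif_disable_account(dn, current_flags):
    """LDIF modify that disables an account by rewriting its sambaAcctFlags."""
    return "\n".join([
        "dn: %s" % dn,
        "changetype: modify",
        "replace: sambaAcctFlags",
        "sambaAcctFlags: %s" % disable(current_flags),
    ]) + "\n"


if __name__ == "__main__":
    # Assumed DN for the Guest account in the example directory.
    print(ldif_disable_account("cn=Guest,ou=People,dc=example,dc=com", "[U          ]"))
```

The output of the last call is the modify LDIF to feed to ldapmodify for the Guest account; the same `disable()` call is what an account-lockout or offboarding script should use so the attribute keeps its exact 13-character width.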
Windows makes domain accounts members of local groups by nesting groups: the domain group becomes a member of the local group, which effectively places the domain accounts into the local group and gives them the same rights as its local members.
The domain Administrator (RID: 500) is member of the Domain Admins (RID: 512) group.
The local Administrator (RID: 500, but with a different domain ID than the network domain) is a member of the local Administrators (SID: S-1-5-32-544) group.
When a computer joins a domain, the Domain Admins (RID: 512) group is made a member of the local Administrators (SID: S-1-5-32-544) group.
```
dn: cn=domadms,ou=Groups,dc=example,dc=com
changetype: modify
add: memberUid
memberUid: admin
```
The domain Guest (RID: 502) is member of the Domain Guests (RID: 514) group.
The local Guest (RID: 501, but with a different domain ID than the network domain) is a member of the local Guests (SID: S-1-5-32-546) group.
When a computer joins a domain, the Domain Guests (RID: 514) group is made a member of the local Guests (SID: S-1-5-32-546) group.
```
dn: cn=domgsts,ou=Groups,dc=example,dc=com
changetype: modify
add: memberUid
memberUid: guest
```
A simple domain overview looks like this:
```
# net rpc info -U<username>
Password:
Domain Name: EXAMPLE
Domain SID: S-1-5-21-1654374101-3569970681-3921896634
Sequence number: 1358151901
Num users: 471
Num domain groups: 91
Num local groups: 0
```
To get more information when a machine is connected to an AD domain, use:
```
net ads info -Uadministrator
```
A tool that comes in handy to check your setup is the net tool supplied by the SAMBA team. If you have a SAMBA server running you can query it for its different objects by using:
```
net sam list users           List SAM users
net sam list groups          List SAM groups
net sam list localgroups     List SAM local groups
net sam list builtin         List builtin groups
net sam list workstations    List domain member workstations
```
Use the verbose parameter to get even more info.