Basic domain on Wheezy.. no Kerberos, no SSL/TLS

Debian domain

FOREWORD:

As you already know, Active Directory is a powerful tool for network resource management; but did you know that its basic component, LDAP, can also help you enhance and regulate collaborative processes between network users?
By using a centralized user/customer database you can connect apparently unrelated applications and turn them into one (more or less :D) solid software solution.

Oh, and what about SSL and TLS? The title means that the server we are going to build won’t implement any kind of encrypted authentication; it will use the so-called “plain” method.

OK, stop crying and think about the opportunities opening up to you: this guide doesn’t force you to use any specific encryption method, so you can decide to implement one later (which is highly recommended, since plain binds send passwords over the network unencrypted).

MY RECOMMENDATIONS:

I prefer starting from scratch, which means a fresh Debian Wheezy installation (you can set one up by using the Debian netinst ISO).
Also, I would recommend using a minimalistic configuration: without a standard desktop environment and, as a consequence, no useless GUI applications pulled in automatically (by saying “useless” I mean that we don’t need word processing software or games on a Debian server).

So let’s start with package installation. First of all, make sure that your /etc/apt/sources.list contains at least these few rows; otherwise insert them and update your APT catalogs:

Now you can install a desktop environment and some handy GUI tools, such as a terminal emulator:

Personally I avoid installing GUI stuff, or at least I remove it when the server goes to production.

INITIAL SETUP:

Let’s start with the real stuff now. First of all, install the basic domain components such as Samba, OpenLDAP and the integration tools for these applications.

When the installation is finished you must add the Samba schema to OpenLDAP, so create a temporary conf file in order to import the Samba schema and some other schemas.

Now paste the following content into this new file:

Now let’s generate an ldif file:

Edit the output file and remove “{12}” from lines 1 and 3 so you will have this header:

...oh, and remove the lines below (placed at the end of the file):

Now you can merge the ldif file you’ve just exported with your OpenLDAP database:

Now create another ldif file for the Samba indexes:

...and import it, then restart the OpenLDAP server:

UPDATE: thanks to hyc I discovered that the instructions below are potentially harmful:

/etc/init.d/slapd restart

Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd.
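The schema clean-up described above (strip the “{12}” index from lines 1 and 3, drop the trailing lines) as an added, scripted example; this is not code from the original post. It assumes that “{12}” is the load-order index slaptest puts in the generated cn={N}samba.ldif, that the entry's parent under cn=config is cn=schema,cn=config, and that the trailing lines to delete are the operational attributes slaptest records for the entry.

```shell
#!/bin/sh
# Added example, not from the original post: post-process the schema LDIF
# that "slaptest -F" writes (cn={N}samba.ldif) so it can be loaded under
# cn=config with ldapadd.
clean_schema_ldif() {   # usage: clean_schema_ldif cn={12}samba.ldif > samba.ldif
    awk '
        # line 1: "dn: cn={12}samba" -> "dn: cn=samba,cn=schema,cn=config"
        /^dn: cn=[{][0-9]+[}]/ {
            sub(/[{][0-9]+[}]/, "")
            if ($0 !~ /,/) $0 = $0 ",cn=schema,cn=config"   # assumed parent entry
            print; next
        }
        # line 3: "cn: {12}samba" -> "cn: samba"
        /^cn: [{][0-9]+[}]/ { sub(/[{][0-9]+[}]/, ""); print; next }
        # operational attributes at the end of the file (assumed to be the
        # lines the post tells you to remove): drop them
        /^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp): / { next }
        { print }
    ' "$1"
}

# Constructed, abbreviated stand-in for slaptest output (not real output).
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: cn={12}samba
objectClass: olcSchemaConfig
cn: {12}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20120101000000Z
entryCSN: 20120101000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20120101000000Z
EOF
}

tmp=$(mktemp)
write_sample_ldif "$tmp"
clean_schema_ldif "$tmp"      # prints the four lines that survive
rm -f "$tmp"
```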

DAEMON CONFIGURATION:

Create or edit the /etc/ldap/ldap.conf file in order to set the basic domain settings such as the domain base name and the master/slave addresses:

Now modify the Samba settings; you can use an example conf file as a template:

Modify the configuration file as follows:

Now add the Samba shares and create the logon script, then append/modify the shares at the bottom of the /etc/samba/smb.conf file:

When creating the logon script pay attention to Carriage Return/Line Feed (CR/LF) line endings: Windows clients expect CR/LF.
Below there is an example of a domain configuration with roaming user profiles enabled; if you don’t need/want them, just leave the logon path parameter empty.

Create the Administrator user and insert it into the Samba usermap:

Finally you can check the conf file for errors by running the “testparm” command.
Now let’s start implementing the Samba<->OpenLDAP integration. First of all, set a new password for the Samba administration account:

I have bad news for you now: in Debian Squeeze (and lower) there was a possibility to configure the Samba and OpenLDAP integration automatically by using the configure.pl script, but for some odd reason it’s not available in the Wheezy smbldap-tools package, and even if you try to extract it from older versions and run it you will get a lot of errors from the Perl interpreter.
So just copy the example configuration files to the /etc/smbldap-tools folder and change them as follows.

Edit /etc/smbldap-tools/smbldap.conf file first:

Now let’s edit /etc/smbldap-tools/smbldap_bind.conf as follows:

Then it’s /etc/ldap/slapd.conf’s turn:

Finally we can try to start the entire “thing” by starting each server individually (the execution order is very important):

If you get some errors please keep in mind that all of these services store their logs in /var/log/*; those are priceless for troubleshooting your domain issues.
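Since this setup binds to LDAP in the clear, the admin bind password stored on disk in /etc/smbldap-tools/smbldap_bind.conf (masterPw/slavePw) is what you still control; an added check, not from the original post, that fails on any credential file readable beyond its owner. It assumes /etc/ldap/slapd.conf may also carry a rootpw, which is why it is in the list.

```shell
#!/bin/sh
# Added example, not from the original post: smbldap_bind.conf holds the
# LDAP admin bind password in clear text, so it must be readable by root
# only. This reports every listed file whose group/other permission bits
# are not all cleared (i.e. anything other than 0600/0400).
check_secret_perms() {   # returns 0 = ok, 1 = exposed, 2 = missing
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    # characters 5-10 of the ls mode string are the group and other bits
    go_bits=$(ls -ld "$f" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "INSECURE: $f is readable beyond its owner (mode $(ls -ld "$f" | cut -c1-10))"
        return 1
    fi
    echo "ok: $f"
}

# Files from this guide that carry credentials; slapd.conf is included on
# the assumption that a rootpw is configured there.
secret_files="/etc/smbldap-tools/smbldap_bind.conf /etc/ldap/slapd.conf"

check_all_secret_files() {   # returns 1 if any listed file is exposed or missing
    rc=0
    for f in $secret_files; do
        check_secret_perms "$f" || rc=1
    done
    return $rc
}

if check_all_secret_files; then
    echo "all credential files are owner-only"
else
    echo "tighten with: chmod 0600 <file> (and chown root:root <file>)"
fi
```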

WINDOWS 7 COMPATIBILITY TWEAKS:

As a first step, add these rows to your /etc/samba/smb.conf file:

Then modify the Windows registry on the client computers by using the reg file below (needs a restart to take effect):

Windows Registry Editor Version 5.00

; Value names corrected: the Tcpip parameters are spelled GlobalMaxTcpWindowSize
; and TcpWindowSize (no "s" before "Size"); misspelled names are silently ignored.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"GlobalMaxTcpWindowSize"=dword:00020148
"TcpWindowSize"=dword:00020148
"Tcp1323Opts"=dword:00000003

WHAT’S NEXT?

Now you are ready for domain administration and client configuration.
If you are a Microsoft-oriented administrator you would probably prefer a Windows GUI solution rather than bash; I personally like LDAPAdmin: it’s intuitive, but still very powerful. It has one big limitation: it does not support “secure” domains implementing TLS (only SSL). Give it a try:

http://ldapadmin.sourceforge.net/index.html

I would like to continue with domain topics by sharing my experience with OpenLDAP-based service installation and consolidation (such as MediaWiki, Redmine/Bugzilla, Subversion, Pure-FTPd, SOGo, IMAP/SMTP servers etc.).

Please contact me if you have any corrections to contribute to this guide, or if you simply need a clarification on the installation process; I will always be glad to help you.

P.S. My next post will be about the obvious connection between ACTA and SOPA/PIPA, actually the complete title is: “Who is Manny Acta? Sopa anti-piracy soup. Pippa is bored of misspells.”

Manny Acta, baseball manager who wants to stop piracy in Europe

Sopa (just "soup" in Spanish). Really?

"Stop PIPA" or "stop Pippa", what is the right spelling?
