LDAP + Samba PDC + PAM/NSS on Debian Lenny HOWTO

Using LDAP is a good way to keep a single user database for a mixed network: one login for both Windows and Linux, for email services, for web logon, and so on. This HOWTO walks you through a basic setup of Samba PDC and PAM/NSS backed by LDAP on Debian Lenny. From this base you can extend the same directory to other systems and platforms.

Prepare Debian Lenny

Before you start I will assume you have a functional Debian Lenny setup. If you have any question please refer to my mini-HOWTO on upgrading Debian to Lenny. It is also recommended to install your system with a working xorg. This can be done with tasksel --new-install, choosing both Desktop environment and Standard system. You should also choose manual package selection in order to verify your installation before you start. Next, install all required packages. You can skip all configuration during installation; we will come back to it soon:

    apt-get update
    apt-get install apache2-suexec libapache2-mod-php5 php5 php5-cli php5-curl php5-gd php5-imap php5-ldap php5-mcrypt php5-mhash php5-sqlite php5-tidy php5-xmlrpc php-pear slapd mcrypt ldap-utils libgd-tools apache2-doc libpam-ldap libnss-ldap resolvconf samba swat smbclient smbfs smbldap-tools

Moreover, if you plan to use Samba as a file server, your /etc/fstab may also need updating with user_xattr and acl support. It is also a good idea to replace defaults with relatime (cloned from Ubuntu 9.04). For example:

    /dev/sda3 /     ext3 relatime,user_xattr,acl,errors=remount-ro 0 1
    /dev/sda1 /boot ext3 relatime,user_xattr,acl                   0 2
    /dev/sda2 none  swap sw                                        0 0

Configure slapd

Run dpkg-reconfigure slapd and initialize slapd with the following parameters:
  • Omit OpenLDAP server configuration? No
  • DNS domain name: example.com
  • Organization name: example.com
  • Administrator password: CHANGE
  • Database backend to use: HDB
  • Do you want the database to be removed when slapd is purged? No
  • Allow LDAPv2 protocol? No
Back up your freshly initialized LDAP database with the following command:

    slapcat > ~/slapd.ldif

Now, prepare the LDAP schema for Samba (the file is shipped by the samba-doc package, which is not in the apt-get list above; install it if the path is missing):

    zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema

Generate your rootdn password hash. {SSHA} (salted SHA-1, slapd's own default) is preferable to {MD5}: an unsalted hash can be matched against a precomputed table, and slapd accepts either format in rootpw:

    slappasswd -h {SSHA}

Now copy and replace your /etc/ldap/slapd.conf with my version, and customize it further according to your setup:

    # This is the main slapd configuration file. See slapd.conf(5) for more
    # info on the configuration options.

    #######################################################################
    # Global Directives:

    # Features to permit
    #allow bind_v2

    # Schema and objectClass definitions
    include         /etc/ldap/schema/core.schema
    include         /etc/ldap/schema/cosine.schema
    include         /etc/ldap/schema/nis.schema
    include         /etc/ldap/schema/inetorgperson.schema
    include         /etc/ldap/schema/samba.schema

    # Where the pid file is put. The init.d script
    # will not stop the server if you change this.
    pidfile         /var/run/slapd/slapd.pid

    # List of arguments that were passed to the server
    argsfile        /var/run/slapd/slapd.args

    # Read slapd.conf(5) for possible values
    loglevel        none

    # Where the dynamically loaded modules are stored
    modulepath      /usr/lib/ldap
    moduleload      back_hdb

    # The maximum number of entries that is returned for a search operation
    sizelimit 500

    # The tool-threads parameter sets the actual amount of cpu's that is used
    # for indexing.
    tool-threads 1

    #######################################################################
    # Specific Backend Directives for hdb:
    # Backend specific directives apply to this backend until another
    # 'backend' directive occurs
    backend         hdb

    #######################################################################
    # Specific Backend Directives for 'other':
    # Backend specific directives apply to this backend until another
    # 'backend' directive occurs
    #backend

    #######################################################################
    # Specific Directives for database #1, of type hdb:
    # Database specific directives apply to this databasse until another
    # 'database' directive occurs
    database        hdb

    # The base of your directory in database #1
    suffix          "dc=example,dc=com"

    # rootdn directive for specifying a superuser on the database. This is needed
    # for syncrepl.
    rootdn          "cn=admin,dc=example,dc=com"
    # Paste the output of slappasswd here. The value below is the {MD5} example
    # value used in this HOWTO; a {SSHA} value is accepted in exactly the same way.
    rootpw          {MD5}Qhz9FD5FDD9YFKBJVAngcw==

    # Where the database file are physically stored for database #1
    directory       "/var/lib/ldap"

    # The dbconfig settings are used to generate a DB_CONFIG file the first
    # time slapd starts. They do NOT override existing an existing DB_CONFIG
    # file. You should therefore change these settings in DB_CONFIG directly
    # or remove DB_CONFIG and restart slapd for changes to take effect.

    # For the Debian package we use 2MB as default but be sure to update this
    # value if you have plenty of RAM
    dbconfig set_cachesize 0 2097152 0

    # Sven Hartge reported that he had to set this value incredibly high
    # to get slapd running at all. See http://bugs.debian.org/303057 for more
    # information.

    # Number of objects that can be locked at the same time.
    dbconfig set_lk_max_objects 1500
    # Number of locks (both requested and granted)
    dbconfig set_lk_max_locks 1500
    # Number of lockers
    dbconfig set_lk_max_lockers 1500

    # Indices to maintain for this database
    index objectClass eq,pres
    index ou,cn,sn,mail,givenname eq,pres,sub
    index uidNumber,gidNumber,memberUid eq,pres
    index loginShell eq,pres
    ## required to support pdb_getsampwnam
    index uid pres,sub,eq
    ## required to support pdb_getsambapwrid()
    index displayName pres,sub,eq
    index nisMapName,nisMapEntry eq,pres,sub
    index sambaSID eq
    index sambaPrimaryGroupSID eq
    index sambaDomainName eq
    index default sub
    index uniqueMember eq
    index sambaGroupType eq
    index sambaSIDList eq

    # Save the time that the entry gets modified, for database #1
    lastmod         on

    # Checkpoint the BerkeleyDB database periodically in case of system
    # failure and to speed slapd shutdown.
    checkpoint      512 30

    # Where to store the replica logs for database #1
    # replogfile    /var/lib/ldap/replog

    # Access control. slapd uses the first 'access to' clause whose attribute
    # list matches and, inside it, the first matching 'by' line, so the password
    # clause must stay above the catch-all 'access to *' at the end.

    # users can authenticate and change their password
    access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
            by self write
            by anonymous auth
            by * none

    # those 2 parameters must be world readable for password aging to work correctly
    # (or use a priviledge account in /etc/ldap.conf to bind to the directory)
    access to attrs=shadowLastChange,shadowMax
            by self write
            by * read

    # all others attributes are readable to everybody
    access to *
            by * read

    # For Netscape Roaming support, each user gets a roaming
    # profile for which they have write access to
    #access to dn=".*,ou=Roaming,o=morsnet"
    #        by dn="cn=admin,dc=example,dc=com" write
    #        by dnattr=owner write

    #######################################################################
    # Specific Directives for database #2, of type 'other' (can be hdb too):
    # Database specific directives apply to this databasse until another
    # 'database' directive occurs
    #database

    # The base of your directory for database #2
    #suffix         "dc=debian,dc=org"

Note that the last access clause makes everything except the password attributes readable without authentication, including uidNumber, sambaSID and group membership. That is acceptable while slapd only answers on 127.0.0.1; if you ever open port 389 to the network, remember that this is what every host on it can see.

Always switch off nscd while debugging LDAP, otherwise cached lookups hide what slapd is really answering:

    /etc/init.d/nscd stop

Rebuild your LDAP database from the backup so that the Samba schema and the new indexes take effect:

    /etc/init.d/slapd stop
    rm -rf /var/lib/ldap/*
    slapadd -l ~/slapd.ldif
    slapindex
    chown -Rf openldap:openldap /var/lib/ldap
    /etc/init.d/slapd start

Now verify your setup with slapcat.
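The three access clauses are where most slapd mistakes hide, because slapd stops at the first "access to" whose attribute list matches and, inside it, at the first "by" that matches the requester; a catch-all "access to * by * read" placed above the password clause would make every sambaNTPassword readable by anyone who can reach port 389. The following is an added example (not code from the HOWTO or from OpenLDAP) that models exactly that rule over the clauses above. It only understands the syntax used here (attrs= lists, *, and the subjects self, anonymous, users and *), so treat it as a reading aid, not a substitute for testing with ldapsearch.

```python
"""Model of slapd.conf access control, replaying the HOWTO's three clauses.

Added example, not code from the HOWTO or from OpenLDAP: it implements the
documented first-match rule (slapd.access(5)) for the small subset of
syntax the HOWTO uses (`attrs=` lists, `*`, and the `by` subjects self,
anonymous, users and *), so you can see what each requester gets.
"""
import re

# Clauses copied from the HOWTO's slapd.conf, in file order.
SLAPD_ACLS = """
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
    by self write
    by anonymous auth
    by * none
access to attrs=shadowLastChange,shadowMax
    by self write
    by * read
access to *
    by * read
"""

# The same clauses with the catch-all moved first: a common copy-paste mistake.
MISORDERED_ACLS = "access to *\n    by * read\n" + SLAPD_ACLS

PASSWORD_ATTRS = ("userPassword", "sambaNTPassword", "sambaLMPassword")

# slapd access levels from weakest to strongest; a level implies all below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def parse_acls(text):
    """Return [(attr set or None for '*', [(subject, level), ...]), ...]."""
    acls = []
    for clause in re.split(r"^\s*access to\s+", text, flags=re.M)[1:]:
        what, *by_lines = re.split(r"\s+by\s+", clause.strip())
        attrs = None  # None: the clause applies to every attribute
        if what.startswith("attrs="):
            attrs = {a.strip().lower() for a in what[len("attrs="):].split(",")}
        elif what != "*":
            raise ValueError("unsupported <what>: " + what)
        acls.append((attrs, [tuple(line.split()) for line in by_lines]))
    return acls


def access_level(acls, who, attr):
    """Level granted to `who` ('anonymous', 'self', or 'users' meaning some
    other authenticated DN) on `attr`.  The first clause whose <what> covers
    the attribute is the only one consulted; inside it the first matching
    `by` decides, and no matching `by` at all means 'none'."""
    authenticated = who in ("self", "users")
    for attrs, by_lines in acls:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for subject, level in by_lines:
            if subject == "*" or subject == who or (subject == "users" and authenticated):
                return level
        return "none"
    return "none"


def allows(acls, who, attr, wanted):
    """True if `who` may perform an operation needing access level `wanted`."""
    return LEVELS.index(access_level(acls, who, attr)) >= LEVELS.index(wanted)


def password_hashes_exposed(acls):
    """True if anyone other than the entry's owner can read a password hash."""
    return any(allows(acls, who, attr, "read")
               for who in ("anonymous", "users") for attr in PASSWORD_ATTRS)


if __name__ == "__main__":
    acls = parse_acls(SLAPD_ACLS)
    for who in ("anonymous", "users", "self"):
        for attr in ("sambaNTPassword", "shadowLastChange", "uidNumber"):
            print(f"{who:9} {attr:17} -> {access_level(acls, who, attr)}")
    print("hashes exposed:", password_hashes_exposed(acls),
          "| with catch-all first:", password_hashes_exposed(parse_acls(MISORDERED_ACLS)))
```

Running it shows anonymous binds get only "auth" on the password attributes (enough to bind, not enough to read), the entry owner gets "write", every other authenticated DN gets "none", and the misordered variant leaks every hash. To check the live server the same way, run ldapsearch -x -b dc=example,dc=com sambaNTPassword as an anonymous client and confirm no sambaNTPassword values come back.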

Prepare Apache and PHP for phpLDAPadmin

Before installing phpLDAPadmin we should give Apache and PHP some basic configuration. Edit /etc/php5/apache2/php.ini and change the following lines accordingly:

    memory_limit = 128M
    post_max_size = 32M
    upload_max_filesize = 32M
    date.timezone = "Asia/Hong_Kong"
    display_errors = Off

Edit the Apache default site in /etc/apache2/sites-enabled/000-default and change AllowOverride none to AllowOverride all in the /var/www directory block, as follows (note: this setup is just for a non-production site; Indexes lists every directory without an index file, and allow from all exposes the admin interface to whatever can reach port 80):

    Options Indexes FollowSymLinks MultiViews
    AllowOverride all
    Order allow,deny
    allow from all

Now you can restart Apache:

    /etc/init.d/apache2 restart

Install phpLDAPadmin

I would like to assist my LDAP setup with phpLDAPadmin. First of all, download the package from sourceforge.net: http://phpldapadmin.sourceforge.net/wiki/index.php/Download Prepare your phpLDAPadmin (and remove the tarball afterwards so that it is not served from the document root):

    mv phpldapadmin-1.1.0.6.tar.gz /var/www/
    cd /var/www
    tar zxvf phpldapadmin-1.1.0.6.tar.gz
    rm phpldapadmin-1.1.0.6.tar.gz
    ln -s phpldapadmin-1.1.0.6 phpldapadmin
    cd /var/www/phpldapadmin/config/
    cp config.php.example config.php

Edit /var/www/phpldapadmin/config/config.php and uncomment the following line:

    $ldapservers->SetValue($i,'server','host','127.0.0.1');

Now open phpLDAPadmin at http://localhost/phpldapadmin and log in with your rootdn, cn=admin,dc=example,dc=com, and its password. phpLDAPadmin sends that password over plain HTTP, so use it from localhost only or put it behind HTTPS. Verify all of the setup.

Prepare Samba

Copy and replace your /etc/samba/smb.conf with my version:

    # Samba config file created using SWAT
    # from UNKNOWN ()
    # Date: 2009/06/22 21:47:29

    [global]
            dos charset = UTF-8
            display charset = UTF-8
            workgroup = EXAMPLE
            realm = EXAMPLE.COM
            server string = %h server
            map to guest = Bad User
            passdb backend = ldapsam:ldap://127.0.0.1/
            pam password change = Yes
            passwd program = /usr/sbin/smbldap-passwd -u %u
            passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
            unix password sync = Yes
            syslog = 0
            log file = /var/log/samba/log.%m
            max log size = 1000
            time server = Yes
            socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
            add user script = /usr/sbin/smbldap-useradd -m %u
            delete user script = /usr/sbin/smbldap-userdel %u
            add group script = /usr/sbin/smbldap-groupadd -p %g
            delete group script = /usr/sbin/smbldap-groupdel %g
            add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
            delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
            set primary group script = /usr/sbin/smbldap-usermod -g %g %u
            add machine script = /usr/sbin/smbldap-useradd -w %u
            logon script = logon.bat
            logon path = \\%N\profiles\%U
            logon drive = U:
            domain logons = Yes
            os level = 65
            preferred master = Yes
            domain master = Yes
            dns proxy = No
            wins support = Yes
            ldap admin dn = cn=admin,dc=example,dc=com
            ldap delete dn = Yes
            ldap group suffix = ou=group
            ldap idmap suffix = ou=idmap
            ldap machine suffix = ou=computer
            ldap suffix = dc=example,dc=com
            ldap ssl = no
            ldap user suffix = ou=people
            panic action = /usr/share/samba/panic-action %d
            map acl inherit = Yes
            case sensitive = No
            hide unreadable = Yes
            map hidden = Yes
            map system = Yes

    [homes]
            comment = Home Directories
            valid users = %S
            read only = No
            create mask = 0600
            directory mask = 0700
            browseable = No

    [printers]
            comment = All Printers
            path = /var/spool/samba
            create mask = 0700
            printable = Yes
            browseable = No

    [print$]
            comment = Printer Drivers
            path = /var/lib/samba/printers

    [netlogon]
            path = /var/lib/samba/netlogon
            browseable = No

    [profiles]
            path = /var/lib/samba/profiles
            force user = %U
            read only = No
            create mask = 0600
            directory mask = 0700
            guest ok = Yes
            profile acls = Yes
            browseable = No
            csc policy = disable

    [public]
            path = /tmp
            read only = No
            guest ok = Yes

Two shares deserve a second look before this leaves the test bench. [public] exports /tmp writable to anyone, and [profiles] has guest ok = Yes while its directory is chmod 1777 below; with map to guest = Bad User every unknown username is served as guest, so anything that can reach port 445 can write into the profiles share. Roaming profiles are only ever written by authenticated domain users, so drop guest ok from [profiles], and remove [public] unless you really want an anonymous drop box. ldap ssl = no is fine only because the passdb backend points at 127.0.0.1; the ldap admin dn bind would otherwise cross the wire in clear.

Now, open SWAT from a web browser at http://localhost:901 and change all required parameters for your setup accordingly, e.g. workgroup and realm. SWAT takes the root password over plain HTTP, so make sure it is only reachable from localhost (it runs from inetd; a firewall rule or tcp wrappers will do). Set your LDAP password for Samba (it is stored in /var/lib/samba/secrets.tdb, which is root-only):

    smbpasswd -w CHANGE

Create the directories for netlogon and profiles:

    mkdir -p /var/lib/samba/netlogon /var/lib/samba/profiles
    chown -Rf root:root /var/lib/samba/netlogon /var/lib/samba/profiles
    chmod 1777 /var/lib/samba/profiles

Test your configuration file with testparm and check for any error messages, then restart Samba:

    testparm
    /etc/init.d/samba restart
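As an added example (not code from the HOWTO or from Samba), here is a small audit over a flush-left excerpt of the smb.conf above, constructed for this demonstration, that reports the points a reviewer would raise: shares that guests can write to, whether map to guest hands unknown usernames to that guest, and whether the ldapsam backend would send the ldap admin dn bind in clear to a remote server. The host name ldap.example.com used in the usage note is hypothetical.

```python
"""Findings a reviewer would raise against the HOWTO's smb.conf.

Added example, not from the HOWTO or from Samba: a small audit over an
excerpt of the HOWTO's own smb.conf (constructed here, flush-left so that
configparser does not treat indented lines as continuations).  It reports
shares that unauthenticated guests can write to, whether `map to guest`
turns unknown usernames into that guest, and whether the ldapsam backend
would carry the `ldap admin dn` bind in clear across the network.
"""
import configparser
from urllib.parse import urlparse

SMB_CONF = """
[global]
workgroup = EXAMPLE
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=admin,dc=example,dc=com
ldap ssl = no
domain logons = Yes
[homes]
valid users = %S
read only = No
browseable = No
[netlogon]
path = /var/lib/samba/netlogon
browseable = No
[profiles]
path = /var/lib/samba/profiles
force user = %U
read only = No
guest ok = Yes
profile acls = Yes
[public]
path = /tmp
read only = No
guest ok = Yes
"""

YES = ("yes", "true", "1")
NO = ("no", "false", "0")


def parse_smb_conf(text):
    """smb.conf is INI-like; '=' is the only delimiter and %-macros are literal."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp


def is_writable(share):
    """Samba defaults to read only = yes; writable/writeable are its inverse."""
    if share.get("read only", "yes").lower() in NO:
        return True
    return any(share.get(k, "no").lower() in YES for k in ("writable", "writeable"))


def guest_writable_shares(cp):
    """Names of shares an unauthenticated guest may write to, sorted."""
    return sorted(s for s in cp.sections() if s != "global"
                  and cp[s].get("guest ok", "no").lower() in YES and is_writable(cp[s]))


def ldap_bind_in_clear_over_network(cp):
    """True if ldapsam talks to a non-loopback server without TLS, i.e. the
    admin bind (and every hash it reads back) crosses the wire in plaintext."""
    backend = cp["global"].get("passdb backend", "")
    if not backend.startswith("ldapsam:"):
        return False
    url = urlparse(backend[len("ldapsam:"):])
    loopback = url.scheme == "ldapi" or url.hostname in ("127.0.0.1", "::1", "localhost")
    tls = url.scheme == "ldaps" or cp["global"].get("ldap ssl", "no").lower() not in NO + ("off",)
    return not loopback and not tls


def audit(text):
    """Return the list of findings for one smb.conf text."""
    cp = parse_smb_conf(text)
    findings = [f"[{s}] is writable by guest" for s in guest_writable_shares(cp)]
    if findings and cp["global"].get("map to guest", "Never").lower() != "never":
        findings.append("map to guest = %s: any unknown username is served as guest"
                        % cp["global"]["map to guest"])
    if ldap_bind_in_clear_over_network(cp):
        findings.append("passdb backend binds as ldap admin dn over plaintext LDAP to a remote host")
    return findings


if __name__ == "__main__":
    for finding in audit(SMB_CONF):
        print("-", finding)
    # hypothetical remote directory server: the same config now also leaks the bind
    remote = SMB_CONF.replace("ldap://127.0.0.1/", "ldap://ldap.example.com/")
    print("remote LDAP in clear:", ldap_bind_in_clear_over_network(parse_smb_conf(remote)))
```

On the excerpt above it reports [profiles] and [public] as guest-writable plus the map to guest note, and nothing about LDAP transport; pointing passdb backend at a remote host with ldap ssl = no adds the plaintext-bind finding, and ldap ssl = start tls clears it again.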

Configure smbldap-tools

Prepare the smbldap-tools configuration files:

    zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf
    cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/smbldap_bind.conf

Get your Samba SID for /etc/smbldap-tools/smbldap.conf:

    net getlocalsid

Replace your /etc/smbldap-tools/smbldap.conf with my version, and update it further according to your requirements (remember to replace the SID with your own):

    # $Source: $
    # $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
    #
    # smbldap-tools.conf : Q & D configuration file for smbldap-tools

    # This code was developped by IDEALX (http://IDEALX.org/) and
    # contributors (their names can be found in the CONTRIBUTORS file).
    #
    # Copyright (C) 2001-2002 IDEALX
    #
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of the GNU General Public License
    # as published by the Free Software Foundation; either version 2
    # of the License, or (at your option) any later version.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program; if not, write to the Free Software
    # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
    # USA.

    # Purpose :
    # . be the configuration file for all smbldap-tools scripts

    ##############################################################################
    #
    # General Configuration
    #
    ##############################################################################

    # Put your own SID. To obtain this number do: "net getlocalsid".
    # If not defined, parameter is taking from "net getlocalsid" return
    SID="S-1-5-21-1169193956-4199179787-2206793627"

    # Domain name the Samba server is in charged.
    # If not defined, parameter is taking from smb.conf configuration file
    # Ex: sambaDomain="IDEALX-NT"
    sambaDomain="EXAMPLE"

    ##############################################################################
    #
    # LDAP Configuration
    #
    ##############################################################################

    # Notes: to use to dual ldap servers backend for Samba, you must patch
    # Samba with the dual-head patch from IDEALX. If not using this patch
    # just use the same server for slaveLDAP and masterLDAP.
    # Those two servers declarations can also be used when you have
    # . one master LDAP server where all writing operations must be done
    # . one slave LDAP server where all reading operations must be done
    #   (typically a replication directory)

    # Slave LDAP server
    # Ex: slaveLDAP=127.0.0.1
    # If not defined, parameter is set to "127.0.0.1"
    slaveLDAP="127.0.0.1"

    # Slave LDAP port
    # If not defined, parameter is set to "389"
    slavePort="389"

    # Master LDAP server: needed for write operations
    # Ex: masterLDAP=127.0.0.1
    # If not defined, parameter is set to "127.0.0.1"
    masterLDAP="127.0.0.1"

    # Master LDAP port
    # If not defined, parameter is set to "389"
    masterPort="389"

    # Use TLS for LDAP
    # If set to 1, this option will use start_tls for connection
    # (you should also used the port 389)
    # If not defined, parameter is set to "1"
    # 0 is only acceptable because both servers above are 127.0.0.1: the bind
    # carries the rootdn password, so use 1 (with verify/cafile) for any remote server
    ldapTLS="0"

    # How to verify the server's certificate (none, optional or require)
    # see "man Net::LDAP" in start_tls section for more details
    verify="require"

    # CA certificate
    # see "man Net::LDAP" in start_tls section for more details
    cafile="/etc/smbldap-tools/ca.pem"

    # certificate to use to connect to the ldap server
    # see "man Net::LDAP" in start_tls section for more details
    clientcert="/etc/smbldap-tools/smbldap-tools.pem"

    # key certificate to use to connect to the ldap server
    # see "man Net::LDAP" in start_tls section for more details
    clientkey="/etc/smbldap-tools/smbldap-tools.key"

    # LDAP Suffix
    # Ex: suffix=dc=IDEALX,dc=ORG
    suffix="dc=example,dc=com"

    # Where are stored Users
    # Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
    # Warning: if 'suffix' is not set here, you must set the full dn for usersdn
    usersdn="ou=people,${suffix}"

    # Where are stored Computers
    # Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
    # Warning: if 'suffix' is not set here, you must set the full dn for computersdn
    computersdn="ou=computer,${suffix}"

    # Where are stored Groups
    # Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
    # Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
    groupsdn="ou=group,${suffix}"

    # Where are stored Idmap entries (used if samba is a domain member server)
    # Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
    # Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
    idmapdn="ou=idmap,${suffix}"

    # Where to store next uidNumber and gidNumber available for new users and groups
    # If not defined, entries are stored in sambaDomainName object.
    # Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
    # Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
    sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

    # Default scope Used
    scope="sub"

    # Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
    # MD5 here is unsalted; SSHA (salted SHA-1) is the stronger choice
    hash_encrypt="SSHA"

    # if hash_encrypt is set to CRYPT, you may set a salt format.
    # default is "%s", but many systems will generate MD5 hashed
    # passwords if you use "$1$%.8s". This parameter is optional!
    crypt_salt_format="%s"

    ##############################################################################
    #
    # Unix Accounts Configuration
    #
    ##############################################################################

    # Login defs
    # Default Login Shell
    # Ex: userLoginShell="/bin/bash"
    userLoginShell="/bin/bash"

    # Home directory
    # Ex: userHome="/home/%U"
    userHome="/home/%U"

    # Default mode used for user homeDirectory
    userHomeDirectoryMode="700"

    # Gecos
    userGecos="System User"

    # Default User (POSIX and Samba) GID
    defaultUserGid="513"

    # Default Computer (Samba) GID
    defaultComputerGid="515"

    # Skel dir
    skeletonDir="/etc/skel"

    # Default password validation time (time in days) Comment the next line if
    # you don't want password to be enable for defaultMaxPasswordAge days (be
    # careful to the sambaPwdMustChange attribute's value)
    defaultMaxPasswordAge="365"

    ##############################################################################
    #
    # SAMBA Configuration
    #
    ##############################################################################

    # The UNC path to home drives location (%U username substitution)
    # Just set it to a null string if you want to use the smb.conf 'logon home'
    # directive and/or disable roaming profiles
    # Ex: userSmbHome="\\PDC-SMB3\%U"
    userSmbHome=""

    # The UNC path to profiles locations (%U username substitution)
    # Just set it to a null string if you want to use the smb.conf 'logon path'
    # directive and/or disable roaming profiles
    # Ex: userProfile="\\PDC-SMB3\profiles\%U"
    userProfile=""

    # The default Home Drive Letter mapping
    # (will be automatically mapped at logon time if home directory exist)
    # Ex: userHomeDrive="H:"
    userHomeDrive="U:"

    # The default user netlogon script name (%U username substitution)
    # if not used, will be automatically username.cmd
    # make sure script file is edited under dos
    # Ex: userScript="startup.cmd"
    userScript="logon.bat"

    # Domain appended to the users "mail"-attribute
    # when smbldap-useradd -M is used
    # Ex: mailDomain="idealx.com"
    mailDomain="example.com"

    ##############################################################################
    #
    # SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
    #
    ##############################################################################

    # Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
    # prefer Crypt::SmbHash library
    with_smbpasswd="0"
    smbpasswd="/usr/bin/smbpasswd"

    # Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
    # but prefer Crypt:: libraries
    with_slappasswd="0"
    slappasswd="/usr/sbin/slappasswd"

    # comment out the following line to get rid of the default banner
    # no_banner="1"

Update /etc/smbldap-tools/smbldap_bind.conf as below:

    ############################
    # Credential Configuration #
    ############################
    # Notes: you can specify two differents configuration if you use a
    # master ldap for writing access and a slave ldap server for reading access
    # By default, we will use the same DN (so it will work for standard Samba
    # release)
    slaveDN="cn=admin,dc=example,dc=com"
    slavePw="CHANGE"
    masterDN="cn=admin,dc=example,dc=com"
    masterPw="CHANGE"

Set the correct permissions on the configuration. smbldap_bind.conf holds the rootdn password in clear, so it must be readable by root only:

    chmod 0644 /etc/smbldap-tools/smbldap.conf
    chmod 0600 /etc/smbldap-tools/smbldap_bind.conf

Now you can populate your Samba LDAP directory (it will ask for a password for the domain root account it creates):

    smbldap-populate

Don't forget to back up your latest LDAP database:

    slapcat > ~/smbldap.ldif
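Both slappasswd -h {MD5} in the slapd section and hash_encrypt="MD5" in smbldap.conf produce unsalted {MD5} values, and pam_password md5 would write the same kind of value on every PAM-driven password change. This added example (not code from the HOWTO, OpenLDAP or smbldap-tools) reproduces the exact string formats slappasswd emits for {MD5} and {SSHA} and runs a toy dictionary attack over a constructed directory dump to show the difference: one hash per candidate word cracks every unsalted entry in the dump at once, while each salted entry costs its own pass over the dictionary. The passwords and the dump are constructed for the demo.

```python
"""Why {SSHA} beats {MD5} for rootpw, userPassword and hash_encrypt.

Added example, not from the HOWTO or from OpenLDAP: the two helpers produce
exactly the strings `slappasswd -h {MD5}` and `slappasswd -h {SSHA}` emit
(base64 of the digest; for SSHA the 4-byte salt is appended to the digest
before encoding), and the dictionary attack shows the cost difference an
attacker sees after obtaining a directory dump.  Inputs are constructed.
"""
import base64
import hashlib
import hmac
import os


def md5_hash(password):
    """Unsalted {MD5}: the same password always yields the same string."""
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()


def ssha_hash(password, salt=None):
    """{SSHA}: base64(sha1(password || salt) || salt) with a random 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(stored, password):
    """Check `password` against a {MD5} or {SSHA} value as slapd stores it."""
    if stored.startswith("{MD5}"):
        return hmac.compare_digest(stored, md5_hash(password))
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # a SHA-1 digest is 20 bytes
        return hmac.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())
    raise ValueError("unsupported scheme: " + stored[:8])


def dictionary_attack(stored_values, dictionary):
    """Return ([(stored, recovered_password), ...], hash operations spent).

    Unsalted {MD5} values fall to one hash per word for the whole dump (build
    a table once, look every entry up); every {SSHA} entry needs its own pass
    over the dictionary because of the per-entry salt.
    """
    table, ops = {}, 0
    for word in dictionary:
        table[md5_hash(word)] = word
        ops += 1
    recovered = []
    for stored in stored_values:
        if stored.startswith("{MD5}"):
            if stored in table:
                recovered.append((stored, table[stored]))
            continue
        for word in dictionary:
            ops += 1
            if verify(stored, word):
                recovered.append((stored, word))
                break
    return recovered, ops


if __name__ == "__main__":
    # constructed dump: two users sharing a password, stored both ways
    dump = [md5_hash("Summer2009"), md5_hash("Summer2009"),
            ssha_hash("Summer2009"), ssha_hash("Summer2009")]
    print(*dump, sep="\n")   # the two {MD5} lines are identical, the {SSHA} lines are not
    found, ops = dictionary_attack(dump, ["hunter2", "Summer2009", "CHANGE"])
    print(len(found), "of", len(dump), "recovered with", ops, "hash operations")
```

The identical {MD5} lines also tell an attacker, before cracking anything, which accounts share a password; the salted lines do not. This is why the slapd section uses slappasswd -h {SSHA}, smbldap.conf uses hash_encrypt="SSHA", and the PAM section uses pam_password exop, which lets slapd hash the new password with its own password-hash setting ({SSHA} by default) instead of the client writing an {MD5} value.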

Configure PAM/NSS with LDAP

Reconfigure libnss-ldap with dpkg-reconfigure libnss-ldap:
  • LDAP server Uniform Resource Identifier: ldap://127.0.0.1
  • Distinguished name of the search base: dc=example,dc=com
  • LDAP version to use: 3
  • Does the LDAP database require login? No
  • Special LDAP privileges for root? Yes
  • Make the configuration file readable/writeable by its owner only? Yes
  • LDAP account for root: cn=admin,dc=example,dc=com
  • LDAP root account password: CHANGE
Update /etc/nsswitch.conf as below:

    passwd:         files ldap
    group:          files ldap
    shadow:         files ldap
    hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 ldap

Add the following lines to /etc/ldap/ldap.conf for LDAP clients. This file belongs to libldap (ldapsearch and friends) and is world-readable, so it must never carry a binddn/bindpw: on Lenny nss_ldap and pam_ldap read /etc/libnss-ldap.conf and /etc/pam_ldap.conf instead, and the root bind password belongs only in the mode-0600 /etc/libnss-ldap.secret and /etc/pam_ldap.secret written by dpkg-reconfigure. libldap only honours the host and base lines; the remaining keywords are nss_ldap options that libldap ignores, kept here for nss_ldap builds that share this file:

    host localhost
    base dc=example,dc=com
    bind_policy soft
    pam_password exop
    timelimit 15
    nss_base_passwd dc=example,dc=com?sub
    nss_base_shadow dc=example,dc=com?sub
    nss_base_group ou=group,dc=example,dc=com?one

Modify the following lines in /etc/libnss-ldap.conf (exop hands password changes to slapd, which hashes them with its own password-hash setting, {SSHA} by default, instead of the client writing an unsalted {MD5} value):

    bind_policy soft
    pam_password exop
    nss_base_passwd dc=example,dc=com?sub
    nss_base_shadow dc=example,dc=com?sub
    nss_base_group ou=group,dc=example,dc=com?one

Check /etc/libnss-ldap.secret: it should contain only the rootbinddn password, owned by root with mode 0600:

    ls -l /etc/libnss-ldap.secret
    cat /etc/libnss-ldap.secret

Note that rootbinddn is set to the directory's rootdn, so root on this host can rewrite the whole directory, every sambaNTPassword included. That is acceptable on the PDC itself, which already holds the same password in smbldap_bind.conf; on ordinary client hosts use a dedicated read-only DN instead.

Reconfigure libpam-ldap with dpkg-reconfigure libpam-ldap:
  • LDAP server Uniform Resource Identifier: ldap://127.0.0.1
  • Distinguished name of the search base: dc=example,dc=com
  • LDAP version to use: 3
  • Make local root Database admin: Yes
  • Does the LDAP database require login? No
  • LDAP account for root: cn=admin,dc=example,dc=com
  • LDAP root account password: CHANGE
  • Local crypt to use when changing passwords: exop (slapd then hashes the new password itself with its password-hash setting; md5 would make the client write an unsalted {MD5} value)
  • (UPDATE 2009-05-09, only available after pam 1.0.1-6) PAM profiles to enable: Unix authentication, LDAP Authentication
Modify the following lines in /etc/pam_ldap.conf:

    bind_policy soft
    pam_password exop
    nss_base_passwd dc=example,dc=com?sub
    nss_base_shadow dc=example,dc=com?sub
    nss_base_group ou=group,dc=example,dc=com?one

Check /etc/pam_ldap.secret the same way (root-owned, mode 0600, containing only the password):

    ls -l /etc/pam_ldap.secret
    cat /etc/pam_ldap.secret

(UPDATE 2009-05-09, only available after pam 1.0.1-6) Refer to the comment in /etc/pam.d/common-account:

    # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
    # To take advantage of this, it is recommended that you configure any
    # local modules either before or after the default block, and use
    # pam-auth-update to manage selection of other modules. See
    # pam-auth-update(8) for details.

By default, Debian already comes with a correct LDAP auth profile in /usr/share/pam-configs/ldap:

    Name: LDAP Authentication
    Default: yes
    Priority: 128
    Auth-Type: Primary
    Auth-Initial:
            [success=end default=ignore]    pam_ldap.so
    Auth:
            [success=end default=ignore]    pam_ldap.so use_first_pass
    Account-Type: Primary
    Account:
            [success=end default=ignore]    pam_ldap.so
    Password-Type: Primary
    Password-Initial:
            [success=end user_unknown=ignore default=die]   pam_ldap.so
    Password:
            [success=end user_unknown=ignore default=die]   pam_ldap.so use_authtok try_first_pass
    Session-Type: Additional
    Session:
            optional        pam_ldap.so

If you followed the guideline above, your libpam-ldap should already be set up correctly; otherwise, run pam-auth-update manually.
Here is the legacy reference setup from before pam 1.0.1-6. Update your /etc/pam.d/common-account as below:

    # here are the per-package modules (the "Primary" block)
    account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
    account [success=1 default=ignore]      pam_ldap.so
    # here's the fallback if no module succeeds
    account requisite                       pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    account required                        pam_permit.so
    # and here are more per-package modules (the "Additional" block)

Update your /etc/pam.d/common-auth as below:

    # here are the per-package modules (the "Primary" block)
    auth    [success=2 default=ignore]      pam_unix.so nullok_secure
    auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
    # here's the fallback if no module succeeds
    auth    requisite                       pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    auth    required                        pam_permit.so

Update your /etc/pam.d/common-password as below (this matches the Debian pam-configs profile; if password changes through pam_ldap.so fail with use_authtok, see http://ubuntuforums.org/archive/index.php/t-156071.html):

    # here are the per-package modules (the "Primary" block)
    password        [success=2 default=ignore]      pam_unix.so obscure md5
    password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
    # here's the fallback if no module succeeds
    password        requisite                       pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    password        required                        pam_permit.so
    # and here are more per-package modules (the "Additional" block)

Update your /etc/pam.d/common-session as below:

    # here are the per-package modules (the "Primary" block)
    session [default=1]                     pam_permit.so
    # here's the fallback if no module succeeds
    session requisite                       pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    session required                        pam_permit.so
    # and here are more per-package modules (the "Additional" block)
    session required        pam_unix.so
    session optional        pam_ldap.so
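The jump counts in these stacks are easy to get wrong when a module is added or removed, and the consequences go both ways: a count that lands on pam_deny.so locks everyone out, while deleting the pam_deny.so line lets a stack in which every module returned default=ignore fall through to pam_permit.so and admit anyone. This added example (not code from the HOWTO or from Linux-PAM) simulates the control semantics documented in pam.conf(5) over the common-auth stack above and over two constructed broken variants. Module results are supplied by the caller; nothing talks to PAM.

```python
"""Simulator for the Debian-style PAM stacks in this HOWTO.

Added example, not from the HOWTO or from Linux-PAM: it applies the control
semantics documented in pam.conf(5) (required/requisite/sufficient/optional
expand to [...] forms; an integer action is `ok` plus a jump over that many
modules; a stack that never sets a status fails) to the HOWTO's common-auth,
so you can see why the jump counts and the final pam_deny/pam_permit pair
matter.  Module results are supplied by the caller; nothing talks to PAM.
"""
import re

# The HOWTO's legacy common-auth, verbatim apart from the comments.
COMMON_AUTH = """
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""

# Two ways of getting the same stack wrong (constructed for the demo).
WRONG_JUMP = COMMON_AUTH.replace("success=2", "success=1")           # pam_unix jumps onto pam_deny
MISSING_DENY = COMMON_AUTH.replace("auth requisite pam_deny.so\n", "")  # nothing fails the stack

KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
BUILTIN = {"pam_permit.so": "success", "pam_deny.so": "auth_err"}
LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")


def parse_stack(text):
    """Return [(control dict, module name), ...] for one management group."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        _group, control, module = LINE.match(line).groups()
        if control.startswith("["):
            ctl = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            ctl = KEYWORDS[control]
        stack.append((ctl, module))
    return stack


def run_stack(stack, results):
    """Dispatch the stack.  `results` maps module -> its return value
    ('success', 'auth_err', 'user_unknown', ...); pam_permit/pam_deny are
    built in.  Returns 'success' or 'failure'."""
    status = None                       # None: nothing has set the stack status yet
    i = 0
    while i < len(stack):
        ctl, module = stack[i]
        i += 1
        result = results.get(module, BUILTIN.get(module, "auth_err"))
        action = ctl.get(result, ctl.get("default", "bad"))
        if action == "ignore":
            continue
        if action == "die":
            return "failure"
        if action == "bad":
            status = "failure"
        elif action in ("ok", "done") or action.isdigit():
            if status != "failure":     # an earlier failure is never overwritten
                status = "success" if result == "success" else "failure"
            if action == "done":
                return status
            if action.isdigit():
                i += int(action)        # jump over the next N modules
        else:
            raise ValueError("unsupported action: " + action)
    return status or "failure"          # an undetermined stack is a denial


if __name__ == "__main__":
    for name, text in (("common-auth", COMMON_AUTH), ("wrong jump", WRONG_JUMP), ("no pam_deny", MISSING_DENY)):
        stack = parse_stack(text)
        print(name,
              "| local ok:", run_stack(stack, {"pam_unix.so": "success"}),
              "| ldap ok:", run_stack(stack, {"pam_unix.so": "user_unknown", "pam_ldap.so": "success"}),
              "| both fail:", run_stack(stack, {"pam_unix.so": "auth_err", "pam_ldap.so": "auth_err"}))
```

With the stack as written, a local user succeeds at pam_unix.so and jumps straight to pam_permit.so, an LDAP user falls through pam_unix.so (default=ignore) and succeeds at pam_ldap.so, and a bad password for both reaches pam_deny.so. With success=1 on pam_unix.so a correct local password lands on pam_deny.so and is refused, and without the pam_deny.so line two failures still end at pam_permit.so, which is why that line must never be dropped when editing these files by hand.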
During system boot udevd looks up some non-existent users/groups through NSS and so prints error messages (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=412989), because the ldap source in nsswitch.conf is consulted before slapd is up. A quick fix is to create those users/groups locally in /etc/passwd and /etc/group, so the lookup is answered by files before LDAP is tried:

    addgroup --system nvram
    addgroup --system rdma
    addgroup --system fuse
    addgroup --system kvm
    adduser --system --group --shell /usr/sbin/nologin --home /var/lib/tpm tss

bind_policy soft makes these failed lookups time out quickly, but does not fix the underlying problem.

Reboot your Debian and debug any error messages :D

Test your setup

Create a demo user account with smbldap-tools:

    smbldap-useradd -a -m postmaster
    smbldap-passwd postmaster

Check your user and group lookup. You should find the record coming from LDAP:

    getent passwd postmaster
    getent group

Now log out and log into your Debian with the new LDAP user account. After a successful login check your home directory with pwd. It should all be fine. It is time for you to test joining the domain from Windows. This is not the key point of the HOWTO so I will skip it here. After joining your Windows machine to this Samba domain, log in with your LDAP user account. Again, it should all be fine :D

Extra tips

  1. Can't join Windows XP to the domain. Check that nss_base_passwd ou=computer,dc=example,dc=com?one exists in your PAM/NSS setup (or use nss_base_passwd dc=example,dc=com?sub as above, which may cost some performance). Also, some people report that /var/lib/samba/secrets.tdb can get corrupted so that the join fails. Remove it and redo smbpasswd -w CHANGE; back it up first, because it also holds the domain SID, and confirm afterwards that the SID (net getlocalsid, or net rpc info as in tip 4) still matches the one in smbldap.conf:

     /etc/init.d/samba stop
     rm -rf /var/lib/samba/secrets.tdb /var/lib/samba/schannel_store.tdb /var/cache/samba/*
     smbpasswd -w CHANGE
     /etc/init.d/samba start

  2. The SID must be set up correctly. Don't forget net getlocalsid and replace the SID in /etc/smbldap-tools/smbldap.conf with it.
  3. root must have uidNumber = 0. This is documented in the smbldap-tools HOWTO. If you change this during smbldap-populate, your Windows XP will not be able to join the domain.
  4. Can't use net getlocalsid after passdb backend = ldapsam. Use net rpc info instead.

Other references

As your Linux is now LDAP PAM/NSS enabled, you can also plug most Linux services into the same directory, e.g. email and webmail:

Comments


I have followed your howto exactly with a minor hiccup at reconfiguring slapd, where I had to remove an old dbbackup and try again. The second try was successful. I have an open question here: the howto indicated that I should use "CHANGE" for the password. I assumed that I should replace the word "CHANGE" with my own password, as I replaced "example.com" with my own domain name. Was this an incorrect assumption?
When I got to downloading phpldapadmin, SourceForge had a newer version which I downloaded and used in the ensuing instructions in your howto (new version is 1.2.0.5).
When it comes time to log into phpldapadmin, my login dn (admin) and password do not work! Do you have any suggestions on how to login?


The correct login is: cn=admin,dc=example,dc=com


I followed all the instructions, but why did I get this?

ksi-server:~# smbldap-populate
Populating LDAP directory for domain KSI (S-1-5-21-554875375-845854810-3671570673)
(using builtin directory structure)

entry dc=ksi,dc=local already exist.
entry ou=people,dc=ksi,dc=local already exist.
entry ou=group,dc=ksi,dc=local already exist.
entry ou=computer,dc=ksi,dc=local already exist.
entry ou=idmap,dc=ksi,dc=local already exist.
adding new entry: uid=root,ou=people,dc=ksi,dc=local
failed to add entry: objectClass: value #4 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN 1> line 56.
adding new entry: uid=nobody,ou=people,dc=ksi,dc=local
failed to add entry: objectClass: value #4 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN 1> line 85.
adding new entry: cn=Domain Admins,ou=group,dc=ksi,dc=local
failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN 1> line 97.
adding new entry: cn=Domain Users,ou=group,dc=ksi,dc=local
failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN 1> line 108.
adding new entry: cn=Domain Guests,ou=group,dc=ksi,dc=local
failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN 1> line 119.
adding new entry: cn=Domain Computers,ou=group,dc=ksi,dc=local
failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN 1> line 130.
adding new entry: cn=Administrators,ou=group,dc=ksi,dc=local
failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN 1> line 175.
adding new entry: cn=Account Operators,ou=group,dc=ksi,dc=local
failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN 1> line 197.
adding new entry: cn=Print Operators,ou=group,dc=ksi,dc=local
failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN 1> line 208.
adding new entry: cn=Backup Operators,ou=group,dc=ksi,dc=local
failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN 1> line 219.
adding new entry: cn=Replicators,ou=group,dc=ksi,dc=local
failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN 1> line 230.
adding new entry: sambaDomainName=KSI,dc=ksi,dc=local
failed to add entry: invalid DN at /usr/sbin/smbldap-populate line 498, <GEN1> line 238.

Please provide a password for the domain root:
/usr/sbin/smbldap-passwd: user root doesn't exist
ksi-server:~#

thank you

thanks, best guide for LDAP, really saved me =)

Worst manual I have ever seen... wasted 3 days solving the following error with no results
failed to add entry: objectClass: value #4 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN 1> line 56.

Me too

Please provide a password for the domain root:
No such object at /usr/share/perl5/smbldap_tools.pm line 406, <DATA> line 466.

Thanks for sharing...
The link below is very easy to understand, just try it.
http://www.redhatlinux.info/2011/11/configure-samba-server.html

Hi Friend,

I followed all the instructions, but why did I get this?

[root@user smbldap-tools]# smbldap-populate
Populating LDAP directory for domain sti.com (S-1-5-21-946635524-1888279612-3070145439)
(using builtin directory structure)

adding new entry: dc=softechindia,dc=uk
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 2.
adding new entry: ou=Users,dc=softechindia,dc=uk
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 3.
adding new entry: ou=Groups,dc=softechindia,dc=uk
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 4.
adding new entry: ou=Computers,dc=softechindia,dc=uk
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 5.
adding new entry: ou=Idmap,dc=softechindia,dc=uk
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 6.
adding new entry: uid=root,ou=Users,dc=softechindia,dc=uk
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 7.
adding new entry: uid=nobody,ou=Users,dc=softechindia,dc=uk
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 8.
adding new entry: cn=Domain Admins,ou=Groups,dc=softechindia,dc=uk
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 9.
adding new entry: cn=Domain Users,ou=Groups,dc=softechindia,dc=uk
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 10.
adding new entry: cn=Domain Guests,ou=Groups,dc=softechindia,dc=uk
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 11.
adding new entry: cn=Domain Computers,ou=Groups,dc=softechindia,dc=uk
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 12.
adding new entry: cn=Administrators,ou=Groups,dc=softechindia,dc=uk
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 16.
adding new entry: cn=Account Operators,ou=Groups,dc=softechindia,dc=uk
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 18.
adding new entry: cn=Print Operators,ou=Groups,dc=softechindia,dc=uk
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 19.
adding new entry: cn=Backup Operators,ou=Groups,dc=softechindia,dc=uk
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 20.
adding new entry: cn=Replicators,ou=Groups,dc=softechindia,dc=uk
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 21.
adding new entry: sambaDomainName=sti.com,dc=softechindia,dc=uk
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 21.

Please provide a password for the domain root:
No such object at /usr/sbin//smbldap_tools.pm line 406.

Thank you,
gagsverma@gmail.com
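The two failure signatures pasted in the comments above, "objectClass: value #N invalid per syntax" (slapd does not know the Samba object classes, so samba.schema is not loaded) and "modifications require authentication" (the tool bound anonymously because masterDN/masterPw are unset), both come from preconditions that can be verified before smbldap-populate is run. The pre-flight script below is an added example, not part of the HOWTO or of smbldap-tools; it assumes slapd on ldap://localhost and Debian's /etc/smbldap-tools/smbldap_bind.conf with its masterDN/masterPw keys.

```shell
#!/bin/sh
# Added pre-flight check for smbldap-populate (example code, not from the HOWTO
# or smbldap-tools). It tests the preconditions behind the two failures quoted
# above: "objectClass ... invalid per syntax" (slapd has no Samba schema loaded)
# and "modifications require authentication" (masterDN/masterPw unset, so the
# tool bound anonymously). Assumes slapd on ldap://localhost and Debian's
# /etc/smbldap-tools/smbldap_bind.conf with KEY="value" lines.

# Join LDIF continuation lines (leading space) so grep sees whole values.
ldif_unwrap() {
    awk '/^ / { printf "%s", substr($0, 2); next } { printf "\n%s", $0 } END { print "" }'
}

# Read subschema LDIF on stdin; succeed only if both Samba classes are advertised.
schema_has_samba() {
    text=$(ldif_unwrap)
    printf '%s\n' "$text" | grep -q "NAME 'sambaSamAccount'" &&
        printf '%s\n' "$text" | grep -q "NAME 'sambaDomain'"
}

# conf_value FILE KEY: print the value of a KEY="value" line, empty if absent.
conf_value() {
    sed -n "s/^$2=\"\(.*\)\"/\1/p" "$1"
}
# Succeed only if the bind config is readable and names a DN and a password.
bind_conf_complete() {
    [ -r "$1" ] && [ -n "$(conf_value "$1" masterDN)" ] && [ -n "$(conf_value "$1" masterPw)" ]
}

# Run both checks against the live server; exit status 0 means safe to populate.
preflight() {
    conf=${1:-/etc/smbldap-tools/smbldap_bind.conf}
    rc=0
    if ldapsearch -x -LLL -H ldap://localhost -s base -b cn=Subschema objectClasses 2>/dev/null | schema_has_samba; then
        echo "ok: slapd advertises sambaSamAccount and sambaDomain"
    else
        echo "FAIL: Samba schema not loaded in slapd; include samba.schema and restart slapd"; rc=1
    fi
    if bind_conf_complete "$conf"; then
        if ldapwhoami -x -H ldap://localhost -D "$(conf_value "$conf" masterDN)" -w "$(conf_value "$conf" masterPw)" >/dev/null 2>&1; then
            echo "ok: masterDN binds successfully"
        else
            echo "FAIL: masterDN/masterPw in $conf are rejected by slapd"; rc=1
        fi
    else
        echo "FAIL: $conf lacks masterDN or masterPw (writes would be anonymous)"; rc=1
    fi
    return $rc
}
```

Run `preflight` on the server before `smbldap-populate`; each FAIL line maps to one of the errors quoted in the comments.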
