Saturday, February 28, 2009

Samba 3 as PDC

  1. Set up the Samba 3 server to authenticate against OpenLDAP as shown in a previous post
  2. Set the following in smb.conf (roaming profile disabled)
    domain logons = yes
    domain master = yes
    logon home =
    logon path =
  3. Create the following well-known groups under Ou=Group. This can be done in phpLDAPadmin by creating a child entry using the template Samba3 Group Mapping. It may also be done with the command net groupmap add. Their values for the attributes cn, displayName and sambaSID are shown below (the first three are the essential domain groups):
    cn, displayName, sambaSID
    admin, Domain Admins, (sambaSID of sambaDomainName)-512
    guest, Domain Users, (sambaSID of sambaDomainName)-513
    host, Domain Guests, (sambaSID of sambaDomainName)-514
    user, Domain Computers, (sambaSID of sambaDomainName)-515
    The result can be checked with net groupmap list.
  4. Add at least one user from Ou=people to the memberUid attribute of the group cn=admin,ou=Group. Its credentials will be needed later when joining workstations to the domain.
  5. Create machine trust accounts under Ou=Hosts for the workstations before joining them to the domain. This can be done in phpLDAPadmin by creating a child entry using the template Samba 3 machine. Its Machine Name attribute must be in the format machine_name$ and I chose to set its gid attribute to that of the host group. The attribute sambaNTPassword will automatically show up once the workstation has successfully joined the domain.
  6. When prompted for username and password to join the domain, enter the uid and sambaNTPassword of the user who is a member of Domain Admins.
  7. Add the group Domain Users to the local Administrators group on a domain workstation (XP pro) to enable remote desktop access on it for the domain users. The group Domain Admins (RID 512) is already added upon joining of the domain.
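
Step 3 says the result can be checked with net groupmap list. The script below is an added example, not part of the original post and not Samba's own code: it reads such a listing and confirms that the three essential groups (RIDs 512, 513 and 514) are all mapped under the domain's own SID, which catches a missing group as well as a mapping created against the wrong SID (for instance one left over from an earlier installation). The domain SID and both listings are constructed samples; on a real PDC the SID comes from net getlocalsid (or from the sambaSID of the sambaDomainName entry) and the listing from net groupmap list.

```sh
#!/bin/sh
# Constructed sample data: a made-up domain SID and a "net groupmap list"
# style listing (one mapping per line: "<NT group> (<SID>) -> <unix group>").
# In practice:  DOMAIN_SID=$(net getlocalsid | sed 's/.*: //')
#               net groupmap list | check_essential_groups "$DOMAIN_SID"
DOMAIN_SID="S-1-5-21-1111111111-2222222222-3333333333"

GROUPMAP_OK="Domain Admins (${DOMAIN_SID}-512) -> admin
Domain Users (${DOMAIN_SID}-513) -> guest
Domain Guests (${DOMAIN_SID}-514) -> host
Domain Computers (${DOMAIN_SID}-515) -> user"

# Same listing with Domain Users missing and Domain Guests mapped under a
# foreign SID (made-up value).
GROUPMAP_BAD="Domain Admins (${DOMAIN_SID}-512) -> admin
Domain Guests (S-1-5-21-9999-9999-9999-514) -> host"

# check_essential_groups DOMAIN_SID < groupmap-listing
# Returns 0 when RIDs 512, 513 and 514 are all mapped under DOMAIN_SID,
# 1 otherwise (each problem is reported on stderr).
check_essential_groups() {
    domain_sid="$1"
    # Pull the SID out of the parentheses on every mapping line.
    sids=$(sed -n 's/^.* (\(S-1-5-21-[0-9-]*\)) -> .*$/\1/p')
    rc=0
    for rid in 512 513 514; do
        if ! printf '%s\n' "$sids" | grep -qx "${domain_sid}-${rid}"; then
            echo "RID ${rid}: no mapping under ${domain_sid}" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: check the good listing, then the broken one.
if printf '%s\n' "$GROUPMAP_OK" | check_essential_groups "$DOMAIN_SID"; then
    echo "sample listing: essential groups OK"
fi
if ! printf '%s\n' "$GROUPMAP_BAD" | check_essential_groups "$DOMAIN_SID"; then
    echo "broken listing: rejected as expected"
fi
```

The check deliberately ignores the unix group names on the right-hand side and only verifies the SID/RID pairs, since those are what Windows clients see when they evaluate group membership.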

Great Ref: The Official Samba 3.2.x HOWTO and Reference Guide
1. Chapter 27. Desktop Profile Management: contains instructions on how to
  • Disable roaming profiles
  • Convert Local Profile to Domain Profile
2. Chapter 12. Group Mapping: MS Windows and UNIX: contains important information about essential domain groups and their default RID.

Monday, February 16, 2009

Replicate OpenLDAP directory

I have the following lines in /etc/openldap/slapd.conf after all the authz clauses to replicate the LDAP directory from the master once a day:
syncrepl rid=123
provider=ldap://master:389/
type=refreshOnly
interval=01:00:00:00
searchbase="dc=examples,dc=com"
schemachecking=off
bindmethod=simple
binddn="uid=Replicator,ou=System Accounts,dc=examples,dc=com"
credentials=mysecret
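
With type=refreshOnly and a one-day interval the consumer is expected to trail the provider by up to a day, so "is replication working" is best answered by comparing the contextCSN of the two servers rather than by eyeballing entries. The script below is an added example, not part of the post and not OpenLDAP code: it converts the timestamp part of a contextCSN to epoch seconds with plain shell arithmetic and flags a consumer that is further behind than an allowed lag. The two CSN values are constructed; in practice each one comes from ldapsearch -x -H ldap://<server>/ -s base -b "dc=examples,dc=com" contextCSN, run once against the provider and once against the consumer.

```sh
#!/bin/sh
# Constructed sample contextCSN values (provider exactly one day ahead).
# In practice fetch them with, for each server:
#   ldapsearch -x -H ldap://master:389/ -s base -b "dc=examples,dc=com" contextCSN
# and take the value after "contextCSN:".
PROVIDER_CSN="20090216010000.000000Z#000000#000#000000"
CONSUMER_CSN="20090215010000.000000Z#000000#000#000000"

# csn_epoch CSN -> prints the CSN timestamp (YYYYMMDDHHMMSS, UTC) as seconds
# since 1970-01-01; fractional seconds and the counters after '#' are ignored.
csn_epoch() {
    ts=${1%%.*}
    case "$ts" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "csn_epoch: not a contextCSN: '$1'" >&2; return 1 ;;
    esac
    y=$(printf '%s\n' "$ts" | cut -c1-4)
    m=$(printf '%s\n' "$ts" | cut -c5-6)
    d=$(printf '%s\n' "$ts" | cut -c7-8)
    hh=$(printf '%s\n' "$ts" | cut -c9-10)
    mm=$(printf '%s\n' "$ts" | cut -c11-12)
    ss=$(printf '%s\n' "$ts" | cut -c13-14)
    # Drop a leading zero so "08" is not parsed as an (invalid) octal number.
    m=${m#0}; d=${d#0}; hh=${hh#0}; mm=${mm#0}; ss=${ss#0}
    # Days since the epoch for a proleptic Gregorian date (days_from_civil).
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    days=$(( era * 146097 + doe - 719468 ))
    echo $(( days * 86400 + hh * 3600 + mm * 60 + ss ))
}

# replication_lag PROVIDER_CSN CONSUMER_CSN -> seconds the consumer is behind.
# A consumer *ahead* of its provider also reports 0; in a single-provider
# setup that should not happen and deserves a look of its own.
replication_lag() {
    p=$(csn_epoch "$1") || return 1
    c=$(csn_epoch "$2") || return 1
    lag=$((p - c))
    if [ "$lag" -lt 0 ]; then lag=0; fi
    echo "$lag"
}

# check_sync PROVIDER_CSN CONSUMER_CSN MAX_LAG_SECONDS -> 0 if within MAX_LAG
check_sync() {
    lag=$(replication_lag "$1" "$2") || return 1
    if [ "$lag" -gt "$3" ]; then
        echo "consumer is ${lag}s behind provider (limit $3)" >&2
        return 1
    fi
    return 0
}

# Stand-alone run: one refreshOnly interval is a day, so allow two days.
if check_sync "$PROVIDER_CSN" "$CONSUMER_CSN" 172800; then
    echo "consumer lag: $(replication_lag "$PROVIDER_CSN" "$CONSUMER_CSN")s (within limit)"
fi
```

The date arithmetic is done in the shell rather than with date -d so the check runs the same on any POSIX sh; the threshold to alarm on should be a little over one interval (two days here), since a consumer that has missed two consecutive refreshes is the earliest point at which something is clearly wrong rather than merely pending.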

Sunday, February 15, 2009

Set up replication of a MySQL database

Creating a Data Snapshot Using mysqldump

Steps to set up the replication master server:
  1. Add a replication_user with REPLICATION SLAVE as the only enabled global privilege, accessible with a password from the slave server.
  2. Edit the file /etc/my.cnf to include the following
    #skip-networking
    # binary logging is required for replication
    log-bin=mysql-bin
    expire_logs_days = 7
    server-id = 1
  3. Shut down both master and slave mysqld and copy raw data files from master to slave (excluding the master's binary log files)
  4. Start mysqld and obtain the position of the binary log after making the master read-only by running the following commands in the mysql client:
    FLUSH TABLES WITH READ LOCK;
    SET GLOBAL read_only = ON;
    SHOW MASTER STATUS;
    +------------------+----------+--------------+------------------+
    | File             | Position | Binlog_Do_DB | Binlog_Ignore_DB |
    +------------------+----------+--------------+------------------+
    | mysql-bin.000002 |       98 |              |                  |
    +------------------+----------+--------------+------------------+

    Leave this mysql instance running during the rest of the replication setup

Steps to set up the slave server running on Windows:
  1. Edit the file e:\Program Files\MySQL\MySQL Server 5.1\my.ini to include the following
    #skip-networking
    bind-address=127.0.0.1
    server-id = 2
    relay-log=e:\Program Files\MySQL\MySQL Server 5.1\Data\mysqld-relay-bin
    relay-log-index=e:\Program Files\MySQL\MySQL Server 5.1\Data\mysqld-relay-bin.index
    #Check the size of the files ib_logfile? in your master data folder
    innodb_log_file_size = 5M
  2. Start mysqld and connect to the slave with a mysql client. Run the following commands:
    STOP SLAVE;
    CHANGE MASTER TO MASTER_HOST='master_host_name', MASTER_PORT=3306, MASTER_USER='replication_user', MASTER_PASSWORD='replication_user_password', MASTER_LOG_FILE='mysql-bin.000002',MASTER_LOG_POS=98;
    START SLAVE;
    SHOW SLAVE STATUS\G
    The slave status can also be checked by examining the content of file master.info in the slave data folder without using a mysql client. Note the item Seconds_Behind_Master may give you some idea whether the master and slave are in sync.

Finally, don't forget to make the replication master server writable again:
SET GLOBAL read_only = OFF;
UNLOCK TABLES;
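
Two spots in this procedure are easy to get wrong by hand: retyping the File/Position pair from SHOW MASTER STATUS into CHANGE MASTER TO, and deciding from SHOW SLAVE STATUS\G whether replication is actually healthy (Seconds_Behind_Master alone is misleading once a thread has stopped, because it then reads NULL rather than a growing number). The script below is an added example, not part of the post and not MySQL's own tooling: it turns a SHOW MASTER STATUS table into the MASTER_LOG_FILE/MASTER_LOG_POS clause, and checks a SHOW SLAVE STATUS\G dump for both threads running, no recorded error and a bounded lag. The sample outputs are constructed (the master status repeats the values from step 4); the replication user's GRANT from step 1 is shown in a comment in MySQL 5.1 syntax with placeholder host and password.

```sh
#!/bin/sh
# Step 1 on the master, as SQL (MySQL 5.1 syntax; host and password are
# placeholders). REPLICATION SLAVE is the only privilege the account needs,
# and pinning it to the slave's address keeps the account unusable elsewhere.
#   GRANT REPLICATION SLAVE ON *.* TO 'replication_user'@'slave_host'
#       IDENTIFIED BY 'replication_user_password';

# Constructed sample of "SHOW MASTER STATUS" (same values as in step 4).
MASTER_STATUS='+------------------+----------+--------------+------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+------------------+----------+--------------+------------------+
| mysql-bin.000002 |       98 |              |                  |
+------------------+----------+--------------+------------------+'

# Constructed sample of "SHOW SLAVE STATUS\G" output, healthy case
# (only the fields the check reads are included).
SLAVE_OK='*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: master_host_name
                  Master_User: replication_user
              Master_Log_File: mysql-bin.000002
          Read_Master_Log_Pos: 98
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
                   Last_Errno: 0
                   Last_Error:
        Seconds_Behind_Master: 0'

# Constructed sample where the SQL thread has stopped on an error; note that
# Seconds_Behind_Master turns into NULL instead of a large number.
SLAVE_BROKEN='*************************** 1. row ***************************
             Slave_IO_Running: Yes
            Slave_SQL_Running: No
                   Last_Errno: 1062
                   Last_Error: Duplicate entry 1 for key PRIMARY
        Seconds_Behind_Master: NULL'

# change_master_clause < master-status-table
# Prints "MASTER_LOG_FILE='...', MASTER_LOG_POS=..." from the data row, so the
# coordinates are copied mechanically instead of retyped.
change_master_clause() {
    awk -F'|' -v q="'" '
        /^\|/ && $2 !~ /^ *File *$/ {
            gsub(/ /, "", $2); gsub(/ /, "", $3)
            printf "MASTER_LOG_FILE=%s%s%s, MASTER_LOG_POS=%s\n", q, $2, q, $3
        }'
}

# slave_field NAME < slave-status-output -> value of NAME ("" if absent)
slave_field() {
    sed -n "s/^ *$1: *//p" | head -n 1
}

# check_slave_status MAX_LAG < slave-status-output
# 0 when both threads run, no error is recorded and Seconds_Behind_Master is a
# number not above MAX_LAG; otherwise 1 with the reasons on stderr.
check_slave_status() {
    max_lag="$1"
    status=$(cat)
    io=$(printf '%s\n' "$status" | slave_field Slave_IO_Running)
    sql=$(printf '%s\n' "$status" | slave_field Slave_SQL_Running)
    err=$(printf '%s\n' "$status" | slave_field Last_Error)
    lag=$(printf '%s\n' "$status" | slave_field Seconds_Behind_Master)
    rc=0
    if [ "$io" != "Yes" ]; then echo "I/O thread not running" >&2; rc=1; fi
    if [ "$sql" != "Yes" ]; then echo "SQL thread not running" >&2; rc=1; fi
    if [ -n "$err" ]; then echo "last error: $err" >&2; rc=1; fi
    case "$lag" in
        ''|*[!0-9]*)
            echo "Seconds_Behind_Master is '${lag:-missing}': not replicating" >&2; rc=1 ;;
        *)
            if [ "$lag" -gt "$max_lag" ]; then echo "slave is ${lag}s behind" >&2; rc=1; fi ;;
    esac
    return $rc
}

# Stand-alone run.
echo "CHANGE MASTER TO ... $(printf '%s\n' "$MASTER_STATUS" | change_master_clause);"
if printf '%s\n' "$SLAVE_OK" | check_slave_status 60; then echo "healthy slave: OK"; fi
if ! printf '%s\n' "$SLAVE_BROKEN" | check_slave_status 60; then echo "broken slave: flagged"; fi
```

On a live slave the status text comes from mysql -e 'SHOW SLAVE STATUS\G' piped into check_slave_status; the three separate conditions are reported individually because a stopped SQL thread with a NULL lag is a different failure from a running slave that simply cannot keep up.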

Tuesday, February 10, 2009

System authentication using LDAP in Mandriva

The necessary packages are pam_ldap and nss_ldap. I enabled PAM authentication in /etc/ssh/sshd_config:
UsePAM yes

Then updated the file /etc/pam.d/sshd to the following (/etc/ssh/denyusers is empty):
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers
auth include system-auth

account sufficient pam_ldap.so
account required pam_nologin.so
account include system-auth

password required pam_ldap.so
password include system-auth

session sufficient pam_ldap.so
session include system-auth
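
The order of the lines matters more than it looks: sufficient returns success to the application as soon as pam_ldap accepts the password, so the pam_listfile deny list placed after it is consulted only for users pam_ldap rejects (local accounts), while for LDAP accounts it is never reached. That is harmless while /etc/ssh/denyusers is empty, as above; if the list is meant to apply to LDAP users as well, the pam_listfile line has to come before pam_ldap. The function below is an added example, not from the post and not Linux-PAM code: it walks a stack of control:result pairs with the required/sufficient rules Linux-PAM applies, so the effect of an ordering can be checked on paper. The include system-auth line is reduced to a single required entry whose result stands in for the whole included file, which is a simplification.

```sh
#!/bin/sh
# pam_auth_stack "control:result" ...
# Walks an auth stack the way Linux-PAM does for the two controls used above:
#   required   : a failure is remembered, later modules still run, and the
#                final result is failure
#   sufficient : success returns "success" immediately unless a required
#                module failed earlier; failure is simply ignored
# Each argument is <required|sufficient>:<ok|fail>, the result the module
# would return for the user being authenticated. Prints success/fail and
# returns 0/1.
pam_auth_stack() {
    failed=0
    for entry in "$@"; do
        control=${entry%%:*}
        result=${entry#*:}
        case "$control:$result" in
            required:ok)     ;;
            required:fail)   failed=1 ;;
            sufficient:ok)   if [ "$failed" -eq 0 ]; then echo success; return 0; fi ;;
            sufficient:fail) ;;
            *) echo "pam_auth_stack: bad entry '$entry'" >&2; return 2 ;;
        esac
    done
    if [ "$failed" -eq 0 ]; then echo success; return 0; fi
    echo fail
    return 1
}

# The sshd stack above, in order: pam_ldap (sufficient), pam_listfile
# (required), system-auth (required, standing in for the included file).
# For an LDAP-only user who is listed in /etc/ssh/denyusers: pam_ldap says ok,
# pam_listfile would say fail, system-auth would fail (no local password).
sshd_as_written()     { pam_auth_stack sufficient:ok required:fail required:fail; }

# Same user, with the pam_listfile line moved ahead of pam_ldap.
sshd_listfile_first() { pam_auth_stack required:fail sufficient:ok required:fail; }

# A local user: pam_ldap fails, not in the deny list, system-auth ok.
sshd_local_user()     { pam_auth_stack sufficient:fail required:ok required:ok; }

# An unknown user: pam_ldap fails, not in the deny list, system-auth fails.
sshd_unknown_user()   { pam_auth_stack sufficient:fail required:ok required:fail; }

# Stand-alone run.
echo "denied LDAP user, stack as written:  $(sshd_as_written)"
echo "denied LDAP user, listfile first:    $(sshd_listfile_first)"
echo "local user:                          $(sshd_local_user)"
echo "unknown user:                        $(sshd_unknown_user)"
```

The same reasoning applies to the proftpd stack below, where the deny list is /etc/ftpusers: with pam_ldap first and sufficient, an LDAP account named in that file is still let in.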


I also updated the file /etc/pam.d/proftpd to enable LDAP authentication for proftpd:
#%PAM-1.0

auth sufficient pam_ldap.so
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth include system-auth

account sufficient pam_ldap.so
account include system-auth

session sufficient pam_ldap.so
session include system-auth


The following are included in the file /etc/nsswitch.conf:
passwd: ldap files
shadow: files ldap
group: ldap files

Note: If a user has an entry in both LDAP and /etc/passwd, the command getent passwd | grep username returns two entries. Use the command id username to return the corresponding user entry including the group membership.
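
The check in the note above, as an added example that is not part of the post: given getent passwd output it lists account names that appear in more than one source, and numeric UIDs shared by differently named accounts. The second check is worth running with passwd: ldap files, because an LDAP entry carrying uid 0 is as much root on the box as the root line in /etc/passwd, and with ldap listed first a name lookup such as id alice resolves to the LDAP entry before the local one. The sample output is constructed.

```sh
#!/bin/sh
# Constructed sample of "getent passwd" with "passwd: ldap files": the LDAP
# entries come first, then /etc/passwd. "alice" exists in both sources (with
# different uids) and the LDAP entry "backup" reuses uid 0.
GETENT_SAMPLE='alice:x:10001:10001:Alice (LDAP):/home/alice:/bin/bash
bob:x:10002:10001:Bob (LDAP):/home/bob:/bin/bash
backup:x:0:0:LDAP account with uid 0:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice (local):/home/alice:/bin/bash'

# duplicate_names < passwd-output
# Prints each user name that appears more than once, one per line.
duplicate_names() {
    cut -d: -f1 | sort | uniq -d
}

# uid_collisions < passwd-output
# Prints "<uid> <name> <name>..." for every numeric uid shared by accounts
# with different names (the same name twice, as for alice, is not a collision).
uid_collisions() {
    awk -F: '
        !seen[$3 SUBSEP $1]++ { names[$3] = names[$3] " " $1 }
        END { for (u in names) if (split(names[u], a, " ") > 1) print u names[u] }
    ' | sort -n
}

# Stand-alone run; on a real system replace the sample with: getent passwd | ...
echo "names present in more than one source:"
printf '%s\n' "$GETENT_SAMPLE" | duplicate_names
echo "uids shared by differently named accounts:"
printf '%s\n' "$GETENT_SAMPLE" | uid_collisions
```

Both functions read the passwd stream from stdin so they can be pointed at getent passwd on the live system or at a saved copy from another host.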

The following items are changed in the file /etc/ldap.conf:
host
base
binddn
bindpw
scope sub
pam_filter objectClass=posixAccount
pam_login_attribute uid
ssl off
#default objectclass posixAccount and attribute uid
nss_base_passwd
nss_base_shadow
#default objectclass posixGroup and attribute cn
nss_base_group
nss_base_hosts


The above two files can also be modified by running the command drakauth.

The nss_updatedb utility maintains a local cache of network directory user and group information. Used in conjunction with the pam_ccreds module, it provides a mechanism for disconnected use of network directories. I have the following lines in the file /etc/sysconfig/nss_updatedb:
NSS_SERVICE=ldap
ONLY_LOGGED_USERS=yes

Ref: LDAP Authentication HOWTO