
OPENBSD AS A PRIMARY DOMAIN CONTROLLER

http://www.kernel-panic.it

2. OpenLDAP
OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol. It will allow us to create a central repository for information about domain users, groups and computers, and make this information available to Samba (and any other LDAP-aware services) for authentication, authorization and management purposes.

2.1 The LDAP protocol

The Lightweight Directory Access Protocol (LDAP) is a networking protocol for accessing X.500-based directory services. A directory is a specialized database optimized for reading, browsing and searching and supports sophisticated filtering capabilities ([OLDAP]). Similarly to the Unix file system or the Domain Name System, the structure of this database is a hierarchical inverted tree, with the root at the top; for example:

As in the above picture, the topmost levels of the LDAP tree are often arranged based upon domain names, thus allowing for directory services to be located using the Domain Name System. Each node in the LDAP tree is called an entry and is uniquely identified by its Distinguished Name (DN), which is made up of the name of the entry itself (called the Relative Distinguished Name, RDN, usually derived from some attribute in the entry), comma-concatenated to the names of its parent entries. For instance, the DN of the entry highlighted in the following picture:

is made up of the sequence "uid=Danix", "ou=Users", "dc=kernel-panic" and "dc=it", and is therefore written as "uid=Danix,ou=Users,dc=kernel-panic,dc=it" (see [RFC4514] for a full description of the DN format). An entry consists of a set of attributes; each attribute has a name (or type) and one or more values. The name is typically a mnemonic string, like "dc" for "Domain Component" or "cn" for "Common Name", and determines the syntax of the corresponding value. ObjectClasses define the attribute structure of an LDAP entry, i.e. which attributes must and which may be present in a specific LDAP entry. Both ObjectClasses and Attributes are defined within Schemas. Though LDAP is a binary protocol, entries can be represented in a human-readable format by using the LDIF format; for example:
dn: uid=danix,ou=Users,dc=kernel-panic,dc=it
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: Daniele Mazzocchio
sn: Mazzocchio
givenName: Daniele
uid: Danix
uidNumber: 2000
gidNumber: 513
homeDirectory: /home/danix
loginShell: /bin/ksh
gecos: Daniele Mazzocchio
structuralObjectClass: inetOrg

[...]
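As an added example (not part of the original article), the following Python script parses LDIF records such as the one above into Python data and checks an entry against the MUST attribute lists of posixAccount (RFC 2307) and sambaSamAccount (samba.schema). The sample record is constructed from the visible attributes of the entry above, plus a base64-encoded "description::" line added here to exercise the "::" form. Since the page elides the rest of the entry, the check reports sambaSID as missing, which is exactly what a sanity check run before an import should catch.

```python
import base64

# Constructed sample: the visible attributes of the entry above, plus one
# base64-encoded value ("attr:: value") added here to exercise that form.
SAMPLE_LDIF = """\
dn: uid=danix,ou=Users,dc=kernel-panic,dc=it
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: Daniele Mazzocchio
sn: Mazzocchio
givenName: Daniele
uid: Danix
uidNumber: 2000
gidNumber: 513
homeDirectory: /home/danix
loginShell: /bin/ksh
gecos: Daniele Mazzocchio
description:: RGFuaWVsZSBNYXp6b2NjaGlv
structuralObjectClass: inetOrgPerson
"""

# MUST attributes of the two objectClasses the entry relies on:
# posixAccount (RFC 2307) and sambaSamAccount (samba.schema)
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")
SAMBA_SAM_ACCOUNT_MUST = ("uid", "sambaSID")


def parse_ldif(text):
    """Parse LDIF (RFC 2849) into a list of (dn, attrs) pairs, where attrs maps
    each attribute name to the list of its values in file order."""
    # Unfold continuation lines (a leading space continues the previous line)
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():                 # a blank line ends a record
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):             # LDIF comment
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):            # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":                     # "dn:" starts a new record
            if current is not None:
                entries.append(current)
            current = (value, {})
        elif current is None:
            raise ValueError("attribute outside a record: %r" % line)
        else:
            current[1].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def missing_must(attrs, must):
    """Names from `must` that the entry lacks (an empty list means the MUST
    list of that objectClass is satisfied)."""
    return [a for a in must if a not in attrs]
```

Run it on an LDIF dump taken with ldapsearch (see the "-LL" invocation in chapter 4) to find entries that would be rejected by slapd's schema checking before you try to add them.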

LDAP queries can be represented by means of URLs, which allow you to specify the scope of the search and the search query, and to select which attributes to return. The syntax of an LDAP URL is:

ldap://[host[:port]]/[DN[?[attributes][?[scope][?[filter][?extensions]]]]]

Most of the URL components are optional:

host
    is the name or address of the LDAP server to query.
port
    is the network port the LDAP server is listening on (default is TCP port 389).
DN
    is the Distinguished Name to use as the base object of the LDAP search (default is the root DN).
attributes
    specifies which attributes should be returned from the entries (default is all attributes).
scope
    is the scope of the search to perform. Available scopes are "base" (default) for a base object search, "one" for a one-level search, or "sub" for a subtree search.
filter
    is the search filter to apply to entries within the specified scope during the search (default is "(objectClass=*)").
extensions
    are extensions to the LDAP URL format (default is no extensions).

For example, the following URL:

ldap://ldap.kernel-panic.it/uid=Danix,ou=Users,dc=kernel-panic,dc=it

refers to all attributes in a specific user entry, and a URL like:

ldap:///dc=kernel-panic,dc=it?sn?sub?(givenName=Daniele)

refers to the sn (surname) attribute of all entries with a givenName of "Daniele". For further details, please refer to [RFC4516].

2.2 Installation and configuration

Enough with the theory for now, and on to practice! OpenLDAP is available through OpenBSD's packages and ports system (note: unfortunately, the bdb flavor, providing support for the bdb and hdb backends, is marked as broken since OpenBSD 4.3).
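Before moving on to the packages, the URL grammar of section 2.1 in code: the following Python function is an added example (not from the original article) that splits an LDAP URL into its components and applies the defaults listed above (port 389, "base" scope, "(objectClass=*)" filter). It goes slightly beyond the two URLs shown in that it also accepts the ldaps scheme (default port 636, used later in this chapter) and IPv6 host literals; a host in square brackets is an assumption of this example and not something the article discusses.

```python
from urllib.parse import unquote

# Defaults given in the text for the components that may be omitted
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
DEFAULT_SCOPE = "base"
DEFAULT_FILTER = "(objectClass=*)"


def parse_ldap_url(url):
    """Split an LDAP URL (RFC 4516) into its components and fill in the
    defaults for the parts that were left out. Raises ValueError on URLs
    that do not follow the grammar."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, rest = rest.partition("/")
    # After the DN come up to four "?"-separated fields:
    # attributes, scope, filter, extensions. More than that is a syntax error.
    fields = rest.split("?")
    if len(fields) > 5:
        raise ValueError("too many '?' components in %r" % url)
    fields += [""] * (5 - len(fields))
    dn, attrs, scope, filt, exts = fields
    host, port = hostport, DEFAULT_PORTS[scheme]
    if hostport.startswith("["):                # IPv6 literal, e.g. [::1]:389
        host, _, tail = hostport.partition("]")
        host += "]"
        if tail.startswith(":"):
            port = int(tail[1:])
    elif ":" in hostport:
        host, portstr = hostport.rsplit(":", 1)
        port = int(portstr)
    scope = scope or DEFAULT_SCOPE
    if scope not in ("base", "one", "sub"):
        raise ValueError("invalid scope %r (expected base, one or sub)" % scope)
    return {
        "scheme": scheme,
        "host": host or None,                   # None: the client's default server
        "port": port,
        "dn": unquote(dn),                      # "" means the root DSE
        "attributes": [a for a in unquote(attrs).split(",") if a] or None,  # None: all
        "scope": scope,
        "filter": unquote(filt) or DEFAULT_FILTER,
        "extensions": [e for e in exts.split(",") if e],
    }
```

The function is strict on purpose: a scope other than the three the text names, or a fifth "?" field, raises instead of being silently ignored, which is the behaviour you want from anything that builds search requests out of externally supplied URLs.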

cyrus"sasl" . . .tg$ openldap"client" . . .tg$ openldap"server" . . .tg$

And the installation is over! OpenLDAP configuration files are stored in /etc/openldap. Client-side configuration is contained in the ldap.conf(5) file; below is a sample configuration file:

/etc/openldap/ldap.conf

# URI of the LDAP server to which the LDAP library should connect
URI             ldap://ldap.kernel-panic.it
# The default base DN to use when performing LDAP operations
BASE            dc=kernel-panic,dc=it
# Size limit to use when performing searches
SIZELIMIT       12
# Time limit to use when performing searches
TIMELIMIT       15
# Never dereference aliases
DEREF           never

The slapd.conf(5) file provides configuration information for the Standalone LDAP Daemon, slapd(8C):

/etc/openldap/slapd.conf

# Include the necessary schema files. core.schema is required by default; the
# other ones are needed for sambaSamAccount. The samba.schema file can be found
# here and must be copied in /etc/openldap/schema/.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema
# Absolute path to the PID file
pidfile         /var/run/openldap/slapd.pid
# Absolute path to the file that will hold slapd's command line options
argsfile        /var/run/openldap/slapd.args

# Type of database backend
database        ldbm
# DN suffix of queries that will be passed to this backend database
suffix          "dc=kernel-panic,dc=it"
# Database directory
directory       /var/openldap-data
# The Distinguished Name of the administrator of this database
rootdn          "cn=Manager,dc=kernel-panic,dc=it"
# Password (or password hash) for the rootdn. Clear-text passwords are allowed
# but strongly discouraged; the password hash can be generated using the
# slappasswd(8C) command, e.g.:
#   # slappasswd
#   New password: <password>
#   Re-enter new password: <password>
#   {SSHA}<hash>
rootpw          {SSHA}<hash produced by slappasswd>
# Maintain indices on the most useful attributes to speed up searches made on
# the sambaSamAccount, posixAccount and posixGroup objectClasses
index objectClass               eq
index cn                        pres,sub,eq
index sn                        pres,sub,eq
index uid                       pres,sub,eq
index displayName               pres,sub,eq
index uidNumber                 eq
index gidNumber                 eq
index memberUid                 eq
index sambaSID                  eq
index sambaPrimaryGroupSID      eq
index sambaDomainName           eq
index default                   sub
# Access control configuration. The rootdn can always read and write everything
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by anonymous auth
        by self write
        by * none
access to *
        by self write
        by * read

We can use the slaptest(8C) command to check the validity of our slapd.conf(5) file:

# install -d -o _openldap /var/run/openldap
# slaptest -u
config file testing succeeded
#

The slapd.conf(5) file, containing the rootpw password, should have restrictive permissions:

# chgrp _openldap /etc/openldap/slapd.conf
# chmod 640 /etc/openldap/slapd.conf

Ok, now everything should be ready for starting slapd(8C). The first time you may want to invoke it with the "-d" option to turn on debugging and keep the daemon in the foreground, to immediately notice any error:

# /usr/local/libexec/slapd -4 -d 256 -u _openldap -g _openldap
[...]
slapd starting

You can check that everything is running correctly by issuing the ldapsearch(1) command:

# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=kernel-panic,dc=it

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
#

If everything is working fine, we can configure the system to start slapd(8C) on boot, by adding the following line (containing the command line arguments) to /etc/rc.conf.local(8):

/etc/rc.conf.local

slapd_flags="-4 -u _openldap -g _openldap"

and the following commands to /etc/rc.local(8):

/etc/rc.local

if [ "$slapd_flags" != "NO" -a -x /usr/local/libexec/slapd ]; then
        echo -n ' slapd'
        install -d -o _openldap /var/run/openldap
        /usr/local/libexec/slapd $slapd_flags
fi

2.3 LDAP over TLS/SSL

OpenLDAP comes with built-in support for the TLS/SSL protocols to provide integrity and confidentiality to LDAP connections by means of public-key cryptography. Enabling TLS/SSL will prevent traffic from traveling in the clear over the network, thus protecting users' passwords from eavesdroppers.

2.3.1 Setting up the PKI

TLS relies on public key certificates for authentication and therefore requires that you first set up a basic Public Key Infrastructure (PKI) for managing digital certificates. As a preliminary step, we will create the directories where certificates will be stored:

# install -m 700 -d /etc/openldap/ssl/private

The first step in setting up the PKI is the creation of the root CA certificate (/etc/openldap/ssl/ca.crt) and private key (/etc/ssl/private/ca.key) using openssl(1):

# openssl req -days 3650 -nodes -new -x509 -keyout /etc/ssl/private/ca.key \
    -out /etc/openldap/ssl/ca.crt
[...]
Country Name (2 letter code) []: IT
State or Province Name (full name) []: Italy
Locality Name (eg, city) []: Milan
Organization Name (eg, company) []: Kernel Panic Inc.
Organizational Unit Name (eg, section) []: LDAP CA
Common Name (eg, fully qualified host name) []: ca.lan.kernel-panic.it
Email Address []: <Enter>
#

The next step is the creation of the private key (/etc/openldap/ssl/private/server.key) and Certificate Signing Request (/etc/openldap/ssl/private/server.csr) for the server:

# openssl req -days 3650 -nodes -new -keyout /etc/openldap/ssl/private/server.key \
    -out /etc/openldap/ssl/private/server.csr
[...]
Country Name (2 letter code) []: IT
State or Province Name (full name) []: Italy
Locality Name (eg, city) []: Milan
Organization Name (eg, company) []: KP Inc.
Organizational Unit Name (eg, section) []: LDAP Server
Common Name (eg, fully qualified host name) []: ldap.kernel-panic.it
Email Address []: <Enter>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <Enter>
An optional company name []: <Enter>
#

Finally, the CA will generate the signed certificate out of the certificate request:

# openssl x509 -req -days 3650 -in /etc/openldap/ssl/private/server.csr \
    -out /etc/openldap/ssl/server.crt -CA /etc/openldap/ssl/ca.crt \
    -CAkey /etc/ssl/private/ca.key -CAcreateserial
Signature ok
subject=/C=IT/ST=Italy/L=Milan/O=Kernel Panic Inc./OU=LDAP Server/CN=ldap.kernel-panic.it
Getting CA Private Key
#

You can generate the client certificate by repeating the last two steps:

# openssl req -days 3650 -nodes -new -keyout /etc/openldap/ssl/private/client.key \
    -out /etc/openldap/ssl/private/client.csr
[...]
Country Name (2 letter code) []: IT
State or Province Name (full name) []: Italy
Locality Name (eg, city) []: Milan
Organization Name (eg, company) []: KP Inc.
Organizational Unit Name (eg, section) []: LDAP Client
Common Name (eg, fully qualified host name) []: ldap.kernel-panic.it
Email Address []: <Enter>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <Enter>
An optional company name []: <Enter>
# openssl x509 -req -days 3650 -in /etc/openldap/ssl/private/client.csr \
    -out /etc/openldap/ssl/client.crt -CA /etc/openldap/ssl/ca.crt \
    -CAkey /etc/ssl/private/ca.key
Signature ok
subject=/C=IT/ST=Italy/L=Milan/O=Kernel Panic Inc./OU=LDAP Client/CN=ldap.kernel-panic.it
Getting CA Private Key
#

As a finishing touch, we need to assign restrictive permissions to the private keys, in order to prevent unauthorized access:

# chown -R _openldap:_openldap /etc/openldap/ssl/private
# chmod 600 /etc/openldap/ssl/private/*

2.3.2 OpenLDAP configuration

Configuring the slapd(8C) daemon for TLS operation simply requires that you add a few lines to slapd.conf(5), right after the rootpw parameter, containing the cipher suites to accept and the paths to the certificates:

/etc/openldap/slapd.conf

# TLS configuration
TLSCipherSuite          HIGH:MEDIUM:+SSLv3
TLSCACertificateFile    /etc/openldap/ssl/ca.crt
TLSCertificateFile      /etc/openldap/ssl/server.crt
TLSCertificateKeyFile   /etc/openldap/ssl/private/server.key

In the client configuration file, ldap.conf(5), you have to change the URI scheme to "ldaps" and specify the path to the CA certificate and the acceptable cipher suites:

/etc/openldap/ldap.conf

[...]
URI             ldaps://ldap.kernel-panic.it

# TLS configuration
TLS_CACERT          /etc/openldap/ssl/ca.crt
TLS_CIPHER_SUITE    HIGH:MEDIUM:+SSLv3

As a final step, add the "-h ldaps:///" option to the slapd(8C) command line arguments to make the daemon listen only for LDAP over TLS on TCP port 636:

/etc/rc.conf.local

# Only listen for LDAP over TLS (port 636)
slapd_flags="-4 -u _openldap -g _openldap -h ldaps:///"

and restart slapd(8C).

3. A bit of Samba
Samba is an Open Source software suite that, since 1992, has provided secure, stable and fast file and print services for all clients using the SMB/CIFS protocol, such as all versions of DOS and Windows, OS/2, Linux and many others. It will allow us to turn our OpenBSD server into a Primary Domain Controller and file server, able to interoperate with Windows-based client machines.

3.1 Installation and configuration


We can install most of the required software from the pre-compiled packages:

libiconv-x.x.x.tgz
popt-x.x.tgz
gettext-x.x.tgz
pcre-x.x.tgz
glib2-x.x.x.tgz
desktop-file-utils-x.x.tgz
xdg-utils-x.x.x.tgz
jpeg-x.tgz
png-x.x.x.tgz
tiff-x.x.x.tgz
gdbm-x.x.x.tgz
libdaemon-x.x.tgz
lzo-x.x.tgz
libgpg-error-x.x.tgz
libgcrypt-x.x.x.tgz
libtasn1-x.x.tgz
gnutls-x.x.x.tgz
dbus-x.x.x.tgz
avahi-x.x.x.tgz
cups-x.x.x.tgz
libutf8-x.x.tgz

but we will compile Samba from the ports, because the antivirus module requires the Samba source code to successfully compile (of course feel free to install the pre-compiled package, samba-x.x.x-cups-ldap.tgz, if you don't need antivirus support).

# cd /usr/ports/net/samba
# env FLAVOR="cups ldap" make install
[...]

Most of Samba configuration takes place in the /etc/samba/smb.conf(5) file. It is an INI-formatted file, made up of multiple sections, each beginning with the name of a shared resource (except for the "[global]" section) and containing a variable number of parameters, in the form "name = value". Each parameter has a default value which will be retained if the parameter is omitted. There are three special sections:

[global]
    defines global parameters and default values for the other sections;
[homes]
    allows on-the-fly creation of home directories for users connecting to the server;
[printers]
    allows users to connect to any printer specified in the local host's /etc/printcap(5) file.

Lines beginning with a semicolon (";") or hash ("#") character are treated as comments; parameters may span across multiple lines using a back-slash ("\"). Below is a sample configuration file:

/etc/samba/smb.conf

################################################################################
# Parameters in the [global] section apply to the server as a whole, or are    #
# defaults for sections that do not specifically define certain items          #
################################################################################
[global]
# Domain name to use
workgroup = KERNEL-PANIC
# String that will appear in browse lists next to the machine name
server string = Samba Server
# Set the Samba server to user-level security (more details on security modes
# can be found here)
security = user
# List of hosts permitted to access Samba services
hosts allow = 172.16.0. 127.
# Negotiate encrypted passwords with the clients
encrypt passwords = yes
# Use a separate log file for each machine that connects
log file = /var/log/samba/smbd.%m
# Maximum size, in KB, of the log files
max log size = 1024
# Select the backend(s) to retrieve and store passwords with. The LDAP URL is
# optional and defaults to 'ldap://localhost' (set the URI scheme to 'ldaps' if
# you're using LDAP over TLS/SSL)
passdb backend = ldapsam:ldap://ldap.kernel-panic.it
# Avoid substituting %-macros in the passdb fields
passdb expand explicit = no
# File containing the mapping of Samba users to local Unix users
username map = /etc/samba/smbusers
# This socket option should give better performance
socket options = TCP_NODELAY
# Allow nmbd(8) to try to become the local master browser
local master = yes
# Tell Samba to be the Domain Master Browser for its workgroup
domain master = yes
# A domain controller must have the 'os level' set at or above a value of 32
os level = 33
# Make nmbd(8) force a local browser election on startup, also giving it a
# slightly higher chance of winning the election
preferred master = yes
# A domain controller must provide the network logon service
domain logons = yes
# Uncomment the following parameter to disable roaming profiles
# logon path =
# Name of an (optional) logon script (you can make it user-specific with '%U').
# The script must be in DOS format
logon script = netlogon.bat
# Make nmbd(8) act as a WINS server
wins support = yes
# Try to resolve NetBIOS names via DNS lookups
dns proxy = yes
# LDAP options
ldap suffix = dc=kernel-panic,dc=it
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=kernel-panic,dc=it
ldap ssl = no
ldap passwd sync = Yes
# Range of user and group ids allocated for mapping UNIX users to NT user SIDs
idmap uid = 2000-4000
idmap gid = 2000-4000
# Scripts to run when managing users with remote RPC (NT) tools
add user script = /usr/local/sbin/smbldap-useradd -a -g 512 -m %u
add group script = /usr/local/sbin/smbldap-groupadd %g
add machine script = /usr/local/sbin/smbldap-useradd -w -g 515 %u
delete user script = /usr/local/sbin/smbldap-userdel -r %u
delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
delete group script = /usr/local/sbin/smbldap-groupdel -r %g

################################################################################
# Users' home directories. If no path is specified, the path is set to the     #
# (Unix) user's home directory (typically '/home/<username>')                  #
################################################################################
[homes]
comment = Home Directories
browseable = no
writable = yes

################################################################################
# The netlogon service allows you to specify the path to the logon scripts    #
################################################################################
[netlogon]
comment = Share for logon scripts
path = /var/netlogon
read only = yes
write list = @"Domain Admins"
browseable = no

################################################################################
# Shares definitions. The name of a section corresponds to the name of the     #
# shared resource. The following are just some examples, feel free to modify   #
# them according to your needs.                                                #
################################################################################
# A temporary directory for people to share files
[tmp]
comment = Temporary file space
path = /tmp
read only = no
public = yes

# A publicly accessible directory, but read only, except for people in the
# "staff" group
[public]
comment = Public Stuff
path = /home/samba
public = yes
writable = yes
write list = @staff

# Define a share accessible only to a selected group of users. This directory
# should be writable by both users and should have the sticky bit set on it to
# prevent abuse
[myshare]
comment = Mary's and Fred's stuff
path = /usr/somewhere/shared
valid users = mary fred
public = no
writable = yes
create mask = 0660
directory mask = 1770

# A service pointing to a different directory for each user that connects.
# %U gets replaced with the user name (in lower case) that is connecting
[private]
comment = User data
path = /var/data/%U
valid users = %U
public = no
writable = yes

Now we need to create the file containing the mapping of Samba users to local Unix users, /etc/samba/smbusers. In particular, we need to map the Domain Administrator user to root, in order to grant it the privileges it will need to manage the domain.

/etc/samba/smbusers

root = administrator

We can test our configuration by running the testparm(1) command:

# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[tmp]"
Processing section "[public]"
Processing section "[myshare]"
Processing section "[private]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
[...]

The last step is telling Samba the password to use to bind to the LDAP server (i.e. the (unencrypted) value of the rootpw parameter in slapd.conf(5)). Samba will store that password in /etc/samba/secrets.tdb:

# smbpasswd -w <password>
Setting stored password for "cn=Manager,dc=kernel-panic,dc=it" in secrets.tdb

Now we can configure the system to start Samba on boot by adding a couple of variables to the /etc/rc.conf.local(8) file:

/etc/rc.conf.local

smbd_flags="-D"
nmbd_flags="-D"

and the appropriate startup commands to /etc/rc.local(8):

/etc/rc.local

if [ "$smbd_flags" != "NO" -a -x /usr/local/libexec/smbd ]; then
        echo -n ' smbd'
        /usr/local/libexec/smbd $smbd_flags
fi
if [ "$nmbd_flags" != "NO" -a -x /usr/local/libexec/nmbd ]; then
        echo -n ' nmbd'
        /usr/local/libexec/nmbd $nmbd_flags
fi

Finally, we are ready to start Samba, though it will be pretty useless until the LDAP database has been populated; so that's what we're going to do in the next chapter.

# mkdir /var/log/samba
# /usr/local/libexec/smbd -D
# /usr/local/libexec/nmbd -D

4. The IDX-smbldap-tools
mbldap"tools is a set of perl scripts designed to manage user and group accounts stored in an LDAP directory. %hese scripts will make our lives much easier by providing a set of simple commands for carrying out the most common user administration tasks, thus saving

us from dealing with the internals of LDAP and making managing amba users almost as easy as managing normal system users. Please note that, though amba account information will be stored in LDAP, s!bd2<3 will still obtain the userBs +-I& account information via the standard 5 library calls, such as getpwnam!#!see documentation#, which donBt natively support LDAP. %his means weBll also need to configure the +pldap2<3 daemon, which will act as an interface between LDAP and Open8 DBs authentication routines. (.1 Con!i"#ration %he smbldap"tools re1uire the installation of 1uite a few perl modules/

p'"Gcode" . .tg$ p'"+nicode" tring" . .tg$ p'"+nicode":ap<" . .tg$ p'"+nicode":ap" . .tg$ p'"+nicode":ap+%3<" . .tg$ p'"5onvert"A -7" . .tg$ p'"Digest" HA7" . .tg$ p'"Digest"H:A5" . .tg$ p'"I p'"-et" API" . .tg$ Leay" . .tg$ L" . .tg$ p'"Authen" A L" . .tg$ p'"IO" ocket"

p'"&:L"Parser" . .tg$ p'"&:L" A&"Driter" . .tg$ p'"&:L" A&" . .tg$ p'"&:L"-amespace upport" . p'"%e,t"Iconv" . p'"&:L"3ilter"8uffer%e,t" . p'"+2I" . .tg$ p'"ldap" . .tg$ p'"5rypt" mbHash" . .tg$

smbldap"tools" . . .tg$

The /etc/smbldap-tools/smbldap_bind.conf file contains the parameters to connect to the LDAP server; they should match the rootdn and rootpw parameters in /etc/openldap/slapd.conf. Make sure this file has restrictive permissions (600) to protect the passwords from unauthorized access.

/etc/smbldap-tools/smbldap_bind.conf

slaveDN="cn=Manager,dc=kernel-panic,dc=it"
slavePw="password"
masterDN="cn=Manager,dc=kernel-panic,dc=it"
masterPw="password"

Before editing the next configuration file, we need to retrieve the SID for the domain:

# net getlocalsid
SID for domain SAMBA is: S-1-5-21-2855447605-3248580512-2157288933

The /etc/smbldap-tools/smbldap.conf file allows you to set global parameters that will be readable by everybody.

/etc/smbldap-tools/smbldap.conf

# SID and domain name
SID="S-1-5-21-2855447605-3248580512-2157288933"
sambaDomain="KERNEL-PANIC"

# LDAP servers and ports (if you're using LDAP over TLS/SSL, set the URI schemes
# to 'ldaps' and the ports to '636')
slaveLDAP="ldap://ldap.kernel-panic.it"
slavePort="389"
masterLDAP="ldap://ldap.kernel-panic.it"
masterPort="389"

# TLS configuration (set ldapTLS to '1' to enable TLS)
ldapTLS="0"
verify="none"
cafile="/etc/openldap/ssl/ca.crt"
clientcert="/etc/openldap/ssl/client.crt"
clientkey="/etc/openldap/ssl/private/client.key"

# LDAP configuration
suffix="dc=kernel-panic,dc=it"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=KERNEL-PANIC,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"

# Unix accounts configuration
userLoginShell="/bin/ksh"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"

# Samba configuration
userSmbHome=""
userProfile=""
userHomeDrive="H:"
userScript="logon.bat"
mailDomain="kernel-panic.it"

# smbldap-tools configuration
with_smbpasswd="0"
smbpasswd="/usr/local/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/local/sbin/slappasswd"

(.2 Pop#latin" the LDAP ata)ase -ow we can create the structure of the LDAP tree by inserting the base entries in the database. the s!bldap-populate script will take care of everything for us/
L /usr/local/sbin/smbldap-populate Populating 9DAP director+ 1or do!ain C74%79-PA%5C 2"-)-(-&)&<((BBDG'(-*&B<(<'()&-&)(D&<<X**3 2using builtin director+ structure3 adding adding adding adding adding adding adding adding adding adding adding adding adding adding adding adding adding ne ne ne ne ne ne ne ne ne ne ne ne ne ne ne ne ne entr+: entr+: entr+: entr+: entr+: entr+: entr+: entr+: entr+: entr+: entr+: entr+: entr+: entr+: entr+: entr+: entr+: dc=kernel-panic,dc=it ou=Users,dc=kernel-panic,dc=it ou=Hroups,dc=kernel-panic,dc=it ou=Co!puters,dc=kernel-panic,dc=it ou=5d!ap,dc=kernel-panic,dc=it uid=root,ou=Users,dc=kernel-panic,dc=it uid=nobod+,ou=Users,dc=kernel-panic,dc=it cn=Do!ain Ad!ins,ou=Hroups,dc=kernel-panic,dc=it cn=Do!ain Users,ou=Hroups,dc=kernel-panic,dc=it cn=Do!ain Huests,ou=Hroups,dc=kernel-panic,dc=it cn=Do!ain Co!puters,ou=Hroups,dc=kernel-panic,dc=it cn=Ad!inistrators,ou=Hroups,dc=kernel-panic,dc=it cn=Account Operators,ou=Hroups,dc=kernel-panic,dc=it cn=Print Operators,ou=Hroups,dc=kernel-panic,dc=it cn=6ackup Operators,ou=Hroups,dc=kernel-panic,dc=it cn=4eplicators,ou=Hroups,dc=kernel-panic,dc=it sa!baDo!ain%a!e=C74%79-PA%5C,dc=kernel-panic,dc=it

Please pro$ide a pass ord 1or the do!ain root: Changing U%5E and sa!ba pass ords 1or root %e pass ord: <ad in!passwd> 4et+pe ne pass ord: <ad in!passwd> L

The last step of the above command doesn't actually change the UNIX password for the root account: it only sets the password for the domain administrator (in LDAP). You can test that the database now contains the base entries by running the ldapsearch(1) command; you can get an LDIF dump of the users defined in the LDAP database by running:

# ldapsearch -x -LL -b 'ou=Users,dc=kernel-panic,dc=it' -s sub
version: 1

dn: ou=Users,dc=kernel-panic,dc=it
objectClass: top
objectClass: organizationalUnit
ou: Users

[...]

In addition to the default groups created by smbldap-populate, you may also want to define some additional groups, e.g.:

# smbldap-groupadd -g 1500 Accounting
[...]

Now we need to create the appropriate user for every computer that will need to connect to Samba (the "$" sign at the end of each name is mandatory):

# smbldap-useradd -w -u 3000 computer1$
# smbldap-useradd -w -u 3001 computer2$
[...]

Finally, we can create the actual Samba users; each user will have a home directory that will be automatically connected as drive "H:" at logon:

# smbldap-useradd -a -u 2000 -g 512 -G 513 -N Daniele -S Mazzocchio \
    -c "Daniele Mazzocchio" danix
# smbpasswd -a danix
New SMB password: password
Retype new SMB password: password
#

Now we can (re)start the Samba processes:

# pkill smbd
# /usr/local/libexec/smbd -D
# /usr/local/libexec/nmbd -D

Don't forget to assign the correct permissions and ownerships to the Samba shares.

4.3 Configuring ypldap(8)

YP(8) is a directory service originally developed by Sun Microsystems which, long before LDAP, allowed network management of password, group and hosts file entries. Starting with release 4.5, OpenBSD provides an additional YP daemon, ypldap(8), which uses LDAP as a backend in place of the traditional db(3) database.

Since YP is the only directory service that can be accessed directly using standard C-library functions like getpwent(3), getgrent(3), gethostbyname(3) and so on [FAQ10], it will act as an interface between the system's authentication routines (used by smbd(8)) and the LDAP directory. As a first step in configuring the YP subsystem, we will set the YP domain of the host, which is an arbitrary string identifying the hosts that share (part of) their system configuration data through YP (and has nothing to do with Samba or DNS domains); the YP domain for a host is set with domainname(1) and can be made permanent across reboots by putting it into the file /etc/defaultdomain(5):

# domainname kernel-panic.it
# echo "kernel-panic.it" > /etc/defaultdomain

Before initializing the YP server, you may want to edit /var/yp/Makefile.yp in order to create only the necessary YP maps, by modifying the "all" target:

/var/yp/Makefile.yp

all: passwd group netid

Now we are ready to initialize the YP server as a master by issuing the ypinit(8) command:

# ypinit -m
Server Type: MASTER Domain: kernel-panic.it
Creating an YP server will require that you answer a few questions.
Questions will all be asked at the beginning of the procedure.
Do you want this procedure to quit on non-fatal errors? [y/n: n]  <Enter>
Ok, please remember to go back and redo manually whatever fails.
If you don't, something might not work.

At this point, we have to construct a list of this domain's YP servers.
smb.kernel-panic.it is already known as master server.
Please continue to add any slave servers, one per line. When you are
done with the list, type a <control D>.
        master server   : smb.kernel-panic.it
        next host to add: ^D
The current list of NIS servers looks like this:
smb.kernel-panic.it

Is this correct? [y/n: y]  <Enter>
Building /var/yp/kernel-panic.it/ypservers...
smb.kernel-panic.it has been setup as an YP master server.
Edit /var/yp/kernel-panic.it/Makefile to suit your needs.
After that, run 'make' in /var/yp.
#

The default configuration file for ypldap(8) is /etc/ypldap.conf(5), which is made up of three sections: macros, global configuration settings and the declaration of one or more directories. Below is a sample configuration file:

/etc/ypldap.conf
# Macros
# Optional macros go here...

# Global settings
domain          "kernel-panic.it"
interval        3600
# Specify the maps that ypldap should provide
provide map     "passwd.byname"
provide map     "passwd.byuid"
provide map     "group.byname"
provide map     "group.bygid"

# Directory declaration
directory "ldap.kernel-panic.it" {
    binddn      "cn=Manager,dc=kernel-panic,dc=it"
    bindcred    "password"
    basedn      "ou=Users,dc=kernel-panic,dc=it"

    # passwd maps configuration
    passwd filter "(objectClass=posixAccount)"
    attribute name maps to "uid"
    fixed attribute passwd "*"
    attribute uid maps to "uidNumber"
    attribute gid maps to "gidNumber"
    attribute gecos maps to "gecos"
    attribute home maps to "homeDirectory"
    # LDAP users are not interactive system users
    fixed attribute shell "/sbin/nologin"
    fixed attribute change "0"
    fixed attribute expire "0"
    fixed attribute class "default"

    # group maps configuration
    group filter "(objectClass=posixGroup)"
    attribute groupname maps to "cn"
    fixed attribute grouppasswd "*"
    attribute groupgid maps to "gidNumber"
    list groupmembers maps to "memberUid"
}
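As an added example (not part of the original document), the following Python applies the "attribute ... maps to" and "fixed attribute" rules of the passwd block above to one LDAP entry and renders the line ypldap would serve; it makes visible that the LDAP userPassword is never exported, because the passwd field is fixed to "*". The rule excerpt and the LDAP entry are constructed here, and the hash value is a placeholder.

```python
import re
from typing import Dict, Tuple

# Constructed excerpt of the passwd rules from the ypldap.conf(5) sample above.
PASSWD_RULES = """
    attribute name maps to "uid"
    fixed attribute passwd "*"
    attribute uid maps to "uidNumber"
    attribute gid maps to "gidNumber"
    attribute gecos maps to "gecos"
    attribute home maps to "homeDirectory"
    fixed attribute shell "/sbin/nologin"
    fixed attribute change "0"
    fixed attribute expire "0"
    fixed attribute class "default"
"""

# Field order of a master.passwd(5) line; passwd(5) drops class/change/expire.
MASTER_FIELDS = ("name", "passwd", "uid", "gid", "class",
                 "change", "expire", "gecos", "home", "shell")
PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

MAP_RE = re.compile(r'^\s*attribute\s+(\w+)\s+maps\s+to\s+"([^"]*)"\s*$')
FIXED_RE = re.compile(r'^\s*fixed\s+attribute\s+(\w+)\s+"([^"]*)"\s*$')


def parse_rules(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each passwd field to ("attr", ldap_attribute) or ("fixed", literal)."""
    rules: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if m:
            rules[m.group(1)] = ("attr", m.group(2))
            continue
        m = FIXED_RE.match(line)
        if m:
            rules[m.group(1)] = ("fixed", m.group(2))
    return rules


def render(rules: Dict[str, Tuple[str, str]], entry: Dict[str, str],
           fields: Tuple[str, ...] = PASSWD_FIELDS) -> str:
    """Build the line for one LDAP entry; a missing mapped attribute raises KeyError."""
    values = []
    for field in fields:
        kind, what = rules[field]
        values.append(entry[what] if kind == "attr" else what)
    return ":".join(values)


# Constructed posixAccount entry for the user shown in the getent(1) output below.
DANIX = {"uid": "danix", "uidNumber": "2000", "gidNumber": "512",
         "gecos": "Daniele Mazzocchio", "homeDirectory": "/home/danix",
         "userPassword": "{SSHA}placeholder-hash"}
```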

Since it contains sensitive information, the ypldap.conf(5) file should have restrictive permissions (600); the "-n" flag of ypldap(8) allows you to check the configuration file for validity:

# chmod 600 /etc/ypldap.conf
# ypldap -n
configuration OK

To actually tell the system to include user and group accounts from the YP domain, we need to add the default YP markers to the passwd(5) and group(5) files:

# echo '+:*::::::::' >> /etc/master.passwd
# pwd_mkdb -p /etc/master.passwd
# echo '+:*::' >> /etc/group

Well, now we're ready to start all the required daemons! YP uses RPC(3) to communicate with clients, so it requires that the portmap(8) daemon be enabled. Also the ypbind(8) daemon is required for the server to use its own maps.

# portmap
# ypldap
# ypbind
Enabling yp client subsystem.
To disable: kill ypbind and remove /var/yp/binding
#

You can test that the system is correctly retrieving user information from the YP directory by using the getent(1) command:

# getent passwd
[ ... ]
danix:*:2000:512:Daniele Mazzocchio:/home/danix:/sbin/nologin
#

To automatically start the daemons on boot, add the following lines to the /etc/rc.conf.local(8) file:

/etc/rc.conf.local
portmap=YES
ypldap_flags=""

comment out the following lines in /etc/rc(8) (which would start ypserv(8) instead of ypldap(8)):

/etc/rc
#if [ -d /var/yp/`domainname` ]; then
#       # YP server capabilities needed...
#       echo -n ' ypserv';              ypserv ${ypserv_flags}
#       #echo -n ' ypxfrd';             ypxfrd
#fi
#
#if [ -d /var/yp/binding ]; then
#       # YP client capabilities needed...
#       echo -n ' ypbind';              ypbind
#fi

and add the following commands to /etc/rc.local(8), right after the startup of slapd(8C):

/etc/rc.local
if [ -d /var/yp/$(domainname) ]; then
        echo -n ' ypldap';              ypldap ${ypldap_flags}
        # Wait 5 seconds to fully initialize ypldap before starting ypbind
        sleep 5
fi
if [ -d /var/yp/binding ]; then
        echo -n ' ypbind';              ypbind
fi

Well, now we have a fully functional Primary Domain Controller: we can start joining computers to our fresh new domain and perform all the necessary tests! The next chapters will discuss a couple of additional features you may find very useful: antivirus support and printer shares.

5. Keeping viruses away with Samba-vscan

So we have a fully functional file server and primary domain controller now. However, you may want to add some nice additional features to it, such as antivirus support to detect and quarantine viruses in real time. Samba-vscan is a proof-of-concept module for Samba, which uses the VFS (virtual file system) features of Samba 2.2.x/3.0 to provide an on-access Samba anti-virus. Samba-vscan currently supports several antivirus products, including ClamAV, which we will use as the backend antivirus engine. We already discussed ClamAV installation and configuration in a previous document, so we won't dwell upon it now and I assume you already have a clamd daemon up and running on the file server itself or on another machine.

Compiling Samba-vscan requires the prior installation of the following packages:

autoconf-2.61p3.tgz
libmagic-x.x.tgz
gmake-x.x.tgz
bzip2-x.x.x.tgz

As a preliminary step, we will also need to "make proto" the Samba port; therefore, go to the /usr/ports/obj/samba/w-samba-x.x.x-cups-ldap/samba-x.x.x/source/ directory and edit the autogen.sh file, by replacing the first lines after the initial comments with:

/usr/ports/obj/samba/w-samba-x.x.x-cups-ldap/samba-x.x.x/source/autogen.sh
TESTAUTOHEADER="autoheader-2.61"
TESTAUTOCONF="autoconf-2.61"

Then, still from within that directory, run:

# ./autogen.sh
[ ... ]
# ./configure
[ ... ]
# make proto
[ ... ]

Now we are ready to download, extract and compile Samba-vscan:

# tar -zxvf samba-vscan-x.x.x.tar.gz
[ ... ]
# cd samba-vscan-x.x.x/
# env LDFLAGS="-L/usr/local/lib/" CPPFLAGS="-I/usr/local/include/" ./configure \
    --with-samba-source=/usr/ports/obj/samba/w-samba-x.x.x-cups-ldap/samba-x.x.x/source/
[ ... ]
# gmake clamav
[ ... ]
# cp vscan-clamav.so /usr/local/lib/samba/vfs/
# cp clamav/vscan-clamav.conf /etc/samba/

The configuration file for Samba-vscan (with ClamAV support) is named /etc/samba/vscan-clamav.conf:

/etc/samba/vscan-clamav.conf
[samba-vscan]
max file size = 10485760
verbose file logging = no
scan on open = yes
scan on close = yes
deny access on error = no
deny access on minor error = no
send warning message = yes
infected file action = nothing
quarantine directory = /var/clamav/quarantine/
quarantine prefix = vir-
max lru files entries = 100
lru file entry lifetime = 5
exclude file types =
scan archives = yes
clamd socket name = /var/clamav/clamd.sock
libclamav max files in archive = 1000
libclamav max archived file size = 10485760
libclamav max recursion level = 5
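Note that, as shipped above, the module fails open: with "deny access on error = no" a file is still served when clamd cannot be reached, and "infected file action = nothing" leaves a detected file in place. The following Python, an added example that is not part of the original document, parses a configuration in this format and reports those fail-open settings beside a fail-closed variant; the sample text is constructed here from the page's values.

```python
import configparser
from typing import Dict, List

# Constructed sample in the [samba-vscan] format shown above.
SAMPLE_CONF = """
[samba-vscan]
max file size = 10485760
scan on open = yes
scan on close = yes
deny access on error = no
deny access on minor error = no
infected file action = nothing
quarantine directory = /var/clamav/quarantine/
quarantine prefix = vir-
exclude file types =
scan archives = yes
clamd socket name = /var/clamav/clamd.sock
"""


def parse_vscan_conf(text: str) -> Dict[str, str]:
    """Return the [samba-vscan] section as a dict (configparser lowercases keys)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {k: v.strip() for k, v in cp["samba-vscan"].items()}


def fail_open_findings(conf: Dict[str, str]) -> List[str]:
    """Settings under which a file is served although it was not (or could not be) cleared."""
    def is_yes(key: str) -> bool:
        return conf.get(key, "no").lower() == "yes"

    findings = []
    if not is_yes("scan on open"):
        findings.append("scan on open = no: files reach clients before being scanned")
    if not is_yes("deny access on error"):
        findings.append("deny access on error = no: access is granted when the scan fails")
    if not is_yes("deny access on minor error"):
        findings.append("deny access on minor error = no: access is granted on minor scan errors")
    if conf.get("infected file action", "nothing").lower() == "nothing":
        findings.append("infected file action = nothing: detected files stay in place on the share")
    if not conf.get("clamd socket name"):
        findings.append("clamd socket name is empty: the module cannot reach clamd")
    return findings


def hardened(conf: Dict[str, str]) -> Dict[str, str]:
    """Copy of conf with the fail-open settings turned into fail-closed values."""
    fixed = dict(conf)
    fixed.update({"scan on open": "yes", "deny access on error": "yes",
                  "deny access on minor error": "yes",
                  "infected file action": "quarantine"})
    return fixed
```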

The last step is updating Samba configuration to include antivirus support by adding the following lines in each section corresponding to a share you want to protect against viruses, or in the [global] section if you want to protect all of your shares.

/etc/samba/smb.conf
vfs object = vscan-clamav
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

and reload Samba configuration:

# pkill -HUP smbd

6. Sharing printers with CUPS

The Common UNIX Printing System (CUPS) is software providing a portable printing layer for UNIX-based operating systems. It will allow us to turn the system into a printer server and share printers with Samba; though this is not a particularly difficult task, please be sure to closely follow this procedure to successfully export the printer(s) to Samba through the cupsaddsmb(8) command. You should already have installed CUPS as a dependency when adding the Samba package. CUPS configuration goes beyond the scope of this document, so please refer to the documentation for a detailed description of its features and options. The following configuration will refer to my own printer (a Dell 1600n Laser printer), so make sure to correctly configure your own printer(s) before proceeding to Samba configuration. The printers are defined in the /etc/cups/printers.conf(5) configuration file:

/etc/cups/printers.conf
<DefaultPrinter dp1600n>
Info Dell Laser Printer 1600n
Location Room 123
DeviceURI ipp://prn1.lan.kernel-panic.it/
State Idle
StateMessage Printer is idle
Accepting Yes
</Printer>

6.1 Getting the driver files

Now we have to retrieve the correct driver files. First, we need the Universal PostScript printer drivers for Windows from the Adobe website. You can download them here: select the installer for your language and install the drivers on a Windows machine. At the end of the installation, you should find the following files in the C:\WINDOWS\system32\spool\drivers\W32X86\3 folder:

PS5UI.DLL
PSCRIPT.HLP
PSCRIPT.NTF
PSCRIPT5.DLL

Now create the /usr/local/share/cups/drivers directory on the file server:

# mkdir /usr/local/share/cups/drivers/

and copy the above files into it (warning: on the file server, driver file names must be lowercase!). Next, we need to download the Windows CUPS drivers and extract and copy them to the drivers directory:

# tar -zxvf cups-windows-6.0-source.tar.gz
[ ... ]
# cd cups-windows-6.0/i386
# cp cups6.ini cupsui6.dll cupsps6.dll /usr/local/share/cups/drivers/

The last file you need to retrieve is the PPD file appropriate to your printer. Fortunately, if you can't find the file on the printer driver CD, Easy Software Products provides a huge collection of PPD files which includes support for the most common printers. Download the Linux file (portable format), extract it, look for the PPD file appropriate to your printer and copy it to /etc/cups/ppd/; for example:

# tar -zxvf printpro-4.5.12-linux-intel.tar.gz
[ ... ]
# tar -zxvf printpro-dell.ss
[ ... ]
# gunzip -c usr/share/cups/model/en/dp1600n.ppd.gz > /etc/cups/ppd/dp1600n.ppd

Please note that the PPD file has exactly the same name ("dp1600n") as the printer defined in /etc/cups/printers.conf(5) (plus the ".ppd" extension). If the two names differ, you may encounter problems when running the cupsaddsmb(8) command later.

6.2 Exporting printers to Samba

Now we can proceed to update Samba configuration by adding a few options to the [global] section and by defining a couple of additional sections:

/etc/samba/smb.conf
[global]
[ ... ]
load printers = yes
printing = cups
printcap name = cups
show add printer wizard = Yes
use client driver = No

[dp1600n]
comment = Dell Laser MFP 1600n
# Users must have write access to the spool directory
valid users = root @DomainUsers
path = /var/spool/samba/printing
printer = dp1600n
public = no
writable = no
printable = yes

[print$]
comment = Printer Drivers
path = /etc/samba/drivers
browseable = no
guest ok = no
read only = yes
write list = root
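The two pitfalls called out in 6.1 and above (driver file names must be lowercase on the server, and the PPD must carry the printer's name) are easy to check before running cupsaddsmb(8). The following Python does that; it is an added example, not part of the original document, and it works on constructed in-memory stand-ins for /etc/cups/printers.conf and for the listings of /etc/cups/ppd/ and /usr/local/share/cups/drivers/ rather than reading the real files.

```python
import re
from typing import Iterable, List

# Constructed stand-in for /etc/cups/printers.conf, matching the page's printer.
PRINTERS_CONF = """\
<DefaultPrinter dp1600n>
Info Dell Laser Printer 1600n
DeviceURI ipp://prn1.lan.kernel-panic.it/
State Idle
</Printer>
"""

# Driver files the procedure copies into the drivers directory (lowercase on the server).
ADOBE_FILES = {"ps5ui.dll", "pscript.hlp", "pscript.ntf", "pscript5.dll"}
CUPS_FILES = {"cups6.ini", "cupsui6.dll", "cupsps6.dll"}

PRINTER_RE = re.compile(r"^<(?:Default)?Printer\s+(\S+)>\s*$", re.MULTILINE)


def printer_names(printers_conf: str) -> List[str]:
    """Names of every <Printer ...> or <DefaultPrinter ...> block."""
    return PRINTER_RE.findall(printers_conf)


def export_problems(printers_conf: str, ppd_files: Iterable[str],
                    driver_files: Iterable[str]) -> List[str]:
    """Report the mismatches that make cupsaddsmb(8) fail for the printers listed."""
    ppds = set(ppd_files)
    drivers = set(driver_files)
    problems = []
    for name in printer_names(printers_conf):
        if f"{name}.ppd" not in ppds:
            problems.append(f"{name}: /etc/cups/ppd/{name}.ppd missing "
                            "(the PPD must be named after the printer)")
    for f in sorted(drivers):
        if f != f.lower():
            problems.append(f"{f}: driver file names must be lowercase on the server")
    for f in sorted((ADOBE_FILES | CUPS_FILES) - {d.lower() for d in drivers}):
        problems.append(f"{f}: not present in /usr/local/share/cups/drivers")
    return problems
```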

The spool directory must be writeable by the users authorized to print and have the sticky-bit set; for example:

# chgrp 513 /var/spool/samba/printing
# chmod 1770 /var/spool/samba/printing

Now we can start the cupsd(8) daemon and reload Samba configuration:

# /usr/local/sbin/cupsd
# pkill -HUP smbd

Well, so we're finally ready to issue the cupsaddsmb(8) command, which will actually export printers to Samba:

# mkdir /etc/samba/drivers
# cupsaddsmb -H localhost -U root -v -a
[ ... ]
Printer Driver dp1600n successfully installed.
[ ... ]
Successfully set dp1600n to driver dp1600n.
#

If everything went fine, now you should find the PostScript drivers and the PPD file(s) in the fresh new /etc/samba/drivers/W32X86/3 directory:

# ls -l /etc/samba/drivers/W32X86/3/
total 2884
-rwxr--r--  1 root  wheel   25729 Feb 28 01:55 dp1600n.ppd
-rwxr--r--  1 root  wheel  129024 Feb 28 01:49 ps5ui.dll
-rwxr--r--  1 root  wheel   26038 Feb 28 01:55 pscript.hlp
-rwxr--r--  1 root  wheel  792644 Feb 28 01:55 pscript.ntf
-rwxr--r--  1 root  wheel  455168 Feb 28 01:49 pscript5.dll
#

The last step is configuring the system to run cupsd(8) on boot, by adding the following lines to the /etc/rc.local file, before the start of Samba:

/etc/rc.local
if [ -x /usr/local/sbin/cupsd ]; then
        echo -n ' cupsd';               /usr/local/sbin/cupsd
fi
