LDAP + Samba PDC + PAM/NSS on Debian Lenny HOWTO

Submitted by hswong3i on Mon, 2009/02/09 – 18:19

LDAP is a good way to keep a single user database for a mixed network, e.g. one login for both Windows and Linux, for e-mail services, for web logons, and so on. This HOWTO walks you through a basic setup of a Samba PDC and PAM/NSS backed by LDAP on Debian Lenny. Once it is in place you can extend the same directory to other systems and platforms.

Prepare Debian Lenny

Before starting I assume you have a working Debian Lenny installation. If you have any questions, please refer to my mini-HOWTO on upgrading Debian to Lenny.

It is also recommended to install the system with a working X.org. This can be done with tasksel --new-install, choosing both Desktop environment and Standard system. Also tick manual package selection so you can verify the package set before you start.

Next, install all required packages. You can skip all configuration prompts during installation; we will come back to them shortly:

apt-get update
apt-get install apache2-suexec libapache2-mod-php5 php5 php5-cli php5-curl php5-gd php5-imap php5-ldap php5-mcrypt php5-mhash php5-sqlite php5-tidy php5-xmlrpc php-pear slapd mcrypt ldap-utils libgd-tools apache2-doc libpam-ldap libnss-ldap resolvconf samba swat smbclient smbfs smbldap-tools

Moreover, if you plan to use Samba as a file server, your /etc/fstab may also need user_xattr and acl support so that Samba can store NT ACLs and DOS attributes on the filesystem. It is also a good idea to replace defaults with relatime (borrowed from Ubuntu 9.04). For example:

/dev/sda3       /               ext3    relatime,user_xattr,acl,errors=remount-ro 0       1
/dev/sda1       /boot           ext3    relatime,user_xattr,acl 0       2
/dev/sda2       none            swap    sw              0       0

Configure slapd

Run dpkg-reconfigure slapd and initialize slapd with following parameters:

  • Omit OpenLDAP server configuration? No
  • DNS domain name: example.com
  • Organization name: example.com
  • Administrator password: CHANGE
  • Database backend to use: HDB
  • Do you want the database to be removed when slapd is purged? No
  • Allow LDAPv2 protocol? No

Back up the freshly initialized LDAP database with the following command:

slapcat > ~/slapd.ldif

Now, prepare the LDAP schema for Samba:

zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema

Generate the rootdn password hash. This HOWTO uses {MD5} for consistency with the smbldap-tools setup below; note that it is unsalted, whereas slappasswd's default scheme {SSHA} is salted and the better choice. rootpw accepts either form:

slappasswd -h {MD5}

Now replace your /etc/ldap/slapd.conf with my version and customize it for your setup: at minimum the suffix, the rootdn and the rootpw line, which must carry the hash slappasswd printed for you (the one in the file below is mine). Note the ACL block at the end: password attributes are writable by the entry's owner and usable only for binding by everyone else, while all other attributes are readable by anonymous binds. That is fine on a trusted LAN but worth tightening if the directory is reachable from elsewhere:

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        none

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

#######################################################################
# Specific Backend Directives for hdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend hdb

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>

#######################################################################
# Specific Directives for database #1, of type hdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        hdb

# The base of your directory in database #1
suffix          "dc=example,dc=com"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn          "cn=admin,dc=example,dc=com"
rootpw          {MD5}Qhz9FD5FDD9YFKBJVAngcw==

# Where the database file are physically stored for database #1
directory       "/var/lib/ldap"

# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts.  They do NOT override an existing DB_CONFIG
# file.  You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057 for more
# information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,sn,mail,givenname           eq,pres,sub
index uidNumber,gidNumber,memberUid     eq,pres
index loginShell                        eq,pres
## required to support pdb_getsampwnam
index uid                               pres,sub,eq
## required to support pdb_getsambapwrid()
index displayName                       pres,sub,eq
index nisMapName,nisMapEntry            eq,pres,sub
index sambaSID                          eq
index sambaPrimaryGroupSID              eq
index sambaDomainName                   eq
index default                           sub
index uniqueMember                      eq
index sambaGroupType                    eq
index sambaSIDList                      eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint      512 30

# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
by self write
by anonymous auth
by * none

# those 2 parameters must be world readable for password aging to work correctly
# (or use a privileged account in /etc/ldap.conf to bind to the directory)
access to attrs=shadowLastChange,shadowMax
by self write
by * read

# all others attributes are readable to everybody
access to *
by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=example,dc=com" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be hdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database        <other>

# The base of your directory for database #2
#suffix "dc=debian,dc=org"

Always stop nscd while debugging LDAP, otherwise cached lookups will hide your changes:

/etc/init.d/nscd stop

Reload your LDAP database from the backup with the following commands:

/etc/init.d/slapd stop
rm -rf /var/lib/ldap/*
slapadd -l ~/slapd.ldif
slapindex
chown -Rf openldap:openldap /var/lib/ldap
/etc/init.d/slapd start

Now verify your setup with slapcat; the dump should contain your dc=example,dc=com and cn=admin entries.
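slapcat shows the entries but not who may read them. The following is an added example for this page (not code from the HOWTO or from OpenLDAP): a small offline evaluator for the ACL block in the slapd.conf above. It applies OpenLDAP's first-match rule to the subset of ACL syntax used on this page and answers the question a practitioner actually has, namely whether an anonymous or an ordinary authenticated bind can read the NT hashes. The two ACL texts are the page's own block and a variant with the password clause left out; subject and target forms the page does not use (dn.regex targets, group or set subjects, break/stop) are deliberately unsupported and raise an error.

```python
"""Offline evaluator for the slapd.conf ACL block above.

Added example for this page; it is not code from the HOWTO or from OpenLDAP.
It handles only the ACL subset used here (targets '*' or 'attrs=a,b';
subjects self, anonymous, users, '*') and applies OpenLDAP's first-match
rule: the first 'access to' clause whose target matches the attribute
decides, and inside it the first 'by' clause whose subject matches decides;
a matching clause with no matching 'by' denies. Sample ACL texts are
copied from the file above (constructed input, not a live directory).
"""
import re

# Access levels, weakest first; a grant of one level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def parse_acls(conf):
    """Return [(attrs_or_None, [(subject, level), ...]), ...] from slapd.conf text."""
    acls, current = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to "):
            # 'access to <target> [by ...]*', possibly all on one line
            parts = re.split(r"\s+by\s+", line[len("access to "):])
            target, bys = parts[0].strip(), parts[1:]
            if target == "*":
                attrs = None
            elif target.startswith("attrs="):
                attrs = {a.strip() for a in target[len("attrs="):].split(",")}
            else:
                raise ValueError("target not supported by this checker: " + target)
            current = (attrs, [])
            acls.append(current)
        elif line.startswith("by "):
            if current is None:
                raise ValueError("'by' clause without a preceding 'access to'")
            bys = re.split(r"\s+by\s+", line[len("by "):])
        else:
            current = None          # any other directive ends the ACL clause
            continue
        for by in bys:
            subject, level = by.split()[:2]
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            current[1].append((subject, level))
    return acls


def evaluate(acls, subject, attr):
    """Highest level 'subject' (self|anonymous|users|*) holds on 'attr'.
    'users' means any authenticated bind, so it also covers 'self';
    '*' covers everyone; an unmatched attribute is denied by default."""
    for attrs, bys in acls:
        if attrs is not None and attr not in attrs:
            continue                # target does not match: try the next clause
        for who, level in bys:
            if who == "*" or who == subject or (who == "users" and subject == "self"):
                return level
        return "none"               # clause matched but no 'by' did: implicit deny
    return "none"


def allows(level, wanted):
    return LEVELS.index(level) >= LEVELS.index(wanted)


SENSITIVE = ("userPassword", "sambaNTPassword", "sambaLMPassword")


def password_exposure(conf):
    """Sensitive attributes readable by an anonymous or any authenticated bind."""
    acls = parse_acls(conf)
    return sorted(a for a in SENSITIVE
                  if allows(evaluate(acls, "anonymous", a), "read")
                  or allows(evaluate(acls, "users", a), "read"))


# The ACL block from the slapd.conf above.
PAGE_ACL = """
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
by self write
by anonymous auth
by * none

access to attrs=shadowLastChange,shadowMax
by self write
by * read

access to *
by * read
"""

# The same file with the password clause forgotten: every NT hash becomes
# readable to an anonymous bind, because 'access to *' now matches first.
WEAK_ACL = "\n".join(PAGE_ACL.splitlines()[5:])

if __name__ == "__main__":
    for name, conf in (("page", PAGE_ACL), ("weak", WEAK_ACL)):
        print(name, "anonymous on sambaNTPassword:",
              evaluate(parse_acls(conf), "anonymous", "sambaNTPassword"),
              "exposed:", password_exposure(conf) or "nothing")
```

The live counterpart is an anonymous ldapsearch for sambaNTPassword: with the page's ACL it returns the entries without that attribute, with the weak variant it returns the hashes.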

Prepare Apache and PHP for phpLDAPadmin

Before install phpLDAPadmin we should give some basic configuration for Apache and PHP.

Edit /etc/php5/apache2/php.ini and change the following lines accordingly:

memory_limit = 128M
post_max_size = 32M
upload_max_filesize = 32M
date.timezone = "Asia/Hong_Kong"
display_errors = Off

Edit the default site in /etc/apache2/sites-enabled/000-default and change AllowOverride none to AllowOverride all as follows (note: this is only for a non-production site, since it lets any .htaccess under /var/www override the server configuration):

<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order allow,deny
allow from all
</Directory>

Now you can restart your Apache:

/etc/init.d/apache2 restart

Install phpLDAPadmin

I like to manage my LDAP setup with phpLDAPadmin. First of all, download the package from sourceforge.net:
http://phpldapadmin.sourceforge.net/wiki/index.php/Download

Prepare your phpLDAPadmin:

mv phpldapadmin-1.1.0.6.tar.gz /var/www/
cd /var/www
tar zxvf phpldapadmin-1.1.0.6.tar.gz
ln -s phpldapadmin-1.1.0.6 phpldapadmin
cd /var/www/phpldapadmin/config/
cp config.php.example config.php

Edit /var/www/phpldapadmin/config/config.php and uncomment the following line:

$ldapservers->SetValue($i,'server','host','127.0.0.1');

Now open phpLDAPadmin at http://localhost/phpldapadmin, log in with your rootdn and verify the setup.

Prepare Samba

Copy and replace your /etc/samba/smb.conf with my version:

# Samba config file created using SWAT
# from UNKNOWN ()
# Date: 2009/06/22 21:47:29

[global]
dos charset = UTF-8
display charset = UTF-8
workgroup = EXAMPLE
realm = EXAMPLE.COM
server string = %h server
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1/
pam password change = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u
logon script = logon.bat
logon path = \\%N\profiles\%U
logon drive = U:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=admin,dc=example,dc=com
ldap delete dn = Yes
ldap group suffix = ou=group
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=computer
ldap suffix = dc=example,dc=com
ldap ssl = no
ldap user suffix = ou=people
panic action = /usr/share/samba/panic-action %d
map acl inherit = Yes
case sensitive = No
hide unreadable = Yes
map hidden = Yes
map system = Yes

[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0600
directory mask = 0700
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers

[netlogon]
path = /var/lib/samba/netlogon
browseable = No

[profiles]
path = /var/lib/samba/profiles
force user = %U
read only = No
create mask = 0600
directory mask = 0700
guest ok = Yes
profile acls = Yes
browseable = No
csc policy = disable

[public]
path = /tmp
read only = No
guest ok = Yes

Now open SWAT in a web browser at http://localhost:901 and change the parameters that differ for your setup, e.g. workgroup and realm. Two caveats: SWAT rewrites smb.conf and drops any comments in it, and it takes the root password over plain HTTP, so only use it from localhost.

Store the LDAP admin password in Samba's secrets.tdb (it must be the same password you set for cn=admin in slapd.conf):

smbpasswd -w CHANGE

Create directories for netlogon and profiles:

mkdir -p /var/lib/samba/netlogon /var/lib/samba/profiles
chown -Rf root:root /var/lib/samba/netlogon /var/lib/samba/profiles
chmod 1777 /var/lib/samba/profiles

Run testparm first and fix any error it reports, then restart Samba with the following command:

/etc/init.d/samba restart

Configure smbldap-tools

Prepare smbldap-tools configure files:

zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf
cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/smbldap_bind.conf

Get your Samba SID for /etc/smbldap-tools/smbldap.conf:

net getlocalsid

Replace your /etc/smbldap-tools/smbldap.conf with my version and update it for your requirements; remember to replace the SID with the one net getlocalsid printed. Two settings deserve a second look: hash_encrypt="MD5" stores unsalted MD5 in userPassword (SSHA is the stronger option the file offers), and ldapTLS="0" sends the bind password in clear, which is acceptable only because the LDAP server is on 127.0.0.1:

# $Source: $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

#  This code was developed by IDEALX (http://IDEALX.org/) and
#  contributors (their names can be found in the CONTRIBUTORS file).
#
#                 Copyright (C) 2001-2002 IDEALX
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.

#  Purpose :
#       . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, the parameter is taken from the output of "net getlocalsid"
SID="S-1-5-21-1169193956-4199179787-2206793627"

# Domain name the Samba server is in charge of.
# If not defined, the parameter is taken from the smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="EXAMPLE"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use a dual LDAP server backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="127.0.0.1"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also use port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=example,dc=com"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=people,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=computer,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=group,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="365"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome=""

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile=""

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="U:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="example.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"
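Both the rootpw generated with slappasswd earlier and the userPassword values smbldap-tools writes according to hash_encrypt use the RFC 2307 "{SCHEME}base64" form. The block below is an added example for this page (not code from the HOWTO, OpenLDAP or smbldap-tools) that produces and verifies those values for {MD5}, {SMD5}, {SHA} and {SSHA}. Running it makes the case for SSHA concrete: two users with the same password get identical {MD5} strings, while the salted schemes differ every time. {CRYPT} and {CLEARTEXT} are left out on purpose.

```python
"""RFC 2307 password hashes of the kind slappasswd and smbldap-tools write.

Added example for this page, not code from the HOWTO, OpenLDAP or
smbldap-tools. make_hash() produces the '{SCHEME}base64' form that
slappasswd -h {SCHEME} prints for rootpw and that smbldap-tools stores in
userPassword according to hash_encrypt; check_hash() verifies a cleartext
against any of {MD5}, {SMD5}, {SHA}, {SSHA}.
"""
import base64
import hashlib
import hmac
import os

DIGEST = {"MD5": hashlib.md5, "SMD5": hashlib.md5, "SHA": hashlib.sha1, "SSHA": hashlib.sha1}
SALTED = {"SMD5", "SSHA"}       # digest(password + salt) followed by the salt itself


def _raw(password, scheme, salt):
    """Bytes that get base64-encoded for the given scheme."""
    if scheme in SALTED:
        return DIGEST[scheme](password + salt).digest() + salt
    return DIGEST[scheme](password).digest()


def make_hash(password, scheme="SSHA", salt=None):
    """Return '{SCHEME}base64(...)'. Salted schemes draw 4 random salt bytes
    unless a salt is supplied (used by check_hash and by tests)."""
    scheme = scheme.upper()
    if scheme not in DIGEST:
        raise ValueError("unsupported scheme: " + scheme)
    if scheme in SALTED and salt is None:
        salt = os.urandom(4)
    raw = _raw(password.encode("utf-8"), scheme, salt)
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def check_hash(stored, password):
    """True if password matches the stored '{SCHEME}...' value."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in DIGEST:
        return False                # {CRYPT}, {CLEARTEXT}, ... not handled here
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    size = DIGEST[scheme]().digest_size
    if len(raw) < size or (scheme not in SALTED and len(raw) != size):
        return False
    salt = raw[size:] if scheme in SALTED else b""   # salt is whatever follows the digest
    # constant-time compare: do not leak how many leading bytes matched
    return hmac.compare_digest(_raw(password.encode("utf-8"), scheme, salt), raw)


if __name__ == "__main__":
    for scheme in ("MD5", "SSHA"):
        # the same password hashed twice: {MD5} repeats, {SSHA} does not
        print(scheme, make_hash("CHANGE", scheme), make_hash("CHANGE", scheme))
```

check_hash() reads the salt from the tail of the stored value, exactly as slapd does when it verifies a simple bind against userPassword, so the same function can validate values produced by slappasswd or by smbldap-passwd.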

Update /etc/smbldap-tools/smbldap_bind.conf as below:

############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=admin,dc=example,dc=com"
slavePw="CHANGE"
masterDN="cn=admin,dc=example,dc=com"
masterPw="CHANGE"

Set the correct permissions on the configuration files (smbldap_bind.conf holds the admin password in clear):

chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf

Now populate the directory with the base entries (the sambaDomain object, the ou=people, ou=group and ou=computer containers, and the standard accounts and groups):

smbldap-populate

Don't forget to back up your latest LDAP database:

slapcat > ~/smbldap.ldif

Configure PAM/NSS with LDAP

Reconfigure libnss-ldap with dpkg-reconfigure libnss-ldap, using the following answers:

  • LDAP server Uniform Resource Identifier: ldap://127.0.0.1
  • Distinguished name of the search base: dc=example,dc=com
  • LDAP version to use: 3
  • Does the LDAP database require login? No
  • Special LDAP privileges for root? Yes
  • Make the configuration file readable/writeable by its owner only? Yes
  • LDAP account for root: cn=admin,dc=example,dc=com
  • LDAP root account password: CHANGE

Update /etc/nsswitch.conf as below:

passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 ldap

Add the following lines to /etc/ldap/ldap.conf so that the ldap-utils clients (ldapsearch and friends) default to your server and base:

host localhost
base dc=example,dc=com

Do not put binddn/bindpw or the nss_base_* and pam_password settings in this file: libldap ignores them, and the file is world-readable, so a password there would be exposed to every local user. Those settings belong in /etc/libnss-ldap.conf and /etc/pam_ldap.conf, with the admin password only in the corresponding .secret files, as shown next.

Modify the following lines in /etc/libnss-ldap.conf:

bind_policy soft
pam_password md5
nss_base_passwd dc=example,dc=com?sub
nss_base_shadow dc=example,dc=com?sub
nss_base_group ou=group,dc=example,dc=com?one

Check your /etc/libnss-ldap.secret:

cat /etc/libnss-ldap.secret

Reconfigure libpam-ldap with dpkg-reconfigure libpam-ldap, using the following answers:

  • LDAP server Uniform Resource Identifier: ldap://127.0.0.1
  • Distinguished name of the search base: dc=example,dc=com
  • LDAP version to use: 3
  • Make local root Database admin. Yes
  • Does the LDAP database require login? No
  • LDAP account for root: cn=admin,dc=example,dc=com
  • LDAP root account password: CHANGE
  • Local crypt to use when changing passwords. MD5
  • (UPDATE 2009-05-09, only available after pam 1.0.1-6) PAM profiles to enable: Unix authentication, LDAP Authentication

Modify the following lines in /etc/pam_ldap.conf:

bind_policy soft
pam_password md5
nss_base_passwd dc=example,dc=com?sub
nss_base_shadow dc=example,dc=com?sub
nss_base_group ou=group,dc=example,dc=com?one

Check your /etc/pam_ldap.secret:

cat /etc/pam_ldap.secret
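The .secret files, like smbldap_bind.conf above, hold the cn=admin password in clear and are protected only by their mode and owner. The following is an added example for this page (not part of the HOWTO or of any Debian package): an audit that checks those files for root ownership and mode 0600, and that flags a bind password which ended up in one of the world-readable configuration files instead. The paths are parameters so it can run against a scratch tree built by make_fixture(); with the defaults it audits the page's real files on the PDC.

```python
"""Permission audit for the files that hold the directory's bind credentials.

Added example for this page, not part of the HOWTO or of any package. The
setup keeps the cn=admin password in /etc/libnss-ldap.secret,
/etc/pam_ldap.secret and /etc/smbldap-tools/smbldap_bind.conf and relies on
mode 0600 plus root ownership. audit() checks that and also flags a password
directive sitting in a world-readable configuration file. The fixture below
is a constructed scratch tree, not the real /etc.
"""
import os
import re
import stat
import tempfile

# Must be root-owned, mode 0600: they hold the rootdn password in clear.
SECRET_FILES = ("/etc/libnss-ldap.secret", "/etc/pam_ldap.secret",
                "/etc/smbldap-tools/smbldap_bind.conf")
# Expected to be world-readable, so they must not carry a credential.
PUBLIC_FILES = ("/etc/ldap/ldap.conf", "/etc/libnss-ldap.conf",
                "/etc/pam_ldap.conf", "/etc/smbldap-tools/smbldap.conf")
# Directives that carry a password in the formats used on this page
# (nss_ldap/pam_ldap, slapd.conf, smbldap_bind.conf).
CREDENTIAL = re.compile(r"^\s*(bindpw|rootpw|slavePw|masterPw)(?=[=\s])", re.IGNORECASE)


def audit(secret_files=SECRET_FILES, public_files=PUBLIC_FILES, expect_uid=0):
    """Return a list of findings (strings); an empty list means all clear."""
    findings = []
    for path in secret_files:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append("%s: missing" % path)
            continue
        if st.st_uid != expect_uid:
            findings.append("%s: owned by uid %d, expected %d" % (path, st.st_uid, expect_uid))
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("%s: mode %04o is accessible to group/other, expected 0600"
                            % (path, stat.S_IMODE(st.st_mode)))
    for path in public_files:
        try:
            st = os.stat(path)
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines = fh.read().splitlines()
        except FileNotFoundError:
            continue
        if not st.st_mode & stat.S_IROTH:
            continue                      # not world-readable: out of scope here
        for n, line in enumerate(lines, 1):
            m = CREDENTIAL.match(line)
            if m:
                findings.append("%s:%d: '%s' credential in a world-readable file"
                                % (path, n, m.group(1)))
    return findings


def make_fixture():
    """Constructed scratch tree: one correct .secret, one left at 0644, an
    ldap.conf carrying a bindpw line, and a clean libnss-ldap.conf."""
    root = tempfile.mkdtemp(prefix="ldap-audit-")
    files = {
        "pam_ldap.secret": ("CHANGE\n", 0o600),
        "libnss-ldap.secret": ("CHANGE\n", 0o644),
        "ldap.conf": ("host localhost\nbase dc=example,dc=com\n"
                      "binddn cn=admin,dc=example,dc=com\nbindpw CHANGE\n", 0o644),
        "libnss-ldap.conf": ("base dc=example,dc=com\n"
                             "rootbinddn cn=admin,dc=example,dc=com\n", 0o644),
    }
    paths = {}
    for name, (text, mode) in files.items():
        paths[name] = os.path.join(root, name)
        with open(paths[name], "w") as fh:
            fh.write(text)
        os.chmod(paths[name], mode)
    return ((paths["pam_ldap.secret"], paths["libnss-ldap.secret"]),
            (paths["ldap.conf"], paths["libnss-ldap.conf"]))


def demo():
    """Audit the fixture; the scratch files belong to the current user, so
    ownership is checked against that uid rather than root."""
    secret, public = make_fixture()
    return audit(secret, public, expect_uid=os.getuid())


if __name__ == "__main__":
    for finding in audit() or ["all credential files look fine"]:
        print(finding)
```

rootbinddn in libnss-ldap.conf and pam_ldap.conf is fine: it names the DN, and the password is read from the .secret file that the audit checks.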

(UPDATE 2009-05-09, only available after pam 1.0.1-6) Refer to /etc/pam.d/common-account comment:

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

By default, Debian already ships a correct LDAP auth profile in /usr/share/pam-configs/ldap:

Name: LDAP Authentication
Default: yes
Priority: 128
Auth-Type: Primary
Auth-Initial:
[success=end default=ignore]    pam_ldap.so
Auth:
[success=end default=ignore]    pam_ldap.so use_first_pass
Account-Type: Primary
Account:
[success=end default=ignore]    pam_ldap.so
Password-Type: Primary
Password-Initial:
[success=end user_unknown=ignore default=die]   pam_ldap.so
Password:
[success=end user_unknown=ignore default=die]   pam_ldap.so use_authtok try_first_pass
Session-Type: Additional
Session:
optional                        pam_ldap.so

If you followed the guideline above, your libpam-ldap should already be set up correctly; otherwise, run pam-auth-update manually.

Here is the legacy reference setup for systems with pam older than 1.0.1-6.

Update your /etc/pam.d/common-account as below:

# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 default=ignore]      pam_ldap.so
# here's the fallback if no module succeeds
account requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)

Update your /etc/pam.d/common-auth as below:

# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so

Update your /etc/pam.d/common-password as below (don't use use_authtok for pam_ldap.so here: with it, pam_ldap expects a new password that pam_unix never collected for a user who is not in /etc/shadow, and the change fails; see http://ubuntuforums.org/archive/index.php/t-156071.html):

# here are the per-package modules (the "Primary" block)
password        [success=2 default=ignore]      pam_unix.so obscure md5
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)

Update your /etc/pam.d/common-session as below:

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required                        pam_unix.so
session optional                        pam_ldap.so

During system boot udevd looks up some users/groups that do not exist yet via NSS, and LDAP is not reachable until slapd is up, so you get error messages (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=412989). Quick fix: create those users/groups in /etc/passwd and /etc/group so that the lookup is satisfied locally before slapd starts:

addgroup --system nvram
addgroup --system rdma
addgroup --system fuse
addgroup --system kvm
adduser --system --group --shell /usr/sbin/nologin --home /var/lib/tpm tss

bind_policy soft speeds up the pass-through of these error messages but does not fix the underlying problem.

Reboot your Debian and debug for any error message 😀

Test your setup

Create a demo user account with smbldap-tools:

smbldap-useradd -a -m postmaster
smbldap-passwd postmaster

Check your user and group lookups. You should find the LDAP records in the output:

getent passwd
getent group

Now log out and log back into your Debian box with the new LDAP user account. After a successful login, check your home directory with pwd. It should all be fine.

Now test joining a Windows machine to the domain. This is not the key point of this HOWTO, so I will skip it here.

After joining your Windows machine to this Samba domain, log in with your LDAP user account. Again it should all be fine 😀

Extra tips

  1. Can’t join Windows XP into domain
    Check that nss_base_passwd ou=computer,dc=example,dc=com?one exists in your PAM/NSS setup (or use nss_base_passwd dc=example,dc=com?sub as above, which may cost some performance). Also, some people report that /var/lib/samba/secrets.tdb may be corrupted so the domain join fails. Remove it and redo smbpasswd -w CHANGE, e.g.:

    /etc/init.d/samba stop
    rm -rf /var/lib/samba/secrets.tdb /var/lib/samba/schannel_store.tdb /var/cache/samba/*
    smbpasswd -w CHANGE
    /etc/init.d/samba start
  2. SID must setup correctly
    Don't forget to run net getlocalsid and put the result into /etc/smbldap-tools/smbldap.conf.
  3. root must be uidnumber = 0
    This is documented in the smbldap-tools HOWTO. If you change this during smbldap-populate, your Windows XP will not be able to join the domain.
  4. Can’t use net getlocalsid after passdb backend = ldapsam
    Use net rpc info instead.
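Tips 2 and 3 both come down to SIDs that do not line up. The following is an added example for this page (not code from the HOWTO or from smbldap-tools): a check over a slapcat or ldapsearch LDIF dump that reports every entry whose sambaSID is not in the domain of the SID you configured, and every user whose RID is not 2*uidNumber+1000. That mapping is the algorithmic one smbldap-tools and Samba use by default and is assumed here; well-known RIDs below 1000, such as 500 for root, are exempt. The LDIF is a constructed sample that reuses the SID from smbldap.conf above; against the real directory run slapcat and pipe it in with your SID as the argument.

```python
"""SID consistency check over a slapcat/ldapsearch LDIF dump.

Added example for this page, not code from the HOWTO or from smbldap-tools.
check_ldif() reports sambaSID values outside the configured domain and user
RIDs that do not follow the algorithmic 2*uidNumber+rid_base mapping
(assumed default of smbldap-tools/Samba). SAMPLE_LDIF is constructed.
"""
import base64
import re
import sys

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(?:-(\d+))?$")


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]} per entry. Unfolds
    continuation lines, decodes '::' base64 values, skips comments."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:            # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current = current if current is not None else {}
        current.setdefault(attr.strip(), []).append(value)
    return entries


def split_sid(sid):
    """'S-1-5-21-a-b-c-rid' -> ('S-1-5-21-a-b-c', rid); rid None for a bare domain SID."""
    m = SID_RE.match(sid)
    if not m:
        return None, None
    rid = m.group(1)
    return (sid, None) if rid is None else (sid[:-(len(rid) + 1)], int(rid))


def check_ldif(text, domain_sid, rid_base=1000):
    """Findings for every sambaSID that is inconsistent with domain_sid."""
    findings = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["?"])[0]
        for sid in entry.get("sambaSID", []):
            prefix, rid = split_sid(sid)
            if prefix != domain_sid:
                findings.append("%s: sambaSID %s is not in domain %s" % (dn, sid, domain_sid))
                continue
            is_user = "sambaSamAccount" in entry.get("objectClass", []) and "uidNumber" in entry
            if is_user and rid is not None and rid >= rid_base:   # well-known RIDs exempt
                expected = 2 * int(entry["uidNumber"][0]) + rid_base
                if rid != expected:
                    findings.append("%s: RID %d does not match uidNumber %s (expected %d)"
                                    % (dn, rid, entry["uidNumber"][0], expected))
    return findings


DOMAIN_SID = "S-1-5-21-1169193956-4199179787-2206793627"
# Constructed dump: domain object, root (well-known RID 500), a correct user,
# a user left over from an earlier domain SID, and a user with a wrong RID.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=com
objectClass: sambaDomain
sambaSID: %(d)s

dn: uid=root,ou=people,dc=example,dc=com
objectClass: sambaSamAccount
uidNumber: 0
sambaSID: %(d)s-500

dn: uid=postmaster,ou=people,dc=example,dc=com
objectClass: sambaSamAccount
uidNumber: 1000
sambaSID: %(d)s-3000

dn: uid=stale,ou=people,dc=example,dc=com
objectClass: sambaSamAccount
uidNumber: 1001
sambaSID: S-1-5-21-111111111-222222222-333333333-3002

dn: uid=odd,ou=people,dc=example,dc=com
objectClass: sambaSamAccount
uidNumber: 1002
sambaSID:: %(b)s
""" % {"d": DOMAIN_SID,
       "b": base64.b64encode((DOMAIN_SID + "-3005").encode()).decode()}

if __name__ == "__main__":
    sid = sys.argv[1] if len(sys.argv) > 1 else DOMAIN_SID
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    for finding in check_ldif(text, sid) or ["no SID inconsistencies found"]:
        print(finding)
```

A "stale" finding after you have re-run smbldap-populate or restored a secrets.tdb is the signature of the problem in tip 2: the domain SID changed underneath accounts that still carry the old one.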

Other references

As your Linux box is now LDAP PAM/NSS enabled, you can also hook most Linux services into it, e.g. email and webmail:

aterm – rxvt tuning.

Searching the web for problems with UTF-8 encoding in aterm, I found some interesting material for solving them. Since aterm is incompatible with that encoding, the best way out is to use rxvt as the terminal, as it has native support and all the other options of aterm, such as transparent mode for example.

So here is a list of parameters for .Xdefaults:

aterm:

aterm*loginShell:true
aterm*transparent:true
aterm*shading:40
aterm*background:Black
aterm*foreground:White
aterm*scrollBar:true
aterm*scrollBar_right:true
aterm*transpscrollbar:true
aterm*saveLines:32767
aterm*font:*-*-fixed-medium-r-normal--*-110-*-*-*-*-iso8859-1
aterm*boldFont:*-*-fixed-bold-r-normal--*-*-110-*-*-*-*-iso8859-1

or for rxvt (use the rxvt-unicode binary for UTF-8 encodings):

rxvt*loginShell:true
rxvt*transparent:true
rxvt*shading:40
rxvt*background:Black
rxvt*foreground:White
rxvt*scrollBar:true
rxvt*scrollBar_right:true
rxvt*transpscrollbar:true
rxvt*saveLines:32767
rxvt*font:*-*-fixed-medium-r-normal--*-110-*-*-*-*-iso8859-1
rxvt*boldFont:*-*-fixed-bold-r-normal--*-*-110-*-*-*-*-iso8859-1

then reload the settings and start aterm (or rxvt):

$ xrdb -load .Xdefaults
$ rxvt
$ aterm

At this point you should have aterm or rxvt with support for transparency with shading, scrollback buffer, unicode (rxvt only) etc.