Windows fileserver and LDAP authentication

Steelerz37

Senior member
Feb 15, 2003
I am working on a project for school. We have to make a Windows fileserver and authenticate users through an Ubuntu LDAP server. I have the fileserver and the LDAP server set up. Does anyone know how I would redirect the Windows 2003 fileserver to look to the LDAP server for user authentication?
 

Smilin

Diamond Member
Mar 4, 2002
The Windows server will query DNS for:
1. An LDAP server in its site.
2. Any LDAP server.
 

Steelerz37

Senior member
Feb 15, 2003
Well, when I go to add user permissions to a shared folder I am unable to change the location I am looking in. I can only add users that are on my fileserver.
 

Smilin

Diamond Member
Mar 4, 2002
Sorry, dunno how LDAP on Linux works.

Normally a Windows server will be a member of a domain, will query DNS for an LDAP SRV record in its site (via the _msdcs zone) then go LDAP query (Kerberos ticket in hand) the DC that is returned.

 

Nothinman

Elite Member
Sep 14, 2001
So something/someone would have to add the SRV records; normally the DCs do that, AFAIK, because it's not an automatic thing.
 

stash

Diamond Member
Jun 22, 2000
I don't think it is quite that simple. I think you would need to either set up a SAMBA domain controller or possibly install a different GINA on the Windows boxes.

SAMBA is probably the easiest way.
 

Smilin

Diamond Member
Mar 4, 2002
Yeah, Nothin, the netlogon service registers all the SRV records when it starts: PDC, GC, LDAP, Kerberos. system32\config\netlogon.dns lists 'em all. The IP stack does the A and PTRs. Major PITA to do it by hand; I would have to check the netlogon.dns on another box just to remember them all.



Steelerz, What are you using for kerberos? Are you allowing anonymous LDAP queries?
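The DC-locator behaviour Smilin describes (site-specific `_msdcs` SRV name first, then the domain-wide one, then pick a DC from the answers) as an added example; this is not code from the thread or from Windows, and the domain name, site name and SRV records below are constructed for the example. It also implements the RFC 2782 ordering a client is supposed to apply to SRV answers (ascending priority, weighted random within a priority), which is what makes `netlogon.dns` entries with different priority/weight values matter.

```python
"""Added example (not from the thread): how a domain-joined Windows host
locates a DC through DNS SRV records, and how SRV answers are ordered
(RFC 2782).  Domain, site and records below are constructed for the example."""
import random


def dc_locator_names(domain, site=None, service="_ldap"):
    """Owner names the locator queries: site-specific first, then domain-wide."""
    names = []
    if site:
        names.append(f"{service}._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"{service}._tcp.dc._msdcs.{domain}")
    return names


# Constructed SRV answers: owner name -> [(priority, weight, port, target)].
# dc3 in site HQ has a higher priority number, so it is a last resort there.
SAMPLE_SRV = {
    "_ldap._tcp.HQ._sites.dc._msdcs.example.test": [
        (0, 100, 389, "dc1.example.test."),
        (0, 100, 389, "dc2.example.test."),
        (10, 0, 389, "dc3.example.test."),
    ],
    "_ldap._tcp.dc._msdcs.example.test": [
        (0, 100, 389, "dc1.example.test."),
        (0, 100, 389, "dc2.example.test."),
        (0, 100, 389, "dc3.example.test."),
    ],
    "_kerberos._tcp.dc._msdcs.example.test": [
        (0, 100, 88, "dc1.example.test."),
    ],
}


def order_srv(records, rng=random):
    """Order SRV answers per RFC 2782: lowest priority first, and within one
    priority a weighted random draw (weight-0 records only when nothing else)."""
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec[0], []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            pool.sort(key=lambda r: r[1] != 0)          # weight 0 goes to the front
            total = sum(r[1] for r in pool)
            n = rng.randint(0, total)
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= n:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def locate_dc(domain, site=None, service="_ldap", lookup=SAMPLE_SRV.get, rng=random):
    """Return (owner name that answered, ordered answers), falling back from the
    site-specific name to the domain-wide one.  'lookup' stands in for DNS."""
    for name in dc_locator_names(domain, site, service):
        answers = lookup(name)
        if answers:
            return name, order_srv(answers, rng)
    return None, []


if __name__ == "__main__":
    name, dcs = locate_dc("example.test", site="HQ")
    print(name)
    for prio, weight, port, target in dcs:
        print(f"  {target}:{port} (priority {prio}, weight {weight})")
```

In a real domain the locator then LDAP-pings the candidates and caches the one that responds; the point here is only the DNS side: if nobody registers these `_msdcs` names (netlogon on a DC, or a hand-maintained zone), a Windows member server has nothing to find.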
 

Steelerz37

Senior member
Feb 15, 2003
stash: I have pGina installed to allow me to log in to the LDAP server; I couldn't find anything (didn't know what I was looking for) in pGina to allow it to look to the LDAP server.

Smilin: for Kerberos, probably nothing? This is for a class and we were given absolutely no instruction, so I don't know what I may need.
 

drag

Elite Member
Jul 4, 2002
It's possible to use ACLs and SSL/TLS to set up LDAP authentication stuff without Kerberos or whatnot and have it secure.

I've set up a Debian-based that used the standard MIT Kerberos and used ldaps:// with the standard OpenLDAP and OpenSSL stuff. Not particularly easy; made me understand why people like AD.

But I don't know the first thing about using that with Windows clients. It wouldn't be pretty. It would probably be easiest to use Samba to translate. But I haven't much of a clue on that.

Standard practice is just to have a CNAME record pointing to your LDAP server. That way you can do easy load balancing, failover, and migration from server to server and such by messing with the DNS records rather than having to reconfigure all the clients. So my first guess would be that if you don't know what the servers are, the obvious thing to look for would be ldap.your.domain.

(or kerberos.your.domain (or kdc.your.domain and kadmin.your.domain if you have Kerberos set up intelligently so that they are separate machines for security))

Or if the clients are set up correctly you should be able to find it by just doing 'ping ldap'. That would be the most correct setup. But you would still want to use the FQDN for your records, as proper reverse DNS lookup needs to be working correctly and all that, and that is what you also would base your cacerts and such off of if you want to have encrypted LDAP.

It's common to just use ldap by itself for user accounts and such. You have to depend on ACLs for protecting sensitive information (which you need to do anyways). That way you can also integrate it into address books and such easily and other personal records.

So I figure point pgina at ldap.your.domain.name.com or maybe just ldap and see if you find it.
 

Brazen

Diamond Member
Jul 14, 2000
Originally posted by: Steelerz37

this is for a class and we were given absolutely no instruction so I dont know what I may need.

My guess is your instructor meant for you to set up a Samba PDC with an OpenLDAP backend for storing user accounts. Google for "Samba PDC" or maybe "Ubuntu PDC" and you should find some information to get you started.
 

Steelerz37

Senior member
Feb 15, 2003
Well, he gave us two ways to do it: a Linux fileserver using Active Directory for users, or a Windows file server using Ubuntu LDAP users. I found the Samba PDC way, but the lab is offline so I can't get all the packages installed because of dependencies. Is it possible to use apt to download all the packages required, then burn them to a disc and set up the sources.list to grab them from there? That was why I decided to go the Windows fileserver route.

If there is a way to get all the packages and place them on a CD and treat that as a repo, I may just go that route, as it seems much easier to go from Samba to Active Directory.
 

drag

Elite Member
Jul 4, 2002
Yeah, sure.

If you have installed the packages at home or something, apt keeps a copy of all the files you installed in /var/cache/apt/something or other. I forget the actual directory, but a 'find | grep deb' should locate it quickly.

If not, all the packages are available on Debian's website. They'll have the names and all the dependencies and such. Then you have to download them as you need them.

The sort of thing you're doing is pretty common. I bet if you search around for it you can probably find a detailed step-by-step howto on it.
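The offline-repo procedure Steelerz asks about and drag confirms, as an added example that is not from the thread or from apt/dpkg. The usual way is: on a connected box run `apt-get install --download-only <packages>` so the .deb files (and their dependencies) land in /var/cache/apt/archives, copy them to a directory that will be burned to the CD, and generate a `Packages` index there with `dpkg-scanpackages . /dev/null | gzip > Packages.gz`; the CD then becomes a flat repository that sources.list can point at. The block below reimplements the indexing step in Python, building a constructed .deb so it runs with nothing installed; the `[trusted=yes]` option in the sources line is an assumption about the apt version (it needs apt 1.1 or later) and is there because a hand-made local repo has no signed Release file. That also means every .deb you put on the disc is trusted by fiat, so take them from a mirror you trust and keep the generated checksums with the disc.

```python
"""Added example (not from the thread): turn a directory of cached .deb files
into a flat apt repository usable from a CD or a path.  The package built here
is constructed for the example; nothing is downloaded."""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path

AR_MAGIC = b"!<arch>\n"


def _ar_member(name, data):
    """One member of an 'ar' archive (a .deb is an ar archive): 60-byte header,
    data, and a newline pad to an even length."""
    header = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    assert len(header) == 60
    return header + data + (b"\n" if len(data) % 2 else b"")


def _tar_gz(files):
    """In-memory tar.gz of {member name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_minimal_deb(path, control_text):
    """Write a structurally valid .deb with an empty payload (test fixture only)."""
    members = [("debian-binary", b"2.0\n"),
               ("control.tar.gz", _tar_gz({"./control": control_text.encode()})),
               ("data.tar.gz", _tar_gz({}))]
    Path(path).write_bytes(AR_MAGIC + b"".join(_ar_member(n, d) for n, d in members))


def _ar_members(blob):
    """Yield (name, data) for each member of an ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[:16].decode().strip().rstrip("/")
        size = int(hdr[48:58])
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)


def read_control(deb_path):
    """Extract the control file (Package, Version, Depends, ...) from a .deb."""
    for name, data in _ar_members(Path(deb_path).read_bytes()):
        if name.startswith("control.tar"):  # gz/xz/bz2; zstd needs a newer tarfile
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
                for member in tar.getmembers():
                    if member.name.lstrip("./") == "control":
                        return tar.extractfile(member).read().decode()
    raise ValueError(f"{deb_path}: no control file found")


def packages_entry(deb_path, repo_root):
    """One Packages stanza: the control fields plus location, size and checksums,
    which is what apt uses to fetch and verify the file from the flat repo."""
    data = Path(deb_path).read_bytes()
    rel = os.path.relpath(deb_path, repo_root).replace(os.sep, "/")
    fields = [read_control(deb_path).rstrip("\n"),
              f"Filename: ./{rel}",
              f"Size: {len(data)}",
              f"MD5sum: {hashlib.md5(data).hexdigest()}",
              f"SHA256: {hashlib.sha256(data).hexdigest()}"]
    return "\n".join(fields) + "\n"


def write_packages(repo_root):
    """Index every .deb in repo_root (the job of dpkg-scanpackages); returns the text."""
    root = Path(repo_root)
    text = "\n".join(packages_entry(p, root) for p in sorted(root.glob("*.deb")))
    (root / "Packages").write_text(text)
    with gzip.open(root / "Packages.gz", "wb") as out:
        out.write(text.encode())
    return text


def sources_line(mount_point):
    """sources.list entry for the flat, unsigned repo ([trusted=yes] is apt >= 1.1 syntax)."""
    return f"deb [trusted=yes] file:{mount_point} ./"


def build_demo_repo(repo_root=None):
    """Create a constructed package in repo_root (a temp dir if None) and index it."""
    root = Path(repo_root or tempfile.mkdtemp(prefix="offline-apt-"))
    control = ("Package: demo-pkg\nVersion: 1.0\nArchitecture: all\n"
               "Maintainer: Example <nobody@example.test>\n"
               "Depends: libc6\nDescription: constructed package for the example\n")
    build_minimal_deb(root / "demo-pkg_1.0_all.deb", control)
    return write_packages(root)


if __name__ == "__main__":
    print(build_demo_repo())
    print(sources_line("/media/cdrom"))
```

Run it on a real cache directory with `write_packages("/media/cdrom")` after copying the .deb files there (or just use `dpkg-scanpackages` if you have it); then add the `sources_line(...)` output to sources.list and run `apt-get update`. Dependencies are resolved from the index, so every package apt will need has to be on the disc, which is why downloading on a machine with the same release is the easy way to get the set.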
 

Steelerz37

Senior member
Feb 15, 2003
OK, I gave in and did a Samba file server to Active Directory. I worked through most of my issues and now I am at the end where it should work. Everything seems right: I do wbinfo -u and I get users from AD, getent passwd and I see AD users. But when I try to browse to the Samba fileserver it just keeps asking for a username and password and nothing works. I even did chown -R 'domain\user' /home/data and it worked, at least at one point, but I just can not get access to my shares.

Now that I have gone that far I should be able to start over and try again and see what happens pretty quickly. Any ideas what my problem may be? I've edited nsswitch.conf and the common-* PAM files. Also all the Kerberos stuff seems to work just fine: kinit, klist, and I got Samba to join the domain with net ads join.

These are the instructions I was following
http://www.ubuntuforums.org/showthread....80702&highlight=samba+security+%3D+ads

See anywhere I may have made a mistake?