Integrating CIFS Server with LDAP-UX

From jasonhoss.com

Preparing HP-UX

  • Install CIFS-Server A.03.01 or later
  • Install LdapUXClient B.05.01 or later
  • Ensure the latest versions of krb5client and PAM-Kerberos are installed
  • If the server is currently configured as an LDAP-UX client, remove that configuration before proceeding with the CIFS implementation. The computer account created by the LDAP-UX "autosetup" process is incompatible with the computer account created by the "samba_setup" process.
  • Backup the /etc/krb5.conf, /etc/pam.conf and /etc/nsswitch.conf files because the “netleave” command will remove or modify them.
  • Backup any current smb.conf file in use.
  • To properly remove the LDAP-UX configuration execute:
# /opt/ldapux/config/netleave
  • Ensure that the computer account has been removed from the "Computers" container in Active Directory (netleave does not always clean it up; a stale account will make the later join fail or reuse the wrong object).

Configure CIFS Server (Samba)

  • Run /opt/samba/bin/samba_setup to begin the server setup
* Respond Y to continue setup
* Respond Y if this server should act as a WINS server, or N if the environment already has a WINS server or does not use WINS
* Respond Y if another WINS server in the environment should be used, or N if WINS is not used
* Respond N to using NDS LDAP (the directory here is Active Directory, not Novell NDS/eDirectory)
* Select number 4 to make this server an ADS Member Server
* Confirm Y to proceed with ADS Member Server configuration
* Enter the name of the computer you wish to add to Active Directory. Typically this will be the current hostname of the HP-UX server that CIFS-Server is being configured on.
* Enter the Kerberos realm name used by the AD implementation
* Confirm the Realm by responding with Y.
* Enter the FQDN of the ADS Domain Controller for the realm.
* Confirm the ADS Domain Controller with Y.
* Respond with Y or N depending on whether or not multiple domain controllers should be added.
* Provide the Domain Controller's Administrative username.
* If everything entered looks good, respond Y to accept.
* The samba_setup utility will attempt to use an existing krb5.conf file to authenticate against the Active Directory domain.
* Provide the password for the Domain Controller's Administrative username.
* Provide the password for the Domain Controller's Administrative username again to join the HP-UX host to the Active Directory domain.
* Verify that the /etc/opt/samba/smb.conf contains the entries
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
  • Delete the computer account created in Active Directory by this process.
  • Re-create the computer account using the following command:
net ads join createupn='host/<hostname>.<domainname>@<REALMNAME>' -U <Administrative User>
  • Add the CIFS service principal to the keytab by running the following command:
net ads keytab add cifs -U <Administrative User>
  • Confirm that the keytab (for example with klist -kt) contains host/, machine-account (<hostname>$) and cifs/ principals for both the FQDN and the short host name, all with the same KVNO, and looks something like this:
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  2 04/07/11 12:23:18 host/foo.example.com@EXAMPLE.COM
  2 04/07/11 12:23:18 host/foo.example.com@EXAMPLE.COM
  2 04/07/11 12:23:18 host/foo.example.com@EXAMPLE.COM
  2 04/07/11 12:23:18 host/foo@EXAMPLE.COM
  2 04/07/11 12:23:18 host/foo@EXAMPLE.COM
  2 04/07/11 12:23:18 host/foo@EXAMPLE.COM
  2 04/07/11 12:23:17 foo$@EXAMPLE.COM
  2 04/07/11 12:23:17 foo$@EXAMPLE.COM
  2 04/07/11 12:23:17 foo$@EXAMPLE.COM
  2 04/07/11 12:28:54 cifs/foo.example.com@EXAMPLE.COM
  2 04/07/11 12:28:54 cifs/foo.example.com@EXAMPLE.COM
  2 04/07/11 12:28:54 cifs/foo.example.com@EXAMPLE.COM
  2 04/07/11 12:28:54 cifs/foo@EXAMPLE.COM
  2 04/07/11 12:28:54 cifs/foo@EXAMPLE.COM
  2 04/07/11 12:28:54 cifs/foo@EXAMPLE.COM

and start the CIFS server by typing:

# startsmb
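The script below is an added example, not code from this page or from HP's CIFS Server: a POSIX sh check that the two smb.conf parameters are set and that the keytab holds every principal the join and keytab steps above should have written, all under one key version number. Each join of the computer account rotates its password and raises the KVNO in AD, so keytab entries left over from an earlier join (a different KVNO than the rest) are a classic cause of Kerberos ticket-decryption failures that are otherwise hard to diagnose. The smb.conf fragment and the klist listings are constructed to match the listing above; foo, foo.example.com and EXAMPLE.COM are placeholders.

```shell
#!/bin/sh
# Added example (not from the page or HP CIFS Server): post-join checks.
# Assumes POSIX sh plus awk/sed/grep as shipped with HP-UX. The sample
# data below is constructed; to check a live host use the real files:
#   check_smb_conf "$(cat /etc/opt/samba/smb.conf)"
#   check_keytab "$(klist -kt)" foo foo.example.com EXAMPLE.COM

# Constructed smb.conf [global] fragment containing the required entries
# (deliberately with odd case and spacing, which Samba accepts).
SAMPLE_SMB_CONF='[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS
   Dedicated Keytab File = /etc/krb5.keytab
   kerberos method   =  secrets and keytab
'

# Constructed "klist -kt" output, one entry per principal (a real listing
# repeats each principal once per encryption type).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 04/07/11 12:23:18 host/foo.example.com@EXAMPLE.COM
   2 04/07/11 12:23:18 host/foo@EXAMPLE.COM
   2 04/07/11 12:23:17 foo$@EXAMPLE.COM
   2 04/07/11 12:28:54 cifs/foo.example.com@EXAMPLE.COM
   2 04/07/11 12:28:54 cifs/foo@EXAMPLE.COM
'

# Constructed failure case: the machine-account keys were rotated (KVNO 3)
# but the cifs entries still carry the old KVNO 2, so they no longer match
# the account password held by AD.
SAMPLE_KLIST_STALE='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 04/08/11 09:10:02 host/foo.example.com@EXAMPLE.COM
   3 04/08/11 09:10:02 host/foo@EXAMPLE.COM
   3 04/08/11 09:10:01 foo$@EXAMPLE.COM
   2 04/07/11 12:28:54 cifs/foo.example.com@EXAMPLE.COM
   2 04/07/11 12:28:54 cifs/foo@EXAMPLE.COM
'

# check_smb_conf <smb.conf text>: 0 if both keytab parameters are present
# with the expected values. Samba treats parameter names case-insensitively
# and ignores surrounding whitespace, so normalise before comparing.
check_smb_conf() {
    _norm=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' |
        sed 's/[[:space:]]\{1,\}/ /g; s/^ //; s/ $//; s/ *= */=/')
    printf '%s\n' "$_norm" | grep -q '^dedicated keytab file=/etc/krb5\.keytab$' || {
        echo "smb.conf: missing 'dedicated keytab file = /etc/krb5.keytab'" >&2; return 1; }
    printf '%s\n' "$_norm" | grep -q '^kerberos method=secrets and keytab$' || {
        echo "smb.conf: missing 'kerberos method = secrets and keytab'" >&2; return 1; }
    return 0
}

# has_principal <listing> <principal>: 0 if the principal appears, as an
# exact match, in the fourth column of the klist -kt output.
has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { f = 1 } END { exit f ? 0 : 1 }'
}

# check_keytab <listing> <shorthost> <fqdn> <REALM>: 0 if every principal
# the samba_setup / net ads steps should have written is present, 1 if one
# is missing, 2 if the entries do not all share a single KVNO.
check_keytab() {
    _kt=$1; _h=$2; _f=$3; _r=$4
    for _p in "host/$_f@$_r" "host/$_h@$_r" "$_h\$@$_r" "cifs/$_f@$_r" "cifs/$_h@$_r"; do
        has_principal "$_kt" "$_p" || { echo "keytab: missing $_p" >&2; return 1; }
    done
    _n=$(printf '%s\n' "$_kt" | awk '$4 ~ /@/ { print $1 }' | sort -u | wc -l | tr -d ' ')
    [ "$_n" -eq 1 ] || {
        echo "keytab: entries carry $_n different KVNOs; redo the join and keytab add" >&2; return 2; }
    return 0
}

# run_checks: exercise both checks against the constructed good samples.
run_checks() {
    check_smb_conf "$SAMPLE_SMB_CONF" &&
    check_keytab "$SAMPLE_KLIST" foo foo.example.com EXAMPLE.COM
}

run_checks && echo "CIFS post-join checks passed"
```

Run it as root on the HP-UX host with the live smb.conf and klist output as shown in the header comment; a KVNO mismatch means the join and the cifs keytab add have to be repeated so that every entry is regenerated under the current key version.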

Test connectivity by creating a local UNIX user, making sure there is NO entry of the same name in Samba's local password database (the smbpasswd file or passdb.tdb, which the standard smbpasswd command would have created). The local account only supplies the UNIX identity (uid, gid, home directory) that the Kerberos principal is mapped to; the password is never checked locally.

Browsing to the server from a domain-joined Windows client should bring up the list of shares, and authentication should succeed with the domain user's Kerberos ticket, mapped to the local user account of the same name.

Now that this is complete, it is time to re-implement LDAP-UX so that the local user account itself is not necessary.

Configure LDAP-UX

Now that CIFS is integrated with Active Directory, LDAP-UX has to bind to LDAP as a proxy user instead of with the Kerberos host principal, because the two directory integrations are incompatible: the computer account and host principal now belong to the CIFS Server join and must not be reconfigured by LDAP-UX.

Create the proxy user by executing:

# ldap_proxy_config -i

With -i the tool reads the proxy credential from standard input: the first line is the distinguished name of the proxy user, the second line is the proxy user's password. The proxy account needs only read access to the user, group and profile objects LDAP-UX queries; do not reuse the administrative account that performed the domain join.
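The helper below is an added example, not code from this page or from LDAP-UX. It builds the two-line input that ldap_proxy_config -i reads and pipes it in, so the password never appears on a command line (and therefore never in ps output or shell history), after a syntax check on the DN: a stray control character or newline in the DN would shift the password onto the wrong input line. The DN, the function names and the LDAP_PROXY_CONFIG variable are assumptions; its default is the directory where LDAP-UX installs the tool on HP-UX.

```shell
#!/bin/sh
# Added example (not LDAP-UX code): feed "ldap_proxy_config -i" its two
# stdin lines (line 1: proxy DN, line 2: password) from a shell function.
# Assumptions: POSIX sh; LDAP_PROXY_CONFIG names the tool (the default is
# where LDAP-UX installs it). The DN below is a placeholder.
LDAP_PROXY_CONFIG=${LDAP_PROXY_CONFIG:-/opt/ldapux/config/ldap_proxy_config}

# valid_dn <dn>: simplified check - non-empty, no control characters, and
# every comma-separated RDN looks like attr=value (escaped commas inside
# values are not handled by this check).
valid_dn() {
    [ -n "$1" ] || return 1
    printf '%s' "$1" | LC_ALL=C grep -q '[[:cntrl:]]' && return 1
    printf '%s\n' "$1" | awk -F, '
        { for (i = 1; i <= NF; i++) if ($i !~ /^ *[A-Za-z][A-Za-z0-9.-]*=[^=]+$/) bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# proxy_stdin <dn> <password>: the exact byte stream the tool reads.
proxy_stdin() {
    printf '%s\n%s\n' "$1" "$2"
}

# configure_proxy <dn> <password>: validate the DN, then run the tool with
# the credential on stdin. Returns the tool's exit status.
configure_proxy() {
    valid_dn "$1" || { echo "refusing to configure proxy: bad DN '$1'" >&2; return 1; }
    proxy_stdin "$1" "$2" | "$LDAP_PROXY_CONFIG" -i
}

# interactive_proxy <dn>: prompt for the password with terminal echo off
# and hand it to configure_proxy. Run as root on the HP-UX host.
interactive_proxy() {
    printf 'Password for %s: ' "$1" >&2
    stty -echo; read -r _pw; stty echo; echo >&2
    configure_proxy "$1" "$_pw"
}

# Offline demonstration of the DN check only (the tool itself is not run).
valid_dn 'cn=ldapproxy,cn=Users,dc=example,dc=com' && echo "proxy DN syntax ok"
```

Use interactive_proxy 'cn=ldapproxy,cn=Users,dc=example,dc=com' (with the real proxy DN) on the host; the credential is then handled exactly as when typed to the tool directly, and the DN check runs first.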

  • Launch the setup program (DO NOT USE autosetup as this will break the previous CIFS Server implementation):
# /opt/ldapux/config/setup
  • Respond Yes to continue setup
  • Select 2 for Windows 2003 R2/2008 Active Directory
  • Follow the prompts regarding ldapux_client.conf and locating the profile in Active Directory. If LDAP-UX was previously installed on the system, the setup program should detect the earlier settings; if it does and that configuration is still valid, respond No to "Would you like to change this configuration"
  • Respond to the multiple-domain support question based on the environment.