Building and configuring the smbk5pwd overlay for Debian Etch

From Eduardo Sachs Wiki

Linux distribution

We use Debian Etch to build and configure the smbk5pwd overlay.

Introduction

The smbk5pwd module is available in the contribs directory of the OpenLDAP tarball and, when built with Samba and Kerberos support, allows for this password integration to work automatically. The module is available by default in the openldap-servers package.

This integration happens in three ways:

a) EXOP password modifications: This module intercepts OpenLDAP EXOP password modifications and updates both the Kerberos key and the Samba hashes of the same entry, if they are present. This means that an ldappasswd command, for example, will also end up changing the Samba and Kerberos passwords. Samba, when using the ldap passwd sync option in smb.conf, also performs an EXOP password modification and will thus update the Kerberos key without even knowing it.

b) kpasswd: When Heimdal receives a password change request via kadmin or kpasswd, it checks whether the target entry contains Samba password hashes. If it does, these hashes are also updated. The userPassword attribute, used for simple binds, is not touched, but see below.

c) simple binds (userPassword): Simple binds use the userPassword attribute for password verification. If this attribute contains the special value {K5KEY}, the password is verified against the Kerberos key of the same entry. So, in order to make simple binds use the Kerberos password, all we have to do is replace the userPassword attribute with {K5KEY}.

Note that we also need to change the server's password hash mechanism to {K5KEY}. If we don't, password changes via EXOP will overwrite the userPassword attribute with the new hash instead of leaving it at {K5KEY}, and we will lose our password integration.
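To see which entries would still bypass the Kerberos key on a simple bind, it helps to audit an LDIF export of the people branch before switching on the overlay. The following is an added example, not code from the wiki or from the OpenLDAP project: a minimal LDIF reader that folds continuation lines and decodes base64 (`::`) values, an audit that lists every entry whose userPassword is anything other than {K5KEY}, and a helper that emits the ldapmodify change record which performs the replacement the text describes. The DNs and hash values are constructed for the example.

```python
import base64

K5KEY = "{K5KEY}"

# Constructed sample export (not real directory data): only alice is fully
# integrated; bob still carries a stored hash, carol has no userPassword at all.
_STORED_HASH = base64.b64encode(b"{SSHA}abc").decode()  # constructed, not a real hash
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
userPassword: {K5KEY}
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
# a value written with '::' is base64 encoded in LDIF
userPassword:: {_STORED_HASH}

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
description: service account without any userPassword
"""


def _unfold(lines):
    """Join LDIF continuation lines (a line starting with one space) onto the previous line."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(text):
    """Return a list of entries; each entry maps a lower-cased attribute name to its values."""
    entries, current = [], {}
    for line in _unfold(text.splitlines()) + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def audit_simple_bind_integration(ldif_text):
    """Return (dn, reason) for each entry whose simple bind is NOT verified against
    the Kerberos key, i.e. whose userPassword is missing or is not exactly {K5KEY}."""
    findings = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["<no dn>"])[0]
        values = entry.get("userpassword")
        if values is None:
            findings.append((dn, "no userPassword attribute: simple binds cannot succeed"))
        elif any(v != K5KEY for v in values):
            findings.append((dn, "userPassword holds a stored hash, so simple binds "
                                 "use that hash instead of the Kerberos key"))
    return findings


def k5key_fix_ldif(dn):
    """LDIF change record (for ldapmodify) that points simple binds at the Kerberos key."""
    return f"dn: {dn}\nchangetype: modify\nreplace: userPassword\nuserPassword: {K5KEY}\n-\n"


if __name__ == "__main__":
    for dn, reason in audit_simple_bind_integration(SAMPLE_LDIF):
        print(f"{dn}: {reason}")
        print(k5key_fix_ldif(dn))
```

Run against a real export with `slapcat -b "ou=People,dc=example,dc=com"` redirected to a file and passed to `audit_simple_bind_integration`; entries flagged with a stored hash are the ones to feed, after the overlay is active, through `ldapmodify` with the generated change records.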

The smbk5pwd module accepts some configuration directives, such as smbk5pwd-enable and smbk5pwd-must-change; see its README file in the openldap-servers documentation directory for details.

If Samba is being used, then the ldap passwd sync option should be set to Only. With this option, Samba will only perform the EXOP password modification and expect the OpenLDAP server to update the Samba hashes, which is exactly what smbk5pwd will do:

To the [global] section of /etc/samba/smb.conf, add:

ldap passwd sync = Only

Now, test ldappasswd, smbpasswd and kpasswd: a password change performed by any of these should change all three authentication sources.

Building smbk5pwd

We assume you have already completed the integration from the HOWTO (http://eduardosachs.org/mediawiki/index.php?title=Heimdal_Kerberos_%2B_Samba_PDC_%2B_OpenLDAP_%2B_Squid_no_Debian_Etch) on the server where you are installing this module.

server root# cd /usr/src
server root# apt-get install heimdal-dev libdb4.2-dev libwrap0-dev libiodbc2-dev libncurses5-dev \
             libslp-dev libperl-dev libtool automake1.9 autoconf quilt
server root# apt-get source slapd
server root# cd openldap*
server root# ./configure $(cat debian/configure.options | grep -v '#' | xargs)
server root# make depend
server root# make
server root# cd contrib/slapd-modules/smbk5pwd
server root# make
server root# cp smbk5pwd.la /usr/lib/ldap
server root# cp .libs/smbk5pwd.so.0.0.0 /usr/lib/ldap/
server root# cp -a .libs/smbk5pwd.so /usr/lib/ldap/
server root# cp -a .libs/smbk5pwd.so.0 /usr/lib/ldap/
server root# chmod -x /usr/lib/ldap/smbk5pwd.so.0.0.0
server root# chmod 644 /usr/lib/ldap/smbk5pwd.la
server root# chmod 644 /usr/lib/ldap/smbk5pwd.so
server root# chmod 644 /usr/lib/ldap/smbk5pwd.so.0
server root# chmod 644 /usr/lib/ldap/smbk5pwd.so.0.0.0

Configuring smbk5pwd

Add the following lines to slapd.conf:

modulepath /usr/lib/ldap

moduleload smbk5pwd
overlay smbk5pwd

smbk5pwd-enable krb5
smbk5pwd-enable samba
smbk5pwd-must-change 2592000
password-hash {K5KEY}

  • Check carefully whether your slapd.conf already has a 'modulepath' option; if it does, you do not need to add it again.
  • If password-hash is already configured in your slapd.conf, change it to 'password-hash {K5KEY}' as in the example.
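Because a second modulepath or a leftover password-hash silently breaks the integration, it is worth linting the edited slapd.conf before restarting slapd. The following is an added example, not code from the wiki or from OpenLDAP: it parses slapd.conf directives (honouring whitespace-indented continuation lines), then checks the points this section makes: exactly one modulepath, moduleload before overlay, smbk5pwd-enable after the overlay, and a single password-hash whose value is {K5KEY}. The two configuration fragments are constructed for the example.

```python
# Constructed fragment that follows this page's recipe.
GOOD_CONF = """\
modulepath /usr/lib/ldap
moduleload smbk5pwd
overlay smbk5pwd

smbk5pwd-enable krb5
smbk5pwd-enable samba
smbk5pwd-must-change 2592000
password-hash {K5KEY}
"""

# Constructed fragment with the mistakes the bullets above warn about.
BAD_CONF = """\
modulepath /usr/lib/ldap
# an old hash setting left over from before the overlay was added
password-hash {SSHA}
smbk5pwd-enable krb5
moduleload smbk5pwd
overlay smbk5pwd
modulepath /usr/lib/ldap
"""


def parse_directives(conf_text):
    """Return [(lineno, directive, argument)], skipping blanks and comments.
    In slapd.conf a line starting with whitespace continues the previous directive."""
    out = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        if raw[:1] in (" ", "\t") and out:
            n, d, a = out[-1]
            out[-1] = (n, d, (a + " " + raw.strip()).strip())
            continue
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out.append((lineno, parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return out


def lint_smbk5pwd_conf(conf_text):
    """Return a list of human-readable findings; an empty list means the fragment is consistent."""
    directives = parse_directives(conf_text)
    findings = []

    def lines_of(name, arg_prefix=None):
        return [n for n, d, a in directives
                if d == name and (arg_prefix is None or a.lower().startswith(arg_prefix))]

    modulepath = lines_of("modulepath")
    if not modulepath:
        findings.append("modulepath is missing; slapd cannot locate smbk5pwd.la")
    elif len(modulepath) > 1:
        findings.append(f"modulepath appears {len(modulepath)} times (lines {modulepath}); keep one")

    load = lines_of("moduleload", "smbk5pwd")
    overlay = lines_of("overlay", "smbk5pwd")
    enable = lines_of("smbk5pwd-enable")
    if not load:
        findings.append("moduleload smbk5pwd is missing")
    if not overlay:
        findings.append("overlay smbk5pwd is missing")
    if load and overlay and overlay[0] < load[0]:
        findings.append(f"overlay smbk5pwd (line {overlay[0]}) precedes moduleload (line {load[0]})")
    if not enable:
        findings.append("no smbk5pwd-enable directive: neither krb5 nor samba sync is active")
    elif overlay and enable[0] < overlay[0]:
        findings.append(f"smbk5pwd-enable on line {enable[0]} precedes overlay smbk5pwd (line {overlay[0]})")

    for n, d, a in directives:
        if d == "smbk5pwd-must-change" and not a.isdigit():
            findings.append(f"smbk5pwd-must-change on line {n} must be a number of seconds, got '{a}'")

    hashes = [(n, a) for n, d, a in directives if d == "password-hash"]
    if not hashes:
        findings.append("password-hash is missing; EXOP changes will replace {K5KEY} with a real hash")
    if len(hashes) > 1:
        findings.append(f"password-hash appears {len(hashes)} times (lines {[n for n, _ in hashes]})")
    for n, a in hashes:
        if a != "{K5KEY}":
            findings.append(f"password-hash on line {n} is '{a}', expected {{K5KEY}}")
    return findings


if __name__ == "__main__":
    for name, conf in (("GOOD_CONF", GOOD_CONF), ("BAD_CONF", BAD_CONF)):
        print(name, lint_smbk5pwd_conf(conf) or ["ok"])
```

Feed it the real file with `lint_smbk5pwd_conf(open("/etc/ldap/slapd.conf").read())`; a clean result is a reasonable precondition before the ldappasswd, smbpasswd and kpasswd round-trip test described earlier.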

Bibliography

Introduction taken from the HOWTO: http://wiki.mandriva.com/en/Projects/OpenLDAP_DIT

You can also read this overlay's README in the OpenLDAP source tree, in the directory contrib/slapd-modules/smbk5pwd/README.

Acknowledgements

  • Andreas Hasenack