
Authenticating Windows Users to eDirectory

Novell Cool Solutions: Tip
By Andy Bialock


Posted: 8 Sep 2005

A reader recently asked about authenticating Windows users to eDirectory:

"We just installed eDirectory 8.7.3 on SLES 9 to replace our Windows NT domain. We have Linux, Mac, and Windows machines across our network. While I've found excellent information on how to get the Linux and Mac systems to authenticate against eDirectory, I have yet to find a definitive document that shows the best way to authenticate Windows users. I don't want to have to convert my NT domain to Active Directory, as that defeats the purpose of the migration. We're testing using the eDirectory server as a Samba PDC, but that also seems like a roundabout way. I could install the Novell Client on all the Windows boxes, but I was told at Novell that they are authenticating Windows users without the client. So, what's the best way to authenticate Windows users against eDirectory 8.7.3?"

And here's the response from Andy Bialock...

Generally, you must follow the Samba3 PDC howto found at:

with the following modifications:

1. Use SLES9 and the samba3 that comes with it.

2. Use the samba-nds.schema file and import it with ldapmodify. Make sure any long runs of spaces are replaced by a pair of tabs. Convert it to a proper LDIF first; use the files in /usr/lib/nds-schema as a guide for the conversion.

3. Modify the smb.conf file to have these entries:

        passdb backend = ldapsam:ldap://
        ldap admin dn = cn=admin,o=myorg
        ldap suffix = o=myorg
        ldap machine suffix = ou=Workstations
        ldap idmap suffix = ou=IDMap,o=myorg
        ldap filter = (cn=%u)
        idmap backend = ldap:ldap:///
        idmap gid = 10000-20000
        security = user
        encrypt passwords = yes
        obey pam restrictions = Yes
        add machine script = /usr/local/sbin/ -w -d /dev/null -g machines -c 'Machine Account for %u' -s /bin/false %u
        logon path = \\%L\Profiles\%U
        logon drive = H:
        logon home = \\%L\%U
        domain logons = Yes
        os level = 128
        preferred master = Yes
        domain master = Yes
        veto files = /.?*/
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

Note that the most important line is "ldap filter". Do NOT AND the filter ("&") with an objectClass=sambaSamAccount term: Samba already adds that term internally, so the combined filter only errors out. OpenLDAP tolerates the duplication, but eDirectory is stricter.

4. Make sure the box can authenticate your eDirectory users over LDAP. Check these entries in /etc/ldap.conf:

host    <ip of edir server>
base    o=myorg
ldap_version    3
binddn  cn=admin,o=myorg
bindpw  secret
rootbinddn      cn=admin,o=myorg
port    389
scope   sub
pam_filter      objectclass=posixAccount
pam_login_attribute     cn
pam_member_attribute    member
pam_password    nds
nss_base_passwd o=myorg?sub
nss_base_shadow o=myorg?sub
nss_base_group  o=myorg?sub
nss_map_attribute       userPassword authPassword
nss_map_attribute       uniqueMember member

5. Go into yast and set up the LDAP Client under Network Services.

6. Modify the smbldap-tools (from Idealx) package to properly add machine accounts to the domain. Test this from the command line to be sure you can add a machine successfully. Put them in their own container, such as ou=Workstations,o=myorg.
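The following checker is an added example and is not part of the original tip, of Samba or of smbldap-tools. It parses an smb.conf and an /etc/ldap.conf of the shape shown in steps 3 and 4 and reports the eDirectory-specific pitfalls the steps describe: an "ldap filter" that ANDs in sambaSamAccount, missing machine-join parameters, pam_password not set to nds, and the missing userPassword/authPassword mapping. It also flags a privileged binddn whose clear-text bindpw sits in a file nss_ldap needs readable by every local process; the rootbinddn/ldap.secret mechanism it points to is standard nss_ldap/pam_ldap behaviour. The sample configs, the schema normaliser for step 2, and the smbldap-useradd path in the sample are constructed for this example.

```python
"""Lint smb.conf / ldap.conf for the eDirectory PDC pitfalls described in the tip.

Added example, not the tip's own code. Sample configs below are constructed.
"""
import re
from typing import Dict, List


def parse_smb_conf(text: str) -> Dict[str, str]:
    """Flatten smb.conf 'key = value' lines into a dict, ignoring section headers.

    Samba parameter names are case-insensitive, so keys are lowercased and
    runs of whitespace inside a name are collapsed to one space.
    """
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params


def parse_ldap_conf(text: str) -> Dict[str, List[str]]:
    """Parse pam_ldap/nss_ldap style 'key value' lines; a key may repeat."""
    entries: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return entries


def check_smb_conf(text: str) -> List[str]:
    """Return findings for the smb.conf settings the tip calls out (empty = ok)."""
    p = parse_smb_conf(text)
    findings: List[str] = []
    filt = p.get("ldap filter")
    if filt is None:
        findings.append("ldap filter is not set; the tip uses (cn=%u)")
    # eDirectory rejects a filter that repeats sambaSamAccount; Samba adds it itself.
    elif "&" in filt or "sambasamaccount" in filt.lower():
        findings.append("ldap filter must be a plain (cn=%u); drop the '&' / sambaSamAccount term")
    if not p.get("passdb backend", "").startswith("ldapsam:"):
        findings.append("passdb backend should be ldapsam:ldap://...")
    for key in ("ldap admin dn", "ldap suffix", "ldap machine suffix", "add machine script"):
        if key not in p:
            findings.append(f"missing '{key}' (needed to join workstations)")
    if p.get("security", "").lower() != "user":
        findings.append("security must be 'user' for a domain controller")
    if p.get("encrypt passwords", "yes").lower() not in ("yes", "true", "1"):
        findings.append("encrypt passwords must be yes")
    if p.get("domain logons", "no").lower() not in ("yes", "true", "1"):
        findings.append("domain logons must be yes")
    return findings


def check_ldap_conf(text: str) -> List[str]:
    """Return findings for the /etc/ldap.conf settings the tip calls out."""
    e = parse_ldap_conf(text)
    findings: List[str] = []
    if e.get("pam_password", [""])[0].lower() != "nds":
        findings.append("pam_password should be 'nds' so password changes reach eDirectory")
    maps = {tuple(v.split()) for v in e.get("nss_map_attribute", [])}
    if ("userPassword", "authPassword") not in maps:
        findings.append("nss_map_attribute userPassword authPassword is missing")
    # nss_ldap reads this file as every local user, so a clear-text bindpw for the
    # admin DN is exposed; keep the privileged credential under rootbinddn
    # (read from /etc/ldap.secret, mode 0600) and use a low-privilege binddn.
    if "bindpw" in e and e.get("binddn") == e.get("rootbinddn"):
        findings.append("binddn/bindpw expose the admin credential in a world-readable file")
    return findings


def normalize_schema_whitespace(text: str) -> str:
    """Step 2 of the tip: replace long runs of spaces with a pair of tabs."""
    return "\n".join(re.sub(r" {2,}", "\t\t", line) for line in text.splitlines())


# Constructed samples: SMB_GOOD mirrors step 3, SMB_BAD shows the common mistakes.
SMB_GOOD = """[global]
        passdb backend = ldapsam:ldap://
        ldap admin dn = cn=admin,o=myorg
        ldap suffix = o=myorg
        ldap machine suffix = ou=Workstations
        ldap filter = (cn=%u)
        add machine script = /usr/local/sbin/smbldap-useradd -w %u
        security = user
        encrypt passwords = yes
        domain logons = Yes
"""
SMB_BAD = """[global]
        passdb backend = ldapsam:ldap://
        ldap admin dn = cn=admin,o=myorg
        ldap suffix = o=myorg
        ldap filter = (&(objectClass=sambaSamAccount)(cn=%u))
        add machine script = /usr/local/sbin/smbldap-useradd -w %u
        security = user
        encrypt passwords = yes
        domain logons = no
"""
LDAP_CONF = """host 192.0.2.10
base o=myorg
binddn cn=admin,o=myorg
bindpw secret
rootbinddn cn=admin,o=myorg
pam_password nds
nss_map_attribute userPassword authPassword
nss_map_attribute uniqueMember member
"""

if __name__ == "__main__":
    for name, result in (("smb.conf (good)", check_smb_conf(SMB_GOOD)),
                         ("smb.conf (bad)", check_smb_conf(SMB_BAD)),
                         ("ldap.conf", check_ldap_conf(LDAP_CONF))):
        print(name, "->", result or "ok")
```

Run it against your own files by passing their contents to check_smb_conf and check_ldap_conf; the "&" finding is the one that stops eDirectory logons outright, while the bindpw finding is the one to fix before the box goes into production.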

You don't need to use the NetWare Client. This is Samba, so it needs only the Windows client.

This works great for me. I have it working in a number of places, and the clients actually join the domain successfully. Note that "root" must be able to authenticate this way from a Windows client in order to use that account to "join" workstations to the domain.
