Scribd Logo
Upload

Welcome to Scribd!

  • Samba LDAP PDC Complete Tutorial

    Uploaded by

    Budi Darma
    77 views11 pages
    1. The document describes configuring a LDAP SAMBA server as the primary domain controller (PDC) in two main steps. 2. The first step is to install and configure DNS using Bind to provide name resolution for the hbn.local domain. 3. The second step is to install OpenLDAP and configure it to integrate with Samba as the PDC, allowing user and machine authentication against the LDAP directory. Access controls and the smbldap-tools configuration are also defined.

    Original Description:

    Original Title

    Samba-LDAP-PDC-Complete-Tutorial.txt

    Copyright

    © © All Rights Reserved

    Available Formats

    TXT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    1. The document describes configuring a LDAP SAMBA server as the primary domain controller (PDC) in two main steps. 2. The first step is to install and configure DNS using Bind to provide name resolution for the hbn.local domain. 3. The second step is to install OpenLDAP and configure it to integrate with Samba as the PDC, allowing user and machine authentication against the LDAP directory. Access controls and the smbldap-tools configuration are also defined.

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as txt, pdf, or txt
    77 views11 pages

    Samba LDAP PDC Complete Tutorial

    Uploaded by

    Budi Darma
    1. The document describes configuring a LDAP SAMBA server as the primary domain controller (PDC) in two main steps. 2. The first step is to install and configure DNS using Bind to provide name resolution for the hbn.local domain. 3. The second step is to install OpenLDAP and configure it to integrate with Samba as the PDC, allowing user and machine authentication against the LDAP directory. Access controls and the smbldap-tools configuration are also defined.

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as txt, pdf, or txt
    of 11

    LDAP SAMBA to Primary Domain Controller (PDC)

    ################################################################################
    ################################
    Step 1: DNS Service
    a. Install
    #cat /etc/hosts
    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    192.168.44.150 server.hbn.local
    server
    127.0.0.1
    localhost.localdomain localhost
    ::1
    localhost6.localdomain6 localhost6
    #yum install -y bind-chroot
    #chmod 755 -R /var/named/
    #cp /usr/share/doc/bind-*/sample/var/named/named.local /var/named/chroot/var/nam
    ed/
    #cp /usr/share/doc/bind-*/sample/var/named/named.root /var/named/chroot/var/name
    d/
    #cp /usr/share/doc/bind-*/sample/var/named/localhost.zone /var/named/chroot/var/
    named/
    #touch /var/named/chroot/etc/named.conf
    #chkconfig --level 35 named on
    #service named start
    b.Configuration:
    #vim /var/named/chroot/etc/named.conf
    options {
    directory "/var/named";
    forwarders {203.162.0.181; 203.162.0.11; 210.245.0.11; 210.245.0.58; 208
    .67.222.222; 208.67.220.220; 8.8.8.8; 8.8.4.4;};
    };
    zone "." IN {
    type hint;
    file "named.root";
    };
    zone "localhost" IN {
    type master;
    file "localhost.zone";
    };
    zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    };
    zone "44.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.44.0.db";
    };
    zone "hbn.local" {
    type master;
    file "hbn.local";
    };
    save and quit

    # cd /var/named/chroot/var/named/
    #vim 192.168.44.0.db
    $TTL
    86400
    @
    IN
    SOA
    hbn.local. root.hbn.local.
    1997022700 ;
    28800
    ;
    14400
    ;
    3600000
    ;
    86400 )
    ;
    IN
    NS
    ns1.hbn.local.
    100
    IN
    PTR
    dns.hbn.local.
    250
    IN
    PTR
    #vim hbn.local
    $TTL 14400
    @
    IN
    SOA

    IN
    IN

    root.hbn.local.

    NS
    NS

    ftp
    hbn.local.
    localhost
    mail
    pop
    smtp
    www
    dns
    ldap
    winxp
    hbn.local.

    IN
    IN
    IN
    IN
    IN
    IN
    IN
    IN
    IN
    IN
    IN

    hbn.local.

    14400

    (
    Serial
    Refresh
    Retry
    Expire
    Minimum
    winxp.hbn.local.

    hostmaster.hbn.local. (
    2009102800
    14400
    3600
    1209600
    86400 )

    hbn.local.
    hbn.local.
    A
    A
    A
    A
    A
    A
    A
    A
    A
    A
    MX

    IN

    192.168.44.150
    192.168.44.150
    127.0.0.1
    192.168.44.150
    192.168.44.150
    192.168.44.150
    192.168.44.150
    192.168.44.150
    192.168.44.150
    192.168.44.250
    10 mail

    TXT

    # vim /etc/resolv.conf
    search hbn.local
    nameserver 192.168.44.150
    nameserver 192.168.44.2
    c.Test:
    # nslookup
    > hbn.local
    Server:
    192.168.44.150
    Address:
    192.168.44.150#53
    Name: hbn.local
    Address: 192.168.44.150
    > dns.hbn.local
    Server:
    192.168.44.150
    Address:
    192.168.44.150#53
    Name: dns.hbn.local
    Address: 192.168.44.150
    > winxp.hbn.local

    "v=spf1 a mx ip4:192.168.44.150 ~all"

    Server:
    Address:

    192.168.44.150
    192.168.44.150#53

    Name: winxp.hbn.local
    Address: 192.168.44.250
    > ldap.hbn.local
    Server:
    192.168.44.150
    Address:
    192.168.44.150#53
    Name: ldap.hbn.local
    Address: 192.168.44.150
    > exit
    ################################################################################
    ################################
    Step 2: PDC with LDAP - Samba
    a.Install
    Add Dag repository
    #wget http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
    #rpm --import RPM-GPG-KEY.dag.txt
    #rm -f RPM-GPG-KEY.dag.txt
    #vim /etc/yum.repos.d/dag.repo
    [dag]
    name=Dag RPM Repository for Red Hat Enterprise Linux
    baseurl=http://apt.sw.be/redhat/el5/en/$basearch/dag/
    gpgcheck=1
    enabled=0
    #yum --enablerepo=dag install -y openldap openldap-clients openldap-devel openld
    ap-servers openldap-clients compat-openldap python-ldap ldapjdk php-ldap nss_lda
    p samba samba-common samba-client perl-Crypt-SmbHash perl-Digest-SHA1 perl-Jcode
    perl-Unicode-Map perl-Unicode-Map8 perl-Unicode-MapUTF8 perl-Unicode-String smb
    ldap-tools
    #cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema /etc/openldap/schema/
    # cd /etc/openldap/
    # vim slapd.conf
    include
    include
    include
    include
    include

    /etc/openldap/schema/core.schema
    /etc/openldap/schema/cosine.schema
    /etc/openldap/schema/inetorgperson.schema
    /etc/openldap/schema/nis.schema
    /etc/openldap/schema/samba.schema

    # Allow LDAPv2 client connections. This is NOT the default.


    allow bind_v2
    loglevel -1
    pidfile
    argsfile

    /var/run/openldap/slapd.pid
    /var/run/openldap/slapd.args

    #######################################################################
    # ldbm and/or bdb database definitions
    #######################################################################
    # Indices to maintain for this database

    index
    index
    index
    index
    index
    index

    objectClass
    eq,pres
    ou,cn,mail,surname,givenname
    eq,pres,sub
    uidNumber,gidNumber,loginShell
    eq,pres
    uid,memberUid
    eq,pres,sub
    nisMapName,nisMapEntry
    eq,pres,sub
    sambaSID,sambaPrimaryGroupSID,sambaDomainName

    database
    suffix
    rootdn

    bdb
    "dc=hbn,dc=local"
    "cn=Manager,dc=hbn,dc=local"

    rootpw
    # rootpw

    123456

    directory

    /var/lib/ldap

    eq

    {crypt}ijFYNcSNctBYg

    #Access control List information


    access to attrs="userPassword,sambaLMPassword,sambaNTPassword"
    by selfwrite
    by anonymous auth
    # users can authenticate and change their password
    access to attrs="userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sa
    mbaPwdMustChange"
    by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
    by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
    by dn="cn=nssldap,ou=DSA,dc=hbn,dc=local" write
    by dn="uid=root,ou=People,dc=hbn,dc=local" write
    by anonymous auth
    by self write
    by * none
    # some attributes need to be readable anonymously so that 'id user' can answer c
    orrectly
    access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUi
    d
    by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
    by dn="cn=smbldap-tools,dc=hbn,dc=local" write
    by dn="uid=root,ou=People,dc=hbn,dc=local" write
    by * read
    # somme attributes can be writable by users themselves
    access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,geco
    s,cn,sn,givenname
    by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
    by dn="cn=smbldap-tools,dc=hbn,dc=local" write
    by dn="uid=root,ou=People,dc=hbn,dc=local" write
    by self write
    by * read
    # some attributes need to be writable for samba
    access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTim
    e,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcc
    tFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePat
    h,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMu
    ngedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLo
    gonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,samba
    NextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOption
    Name,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
    by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write

    by
    by
    by
    by

    dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
    dn="uid=root,ou=People,dc=hbn,dc=local" write
    self read
    * none

    # samba need to be able to create the samba domain account


    access to dn.base="dc=hbn,dc=local"
    by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
    by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
    by dn="uid=root,ou=People,dc=hbn,dc=local" write
    by * none
    # samba need to be able to create new users account
    access to dn="ou=Users,dc=hbn,dc=local"
    by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
    by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
    by dn="uid=root,ou=People,dc=hbn,dc=local" write
    by * none
    # samba need to be able to create new groups account
    access to dn="ou=Groups,dc=hbn,dc=local"
    by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
    by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
    by dn="uid=root,ou=People,dc=hbn,dc=local" write
    by * none
    # samba need to be able to create new computers account
    access to dn="ou=Computers,dc=hbn,dc=local"
    by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
    by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
    by dn="uid=root,ou=People,dc=hbn,dc=local" write
    by * none
    access to *
    by self read
    by * none
    save and quit
    ---------------------------------------------------------------------------------#chmod 640 slapd.conf
    # vim ldap.conf
    BASE
    dc=hbn, dc=local
    URI ldap://127.0.0.1/
    TLS_CACERTDIR /etc/openldap/cacerts
    #cp DB_CONFIG.example /var/lib/ldap/
    #cd /var/lib/ldap/
    #mv DB_CONFIG.example DB_CONFIG
    # /etc/init.d/ldap start
    Checking configuration files for slapd: config file testing succeeded
    [ OK ]
    Starting slapd: [ OK ]
    # /etc/init.d/nscd start
    Starting nscd: [ OK ]
    # chkconfig --level 35 nscd on
    # setup

    run Authentication Configuration


    select Cache Information
    Use LDAP
    Use MD5 Passwords
    Use Shadow Passwords
    Use LDAP Authentication
    Press the Next button
    don't select Use TLS option
    Server: ldap://127.0.0.1/
    Base DN: dc=hbn,dc=local
    Press OK and exit
    # vim /etc/ldap.conf
    host 127.0.0.1
    base dc=hbn,dc=local
    rootbinddn cn=manager,dc=hbn,dc=local
    timelimit 120
    bind_timelimit 120
    idle_timelimit 3600
    nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,rad
    iusd,news,mailman,nscd,gdm
    ssl no
    tls_cacertdir /etc/openldap/cacerts
    pam_password md5
    #net getlocalsid
    SID for domain SERVER is: S-1-5-21-3926925045-1584093657-3115473201
    # vim /etc/ldap.secret
    123456
    # chmod 600 /etc/ldap.secret
    ################################################################################
    ##########
    smbldap-tools configuration
    #cd /etc/smbldap-tools/
    # vim smbldap_bind.conf
    slaveDN="cn=Manager,dc=hbn,dc=local"
    slavePw="123456"
    masterDN="cn=Manager,dc=hbn,dc=local"
    masterPw="123456"
    # vim smbldap.conf
    ##############################################################################
    #

    # General Configuration
    #
    ##############################################################################
    SID="S-1-5-21-3926925045-1584093657-3115473201"
    sambaDomain="hbn.local"
    ##############################################################################
    #
    # LDAP Configuration
    #
    ##############################################################################
    slaveLDAP="127.0.0.1"
    # Slave LDAP port
    slavePort="389"
    # Master LDAP server: needed for write operations
    masterLDAP="127.0.0.1"
    # Master LDAP port
    masterPort="389"
    suffix="dc=hbn,dc=local"
    usersdn="ou=Users,${suffix}"
    computersdn="ou=Computers,${suffix}"
    groupsdn="ou=Groups,${suffix}"
    idmapdn="ou=Idmap,${suffix}"
    sambaUnixIdPooldn="sambaDomainName=hbn.local,${suffix}"
    scope="sub"
    hash_encrypt="SSHA"
    crypt_salt_format="%s"
    ldapTLS="0"
    and
    userSmbHome="\\PDC-SRV\%U"
    userProfile="\\PDC-SRV\profiles\%U"
    ----------------------------------------------------------------------------------Samba config:
    #vim /etc/samba/smb.conf
    [global]
    workgroup = hbn.local
    netbios name = HBN
    enable privileges = yes
    #interfaces = 192.168.1.131
    username map = /etc/samba/smbusers
    server string = samba-ldap-pdc
    security = user

    encrypt passwords = Yes


    admin users = root
    #min passwd length = 3
    obey pam restrictions = No
    ldap passwd sync = Yes
    log level = 0
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 100000
    #time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    mangling method = hash2
    Dos charset = 850
    Unix charset = ISO8859-1
    #guest account = root
    logon
    logon
    logon
    logon

    script = logon.bat
    drive =
    home =
    path =

    domain logons = Yes


    os level = 65
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    passdb backend = ldapsam:ldap://127.0.0.1
    ldap admin dn = cn=Manager,dc=hbn,dc=local
    ldap suffix = dc=hbn,dc=local
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Users
    idmap backend = ldap://127.0.0.1
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    #ldap ssl = start_tls
    add user script = /usr/sbin/smbldap-useradd -a '%u'
    delete user script = /usr/sbin/smbldap-userdel '%u'
    add group script = /usr/sbin/smbldap-groupadd -p '%g'
    delete group script = /usr/sbin/smbldap-groupdel '%g'
    add user to group script = /usr/sbin/smbldap-groupmod -m '%u''%g'
    delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
    add machine script = /usr/sbin/smbldap-useradd -w '%u'
    #logon script = STARTUP.BAT
    [homes]
    comment = Home Directories
    valid users = %U
    read only = No
    create mask = 0664

    directory mask = 0775


    browseable = No
    [profiles]
    path = /home/samba/profiles
    read only = No
    create mask = 0600
    directory mask = 0700
    browseable = No
    guest ok = Yes
    profile acls = Yes
    csc policy = disable
    force user = %U
    valid users = %U @"Domain Admins"
    [netlogon]
    path = /home/samba/netlogon/
    browseable = No
    read only = yes
    save and quit
    -----------------------------------------------------------------------------# mkdir /home/samba
    # mkdir /home/samba/netlogon
    # mkdir /home/samba/profiles
    # chmod 1777 /home/samba/profiles
    #smbpasswd -w 123456
    Setting stored password for "cn=Manager,dc=hbn,dc=local" in secrets.tdb
    # smbldap-populate
    Populating LDAP directory for domain hbn.local (S-1-5-21-3926925045-1584093657-3
    115473201)
    (using builtin directory structure)
    adding
    adding
    adding
    adding
    adding
    adding
    adding
    adding
    adding
    adding
    adding
    adding
    adding
    adding
    adding
    adding
    adding

    new
    new
    new
    new
    new
    new
    new
    new
    new
    new
    new
    new
    new
    new
    new
    new
    new

    entry:
    entry:
    entry:
    entry:
    entry:
    entry:
    entry:
    entry:
    entry:
    entry:
    entry:
    entry:
    entry:
    entry:
    entry:
    entry:
    entry:

    dc=hbn,dc=local
    ou=Users,dc=hbn,dc=local
    ou=Groups,dc=hbn,dc=local
    ou=Computers,dc=hbn,dc=local
    ou=Idmap,dc=hbn,dc=local
    uid=root,ou=Users,dc=hbn,dc=local
    uid=nobody,ou=Users,dc=hbn,dc=local
    cn=Domain Admins,ou=Groups,dc=hbn,dc=local
    cn=Domain Users,ou=Groups,dc=hbn,dc=local
    cn=Domain Guests,ou=Groups,dc=hbn,dc=local
    cn=Domain Computers,ou=Groups,dc=hbn,dc=local
    cn=Administrators,ou=Groups,dc=hbn,dc=local
    cn=Account Operators,ou=Groups,dc=hbn,dc=local
    cn=Print Operators,ou=Groups,dc=hbn,dc=local
    cn=Backup Operators,ou=Groups,dc=hbn,dc=local
    cn=Replicators,ou=Groups,dc=hbn,dc=local
    sambaDomainName=hbn.local,dc=hbn,dc=local

    Please provide a password for the domain root:


    Changing UNIX and samba passwords for root
    New password:
    Retype new password:

    # vim dsa.ldif
    dn: ou=DSA,dc=hbn,dc=local
    objectClass: top
    objectClass: organizationalUnit
    ou: DSA
    description: security accounts for LDAP clients
    dn: cn=samba,ou=DSA,dc=hbn,dc=local
    objectclass: organizationalRole
    objectClass: top
    objectClass: simpleSecurityObject
    userPassword: sambasecretpwd
    cn: samba
    dn: cn=nssldap,ou=DSA,dc=hbn,dc=local
    objectclass: organizationalRole
    objectClass: top
    objectClass: simpleSecurityObject
    userPassword: nssldapsecretpwd
    cn: nssldap

    dn: cn=smbtools,ou=DSA,dc=hbn,dc=local
    objectclass: organizationalRole
    objectClass: top
    objectClass: simpleSecurityObject
    userPassword: smbtoolssecretpwd
    cn: smbtools
    # ldapadd -x -h localhost -D "cn=Manager,dc=hbn,dc=local" -f dsa.ldif -W
    Enter LDAP Password:
    adding new entry "ou=DSA,dc=hbn,dc=local"
    adding new entry "cn=samba,ou=DSA,dc=hbn,dc=local"
    adding new entry "cn=nssldap,ou=DSA,dc=hbn,dc=local"
    adding new entry "cn=smbtools,ou=DSA,dc=hbn,dc=local"
    #ldappasswd -x -h localhost -D "cn=Manager,dc=hbn,dc=local" -s password -W cn=sa
    mba,ou=DSA,dc=hbn,dc=local
    # /etc/init.d/smb start
    Starting SMB services: [ OK ]
    Starting NMB services: [ OK ]
    Now create a samba user account for UNIX and SAMBA
    # smbldap-useradd -a -m namhb
    # smbldap-passwd namhb
    Changing UNIX and samba passwords for namhb
    New password:
    Retype new password:
    Now create a machine trust account
    # smbldap-useradd -w winxp

    Finish
    Thanks

    You might also like