LDAP SAMBA to Primary Domain Controller (PDC)
################################################################################
################################
Step 1: DNS Service
a. Install
#cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
192.168.44.150 server.hbn.local server
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
#yum install -y bind-chroot
#chmod 755 -R /var/named/
#cp /usr/share/doc/bind-*/sample/var/named/named.local /var/named/chroot/var/named/
#cp /usr/share/doc/bind-*/sample/var/named/named.root /var/named/chroot/var/named/
#cp /usr/share/doc/bind-*/sample/var/named/localhost.zone /var/named/chroot/var/named/
#touch /var/named/chroot/etc/named.conf
#chkconfig --level 35 named on
#service named start
b. Configuration:
#vim /var/named/chroot/etc/named.conf
options {
directory "/var/named";
forwarders {203.162.0.181; 203.162.0.11; 210.245.0.11; 210.245.0.58; 208.67.222.222; 208.67.220.220; 8.8.8.8; 8.8.4.4;};
};
zone "." IN {
type hint;
file "named.root";
};
zone "localhost" IN {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
};
zone "44.168.192.in-addr.arpa" IN {
type master;
file "192.168.44.0.db";
};
zone "hbn.local" {
type master;
file "hbn.local";
};
save and quit
# cd /var/named/chroot/var/named/
#vim 192.168.44.0.db
$TTL 86400
@       IN  SOA hbn.local. root.hbn.local. (
                1997022700 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
        IN  NS  ns1.hbn.local.
100     IN  PTR dns.hbn.local.
250     IN  PTR <PTR target missing in the source; the hbn.local zone below assigns 192.168.44.250 to winxp>
; note: ns1.hbn.local. has no A record in the hbn.local zone below, whose own NS records point at hbn.local. instead
#vim hbn.local
$TTL 14400
@       14400   IN  SOA winxp.hbn.local. hostmaster.hbn.local. (
                        2009102800 ; Serial
                        14400      ; Refresh
                        3600       ; Retry
                        1209600    ; Expire
                        86400 )    ; Minimum
                IN  NS  hbn.local.
                IN  NS  hbn.local.
ftp             IN  A   192.168.44.150
hbn.local.      IN  A   192.168.44.150
localhost       IN  A   127.0.0.1
mail            IN  A   192.168.44.150
pop             IN  A   192.168.44.150
smtp            IN  A   192.168.44.150
www             IN  A   192.168.44.150
dns             IN  A   192.168.44.150
ldap            IN  A   192.168.44.150
winxp           IN  A   192.168.44.250
hbn.local.      IN  MX  10 mail
hbn.local.      IN  TXT "v=spf1 a mx ip4:192.168.44.150 ~all"
; [extraction note: the tokens "root.hbn.local." and a second "(" also appear in the garbled source of this file; their position could not be recovered]
# vim /etc/resolv.conf
search hbn.local
nameserver 192.168.44.150
nameserver 192.168.44.2
c. Test:
# nslookup
> hbn.local
Server:
192.168.44.150
Address:
192.168.44.150#53
Name: hbn.local
Address: 192.168.44.150
> dns.hbn.local
Server:
192.168.44.150
Address:
192.168.44.150#53
Name: dns.hbn.local
Address: 192.168.44.150
> winxp.hbn.local
Server:
192.168.44.150
Address:
192.168.44.150#53
Name: winxp.hbn.local
Address: 192.168.44.250
[extraction note: the line "v=spf1 a mx ip4:192.168.44.150 ~all" printed here in the source is the TXT record value of the hbn.local zone file above]
> ldap.hbn.local
Server:
192.168.44.150
Address:
192.168.44.150#53
Name: ldap.hbn.local
Address: 192.168.44.150
> exit
################################################################################
################################
Step 2: PDC with LDAP - Samba
a.Install
Add Dag repository
#wget http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
#rpm --import RPM-GPG-KEY.dag.txt
#rm -f RPM-GPG-KEY.dag.txt
#vim /etc/yum.repos.d/dag.repo
[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el5/en/$basearch/dag/
gpgcheck=1
enabled=0
#yum --enablerepo=dag install -y openldap openldap-clients openldap-devel openldap-servers openldap-clients compat-openldap python-ldap ldapjdk php-ldap nss_ldap samba samba-common samba-client perl-Crypt-SmbHash perl-Digest-SHA1 perl-Jcode perl-Unicode-Map perl-Unicode-Map8 perl-Unicode-MapUTF8 perl-Unicode-String smbldap-tools
#cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema /etc/openldap/schema/
# cd /etc/openldap/
# vim slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# -1 enables every logging category; expect very verbose logs
loglevel -1
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
database bdb
suffix "dc=hbn,dc=local"
rootdn "cn=Manager,dc=hbn,dc=local"
# rootpw is stored here in clear text; slappasswd produces a hashed value of the form shown in the commented line below
rootpw 123456
# rootpw {crypt}ijFYNcSNctBYg
directory /var/lib/ldap
#Access control List information
access to attrs="userPassword,sambaLMPassword,sambaNTPassword"
by self write
by anonymous auth
# note: slapd applies the first access directive whose "to" clause matches, so this directive (ending in an implicit "by * none") takes precedence over the fuller one that follows for the same attributes; the DSA accounts listed there get no write access to these attributes, only the rootdn does, which slapd exempts from ACLs
# users can authenticate and change their password
access to attrs="userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange"
by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
by dn="cn=nssldap,ou=DSA,dc=hbn,dc=local" write
by dn="uid=root,ou=People,dc=hbn,dc=local" write
by anonymous auth
by self write
by * none
# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
by dn="cn=smbldap-tools,dc=hbn,dc=local" write
by dn="uid=root,ou=People,dc=hbn,dc=local" write
by * read
# somme attributes can be writable by users themselves
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,geco
s,cn,sn,givenname
by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
by dn="cn=smbldap-tools,dc=hbn,dc=local" write
by dn="uid=root,ou=People,dc=hbn,dc=local" write
by self write
by * read
# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
by dn="uid=root,ou=People,dc=hbn,dc=local" write
by self read
by * none
# samba need to be able to create the samba domain account
access to dn.base="dc=hbn,dc=local"
by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
by dn="uid=root,ou=People,dc=hbn,dc=local" write
by * none
# samba need to be able to create new users account
access to dn="ou=Users,dc=hbn,dc=local"
by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
by dn="uid=root,ou=People,dc=hbn,dc=local" write
by * none
# samba need to be able to create new groups account
access to dn="ou=Groups,dc=hbn,dc=local"
by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
by dn="uid=root,ou=People,dc=hbn,dc=local" write
by * none
# samba need to be able to create new computers account
access to dn="ou=Computers,dc=hbn,dc=local"
by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
by dn="uid=root,ou=People,dc=hbn,dc=local" write
by * none
access to *
by self read
by * none
save and quit
---------------------------------------------------------------------------------
#chmod 640 slapd.conf
# vim ldap.conf
BASE dc=hbn, dc=local
URI ldap://127.0.0.1/
TLS_CACERTDIR /etc/openldap/cacerts
#cp DB_CONFIG.example /var/lib/ldap/
#cd /var/lib/ldap/
#mv DB_CONFIG.example DB_CONFIG
# /etc/init.d/ldap start
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
# /etc/init.d/nscd start
Starting nscd: [ OK ]
# chkconfig --level 35 nscd on
# setup
run Authentication Configuration
select Cache Information
Use LDAP
Use MD5 Passwords
Use Shadow Passwords
Use LDAP Authentication
Press the Next button
don't select the Use TLS option (acceptable here only because every LDAP client in this guide reaches slapd over the loopback URI ldap://127.0.0.1/; a directory reached over the network needs TLS)
Server: ldap://127.0.0.1/
Base DN: dc=hbn,dc=local
Press OK and exit
# vim /etc/ldap.conf
host 127.0.0.1
base dc=hbn,dc=local
rootbinddn cn=manager,dc=hbn,dc=local
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
#net getlocalsid
SID for domain SERVER is: S-1-5-21-3926925045-1584093657-3115473201
# vim /etc/ldap.secret
123456
# chmod 600 /etc/ldap.secret
################################################################################
##########
smbldap-tools configuration
#cd /etc/smbldap-tools/
# vim smbldap_bind.conf
slaveDN="cn=Manager,dc=hbn,dc=local"
slavePw="123456"
masterDN="cn=Manager,dc=hbn,dc=local"
masterPw="123456"
(this file stores the Manager password in clear text, like /etc/ldap.secret above, so it needs equally restrictive permissions)
# vim smbldap.conf
##############################################################################
#
# General Configuration
#
##############################################################################
SID="S-1-5-21-3926925045-1584093657-3115473201"
sambaDomain="hbn.local"
##############################################################################
#
# LDAP Configuration
#
##############################################################################
slaveLDAP="127.0.0.1"
# Slave LDAP port
slavePort="389"
# Master LDAP server: needed for write operations
masterLDAP="127.0.0.1"
# Master LDAP port
masterPort="389"
suffix="dc=hbn,dc=local"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=hbn.local,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
ldapTLS="0"
and set:
userSmbHome="\\PDC-SRV\%U"
userProfile="\\PDC-SRV\profiles\%U"
(note: these UNC paths name the server PDC-SRV, while smb.conf below sets netbios name = HBN; the two should agree so that home and profile paths resolve to this PDC)
----------------------------------------------------------------------------------
Samba config:
#vim /etc/samba/smb.conf
[global]
workgroup = hbn.local
netbios name = HBN
enable privileges = yes
#interfaces = 192.168.1.131
username map = /etc/samba/smbusers
server string = samba-ldap-pdc
security = user
encrypt passwords = Yes
admin users = root
#min passwd length = 3
obey pam restrictions = No
ldap passwd sync = Yes
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
#time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
#guest account = root
logon script = logon.bat
logon drive =
logon home =
logon path =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=Manager,dc=hbn,dc=local
ldap suffix = dc=hbn,dc=local
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
#ldap ssl = start_tls
add user script = /usr/sbin/smbldap-useradd -a '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
#logon script = STARTUP.BAT
[homes]
comment = Home Directories
valid users = %U
read only = No
create mask = 0664
directory mask = 0775
browseable = No
[profiles]
path = /home/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = Yes
csc policy = disable
force user = %U
valid users = %U @"Domain Admins"
[netlogon]
path = /home/samba/netlogon/
browseable = No
read only = yes
save and quit
-----------------------------------------------------------------------------
# mkdir /home/samba
# mkdir /home/samba/netlogon
# mkdir /home/samba/profiles
# chmod 1777 /home/samba/profiles
#smbpasswd -w 123456
Setting stored password for "cn=Manager,dc=hbn,dc=local" in secrets.tdb
# smbldap-populate
Populating LDAP directory for domain hbn.local (S-1-5-21-3926925045-1584093657-3115473201)
(using builtin directory structure)
adding new entry: dc=hbn,dc=local
adding new entry: ou=Users,dc=hbn,dc=local
adding new entry: ou=Groups,dc=hbn,dc=local
adding new entry: ou=Computers,dc=hbn,dc=local
adding new entry: ou=Idmap,dc=hbn,dc=local
adding new entry: uid=root,ou=Users,dc=hbn,dc=local
adding new entry: uid=nobody,ou=Users,dc=hbn,dc=local
adding new entry: cn=Domain Admins,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Domain Users,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Domain Guests,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Domain Computers,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Administrators,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Account Operators,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Print Operators,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Backup Operators,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Replicators,ou=Groups,dc=hbn,dc=local
adding new entry: sambaDomainName=hbn.local,dc=hbn,dc=local
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
(note: the slapd.conf ACLs above grant write access to cn=samba, cn=nssldap and cn=smbldap-tools under ou=DSA and to uid=root under ou=People, but this LDIF creates cn=smbtools and smbldap-populate placed root at uid=root,ou=Users, so several ACL entries name DNs that never exist; the setup still works because smb.conf, smbldap_bind.conf and /etc/ldap.conf all bind as the rootdn cn=Manager, which slapd exempts from ACLs)
# vim dsa.ldif
dn: ou=DSA,dc=hbn,dc=local
objectClass: top
objectClass: organizationalUnit
ou: DSA
description: security accounts for LDAP clients
dn: cn=samba,ou=DSA,dc=hbn,dc=local
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: sambasecretpwd
cn: samba
dn: cn=nssldap,ou=DSA,dc=hbn,dc=local
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: nssldapsecretpwd
cn: nssldap
dn: cn=smbtools,ou=DSA,dc=hbn,dc=local
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: smbtoolssecretpwd
cn: smbtools
# ldapadd -x -h localhost -D "cn=Manager,dc=hbn,dc=local" -f dsa.ldif -W
Enter LDAP Password:
adding new entry "ou=DSA,dc=hbn,dc=local"
adding new entry "cn=samba,ou=DSA,dc=hbn,dc=local"
adding new entry "cn=nssldap,ou=DSA,dc=hbn,dc=local"
adding new entry "cn=smbtools,ou=DSA,dc=hbn,dc=local"
#ldappasswd -x -h localhost -D "cn=Manager,dc=hbn,dc=local" -s password -W cn=samba,ou=DSA,dc=hbn,dc=local
# /etc/init.d/smb start
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
Now create a samba user account for UNIX and SAMBA
# smbldap-useradd -a -m namhb
# smbldap-passwd namhb
Changing UNIX and samba passwords for namhb
New password:
Retype new password:
Now create a machine trust account
# smbldap-useradd -w winxp
Finish
Thanks