OpenLDAP and Samba PDC
Written by Joel Gacosta
Tuesday, 16 June 2009 17:26

This article describes how to set up a Windows domain using Samba with OpenLDAP as the primary domain controller that stores Windows account information in Ubuntu 8.04 Server LTS. This provides a central authentication point for Windows users on the network, thus avoiding the need to manage local user accounts on every Windows PC. It can also allow the use of roaming profiles, where a user can log onto any Windows PC on the network and have the same personal settings in each session.

 1. Install OpenLDAP


Install the software:

  apt-get install slapd ldap-utils db4.2-util migrationtools 


Assign a password to LDAP admin:

  Admin password: joel
  Confirm password: joel 

Initially configure OpenLDAP:

 dpkg-reconfigure slapd 


Answer the on-screen prompts with the following:

  No
  DNS domain name: gacosta-net
  Name of your organization: gacosta-net 
  Admin password: joel
  Confirm password: joel
  OK
  BDB
  No
  Yes
  No
 


Restart OpenLDAP:

 /etc/init.d/slapd restart 

 

2. Install SAMBA


Install the software:

 apt-get install samba smbldap-tools smbclient samba-doc 

 

3. Configure OpenLDAP for SAMBA use


Copy the samba.schema file to the OpenLDAP schema directory and uncompress it:

 cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/ 

 gzip -d /etc/ldap/schema/samba.schema.gz

 

Edit '/etc/ldap/slapd.conf' and add the following lines where the other 'include' lines are:

 include         /etc/ldap/schema/samba.schema  
 include         /etc/ldap/schema/misc.schema 


In slapd.conf, change the existing 'access to attrs=userPassword...' line to the following, keeping the 'by' clauses beneath it unchanged (they are what stop anyone other than the admin DN and the entry itself from reading the NT and LM password hashes):

 access to attrs=userPassword,sambaNTPassword,sambaLMPassword  
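As an added check (example code, not from the article), the following Python linter parses the ACL section of a slapd.conf and reports which password-hash attributes an anonymous or ordinary authenticated bind could read. The configuration text is constructed to match the step above, and the parser only understands 'attrs=' and '*' targets, which is an assumption of this example.

```python
import re

# Constructed fragment modelled on the Ubuntu 8.04 default slapd.conf with the
# attribute list widened as in step 3 (sample data, not the author's actual file).
GOOD_CONF = """\
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=gacosta-net" write
        by anonymous auth
        by self write
        by * none
access to *
        by dn="cn=admin,dc=gacosta-net" write
        by * read
"""
# Same file with the step-3 edit forgotten: the Samba hashes fall through to 'access to *'.
WEAK_CONF = GOOD_CONF.replace(",sambaNTPassword,sambaLMPassword", "")

PASSWORD_ATTRS = ("userPassword", "sambaNTPassword", "sambaLMPassword")

def parse_acls(text):
    """List of (attrs, or None for '*', [(who, access), ...]) in file order."""
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access to "):
            m = re.match(r"attrs=([\w,]+)", line[len("access to "):])
            acls.append((set(m.group(1).split(",")) if m else None, []))
        elif line.startswith("by ") and acls:
            who, access = line[3:].rsplit(None, 1)
            acls[-1][1].append((who, access))
    return acls

def readable_password_attrs(text):
    """Password-hash attributes that an anonymous or any-user bind may read.

    slapd applies the first 'access to' clause whose target matches the attribute;
    with no matching clause at all its built-in default is 'by * read'.
    """
    acls = parse_acls(text)
    exposed = set()
    for attr in PASSWORD_ATTRS:
        clause = next((c for a, c in acls if a is None or attr in a), None)
        if clause is None:
            exposed.add(attr)
            continue
        for who, access in clause:
            if who in ("*", "anonymous", "users") and access not in ("none", "auth"):
                exposed.add(attr)
    return exposed
```

Run it against your own slapd.conf after the edit; an empty result means the NT/LM hashes are only reachable by the admin DN and the owning entry.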


Restart OpenLDAP:

 /etc/init.d/slapd restart 

 

4. Configure SAMBA


Edit the Samba config file '/etc/samba/smb.conf' and make the following changes throughout the file:

 [global]
    # Domain name ..
    workgroup = GACOSTA-NET
    # Server name - as seen by Windows PCs ..
    netbios name = GACOSTA-PDC
    security = user
    # Be a PDC ..
    domain logons = Yes
    domain master = Yes
    # Be a WINS server ..
    wins support = true
    smb ports = 139

    obey pam restrictions = No
    dns proxy = No
    os level = 35
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 3
    panic action = /usr/share/samba/panic-action %d
    pam password change = Yes

    # Allows users on WinXP PCs to change their password when they press Ctrl-Alt-Del
    unix password sync = no
    ldap passwd sync = yes

    passwd program = /usr/sbin/smbldap-passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*

    # Printing from PCs will go via CUPS ..
    load printers = yes
    printing = cups
    printcap name = cups

    # Use LDAP for Samba user accounts and groups ..
    passdb backend = ldapsam:ldap://localhost

    # This must match init.ldif ..
    ldap suffix = dc=gacosta-net
    # The password for cn=admin MUST be stored in /etc/samba/secrets.tdb
    # This is done by running 'sudo smbpasswd -w'.
    ldap admin dn = cn=admin,dc=gacosta-net

    # 4 OUs that Samba uses when creating user accounts, computer accounts, etc.
    # (Because we are using smbldap-tools, call them 'Users', 'Computers', etc.)
    ldap machine suffix = ou=Computers
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    # Samba and LDAP server are on the same server in this example.
    ldap ssl = no

    # Scripts for Samba to use if it creates users, groups, etc.
    add user script = /usr/sbin/smbldap-useradd -m '%u'
    delete user script = /usr/sbin/smbldap-userdel %u
    add group script = /usr/sbin/smbldap-groupadd -p '%g'
    delete group script = /usr/sbin/smbldap-groupdel '%g'
    add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
    delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

    ldap delete dn = Yes

    # Script that Samba uses when a PC joins the domain ..
    # (when changing 'Computer Properties' on the PC)
    add machine script = /usr/sbin/smbldap-useradd -w '%u'

    # Values used when a new user is created ..
    # (Note: '%L' does not work properly with smbldap-tools 0.9.4-1)
    logon drive = H:
    logon home = \\gacosta-pdc\%U
    logon path = \\gacosta-pdc\Profiles\%U
    logon script = logon.bat

    # This is required for Windows XP client ..
    server signing = auto
    server schannel = Auto

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = No
        create mask = 0600
        directory mask = 0700

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        admin users = root
        guest ok = Yes
        browseable = No

[Profiles]
        comment = Roaming Profile Share
        # would probably change this to elsewhere in a production system ..
        path = /var/lib/samba/profiles
        read only = No
        profile acls = Yes
        browsable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        use client driver = Yes
        create mask = 0600
        guest ok = Yes
        printable = Yes
        browseable = No
        public = yes
        writable = yes
        admin users = root
        write list = root

[print$]
        comment = Printer Drivers Share
        path = /var/lib/samba/printers
        write list = root
        create mask = 0664
        directory mask = 0775
        admin users = root


Restart Samba:

  /etc/init.d/samba restart  

Give Samba the admin password for the LDAP tree (it is stored in /etc/samba/secrets.tdb):

   smbpasswd -w joel 

 

5. Configure the smbldap-tools Package


We will use the smbldap-tools package to populate the directory. Copy the example config files into place and uncompress the sample config:

 

  cd /usr/share/doc/smbldap-tools/examples/ 

  cp smbldap_bind.conf /etc/smbldap-tools/
  cp smbldap.conf.gz /etc/smbldap-tools/

  gzip -d /etc/smbldap-tools/smbldap.conf.gz  

 

Get the SID of the Samba domain (you will need it in smbldap.conf):

  net getlocalsid 


Now configure smbldap-tools. The script prompts you to confirm many attribute values that are used when creating new accounts. Accept all the defaults, except at the two password prompts, where you enter the LDAP admin password.

   /usr/share/doc/smbldap-tools/configure.pl 


You can change any of these values later by editing '/etc/smbldap-tools/smbldap.conf'. This is what it should look like:

  ## This line must have the same SID as when you ran "net getlocalsid"  
  SID="S-1-5-21-949328747-3404738746-3052206637"  
  sambaDomain="GACOSTA-NET"
  ldapTLS="0"
  suffix="dc=gacosta-net"
  usersdn="ou=Users,${suffix}"
  computersdn="ou=Computers,${suffix}"
  groupsdn="ou=Groups,${suffix}"
  idmapdn="ou=Idmap,${suffix}"
  sambaUnixIdPooldn="sambaDomainName=Gacosta-net,${suffix}"

  ##SAMBA Configuration##
  userSmbHome="\\Gacosta-PDC\%U"
  userProfile="\\Gacosta-PDC\profiles\%U"
  userHomeDrive="H:"
  userScript="logon.bat"
  mailDomain="gacosta.net"

 

Edit the file '/etc/smbldap-tools/smbldap_bind.conf' so that the following information is correct:

  slaveDN="cn=admin,dc=gacosta-net"
  slavePw="joel"
  masterDN="cn=admin,dc=gacosta-net" 
  masterPw="joel"


Set the correct permissions on the files above (smbldap_bind.conf holds the LDAP admin password in clear text, so it must not be world-readable):

  chmod 0644 /etc/smbldap-tools/smbldap.conf
  chmod 0600 /etc/smbldap-tools/smbldap_bind.conf  
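The comments in smb.conf and smbldap.conf above ("This must match init.ldif", "This line must have the same SID as when you ran net getlocalsid") describe values that silently break account creation when they drift apart. As an added example that is not part of the article, this Python check reads the two files plus the output of 'net getlocalsid' and lists every mismatch; the file contents and command output are constructed samples modelled on the article.

```python
import re
# Constructed fragments of the step-4 and step-5 files and of 'net getlocalsid' output.
SMB_CONF = """\
[global]
    workgroup = GACOSTA-NET
    ldap suffix = dc=gacosta-net
    ldap machine suffix = ou=Computers
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
"""
SMBLDAP_CONF = """\
SID="S-1-5-21-949328747-3404738746-3052206637"
sambaDomain="GACOSTA-NET"
suffix="dc=gacosta-net"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
"""
GETLOCALSID = "SID for domain GACOSTA-NET is: S-1-5-21-949328747-3404738746-3052206637"
# smbldap.conf DN setting -> the smb.conf suffix it has to agree with
OU_KEYS = {"usersdn": "ldap user suffix", "groupsdn": "ldap group suffix",
           "computersdn": "ldap machine suffix", "idmapdn": "ldap idmap suffix"}

def parse_smb_global(text):
    conf, section = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        elif section == "global" and "=" in s and not s.startswith(("#", ";")):
            key, value = s.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def parse_smbldap(text):
    conf = dict(re.findall(r'^(\w+)="([^"]*)"', text, re.M))
    return {k: v.replace("${suffix}", conf.get("suffix", "")) for k, v in conf.items()}

def consistency_errors(smb_text, smbldap_text, getlocalsid_output):
    """Mismatches between smb.conf, smbldap.conf and the SID Samba actually uses."""
    smb, sl = parse_smb_global(smb_text), parse_smbldap(smbldap_text)
    sid = re.search(r"S-1-5-21-\d+-\d+-\d+", getlocalsid_output)
    checks = [("SID", sl.get("SID"), sid.group(0) if sid else None),
              ("sambaDomain", sl.get("sambaDomain"), smb.get("workgroup")),
              ("suffix", sl.get("suffix"), smb.get("ldap suffix"))]
    for key, smb_key in OU_KEYS.items():
        checks.append((key, sl.get(key), f"{smb.get(smb_key)},{smb.get('ldap suffix')}"))
    return [f"{k}: smbldap.conf has {got!r}, expected {want!r}"
            for k, got, want in checks if got != want]
```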


7. Populate LDAP Using SMBLDAP-Tools


Populate the directory with the essential Samba entries:

 

  smbldap-populate -u 30000 -g 30000  


At the password prompt, just type your root password.


Verify that the directory now contains entries by running the following command:

   ldapsearch -x -b dc=gacosta-net | less  

 

8. Index the LDAP Database for Speed


Although the LDAP server will function without indexes defined in '/etc/ldap/slapd.conf', performance will degrade as the number of users grows, and warnings like the ones below will be reported to '/var/log/syslog'.

Sep  9 19:34:24 Thich slapd[4929]: <= bdb_equality_candidates: (uidNumber) not indexed
Sep  9 19:34:24 Thich slapd[4929]: <= bdb_equality_candidates: (uniqueMember) not indexed
Sep  9 19:34:25 Thich slapd[4929]: <= bdb_equality_candidates: (gidNumber) not indexed
Sep  9 19:34:25 Thich slapd[4929]: <= bdb_equality_candidates: (memberUid) not indexed
Sep  9 19:34:25 Thich slapd[4929]: <= bdb_equality_candidates: (uid) not indexed
Sep  9 17:39:12 Thich slapd[4929]: <= bdb_equality_candidates: (sambaGroupType) not indexed
Sep  9 17:39:12 Thich slapd[4929]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Sep  9 17:39:12 Thich slapd[4929]: <= bdb_equality_candidates: (sambaSID) not indexed  


The following index definitions have been copied from '/usr/share/doc/smbldap-tools/examples/slapd.conf.gz', but I have removed the indexes for attributes that don't exist in my database (e.g. nisMapName). This text should be pasted into '/etc/ldap/slapd.conf' in the database definitions section (i.e. after the first 'database' directive).

  # Indices to maintain for this database
  index objectClass                       eq,pres
  index ou,cn,sn,mail,givenname           eq,pres,sub
  index uidNumber,gidNumber,memberUid     eq,pres
  index loginShell                        eq,pres
  # I also added this line to stop warning in syslog ..  
  index uniqueMember                      eq,pres
  ## required to support pdb_getsampwnam
  index uid                               pres,sub,eq
  ## required to support pdb_getsambapwrid()
  index displayName                       pres,sub,eq
  # These attributes don't exist in this database ..
  #index nisMapName,nisMapEntry            eq,pres,sub
  index sambaSID                          eq
  index sambaPrimaryGroupSID              eq
  index sambaDomainName                   eq
  index default                           sub 
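Rather than reading the syslog warnings by hand, the missing 'index' lines can be derived from them. As an added example (not from the article), this Python script parses the "not indexed" warnings, compares them with the 'index' directives already in slapd.conf and prints only the directives still needed; the log lines and directives are constructed samples, and the special 'index default' directive is not modelled.

```python
import re

# Constructed sample: slapd warnings as written to /var/log/syslog plus the index
# directives already present in slapd.conf (sample data, not from a live server).
SYSLOG = """\
Sep  9 19:34:24 Thich slapd[4929]: <= bdb_equality_candidates: (uidNumber) not indexed
Sep  9 19:34:24 Thich slapd[4929]: <= bdb_equality_candidates: (uniqueMember) not indexed
Sep  9 19:34:25 Thich slapd[4929]: <= bdb_equality_candidates: (uid) not indexed
Sep  9 17:39:12 Thich slapd[4929]: <= bdb_substring_candidates: (uid) not indexed
Sep  9 17:39:12 Thich slapd[4929]: <= bdb_equality_candidates: (sambaSID) not indexed
Sep  9 17:39:13 Thich slapd[4929]: conn=12 op=3 SRCH base="dc=gacosta-net" scope=2
"""
SLAPD_INDEXES = """\
index objectClass                       eq,pres
index uidNumber,gidNumber,memberUid     eq,pres
index uid                               pres,eq
"""

WARN_RE = re.compile(r"bdb_(equality|substring|presence|approx)_candidates: \((\w+)\) not indexed")
KIND_TO_INDEX = {"equality": "eq", "substring": "sub", "presence": "pres", "approx": "approx"}

def wanted_indexes(syslog):
    """attribute -> set of index types that slapd reported as missing."""
    wanted = {}
    for line in syslog.splitlines():
        m = WARN_RE.search(line)
        if m:
            wanted.setdefault(m.group(2), set()).add(KIND_TO_INDEX[m.group(1)])
    return wanted

def existing_indexes(conf):
    """attribute -> set of index types already declared with 'index' lines."""
    have = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "index":
            for attr in parts[1].split(","):
                have.setdefault(attr, set()).update(parts[2].split(","))
    return have

def missing_index_directives(syslog, conf):
    """The 'index' lines still needed, one per attribute, sorted for a stable diff."""
    have = existing_indexes(conf)
    lines = []
    for attr, kinds in sorted(wanted_indexes(syslog).items()):
        needed = kinds - have.get(attr, set())
        if needed:
            lines.append(f"index {attr} {','.join(sorted(needed))}")
    return lines
```

Feed it the real syslog and slapd.conf, paste the returned lines into the database section, then run slapindex as described below.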


Following this, stop the LDAP server, run slapindex, and restart the LDAP server.

  /etc/init.d/slapd stop
    Stopping OpenLDAP: slapd.
  slapindex
    WARNING!
    Runnig as root!
    There's a fair chance slapd will fail to start.
    Check file permissions!
    /etc/ldap/slapd.conf: line 128: rootdn is always granted unlimited privileges.
    /etc/ldap/slapd.conf: line 145: rootdn is always granted unlimited privileges.
  # Correct the ownership of the index files ..
  chown openldap:openldap /var/lib/ldap/*
  /etc/init.d/slapd start
    Starting OpenLDAP: slapd


9. Add an LDAP User to the System
 

Use the 'smbldap-useradd' tool to add a new Samba account to the directory. For example, to add the user 'joel':

   smbldap-useradd -a -m -P joel 

Here is an explanation of the command switches that we used.

-a  allows Windows as well as Linux login
-m  makes a home directory, leave this off if you do not need local access
-P  prompt for new password


You can also add root and the newly created user to the Windows Administrators group with the following commands, and then check the group membership with smbldap-groupshow:

  /usr/sbin/smbldap-groupmod -m 'root' 'Administrators'
  /usr/sbin/smbldap-groupmod -m 'joel' 'Administrators'  
  smbldap-groupshow Administrators 


10. Configure the Server to Use LDAP Authentication


Install the necessary packages:

   apt-get install auth-client-config libpam-ldap libnss-ldap  


Edit '/etc/ldap.conf' and set the following according to your setup:

  host 127.0.0.1
  base dc=gacosta-net
  uri ldap://127.0.0.1/
  rootbinddn cn=admin,dc=gacosta-net    
  bind_policy soft


Copy '/etc/ldap.conf' to '/etc/ldap/ldap.conf':

  cp /etc/ldap.conf /etc/ldap/ldap.conf  


Create a new file '/etc/auth-client-config/profile.d/open_ldap':

  nano /etc/auth-client-config/profile.d/open_ldap  


and insert the following contents (the profile keys must start at the beginning of the line; the remaining PAM lines of each key are indented continuation lines):

[open_ldap]
nss_passwd=passwd: compat ldap
nss_group=group: compat ldap
nss_shadow=shadow: compat ldap
pam_auth=auth       required     pam_env.so
        auth       sufficient   pam_unix.so likeauth nullok
        auth       sufficient   pam_ldap.so use_first_pass
        auth       required     pam_deny.so
pam_account=account    sufficient   pam_unix.so
        account    sufficient   pam_ldap.so
        account    required     pam_deny.so
pam_password=password   sufficient   pam_unix.so nullok md5 shadow use_authtok
        password   sufficient   pam_ldap.so use_first_pass
        password   required     pam_deny.so
pam_session=session    required     pam_limits.so
        session    required     pam_mkhomedir.so skel=/etc/skel/
        session    required     pam_unix.so
        session    optional     pam_ldap.so


Back up '/etc/nsswitch.conf' and the files in '/etc/pam.d/':

  cp /etc/nsswitch.conf /etc/nsswitch.conf.original 

  cd /etc/pam.d/
  mkdir bkup
  cp * bkup/ 


Enable the new LDAP authentication profile by running the following command from /etc/auth-client-config/profile.d/:

  auth-client-config -a -p open_ldap 


Restart the server and try adding a Windows XP (Professional edition) computer to your new domain.
