
Setting up an LDAP + Samba PDC

Throughout all my posts I wrote too much about LDAP authentication, so Samba won't stay out of this party.

Remember, this party is by invitation only :)

You can check out my post about LDAP if you don't feel comfortable with it yet; either way, just follow this post and at the end you'll be able to set up Samba as a PDC authenticating against LDAP. The example shown here is based on a minimal installation of CentOS 5.3.

First, we need to install all the packages this example requires, but there are a few other things to do before that, like customizing the boot process. Note that the loop below also turns off iptables and ip6tables, so the host firewall is off from this point on.

[root@server ~]# for i in acpid auditd anacron autofs atd avahi-daemon apmd bluetooth cups crond kudzu firstboot iptables ip6tables gpm haldaemon hidd pcscd sendmail yum-updatesd ; do chkconfig $i off ; done
[root@server ~]#

Configure /etc/hosts

[root@server ~]# vi /etc/hosts

192.168.1.3 server server.queiroz.com

Turn SELinux off.

[root@server ~]# vi /etc/sysconfig/selinux

SELINUX=disabled

Reboot your system.

Install the following packages.

[root@server ~]# yum install samba samba-client openldap openldap-clients openldap-servers nss_ldap perl-LDAP

All of the packages below are on your CD media except smbldap-tools. Get it here.

perl-Crypt-SmbHash-0.12-1.2.el5.rf.noarch.rpm
perl-Digest-SHA1-2.11-1.2.1.i386.rpm
perl-Jcode-2.06-1.el5.rf.i386.rpm
perl-LDAP-0.33-3.fc6.noarch.rpm
perl-Unicode-Map-0.112-1.el5.rf.i386.rpm
perl-Unicode-Map8-0.12-1.el5.rf.i386.rpm
perl-Unicode-MapUTF8-1.11-1.2.el5.rf.noarch.rpm
perl-Unicode-String-2.09-1.2.el5.rf.i386.rpm
phpldapadmin-1.1.0.7.tar.gz
smbldap-tools-0.9.5-1.noarch.rpm

[root@server smbldap]# rpm -ivh perl-Crypt-SmbHash-0.12-1.2.el5.rf.noarch.rpm
warning: perl-Crypt-SmbHash-0.12-1.2.el5.rf.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
1:perl-Crypt-SmbHash ########################################### [100%]
[root@server smbldap]#

[root@server smbldap]# rpm -ivh perl-Digest-SHA1-2.11-1.2.1.i386.rpm
Preparing... ########################################### [100%]
1:perl-Digest-SHA1 ########################################### [100%]
[root@server smbldap]#

[root@server smbldap]# rpm -ivh perl-Jcode-2.06-1.el5.rf.i386.rpm
warning: perl-Jcode-2.06-1.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
1:perl-Jcode ########################################### [100%]
[root@server smbldap]#

[root@server smbldap]# rpm -ivh perl-Unicode-Map-0.112-1.el5.rf.i386.rpm
warning: perl-Unicode-Map-0.112-1.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
1:perl-Unicode-Map ########################################### [100%]
[root@server smbldap]#

[root@server smbldap]# rpm -ivh perl-Unicode-String-2.09-1.2.el5.rf.i386.rpm
warning: perl-Unicode-String-2.09-1.2.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
1:perl-Unicode-String ########################################### [100%]
[root@server smbldap]#

[root@server smbldap]# rpm -ivh perl-Unicode-Map8-0.12-1.el5.rf.i386.rpm
warning: perl-Unicode-Map8-0.12-1.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
1:perl-Unicode-Map8 ########################################### [100%]
[root@server smbldap]#

[root@server smbldap]# rpm -ivh perl-Unicode-MapUTF8-1.11-1.2.el5.rf.noarch.rpm
warning: perl-Unicode-MapUTF8-1.11-1.2.el5.rf.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
1:perl-Unicode-MapUTF8 ########################################### [100%]
[root@server smbldap]#

[root@server smbldap]# rpm -ivh smbldap-tools-0.9.5-1.noarch.rpm
warning: smbldap-tools-0.9.5-1.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 75fe0a51
Preparing... ########################################### [100%]
1:smbldap-tools ########################################### [100%]
[root@server smbldap]#

Edit slapd.conf

[root@server ~]# vi /etc/openldap/slapd.conf

Add this line at the end of the schema include section, then set the database suffix, root DN and root password as shown (slapd.conf only accepts comments on their own line, so don't put the note after the rootpw value).

include /etc/openldap/schema/samba.schema

database bdb
suffix "dc=queiroz,dc=com"
rootdn "cn=root,dc=queiroz,dc=com"
# Generate this hash by running slappasswd, then copy and paste it here.
rootpw {SSHA}ernicO/fWeCi5g2GFqaB/JGqZXj7Hmj3

Get the SID and copy it.

[root@server ~]# net getlocalsid
SID for domain SERVER is: S-1-5-21-1082253588-3757474382-3995049807
[root@server ~]#

Edit smbldap.conf

[root@server ~]# vi /etc/smbldap-tools/smbldap.conf

SID="S-1-5-21-1082253588-3757474382-3995049807"

sambaDomain="QUEIROZ"

# Comment out both slave lines.
#slaveLDAP="ldap.iallanis.info"
#slavePort="389"

masterLDAP="server.queiroz.com"
masterPort="389"

# Switch this from 1 to 0.
ldapTLS="0"

suffix="dc=queiroz,dc=com"

userSmbHome="\\SERVER\%U"

userProfile="\\SERVER\profiles\%U"

mailDomain="queiroz.com"

Edit smbldap_bind.conf so that it looks like this.

[root@server ~]# vi /etc/smbldap-tools/smbldap_bind.conf

#slaveDN="cn=Manager,dc=iallanis,dc=info"
#slavePw="secret"
masterDN="cn=root,dc=queiroz,dc=com"
# The same password that the rootpw entry in slapd.conf hashes.
masterPw="root123"
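The rootpw in slapd.conf is a salted SHA-1 hash produced by slappasswd, while smbldap_bind.conf holds the same password in cleartext; if the two disagree, smbldap-tools cannot bind as the admin DN and every later step fails. The script below is an added example (not part of this post or of smbldap-tools) that reimplements OpenLDAP's {SSHA} scheme, base64(SHA-1(password + salt) + salt), and checks a masterPw value against a rootpw hash. The sample config texts, the fixed salt and the helper names (ssha_hash, ssha_verify, bind_password_matches) are my own; the post's actual hash is not reused.

```python
"""Check that smbldap_bind.conf's masterPw matches slapd.conf's {SSHA} rootpw.

Added example, not part of the original post. OpenLDAP's {SSHA} scheme is
base64(SHA-1(password + salt) + salt); slappasswd uses a 4-byte random salt.
"""
import base64
import hashlib
import hmac
import os
import re


def ssha_hash(password, salt=None):
    """Produce an {SSHA} string the way slappasswd does (random 4-byte salt by default)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, ssha):
    """True if password matches the {SSHA} string; the salt is whatever follows the 20-byte digest."""
    if not ssha.startswith("{SSHA}"):
        raise ValueError("expected an {SSHA} hash, got %r" % ssha[:8])
    raw = base64.b64decode(ssha[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_from_slapd_conf(text):
    """Extract the rootpw value from slapd.conf text (comments must sit on their own line)."""
    m = re.search(r"^\s*rootpw\s+(\S+)", text, re.M)
    return m.group(1) if m else None


def master_pw_from_bind_conf(text):
    """Extract masterPw from smbldap_bind.conf text, with or without quotes."""
    m = re.search(r'^\s*masterPw\s*=\s*"?([^"\n]*)"?\s*$', text, re.M)
    return m.group(1) if m else None


def bind_password_matches(slapd_conf_text, bind_conf_text):
    """True when the cleartext masterPw verifies against the hashed rootpw."""
    rootpw = rootpw_from_slapd_conf(slapd_conf_text)
    master_pw = master_pw_from_bind_conf(bind_conf_text)
    if rootpw is None or master_pw is None:
        return False
    return ssha_verify(master_pw, rootpw)


# Constructed sample files using the DN from the post. The hash is generated here
# with a fixed salt so the example is reproducible; the post's own hash is not reused.
def sample_slapd_conf(password="root123"):
    body = 'database bdb\nsuffix "dc=queiroz,dc=com"\nrootdn "cn=root,dc=queiroz,dc=com"\n'
    return body + "rootpw %s\n" % ssha_hash(password, b"\x01\x02\x03\x04")


def sample_bind_conf(password="root123"):
    return 'masterDN="cn=root,dc=queiroz,dc=com"\nmasterPw="%s"\n' % password


if __name__ == "__main__":
    # On the server, read /etc/openldap/slapd.conf and
    # /etc/smbldap-tools/smbldap_bind.conf instead of the samples.
    print("bind password matches rootpw:",
          bind_password_matches(sample_slapd_conf(), sample_bind_conf()))
```

Run it as root on the PDC with the two real files substituted for the samples before starting slapd; a False result means the password typed into smbldap_bind.conf is not the one that was fed to slappasswd.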

[root@server ~]# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@server ~]# chown ldap.ldap /var/lib/ldap/

[root@server ~]# cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema /etc/openldap/schema/

smbldap_bind.conf holds the directory administrator's password in cleartext, so make it readable by root only.

[root@server ~]# chmod 600 /etc/smbldap-tools/smbldap_bind.conf

[root@server ~]# service ldap start
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
[root@server ~]#

[root@server ~]# chkconfig ldap on

Create base.ldif with the base entry and the admin role.

[root@server openldap]# vi base.ldif

dn: dc=queiroz,dc=com
objectclass: dcObject
objectclass: organization
dc: queiroz
o: PDC

dn: cn=root,dc=queiroz,dc=com
objectclass: organizationalRole
cn: root

Load the entries above into the directory with the following command.

[root@server openldap]# ldapadd -x -W -D 'cn=root,dc=queiroz,dc=com' -f base.ldif
Enter LDAP Password:
adding new entry "dc=queiroz,dc=com"

adding new entry "cn=root,dc=queiroz,dc=com"

[root@server openldap]#

The next step is very interesting. You can either copy the smb.conf template shipped with smbldap-tools and modify it as you like, or write a new one from scratch.

[root@server ~]# cp /usr/share/doc/smbldap-tools-0.9.5/smb.conf /etc/samba/smb.conf

or

[root@server ~]# cd /etc/samba/
[root@server samba]# mv smb.conf smb.conf.OLD
[root@server samba]# vi smb.conf

[global]
workgroup = QUEIROZ
netbios name = SERVER
security = user
domain master = yes
domain logons = yes
ldap suffix = dc=queiroz,dc=com
ldap admin dn = cn=root,dc=queiroz,dc=com
passdb backend = ldapsam:ldap://server.queiroz.com/
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
passwd program = /usr/sbin/smbldap-passwd "%u"
unix password sync = yes
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

[netlogon]
path = /home/samba/netlogon
read only = yes
browseable = no

[profiles]
path = /home/samba/profiles
read only = no
writeable = yes
guest ok = yes
create mask = 0600
directory mask = 0700

[homes]
browseable = no
writeable = yes
guest ok = no

[root@server samba]# smbpasswd -W root123
Setting stored password for "cn=root,dc=queiroz,dc=com" in secrets.tdb
New SMB password:
Retype new SMB password:
[root@server samba]#

Create the directories for profiles and netlogon.

[root@server samba]# mkdir /home/samba/{profiles,netlogon} -p

Launch smbldap-populate

[root@server samba]# smbldap-populate
Populating LDAP directory for domain QUEIROZ (S-1-5-21-1082253588-3757474382-3995049807)
(using builtin directory structure)

entry dc=queiroz,dc=com already exist.
adding new entry: ou=Users,dc=queiroz,dc=com
adding new entry: ou=Groups,dc=queiroz,dc=com
adding new entry: ou=Computers,dc=queiroz,dc=com
adding new entry: ou=Idmap,dc=queiroz,dc=com
adding new entry: uid=root,ou=Users,dc=queiroz,dc=com
adding new entry: uid=nobody,ou=Users,dc=queiroz,dc=com
adding new entry: cn=Domain Admins,ou=Groups,dc=queiroz,dc=com
adding new entry: cn=Domain Users,ou=Groups,dc=queiroz,dc=com
adding new entry: cn=Domain Guests,ou=Groups,dc=queiroz,dc=com
adding new entry: cn=Domain Computers,ou=Groups,dc=queiroz,dc=com
adding new entry: cn=Administrators,ou=Groups,dc=queiroz,dc=com
adding new entry: cn=Account Operators,ou=Groups,dc=queiroz,dc=com
adding new entry: cn=Print Operators,ou=Groups,dc=queiroz,dc=com
adding new entry: cn=Backup Operators,ou=Groups,dc=queiroz,dc=com
adding new entry: cn=Replicators,ou=Groups,dc=queiroz,dc=com
adding new entry: sambaDomainName=QUEIROZ,dc=queiroz,dc=com

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
[root@server samba]#

[root@server samba]# net groupmap list
Domain Admins (S-1-5-21-1082253588-3757474382-3995049807-512) -> 512
Domain Users (S-1-5-21-1082253588-3757474382-3995049807-513) -> 513
Domain Guests (S-1-5-21-1082253588-3757474382-3995049807-514) -> 514
Domain Computers (S-1-5-21-1082253588-3757474382-3995049807-515) -> 515
Administrators (S-1-5-32-544) -> 544
Account Operators (S-1-5-32-548) -> 548
Print Operators (S-1-5-32-550) -> 550
Backup Operators (S-1-5-32-551) -> 551
Replicators (S-1-5-32-552) -> 552
[root@server samba]#
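Most failures in this setup come from the files edited above disagreeing with each other: the suffix in slapd.conf, smbldap.conf and smb.conf, the rootdn versus ldap admin dn, the SID in smbldap.conf versus net getlocalsid, and sambaDomain versus workgroup. The script below is an added example (not part of this post or of smbldap-tools) that parses the three files and the two net outputs and reports every mismatch; it also checks that the domain groups from net groupmap list carry the local SID with the well-known RIDs 512 to 515, and flags guest ok = yes on the [profiles] share, which the smb.conf above does set. All sample texts are constructed from the values used in the post, with a placeholder rootpw; the function names are my own.

```python
"""Cross-check slapd.conf, smbldap.conf and smb.conf against `net getlocalsid`
and `net groupmap list`. Added example, not part of the post or of smbldap-tools;
the sample texts below are constructed from the values used in the post."""
import re

WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513,
                   "Domain Guests": 514, "Domain Computers": 515}


def parse_smb_conf(text):
    """smb.conf -> {section: {param: value}}; names lower-cased, inner spaces collapsed."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def parse_kv(text):
    """key="value" files such as smbldap.conf; comment lines skipped, quotes stripped."""
    out = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m and not line.lstrip().startswith("#"):
            out[m.group(1)] = m.group(2)
    return out


def parse_slapd_conf(text):
    """Directive -> value for slapd.conf; every 'include' is collected into a list."""
    conf = {"include": []}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(.*?)\s*$", line)
        if not m or line.lstrip().startswith("#"):
            continue
        key, value = m.group(1), m.group(2).strip('"')
        if key == "include":
            conf["include"].append(value)
        else:
            conf[key] = value
    return conf


def extract_sid(net_getlocalsid_output):
    """The domain SID printed by `net getlocalsid`, or None if absent."""
    m = re.search(r"(S-1-5-21(?:-\d+){3})", net_getlocalsid_output)
    return m.group(1) if m else None


def check_groupmap(net_groupmap_output, domain_sid):
    """Each domain group must map to the local SID with its well-known RID."""
    seen = {m.group(1): m.group(2) for m in
            re.finditer(r"^(.+?) \((S-[\d-]+)\) -> \d+$", net_groupmap_output, re.M)}
    return ["%s -> %s, expected %s-%d" % (name, seen.get(name), domain_sid, rid)
            for name, rid in WELL_KNOWN_RIDS.items()
            if seen.get(name) != "%s-%d" % (domain_sid, rid)]


def audit(slapd_text, smbldap_text, smb_text, net_sid_output):
    """Return a list of inconsistencies; an empty list means the files and the SID agree."""
    slapd, ldapconf = parse_slapd_conf(slapd_text), parse_kv(smbldap_text)
    smb = parse_smb_conf(smb_text)
    g, problems = smb.get("global", {}), []
    if not any(inc.endswith("samba.schema") for inc in slapd["include"]):
        problems.append("slapd.conf does not include samba.schema")
    suffixes = {slapd.get("suffix"), ldapconf.get("suffix"), g.get("ldap suffix")}
    if len(suffixes) != 1:
        problems.append("suffix differs between files: %s" % sorted(map(str, suffixes)))
    if slapd.get("rootdn") != g.get("ldap admin dn"):
        problems.append("rootdn and 'ldap admin dn' differ")
    sid = extract_sid(net_sid_output)
    if ldapconf.get("SID") != sid:
        problems.append("SID mismatch: smbldap.conf %s vs net getlocalsid %s"
                        % (ldapconf.get("SID"), sid))
    if ldapconf.get("sambaDomain") != g.get("workgroup"):
        problems.append("sambaDomain and workgroup differ")
    if not g.get("passdb backend", "").startswith("ldapsam:"):
        problems.append("passdb backend is not ldapsam")
    if smb.get("profiles", {}).get("guest ok", "no").lower() == "yes":
        problems.append("[profiles] has guest ok = yes: the share accepts connections without a password")
    return problems


# Constructed samples built from the post's values (rootpw is a placeholder, not a real hash).
SID = "S-1-5-21-1082253588-3757474382-3995049807"
SAMPLE_SLAPD = ('include /etc/openldap/schema/samba.schema\ndatabase bdb\n'
                'suffix "dc=queiroz,dc=com"\nrootdn "cn=root,dc=queiroz,dc=com"\n'
                'rootpw {SSHA}placeholder-not-a-real-hash\n')
SAMPLE_SMBLDAP = 'SID="%s"\nsambaDomain="QUEIROZ"\nsuffix="dc=queiroz,dc=com"\n' % SID
SAMPLE_SMB = ("[global]\nworkgroup = QUEIROZ\npassdb backend = ldapsam:ldap://server.queiroz.com/\n"
              "ldap suffix = dc=queiroz,dc=com\nldap admin dn = cn=root,dc=queiroz,dc=com\n"
              "[profiles]\npath = /home/samba/profiles\nguest ok = no\n")
SAMPLE_NET_SID = "SID for domain SERVER is: %s\n" % SID
SAMPLE_GROUPMAP = "\n".join("%s (%s-%d) -> %d" % (n, SID, r, r) for n, r in WELL_KNOWN_RIDS.items())

if __name__ == "__main__":
    # On the server, read the real files and capture the two net commands instead.
    for p in audit(SAMPLE_SLAPD, SAMPLE_SMBLDAP, SAMPLE_SMB, SAMPLE_NET_SID) + check_groupmap(SAMPLE_GROUPMAP, SID):
        print("PROBLEM:", p)
```

On the PDC, feed it the contents of /etc/openldap/slapd.conf, /etc/smbldap-tools/smbldap.conf and /etc/samba/smb.conf plus the captured output of net getlocalsid and net groupmap list; an empty result is what you want before running smbldap-populate or joining the first workstation.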

Start the smb service and make sure it is started at boot.

[root@server samba]# service smb start

[root@server samba]# chkconfig smb on

Configure /etc/ldap.conf and /etc/openldap/ldap.conf by hand, or let authconfig do it:

[root@server samba]# authconfig --enable-ldap --enable-ldapauth --ldapserver=server.queiroz.com --ldapbasedn=dc=queiroz,dc=com --update

Add a user to the domain.

[root@server samba]# smbldap-useradd -a -m usuario -G "Domain Users"

[root@server samba]# smbldap-passwd usuario
Changing UNIX and samba passwords for usuario
New password:
Retype new password:

Now join your Windows machines to the domain. That's all.

Cheers!

Categories: Linux
jeffin, April 12, 2010 at 4:50 pm:

Hey, thank you for your post. Can you please tell me how we can configure a Samba BDC using LDAP?
