Samba PDC #1 - Build Primary Domain Controller
This page builds a Primary Domain Controller with Samba + OpenLDAP. It assumes an LDAP server is already running on your LAN and that the server you want to turn into the PDC is already configured as an LDAP client.
[1] Change OpenLDAP settings (on the LDAP server).
[root@dir ~]# yum -y install samba
[root@dir ~]# cp /usr/share/doc/samba-*/LDAP/samba.schema /etc/openldap/schema/
[root@dir ~]# vi /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# add
include /etc/openldap/schema/samba.schema
# add (the Samba LM/NT hashes need the same protection as userPassword)
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by dn="cn=Manager,dc=server,dc=world" write
    by anonymous auth
    by * none
[root@dir ~]# /etc/rc.d/init.d/ldap restart
Stopping slapd: [ OK ]
Checking configuration files for slapd: /etc/openldap/slapd.conf: line 119: rootdn is always granted unlimited privileges.
/etc/openldap/slapd.conf: line 124: rootdn is always granted unlimited privileges.
config file testing succeeded [ OK ]
Starting slapd: [ OK ]
[2] Install smbldap-tools and change the Samba settings (on the server that will become the PDC).
[root@lan ~]# mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
[root@lan ~]# cp /usr/share/doc/smbldap-tools-*/smb.conf /etc/samba/smb.conf
[root@lan ~]# vi /etc/samba/smb.conf
# line 3: change workgroup name to any one
workgroup = ServerWorld
# line 12: make it a comment
# min passwd length = 3
# line 22: change
ldap passwd sync = yes
# line 33,34: change
Dos charset = CP932
Unix charset = UTF-8
# line 47: specify LDAP server's URI
passdb backend = ldapsam:ldap://10.0.0.39/
# line 48: change LDAP admin DN (LDAP server's one)
ldap admin dn = cn=Manager,dc=server,dc=world
# line 50: change LDAP suffix (LDAP server's one)
ldap suffix = dc=server,dc=world
ldap group suffix = ou=Group
ldap user suffix = ou=People
# line 60: uncomment
delete group script = /usr/sbin/smbldap-groupdel "%g"
# line 64: add (specify admin user)
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
admin users = admin
[root@lan ~]# mkdir /home/netlogon
[root@lan ~]# /etc/rc.d/init.d/smb restart
Shutting down SMB services: [ OK ]
Shutting down NMB services: [ OK ]
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
[root@lan ~]# smbpasswd -W # add LDAP admin's password
Setting stored password for "cn=Manager,dc=server,dc=world" in secrets.tdb
New SMB password:
Retype new SMB password:
[root@lan ~]# perl /usr/share/doc/smbldap-tools-*/configure.pl
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
       smbldap-tools script configuration
       -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
 . if your samba controller is up and running.
 . if the domain SID is defined (you can get it with the 'net getlocalsid')
 . you can leave the configuration using the Ctrl-c key combination
 . empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...
Samba Configuration File Path [/etc/samba/smb.conf] > # Enter
The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools/] > # Enter
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...
. workgroup name: name of the domain Samba acts as a PDC for
  workgroup name [ServerWorld] > # Enter
. netbios name: netbios name of the samba controler
  netbios name [PDC-SRV] > # Enter
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
  logon drive [H:] > # Enter
. logon home: home directory location (for Win95/98 or NT Workstation).
  (use %U as username) Ex:'\\PDC-SRV\%U'
  logon home (press the "." character if you don't want homeDirectory) [\\PDC-SRV\%U] > . # input a period
. logon path: directory where roaming profiles are stored. Ex:'\\PDC-SRV\profiles\%U'
  logon path (press the "." character if you don't want roaming profile) [\\PDC-SRV\profiles\%U] > . # input a period
. home directory prefix (use %U as username) [/home/%U] > # Enter
. default users' homeDirectory mode [700] > # Enter
. default user netlogon script (use %U as username) [logon.bat] > # Enter
  default password validation time (time in days) [45] > # Enter
. ldap suffix [dc=server,dc=world] > # Enter
. ldap group suffix [ou=Group] > # Enter
. ldap user suffix [ou=People] > # Enter
. ldap machine suffix [ou=Computers] > # Enter
. Idmap suffix [ou=Idmap] > # Enter
. sambaUnixIdPooldn: object where you want to store the next uidNumber and gidNumber available for new users and groups
  sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=ServerWorld] > # Enter
. ldap master server: IP adress or DNS name of the master (writable) ldap server
  ldap master server [10.0.0.39] > # Enter
. ldap master port [389] > # Enter
. ldap master bind dn [cn=Manager,dc=server,dc=world] > # Enter
. ldap master bind password [] > # LDAP admin password
. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
  ldap slave server [10.0.0.39] > # specify the LDAP slave's IP (press Enter with an empty value if none)
. ldap slave port [389] > # Enter
. ldap slave bind dn [cn=Manager,dc=server,dc=world] > # Enter
. ldap slave bind password [] > # input it if there is one; if not, input the same one as the master
. ldap tls support (1/0) [0] > # Enter
. SID for domain SERVERWORLD: SID of the domain (can be obtained with 'net getlocalsid PDC-SRV')
  SID for domain SERVERWORLD [S-1-5-21-3178205627-4140913089-3601047624] > # Enter
. unix password encryption: encryption used for unix passwords
  unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5 # specify MD5
. default user gidNumber [513] > # Enter
. default computer gidNumber [515] > # Enter
. default login shell [/bin/bash] > # Enter
. default skeleton directory [/etc/skel] > # Enter
. default domain name to append to mail adress [] > # Enter
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
backup old configuration files:
  /etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
  /etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
  /etc/smbldap-tools/smbldap.conf done.
  /etc/smbldap-tools/smbldap_bind.conf done.
[root@lan ~]# smbldap-populate
Populating LDAP directory for domain ServerWorld (S-1-5-21-3178205627-4140913089-3601047624)
(using builtin directory structure)
entry dc=server,dc=world already exist.
entry ou=People,dc=server,dc=world already exist.
entry ou=Group,dc=server,dc=world already exist.
adding new entry: ou=Computers,dc=server,dc=world
adding new entry: ou=Idmap,dc=server,dc=world
adding new entry: uid=root,ou=People,dc=server,dc=world
adding new entry: uid=nobody,ou=People,dc=server,dc=world
adding new entry: cn=Domain Admins,ou=Group,dc=server,dc=world
adding new entry: cn=Domain Users,ou=Group,dc=server,dc=world
adding new entry: cn=Domain Guests,ou=Group,dc=server,dc=world
adding new entry: cn=Domain Computers,ou=Group,dc=server,dc=world
adding new entry: cn=Administrators,ou=Group,dc=server,dc=world
adding new entry: cn=Account Operators,ou=Group,dc=server,dc=world
adding new entry: cn=Print Operators,ou=Group,dc=server,dc=world
adding new entry: cn=Backup Operators,ou=Group,dc=server,dc=world
adding new entry: cn=Replicators,ou=Group,dc=server,dc=world
entry sambaDomainName=ServerWorld,dc=server,dc=world already exist. Updating it...
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password: # set root password
Retype new password:
[root@lan ~]# smbldap-groupadd -a admin # add the admin user that is defined in smb.conf
[root@lan ~]# smbldap-useradd -am -g admin admin
[root@lan ~]# smbldap-passwd admin
Changing UNIX and samba passwords for admin
New password:
Retype new password:
[root@lan ~]# su - admin # try to switch to the added user
[admin@lan ~]$ # done
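As an added check, not part of the original page, the Python below audits the two security-relevant pieces of steps [1] and [2]: it parses the slapd.conf ACL to confirm that the password-hash attributes (userPassword, sambaLMPassword, sambaNTPassword) are not readable anonymously, and inspects smb.conf for the plaintext ldap:// passdb URI and the commented-out min passwd length. The sample configs are constructed inline from the lines shown above; the ACL check is simplified (it ignores slapd's first-match clause ordering).

```python
import re

# Constructed sample input: the slapd.conf ACL from step [1] and the smb.conf
# lines from step [2], embedded inline so the check runs offline.
SLAPD_CONF = """\
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by dn="cn=Manager,dc=server,dc=world" write
    by anonymous auth
    by * none
"""
SMB_CONF = """\
workgroup = ServerWorld
# min passwd length = 3
ldap passwd sync = yes
passdb backend = ldapsam:ldap://10.0.0.39/
"""
# NT/LM hashes are password-equivalent on a Samba domain: protect them like userPassword.
HASH_ATTRS = {"userpassword", "sambalmpassword", "sambantpassword"}

def parse_access_rules(conf):
    """Yield (attribute set, {who: level}) per 'access to attrs=' directive;
    slapd continues a directive on lines that start with whitespace."""
    joined = re.sub(r"\n[ \t]+", " ", conf)
    for line in joined.splitlines():
        m = re.match(r"access to attrs=([\w,]+)\s+(.*)", line.strip())
        if m:
            attrs = {a.lower() for a in m.group(1).split(",")}
            yield attrs, dict(re.findall(r"by\s+(\S+)\s+(\w+)", m.group(2)))

def hash_attrs_protected(conf):
    """True when every hash attribute is covered by an ACL giving anonymous at
    most 'auth' and '*' nothing ('none' is slapd's implicit default when no
    'by *' clause exists). Simplified: first-match clause ordering is ignored."""
    covered = set()
    for attrs, levels in parse_access_rules(conf):
        if (levels.get("anonymous", "none") in ("none", "auth")
                and levels.get("*", "none") == "none"):
            covered |= attrs & HASH_ATTRS
    return covered == HASH_ATTRS

def ldap_uri_is_plaintext(conf):
    """The ldap admin dn password travels on every bind; ldap:// without TLS
    exposes it on the LAN (configure.pl above also left 'ldap tls support' at 0)."""
    m = re.search(r"passdb backend\s*=\s*ldapsam:(\S+)", conf)
    return bool(m) and m.group(1).lower().startswith("ldap://")

def min_passwd_length_enforced(conf):
    """False when 'min passwd length' is commented out or missing, as in step [2]."""
    return re.search(r"^\s*min passwd length\s*=", conf, re.M) is not None
```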