CentOS 6

Samba PDC - Configure Server
2014/08/21
 
Configure Samba Primary Domain Controller with Samba + OpenLDAP.
[1]
Configure LDAP Server in your LAN first.
[2]
Configure the PDC Server as an LDAP Client, see here.
[3] Configure the LDAP Server as follows.
[root@dlp ~]#
yum -y install yum-utils
[root@dlp ~]#
mkdir ./tmp

[root@dlp ~]#
cd ./tmp

[root@dlp tmp]#
yumdownloader samba

[root@dlp tmp]#
rpm2cpio samba-*.rpm | cpio -id

[root@dlp tmp]#
cp ./etc/openldap/schema/samba.schema /etc/openldap/schema/

[root@dlp tmp]#
vi schema_convert.conf
# create new

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/samba.schema
[root@dlp tmp]#
mkdir ldif_output

[root@dlp tmp]#
slapcat -f schema_convert.conf -F ./ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > ./cn=samba.ldif

[root@dlp tmp]#
vi ./cn=samba.ldif
# line 1,3: change ( remove "{12}" )

dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba
# remove the lines below ( they are placed at the end of the file )

structuralObjectClass: olcSchemaConfig
entryUUID: 761ed782-e76d-102f-94de-7784c8a781ec
creatorsName: cn=config
createTimestamp: 20110320184149Z
entryCSN: 20110320184149.954974Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110320184149Z
[root@dlp tmp]#
ldapadd -Y EXTERNAL -H ldapi:/// -f cn=samba.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=samba,cn=schema,cn=config"

[root@dlp tmp]#
vi samba_indexes.ldif
# create new

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
[root@dlp tmp]#
ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_indexes.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
[root@dlp tmp]#
[root@dlp ~]#
rm -rf ./tmp

[root@dlp ~]#
/etc/rc.d/init.d/slapd restart

Stopping slapd:                [  OK  ]
Starting slapd:                [  OK  ]
[4] Configure Samba PDC Server.
# install from EPEL.

[root@lan ~]#
yum --enablerepo=epel -y install samba smbldap-tools
[root@lan ~]#
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak

[root@lan ~]#
cp /usr/share/doc/smbldap-tools-*/smb.conf /etc/samba/smb.conf

[root@lan ~]#
vi /etc/samba/smb.conf
# line 3: change the workgroup name to any name you like

workgroup =
SERVER-WORLD
# line 12: comment out

#
min passwd length = 3
# line 22: change

ldap passwd sync =
yes
# line 33,34: change

Dos charset =
CP932

Unix charset =
UTF-8
# line 47: specify LDAP server

passdb backend = ldapsam:
ldap://10.0.0.30/
# line 48: change the LDAP admin DN (use the LDAP server's one)

ldap admin dn =
cn=admin,dc=srv,dc=world
# line 50: change the LDAP suffix (use the LDAP server's one)

ldap suffix =
dc=srv,dc=world

ldap group suffix = ou=
groups

ldap user suffix = ou=
people
# line 60: uncomment

delete group script = /usr/sbin/smbldap-groupdel "%g"
# near line 64: add (specify the admin user; `ldap ssl = no` disables TLS to the LDAP server given on line 47, so the admin DN's bind password crosses the network in cleartext — only acceptable on a trusted LAN)

set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
admin users = domainadmin
ldap ssl = no
[root@lan ~]#
mkdir /home/netlogon

[root@lan ~]#
/etc/rc.d/init.d/smb start

Starting SMB services:                     [  OK  ]
[root@lan ~]#
/etc/rc.d/init.d/nmb start

Starting NMB services:                     [  OK  ]
[root@lan ~]#
chkconfig smb on

[root@lan ~]#
chkconfig nmb on

[root@lan ~]#
# add the LDAP admin password to Samba (the command itself is not shown in this transcript; `smbpasswd -W` prompts for it interactively, which keeps the password out of the command line, `ps` output and shell history, and stores it in secrets.tdb as the output below shows)

Setting stored password for "cn=admin,dc=srv,dc=world" in secrets.tdb
New SMB password:
# LDAP admin password

Retype new SMB password:
[root@lan ~]#
perl /usr/share/doc/smbldap-tools-*/configure.pl

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
       smbldap-tools script configuration
       -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
 . if your samba controller is up and running.
 . if the domain SID is defined (you can get it with the 'net getlocalsid')

 . you can leave the configuration using the Ctrl-c key combination
 . empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...

Samba Configuration File Path [/etc/samba/smb.conf] >
# Enter
The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools/] >  
# Enter

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...
. workgroup name: name of the domain Samba act as a PDC
workgroup name [SERVER-WORLD] >
# Enter

. netbios name: netbios name of the samba controler
netbios name [PDC-SRV] >
# Enter

. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
logon drive [H:] >
# Enter

. logon home: home directory location (for Win95/98 or NT Workstation).
(use %U as username) Ex:'\\PDC-SRV\%U'
logon home (press the "." character if you don't want homeDirectory) [\\PDC-SRV\%U] >
.
 
# input a period

. logon path: directory where roaming profiles are stored. Ex:'\\PDC-SRV\profiles\%U'
logon path (press the "." character if you don't want roaming profile) [\\PDC-SRV\profiles\%U] >
.
 
# input a period

. home directory prefix (use %U as username) [/home/%U] >
# Enter

. default users' homeDirectory mode [700] >
# Enter

. default user netlogon script (use %U as username) [logon.bat] >  
# Enter

default password validation time (time in days) [45] >
# Enter

. ldap suffix [dc=srv,dc=world] >
# Enter

. ldap group suffix [ou=groups] >
# Enter

. ldap user suffix [ou=people] >
# Enter

. ldap machine suffix [ou=Computers] >
# Enter

. Idmap suffix [ou=Idmap] >
# Enter

. sambaUnixIdPooldn: object where you want to store the next uidNumber
and gidNumber available for new users and groups
sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=SERVER-WORLD] >  
# Enter

. ldap master server: IP adress or DNS name of the master (writable) ldap server
ldap master server [10.0.0.30] >
# confirm the LDAP server's IP and press Enter

. ldap master port [389] >
# Enter

. ldap master bind dn [cn=admin,dc=srv,dc=world] >
# Enter

. ldap master bind password [] >
# LDAP admin password

. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
ldap slave server [10.0.0.30] >
# specify the LDAP slave's IP (press Enter if there is none)

. ldap slave port [389] >
# Enter

. ldap slave bind dn [cn=admin,dc=srv,dc=world] >
# Enter

. ldap slave bind password [] >
# input the slave's bind password if there is a slave; otherwise input the same password as the master's

. ldap tls support (1/0) [0] >
# Enter (0 keeps TLS off, matching `ldap ssl = no` in smb.conf; the bind password is sent in cleartext)

. SID for domain SERVER-WORLD: SID of the domain (can be obtained with 'net getlocalsid PDC-SRV')
SID for domain SERVER-WORLD [S-1-5-21-647443440-3639858122-3827560290] >  
# Enter

. unix password encryption: encryption used for unix passwords
unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA]  
# Enter

. default user gidNumber [513] >
# Enter

. default computer gidNumber [515] >
# Enter

. default login shell [/bin/bash] >
# Enter

. default skeleton directory [/etc/skel] >
# Enter

. default domain name to append to mail adress [] >
# Enter

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Use of uninitialized value $# in concatenation (.) or string at /usr/share/doc/smbldap-tools/configure.pl line 314, <STDIN> line 33.
backup old configuration files:
  /etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
  /etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
  /etc/smbldap-tools/smbldap.conf done.
  /etc/smbldap-tools/smbldap_bind.conf done.
[root@lan ~]#
smbldap-populate

Populating LDAP directory for domain SERVER-WORLD (S-1-5-21-647443440-3639858122-3827560290)
(using builtin directory structure)

entry dc=srv,dc=world already exist.
entry ou=people,dc=srv,dc=world already exist.
entry ou=groups,dc=srv,dc=world already exist.
adding new entry: ou=Computers,dc=srv,dc=world
adding new entry: ou=Idmap,dc=srv,dc=world
adding new entry: uid=root,ou=people,dc=srv,dc=world
adding new entry: uid=nobody,ou=people,dc=srv,dc=world
adding new entry: cn=Domain Admins,ou=groups,dc=srv,dc=world
adding new entry: cn=Domain Users,ou=groups,dc=srv,dc=world
adding new entry: cn=Domain Guests,ou=groups,dc=srv,dc=world
adding new entry: cn=Domain Computers,ou=groups,dc=srv,dc=world
adding new entry: cn=Administrators,ou=groups,dc=srv,dc=world
adding new entry: cn=Account Operators,ou=groups,dc=srv,dc=world
adding new entry: cn=Print Operators,ou=groups,dc=srv,dc=world
adding new entry: cn=Backup Operators,ou=groups,dc=srv,dc=world
adding new entry: cn=Replicators,ou=groups,dc=srv,dc=world
entry sambaDomainName=SERVER-WORLD,dc=srv,dc=world already exist. Updating it...

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
# set root password

Retype new password:
# add the admin user that is defined in smb.conf

[root@lan ~]#
smbldap-groupadd -a domainadmin

[root@lan ~]#
smbldap-useradd -am -g domainadmin domainadmin

[root@lan ~]#
smbldap-passwd domainadmin

Changing UNIX and samba passwords for domainadmin
New password:
Retype new password:
[root@lan ~]#
su - domainadmin
# try switching to the added user

[domainadmin@lan ~]$
# done