Samba PDC - Configure Server2014/08/21 |
Configure Samba Primary Domain Controller with Samba + OpenLDAP.
|
|
[1] |
Configure LDAP Server in your LAN first.
|
[2] |
Configure the PDC Server as a LDAP Client, see here.
|
[3] | Configure LDAP Server like follows. |
[root@dlp ~]#
[root@dlp ~]# yum -y install yum-utils mkdir ./tmp [root@dlp ~]# cd ./tmp [root@dlp tmp]# yumdownloader samba [root@dlp tmp]# rpm2cpio samba-*.rpm | cpio -id [root@dlp tmp]# cp ./etc/openldap/schema/samba.schema /etc/openldap/schema/
[root@dlp tmp]#
vi schema_convert.conf # create new
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/collective.schema include /etc/openldap/schema/corba.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/duaconf.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/java.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/openldap.schema include /etc/openldap/schema/ppolicy.schema include /etc/openldap/schema/samba.schema mkdir ldif_output [root@dlp tmp]# slapcat -f schema_convert.conf -F ./ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > ./cn=samba.ldif
[root@dlp tmp]#
vi ./cn=samba.ldif # line 1,3: chane ( remove "{12}" ) dn: cn=samba,cn=schema,cn=config objectClass: olcSchemaConfig cn: samba # remove these lines below ( placed at the end of the file ) structuralObjectClass: olcSchemaConfig entryUUID: 761ed782-e76d-102f-94de-7784c8a781ec creatorsName: cn=config createTimestamp: 20110320184149Z entryCSN: 20110320184149.954974Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20110320184149Z ldapadd -Y EXTERNAL -H ldapi:/// -f cn=samba.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=samba,cn=schema,cn=config"
[root@dlp tmp]#
vi samba_indexes.ldif # create new
dn: olcDatabase={1}hdb,cn=config
changetype: modify add: olcDbIndex olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq olcDbIndex: loginShell eq olcDbIndex: uid eq,pres,sub olcDbIndex: memberUid eq,pres,sub olcDbIndex: uniqueMember eq,pres olcDbIndex: sambaSID eq olcDbIndex: sambaPrimaryGroupSID eq olcDbIndex: sambaGroupType eq olcDbIndex: sambaSIDList eq olcDbIndex: sambaDomainName eq olcDbIndex: default sub ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_indexes.ldif
SASL/EXTERNAL authentication started
[root@dlp tmp]# SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={1}hdb,cn=config" [root@dlp ~]# rm -rf ./tmp [root@dlp ~]# /etc/rc.d/init.d/slapd restart Stopping slapd: [ OK ] Starting slapd: [ OK ] |
[4] | Configure Samba PDC Server. |
[root@lan ~]# mv /etc/samba/smb.conf /etc/samba/smb.conf.bak [root@lan ~]# cp /usr/share/doc/smbldap-tools-*/smb.conf /etc/samba/smb.conf
[root@lan ~]#
vi /etc/samba/smb.conf # line 3: change workgroup name to any one workgroup = SERVER-WORLD
# line 12: comment out # min passwd length = 3
# line 22: change ldap passwd sync = yes
# line 33,34: change Dos charset = CP932 Unix charset = UTF-8
# line 47: specify LDAP server passdb backend = ldapsam: ldap://10.0.0.30/
# line 48: change LDAP admin DN (LDAP server's one) ldap admin dn = cn=admin,dc=srv,dc=world
# line 50: change LDAP suffix (LDAP server's one) ldap suffix = dc=srv,dc=world ldap group suffix = ou= groups ldap user suffix = ou= people
# line 60: uncomment delete group script = /usr/sbin/smbldap-groupdel "%g" # near line 64: add (specify admin user, no SSL) set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u' admin users = domainadmin
ldap ssl = no mkdir /home/netlogon
[root@lan ~]#
[root@lan ~]# /etc/rc.d/init.d/smb start Starting SMB services: [ OK ][root@lan ~]# /etc/rc.d/init.d/nmb start Starting NMB services: [ OK ][root@lan ~]# chkconfig smb on [root@lan ~]# chkconfig nmb on smbpasswd -W # add LDAP admin password to Samba
Setting stored password for "cn=admin,dc=srv,dc=world" in secrets.tdb
[root@lan ~]# New SMB password: # LDAP admin password Retype new SMB password: perl /usr/share/doc/smbldap-tools-*/configure.pl -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- smbldap-tools script configuration -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Before starting, check . if your samba controller is up and running. . if the domain SID is defined (you can get it with the 'net getlocalsid') . you can leave the configuration using the Ctrl-c key combination . empty value can be set with the "." character -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Looking for configuration files...
Samba Configuration File Path [/etc/samba/smb.conf] >
The default directory in which the smbldap configuration files are stored is shown.# Enter If you need to change this, enter the full directory path, then press enter to continue. Smbldap-tools Configuration Directory Path [/etc/smbldap-tools/] > # Enter -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...
. workgroup name: name of the domain Samba act as a PDCworkgroup name [SERVER-WORLD] > # Enter . netbios name: netbios name of the samba controler netbios name [PDC-SRV] > # Enter . logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:' logon drive [H:] > # Enter . logon home: home directory location (for Win95/98 or NT Workstation). (use %U as username) Ex:'\\PDC-SRV\%U' logon home (press the "." character if you don't want homeDirectory) [\\PDC-SRV\%U] > . # input a period . logon path: directory where roaming profiles are stored. Ex:'\\PDC-SRV\profiles\%U' logon path (press the "." character if you don't want roaming profile) [\\PDC-SRV\profiles\%U] > . # input a period . home directory prefix (use %U as username) [/home/%U] > # Enter . default users' homeDirectory mode [700] > # Enter . default user netlogon script (use %U as username) [logon.bat] > # Enter default password validation time (time in days) [45] > # Enter . ldap suffix [dc=srv,dc=world] > # Enter . ldap group suffix [ou=groups] > # Enter . ldap user suffix [ou=people] > # Enter . ldap machine suffix [ou=Computers] > # Enter . Idmap suffix [ou=Idmap] > # Enter . sambaUnixIdPooldn: object where you want to store the next uidNumber and gidNumber available for new users and groups sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=SERVER-WORLD] > # Enter . ldap master server: IP adress or DNS name of the master (writable) ldap server ldap master server [10.0.0.30] > # confirm LDAP server's IP and Enter . ldap master port [389] > # Enter . ldap master bind dn [cn=admin,dc=srv,dc=world] > # Enter . ldap master bind password [] > # LDAP admin password . ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one ldap slave server [10.0.0.30] > # specify LDAP slave's IP (Enter with empy if none) . ldap slave port [389] > # Enter . ldap slave bind dn [cn=admin,dc=srv,dc=world] > # Enter . ldap slave bind password [] > # Input if there is Slaves, if not input the same one with master . ldap tls support (1/0) [0] > # Enter . SID for domain SERVER-WORLD: SID of the domain (can be obtained with 'net getlocalsid PDC-SRV') SID for domain SERVER-WORLD [S-1-5-21-647443440-3639858122-3827560290] > # Enter . unix password encryption: encryption used for unix passwords unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] # Enter . default user gidNumber [513] > # Enter . default computer gidNumber [515] > # Enter . default login shell [/bin/bash] > # Enter . default skeleton directory [/etc/skel] > # Enter . default domain name to append to mail adress [] > # Enter -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Use of uninitialized value $# in concatenation (.) or string at /usr/share/doc/smbldap-tools/configure.pl line 314, <STDIN> line 33. backup old configuration files: /etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old /etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old writing new configuration file: /etc/smbldap-tools/smbldap.conf done.
/etc/smbldap-tools/smbldap_bind.conf done.
[root@lan ~]# smbldap-populate Populating LDAP directory for domain SERVER-WORLD (S-1-5-21-647443440-3639858122-3827560290) (using builtin directory structure) entry dc=srv,dc=world already exist. entry ou=people,dc=srv,dc=world already exist. entry ou=groups,dc=srv,dc=world already exist. adding new entry: ou=Computers,dc=srv,dc=world adding new entry: ou=Idmap,dc=srv,dc=world adding new entry: uid=root,ou=people,dc=srv,dc=world adding new entry: uid=nobody,ou=people,dc=srv,dc=world adding new entry: cn=Domain Admins,ou=groups,dc=srv,dc=world adding new entry: cn=Domain Users,ou=groups,dc=srv,dc=world adding new entry: cn=Domain Guests,ou=groups,dc=srv,dc=world adding new entry: cn=Domain Computers,ou=groups,dc=srv,dc=world adding new entry: cn=Administrators,ou=groups,dc=srv,dc=world adding new entry: cn=Account Operators,ou=groups,dc=srv,dc=world adding new entry: cn=Print Operators,ou=groups,dc=srv,dc=world adding new entry: cn=Backup Operators,ou=groups,dc=srv,dc=world adding new entry: cn=Replicators,ou=groups,dc=srv,dc=world entry sambaDomainName=SERVER-WORLD,dc=srv,dc=world already exist. Updating it... Please provide a password for the domain root: Changing UNIX and samba passwords for rootNew password: # set root password
Retype new password:
# add admin user that is define in smb.conf [root@lan ~]# smbldap-groupadd -a domainadmin [root@lan ~]# smbldap-useradd -am -g domainadmin domainadmin [root@lan ~]# smbldap-passwd domainadmin Changing UNIX and samba passwords for domainadmin New password: Retype new password: [root@lan ~]# su - domainadmin # try to switch to added user [domainadmin@lan ~]$ # done |
Sponsored Link |
|