How to Build LDAP SAMBA to Primary Domain Controller (PDC)
A. Install
#cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
192.168.44.150 server.hbn.local server
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
# that require network functionality will fail.
192.168.44.150 server.hbn.local server
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
#yum install -y bind-chroot
#chmod 755 -R /var/named/
#cp /usr/share/doc/bind-*/sample/var/named/named.local /var/named/chroot/var/named/
#cp /usr/share/doc/bind-*/sample/var/named/named.root /var/named/chroot/var/named/
#cp /usr/share/doc/bind-*/sample/var/named/localhost.zone /var/named/chroot/var/named/
#touch /var/named/chroot/etc/named.conf
#chkconfig --level 35 named on
#service named start
B. Configuration
#vim /var/named/chroot/etc/named.conf
options {
directory "/var/named";
forwarders {203.162.0.181; 203.162.0.11; 210.245.0.11; 210.245.0.58; 208.67.222.222; 208.67.220.220; 8.8.8.8; 8.8.4.4;};
};
zone "." IN {
type hint;
file "named.root";
};
zone "localhost" IN {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
};
zone "44.168.192.in-addr.arpa" IN {
type master;
file "192.168.44.0.db";
};
zone "hbn.local" {
type master;
file "hbn.local";
};
directory "/var/named";
forwarders {203.162.0.181; 203.162.0.11; 210.245.0.11; 210.245.0.58; 208.67.222.222; 208.67.220.220; 8.8.8.8; 8.8.4.4;};
};
zone "." IN {
type hint;
file "named.root";
};
zone "localhost" IN {
type master;
file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
};
zone "44.168.192.in-addr.arpa" IN {
type master;
file "192.168.44.0.db";
};
zone "hbn.local" {
type master;
file "hbn.local";
};
» save and quit
# cd /var/named/chroot/var/named/
#vim 192.168.44.0.db
$TTL 86400
@ IN SOA hbn.local. root.hbn.local. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS ns1.hbn.local.
100 IN PTR dns.hbn.local.
250 IN PTR winxp.hbn.local.
#vim hbn.local
$TTL 14400
@ IN SOA root.hbn.local. hostmaster.hbn.local. (
2009102800
14400
3600
1209600
86400 )
IN NS hbn.local.
IN NS hbn.local.
ftp IN A 192.168.44.150
hbn.local. IN A 192.168.44.150
localhost IN A 127.0.0.1
mail IN A 192.168.44.150
pop IN A 192.168.44.150
smtp IN A 192.168.44.150
www IN A 192.168.44.150
dns IN A 192.168.44.150
ldap IN A 192.168.44.150
winxp IN A 192.168.44.250
hbn.local. IN MX 10 mail
hbn.local. 14400 IN TXT "v=spf1 a mx ip4:192.168.44.150 ~all"
# vim /etc/resolv.conf
search hbn.local
nameserver 192.168.44.150
nameserver 192.168.44.2
nameserver 192.168.44.150
nameserver 192.168.44.2
C. Test
# nslookup
> hbn.local
Server: 192.168.44.150
Address: 192.168.44.150#53
Name: hbn.local
Address: 192.168.44.150
> dns.hbn.local
Server: 192.168.44.150
Address: 192.168.44.150#53
Name: dns.hbn.local
Address: 192.168.44.150
> winxp.hbn.local
Server: 192.168.44.150
Address: 192.168.44.150#53
Name: winxp.hbn.local
Address: 192.168.44.250
> ldap.hbn.local
Server: 192.168.44.150
Address: 192.168.44.150#53
Name: ldap.hbn.local
Address: 192.168.44.150
> exit
Step 2: PDC with LDAP - Samba
A. Install
Add Dag repository
#wget http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
#rpm --import RPM-GPG-KEY.dag.txt
#rm -f RPM-GPG-KEY.dag.txt
#vim /etc/yum.repos.d/dag.repo
[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el5/en/$basearch/dag/
gpgcheck=1
enabled=0
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el5/en/$basearch/dag/
gpgcheck=1
enabled=0
#yum --enablerepo=dag install -y openldap openldap-clients openldap-devel openldap-servers openldap-clients compat-openldap python-ldap ldapjdk php-ldap nss_ldap samba samba-common samba-client perl-Crypt-SmbHash perl-Digest-SHA1 perl-Jcode perl-Unicode-Map perl-Unicode-Map8 perl-Unicode-MapUTF8 perl-Unicode-String smbldap-tools
#cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema /etc/openldap/schema/
# cd /etc/openldap/
# vim slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
» Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
loglevel -1
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#######################################################################
# ldbm and/or bdb database definitions #
#######################################################################
» Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
database bdb
suffix "dc=hbn,dc=local"
rootdn "cn=Manager,dc=hbn,dc=local"
rootpw 123456
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
database bdb
suffix "dc=hbn,dc=local"
rootdn "cn=Manager,dc=hbn,dc=local"
rootpw 123456
# rootpw {crypt}ijFYNcSNctBYg
directory /var/lib/ldap
» Access control List information
access to attrs="userPassword,sambaLMPassword,sambaNTPassword"
by selfwrite
by anonymous auth
» users can authenticate and change their password
access to attrs="userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,
sambaPwdMustChange"
by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
by dn="cn=nssldap,ou=DSA,dc=hbn,dc=local" write
by dn="uid=root,ou=People,dc=hbn,dc=local" write
by anonymous auth
by self write
by * none
» some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
by dn="cn=smbldap-tools,dc=hbn,dc=local" write
by dn="uid=root,ou=People,dc=hbn,dc=local" write
by * read
» somme attributes can be writable by users themselves
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
by dn="cn=smbldap-tools,dc=hbn,dc=local" write
by dn="uid=root,ou=People,dc=hbn,dc=local" write
by self write
by * read
» some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,
sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,
sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,
sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,
sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,
sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,
sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,
sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
by dn="uid=root,ou=People,dc=hbn,dc=local" write
by self read
by * none
» samba need to be able to create the samba domain account
access to dn.base="dc=hbn,dc=local"
by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
by dn="uid=root,ou=People,dc=hbn,dc=local" write
by * none
» samba need to be able to create new users account
access to dn="ou=Users,dc=hbn,dc=local"
by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
by dn="uid=root,ou=People,dc=hbn,dc=local" write
by * none
» samba need to be able to create new groups account
access to dn="ou=Groups,dc=hbn,dc=local"
by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
by dn="uid=root,ou=People,dc=hbn,dc=local" write
by * none
» samba need to be able to create new computers account
access to dn="ou=Computers,dc=hbn,dc=local"
by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
by dn="uid=root,ou=People,dc=hbn,dc=local" write
by * none
access to *
by self read
by * none
» save and quit
#chmod 640 slapd.conf
# vim ldap.conf
BASE dc=hbn, dc=local
URI ldap://127.0.0.1/
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://127.0.0.1/
TLS_CACERTDIR /etc/openldap/cacerts
#cp DB_CONFIG.example /var/lib/ldap/
#cd /var/lib/ldap/
#mv DB_CONFIG.example DB_CONFIG
# /etc/init.d/ldap start
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
# /etc/init.d/nscd start
Starting nscd: [ OK ]
# chkconfig --level 35 nscd on
# setup
» run Authentication Configuration
» select Cache Information
Use LDAP
Use MD5 Passwords
Use Shadow Passwords
Use LDAP Authentication
» Press the Next button
don't select Use TLS option
Server: ldap://127.0.0.1/
Base DN: dc=hbn,dc=local
» Press OK and exit
# vim /etc/ldap.conf
host 127.0.0.1
base dc=hbn,dc=local
rootbinddn cn=manager,dc=hbn,dc=local
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
base dc=hbn,dc=local
rootbinddn cn=manager,dc=hbn,dc=local
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
#net getlocalsid
SID for domain SERVER is: S-1-5-21-3926925045-1584093657-3115473201
# vim /etc/ldap.secret
123456
# chmod 600 /etc/ldap.secret
smbldap-tools configuration
# cd /etc/smbldap-tools/
# vim smbldap_bind.conf
slaveDN="cn=Manager,dc=hbn,dc=local"
slavePw="123456"
masterDN="cn=Manager,dc=hbn,dc=local"
masterPw="123456"
slavePw="123456"
masterDN="cn=Manager,dc=hbn,dc=local"
masterPw="123456"
# vim smbldap.conf
######################
# General Configuration #
######################
SID="S-1-5-21-3926925045-1584093657-3115473201"
sambaDomain="hbn.local"
####################
# LDAP Configuration #
####################
# LDAP Configuration #
####################
slaveLDAP="127.0.0.1"
# Slave LDAP port
slavePort="389"
# Master LDAP server: needed for write operations
masterLDAP="127.0.0.1"
# Master LDAP port
masterPort="389"
suffix="dc=hbn,dc=local"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=hbn.local,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
ldapTLS="0"
and
userSmbHome="\\PDC-SRV\%U"
userProfile="\\PDC-SRV\profiles\%U"
suffix="dc=hbn,dc=local"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=hbn.local,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
ldapTLS="0"
and
userSmbHome="\\PDC-SRV\%U"
userProfile="\\PDC-SRV\profiles\%U"
####################
# Samba config #
####################
#vim /etc/samba/smb.conf
[global]
workgroup = hbn.local
netbios name = HBN
enable privileges = yes
#interfaces = 192.168.1.131
username map = /etc/samba/smbusers
server string = samba-ldap-pdc
security = user
encrypt passwords = Yes
admin users = root
#min passwd length = 3
obey pam restrictions = No
ldap passwd sync = Yes
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
workgroup = hbn.local
netbios name = HBN
enable privileges = yes
#interfaces = 192.168.1.131
username map = /etc/samba/smbusers
server string = samba-ldap-pdc
security = user
encrypt passwords = Yes
admin users = root
#min passwd length = 3
obey pam restrictions = No
ldap passwd sync = Yes
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
#time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
#guest account = root
logon script = logon.bat
logon drive =
logon home =
logon path =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=Manager,dc=hbn,dc=local
ldap suffix = dc=hbn,dc=local
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
#ldap ssl = start_tls
add user script = /usr/sbin/smbldap-useradd -a '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u''%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
#logon script = STARTUP.BAT
[homes]
comment = Home Directories
valid users = %U
read only = No
create mask = 0664
directory mask = 0775
browseable = No
[profiles]
path = /home/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = Yes
csc policy = disable
force user = %U
valid users = %U @"Domain Admins"
[netlogon]
path = /home/samba/netlogon/
browseable = No
read only = yes
» save and quit
# mkdir /home/samba
# mkdir /home/samba/netlogon
# mkdir /home/samba/profiles
# chmod 1777 /home/samba/profiles
#smbpasswd -w 123456
» Setting stored password for "cn=Manager,dc=hbn,dc=local" in secrets.tdb
# smbldap-populate
Populating LDAP directory for domain hbn.local (S-1-5-21-3926925045-1584093657-3115473201)
(using builtin directory structure)
adding new entry: dc=hbn,dc=local
adding new entry: ou=Users,dc=hbn,dc=local
adding new entry: ou=Groups,dc=hbn,dc=local
adding new entry: ou=Computers,dc=hbn,dc=local
adding new entry: ou=Idmap,dc=hbn,dc=local
adding new entry: uid=root,ou=Users,dc=hbn,dc=local
adding new entry: uid=nobody,ou=Users,dc=hbn,dc=local
adding new entry: cn=Domain Admins,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Domain Users,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Domain Guests,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Domain Computers,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Administrators,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Account Operators,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Print Operators,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Backup Operators,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Replicators,ou=Groups,dc=hbn,dc=local
adding new entry: sambaDomainName=hbn.local,dc=hbn,dc=local
(using builtin directory structure)
adding new entry: dc=hbn,dc=local
adding new entry: ou=Users,dc=hbn,dc=local
adding new entry: ou=Groups,dc=hbn,dc=local
adding new entry: ou=Computers,dc=hbn,dc=local
adding new entry: ou=Idmap,dc=hbn,dc=local
adding new entry: uid=root,ou=Users,dc=hbn,dc=local
adding new entry: uid=nobody,ou=Users,dc=hbn,dc=local
adding new entry: cn=Domain Admins,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Domain Users,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Domain Guests,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Domain Computers,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Administrators,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Account Operators,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Print Operators,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Backup Operators,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Replicators,ou=Groups,dc=hbn,dc=local
adding new entry: sambaDomainName=hbn.local,dc=hbn,dc=local
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
# vim dsa.ldif
dn: ou=DSA,dc=hbn,dc=local
objectClass: top
objectClass: organizationalUnit
ou: DSA
description: security accounts for LDAP clients
dn: cn=samba,ou=DSA,dc=hbn,dc=local
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: sambasecretpwd
cn: samba
dn: cn=nssldap,ou=DSA,dc=hbn,dc=local
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: nssldapsecretpwd
cn: nssldap
dn: cn=smbtools,ou=DSA,dc=hbn,dc=local
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: smbtoolssecretpwd
cn: smbtools
objectClass: top
objectClass: organizationalUnit
ou: DSA
description: security accounts for LDAP clients
dn: cn=samba,ou=DSA,dc=hbn,dc=local
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: sambasecretpwd
cn: samba
dn: cn=nssldap,ou=DSA,dc=hbn,dc=local
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: nssldapsecretpwd
cn: nssldap
dn: cn=smbtools,ou=DSA,dc=hbn,dc=local
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: smbtoolssecretpwd
cn: smbtools
# ldapadd -x -h localhost -D "cn=Manager,dc=hbn,dc=local" -f dsa.ldif -W
Enter LDAP Password:
adding new entry "ou=DSA,dc=hbn,dc=local"
adding new entry "cn=samba,ou=DSA,dc=hbn,dc=local"
adding new entry "cn=nssldap,ou=DSA,dc=hbn,dc=local"
adding new entry "cn=smbtools,ou=DSA,dc=hbn,dc=local"
adding new entry "cn=samba,ou=DSA,dc=hbn,dc=local"
adding new entry "cn=nssldap,ou=DSA,dc=hbn,dc=local"
adding new entry "cn=smbtools,ou=DSA,dc=hbn,dc=local"
#ldappasswd -x -h localhost -D "cn=Manager,dc=hbn,dc=local" -s password -W
cn=samba,ou=DSA,dc=hbn,dc=local
# /etc/init.d/smb start
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
Now create a samba user account for UNIX and SAMBA
# smbldap-useradd -a -m namhb
# smbldap-passwd namhb
Changing UNIX and samba passwords for namhb
New password:
Retype new password:
Now create a machine trust account
# smbldap-useradd -w winxp
No comments:
Post a Comment