Samba Primary Domain Controller with Open-LDAP HowTo
Scenario:
We are going to configure a Linux based Primary Domain Controller using Samba
which will authenticate the domain users through LDAP
Domain Name : company.xy
Hostname IP-Address OPerating System
dns.company.xy 192.168.3.135 RedHat-5
ldap.company.xy 192.168.3.140 CentOS-5.3
client1.company.xy 192.168.3.145 Windows-XP-Service Pack2
client2.company.xy 192.168.3.150 Windows-XP-Service Pack2
Default Gateway os all the servers is 192.168.3.1 which is the IP of DSL router
for Internet
Required Packages: version number:
1).DNS packages»
bind 9.3 or higher
bind-chroot 9.3 0r higher
bind-utils 9.3 0r higher
bind-libs 9.3 0r higher
2).OpenLDAP packages»
openldap 2.3 or higher
openldap-clients 2.3 or higher
openldap-devel 2.3 or higher
compat-openldap 2.3 or higher
python-ldap 2.2 or higher
ldapjdk 4.18 or higher
php-ldap 5.1 or higher
nss_ldap 253-17
3).Samba packages»
samba 3.0 or higer
samba-common 3.0 or higer
samba-client 3.0 or higer
4).samba-ldap tools» Download Link for Perl Packages: http://dag.wieers.com/rpm/packages/
perl-Crypt-SmbHash 0.12-1.2.el5
perl-Digest-SHA1 2.11-1.2.1
perl-Jcode 2.06-1.el5
perl-Unicode-Map 0.112-1.el5
perl-Unicode-Map8 0.12-1.el5
perl-Unicode-MapUTF8 1.11-1.2.el5
perl-Unicode-String 2.09-1.2.el5
smbldap-tools 0.9.2-1a
Download Link: http://nchc.dl.sourceforge.net/project/smbldap-tools/smbldap-tools/0.9.2/smbldap-tools-0.9.2-1a.noarch.rpm
Note: currently we will disable SELINUX,Firewall,Iptables on each linux machine
and after successful completion of our task, we will add ports tcp 53 for DNS
and tcp 389 for ldap to make use of firewalls.
After installing all the packages, we will configure DNS with ldap support.
lets check network settings
[root@dns /]# vim /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=dns
[root@dns /]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:0C:29:D4:54:7D
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=192.168.3.135
GATEWAY=192.168.3.1
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes
[root@dns /]# vim /etc/resolv.conf
nameserver 192.168.3.135
search company.xy
[root@dns /]# /etc/init.d/network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
[root@dns /]#
DNS configuration:
[root@dns ~]# cd /var/named/chroot/etc/
[root@dns etc]# vim named.conf
options
{
directory “/var/named”; // the default
dump-file “data/cache_dump.db”;
statistics-file “data/named_stats.txt”;
memstatistics-file “data/named_mem_stats.txt”;
};
zone “.” IN {
type hint;
file “named.root”;
};
zone “localhost” IN {
type master;
file “localhost.fwd”;
allow-update { none; };
};
zone “0.0.127.in-addr.arpa” IN {
type master;
file “localhost.rev”;
allow-update { none; };
};
zone “company.xy” IN {
type master;
file “company.xy.fwd”;
allow-update { none; };
};
zone “3.168.192.in-addr.arpa” IN {
type master;
file “company.xy.rev”;
allow-update { none; };
};
Now we will create the zone files
[root@dns etc]# cd /var/named/chroot/var/named/
Note: About any leading spaces in front of the lines in named.root: remove them!
Lines should start in a ;, . or character, not blanks.
[root@dns named]# vim named.root
. 6D IN NS A.ROOT-SERVERS.NET.
. 6D IN NS B.ROOT-SERVERS.NET.
. 6D IN NS C.ROOT-SERVERS.NET.
. 6D IN NS D.ROOT-SERVERS.NET.
. 6D IN NS E.ROOT-SERVERS.NET.
. 6D IN NS F.ROOT-SERVERS.NET.
. 6D IN NS G.ROOT-SERVERS.NET.
. 6D IN NS H.ROOT-SERVERS.NET.
. 6D IN NS I.ROOT-SERVERS.NET.
. 6D IN NS J.ROOT-SERVERS.NET.
. 6D IN NS K.ROOT-SERVERS.NET.
. 6D IN NS L.ROOT-SERVERS.NET.
. 6D IN NS M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
B.ROOT-SERVERS.NET. 6D IN A 192.228.79.201
C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12
D.ROOT-SERVERS.NET. 6D IN A 128.8.10.90
E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10
F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241
G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4
H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53
I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17
J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30
K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129
L.ROOT-SERVERS.NET. 6D IN A 199.7.83.42
M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33
[root@dns named]# vim localhost.fwd
$ORIGIN localhost.
$TTL 86400
@ IN SOA dns.company.xy. hostmaster.company.xy. (
20090526 ; Serial number
3H ; Refresh 1 day
15M ; Retry 2 hours
1W ; Expire 41.67 days
1D ) ; Minimum TTL 2 days
@ IN NS dns.company.xy.
localhost. IN A 127.0.0.1
[root@dns named]# vim localhost.rev
$ORIGIN 0.0.127.in-addr.arpa.
$TTL 86400
@ IN SOA dns.company.xy. hostmaster.company.xy. (
20090526 ; Serial number
3H ; Refresh 1 day
15M ; Retry 2 hours
1W ; Expire 41.67 days
1D ) ; Minimum TTL 2 days
@ IN NS dns.company.xy.
1.0.0.127.in-addr.arpa. IN PTR localhost.
[root@dns named]# vim company.xy.fwd
$ORIGIN company.xy.
$TTL 86400
@ IN SOA dns.company.xy. hostmaster.company.xy. (
20090526 ; Serial number
3H ; Refresh 1 day
15M ; Retry 2 hours
1W ; Expire 41.67 days
1D ) ; Minimum TTL 2 days
@ IN NS dns.company.xy.
dns.company.xy. IN A 192.168.3.135
ldap.company.xy. IN A 192.168.3.140
client1.company.xy. IN A 192.168.3.145
client2.company.xy. IN A 192.168.3.150
_ldap._tcp.company.xy. SRV 0 0 389 ldap.company.xy.
_ldap._tcp.dc._msdcs.company.xy. SRV 0 0 389 ldap.company.xy.
[root@dns named]# vim company.xy.rev
$ORIGIN 3.168.192.in-addr.arpa.
$TTL 86400
@ IN SOA dns.company.xy. hostmaster.company.xy. (
20090526 ; Serial number
3H ; Refresh 1 day
15M ; Retry 2 hours
1W ; Expire 41.67 days
1D ) ; Minimum TTL 2 days
@ IN NS dns.company.xy.
135.3.168.192.in-addr.arpa. IN PTR dns.company.xy.
140.3.168.192.in-addr.arpa. IN PTR ldap.company.xy.
145.3.168.192.in-addr.arpa. IN PTR client1.company.xy.
150.3.168.192.in-addr.arpa. IN PTR client2.company.xy.
now run the dns daemon i.e named
[root@dns named]# /etc/init.d/named start
Starting named: [ OK ]
[root@dns named]#
make it sure that named service will run automatically at startup
[root@dns named]# chkconfig –level 235 named on
now we will test our newly configured dns
[root@dns named]# nslookup
> dns
Server: 192.168.3.135
Address: 192.168.3.135#53
Name: dns.company.xy
Address: 192.168.3.135
> ldap
Server: 192.168.3.135
Address: 192.168.3.135#53
Name: ldap.company.xy
Address: 192.168.3.140
> 192.168.3.135
Server: 192.168.3.135
Address: 192.168.3.135#53
135.3.168.192.in-addr.arpa name = dns.company.xy.
> 192.168.3.140
Server: 192.168.3.135
Address: 192.168.3.135#53
140.3.168.192.in-addr.arpa name = ldap.company.xy.
> exit
[root@dns named]#
Everything is fine Alhamdulillah
***********************************************
Lets configure Primary Domain Controller
first of all check the network settings
[root@ldap /]# vim /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=ldap.company.xy
[root@ldap /]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:0C:29:0D:56:74
ONBOOT=yes
TYPE=Ethernet
NETMASK=255.255.255.0
IPADDR=192.168.3.140
GATEWAY=192.168.3.1
USERCTL=no
IPV6INIT=no
PEERDNS=yes
[root@ldap /]# vim /etc/resolv.conf
nameserver 192.168.3.135
search company.xy
[root@ldap /]# hostname
ldap.company.xy
[root@ldap /]#
now restart the network service
[root@ldap /]# /etc/init.d/network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
[root@ldap /]#
Add samba.schema file to /etc/openldap/schema/ directory
[root@ldap ~]# cd /etc/openldap/schema/
[root@ldap schema]# vim samba.schema
now copy the below schema context and paste it in samba.schema file, remember to
press i from keyboard before you paste the context.
#######################################################################
## Attributes used by Samba 3.0 schema ##
#######################################################################
##
## Password hashes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME ‘sambaLMPassword’
DESC ‘LanManager Password’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME ‘sambaNTPassword’
DESC ‘MD4 hash of the unicode password’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
##
## Account flags in string format ([UWDX ])
##
attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME ‘sambaAcctFlags’
DESC ‘Account Flags’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
##
## Password timestamps & policies
##
attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME ‘sambaPwdLastSet’
DESC ‘Timestamp of the last password update’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME ‘sambaPwdCanChange’
DESC ‘Timestamp of when the user is allowed to update the password’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME ‘sambaPwdMustChange’
DESC ‘Timestamp of when the password will expire’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME ‘sambaLogonTime’
DESC ‘Timestamp of last logon’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME ‘sambaLogoffTime’
DESC ‘Timestamp of last logoff’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME ‘sambaKickoffTime’
DESC ‘Timestamp of when the user will be logged off automatically’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME ‘sambaBadPasswordCount’
DESC ‘Bad password attempt count’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME ‘sambaBadPasswordTime’
DESC ‘Time of the last bad password attempt’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.55 NAME ‘sambaLogonHours’
DESC ‘Logon Hours’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )
##
## string settings
##
attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME ‘sambaHomeDrive’
DESC ‘Driver letter of home directory mapping’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME ‘sambaLogonScript’
DESC ‘Logon script path’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME ‘sambaProfilePath’
DESC ‘Roaming profile path’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME ‘sambaUserWorkstations’
DESC ‘List of user workstations the user is allowed to logon to’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME ‘sambaHomePath’
DESC ‘Home directory UNC path’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME ‘sambaDomainName’
DESC ‘Windows NT domain to which the user belongs’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME ‘sambaMungedDial’
DESC ‘Base64 encoded user parameter string’
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME ‘sambaPasswordHistory’
DESC ‘Concatenated MD5 hashes of the salted NT passwords used on this account’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
##
## SID, of any type
##
attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME ‘sambaSID’
DESC ‘Security ID’
EQUALITY caseIgnoreIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
##
## Primary group SID, compatible with ntSid
##
attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME ‘sambaPrimaryGroupSID’
DESC ‘Primary Group Security ID’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME ‘sambaSIDList’
DESC ‘Security ID List’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
##
## group mapping attributes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME ‘sambaGroupType’
DESC ‘NT Group Type’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
##
## Store info on the domain
##
attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME ‘sambaNextUserRid’
DESC ‘Next NT rid to give our for users’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME ‘sambaNextGroupRid’
DESC ‘Next NT rid to give out for groups’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME ‘sambaNextRid’
DESC ‘Next NT rid to give out for anything’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME ‘sambaAlgorithmicRidBase’
DESC ‘Base at which the samba RID generation algorithm should operate’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.41 NAME ‘sambaShareName’
DESC ‘Share Name’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.42 NAME ‘sambaOptionName’
DESC ‘Option Name’
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME ‘sambaBoolOption’
DESC ‘A boolean option’
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.44 NAME ‘sambaIntegerOption’
DESC ‘An integer option’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.45 NAME ‘sambaStringOption’
DESC ‘A string option’
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.46 NAME ‘sambaStringListOption’
DESC ‘A string list option’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME ‘sambaPrivName’
## SUP name )
##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME ‘sambaPrivilegeList’
## DESC ‘Privileges List’
## EQUALITY caseIgnoreIA5Match
## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME ‘sambaTrustFlags’
DESC ‘Trust Password Flags’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# “min password length”
attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME ‘sambaMinPwdLength’
DESC ‘Minimal password length (default: 5)’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# “password history”
attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME ‘sambaPwdHistoryLength’
DESC ‘Length of Password History Entries (default: 0 => off)’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# “user must logon to change password”
attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME ‘sambaLogonToChgPwd’
DESC ‘Force Users to logon for password change (default: 0 => off, 2 => on)’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# “maximum password age”
attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME ‘sambaMaxPwdAge’
DESC ‘Maximum password age, in seconds (default: -1 => never expire passwords)’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# “minimum password age”
attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME ‘sambaMinPwdAge’
DESC ‘Minimum password age, in seconds (default: 0 => allow immediate password
change)’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# “lockout duration”
attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME ‘sambaLockoutDuration’
DESC ‘Lockout duration in minutes (default: 30, -1 => forever)’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# “reset count minutes”
attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME ‘sambaLockoutObservationWindow’
DESC ‘Reset time after lockout in minutes (default: 30)’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# “bad lockout attempt”
attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME ‘sambaLockoutThreshold’
DESC ‘Lockout users after bad logon attempts (default: 0 => off)’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# “disconnect time”
attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME ‘sambaForceLogoff’
DESC ‘Disconnect Users outside logon hours (default: -1 => off, 0 => on)’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# “refuse machine password change”
attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME ‘sambaRefuseMachinePwdChange’
DESC ‘Allow Machine Password changes (default: 0 => off)’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#######################################################################
## objectClasses used by Samba 3.0 schema ##
#######################################################################
## The X.500 data model (and therefore LDAPv3) says that each entry can
## only have one structural objectclass. OpenLDAP 2.0 does not enforce
## this currently but will in v2.1
##
## added new objectclass (and OID) for 3.0 to help us deal with backwards
## compatibility with 2.2 installations (e.g. ldapsam_compat) –jerry
##
objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME ‘sambaSamAccount’ SUP top AUXILIARY
DESC ‘Samba 3.0 Auxilary SAM Account’
MUST ( uid $ sambaSID )
MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
sambaProfilePath $ description $ sambaUserWorkstations $
sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
sambaBadPasswordCount $ sambaBadPasswordTime $
sambaPasswordHistory $ sambaLogonHours))
##
## Group mapping info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME ‘sambaGroupMapping’ SUP top AUXILIARY
DESC ‘Samba Group Mapping’
MUST ( gidNumber $ sambaSID $ sambaGroupType )
MAY ( displayName $ description $ sambaSIDList ))
##
## Trust password for trust relationships (any kind)
##
objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME ‘sambaTrustPassword’ SUP top
STRUCTURAL
DESC ‘Samba Trust Password’
MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags )
MAY ( sambaSID $ sambaPwdLastSet ))
##
## Whole-of-domain info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME ‘sambaDomain’ SUP top STRUCTURAL
DESC ‘Samba Domain Information’
MUST ( sambaDomainName $
sambaSID )
MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
sambaAlgorithmicRidBase $
sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $
sambaMaxPwdAge $ sambaMinPwdAge $
sambaLockoutDuration $ sambaLockoutObservationWindow $
sambaLockoutThreshold $
sambaForceLogoff $ sambaRefuseMachinePwdChange ))
##
## used for idmap_ldap module
##
objectclass ( 1.3.6.1.4.1.7165.2.2.7 NAME ‘sambaUnixIdPool’ SUP top AUXILIARY
DESC ‘Pool for allocating UNIX uids/gids’
MUST ( uidNumber $ gidNumber ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME ‘sambaIdmapEntry’ SUP top AUXILIARY
DESC ‘Mapping from a SID to an ID’
MUST ( sambaSID )
MAY ( uidNumber $ gidNumber ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME ‘sambaSidEntry’ SUP top STRUCTURAL
DESC ‘Structural Class for a SID’
MUST ( sambaSID ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME ‘sambaConfig’ SUP top AUXILIARY
DESC ‘Samba Configuration Section’
MAY ( description ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.11 NAME ‘sambaShare’ SUP top STRUCTURAL
DESC ‘Samba Share Section’
MUST ( sambaShareName )
MAY ( description ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME ‘sambaConfigOption’ SUP top
STRUCTURAL
DESC ‘Samba Configuration Option’
MUST ( sambaOptionName )
MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $
sambaStringListoption $ description ) )
now add samba.schema entry in ldap configuration file slapd.conf and also some
other attributes
[root@ldap ~]# cd /etc/openldap/
[root@ldap openldap]# vim slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
loglevel -1
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by selfwrite
by anonymous auth
#access to *
#access to ∗
by * none
by ∗ read
#slapdAtts.conf Section
# any u s e r s can a u t h e n t i c a t e and change h i s password
access to
attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustC\\
hange
by dn=”cn=samba,ou=DSA,dc=company,dc=xy” write
by dn=”cn=smbtools,ou=DSA,dc=company,dc=xy” write
by dn=”cn=nssldap,ou=DSA,dc=company, dc=xy” write
by selfwrite
by anonymous auth
# by ∗ none
# by * read
# some a t t r i b u t e s need t o be r e a d a b l e anonymously s o t h a t
’ i d u s e r ’ can answer c o r r e c t l y
access to
attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
by dn=”cn=samba,ou=DSA,dc=company,dc=xy” write
by dn=”cn=smbtools,ou=DSA,dc=company,dc=xy” write
# by ∗ read
# somme a t t r i b u t e s can be w r i t a b l e by u s e r s t h e m s e l v
e s
access to
attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,gi\\
venname
by dn=”cn=samba,ou=DSA,dc=company,dc=xy” write
by dn=”cn=smbtools,ou=DSA,dc=company,dc=xy” write
by selfwrite
# by ∗ read
# some a t t r i b u t e s need t o be w r i t a b l e f o r samba
access to
attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLog\\
offTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,dis\\
playName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,descript\\
ion,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,s\\
ambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,s\\
ambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupR\\
id,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,samba\\
BoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
by dn=”cn=samba,ou=DSA,dc=company,dc=xy” write
by dn=”cn=smbtools,ou=DSA,dc=company,dc=xy” write
by selfread
# by ∗ none
# samba need t o be a b l e t o c r e a t e t h e samba domain a c c o u n t
access to dn.base=”dc=company,dc=xy”
by dn=”cn=samba,ou=DSA,dc=company,dc=xy” write
by dn=”cn=smbtools,ou=DSA,dc=company,dc=xy” write
# by ∗ none
# samba need t o be a b l e t o c r e a t e new u s e r s a c c o u n t s
access to dn=”ou=Users,dc=company,dc=xy”
by dn=”cn=samba,ou=DSA,dc=company,dc=xy” write
by dn=”cn=smbtools,ou=DSA,dc=company,dc=xy” write
# by ∗ none
# samba need t o be a b l e t o c r e a t e new g r o u p s a c c o u n t s
access to dn=”ou=Groups,dc=company,dc=xy”
by dn=”cn=samba,ou=DSA,dc=company,dc=xy” write
by dn=”cn=smbtools,ou=DSA,dc=company,dc=xy” write
# by ∗ none
# samba need t o be a b l e t o c r e a t e new computers a c c o u n t s
access to dn=”ou=Computers,dc=company,dc=xy”
by dn=”cn=samba,ou=DSA,dc=company,dc=xy” write
by dn=”cn=smbtools,ou=DSA,dc=company,dc=xy” write
# by ∗ none
# t h i s can be o m i t t e d but we l e t i t s t a y b e c a u s e t h e r e
c o u l d be o t h e r
# b r a n c h e s i n t h e d i r e c t o r y
#access to ∗
by selfread
by ∗ none
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix “dc=company,dc=xy”
rootdn “cn=Manager,dc=company,dc=xy”
rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
check the slapd.conf permissions, which must be 640
[root@ldap openldap]# stat slapd.conf
File: `slapd.conf’
Size: 12234 Blocks: 24 IO Block: 4096 regular file
Device: 803h/2051d Inode: 817606 Links: 1
Access: (0640/-rw-r—–) Uid: ( 0/ root) Gid: ( 55/ ldap)
[root@ldap openldap]#
[root@ldap openldap]# vim ldap.conf
#HOST 127.0.0.1
BASE dc=company,dc=xy
URI ldap://127.0.0.1/
TLS_CACERTDIR /etc/openldap/cacerts
now copy the Databse file from /etc/openldap to /var/lib/ldap
[root@ldap openldap]# cp DB_CONFIG.example /var/lib/ldap/
rename DB file
[root@ldap openldap]# cd /var/lib/ldap/
[root@ldap openldap]# mv DB_CONFIG.example DB_CONFIG
[root@ldap openldap]#
start the ldap server
[root@ldap /]# /etc/init.d/ldap start
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
[root@ldap /]#
configuration of ldap server to use LDAP through pam_ldap and nss_ldap, a
service called nscd will also be used
[root@ldap /]# /etc/init.d/nscd start
Starting nscd: [ OK ]
[root@ldap /]#
[root@ldap /]# chkconfig –level 235 nscd on
[root@ldap /]#
[root@ldap /]# setup
run Authentication Configuration
select Cache Information
Use LDAP
Use MD5 Passwords
Use Shadow Passwords
Use LDAP Authentication
Press the Next button
don’t select Use TLS option
Server: ldap://127.0.0.1/
Base DN: dc=company,dc=xy
Press OK and exit
[root@ldap /]# vim /etc/ldap.conf
host 127.0.0.1
base dc=company,dc=xy
rootbinddn cn=manager,dc=company,dc=xy
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers
root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
create a file ldap.secret in /etc directory protected by mode 600 and place in
it the ldap password defined in slapd.conf
[root@ldap /]# vim /etc/ldap.secret
secret
[root@ldap /]# chmod 600 /etc/ldap.secret
[root@ldap /]#
****************************************************
smbldap-tools configuration
[root@ldap /]# cd /etc/opt/IDEALX/smbldap-tools/
[root@ldap smbldap-tools]# vim smbldap_bind.conf
slaveDN=”cn=Manager,dc=company,dc=xy”
slavePw=”secret”
masterDN=”cn=Manager,dc=company,dc=xy”
masterPw=”secret”
[root@ldap smbldap-tools]# vim smbldap.conf
##############################################################################
#
# General Configuration
#
##############################################################################
SID=”S-1-5-21-2815000769-282395026-991120840”
sambaDomain=”company.xy”
##############################################################################
#
# LDAP Configuration
#
##############################################################################
slaveLDAP=”127.0.0.1”
# Slave LDAP port
slavePort=”389”
# Master LDAP server: needed for write operations
masterLDAP=”127.0.0.1”
# Master LDAP port
masterPort=”389”
suffix=”dc=company,dc=xy”
usersdn=”ou=Users,${suffix}”
computersdn=”ou=Computers,${suffix}”
groupsdn=”ou=Groups,${suffix}”
idmapdn=”ou=Idmap,${suffix}”
sambaUnixIdPooldn=”sambaDomainName=company.xy,${suffix}”
scope=”sub”
hash_encrypt=”SSHA”
crypt_salt_format=”%s”
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
userLoginShell=”/bin/bash”
# Home directory
userHome=”/home/%U”
# Default mode used for user homeDirectory
userHomeDirectoryMode=”700”
# Gecos
userGecos=”System User”
# Default User (POSIX and Samba) GID
defaultUserGid=”513”
# Default Computer (Samba) GID
defaultComputerGid=”515”
# Skel dir
skeletonDir=”/etc/skel”
defaultMaxPasswordAge=”45”
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf ‘logon home’
# directive and/or disable roaming profiles
# Ex: userSmbHome=”\\\\PDC-SMB3\\%U”
#userSmbHome=”\\\\192.168.3.140\\%U”
# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf ‘logon path’
# directive and/or disable roaming profiles
# Ex: userProfile=”\\\\PDC-SMB3\\profiles\\%U”
#userProfile=”\\\\192.168.3.140\\profiles\\%U”
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive=”H:”
#userHomeDrive=”H:”
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript=”startup.cmd” # make sure script file is edited under dos
userScript=”logon.bat”
# Domain appended to the users “mail”-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain=”idealx.com”
mailDomain=”company.com”
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
with_smbpasswd=”0”
smbpasswd=”/usr/bin/smbpasswd”
with_slappasswd=”0”
slappasswd=”/usr/sbin/slappasswd”
# comment out the following line to get rid of the default banner
# no_banner=”1”
configuring smb.conf
[root@ldap smbldap-tools]# cd /etc/samba/
[root@ldap samba]# vim smb.conf
[global]
workgroup = company.xy
netbios name = ldapserver
enable privileges = yes
#interfaces = 192.168.3.131
username map = /etc/samba/smbusers
server string = samba-ldap-pdc
security = user
encrypt passwords = Yes
admin users = root
#min passwd length = 3
obey pam restrictions = No
ldap passwd sync = Yes
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
#time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
#guest account = root
logon script = logon.bat
logon drive =
logon home =
logon path =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=Manager,dc=company,dc=xy
ldap suffix = dc=company,dc=xy
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
#ldap ssl = start_tls
add user script = /usr/local/sbin/smbldap��’useradd ��’m “%u”
ldap delete dn = Yes
add machine script = /usr/local/sbin/smbldap��’useradd ��’w “%u”
add group script = /usr/local/sbin/smbldap��’groupadd ��’p “%g”
add user to group script = /usr/local/sbin/smbldap��’groupmod ��’m “%u” “%g”
delete user from group script = /usr/local/sbin/smbldap-groupmod -x “%u” “%g”
set primary group script = /usr/local/sbin/smbldap-usermod -g “%g” “%u”
#logon script = STARTUP.BAT
;[homes]
;comment = Home Directories
;valid users = %U
;read only = No
;create mask = 0664
;directory mask = 0775
;browseable = No
;[profiles]
;path = /home/samba/profiles
;read only = No
;create mask = 0600
;directory mask = 0700
;browseable = No
;guest ok = Yes
;profile acls = Yes
;csc policy = disable
;force user = %U
;valid users = %U @”Domain Admins”
[netlogon]
path = /home/samba/netlogon/
browseable = No
read only = yes
we are configuring a simple domain controller in this howto. You can allow
roaming profiles and home directories for domain users.
lets configure some directories referenced in /etc/samba/smb.conf
[root@ldap samba]# mkdir /home/samba
[root@ldap samba]# mkdir /home/samba/netlogon
[root@ldap samba]# mkdir /home/samba/profiles
[root@ldap samba]# chmod 1777 /home/samba/profiles [currently we
will not use profile feature]
Samba must know the ldap admin dn password so lets do it
[root@ldap samba]# smbpasswd -w secret
Setting stored password for “cn=Manager,dc=company,dc=xy” in secrets.tdb
[root@ldap samba]#
Now define the domain Secure ID (SID)
[root@ldap samba]# net getlocalsid
SID for domain LDAPSERVER is: S-1-5-21-2815000769-282395026-991120840
[root@ldap samba]#
Replace the raw SID in /etc/opt/IDEALX/smbldap-tools/smbldap.conf with above
mentioned SID.
make sure that smbldap scripts are placed in /usr/local/sbin
otherwise make symbolic link of each script in /usr/local/sbin as this path is
defined in smb.conf
[root@ldap samba]# cd /opt/IDEALX/sbin/
[root@ldap sbin]# ls
configure.pl smbldap-groupmod smbldap-populate smbldap-userdel
smbldap-usershow
smbldap-groupadd smbldap-groupshow smbldap_tools.pm smbldap-userinfo
smbldap-groupdel smbldap-passwd smbldap-useradd smbldap-usermod
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/configure.pl
/usr/local/sbin/configure.pl
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-groupadd
/usr/local/sbin/smbldap-groupadd
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-groupdel
/usr/local/sbin/smbldap-groupdel
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-groupmod
/usr/local/sbin/smbldap-groupmod
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-groupshow
/usr/local/sbin/smbldap-groupshow
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-passwd
/usr/local/sbin/smbldap-passwd
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-populate
/usr/local/sbin/smbldap-populate
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap_tools.pm
/usr/local/sbin/smbldap_tools.pm
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-useradd
/usr/local/sbin/smbldap-useradd
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-userdel
/usr/local/sbin/smbldap-userdel
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-userinfo
/usr/local/sbin/smbldap-userinfo
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-usermod
/usr/local/sbin/smbldap-usermod
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-usershow
/usr/local/sbin/smbldap-usershow
Now add the default base entries
[root@ldap /]# smbldap-populate
Populating LDAP directory for domain company.xy
(S-1-5-21-2815000769-282395026-991120840)
(using builtin directory structure)
adding new entry dc=company,dc=xy
adding new entry ou=Users,dc=company,dc=xy
adding new entry ou=Groups,dc=company,dc=xy
adding new entry ou=Computers,dc=company,dc=xy
adding new entry ou=Idmap,dc=company,dc=xy
adding new entry uid=root,ou=Users,dc=company,dc=xy
adding new entry uid=nobody,ou=Users,dc=company,dc=xy
adding new entry cn=Domain Admins,ou=Groups,dc=company,dc=xy
adding new entry cn=Domain Users,ou=Groups,dc=company,dc=xy
adding new entry cn=Domain Guests,ou=Groups,dc=company,dc=xy
adding new entry cn=Domain Computers,ou=Groups,dc=company,dc=xy
adding new entry cn=Administrators,ou=Groups,dc=company,dc=xy
adding new entry cn=Account Operators,ou=Groups,dc=company,dc=xy
adding new entry cn=Print Operators,ou=Groups,dc=company,dc=xy
adding new entry cn=Backup Operators,ou=Groups,dc=company,dc=xy
adding new entry cn=Replicators,ou=Groups,dc=company,dc=xy
adding new entry sambaDomainName=company.xy,dc=company,dc=xy
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
[root@ldap /]#
adding Domain Security Accounts
for this purpose we will create a ldif file and add the entries at once.
[root@ldap Desktop]# vim dsa.ldif
dn: ou=DSA,dc=company,dc=xy
objectClass: top
objectClass: organizationalUnit
ou: DSA
description: security accounts for LDAP clients
dn: cn=samba,ou=DSA,dc=company,dc=xy
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: sambasecretpwd
cn: samba
dn: cn=nssldap,ou=DSA,dc=company,dc=xy
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: nssldapsecretpwd
cn: nssldap
dn: cn=smbtools,ou=DSA,dc=company,dc=xy
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: smbtoolssecretpwd
cn: smbtools
[root@ldap Desktop]# ldapadd -x -h localhost -D “cn=Manager,dc=company,dc=xy” -f
dsa.ldif -W
Enter LDAP Password:
adding new entry “ou=DSA,dc=company,dc=xy”
adding new entry “cn=samba,,ou=DSA,dc=company,dc=xy”
adding new entry “cn=nssldap,ou=DSA,dc=company,dc=xy”
adding new entry “cn=smbtools,ou=DSA,dc=company,dc=xy”
[root@ldap Desktop]#
Password of each security accoutn can be changed further by the following
command
[root@ldap Desktop]# ldappasswd -x -h localhost -D “cn=Manager,dc=company,dc=xy”
-s password -W cn=samba,ou=DSA,dc=company,dc=xy
now start samba server
[root@ldap Desktop]# /etc/init.d/smb start
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
[root@ldap Desktop]#
Now create a samba user account for UNIX and SAMBA
[root@ldap Desktop]# smbldap-useradd -a -m -c “Muhammad Farrukh Siddique”
mfarrukh
[root@ldap Desktop]# smbldap-passwd mfarrukh
Changing UNIX and samba passwords for mfarrukh
New password:
Retype new password:
[root@ldap Desktop]# useradd mfarrukh
Now create a machine trust account
[root@ldap Desktop]# smbldap-useradd -w client1
Machine trust accoutn must also be in /etc/passwd
[root@ldap Desktop]# useradd -d /dev/null -s /bin/false client1$
($ sign differentiate between user and machine accounts)
lets search a user account
[root@ldap Desktop]# smbldap-usershow mfarrukh
dn: uid=mfarrukh,ou=Users,dc=company,dc=xy
objectClass:
top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSa\\
mAccount
cn: mfarrukh
sn: mfarrukh
givenName: mfarrukh
uid: mfarrukh
uidNumber: 1000
gidNumber: 513
homeDirectory: /home/mfarrukh
loginShell: /bin/bash
gecos: Muhammad Farrukh Siddique
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: Muhammad Farrukh Siddique
sambaSID: S-1-5-21-2815000769-282395026-991120840-3000
sambaPrimaryGroupSID: S-1-5-21-2815000769-282395026-991120840-513
sambaLogonScript: logon.bat
sambaLMPassword: 78BCCAEE08C90E29AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: F9E37E83B83C47A93C2F09F66408631B
sambaPwdLastSet: 1257784838
sambaPwdMustChange: 1261672838
userPassword: {SSHA}2syv4k3FUxv3269R29xbBDnQ6tFaS2Rz
[root@ldap Desktop]#
[root@ldap Desktop]# smbldap-usershow client1$
dn: uid=client1$,ou=Computers,dc=company,dc=xy
objectClass:
top,person,organizationalPerson,inetOrgPerson,posixAccount,sambaSamAccount
cn: client1$
sn: client1$
uid: client1$
uidNumber: 1001
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaSID: S-1-5-21-2815000769-282395026-991120840-1000
displayName: CLIENT1$
sambaAcctFlags: [W ]
sambaNTPassword: A6F443E99DBF9DD0686A90919A9D6967
sambaPwdLastSet: 1243494068
you can search the whole OU by command
ldapsearch -x -b “ou=Users,dc=company,dc=xy” -LLL -D
“cn=Manager,dc=company,dc=xy” -W
Now Everything has been configured successfully.
Last step is to join domain.
Power ON xp machine
set the network settings according to this scenario these will be
IP Address: 192.168.3.145
Subnet Mask: 255.255.255.0
D.Gateway: 192.168.3.1
Primary DNS: 192.168.3.135
Right click on My Computer icon and go to the Properties
under Computer Name tab click on Change button and write the domain name
enter username: root and its password a welcome screen will appear.
Just restart the computer and enter with domain username.
Task completed successfully.
Shuker AlHamdullilah
\
\
\ \ \ \ \ \ \ \ \ \ \ \
Compose Addresses Folders Options Search Help Calendar Fetch
\
\ \ \ \ \ \ \ \ \ \ \ \
Viewing a text attachment - View message
\ \ \ \ \ \ \ \ \ \
\
Samba Primary Domain Controller with Open-LDAP How-TO
written by: Muhammad Farrukh Siddique (LPIC)
Scenario:
We are going to configure a Linux based Primary Domain Controller using Samba
which will authenticate the domain users through LDAP
Domain Name : company.xy
Hostname IP-Address OPerating System
dns.company.xy 192.168.3.135 RedHat-5
ldap.company.xy 192.168.3.140 CentOS-5.3
client1.company.xy 192.168.3.145 Windows-XP-Service Pack2
client2.company.xy 192.168.3.150 Windows-XP-Service Pack2
Default Gateway os all the servers is 192.168.3.1 which is the IP of DSL router
for Internet
Required Packages: version number:
1).DNS packages»
bind 9.3 or higher
bind-chroot 9.3 0r higher
bind-utils 9.3 0r higher
bind-libs 9.3 0r higher
2).OpenLDAP packages»
openldap 2.3 or higher
openldap-clients 2.3 or higher
openldap-devel 2.3 or higher
compat-openldap 2.3 or higher
python-ldap 2.2 or higher
ldapjdk 4.18 or higher
php-ldap 5.1 or higher
nss_ldap 253-17
3).Samba packages»
samba 3.0 or higer
samba-common 3.0 or higer
samba-client 3.0 or higer
4).samba-ldap tools» Download Link for Perl Packages:
http://dag.wieers.com/rpm/packages/
perl-Crypt-SmbHash 0.12-1.2.el5
perl-Digest-SHA1 2.11-1.2.1
perl-Jcode 2.06-1.el5
perl-Unicode-Map 0.112-1.el5
perl-Unicode-Map8 0.12-1.el5
perl-Unicode-MapUTF8 1.11-1.2.el5
perl-Unicode-String 2.09-1.2.el5
smbldap-tools 0.9.2-1a
Download Link:
http://nchc.dl.sourceforge.net/project/smbldap-tools/smbldap-tools/0.9.2/smbldap-tools-0.9.2-1a.noarch.rpm
Note: currently we will disable SELINUX,Firewall,Iptables on each linux machine
and after successful completion of our task, we will add ports tcp 53 for DNS
and tcp 389 for ldap to make use of firewalls.
After installing all the packages, we will configure DNS with ldap support.
lets check network settings
[root@dns /]# vim /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=dns
[root@dns /]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:0C:29:D4:54:7D
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=192.168.3.135
GATEWAY=192.168.3.1
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes
[root@dns /]# vim /etc/resolv.conf
nameserver 192.168.3.135
search company.xy
[root@dns /]# /etc/init.d/network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
[root@dns /]#
DNS configuration:
[root@dns ~]# cd /var/named/chroot/etc/
[root@dns etc]# vim named.conf
options
{
directory “/var/named”; // the default
dump-file “data/cache_dump.db”;
statistics-file “data/named_stats.txt”;
memstatistics-file “data/named_mem_stats.txt”;
};
zone “.” IN {
type hint;
file “named.root”;
};
zone “localhost” IN {
type master;
file “localhost.fwd”;
allow-update { none; };
};
zone “0.0.127.in-addr.arpa” IN {
type master;
file “localhost.rev”;
allow-update { none; };
};
zone “company.xy” IN {
type master;
file “company.xy.fwd”;
allow-update { none; };
};
zone “3.168.192.in-addr.arpa” IN {
type master;
file “company.xy.rev”;
allow-update { none; };
};
Now we will create the zone files
[root@dns etc]# cd /var/named/chroot/var/named/
Note: About any leading spaces in front of the lines in named.root: remove them!
Lines should start in a ;, . or character, not blanks.
[root@dns named]# vim named.root
. 6D IN NS A.ROOT-SERVERS.NET.
. 6D IN NS B.ROOT-SERVERS.NET.
. 6D IN NS C.ROOT-SERVERS.NET.
. 6D IN NS D.ROOT-SERVERS.NET.
. 6D IN NS E.ROOT-SERVERS.NET.
. 6D IN NS F.ROOT-SERVERS.NET.
. 6D IN NS G.ROOT-SERVERS.NET.
. 6D IN NS H.ROOT-SERVERS.NET.
. 6D IN NS I.ROOT-SERVERS.NET.
. 6D IN NS J.ROOT-SERVERS.NET.
. 6D IN NS K.ROOT-SERVERS.NET.
. 6D IN NS L.ROOT-SERVERS.NET.
. 6D IN NS M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
B.ROOT-SERVERS.NET. 6D IN A 192.228.79.201
C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12
D.ROOT-SERVERS.NET. 6D IN A 128.8.10.90
E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10
F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241
G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4
H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53
I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17
J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30
K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129
L.ROOT-SERVERS.NET. 6D IN A 199.7.83.42
M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33
[root@dns named]# vim localhost.fwd
$ORIGIN localhost.
$TTL 86400
@ IN SOA dns.company.xy. hostmaster.company.xy. (
20090526 ; Serial number
3H ; Refresh 1 day
15M ; Retry 2 hours
1W ; Expire 41.67 days
1D ) ; Minimum TTL 2 days
@ IN NS dns.company.xy.
localhost. IN A 127.0.0.1
[root@dns named]# vim localhost.rev
$ORIGIN 0.0.127.in-addr.arpa.
$TTL 86400
@ IN SOA dns.company.xy. hostmaster.company.xy. (
20090526 ; Serial number
3H ; Refresh 1 day
15M ; Retry 2 hours
1W ; Expire 41.67 days
1D ) ; Minimum TTL 2 days
@ IN NS dns.company.xy.
1.0.0.127.in-addr.arpa. IN PTR localhost.
[root@dns named]# vim company.xy.fwd
$ORIGIN company.xy.
$TTL 86400
@ IN SOA dns.company.xy. hostmaster.company.xy. (
20090526 ; Serial number
3H ; Refresh 1 day
15M ; Retry 2 hours
1W ; Expire 41.67 days
1D ) ; Minimum TTL 2 days
@ IN NS dns.company.xy.
dns.company.xy. IN A 192.168.3.135
ldap.company.xy. IN A 192.168.3.140
client1.company.xy. IN A 192.168.3.145
client2.company.xy. IN A 192.168.3.150
_ldap._tcp.company.xy. SRV 0 0 389 ldap.company.xy.
_ldap._tcp.dc._msdcs.company.xy. SRV 0 0 389 ldap.company.xy.
[root@dns named]# vim company.xy.rev
$ORIGIN 3.168.192.in-addr.arpa.
$TTL 86400
@ IN SOA dns.company.xy. hostmaster.company.xy. (
20090526 ; Serial number
3H ; Refresh 1 day
15M ; Retry 2 hours
1W ; Expire 41.67 days
1D ) ; Minimum TTL 2 days
@ IN NS dns.company.xy.
135.3.168.192.in-addr.arpa. IN PTR dns.company.xy.
140.3.168.192.in-addr.arpa. IN PTR ldap.company.xy.
145.3.168.192.in-addr.arpa. IN PTR client1.company.xy.
150.3.168.192.in-addr.arpa. IN PTR client2.company.xy.
now run the dns daemon i.e named
[root@dns named]# /etc/init.d/named start
Starting named: [ OK ]
[root@dns named]#
make it sure that named service will run automatically at startup
[root@dns named]# chkconfig –level 235 named on
now we will test our newly configured dns
[root@dns named]# nslookup
> dns
Server: 192.168.3.135
Address: 192.168.3.135#53
Name: dns.company.xy
Address: 192.168.3.135
> ldap
Server: 192.168.3.135
Address: 192.168.3.135#53
Name: ldap.company.xy
Address: 192.168.3.140
> 192.168.3.135
Server: 192.168.3.135
Address: 192.168.3.135#53
135.3.168.192.in-addr.arpa name = dns.company.xy.
> 192.168.3.140
Server: 192.168.3.135
Address: 192.168.3.135#53
140.3.168.192.in-addr.arpa name = ldap.company.xy.
> exit
[root@dns named]#
Everything is fine Alhamdulillah
***********************************************
Lets configure Primary Domain Controller
first of all check the network settings
[root@ldap /]# vim /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=ldap.company.xy
[root@ldap /]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:0C:29:0D:56:74
ONBOOT=yes
TYPE=Ethernet
NETMASK=255.255.255.0
IPADDR=192.168.3.140
GATEWAY=192.168.3.1
USERCTL=no
IPV6INIT=no
PEERDNS=yes
[root@ldap /]# vim /etc/resolv.conf
nameserver 192.168.3.135
search company.xy
[root@ldap /]# hostname
ldap.company.xy
[root@ldap /]#
now restart the network service
[root@ldap /]# /etc/init.d/network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
[root@ldap /]#
Add samba.schema file to /etc/openldap/schema/ directory
[root@ldap ~]# cd /etc/openldap/schema/
[root@ldap schema]# vim samba.schema
now copy the below schema context and paste it in samba.schema file, remember to
press i from keyboard before you paste the context.
#######################################################################
## Attributes used by Samba 3.0 schema ##
#######################################################################
##
## Password hashes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME ‘sambaLMPassword’
DESC ‘LanManager Password’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME ‘sambaNTPassword’
DESC ‘MD4 hash of the unicode password’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
##
## Account flags in string format ([UWDX ])
##
attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME ‘sambaAcctFlags’
DESC ‘Account Flags’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
##
## Password timestamps & policies
##
attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME ‘sambaPwdLastSet’
DESC ‘Timestamp of the last password update’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME ‘sambaPwdCanChange’
DESC ‘Timestamp of when the user is allowed to update the password’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME ‘sambaPwdMustChange’
DESC ‘Timestamp of when the password will expire’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME ‘sambaLogonTime’
DESC ‘Timestamp of last logon’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME ‘sambaLogoffTime’
DESC ‘Timestamp of last logoff’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME ‘sambaKickoffTime’
DESC ‘Timestamp of when the user will be logged off automatically’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME ‘sambaBadPasswordCount’
DESC ‘Bad password attempt count’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME ‘sambaBadPasswordTime’
DESC ‘Time of the last bad password attempt’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.55 NAME ‘sambaLogonHours’
DESC ‘Logon Hours’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )
##
## string settings
##
attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME ‘sambaHomeDrive’
DESC ‘Driver letter of home directory mapping’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME ‘sambaLogonScript’
DESC ‘Logon script path’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME ‘sambaProfilePath’
DESC ‘Roaming profile path’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME ‘sambaUserWorkstations’
DESC ‘List of user workstations the user is allowed to logon to’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME ‘sambaHomePath’
DESC ‘Home directory UNC path’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME ‘sambaDomainName’
DESC ‘Windows NT domain to which the user belongs’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME ‘sambaMungedDial’
DESC ‘Base64 encoded user parameter string’
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME ‘sambaPasswordHistory’
DESC ‘Concatenated MD5 hashes of the salted NT passwords used on this account’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
##
## SID, of any type
##
attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME ‘sambaSID’
DESC ‘Security ID’
EQUALITY caseIgnoreIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
##
## Primary group SID, compatible with ntSid
##
attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME ‘sambaPrimaryGroupSID’
DESC ‘Primary Group Security ID’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME ‘sambaSIDList’
DESC ‘Security ID List’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
##
## group mapping attributes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME ‘sambaGroupType’
DESC ‘NT Group Type’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
##
## Store info on the domain
##
attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME ‘sambaNextUserRid’
DESC ‘Next NT rid to give our for users’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME ‘sambaNextGroupRid’
DESC ‘Next NT rid to give out for groups’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME ‘sambaNextRid’
DESC ‘Next NT rid to give out for anything’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME ‘sambaAlgorithmicRidBase’
DESC ‘Base at which the samba RID generation algorithm should operate’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.41 NAME ‘sambaShareName’
DESC ‘Share Name’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.42 NAME ‘sambaOptionName’
DESC ‘Option Name’
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME ‘sambaBoolOption’
DESC ‘A boolean option’
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.44 NAME ‘sambaIntegerOption’
DESC ‘An integer option’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.45 NAME ‘sambaStringOption’
DESC ‘A string option’
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.46 NAME ‘sambaStringListOption’
DESC ‘A string list option’
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME ‘sambaPrivName’
## SUP name )
##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME ‘sambaPrivilegeList’
## DESC ‘Privileges List’
## EQUALITY caseIgnoreIA5Match
## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME ‘sambaTrustFlags’
DESC ‘Trust Password Flags’
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# “min password length”
attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME ‘sambaMinPwdLength’
DESC ‘Minimal password length (default: 5)’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# “password history”
attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME ‘sambaPwdHistoryLength’
DESC ‘Length of Password History Entries (default: 0 => off)’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# “user must logon to change password”
attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME ‘sambaLogonToChgPwd’
DESC ‘Force Users to logon for password change (default: 0 => off, 2 => on)’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# “maximum password age”
attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME ‘sambaMaxPwdAge’
DESC ‘Maximum password age, in seconds (default: -1 => never expire passwords)’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# “minimum password age”
attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME ‘sambaMinPwdAge’
DESC ‘Minimum password age, in seconds (default: 0 => allow immediate password
change)’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# “lockout duration”
attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME ‘sambaLockoutDuration’
DESC ‘Lockout duration in minutes (default: 30, -1 => forever)’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# “reset count minutes”
attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME ‘sambaLockoutObservationWindow’
DESC ‘Reset time after lockout in minutes (default: 30)’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# “bad lockout attempt”
attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME ‘sambaLockoutThreshold’
DESC ‘Lockout users after bad logon attempts (default: 0 => off)’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# “disconnect time”
attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME ‘sambaForceLogoff’
DESC ‘Disconnect Users outside logon hours (default: -1 => off, 0 => on)’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# “refuse machine password change”
attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME ‘sambaRefuseMachinePwdChange’
DESC ‘Allow Machine Password changes (default: 0 => off)’
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#######################################################################
## objectClasses used by Samba 3.0 schema ##
#######################################################################
## The X.500 data model (and therefore LDAPv3) says that each entry can
## only have one structural objectclass. OpenLDAP 2.0 does not enforce
## this currently but will in v2.1
##
## added new objectclass (and OID) for 3.0 to help us deal with backwards
## compatibility with 2.2 installations (e.g. ldapsam_compat) –jerry
##
objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME ‘sambaSamAccount’ SUP top AUXILIARY
DESC ‘Samba 3.0 Auxilary SAM Account’
MUST ( uid $ sambaSID )
MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
sambaProfilePath $ description $ sambaUserWorkstations $
sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
sambaBadPasswordCount $ sambaBadPasswordTime $
sambaPasswordHistory $ sambaLogonHours))
##
## Group mapping info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME ‘sambaGroupMapping’ SUP top AUXILIARY
DESC ‘Samba Group Mapping’
MUST ( gidNumber $ sambaSID $ sambaGroupType )
MAY ( displayName $ description $ sambaSIDList ))
##
## Trust password for trust relationships (any kind)
##
objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME ‘sambaTrustPassword’ SUP top
STRUCTURAL
DESC ‘Samba Trust Password’
MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags )
MAY ( sambaSID $ sambaPwdLastSet ))
##
## Whole-of-domain info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME ‘sambaDomain’ SUP top STRUCTURAL
DESC ‘Samba Domain Information’
MUST ( sambaDomainName $
sambaSID )
MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
sambaAlgorithmicRidBase $
sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $
sambaMaxPwdAge $ sambaMinPwdAge $
sambaLockoutDuration $ sambaLockoutObservationWindow $
sambaLockoutThreshold $
sambaForceLogoff $ sambaRefuseMachinePwdChange ))
##
## used for idmap_ldap module
##
objectclass ( 1.3.6.1.4.1.7165.2.2.7 NAME ‘sambaUnixIdPool’ SUP top AUXILIARY
DESC ‘Pool for allocating UNIX uids/gids’
MUST ( uidNumber $ gidNumber ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME ‘sambaIdmapEntry’ SUP top AUXILIARY
DESC ‘Mapping from a SID to an ID’
MUST ( sambaSID )
MAY ( uidNumber $ gidNumber ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME ‘sambaSidEntry’ SUP top STRUCTURAL
DESC ‘Structural Class for a SID’
MUST ( sambaSID ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME ‘sambaConfig’ SUP top AUXILIARY
DESC ‘Samba Configuration Section’
MAY ( description ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.11 NAME ‘sambaShare’ SUP top STRUCTURAL
DESC ‘Samba Share Section’
MUST ( sambaShareName )
MAY ( description ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME ‘sambaConfigOption’ SUP top
STRUCTURAL
DESC ‘Samba Configuration Option’
MUST ( sambaOptionName )
MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $
sambaStringListoption $ description ) )
now add samba.schema entry in ldap configuration file slapd.conf and also some
other attributes
[root@ldap ~]# cd /etc/openldap/
[root@ldap openldap]# vim slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
loglevel -1
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by selfwrite
by anonymous auth
#access to *
#access to ∗
by * none
by ∗ read
#slapdAtts.conf Section
# any u s e r s can a u t h e n t i c a t e and change h i s password
access to
attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustC\\
hange
by dn=”cn=samba,ou=DSA,dc=company,dc=xy” write
by dn=”cn=smbtools,ou=DSA,dc=company,dc=xy” write
by dn=”cn=nssldap,ou=DSA,dc=company, dc=xy” write
by selfwrite
by anonymous auth
# by ∗ none
# by * read
# some a t t r i b u t e s need t o be r e a d a b l e anonymously s o t h a t
’ i d u s e r ’ can answer c o r r e c t l y
access to
attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
by dn=”cn=samba,ou=DSA,dc=company,dc=xy” write
by dn=”cn=smbtools,ou=DSA,dc=company,dc=xy” write
# by ∗ read
# somme a t t r i b u t e s can be w r i t a b l e by u s e r s t h e m s e l v
e s
access to
attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,gi\\
venname
by dn=”cn=samba,ou=DSA,dc=company,dc=xy” write
by dn=”cn=smbtools,ou=DSA,dc=company,dc=xy” write
by selfwrite
# by ∗ read
# some a t t r i b u t e s need t o be w r i t a b l e f o r samba
access to
attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLog\\
offTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,dis\\
playName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,descript\\
ion,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,s\\
ambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,s\\
ambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupR\\
id,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,samba\\
BoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
by dn=”cn=samba,ou=DSA,dc=company,dc=xy” write
by dn=”cn=smbtools,ou=DSA,dc=company,dc=xy” write
by selfread
# by ∗ none
# samba need t o be a b l e t o c r e a t e t h e samba domain a c c o u n t
access to dn.base=”dc=company,dc=xy”
by dn=”cn=samba,ou=DSA,dc=company,dc=xy” write
by dn=”cn=smbtools,ou=DSA,dc=company,dc=xy” write
# by ∗ none
# samba need t o be a b l e t o c r e a t e new u s e r s a c c o u n t s
access to dn=”ou=Users,dc=company,dc=xy”
by dn=”cn=samba,ou=DSA,dc=company,dc=xy” write
by dn=”cn=smbtools,ou=DSA,dc=company,dc=xy” write
# by ∗ none
# samba need t o be a b l e t o c r e a t e new g r o u p s a c c o u n t s
access to dn=”ou=Groups,dc=company,dc=xy”
by dn=”cn=samba,ou=DSA,dc=company,dc=xy” write
by dn=”cn=smbtools,ou=DSA,dc=company,dc=xy” write
# by ∗ none
# samba need t o be a b l e t o c r e a t e new computers a c c o u n t s
access to dn=”ou=Computers,dc=company,dc=xy”
by dn=”cn=samba,ou=DSA,dc=company,dc=xy” write
by dn=”cn=smbtools,ou=DSA,dc=company,dc=xy” write
# by ∗ none
# t h i s can be o m i t t e d but we l e t i t s t a y b e c a u s e t h e r e
c o u l d be o t h e r
# b r a n c h e s i n t h e d i r e c t o r y
#access to ∗
by selfread
by ∗ none
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix “dc=company,dc=xy”
rootdn “cn=Manager,dc=company,dc=xy”
rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
check the slapd.conf permissions, which must be 640
[root@ldap openldap]# stat slapd.conf
File: `slapd.conf’
Size: 12234 Blocks: 24 IO Block: 4096 regular file
Device: 803h/2051d Inode: 817606 Links: 1
Access: (0640/-rw-r—–) Uid: ( 0/ root) Gid: ( 55/ ldap)
[root@ldap openldap]#
[root@ldap openldap]# vim ldap.conf
#HOST 127.0.0.1
BASE dc=company,dc=xy
URI ldap://127.0.0.1/
TLS_CACERTDIR /etc/openldap/cacerts
now copy the Databse file from /etc/openldap to /var/lib/ldap
[root@ldap openldap]# cp DB_CONFIG.example /var/lib/ldap/
rename DB file
[root@ldap openldap]# cd /var/lib/ldap/
[root@ldap openldap]# mv DB_CONFIG.example DB_CONFIG
[root@ldap openldap]#
start the ldap server
[root@ldap /]# /etc/init.d/ldap start
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
[root@ldap /]#
configuration of ldap server to use LDAP through pam_ldap and nss_ldap, a
service called nscd will also be used
[root@ldap /]# /etc/init.d/nscd start
Starting nscd: [ OK ]
[root@ldap /]#
[root@ldap /]# chkconfig –level 235 nscd on
[root@ldap /]#
[root@ldap /]# setup
run Authentication Configuration
select Cache Information
Use LDAP
Use MD5 Passwords
Use Shadow Passwords
Use LDAP Authentication
Press the Next button
don’t select Use TLS option
Server: ldap://127.0.0.1/
Base DN: dc=company,dc=xy
Press OK and exit
[root@ldap /]# vim /etc/ldap.conf
host 127.0.0.1
base dc=company,dc=xy
rootbinddn cn=manager,dc=company,dc=xy
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers
root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
create a file ldap.secret in /etc directory protected by mode 600 and place in
it the ldap password defined in slapd.conf
[root@ldap /]# vim /etc/ldap.secret
secret
[root@ldap /]# chmod 600 /etc/ldap.secret
[root@ldap /]#
****************************************************
smbldap-tools configuration
[root@ldap /]# cd /etc/opt/IDEALX/smbldap-tools/
[root@ldap smbldap-tools]# vim smbldap_bind.conf
slaveDN=”cn=Manager,dc=company,dc=xy”
slavePw=”secret”
masterDN=”cn=Manager,dc=company,dc=xy”
masterPw=”secret”
[root@ldap smbldap-tools]# vim smbldap.conf
##############################################################################
#
# General Configuration
#
##############################################################################
SID=”S-1-5-21-2815000769-282395026-991120840”
sambaDomain=”company.xy”
##############################################################################
#
# LDAP Configuration
#
##############################################################################
slaveLDAP=”127.0.0.1”
# Slave LDAP port
slavePort=”389”
# Master LDAP server: needed for write operations
masterLDAP=”127.0.0.1”
# Master LDAP port
masterPort=”389”
suffix=”dc=company,dc=xy”
usersdn=”ou=Users,${suffix}”
computersdn=”ou=Computers,${suffix}”
groupsdn=”ou=Groups,${suffix}”
idmapdn=”ou=Idmap,${suffix}”
sambaUnixIdPooldn=”sambaDomainName=company.xy,${suffix}”
scope=”sub”
hash_encrypt=”SSHA”
crypt_salt_format=”%s”
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
userLoginShell=”/bin/bash”
# Home directory
userHome=”/home/%U”
# Default mode used for user homeDirectory
userHomeDirectoryMode=”700”
# Gecos
userGecos=”System User”
# Default User (POSIX and Samba) GID
defaultUserGid=”513”
# Default Computer (Samba) GID
defaultComputerGid=”515”
# Skel dir
skeletonDir=”/etc/skel”
defaultMaxPasswordAge=”45”
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf ‘logon home’
# directive and/or disable roaming profiles
# Ex: userSmbHome=”\\\\PDC-SMB3\\%U”
#userSmbHome=”\\\\192.168.3.140\\%U”
# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf ‘logon path’
# directive and/or disable roaming profiles
# Ex: userProfile=”\\\\PDC-SMB3\\profiles\\%U”
#userProfile=”\\\\192.168.3.140\\profiles\\%U”
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive=”H:”
#userHomeDrive=”H:”
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript=”startup.cmd” # make sure script file is edited under dos
userScript=”logon.bat”
# Domain appended to the users “mail”-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain=”idealx.com”
mailDomain=”company.com”
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
with_smbpasswd=”0”
smbpasswd=”/usr/bin/smbpasswd”
with_slappasswd=”0”
slappasswd=”/usr/sbin/slappasswd”
# comment out the following line to get rid of the default banner
# no_banner=”1”
configuring smb.conf
[root@ldap smbldap-tools]# cd /etc/samba/
[root@ldap samba]# vim smb.conf
[global]
workgroup = company.xy
netbios name = ldapserver
enable privileges = yes
#interfaces = 192.168.3.131
username map = /etc/samba/smbusers
server string = samba-ldap-pdc
security = user
encrypt passwords = Yes
admin users = root
#min passwd length = 3
obey pam restrictions = No
ldap passwd sync = Yes
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
#time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
#guest account = root
logon script = logon.bat
logon drive =
logon home =
logon path =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=Manager,dc=company,dc=xy
ldap suffix = dc=company,dc=xy
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
#ldap ssl = start_tls
add user script = /usr/local/sbin/smbldap−useradd −m “%u”
ldap delete dn = Yes
add machine script = /usr/local/sbin/smbldap−useradd −w “%u”
add group script = /usr/local/sbin/smbldap−groupadd −p “%g”
add user to group script = /usr/local/sbin/smbldap−groupmod −m “%u” “%g”
delete user from group script = /usr/local/sbin/smbldap-groupmod -x “%u” “%g”
set primary group script = /usr/local/sbin/smbldap-usermod -g “%g” “%u”
#logon script = STARTUP.BAT
;[homes]
;comment = Home Directories
;valid users = %U
;read only = No
;create mask = 0664
;directory mask = 0775
;browseable = No
;[profiles]
;path = /home/samba/profiles
;read only = No
;create mask = 0600
;directory mask = 0700
;browseable = No
;guest ok = Yes
;profile acls = Yes
;csc policy = disable
;force user = %U
;valid users = %U @”Domain Admins”
[netlogon]
path = /home/samba/netlogon/
browseable = No
read only = yes
we are configuring a simple domain controller in this howto. You can allow
roaming profiles and home directories for domain users.
lets configure some directories referenced in /etc/samba/smb.conf
[root@ldap samba]# mkdir /home/samba
[root@ldap samba]# mkdir /home/samba/netlogon
[root@ldap samba]# mkdir /home/samba/profiles
[root@ldap samba]# chmod 1777 /home/samba/profiles [currently we
will not use profile feature]
Samba must know the ldap admin dn password so lets do it
[root@ldap samba]# smbpasswd -w secret
Setting stored password for “cn=Manager,dc=company,dc=xy” in secrets.tdb
[root@ldap samba]#
Now define the domain Secure ID (SID)
[root@ldap samba]# net getlocalsid
SID for domain LDAPSERVER is: S-1-5-21-2815000769-282395026-991120840
[root@ldap samba]#
Replace the raw SID in /etc/opt/IDEALX/smbldap-tools/smbldap.conf with above
mentioned SID.
make sure that smbldap scripts are placed in /usr/local/sbin
otherwise make symbolic link of each script in /usr/local/sbin as this path is
defined in smb.conf
[root@ldap samba]# cd /opt/IDEALX/sbin/
[root@ldap sbin]# ls
configure.pl smbldap-groupmod smbldap-populate smbldap-userdel
smbldap-usershow
smbldap-groupadd smbldap-groupshow smbldap_tools.pm smbldap-userinfo
smbldap-groupdel smbldap-passwd smbldap-useradd smbldap-usermod
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/configure.pl
/usr/local/sbin/configure.pl
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-groupadd
/usr/local/sbin/smbldap-groupadd
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-groupdel
/usr/local/sbin/smbldap-groupdel
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-groupmod
/usr/local/sbin/smbldap-groupmod
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-groupshow
/usr/local/sbin/smbldap-groupshow
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-passwd
/usr/local/sbin/smbldap-passwd
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-populate
/usr/local/sbin/smbldap-populate
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap_tools.pm
/usr/local/sbin/smbldap_tools.pm
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-useradd
/usr/local/sbin/smbldap-useradd
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-userdel
/usr/local/sbin/smbldap-userdel
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-userinfo
/usr/local/sbin/smbldap-userinfo
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-usermod
/usr/local/sbin/smbldap-usermod
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-usershow
/usr/local/sbin/smbldap-usershow
Now add the default base entries
[root@ldap /]# smbldap-populate
Populating LDAP directory for domain company.xy
(S-1-5-21-2815000769-282395026-991120840)
(using builtin directory structure)
adding new entry dc=company,dc=xy
adding new entry ou=Users,dc=company,dc=xy
adding new entry ou=Groups,dc=company,dc=xy
adding new entry ou=Computers,dc=company,dc=xy
adding new entry ou=Idmap,dc=company,dc=xy
adding new entry uid=root,ou=Users,dc=company,dc=xy
adding new entry uid=nobody,ou=Users,dc=company,dc=xy
adding new entry cn=Domain Admins,ou=Groups,dc=company,dc=xy
adding new entry cn=Domain Users,ou=Groups,dc=company,dc=xy
adding new entry cn=Domain Guests,ou=Groups,dc=company,dc=xy
adding new entry cn=Domain Computers,ou=Groups,dc=company,dc=xy
adding new entry cn=Administrators,ou=Groups,dc=company,dc=xy
adding new entry cn=Account Operators,ou=Groups,dc=company,dc=xy
adding new entry cn=Print Operators,ou=Groups,dc=company,dc=xy
adding new entry cn=Backup Operators,ou=Groups,dc=company,dc=xy
adding new entry cn=Replicators,ou=Groups,dc=company,dc=xy
adding new entry sambaDomainName=company.xy,dc=company,dc=xy
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
[root@ldap /]#
adding Domain Security Accounts
for this purpose we will create a ldif file and add the entries at once.
[root@ldap Desktop]# vim dsa.ldif
dn: ou=DSA,dc=company,dc=xy
objectClass: top
objectClass: organizationalUnit
ou: DSA
description: security accounts for LDAP clients
dn: cn=samba,ou=DSA,dc=company,dc=xy
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: sambasecretpwd
cn: samba
dn: cn=nssldap,ou=DSA,dc=company,dc=xy
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: nssldapsecretpwd
cn: nssldap
dn: cn=smbtools,ou=DSA,dc=company,dc=xy
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: smbtoolssecretpwd
cn: smbtools
[root@ldap Desktop]# ldapadd -x -h localhost -D “cn=Manager,dc=company,dc=xy” -f
dsa.ldif -W
Enter LDAP Password:
adding new entry “ou=DSA,dc=company,dc=xy”
adding new entry “cn=samba,,ou=DSA,dc=company,dc=xy”
adding new entry “cn=nssldap,ou=DSA,dc=company,dc=xy”
adding new entry “cn=smbtools,ou=DSA,dc=company,dc=xy”
[root@ldap Desktop]#
Password of each security accoutn can be changed further by the following
command
[root@ldap Desktop]# ldappasswd -x -h localhost -D “cn=Manager,dc=company,dc=xy”
-s password -W cn=samba,ou=DSA,dc=company,dc=xy
now start samba server
[root@ldap Desktop]# /etc/init.d/smb start
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
[root@ldap Desktop]#
Now create a samba user account for UNIX and SAMBA
[root@ldap Desktop]# smbldap-useradd -a -m -c “Muhammad Farrukh Siddique”
mfarrukh
[root@ldap Desktop]# smbldap-passwd mfarrukh
Changing UNIX and samba passwords for mfarrukh
New password:
Retype new password:
[root@ldap Desktop]# useradd mfarrukh
Now create a machine trust account
[root@ldap Desktop]# smbldap-useradd -w client1
Machine trust accoutn must also be in /etc/passwd
[root@ldap Desktop]# useradd -d /dev/null -s /bin/false client1$
($ sign differentiate between user and machine accounts)
lets search a user account
[root@ldap Desktop]# smbldap-usershow mfarrukh
dn: uid=mfarrukh,ou=Users,dc=company,dc=xy
objectClass:
top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSa\\
mAccount
cn: mfarrukh
sn: mfarrukh
givenName: mfarrukh
uid: mfarrukh
uidNumber: 1000
gidNumber: 513
homeDirectory: /home/mfarrukh
loginShell: /bin/bash
gecos: Muhammad Farrukh Siddique
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: Muhammad Farrukh Siddique
sambaSID: S-1-5-21-2815000769-282395026-991120840-3000
sambaPrimaryGroupSID: S-1-5-21-2815000769-282395026-991120840-513
sambaLogonScript: logon.bat
sambaLMPassword: 78BCCAEE08C90E29AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: F9E37E83B83C47A93C2F09F66408631B
sambaPwdLastSet: 1257784838
sambaPwdMustChange: 1261672838
userPassword: {SSHA}2syv4k3FUxv3269R29xbBDnQ6tFaS2Rz
[root@ldap Desktop]#
[root@ldap Desktop]# smbldap-usershow client1$
dn: uid=client1$,ou=Computers,dc=company,dc=xy
objectClass:
top,person,organizationalPerson,inetOrgPerson,posixAccount,sambaSamAccount
cn: client1$
sn: client1$
uid: client1$
uidNumber: 1001
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaSID: S-1-5-21-2815000769-282395026-991120840-1000
displayName: CLIENT1$
sambaAcctFlags: [W ]
sambaNTPassword: A6F443E99DBF9DD0686A90919A9D6967
sambaPwdLastSet: 1243494068
you can search the whole OU by command
ldapsearch -x -b “ou=Users,dc=company,dc=xy” -LLL -D
“cn=Manager,dc=company,dc=xy” -W
Now Everything has been configured successfully.
Last step is to join domain.
Power ON xp machine
set the network settings according to this scenario these will be
IP Address: 192.168.3.145
Subnet Mask: 255.255.255.0
D.Gateway: 192.168.3.1
Primary DNS: 192.168.3.135
Right click on My Computer icon and go to the Properties
under Computer Name tab click on Change button and write the domain name
enter username: root and its password a welcome screen will appear.
Just restart the computer and enter with domain username.
Task completed successfully.
Shuker AlHamdullilah
Best Regards
Muhammad Farrukh