Samba PDC with Centos Directory Server backend

hostname = ketoprak
domain = sidoel.com
ip address = 192.168.1.100

edit hosts
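# vim /etc/hosts
192.168.1.100 ketoprak.sidoel.com ketoprak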


install directory server
# setup-ds-admin.pl

setup nss
edit ldap.conf

# vim /etc/ldap.conf

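# nss_ldap configuration.  Every process that resolves a user or group through
# /etc/nsswitch.conf reads this file, so it has to stay world-readable -- and
# therefore must not carry a privileged bind password.  The original howto put
# the directory admin DN and its password (binddn/bindpw) here in clear.
host 127.0.0.1

base dc=sidoel,dc=com
# Ordinary passwd/group lookups do not need a bind at all.  Only userPassword
# (for "shadow: ldap") needs a privileged read; nss_ldap does that bind only
# for root, using rootbinddn with the password read from /etc/ldap.secret
# (owner root, mode 0600) instead of from this file.
# NOTE(review): assumes this DN may read userPassword under dc=sidoel,dc=com;
# if not, use a dedicated read-only DN rather than widening the ACIs.
rootbinddn uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
timelimit 120
bind_timelimit 120
idle_timelimit 3600
pam_lookup_policy yes
# nss_ldap accepts repeated nss_base_passwd lines and searches each in turn.
nss_base_passwd         ou=People,dc=sidoel,dc=com?one
# Workstation trust (machine) accounts.  This OU must be the same one that
# "ldap machine suffix" in smb.conf names; otherwise Samba creates/finds the
# machine account where NSS never looks and the domain join fails.
nss_base_passwd         ou=Machines,dc=sidoel,dc=com?one
nss_base_group          ou=Groups,dc=sidoel,dc=com?one
# Local system accounts never need a directory round-trip for initgroups.
nss_initgroups_ignoreusers  root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm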


# vim /etc/nsswitch.conf

# Local files are consulted before the directory: root and the other system
# accounts keep resolving while 389 DS is down, and a directory entry with the
# same name as a local account does not override the local one.
passwd:     files ldap
shadow:     files ldap
group:      files ldap

hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

# netgroup and automount also come from the directory; the remaining nisplus
# entries are the CentOS 5 defaults and are unused here.
netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus



install samba

# yum install samba3x samba3x-client

libtalloc-2.0.1-11.el5.x86_64.rpm
libtdb-1.2.1-5.el5.x86_64.rpm
samba3x-winbind-3.5.4-0.70.el5_6.1.x86_64.rpm
samba3x-3.5.4-0.70.el5_6.1.x86_64.rpm
samba3x-common-3.5.4-0.70.el5_6.1.x86_64.rpm
samba3x-client



Generate the Directory Server version of the Samba schema by converting OpenLDAP's samba.schema:

# cd /usr/share/doc/samba3x-3.5.4/LDAP/
# perl ol-schema-migrate.pl -b samba.schema > ~/61samba.ldif

copy it into the schema directory of your slapd instance
# cp ~/61samba.ldif /etc/dirsrv/slapd-ketoprak/schema/

restart the service (your-instance)
# service dirsrv restart ketoprak


First get the Samba SID for your PDC and remember it: it goes into the sambaSID attribute of the sambaDomainName entry below. The value shown is the one stored in secrets.tdb for the current NetBIOS name; after you rewrite smb.conf and restart, check with `net getlocalsid` and `net getdomainsid` that Samba still reports this value — a SID in secrets.tdb that differs from the sambaSID in LDAP prevents domain logons.
# net getlocalsid
SID for domain KETOPRAK is: S-1-5-21-3965608580-1676198639-4080886704



Edit samba configuration
# cp /etc/samba/smb.conf /etc/samba/smb.conf.orig
# echo "" > /etc/samba/smb.conf
# vi /etc/samba/smb.conf


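[global]
workgroup = SIDOEL
netbios name = KETOPRAK

log file = /var/log/samba/log.%m
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

security = user
passdb backend = ldapsam:ldap://127.0.0.1
# DN Samba binds as for every passdb read/write.  Its password is stored with
# "smbpasswd -w" in secrets.tdb, never in this file.
ldap admin dn = uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
ldap suffix = dc=sidoel,dc=com
ldap user suffix = ou=People
# Must name the same OU that /etc/ldap.conf searches for machine accounts
# (nss_base_passwd ou=Machines,...).  The original said ou=Computers, so a
# workstation trust account would live where NSS never looks and the domain
# join would fail for want of a Unix account.
ldap machine suffix = ou=Machines
ldap group suffix = ou=Groups
# Clear-text LDAP is tolerable only because the directory is on the loopback
# interface.  If it ever moves to another host switch to "ldap ssl = start tls":
# the admin bind above would otherwise cross the network unencrypted.
ldap ssl = off

domain master = yes
domain logons = yes
# Roaming profiles are served by the [profiles] share below; the home drive
# by [homes].
logon path = \\%L\profiles\%u
logon home = \\%L\%u\profiles
logon drive = H:

local master = yes
os level = 65
preferred master = yes

wins support = yes

template shell = /bin/false
winbind use default domain = no

load printers = yes
printcap name = cups
printing = cups

; NOTE(review): no "add machine script" is configured, so the workstation
; trust account has to exist in ou=Machines before a client joins.

[homes]
comment = Home Directories
browseable = no
writable = yes
; %S is the requested share name, i.e. the connecting user's own login name
valid users = %S
create mask = 0775
directory mask = 0775

[printers]
comment = All Printers
path = /var/spool/samba
browseable = yes
; "public" is an alias of "guest ok".  The original set "guest ok = no" and
; later "public = yes"; Samba keeps the last value, so anonymous printing was
; silently enabled.  One setting, stated once.
guest ok = no
writable = yes
printable = yes
create mask = 0700
available = yes
print command = /usr/bin/lpr -P %p -r %s

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = no
writable = no
share modes = no
browseable = no
; "admin users" performs this user's file operations on the share as root;
; keep the list to the domain administrator only.
admin users = Administrator
; %U is the session user name, so this admits every authenticated domain
; user -- exactly what a logon share needs, and nothing more.
valid users = %U

[profiles]
comment = Users profiles
path = /var/lib/samba/profiles
browseable = yes
guest ok = no
read only = no
; 0700 keeps each user's profile readable by its owner only
create mask = 0700
directory mask = 0700
valid users = %U

[public]
comment = Public Stuff
; /home/samba is not created anywhere in this howto -- mkdir it first.
path = /home/samba
; The original had "public = yes" next to "valid users = %U".  %U is empty
; for an anonymous session, and an empty "valid users" means no restriction,
; so that combination most likely exposed a writable anonymous share on the
; PDC.  Guest access is disabled here; turn it on deliberately (guest ok +
; guest account, and drop "writable") if an anonymous drop box is wanted.
guest ok = no
writable = yes
printable = no
valid users = %U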



make netlogon and profile directory

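# mkdir -p /var/lib/samba
# mkdir /var/lib/samba/{netlogon,profiles}
# chown root:root -R /var/lib/samba
# netlogon is read-only for users; only root (via "admin users") writes to it:
# chmod 0755 /var/lib/samba/netlogon
# profiles: each user creates and owns their own profile directory, so the
# directory must be world-writable with the sticky bit (1757, as in the Samba3
# HOWTO).  The original 1755 let only root create entries, so roaming profiles
# could not be stored:
# chmod 1757 /var/lib/samba/profiles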


Setup samba ldap administrator

# smbpasswd -w (ldap-admin-password)
Setting stored password for "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" in secrets.tdb


Importing samba domain name and net group

make sambaDomain entries and save as sambaDomainName.ldif file.

# Domain object Samba reads from LDAP.  sambaSID must be exactly the value
# printed by "net getlocalsid" above; a mismatch means the SIDs Samba issues do
# not belong to this domain object and logons fail.  uidNumber/gidNumber belong
# to sambaUnixIdPool: they are the counters from which Samba allocates the next
# Unix uid/gid for accounts it creates itself.  The value is arbitrary but must
# lie above ids already in use (the 512-515 groups below, local accounts).
dn: sambaDomainName=SIDOEL,dc=sidoel,dc=com
objectclass: sambaDomain
objectclass: sambaUnixIdPool
objectclass: top
sambaDomainName: SIDOEL
sambaSID: S-1-5-21-3965608580-1676198639-4080886704
uidNumber: 550
gidNumber: 550


import to database (note: ldif2ldap takes the bind password as a command-line argument, so it is visible to every user in `ps` output and is saved in the shell history; prefer `ldapadd -x -D "<bind dn>" -W -f <file>`, which prompts for it, or clear the history entry afterwards)

# /usr/lib64/dirsrv/slapd-ketoprak/ldif2ldap "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" admin sambaDomainName.ldif


Create Samba Domain Groups entries and save as sambaGroups.ldif file.

# The well-known Samba domain groups.  gidNumber is the Unix gid NSS reports
# for the group; this howto keeps it equal to the Samba RID (512-515) used in
# the "net groupmap add" commands below.  The two need not be equal, but each
# group must be resolvable through "getent group" before groupmap can map it.
# A posixGroup never authenticates, so "{crypt}x" is a placeholder, not a hash.
dn: cn=Domain Admins,ou=Groups,dc=sidoel,dc=com
objectClass: posixGroup
objectClass: top
cn: Domain Admins
userPassword: {crypt}x
gidNumber: 512

dn: cn=Domain Users,ou=Groups,dc=sidoel,dc=com
objectClass: posixGroup
objectClass: top
cn: Domain Users
userPassword: {crypt}x
gidNumber: 513

dn: cn=Domain Guests,ou=Groups,dc=sidoel,dc=com
objectClass: posixGroup
objectClass: top
cn: Domain Guests
userPassword: {crypt}x
gidNumber: 514

dn: cn=Domain Computers,ou=Groups,dc=sidoel,dc=com
objectClass: posixGroup
objectClass: top
cn: Domain Computers
userPassword: {crypt}x
gidNumber: 515



import to database (the bind password on the command line is visible in `ps` and stored in the shell history — `ldapadd -x -D "<bind dn>" -W -f sambaGroups.ldif` prompts for it instead)

# /usr/lib64/dirsrv/slapd-ketoprak/ldif2ldap "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" admin sambaGroups.ldif


Map samba groups to linux groups

# net groupmap add rid=512 ntgroup='Domain Admins'  unixgroup='Domain Admins'
# net groupmap add rid=513 ntgroup='Domain Users' unixgroup='Domain Users'
# net groupmap add rid=514 ntgroup='Domain Guests' unixgroup='Domain Guests'
# net groupmap add rid=515 ntgroup='Domain Computers' unixgroup='Domain Computers'

# net groupmap list
Domain Admins (S-1-5-21-3965608580-1676198639-4080886704-512) -> Domain Admins
Domain Users (S-1-5-21-3965608580-1676198639-4080886704-513) -> Domain Users
Domain Guests (S-1-5-21-3965608580-1676198639-4080886704-514) -> Domain Guests
Domain Computers (S-1-5-21-3965608580-1676198639-4080886704-515) -> Domain Computers



make ldap admin for samba and save as sambaAdmin.ldif file

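# Samba "Administrator" account (it receives RID 500 in the pdbedit -U step
# further down).  uidNumber/gidNumber 0 make Samba run this user's file
# operations as root -- which also means that, through "passwd: files ldap",
# this entry is a second root account visible to every Unix tool on the PDC.
# Keep it out of interactive use: no valid crypt hash, no login shell.
dn: uid=Administrator,ou=People,dc=sidoel,dc=com
objectClass: top
objectClass: posixaccount
cn: Samba Admin
gidNumber: 0
homeDirectory: /root
uid: Administrator
uidNumber: 0
gecos: Samba Admin
# /bin/false instead of /bin/bash: nothing in this howto needs a shell for
# this account, and it closes an interactive root path should a real hash
# ever land in userPassword (e.g. via "ldap passwd sync").
loginShell: /bin/false
# "{crypt}x" is not a valid hash, so Unix authentication against this entry
# always fails; the Samba (NT) password is set separately with "smbpasswd -a".
userPassword: {crypt}x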



import to ldap database (again the bind password is passed on the command line; `ldapadd -x -D "<bind dn>" -W -f sambaAdmin.ldif` prompts for it and keeps it out of `ps` and the shell history)

# /usr/lib64/dirsrv/slapd-ketoprak/ldif2ldap "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" admin sambaAdmin.ldif


Set the password of the Samba Administrator account (its LDAP entry was imported above). In this example the Samba Administrator password is the same as the LDAP admin password (uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot), namely `admin`. Do not do this on a real domain: this account becomes RID 500 (the domain administrator) and maps to Unix uid 0, so it needs its own strong password, distinct from the directory admin's.

# smbpasswd -a Administrator
New SMB password: admin
Retype new SMB password: admin
Added user Administrator.



Show the Database Samba users

# pdbedit -L 
Administrator:0:Samba Admin



give the account the well-known Administrator SID — RID 500 under your domain SID — so Windows clients recognise it as the domain administrator:
pdbedit -U your_machines_sid-500 -u Administrator

# pdbedit -U S-1-5-21-3965608580-1676198639-4080886704-500 -u Administrator


Start samba and testing samba

#/etc/init.d/smb start
#/etc/init.d/nmb start

you can use debug mode for nmbd
#/usr/sbin/nmbd -d 3 -i 

# smbclient -L localhost -U%
Domain=[SIDOEL] OS=[Unix] Server=[Samba 3.5.4-0.70.el5_6.1]

Sharename       Type      Comment
---------       ----      -------
profiles        Disk      Users profiles
public          Disk      Public Stuff
IPC$            IPC       IPC Service (Samba 3.5.4-0.70.el5_6.1)
Domain=[SIDOEL] OS=[Unix] Server=[Samba 3.5.4-0.70.el5_6.1]

Server               Comment
---------            -------
KETOPRAK             Samba 3.5.4-0.70.el5_6.1

Workgroup            Master
---------            -------
SIDOEL               KETOPRAK



Check that NSS works: the output should list the users and groups from the LDAP database alongside the local ones (the Domain * groups must appear here, or `net groupmap add` above fails with "Can't lookup UNIX group").

# getent passwd
# getent group



Join Domain with WinXP
1. Control Panel -> Network and Internet Connection -> Network Connection -> (right click) properties -> Internet protocol /TCP IP
setup to enable netbios over tcp ip,
2. fill the wins server to your samba/ldap ip 192.168.1.100 ,
3. change computer name with machine name then restart after that change domain name to your samba domain name

For Windows 7 you need to change the following registry settings (save them as a .reg file and import it):

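Windows Registry Editor Version 5.00

; Win7_Samba3DomainMember -- the two values a Windows 7 client needs to join
; an NT4-style (Samba 3) domain, per the Samba wiki linked below.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001

; Speedup settings -- optional roaming-profile tuning, not required for the join
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"SlowLinkDetectEnabled"=dword:00000000
"DeleteRoamingCache"=dword:00000001
"WaitForNetwork"=dword:00000000
"CompatibleRUPSecurity"=dword:00000001

; The original file also switched User Account Control off machine-wide
; (EnableLUA=0).  That is not needed for domain membership and weakens every
; client that imports this file, so it is left disabled here.
; [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
; "EnableLUA"=dword:00000000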


or you can download it at
https://bugzilla.samba.org/attachment.cgi?id=4988&action=view
http://wiki.samba.org/index.php/Windows7

continue with same step like windows XP

reference:

http://directory.fedoraproject.org/wiki/Howto:Samba

Alhamdulillah....

Comments

  1. Done everything but pause on the later part:

    # net groupmap add rid=512 ntgroup='Domain Admins' unixgroup='Domain Admins'
    # net groupmap add rid=513 ntgroup='Domain Users' unixgroup='Domain Users'
    # net groupmap add rid=514 ntgroup='Domain Guests' unixgroup='Domain Guests'
    # net groupmap add rid=515 ntgroup='Domain Computers' unixgroup='Domain Computers'

    Anyone of this command isn't working, it always say's:
    Can't lookup UNIX group Domain Admins

    I tried the ff. as well but didn't succeedd:
    http://forums.fedoraforum.org/showthread.php?t=166966

  2. I get the same problem either,I'm using CentOS 5.7, samba-3.0.33-3.29.el5_6.2 and openldap-2.3.43-12.el5_6.7

    Can anyone here help me please.

    1. yeah, don't screw with the nsswitch.conf file.

      passwd: files sss
      shadow: files sss
      group: files sss

      netgroup: files sss

      don't make it ldap - this is my finding for CentOS 6.2, rather use authconfig-tui or authconfig-gui

  3. hai,
    1. check /etc/ldap.conf at nss_base_group

    nss_base_group ou=Groups,dc=sidoel,dc=com?one

    and make sure the ou,is similar with nss_base_group.the ou are ou=Groups,dc=sidoel,dc=com.

    2. after that, import the samba group using ldif files,

    dn: cn=Domain Admins,ou=Groups,dc=sidoel,dc=com
    objectClass: posixGroup
    objectClass: top
    cn: Domain Admins
    userPassword: {crypt}x
    gidNumber: 512

    and others group,

    3. make sure your group is visible on unix,

    check using "getent group".
    if not visible, recheck using "ldap search" and recheck again at /etc/ldap.conf,don't typo

    4. after samba group visible on unix, then repeat the process again, start mapping using net.

    I hope this help,
    alhamdulillah

  4. Wow real good can you please also show how to add a BDC on diffrent subnet to this config ie new office with master ldap server and bdc server running slave ldap server.
