Samba Primary Domain Controller with LDAP How-To: a replacement for Windows 2003 / 2008 Active Directory Services

Written by: Muhammad Farrukh Siddique (LPIC)

Scenario: we are going to configure a Linux-based Primary Domain Controller using Samba, which will authenticate the domain users through LDAP.

Domain Name : OSFP.org.pk

Hostname             IP address     Operating system
dns.OSFP.org.pk      192.168.1.253  Red Hat 5
ldap.OSFP.org.pk     192.168.1.140  CentOS 5.3
client1.OSFP.org.pk  192.168.1.145  Windows XP Service Pack 2
client2.OSFP.org.pk  192.168.1.150  Windows XP Service Pack 2

The default gateway of all the servers is 192.168.1.1, which is the IP of the DSL router used for Internet access.

Required packages (minimum version numbers):

1) DNS packages:
bind 9.3 or higher
bind-chroot 9.3 or higher
bind-utils 9.3 or higher
bind-libs 9.3 or higher

2) OpenLDAP packages:
openldap 2.3 or higher
openldap-clients 2.3 or higher
openldap-devel 2.3 or higher
compat-openldap 2.3 or higher
python-ldap 2.2 or higher
ldapjdk 4.18 or higher
php-ldap 5.1 or higher
nss_ldap 253-17

3) Samba packages:
samba 3.0 or higher
samba-common 3.0 or higher
samba-client 3.0 or higher

4) samba-ldap tools:
perl-Crypt-SmbHash 0.12-1.2.el5
perl-Digest-SHA1 2.11-1.2.1
perl-Jcode 2.06-1.el5
perl-Unicode-Map 0.112-1.el5
perl-Unicode-Map8 0.12-1.el5
perl-Unicode-MapUTF8 1.11-1.2.el5
perl-Unicode-String 2.09-1.2.el5
smbldap-tools 0.9.2-1a

Note: for now we disable SELinux and the iptables firewall on each Linux machine; after the setup is complete and working, we will re-enable the firewall and open tcp port 53 for DNS and tcp port 389 for LDAP.
After installing all the packages, we configure DNS first, including the records the LDAP clients need.

Let's check the network settings on the DNS server.

[root@dns /]# vim /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=dns

[root@dns /]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:0C:29:D4:54:7D
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=192.168.1.253
GATEWAY=192.168.1.1
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes

[root@dns /]# vim /etc/resolv.conf
nameserver 192.168.1.253
search OSFP.org.pk

[root@dns /]# /etc/init.d/network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
[root@dns /]#

DNS configuration:
[root@dns ~]# cd /var/named/chroot/etc/
[root@dns etc]# vim named.conf

options
{
    directory "/var/named"; // the default
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";
};

zone "." IN {
    type hint;
    file "named.root";
};

zone "localhost" IN {
    type master;
    file "localhost.fwd";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "localhost.rev";
    allow-update { none; };
};

zone "OSFP.org.pk" IN {
    type master;
    file "OSFP.org.pk.fwd";
    allow-update { none; };
};

// reverse zone for the 192.168.1.0/24 network used in this scenario
zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "OSFP.org.pk.rev";
    allow-update { none; };
};

Now we will create the zone files.
[root@dns etc]# cd /var/named/chroot/var/named/
[root@dns named]# vim named.root

. 6D IN NS A.ROOT-SERVERS.NET.
. 6D IN NS B.ROOT-SERVERS.NET.
. 6D IN NS C.ROOT-SERVERS.NET.
. 6D IN NS D.ROOT-SERVERS.NET.
. 6D IN NS E.ROOT-SERVERS.NET.
. 6D IN NS F.ROOT-SERVERS.NET.
. 6D IN NS G.ROOT-SERVERS.NET.
. 6D IN NS H.ROOT-SERVERS.NET.
. 6D IN NS I.ROOT-SERVERS.NET.
. 6D IN NS J.ROOT-SERVERS.NET.
. 6D IN NS K.ROOT-SERVERS.NET.
. 6D IN NS L.ROOT-SERVERS.NET.
. 6D IN NS M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
B.ROOT-SERVERS.NET. 6D IN A 192.228.79.201
C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12
D.ROOT-SERVERS.NET. 6D IN A 128.8.10.90
E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10
F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241
G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4
H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53
I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17
J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30
K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129
L.ROOT-SERVERS.NET. 6D IN A 199.7.83.42
M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33
[root@dns named]# vim localhost.fwd
$ORIGIN localhost.
$TTL 86400
@ IN SOA dns.OSFP.org.pk. hostmaster.OSFP.org.pk. (
    20090526 ; Serial number
    3H       ; Refresh (3 hours)
    15M      ; Retry (15 minutes)
    1W       ; Expire (1 week)
    1D )     ; Minimum TTL (1 day)
@ IN NS dns.OSFP.org.pk.

localhost. IN A 127.0.0.1

[root@dns named]# vim localhost.rev

$ORIGIN 0.0.127.in-addr.arpa.
$TTL 86400
@ IN SOA dns.OSFP.org.pk. hostmaster.OSFP.org.pk. (
    20090526 ; Serial number
    3H       ; Refresh (3 hours)
    15M      ; Retry (15 minutes)
    1W       ; Expire (1 week)
    1D )     ; Minimum TTL (1 day)
@ IN NS dns.OSFP.org.pk.

1.0.0.127.in-addr.arpa. IN PTR localhost.
[root@dns named]# vim OSFP.org.pk.fwd
$ORIGIN OSFP.org.pk.
$TTL 86400
@ IN SOA dns.OSFP.org.pk. hostmaster.OSFP.org.pk. (
    20090526 ; Serial number
    3H       ; Refresh (3 hours)
    15M      ; Retry (15 minutes)
    1W       ; Expire (1 week)
    1D )     ; Minimum TTL (1 day)
@ IN NS dns.OSFP.org.pk.

dns.OSFP.org.pk. IN A 192.168.1.253
ldap.OSFP.org.pk. IN A 192.168.1.140
client1.OSFP.org.pk. IN A 192.168.1.145
client2.OSFP.org.pk. IN A 192.168.1.150

; SRV records that let domain clients locate the LDAP server
_ldap._tcp.OSFP.org.pk. IN SRV 0 0 389 ldap.OSFP.org.pk.
_ldap._tcp.dc._msdcs.OSFP.org.pk. IN SRV 0 0 389 ldap.OSFP.org.pk.
[root@dns named]# vim OSFP.org.pk.rev

$ORIGIN 1.168.192.in-addr.arpa.
$TTL 86400
@ IN SOA dns.OSFP.org.pk. hostmaster.OSFP.org.pk. (
    20090526 ; Serial number
    3H       ; Refresh (3 hours)
    15M      ; Retry (15 minutes)
    1W       ; Expire (1 week)
    1D )     ; Minimum TTL (1 day)
@ IN NS dns.OSFP.org.pk.

253.1.168.192.in-addr.arpa. IN PTR dns.OSFP.org.pk.
140.1.168.192.in-addr.arpa. IN PTR ldap.OSFP.org.pk.
145.1.168.192.in-addr.arpa. IN PTR client1.OSFP.org.pk.
150.1.168.192.in-addr.arpa. IN PTR client2.OSFP.org.pk.
Now start the DNS daemon, named:

[root@dns named]# /etc/init.d/named start
Starting named: [ OK ]
[root@dns named]#

Make sure that the named service starts automatically at boot:

[root@dns named]# chkconfig --level 235 named on

Now we will test the newly configured DNS:

[root@dns named]# nslookup
> dns
Server: 192.168.1.253
Address: 192.168.1.253#53

Name: dns.OSFP.org.pk
Address: 192.168.1.253
> ldap
Server: 192.168.1.253
Address: 192.168.1.253#53

Name: ldap.OSFP.org.pk
Address: 192.168.1.140
> 192.168.1.253
Server: 192.168.1.253
Address: 192.168.1.253#53

253.1.168.192.in-addr.arpa name = dns.OSFP.org.pk.
> 192.168.1.140
Server: 192.168.1.253
Address: 192.168.1.253#53

140.1.168.192.in-addr.arpa name = ldap.OSFP.org.pk.
> exit

[root@dns named]#

Everything is fine Alhamdulillah
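The reverse zone must cover the same /24 as the hosts in the forward zone, and every PTR owner name must be derived from the address that the matching A record carries. The script below is an added example, not part of the original how-to: it builds the reverse zone from this scenario's host table and reports any A/PTR mismatch, using the hostnames, addresses and SOA values from this page.

```python
# Added example, not from the original how-to: build the reverse zone for the
# scenario's /24 from its host table and check that A and PTR records agree,
# expanding $ORIGIN the way named does.
import ipaddress
import re

# Host table from the scenario (constructed here from the how-to's values).
HOSTS = {
    "dns.OSFP.org.pk.": "192.168.1.253",
    "ldap.OSFP.org.pk.": "192.168.1.140",
    "client1.OSFP.org.pk.": "192.168.1.145",
    "client2.OSFP.org.pk.": "192.168.1.150",
}
SOA = """$TTL 86400
@ IN SOA dns.OSFP.org.pk. hostmaster.OSFP.org.pk. (
    20090526 ; Serial number
    3H       ; Refresh (3 hours)
    15M      ; Retry (15 minutes)
    1W       ; Expire (1 week)
    1D )     ; Minimum TTL (1 day)
@ IN NS dns.OSFP.org.pk.
"""
FORWARD_ZONE = "$ORIGIN OSFP.org.pk.\n" + SOA + "".join(
    f"{fqdn} IN A {ip}\n" for fqdn, ip in HOSTS.items())

def reverse_origin(network):
    """'192.168.1.0/24' -> '1.168.192.in-addr.arpa.' (reverse zone of the /24)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen != 24:
        raise ValueError("only /24 networks are handled here")
    octets = str(net.network_address).split(".")[:3]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def build_reverse_zone(hosts, network):
    """One PTR per host; owner names are relative to the zone's $ORIGIN."""
    net = ipaddress.ip_network(network, strict=True)
    lines = [f"$ORIGIN {reverse_origin(network)}", SOA]
    for fqdn, ip in sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[1])):
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{fqdn} ({ip}) is outside {network}")
        lines.append(f"{addr.packed[3]} IN PTR {fqdn}")  # last octet, relative name
    return "\n".join(lines) + "\n"

def parse_records(zone_text, rtype):
    """Return {owner FQDN (lowercase): rdata} for one record type."""
    origin, records = ".", {}
    pattern = re.compile(r"^(\S+)\s+(?:\d+\S*\s+)?(?:IN\s+)?" + rtype + r"\s+(\S+)$")
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip ';' comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = pattern.match(line)
        if not m:
            continue
        owner, rdata = m.groups()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"  # relative name -> absolute
        records[owner.lower()] = rdata
    return records

def check_consistency(forward_zone, reverse_zone):
    """List every A/PTR mismatch; an empty list means the zones agree."""
    a_records = parse_records(forward_zone, "A")
    ptr_records = parse_records(reverse_zone, "PTR")
    problems = []
    for fqdn, ip in a_records.items():
        owner = ipaddress.ip_address(ip).reverse_pointer.lower() + "."
        if owner not in ptr_records:
            problems.append(f"no PTR for {fqdn} ({ip}); expected owner {owner}")
        elif ptr_records[owner].lower() != fqdn:
            problems.append(f"{owner} -> {ptr_records[owner]}, not {fqdn}")
    for owner, target in ptr_records.items():
        if target.lower() not in a_records:
            problems.append(f"{owner} -> {target}, which has no A record")
    return problems
```

Feeding a reverse zone whose PTR owners belong to a different /24 than the A records (as in a half-edited zone file) produces one "no PTR" finding per host.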

***********************************************

Let's configure the Primary Domain Controller.

First of all, check the network settings:

[root@ldap /]# vim /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=ldap.OSFP.org.pk

[root@ldap /]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:0C:29:0D:56:74
ONBOOT=yes
TYPE=Ethernet
NETMASK=255.255.255.0
IPADDR=192.168.1.140
GATEWAY=192.168.1.1
USERCTL=no
IPV6INIT=no
PEERDNS=yes

[root@ldap /]# vim /etc/resolv.conf
nameserver 192.168.1.253
search OSFP.org.pk

[root@ldap /]# hostname
ldap.OSFP.org.pk
[root@ldap /]#

Now restart the network service:

[root@ldap /]# /etc/init.d/network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
[root@ldap /]#
Download samba.schema and copy it into the /etc/openldap/schema directory.
Then add the samba.schema include to the LDAP configuration file slapd.conf, together with the access rules and database settings shown below.

[root@ldap ~]# cd /etc/openldap/
[root@ldap openldap]# vim slapd.conf

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

loglevel -1

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

#######################################################################
# Access control (slapdAtts.conf section)
#
# Rules are tried in order and the first "access to" whose target matches
# decides, so the password rule must come first and must not be repeated
# above it. "by" lines are continuation lines and must stay indented.
#######################################################################

# any user can authenticate and change his own password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
    by dn="cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by dn="cn=smbtools,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by dn="cn=nssldap,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by self write
    by anonymous auth
    by * none

# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
    by dn="cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by dn="cn=smbtools,ou=DSA,dc=oxfamnovibpk,dc=org" write
#   by * read

# some attributes can be writable by users themselves
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
    by dn="cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by dn="cn=smbtools,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by self write
#   by * read

# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
    by dn="cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by dn="cn=smbtools,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by self read
#   by * none

# samba needs to be able to create the samba domain account
access to dn.base="dc=oxfamnovibpk,dc=org"
    by dn="cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by dn="cn=smbtools,ou=DSA,dc=oxfamnovibpk,dc=org" write
#   by * none

# samba needs to be able to create new user accounts
access to dn="ou=Users,dc=oxfamnovibpk,dc=org"
    by dn="cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by dn="cn=smbtools,ou=DSA,dc=oxfamnovibpk,dc=org" write
#   by * none

# samba needs to be able to create new group accounts
access to dn="ou=Groups,dc=oxfamnovibpk,dc=org"
    by dn="cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by dn="cn=smbtools,ou=DSA,dc=oxfamnovibpk,dc=org" write
#   by * none

# samba needs to be able to create new computer accounts
access to dn="ou=Computers,dc=oxfamnovibpk,dc=org"
    by dn="cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by dn="cn=smbtools,ou=DSA,dc=oxfamnovibpk,dc=org" write
#   by * none

# this can be omitted but we let it stay because there could be other
# branches in the directory
#access to *
#   by self read
#   by * none

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=oxfamnovibpk,dc=org"
rootdn "cn=Manager,dc=oxfamnovibpk,dc=org"

rootpw secret
# rootpw {crypt}ijFYNcSNctBYg

directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
Check the slapd.conf permissions, which must be:

[root@ldap openldap]# stat slapd.conf
File: `slapd.conf'
Size: 12234 Blocks: 24 IO Block: 4096 regular file
Device: 803h/2051d Inode: 817606 Links: 1
Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 55/ ldap)

[root@ldap openldap]#
[root@ldap openldap]# vim ldap.conf

#HOST 127.0.0.1
BASE dc=oxfamnovibpk,dc=org
URI ldap://127.0.0.1/
TLS_CACERTDIR /etc/openldap/cacerts

Now copy the example database configuration file from /etc/openldap to /var/lib/ldap:

[root@ldap openldap]# cp DB_CONFIG.example /var/lib/ldap/

Rename the DB configuration file:

[root@ldap openldap]# cd /var/lib/ldap/
[root@ldap ldap]# mv DB_CONFIG.example DB_CONFIG
[root@ldap ldap]#

Start the LDAP server:

[root@ldap /]# /etc/init.d/ldap start
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
[root@ldap /]#

Next, configure the LDAP server itself to authenticate against LDAP through pam_ldap and nss_ldap; the name service cache daemon nscd will also be used.

[root@ldap /]# /etc/init.d/nscd start
Starting nscd: [ OK ]
[root@ldap /]#

[root@ldap /]# chkconfig --level 235 nscd on
[root@ldap /]#

[root@ldap /]# setup

run Authentication Configuration

select Cache Information
Use LDAP
Use MD5 Passwords
Use Shadow Passwords
Use LDAP Authentication

Press the Next button

don’t select Use TLS option
Server: ldap://127.0.0.1/
Base DN: dc=oxfamnovibpk,dc=org

Press OK and exit

[root@ldap /]# vim /etc/ldap.conf

host 127.0.0.1

base dc=oxfamnovibpk,dc=org

rootbinddn cn=manager,dc=oxfamnovibpk,dc=org

timelimit 120

bind_timelimit 120

idle_timelimit 3600

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
Create a file ldap.secret in the /etc directory, protected by mode 600, and put in it the LDAP root password (rootpw) defined in slapd.conf:
[root@ldap /]# vim /etc/ldap.secret
secret

[root@ldap /]# chmod 600 /etc/ldap.secret
[root@ldap /]#

****************************************************

smbldap-tools configuration

[root@ldap /]# cd /etc/opt/IDEALX/smbldap-tools/
[root@ldap smbldap-tools]#
[root@ldap smbldap-tools]# vim smbldap_bind.conf
slaveDN="cn=Manager,dc=oxfamnovibpk,dc=org"
slavePw="secret"
masterDN="cn=Manager,dc=oxfamnovibpk,dc=org"
masterPw="secret"

[root@ldap smbldap-tools]# vim smbldap.conf

##############################################################################
#
# General Configuration
#
##############################################################################

SID="S-1-5-21-2815000769-282395026-991120840"

sambaDomain="OSFP.org.pk"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

slaveLDAP="127.0.0.1"

# Slave LDAP port
slavePort="389"

# Master LDAP server: needed for write operations
masterLDAP="127.0.0.1"

# Master LDAP port
masterPort="389"

suffix="dc=oxfamnovibpk,dc=org"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=OSFP.org.pk,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

userLoginShell="/bin/bash"

# Home directory
userHome="/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
#userSmbHome="\\192.168.1.140\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
#userProfile="\\192.168.1.140\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
#userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="oxfamnovibpk.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner=”1″
Configuring smb.conf:

[root@ldap smbldap-tools]# cd /etc/samba/
[root@ldap samba]# vim smb.conf
[global]

workgroup = OSFP.org.pk
netbios name = ldapserver
enable privileges = yes
#interfaces = 192.168.1.131
username map = /etc/samba/smbusers

server string = samba-ldap-pdc
security = user
encrypt passwords = Yes
admin users = root
#min passwd length = 3
obey pam restrictions = No

ldap passwd sync = Yes

log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
#time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1

#guest account = root

logon script = logon.bat
logon drive =
logon home =
logon path =

domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes

passdb backend = ldapsam:ldap://127.0.0.1

ldap admin dn = cn=Manager,dc=oxfamnovibpk,dc=org

ldap suffix = dc=oxfamnovibpk,dc=org
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
#ldap ssl = start_tls
# the smbldap scripts are linked into /usr/local/sbin (see below)
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
#logon script = STARTUP.BAT

;[homes]

;comment = Home Directories
;valid users = %U
;read only = No
;create mask = 0664
;directory mask = 0775
;browseable = No

;[profiles]

;path = /home/samba/profiles
;read only = No
;create mask = 0600
;directory mask = 0700
;browseable = No
;guest ok = Yes
;profile acls = Yes
;csc policy = disable
;force user = %U
;valid users = %U @"Domain Admins"

[netlogon]
path = /home/samba/netlogon/
browseable = No
read only = yes
We are configuring a simple domain controller in this how-to; you can enable roaming profiles and home directories for domain users by activating the commented [homes] and [profiles] shares.

Let's create the directories referenced in /etc/samba/smb.conf:
[root@ldap samba]# mkdir /home/samba
[root@ldap samba]# mkdir /home/samba/netlogon
[root@ldap samba]# mkdir /home/samba/profiles
[root@ldap samba]# chmod 1777 /home/samba/profiles (currently we will not use the profile feature)

Samba must know the LDAP admin DN password, so store it in secrets.tdb:
[root@ldap samba]# smbpasswd -w secret
Setting stored password for “cn=Manager,dc=oxfamnovibpk,dc=org” in secrets.tdb
[root@ldap samba]#

Now determine the domain Security Identifier (SID):
[root@ldap samba]# net getlocalsid
SID for domain LDAPSERVER is: S-1-5-21-2815000769-282395026-991120840
[root@ldap samba]#

Replace the SID in /etc/opt/IDEALX/smbldap-tools/smbldap.conf with the SID shown above.

Make sure the smbldap scripts are available in /usr/local/sbin; otherwise create a symbolic link for each script there, as this is the path used by the add/delete scripts in smb.conf:
[root@ldap samba]# cd /opt/IDEALX/sbin/
[root@ldap sbin]# ls
configure.pl smbldap-groupmod smbldap-populate smbldap-userdel smbldap-usershow
smbldap-groupadd smbldap-groupshow smbldap_tools.pm smbldap-userinfo
smbldap-groupdel smbldap-passwd smbldap-useradd smbldap-usermod
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-useradd /usr/local/sbin/
and so on for the remaining scripts.

Now add the default base entries

[root@ldap /]# smbldap-populate
Populating LDAP directory for domain OSFP.org.pk (S-1-5-21-2815000769-282395026-991120840)
(using builtin directory structure)

adding new entry dc=oxfamnovibpk,dc=org
adding new entry ou=Users,dc=oxfamnovibpk,dc=org
adding new entry ou=Groups,dc=oxfamnovibpk,dc=org
adding new entry ou=Computers,dc=oxfamnovibpk,dc=org
adding new entry ou=Idmap,dc=oxfamnovibpk,dc=org
adding new entry uid=root,ou=Users,dc=oxfamnovibpk,dc=org
adding new entry uid=nobody,ou=Users,dc=oxfamnovibpk,dc=org
adding new entry cn=Domain Admins,ou=Groups,dc=oxfamnovibpk,dc=org
adding new entry cn=Domain Users,ou=Groups,dc=oxfamnovibpk,dc=org
adding new entry cn=Domain Guests,ou=Groups,dc=oxfamnovibpk,dc=org
adding new entry cn=Domain Computers,ou=Groups,dc=oxfamnovibpk,dc=org
adding new entry cn=Administrators,ou=Groups,dc=oxfamnovibpk,dc=org
adding new entry cn=Account Operators,ou=Groups,dc=oxfamnovibpk,dc=org
adding new entry cn=Print Operators,ou=Groups,dc=oxfamnovibpk,dc=org
adding new entry cn=Backup Operators,ou=Groups,dc=oxfamnovibpk,dc=org
adding new entry cn=Replicators,ou=Groups,dc=oxfamnovibpk,dc=org
adding new entry sambaDomainName=OSFP.org.pk,dc=oxfamnovibpk,dc=org

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
[root@ldap /]#

Adding the Domain Security Accounts (DSA): for this purpose we create an LDIF file and add all the entries at once (entries in an LDIF file are separated by a blank line).
[root@ldap Desktop]# vim dsa.ldif
dn: ou=DSA,dc=oxfamnovibpk,dc=org
objectClass: top
objectClass: organizationalUnit
ou: DSA
description: security accounts for LDAP clients

dn: cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: samba
userPassword: sambasecretpwd

dn: cn=nssldap,ou=DSA,dc=oxfamnovibpk,dc=org
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: nssldap
userPassword: nssldapsecretpwd

dn: cn=smbtools,ou=DSA,dc=oxfamnovibpk,dc=org
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: smbtools
userPassword: smbtoolssecretpwd

[root@ldap Desktop]# ldapadd -x -h localhost -D "cn=Manager,dc=oxfamnovibpk,dc=org" -f dsa.ldif -W
Enter LDAP Password:
adding new entry "ou=DSA,dc=oxfamnovibpk,dc=org"

adding new entry "cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org"

adding new entry "cn=nssldap,ou=DSA,dc=oxfamnovibpk,dc=org"

adding new entry "cn=smbtools,ou=DSA,dc=oxfamnovibpk,dc=org"

[root@ldap Desktop]#

The password of each security account can be changed with ldappasswd:

[root@ldap Desktop]# ldappasswd -x -h localhost -D "cn=Manager,dc=oxfamnovibpk,dc=org" -s password -W cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org

Now start the Samba server:

[root@ldap Desktop]# /etc/init.d/smb start
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
[root@ldap Desktop]#

Now create a user account for both UNIX and Samba:

[root@ldap Desktop]# smbldap-useradd -a -m -c "Muhammad Farrukh Siddique" mfarrukh
[root@ldap Desktop]# smbldap-passwd mfarrukh
Changing UNIX and samba passwords for mfarrukh
New password:
Retype new password:
[root@ldap Desktop]#

Now create a machine trust account

[root@ldap Desktop]# smbldap-useradd -w client1

The machine trust account must also exist in /etc/passwd:
[root@ldap Desktop]# useradd -d /dev/null -s /bin/false client1$
(the trailing $ sign differentiates machine accounts from user accounts)

Let's look up a user account:

[root@ldap Desktop]# smbldap-usershow mfarrukh
dn: uid=mfarrukh,ou=Users,dc=oxfamnovibpk,dc=org
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: mfarrukh
sn: mfarrukh
givenName: mfarrukh
uid: mfarrukh
uidNumber: 1000
gidNumber: 513
homeDirectory: /home/mfarrukh
loginShell: /bin/bash
gecos: Muhammad Farrukh Siddique
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: Muhammad Farrukh Siddique
sambaSID: S-1-5-21-2815000769-282395026-991120840-3000
sambaPrimaryGroupSID: S-1-5-21-2815000769-282395026-991120840-513
sambaLogonScript: logon.bat
sambaLMPassword: 78BCCAEE08C90E29AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: F9E37E83B83C47A93C2F09F66408631B
sambaPwdLastSet: 1257784838
sambaPwdMustChange: 1261672838
userPassword: {SSHA}2syv4k3FUxv3269R29xbBDnQ6tFaS2Rz
[root@ldap Desktop]#

[root@ldap Desktop]# smbldap-usershow client1$
dn: uid=client1$,ou=Computers,dc=oxfamnovibpk,dc=org
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,sambaSamAccount
cn: client1$
sn: client1$
uid: client1$
uidNumber: 1001
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaSID: S-1-5-21-2815000769-282395026-991120840-1000
displayName: CLIENT1$
sambaAcctFlags: [W ]
sambaNTPassword: A6F443E99DBF9DD0686A90919A9D6967
sambaPwdLastSet: 1243494068
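The userPassword value shown above is stored in the {SSHA} scheme selected by hash_encrypt="SSHA" in smbldap.conf (the same form slappasswd emits by default): a SHA-1 digest of the password and a random salt, with the salt appended and the whole base64-encoded. sambaNTPassword, by contrast, is an unsalted hash that NTLM authentication consumes directly, which is why the ACL in slapd.conf restricts both attributes alike. The following is an added example, not code from the how-to or from smbldap-tools; the passwords and salts are constructed, and only the salt length of the page's own value is checked.

```python
# Added example, not from the original how-to: the {SSHA} userPassword scheme
# that smbldap-tools writes when hash_encrypt="SSHA" (and slappasswd emits by
# default): "{SSHA}" + base64( SHA1(password + salt) + salt ).
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest size; every byte after it in the blob is salt


def ssha_hash(password, salt=None):
    """Produce a userPassword value; a random 4-byte salt is used like slappasswd."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored):
    """Return (digest, salt) from a stored {SSHA} value."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len(PREFIX):])
    if len(blob) <= SHA1_LEN:
        raise ValueError("value too short to contain a salt")
    return blob[:SHA1_LEN], blob[SHA1_LEN:]


def ssha_verify(stored, password):
    """Check a candidate password against a stored {SSHA} value (what slapd
    does on a simple bind): recompute with the stored salt and compare."""
    digest, salt = ssha_split(stored)
    calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)  # constant-time comparison


if __name__ == "__main__":
    # Constructed password; the salt makes two users with the same password
    # store different values, unlike the unsalted sambaNTPassword attribute.
    stored = ssha_hash("constructed-example-password")
    print(stored, ssha_verify(stored, "constructed-example-password"))
```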
You can list a whole OU with:

ldapsearch -x -b "ou=Users,dc=oxfamnovibpk,dc=org" -LLL -D "cn=Manager,dc=oxfamnovibpk,dc=org" -W


Now everything has been configured successfully.

The last step is to join the domain.

Power on the XP machine.

Set its network settings; according to this scenario these will be:

IP Address: 192.168.1.145
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.1
Primary DNS: 192.168.1.253

Right-click the My Computer icon and open Properties.
Under the Computer Name tab, click the Change button and enter the domain name.
Enter the username root and its password; a welcome screen will appear.
Restart the computer and log in with a domain username.

I have done it successfully. ALHAMDULILLAH