Differences between revisions 1 and 32 (spanning 31 versions)
Revision 1 as of 2007-05-03 00:53:09
Size: 4975
Editor: ?BobBobly
Comment:
Revision 32 as of 2021-01-17 16:14:38
Size: 6026
Editor: nodiscc
Comment: WIP refactoring, cleanup

Translation(s): English - Português Brasileiro

This page is a walkthrough of how to set up a Samba Windows NT-style Domain Controller with LDAP as an authentication mechanism.

Windows computers will be able to join the domain as they would a regular Windows NT domain. Users will be able to log on to the domain from Windows machines using the pGina client.

Note: the old, NT-style Domain Controller setup is not to be confused with the newer Samba/ActiveDirectoryDomainController setup available in Samba 4.

Page refactoring in progress below this point

Requirements

  • Set up the OpenLDAP (slapd) server

  • Optionally, set up an LDAP directory management utility (for example PhpLdapAdmin)

Install Samba

We will now install Samba, which will be used to emulate a Windows NT server.

  • Install the samba package

  • Answer no when asked whether you want to modify smb.conf or not

  • Load the samba schema into OpenLDAP:

gunzip -c /usr/share/doc/samba/examples/LDAP/samba.ldif.gz > samba.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f samba.ldif

  • Restart the LDAP server: systemctl restart slapd

Configure the Domain structure in LDAP

Through phpLDAPadmin we are going to configure the domain structure.
open a web browser and go to: https://pdc/phpldapadmin/ (replace pdc with your server name or IP, replace https with http if phpldapadmin does not use SSL)
login with the following user:

cn=admin,dc=buster,dc=lan

use the password entered when you installed LDAP
expand the root node and then click on “Create new entry here”
select OU and click “proceed”
enter users for the OU name and click “Create object”
repeat the previous three steps and create two other OUs called “groups” and “machines” (these three OUs are the ones the ldap user/group/machine suffix settings in smb.conf refer to)

Configure Samba to use LDAP

Now configure Samba to use LDAP.

vim /etc/samba/smb.conf

find:

passdb backend = tdbsam

and replace it with (the ldap admin dn must be the slapd admin DN under your ldap suffix):

passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=buster,dc=lan
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap admin dn = cn=admin,dc=buster,dc=lan
ldap delete dn = no

# be a PDC
domain logons = yes

# allow user privileges
enable privileges = yes

Testing the configuration

make sure testparm executes successfully:

testparm

Store the LDAP admin password (the one chosen when slapd was installed) in Samba's secrets.tdb, then restart Samba:

smbpasswd -w password   (replace password with your LDAP admin password)
/etc/init.d/samba restart

Log back into phpldapadmin and verify that the domain record (sambaDomainName) exists below the root
create the following Samba3 Mappings under the groups OU:

Unix/Windows Name   GID     SID ending number (RID)
admins              20000   512
users               20001   513
guests              20002   514
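As an added example (not part of the original wiki page), the following Python builds the LDAP entries that the phpLDAPadmin "Samba3 Mapping" template creates for the table above, showing that each group's sambaSID is simply the domain SID with the RID (the "SID ending number") appended. The domain SID is a constructed placeholder; take the real one from `net getlocalsid`.

```python
# Added example, not from the wiki page: generate the posixGroup + sambaGroupMapping
# entries for the three domain groups of the walkthrough as LDIF.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder
GROUP_SUFFIX = "ou=groups,dc=buster,dc=lan"

# (Unix/Windows name, gidNumber, RID) exactly as in the table above; 512/513/514
# are the well-known RIDs of Domain Admins, Domain Users and Domain Guests.
GROUP_MAPPINGS = [("admins", 20000, 512), ("users", 20001, 513), ("guests", 20002, 514)]


def group_sid(domain_sid, rid):
    """A domain group's sambaSID is the domain SID with the RID appended."""
    if not domain_sid.startswith("S-1-5-21-"):
        raise ValueError("not a domain SID: %s" % domain_sid)
    return "%s-%d" % (domain_sid, rid)


def group_mapping_ldif(name, gid, rid, domain_sid=DOMAIN_SID):
    """LDIF for one group entry; sambaGroupType 2 marks it as a domain group."""
    lines = [
        "dn: cn=%s,%s" % (name, GROUP_SUFFIX),
        "objectClass: top",
        "objectClass: posixGroup",
        "objectClass: sambaGroupMapping",
        "cn: %s" % name,
        "gidNumber: %d" % gid,
        "sambaSID: %s" % group_sid(domain_sid, rid),
        "sambaGroupType: 2",
        "displayName: %s" % name,
    ]
    return "\n".join(lines) + "\n"


def all_mappings_ldif(domain_sid=DOMAIN_SID):
    """All three entries, separated by blank lines as ldapadd expects."""
    return "\n".join(group_mapping_ldif(n, g, r, domain_sid) for n, g, r in GROUP_MAPPINGS)


if __name__ == "__main__":
    # Save the output and load it with: ldapadd -x -D cn=admin,dc=buster,dc=lan -W -f groups.ldif
    print(all_mappings_ldif())
```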

Install libnss-ldap so that LDAP users and groups are visible to the system:

aptitude install libnss-ldap

Enter the server name as ldap://127.0.0.1/ when prompted
put in the search base as dc=buster,dc=lan (replace with your domain structure)
put in the samba version as 3
enter the admin profile as cn=admin,dc=buster,dc=lan (replace with your domain structure)
enter the admin password
accept with OK

vim /etc/nsswitch.conf

add “ldap” after every “compat” entry (passwd, group and shadow)

verify that users, guests, and admins exist by executing:

getent group

Configure Server to authenticate locally using LDAP

aptitude install libpam-ldap

Answer yes
Answer no
Enter the admin profile - cn=admin,dc=buster,dc=lan (replace with your domain structure)
Enter your admin password

vim /etc/pam.d/common-account

add the following to the end of the file:

account         sufficient      pam_ldap.so
account         required        pam_unix.so     try_first_pass

vim /etc/pam.d/common-auth

add the following line to the beginning of the file (it must be an auth line: common-auth is the auth stack, a password line there would not apply to logins):

auth sufficient pam_ldap.so
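The following Python, added here and not part of the wiki page, checks the smb.conf fragment from the "Configure Samba to use LDAP" section and the PAM fragments above for two slips that are easy to make when adapting them: an ldap admin dn whose base differs from the ldap suffix, and a line of the wrong module type in common-auth. The inputs at the bottom are constructed.

```python
# Added example, not from the wiki page: offline sanity checks for the smb.conf
# ldapsam settings and the /etc/pam.d/common-* fragments of this walkthrough.
import re


def parse_smb_conf(text):
    """Turn 'key = value' lines into a dict; comments, blank lines and [sections] are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        conf[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return conf


def check_smb_conf(text):
    """Return the list of problems with the ldapsam settings (empty list means OK)."""
    conf, problems = parse_smb_conf(text), []
    if not conf.get("passdb backend", "").startswith("ldapsam"):
        problems.append("passdb backend must be ldapsam:ldap://...")
    suffix = conf.get("ldap suffix", "").replace(" ", "").lower()
    admin_dn = conf.get("ldap admin dn", "").replace(" ", "").lower()
    if not suffix or not admin_dn.endswith("," + suffix):
        problems.append("ldap admin dn %r is not under ldap suffix %r" % (admin_dn, suffix))
    for key in ("ldap user suffix", "ldap group suffix", "ldap machine suffix"):
        if "dc=" in conf.get(key, "").lower():
            problems.append("%s must be relative to ldap suffix (ou=... only)" % key)
    if conf.get("domain logons", "").lower() != "yes":
        problems.append("domain logons = yes is required for a PDC")
    return problems


def check_pam_file(name, text):
    """Every module line in /etc/pam.d/common-<type> must be of that type (auth, account, ...)."""
    expected, problems = name.rsplit("-", 1)[-1], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == "#" or line.startswith("@include"):
            continue
        if line.split()[0] != expected:
            problems.append("%s: '%s' is not a line of type %s" % (name, line, expected))
    return problems


# Constructed inputs: an smb.conf fragment whose admin dn lives under a different
# base than the suffix, and a common-auth file with a line of the wrong type.
SMB_CONF_BAD = """passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=buster,dc=lan
ldap user suffix = ou=users
ldap admin dn = cn=admin,dc=nomis52,dc=net
domain logons = yes   # be a PDC
"""
COMMON_AUTH_BAD = "password sufficient pam_ldap.so\nauth required pam_unix.so nullok_secure\n"
```

Run `check_smb_conf(open("/etc/samba/smb.conf").read())` and `check_pam_file("common-auth", open("/etc/pam.d/common-auth").read())` on the real files; an empty list means the fragment is consistent.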

restart ssh and samba

/etc/init.d/ssh restart (if ssh is installed)
/etc/init.d/samba restart

install nscd (it caches the LDAP lookups done through NSS):

aptitude install nscd

add the following line to /etc/samba/smb.conf, so that a Samba password change also updates the LDAP password:

vim /etc/samba/smb.conf

ldap password sync=yes

Setup users in the Domain

log back into phpldapadmin and create the following Samba3 Users under the users OU:

First Name   Last Name   username        UID     SID ending   Group    Home Directory
Domain       Admin       administrator   10000   21000        admins   /home/buster/administrator
(your)       (name)      (username)      10001   21001        admins   /home/buster/(username)

verify the new users are in the database:

getent passwd

create the home directory and copy the skeleton files into it:

mkdir /home/buster
mkdir /home/buster/(username)
cp /etc/skel/.* /home/buster/(username)
chown -R (username):users /home/buster/(username)

Create Machine accounts for domain members

log back into phpldapadmin and create a Samba3 Machine account under the machines OU (the machine name ends with a “$”):

Machine Name     UID
(machinename)$   30000

smbpasswd -a root

enter a password for the root Samba account (it is the account used when joining machines to the domain)

Join a windows client to the domain

go to your Windows machine, right-click on My Computer and select Properties
on the Computer Name tab select Change
select the Domain radio button, enter buster.lan and click OK
enter root for the username
enter the root Samba password set above
you should see a “Welcome to the buster.lan domain” message; reboot, and you can then log in using a user from your LDAP database.


CategoryNetwork | CategorySoftware | CategorySystemAdministration | CategoryObsolete | ToDo: merge with other Samba pages