Translation(s): English - Português Brasileiro
This page is a walkthrough of how to set up a Samba Windows NT-style Domain Controller with LDAP as an authentication mechanism.
Windows computers will be able to join the domain as they would a regular Windows NT domain. Users will be able to log on to the domain from Windows machines using the pGina client.
Note: the old, NT-style Domain Controller setup is not to be confused with the newer Samba/ActiveDirectoryDomainController setup available in Samba 4.
Requirements
Setup the OpenLDAP (slapd) server
Optionally, setup an LDAP directory management utility (for example PhpLdapAdmin)
Install Samba
We will now install Samba, which will be used to emulate a Windows NT server.
Install the samba package
Answer no when asked whether you want to modify smb.conf or not
Load the samba schema into OpenLDAP
gunzip -c /usr/share/doc/samba/examples/LDAP/samba.ldif.gz > samba.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f samba.ldif
Restart the ldap server: systemctl restart slapd
Create the LDAP directory structure
ToDo: example adding OUs using ldapadd/ldif files
The Samba domain setup requires three OrganizationalUnit objects at the root of your LDAP hierarchy:
ou=users,dc=example,dc=org
ou=groups,dc=example,dc=org
ou=machines,dc=example,dc=org
Configure Samba to use LDAP
Edit the samba server configuration file: nano /etc/samba/smb.conf
We will configure Samba to use the ldapsam account database backend. Replace the default passdb backend=tdbsam with
# which backend will be used for storing user/group information
passdb backend = ldapsam:ldap://127.0.0.1

# base for all ldap suffixes and for storing the sambaDomain object
ldap suffix = dc=example,dc=org

# where machines should be added to the ldap tree.
ldap machine suffix = ou=machines

# where users should be added to the ldap tree.
ldap user suffix = ou=users

# where groups should be added to the ldap tree.
ldap group suffix = ou=groups

# Distinguished Name (DN) used by Samba to contact the LDAP server
# when retrieving user account information
ldap admin dn = cn=admin,dc=example,dc=org

# provide the netlogon service for Windows 9X network logons for the
# workgroup it is in.
domain logons = yes

# honor privileges assigned to specific SIDs via net rpc rights
enable privileges = yes
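The three OUs and the ldap suffix settings above have to agree: Samba appends each `ldap ... suffix` value to `ldap suffix`, and a typo on either side means ldapsam searches a branch that does not exist. The following script is an added example, not part of the wiki page or of Samba itself; it reads the suffix parameters from an smb.conf fragment (a constructed copy of the one above) and emits the matching OU entries as LDIF, covering the ToDo about adding OUs with ldapadd/ldif files. The `apply_ous` helper runs `ldapadd` over the local socket as the `ldap admin dn` only when called explicitly.

```shell
#!/bin/sh
# Added example (not from the Debian wiki page): derive the user, group and
# machine OU entries from the ldap suffix settings in smb.conf so that the
# LDAP tree and Samba's search bases cannot drift apart.

# Constructed smb.conf fragment matching the settings on this page.
SMB_CONF='
[global]
   # which backend will be used for storing user/group information
   passdb backend = ldapsam:ldap://127.0.0.1
   ldap suffix = dc=example,dc=org
   ldap machine suffix = ou=machines
   ldap user suffix = ou=users
   ldap group suffix = ou=groups
   ldap admin dn = cn=admin,dc=example,dc=org
'

# smb_param CONF NAME: print the value of parameter NAME (first match).
# Splits on the first "=" only, because values such as dc=example,dc=org
# contain "=" themselves; comment lines (# or ;) are skipped.
smb_param() {
  printf '%s\n' "$1" | awk -v key="$2" '
    /^[ \t]*[#;]/ { next }
    {
      n = index($0, "="); if (n == 0) next
      k = substr($0, 1, n - 1); v = substr($0, n + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }'
}

# ou_ldif CONF: emit LDIF for the OUs named by the three "ldap ... suffix"
# parameters, each placed directly under "ldap suffix", which is exactly
# where ldapsam will look for users, groups and machines.
ou_ldif() {
  base=$(smb_param "$1" "ldap suffix")
  [ -n "$base" ] || { echo "ldap suffix is not set" >&2; return 1; }
  for p in "ldap user suffix" "ldap group suffix" "ldap machine suffix"; do
    ou=$(smb_param "$1" "$p")
    [ -n "$ou" ] || continue
    printf 'dn: %s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' \
      "$ou" "$base" "${ou#ou=}"
  done
}

# apply_ous CONF: load the generated entries with ldapadd over the local
# socket, binding as the admin DN from smb.conf (prompts for its password).
# Only runs when called explicitly, so the file is safe to source offline.
apply_ous() {
  admin=$(smb_param "$1" "ldap admin dn")
  ou_ldif "$1" | ldapadd -x -H ldapi:/// -D "$admin" -W
}

# Usage: ou_ldif "$SMB_CONF" to preview the LDIF, apply_ous "$SMB_CONF" to
# load it; pass "$(cat /etc/samba/smb.conf)" instead of the sample on a host.
```

On a real host, compare the preview against `ldapsearch -x -b dc=example,dc=org '(objectClass=organizationalUnit)' dn` before loading; an OU that already exists makes `ldapadd` stop with "Already exists", which is harmless but hides the missing ones that follow.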
- Test the configuration, set the samba password and restart the service:
testparm
smbpasswd -w password
systemctl restart samba
Using slapcat/ldapsearch, verify that a DomainName record was added at the root of the LDAP tree. (ToDo: add example commands)
create the following Samba3 Mappings under ou=groups:
Unix/Windows Name: admins GID: 20000 SID ending number: 512
Unix/Windows Name: users GID: 20001 SID ending number: 513
Unix/Windows Name: guests GID: 20002 SID ending number: 514
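The SID ending numbers 512, 513 and 514 are the well-known RIDs of Domain Admins, Domain Users and Domain Guests, and they only take effect as suffixes of this domain's own SID, the one stored in the sambaDomain entry that the previous step asks you to verify. The script below is an added example, not from the wiki page or Samba; it covers the ToDo about example commands by parsing the LDIF that `ldapsearch` returns for the sambaDomain and sambaGroupMapping entries (a constructed sample is embedded, with the guests mapping deliberately carrying a foreign SID prefix) and checking that each mapping's `sambaSID` is `<domain SID>-<RID>`.

```shell
#!/bin/sh
# Added example (not from the Debian wiki page): verify the sambaDomain entry
# and the three group mappings. A mapping whose sambaSID has another domain's
# prefix is accepted by LDAP but never resolves to the well-known group.

# Constructed sample in the shape of
#   ldapsearch -x -LLL -b dc=example,dc=org \
#     '(|(objectClass=sambaDomain)(objectClass=sambaGroupMapping))'
# The guests entry deliberately carries a SID from a different domain.
SAMPLE_LDIF='dn: sambaDomainName=EXAMPLE,dc=example,dc=org
objectClass: sambaDomain
sambaDomainName: EXAMPLE
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: cn=admins,ou=groups,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: admins
gidNumber: 20000
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-512
sambaGroupType: 2

dn: cn=users,ou=groups,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: users
gidNumber: 20001
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-513
sambaGroupType: 2

dn: cn=guests,ou=groups,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: guests
gidNumber: 20002
sambaSID: S-1-5-21-9999999999-8888888888-7777777777-514
sambaGroupType: 2
'

# entry_attr LDIF OBJECTCLASS ATTR [CN]: print ATTR from the first entry that
# has the given objectClass (and, if CN is given, that cn). LDIF entries are
# separated by blank lines, so awk paragraph mode (RS="") gives one entry
# per record and attribute order inside the entry does not matter.
entry_attr() {
  printf '%s\n' "$1" | awk -v oc="$2" -v attr="$3" -v want="${4:-}" '
    BEGIN { RS = ""; FS = "\n" }
    {
      hit = 0; cn = ""; val = ""
      for (i = 1; i <= NF; i++) {
        if ($i == ("objectClass: " oc)) hit = 1
        if ($i ~ /^cn: /) cn = substr($i, 5)
        if (index($i, attr ": ") == 1) val = substr($i, length(attr) + 3)
      }
      if (hit && (want == "" || cn == want) && val != "") { print val; exit }
    }'
}

domain_sid() { entry_attr "$1" sambaDomain sambaSID; }
group_sid()  { entry_attr "$1" sambaGroupMapping sambaSID "$2"; }

# check_mapping LDIF GROUP RID: succeed only when GROUP's sambaSID equals
# <domain SID>-<RID>, i.e. the mapping really belongs to this domain.
check_mapping() {
  dom=$(domain_sid "$1")
  [ -n "$dom" ] || { echo "no sambaDomain entry found" >&2; return 1; }
  [ "$(group_sid "$1" "$2")" = "$dom-$3" ]
}

# check_all LDIF: run the three mappings from this page, one line each;
# returns non-zero if any of them is missing or mismatched.
check_all() {
  rc=0
  for pair in admins:512 users:513 guests:514; do
    g=${pair%:*}; r=${pair#*:}
    if check_mapping "$1" "$g" "$r"; then echo "ok       $g -> RID $r"
    else echo "MISMATCH $g: expected $(domain_sid "$1")-$r"; rc=1; fi
  done
  return $rc
}

# Usage on a host: check_all "$(ldapsearch -x -LLL -b dc=example,dc=org \
#   '(|(objectClass=sambaDomain)(objectClass=sambaGroupMapping))')"
```

`net getlocalsid` prints the SID Samba itself believes in; if it differs from the sambaDomain entry, Samba was started before `smbpasswd -w` stored the admin password and wrote a fresh domain object, and the mappings have to be checked against whichever SID is kept.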
Setup LDAP-backed authentication for Linux accounts (NSS with libnss-ldapd, PAM with libpam-ldapd), using:
ldap://127.0.0.1/ as LDAP server URI
dc=example,dc=org as search base
3 as Samba version
cn=admin,dc=example,dc=org as the LDAP admin account (replace with your own value if different)
Verify that users, guests, and admins are retrieved by executing: getent group
Page refactoring in progress below this point
Configure Server to authenticate locally using LDAP
aptitude install libpam-ldap
Answer yes
Answer no
Enter the admin profile - cn=admin,dc=buster,dc=lan (replace with your domain structure)
Enter your admin password
vim /etc/pam.d/common-account
add the following to the end of the file:
account sufficient pam_ldap.so
account required pam_unix.so try_first_pass
vim /etc/pam.d/common-auth
add the following line to the beginning of the file (the module type is auth, since common-auth is the auth stack; a password-type line here would never be consulted for logins):
auth sufficient pam_ldap.so
restart ssh and samba
/etc/init.d/ssh restart (if ssh is installed)
/etc/init.d/samba restart
install nscd
aptitude install nscd
vim /etc/samba/smb.conf
add the following line to the file:
ldap password sync=yes
Setup users in the Domain
log back into phpldapadmin and create the following Samba3 Users under the users OU:
First Name | Last Name | username | UID | SID ending | Group | Home Directory
Domain | Admin | administrator | 10000 | 21000 | admins | /home/buster/administrator
(your) | (name) | (username) | 10001 | 21001 | admins | /home/buster/(username)
verify the new users are in the database:
getent passwd
create home directory
mkdir /home/buster
mkdir /home/buster/(username)
cp /etc/skel/.* /home/buster/(username)
chown -R (username):users /home/buster/(username)
Create Machine accounts for domain members
log back into phpldapadmin and create a Samba3 machine account under the machines OU:
Machine Name | UID
(machinename)$ | 30000
smbpasswd -a root
enter your root password
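The two phpldapadmin forms above hide what actually lands in the directory: a user and a machine are both posixAccount plus sambaSamAccount entries, differing in the trailing `$` on the machine name, the `sambaAcctFlags` value (`[U ]` for a user, `[W ]` for a workstation) and the absence of a usable shell. The script below is an added example, not from the wiki page or Samba, that emits such entries as LDIF with the `sambaSID` derived from a constructed domain SID, and a small check that no two accounts share a `uidNumber`, since a collision makes two domain principals the same Unix identity. The RID for the machine and the gidNumber arguments are assumptions; the page gives only the UID for machines.

```shell
#!/bin/sh
# Added example (not from the Debian wiki page): LDIF for a domain user and a
# machine account in the shape ldapsam expects, plus a uidNumber collision
# check. Password hashes are deliberately not written here; set them with
# smbpasswd -a NAME afterwards, which stores sambaNTPassword via ldap admin dn.

DOMAIN_SID='S-1-5-21-1111111111-2222222222-3333333333'   # constructed value
BASE='dc=example,dc=org'

# user_ldif NAME UID RID GID HOME: person + posixAccount + sambaSamAccount.
# sambaSID must be <domain SID>-<RID>; the page's "SID ending" column is the RID.
user_ldif() {
  printf 'dn: uid=%s,ou=users,%s\n' "$1" "$BASE"
  printf 'objectClass: top\nobjectClass: person\nobjectClass: posixAccount\n'
  printf 'objectClass: sambaSamAccount\n'
  printf 'cn: %s\nsn: %s\nuid: %s\nuidNumber: %s\ngidNumber: %s\n' \
    "$1" "$1" "$1" "$2" "$4"
  printf 'homeDirectory: %s\nloginShell: /bin/bash\n' "$5"
  printf 'sambaSID: %s-%s\nsambaAcctFlags: [U          ]\n\n' "$DOMAIN_SID" "$3"
}

# machine_ldif HOST UID RID GID: same structure, but the account name carries
# the trailing "$", the flags mark a workstation and nothing can log in with it.
machine_ldif() {
  printf 'dn: uid=%s$,ou=machines,%s\n' "$1" "$BASE"
  printf 'objectClass: top\nobjectClass: person\nobjectClass: posixAccount\n'
  printf 'objectClass: sambaSamAccount\n'
  printf 'cn: %s$\nsn: %s$\nuid: %s$\nuidNumber: %s\ngidNumber: %s\n' \
    "$1" "$1" "$1" "$2" "$4"
  printf 'homeDirectory: /dev/null\nloginShell: /bin/false\n'
  printf 'sambaSID: %s-%s\nsambaAcctFlags: [W          ]\n\n' "$DOMAIN_SID" "$3"
}

# uid_collisions: read LDIF on stdin and print every uidNumber that occurs in
# more than one entry. Empty output means the numbering scheme (users from
# 10000, machines from 30000 on this page) is still consistent.
uid_collisions() {
  awk '/^uidNumber: / { c[$2]++ } END { for (u in c) if (c[u] > 1) print u }'
}

# Usage: { user_ldif administrator 10000 21000 20000 /home/buster/administrator
#          machine_ldif pc01 30000 61000 20001; } | uid_collisions
# then pipe the same LDIF into ldapadd -x -H ldapi:/// -D cn=admin,$BASE -W.
```

`getent passwd administrator` and `getent passwd 'pc01$'` should both resolve once libnss-ldapd is in place; the machine account only has to exist for the domain join, so it never needs a home directory on disk.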
Join a windows client to the domain
go to your Windows machine, right-click on My Computer and select Properties
on the Computer Name tab select Change
select the Domain radio button, enter buster.lan and click OK
enter root for the username
enter your root password
you should see a "Welcome to the buster.lan domain" message; after a reboot you can log in with a user from your LDAP database.
CategoryNetwork | CategorySoftware | CategorySystemAdministration | CategoryObsolete | ToDo: merge with other Samba pages