Revision comment: add links to smbldap-tools manpages
"" Back to Home Page ["BuildingALinuxDomain"] "" = How to create samba3 PDC with ldap backend = == Install LDAP == {{{ aptitude install slapd }}} Enter password for the ldap admin when prompted == Install PHPLDAPADMIN web interface == {{{ aptitude install apache-ssl phpldapadmin }}} Enter your country code when prompted ex. US[[BR]] Enter the name of your state when prompted ex. Utah[[BR]] Enter the name of your city when prompted ex. Salt Lake City[[BR]] Enter your organization when prompted ex. buster.lan[[BR]] Enter your OU name when prompted ex. ITT[[BR]] Enter your host name when prompted ex. pdc.buster.lan[[BR]] Enter the contact email when prompted ex. root@buster.lan[[BR]] == Install MKNTPWD == {{{ wget http://www.nomis52.net/data/mkntpwd.tar.gz tar zxvf mkntpwd.tar.gz cd mkntpwd make cp mkntpwd /usr/local/bin/ }}} |
## page was renamed from SambaDcWithLdapBackend ~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: English - [[pt_BR/SambaDcWithLdapBackend|Português Brasileiro]]-~ This page is a walkthrough of how to set up a [[Samba]] Windows NT-style Domain Controller with LDAP as an authentication mechanism. Windows computers will be able to join the domain as they would a regular Windows NT domain. Users will be able to log on to the domain from Windows machines using the pGina client. {{{#!wiki note '''Note:''' the old, NT-style Domain Controller setup is not to be confused with the newer [[Samba/ActiveDirectoryDomainController]] setup available in Samba 4. }}} <<TableOfContents()>> == Requirements == * [[LDAP/OpenLDAPSetup|Setup the OpenLDAP (slapd) server]] * Optionally, setup a [[LDAP#LDAP_directory_management|LDAP directory management]] utility (for example [[LDAP/phpldapadmin|PhpLdapAdmin]]) |
Line 32: | Line 23: |
{{{ aptitude install make gcc libc-dev samba samba-doc }}} Enter your domain name when prompted ex. buster.lan[[BR]] Answer NO when asked whether you want to modify smb.conf or not[[BR]] {{{ cd /usr/share/doc/samba-doc/examples/LDAP gunzip samba.schema.gz cp samba.schema /etc/ldap/schema/ vim /etc/ldap/slapd.conf }}} add this line after the other include lines: {{{ include /etc/ldap/schema/samba.schema }}} Now restart LDAP {{{ /etc/init.d/slapd restart }}} open a webbrowser and go to: https://pdc/phhldapadmin/ (replace pdc with your server name or IP)[[BR]] login with the following user:[[BR]] {{{ cn=admin,dc=buster,dc=lan }}} use the password entered when you installed LDAP[[BR]] expand the root node and then click on “Create new entry here”[[BR]] select OU and click “proceed”[[BR]] enter users for the OU name and click “Create object”[[BR]] repeat the previous three steps and create two other OUs called “groups” and “machines”[[BR]] {{{ vim /et c/samba/smb.conf }}} find: {{{ passdb backend=tdsam }}} and replace it with: {{{ |
We will now install Samba that will be used to emulate a Windows NT server * [[PackageManagement#Installing.2C_removing.2C_upgrading_software|Install]] the [[DebianPkg:samba]] package * Answer {{{no}}} when asked whether you want to modify {{{smb.conf}}} or not * [[OpenLDAPSetup#Schema_Files|Load the samba schema into OpenLDAP]] {{{ gunzip -c /usr/share/doc/samba/examples/LDAP/samba.ldif.gz > samba.ldif ldapadd -Q -Y EXTERNAL -H ldapi:/// -f samba.ldif }}} * Restart the ldap server: `service slapd restart` == Create the LDAP directory structure == ToDo: example adding OUs using ldapadd/ldif files The Samba domain setup requires three `OrganizationalUnit` objects at the root of your LDAP hierarchy: {{{ ou=users,dc=example,dc=org ou=groups,dc=example,dc=org ou=machines,dc=example,dc=org }}} == Configure Samba to use LDAP == * Edit the samba server configuration file: `nano /etc/samba/smb.conf` * We will configure Samba to use the `ldapsam` account database backend. Replace the default `passdb backend=tdbsam` with {{{ # which backend will be used for storing user/group information |
Line 71: | Line 60: |
ldap suffix = dc=nomis52,dc=net | # base for all ldap suffixes and for storing the sambaDomain object ldap suffix = dc=example,dc=org where machines should be added to the ldap tree. |
Line 73: | Line 65: |
# where users should be added to the ldap tree. | |
Line 74: | Line 67: |
# where groups should be added to the ldap tree. | |
Line 75: | Line 69: |
ldap admin dn = cn=admin,dc=nomis52,dc=net ldap delete dn = no # be a PDC |
# Distinguished Name (DN) name used by Samba to contact the LDAP server # when retreiving user account information ldap admin dn = cn=admin,dc=example,dc=org # provide the netlogon service for Windows 9X network logons for the # workgroup it is in. |
Line 81: | Line 79: |
# allow user privileges | # honor privileges assigned to specific SIDs via net rpc rights |
Line 85: | Line 83: |
make sure testparm executes successfully: | * Test the configuration, set the samba password and restart the service: |
Line 88: | Line 87: |
}}} Set the samba password and restart samba {{{ |
|
Line 93: | Line 88: |
/etc/init.d/samba restart }}} Log back into phpldapadmin and verify that the DomainName record exists below the root[[BR]] create the following Samba3 Mappings under the groups OU:[[BR]] ||Unix/Windows Name||GID||SID ending number|| ||admins||20000||512|| ||users||20001||513|| ||guests||20002||514|| {{{ aptitude install libnss-ldap }}} Enter the server name as ldap://127.0.0.1/ when prompted[[BR]] put in the search base as dc=buster,dc=lan (replace with your domain structure)[[BR]] put in the samba version as 3[[BR]] enter the admin profile as cn=admin,dc=buster,dc=lan (replcae with your domain structure)[[BR]] enter the admin password[[BR]] accept with OK[[BR]] {{{ vim /etc/nsswitch.conf }}} add “ldap” after every compat[[BR]] verify that users, guests, and admins exist by executing: {{{ getent group }}} {{{ aptitude install libpam-ldap }}} Answer yes[[BR]] Answer no[[BR]] Enter the admin profile - cn=admin,dc=buster,dc=lan (replace with your domain structure)[[BR]] Enter your admin password[[BR]] {{{ vim /etc/pam.d/common-account }}} add the following to the end of the file: {{{ account sufficient pam_ldap.so account required pam_unix.so try_first_pass }}} {{{ vim /etc/pam.d/common-auth }}} add the following line to the beginning of the file: {{{ password sufficient pam_ldap.so }}} restart ssh and samaba {{{ /etc/init.d/ssh restart (if ssh is installed) /etc/init.d/samba restart }}} install nscd {{{ aptitude install nscd vim /etc/samba/smb.conf }}} add the following line to the file: {{{ ldap password sync=yes }}} log back into phpldapadmin and create the following Samba3 Users under the users OU: ||First Name||Last Name||username||UID||SID ending||Group||Home Directory|| ||Domain||Admin||adminstrator||10000||21000||admins||/home/buster/adminstrator|| ||(your)||(name)||(username)||10001||21001||admins||/home/buster/(username)|| verify the new users are in the database: |
service smbd restart service nmdb restart }}} * Using slapcat/ldapsearch, verify that a {{{DomainName}}} record was added at the root of the LDAP tree. (ToDo: add example commands) * create the following Samba3 Mappings under {{{ou=groups}}}: {{{ Unix/Windows Name: admins GID: 20000 SID ending number: 512 }}} {{{ Unix/Windows Name: users GID: 20001 SID ending number: 513 }}} {{{ Unix/Windows Name: guests GID: 20002 SID ending number: 514 }}} == Configure authentication using LDAP == The server must be set up to allow local account authentication using accounts stored in LDAP. * [[PackageManagement#Installing.2C_removing.2C_upgrading_software|Install]] the [[DebianPkg:libnss-ldapd]] and [[DebianPkg:libpam-ldapd]] packages. During installation, provide the following configuration: * `ldap://127.0.0.1/` as LDAP server URI * `dc=example,dc=org` as search base, * `3` as Samba version * `cn=admin,dc=example,dc=org` as the LDAP admin account (replace with your own value if different) * Restart the samba service: `service samba restart` * Verify that users, guests, and admins are retrieved by executing: `getent group` See [[NSS#NSS_Setup_with_libnss-ldapd|LDAP/NSS with libnss-ldapd]] and [[PAM#PAM_Setup_with_libpam-ldapd|LDAP/PAM with libpam-ldapd]] for more information To improve performance, you may [[NSS#Offline_caching_of_NSS_with_nscd|setup nscd]] to cache account information locally so that the LDAP server is not queried on every operation. In addition you must then set the following setting in `/etc/samba/smb.conf`: {{{ # sync the LDAP password with the NT and LM hashes for normal accounts # (NOT for workstation, server or domain trusts) on a password change via SAMBA. 
ldap passwd sync = yes }}} == Setup users in the Domain == * In your LDAP directory create the following Samba users under the `ou=users` OU: {{{ First Name: Domain Last Name: Admin Username: adminstrator UID: 10000 SID ending: 21000 Group: admins Home directory: /home/example.org/adminstrator }}} {{{ First Name: My Last Name: Name Username: my.name UID: 10001 SID ending: 21001 Group: admins Home directory: /home/example.org/my.name }}} * Verify that the Domain Controller is abe to access the user accounts: |
Line 172: | Line 168: |
create home directory {{{ mkdir /home/buster mkdir /home/buster/(username) cp /etc/skel/.* /home/buster/(username) chown -R (username):users /home/buster/(username) }}} log back into phpldapadmin and create the a Samba3 machines under the machines OU: ||Machine Name||UID|| ||(machinename)$||30000|| |
* Manually create home directories for your user {{{ mkdir -p /home/example.org/my.name cp /etc/skel/.* /home/example.org/my.name/ chown -R my.name:users /home/example.org/my.name }}} == Join Windows clients to the domain == * Create the Samba 3 machine accounts under the {{{ou=machines}}} OU of your LDAP hierarchy: {{{ Machine name: myclientmachine UID: 30000 }}} * Make sure the Samba server root password is set, you will need it to join the machine to the domain: |
Line 187: | Line 191: |
enter your root password go to your windows machine and right-click on mycomputer and select properties[[BR]] on the name tab select change[[BR]] select the domain radio button and enter buster.lan and click ok[[BR]] enter root for the username[[BR]] enter your root password[[BR]] you should see a welcome to the buster.lan domain message and then reboot and you can log in using user from your LDAP database.[[BR]] |
* Go to your windows machine, right-click `My Computer`, select `Properties` * On the `Name` tab select `Change` * Select the `Domain` radio button and enter `example.org`, click OK * You will be prompted for domain admin credentials to allow the machine to join the domain. Enter `root` for the username and the samba root password. * You should see a `Welcome to the example.org domain` message * Reboot and you can log in using user from your LDAP database. == External links == * [[https://wiki.samba.org/index.php/Samba_&_LDAP| Samba & LDAP - SambaWiki]] * [[https://ubuntu.com/server/docs/samba-openldap-backend|Samba - OpenLDAP Backend - Ubuntu]] * [[https://wiki.samba.org/index.php/3.0:_Initialization_LDAP_Database|Initialization LDAP Database - SambaWiki]] * [[https://ldapwiki.com/wiki/Schema%20for%20Samba%203|Ldapwiki: Schema for Samba 3]] * [[https://spredzy.wordpress.com/2013/08/30/samba-standalone-openldap/|Samba 3.6 standalone + OpenLDAP (CentOS 6)]] * [[https://www.ibm.com/developerworks/linux/tutorials/l-ldapsamba/index.html|LDAP-based authentication for Samba (NT4 Domain Controller) (Fedora, 2006)]] * [[DebianMan:smbldap-groupadd.8]] * [[DebianMan:smbldap-groupdel.8]] * [[DebianMan:smbldap-grouplist.8]] * [[DebianMan:smbldap-groupmod.8]] * [[DebianMan:smbldap-groupshow.8]] * [[DebianMan:smbldap-passwd.8]] * [[DebianMan:smbldap-populate.8]] * [[DebianMan:smbldap-useradd.8]] * [[DebianMan:smbldap-userdel.8]] * [[DebianMan:smbldap-userinfo.8]] * [[DebianMan:smbldap-userlist.8]] * [[DebianMan:smbldap-usermod.8]] * [[DebianMan:smbldap-usershow.8]] ---- CategoryNetwork | CategorySoftware | CategorySystemAdministration |
Translation(s): English - Português Brasileiro
This page is a walkthrough of how to set up a Samba Windows NT-style Domain Controller with LDAP as an authentication mechanism.
Windows computers will be able to join the domain as they would a regular Windows NT domain. Users will be able to log on to the domain from Windows machines using the pGina client.
Note: the old, NT-style Domain Controller setup is not to be confused with the newer Samba/ActiveDirectoryDomainController setup available in Samba 4.
Requirements
- Set up the OpenLDAP (slapd) server (see LDAP/OpenLDAPSetup)
- Optionally, set up an LDAP directory management utility (for example PhpLdapAdmin)
Install Samba
We will now install Samba, which will be used to emulate a Windows NT server.
- Install the samba package
- Answer no when asked whether you want to modify smb.conf or not
- Load the Samba schema into OpenLDAP:

gunzip -c /usr/share/doc/samba/examples/LDAP/samba.ldif.gz > samba.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f samba.ldif

- Restart the LDAP server: service slapd restart
Create the LDAP directory structure
ToDo: example adding OUs using ldapadd/ldif files
The Samba domain setup requires three OrganizationalUnit objects at the root of your LDAP hierarchy:
ou=users,dc=example,dc=org
ou=groups,dc=example,dc=org
ou=machines,dc=example,dc=org
Configure Samba to use LDAP
- Edit the Samba server configuration file: nano /etc/samba/smb.conf
- We will configure Samba to use the ldapsam account database backend. Replace the default passdb backend = tdbsam with:

# which backend will be used for storing user/group information
passdb backend = ldapsam:ldap://127.0.0.1
# base for all ldap suffixes and for storing the sambaDomain object
ldap suffix = dc=example,dc=org
# where machines should be added to the ldap tree (relative to the ldap suffix)
ldap machine suffix = ou=machines
# where users should be added to the ldap tree
ldap user suffix = ou=users
# where groups should be added to the ldap tree
ldap group suffix = ou=groups
# Distinguished Name (DN) used by Samba to bind to the LDAP server
# when retrieving user account information
ldap admin dn = cn=admin,dc=example,dc=org
# provide the netlogon service for Windows 9X network logons for the
# workgroup it is in
domain logons = yes
# honor privileges assigned to specific SIDs via net rpc rights
enable privileges = yes
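The ldapsam settings above are easy to get subtly wrong (an absolute ou=... suffix, a missing ldap admin dn, a backend URI that is not ldapsam). The checker below is an added example, not code from the Debian wiki page or from Samba: it parses the [global] section of an smb.conf the way testparm matches parameter names (case-insensitive, whitespace in names ignored) and reports the inconsistencies that most often break an ldapsam PDC. The sample configuration is the page's own snippet wrapped in a minimal [global] section; the warning about a non-loopback ldap:// URI combined with ldap ssl = off is this example's own rule, added because the ldap admin dn password stored with smbpasswd -w is sent on every bind.

```python
"""Added example (not from the Debian wiki page): sanity-check the ldapsam
settings in smb.conf before running testparm and restarting smbd."""
import re

# Constructed sample: the page's own snippet inside a minimal [global] section
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   # which backend will be used for storing user/group information
   passdb backend = ldapsam:ldap://127.0.0.1
   # base for all ldap suffixes and for storing the sambaDomain object
   ldap suffix = dc=example,dc=org
   ldap machine suffix = ou=machines
   ldap user suffix = ou=users
   ldap group suffix = ou=groups
   ldap admin dn = cn=admin,dc=example,dc=org
   domain logons = yes
   enable privileges = yes
"""

# Hosts on which plaintext LDAP never leaves the machine (no host at all means ldapi://)
LOOPBACK = ("", "127.0.0.1", "localhost", "::1")


def parse_global(text):
    """Return the [global] parameters as a dict.  Keys are normalised the way Samba
    matches them: case-insensitive, with internal whitespace ignored."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # only whole-line comments; '#' inside a value is data
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)      # split on the first '=' only: DNs contain '='
        params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params


def check_ldapsam(params):
    """Return a list of findings; an empty list means the ldapsam settings are consistent."""
    findings = []
    backend = params.get("passdbbackend", "")
    if not backend.startswith("ldapsam:"):
        return [f"passdb backend is {backend!r}, expected ldapsam:<ldap URI>"]
    uri = backend[len("ldapsam:"):].strip()
    suffix = params.get("ldapsuffix", "")
    if not suffix:
        findings.append("ldap suffix is not set; Samba cannot locate the sambaDomain object")
    if not params.get("ldapadmindn"):
        findings.append("ldap admin dn is not set; the password stored with smbpasswd -w has no DN to bind as")
    # The per-object suffixes are relative to "ldap suffix"; repeating the base DN is a common mistake
    for key in ("ldapusersuffix", "ldapgroupsuffix", "ldapmachinesuffix"):
        value = params.get(key, "")
        if suffix and value.lower().endswith(suffix.lower()):
            findings.append(f"{key} {value!r} repeats the ldap suffix; it must be relative (for example ou=users)")
    # This example's own rule: an off-host ldap:// URI with TLS explicitly disabled
    host = re.match(r"ldaps?://([^/:]*)", uri)
    hostname = host.group(1) if host else ""
    if hostname not in LOOPBACK and not uri.startswith("ldaps://") and params.get("ldapssl", "").lower() == "off":
        findings.append(f"LDAP URI {uri!r} leaves the host with ldap ssl = off; the ldap admin dn password would cross the network in clear")
    if params.get("domainlogons", "no").lower() not in ("yes", "true", "1"):
        findings.append("domain logons = yes is required for the server to act as a PDC")
    return findings


if __name__ == "__main__":
    for finding in check_ldapsam(parse_global(SAMPLE_SMB_CONF)) or ["OK: ldapsam settings look consistent"]:
        print(finding)
```

Run it against a copy of your real /etc/samba/smb.conf by reading the file into parse_global; it complements testparm, which validates syntax but not whether the suffixes fit together.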
- Test the configuration, store the password of the ldap admin dn in Samba's secrets.tdb, and restart the services:

testparm
smbpasswd -w password   # replace "password" with the LDAP admin password entered when slapd was installed
service smbd restart
service nmbd restart
- Using slapcat or ldapsearch, verify that a sambaDomainName entry (the domain's sambaDomain object, holding the domain SID) was added at the root of the LDAP tree. (ToDo: add example commands)
- Create the following Samba 3 group mappings under ou=groups:

Unix/Windows Name   GID     SID ending number
admins              20000   512
users               20001   513
guests              20002   514
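The two ToDo items above (adding the OUs with ldapadd, and verifying the sambaDomain object) and the group-mapping table can be tied together in one script. What follows is an added example, not code from the Debian wiki page or from Samba or smbldap-tools: it reads the domain SID out of `ldapsearch -LLL` output (a constructed sample is embedded, including an LDIF-folded continuation line, which real ldapsearch output produces for long values), emits the LDIF for the three OrganizationalUnit objects, and emits posixGroup + sambaGroupMapping entries whose sambaSID is the domain SID followed by the well-known RID from the table (512, 513, 514). Assumptions of this example: the mappings are domain groups (sambaGroupType 2), and the DN and names are the page's own dc=example,dc=org values.

```python
"""Added example (not from the Debian wiki page): build the LDIF for the OUs
and the Samba 3 group mappings from the domain SID found in the directory."""
import base64
import re
import sys

BASE_DN = "dc=example,dc=org"
OUS = ("users", "groups", "machines")              # the three OUs the page requires
# Unix/Windows name, GID and well-known RID ("SID ending number") from the page's table
GROUP_MAPPINGS = (("admins", 20000, 512), ("users", 20001, 513), ("guests", 20002, 514))

# Constructed sample of:  ldapsearch -x -LLL -b dc=example,dc=org '(objectClass=sambaDomain)'
# The sambaSID value is folded over two lines, as LDIF does with long values.
SAMPLE_DOMAIN_SEARCH = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=org
objectClass: sambaDomain
sambaDomainName: EXAMPLE
sambaSID: S-1-5-21-1111111111-2222222222
 -3333333333
sambaAlgorithmicRidBase: 1000
"""

SID_RE = re.compile(r"^S-1-5-21(-\d+){3}$")       # shape of a Samba/Windows domain SID


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space) onto the preceding line."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_ldif_entries(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts (one per entry)."""
    entries, current = [], {}
    for line in unfold_ldif(text) + [""]:          # trailing "" flushes the last entry
        if line.strip() == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):                  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.strip(), []).append(value)
    return entries


def domain_sid_from_search(ldif_text):
    """Return the sambaSID of the single sambaDomain entry; raise if it is absent or malformed."""
    domains = [e for e in parse_ldif_entries(ldif_text) if "sambaDomain" in e.get("objectClass", [])]
    if len(domains) != 1:
        raise ValueError(f"expected exactly one sambaDomain entry, found {len(domains)}")
    sid = domains[0]["sambaSID"][0]
    if not SID_RE.match(sid):
        raise ValueError(f"malformed domain SID: {sid!r}")
    return sid


def ou_ldif(base_dn=BASE_DN, ous=OUS):
    """LDIF for the OrganizationalUnit objects at the root of the tree."""
    return "\n".join(f"dn: ou={ou},{base_dn}\nobjectClass: organizationalUnit\nou: {ou}\n" for ou in ous)


def group_mapping_ldif(domain_sid, base_dn=BASE_DN, mappings=GROUP_MAPPINGS):
    """LDIF for posixGroup + sambaGroupMapping entries under ou=groups.
    sambaSID is <domain SID>-<RID>; sambaGroupType 2 marks a domain group."""
    out = []
    for name, gid, rid in mappings:
        out.append(f"dn: cn={name},ou=groups,{base_dn}\n"
                   "objectClass: posixGroup\n"
                   "objectClass: sambaGroupMapping\n"
                   f"cn: {name}\n"
                   f"gidNumber: {gid}\n"
                   f"sambaSID: {domain_sid}-{rid}\n"
                   "sambaGroupType: 2\n"
                   f"displayName: {name}\n")
    return "\n".join(out)


if __name__ == "__main__":
    # Load the output with:  ldapadd -x -D cn=admin,dc=example,dc=org -W -f <file>
    sid = domain_sid_from_search(SAMPLE_DOMAIN_SEARCH)
    sys.stdout.write(ou_ldif() + "\n" + group_mapping_ldif(sid))
```

On a real server, pipe the actual ldapsearch output into domain_sid_from_search instead of the sample; the sambaDomain object only exists once smbd has started with the ldapsam backend, which is why the page has you restart Samba before creating the mappings.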
Configure authentication using LDAP
The server must be set up to allow local account authentication using accounts stored in LDAP.
- Install the libnss-ldapd and libpam-ldapd packages. During installation, provide the following configuration:
  - ldap://127.0.0.1/ as LDAP server URI
  - dc=example,dc=org as search base
  - 3 as Samba version
  - cn=admin,dc=example,dc=org as the LDAP admin account (replace with your own value if different)
- Restart the Samba service: service samba restart
- Verify that the users, guests and admins groups are resolved through NSS by executing: getent group
See LDAP/NSS with libnss-ldapd and LDAP/PAM with libpam-ldapd for more information.
To improve performance, you may set up nscd to cache account information locally so that the LDAP server is not queried on every operation. In addition you must then set the following in /etc/samba/smb.conf:

# sync the LDAP password with the NT and LM hashes for normal accounts
# (NOT for workstation, server or domain trusts) on a password change via Samba
ldap passwd sync = yes
Setup users in the Domain
- In your LDAP directory, create the following Samba users under ou=users:

First Name   Last Name   Username        UID     SID ending   Group    Home directory
Domain       Admin       administrator   10000   21000        admins   /home/example.org/administrator
My           Name        my.name         10001   21001        admins   /home/example.org/my.name

- Verify that the Domain Controller is able to access the user accounts:

getent passwd

- Manually create the home directory for your user:

mkdir -p /home/example.org/my.name
cp -a /etc/skel/. /home/example.org/my.name/
chown -R my.name:users /home/example.org/my.name
Join Windows clients to the domain
- Create the Samba 3 machine account under the ou=machines OU of your LDAP hierarchy (the account's uid is the machine name with a trailing dollar sign, myclientmachine$):

Machine name: myclientmachine
UID: 30000

- Make sure the Samba root password is set; you will need it to join the machine to the domain:

smbpasswd -a root

- Go to your Windows machine, right-click My Computer, select Properties
- On the Name tab select Change
- Select the Domain radio button, enter example.org and click OK
- You will be prompted for domain admin credentials to allow the machine to join the domain. Enter root for the username and the Samba root password.
- You should see a Welcome to the example.org domain message
- Reboot, and you can log in with a user from your LDAP database.
External links
- Samba & LDAP - SambaWiki: https://wiki.samba.org/index.php/Samba_&_LDAP
- Samba - OpenLDAP Backend - Ubuntu: https://ubuntu.com/server/docs/samba-openldap-backend
- Initialization LDAP Database - SambaWiki: https://wiki.samba.org/index.php/3.0:_Initialization_LDAP_Database
- Ldapwiki: Schema for Samba 3: https://ldapwiki.com/wiki/Schema%20for%20Samba%203
- Samba 3.6 standalone + OpenLDAP (CentOS 6): https://spredzy.wordpress.com/2013/08/30/samba-standalone-openldap/
- LDAP-based authentication for Samba (NT4 Domain Controller) (Fedora, 2006): https://www.ibm.com/developerworks/linux/tutorials/l-ldapsamba/index.html
- smbldap-tools manual pages: smbldap-groupadd(8), smbldap-groupdel(8), smbldap-grouplist(8), smbldap-groupmod(8), smbldap-groupshow(8), smbldap-passwd(8), smbldap-populate(8), smbldap-useradd(8), smbldap-userdel(8), smbldap-userinfo(8), smbldap-userlist(8), smbldap-usermod(8), smbldap-usershow(8)
CategoryNetwork | CategorySoftware | CategorySystemAdministration