Differences between revisions 13 and 14
Revision 13 as of 2007-05-03 02:30:51 (size 5284, editor: BobBobly)
Revision 14 as of 2007-05-17 02:14:49 (size 6538, editor: BobBobly)

How to create a Samba3 PDC with an LDAP backend

This page is a walkthrough of how to set up a Samba3 PDC with LDAP as the authentication backend, giving you a domain controller similar to a Windows NT Domain Controller.

Install LDAP

We will use Aptitude to install our LDAP server.

aptitude install slapd 

Enter the password for the LDAP admin when prompted.

Install PHPLDAPADMIN web interface

In order to manage our LDAP server we will use a web admin tool called PHPLDAPADMIN running on an Apache server using SSL.

aptitude install apache-ssl phpldapadmin

You will be prompted to input information in order to create an SSL certificate:
Enter your country code when prompted, ex. US
Enter the name of your state when prompted, ex. Utah
Enter the name of your city when prompted, ex. Salt Lake City
Enter your organization when prompted, ex. buster.lan
Enter your OU name when prompted, ex. ITT
Enter your host name when prompted, ex. pdc.buster.lan
Enter the contact email when prompted, ex. root@buster.lan

Install MKNTPWD

There is a tool available that will allow us to change and create passwords like you would through Windows clients. We will need to download the tool and compile it. You may need to install make if you haven't already.

aptitude install make gcc libc-dev
wget http://www.nomis52.net/data/mkntpwd.tar.gz
tar zxvf mkntpwd.tar.gz
cd mkntpwd
make
cp mkntpwd /usr/local/bin/

Install Samba

We will now install Samba, which will be used to emulate a Windows NT server.

aptitude install samba samba-doc

Enter your domain name when prompted, ex. buster.lan
Answer NO when asked whether you want to modify smb.conf

Now install and edit the Samba schema example that ships with the samba-doc package, so that LDAP knows the Samba attributes:

cd /usr/share/doc/samba-doc/examples/LDAP
gunzip samba.schema.gz
cp samba.schema /etc/ldap/schema/
vim /etc/ldap/slapd.conf

add this line after the other include lines:

include         /etc/ldap/schema/samba.schema

Now restart LDAP

/etc/init.d/slapd restart

Configure the Domain structure in LDAP

Through our PHPLDAPADMIN we are going to configure the domain.
Open a web browser and go to: https://pdc/phpldapadmin/ (replace pdc with your server name or IP)
Log in with the following user:

cn=admin,dc=buster,dc=lan

Use the password entered when you installed LDAP.
Expand the root node and then click on "Create new entry here".
Select OU and click "proceed".
Enter users for the OU name and click "Create object".
Repeat the previous three steps and create two other OUs called "groups" and "machines".

Configure Samba to use LDAP

Now configure Samba to use LDAP.

vim /etc/samba/smb.conf

find:

passdb backend = tdbsam

and replace it with:

passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=buster,dc=lan
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap group suffix = ou=groups
# the admin dn must live under the ldap suffix above
ldap admin dn = cn=admin,dc=buster,dc=lan
ldap delete dn = no

# be a PDC
domain logons = yes

# allow user privileges
enable privileges = yes

Testing the configuration

make sure testparm executes successfully:

testparm
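testparm validates the syntax of smb.conf but not whether the LDAP parameters agree with each other. The following check is an added example, not part of the original page: it parses the [global] section and flags an ldap admin dn that does not sit under ldap suffix, or a machine/user/group suffix written as an absolute DN. The sample smb.conf is constructed from the block above, with an admin dn from a different base so the check has something to report.

```python
# Added example (not from the original page): a consistency check for the
# LDAP settings in smb.conf. The sample below is constructed for this demo.
import re

SAMPLE_SMB_CONF = """
[global]
   passdb backend = ldapsam:ldap://127.0.0.1
   ldap suffix = dc=buster,dc=lan
   ldap machine suffix = ou=machines
   ldap user suffix = ou=users
   ldap group suffix = ou=groups
   ldap admin dn = cn=admin,dc=nomis52,dc=net
   ldap delete dn = no
   domain logons = yes
[homes]
   browseable = no
"""

def parse_global(text):
    """Return the key/value pairs of [global] only; keys are lower-cased with
    whitespace collapsed, because Samba ignores case and spacing in names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # Samba comment lines
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params

def check_ldap_settings(params):
    """Return a list of problems; an empty list means the settings agree."""
    problems = []
    backend = params.get("passdb backend", "")
    if not backend.startswith("ldapsam:"):
        problems.append(f"passdb backend is {backend!r}, not ldapsam")
    suffix = params.get("ldap suffix", "").replace(" ", "").lower()
    admin = params.get("ldap admin dn", "").replace(" ", "").lower()
    if not suffix or not admin.endswith("," + suffix):
        problems.append(f"ldap admin dn {admin!r} is not under ldap suffix {suffix!r}")
    for key in ("ldap machine suffix", "ldap user suffix", "ldap group suffix"):
        value = params.get(key, "")
        if "dc=" in value.lower():   # these suffixes are relative to ldap suffix
            problems.append(f"{key} must be relative to ldap suffix, got {value!r}")
    return problems

if __name__ == "__main__":
    for problem in check_ldap_settings(parse_global(SAMPLE_SMB_CONF)):
        print("smb.conf:", problem)
```

Run it against your real file with parse_global(open("/etc/samba/smb.conf").read()) after testparm passes.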

Store the LDAP admin password in Samba's secrets file and restart Samba (replace password with the LDAP admin password entered when slapd was installed):

smbpasswd -w password
/etc/init.d/samba restart

Log back into phpldapadmin and verify that the domain record (named after your domain) now exists below the root.
Create the following Samba3 group mappings under the groups OU:

Unix/Windows Name   GID     SID ending number
admins              20000   512
users               20001   513
guests              20002   514

aptitude install libnss-ldap

Enter the server name as ldap://127.0.0.1/ when prompted
Put in the search base as dc=buster,dc=lan (replace with your domain structure)
Put in the Samba version as 3
Enter the admin profile as cn=admin,dc=buster,dc=lan (replace with your domain structure)
Enter the admin password
Accept with OK

vim /etc/nsswitch.conf

add "ldap" after every "compat"

verify that users, guests, and admins exist by executing:

getent group

Configure Server to authenticate locally using LDAP

aptitude install libpam-ldap

Answer yes
Answer no
Enter the admin profile: cn=admin,dc=buster,dc=lan (replace with your domain structure)
Enter your admin password

vim /etc/pam.d/common-account

add the following to the end of the file:

account         sufficient      pam_ldap.so
account         required        pam_unix.so     try_first_pass

vim /etc/pam.d/common-auth

add the following line to the beginning of the file (the type must be "auth" in common-auth; a "password" line there only affects password changes, not logins):

auth sufficient pam_ldap.so

restart ssh and samba

/etc/init.d/ssh restart (if ssh is installed)
/etc/init.d/samba restart

install nscd

aptitude install nscd
vim /etc/samba/smb.conf

add the following line to the [global] section of the file:

ldap password sync=yes

Setup users in the Domain

Log back into phpldapadmin and create the following Samba3 users under the users OU:

First Name   Last Name   username        UID     SID ending   Group    Home Directory
Domain       Admin       administrator   10000   21000        admins   /home/buster/administrator
(your)       (name)      (username)      10001   21001        admins   /home/buster/(username)
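The group mappings and user entries from the two tables above, as an added example that is not part of the original page: a small Python script that renders them as LDIF, so they can be loaded with ldapadd or compared with what phpldapadmin created. The domain SID is a constructed placeholder; the objectClass and attribute names are those of the samba.schema installed earlier.

```python
# Added example (not from the original page): LDIF for the group mapping and
# user tables. DOMAIN_SID is a constructed placeholder; use the sambaSID of
# your own domain entry. Password hashes are set afterwards with smbpasswd.
BASE = "dc=buster,dc=lan"
DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"  # constructed placeholder

# (name, gidNumber, RID) exactly as in the group mapping table
GROUPS = [("admins", 20000, 512), ("users", 20001, 513), ("guests", 20002, 514)]
GROUP_BY_NAME = {name: (gid, rid) for name, gid, rid in GROUPS}
# (first name, last name, username, uidNumber, RID, group, home directory)
USERS = [("Domain", "Admin", "administrator", 10000, 21000, "admins",
          "/home/buster/administrator")]

def group_ldif(name, gid, rid):
    """posixGroup + sambaGroupMapping; sambaGroupType 2 is a domain group."""
    return "\n".join([
        f"dn: cn={name},ou=groups,{BASE}",
        "objectClass: posixGroup",
        "objectClass: sambaGroupMapping",
        f"cn: {name}",
        f"gidNumber: {gid}",
        f"sambaSID: {DOMAIN_SID}-{rid}",
        "sambaGroupType: 2",
        "",
    ])

def user_ldif(first, last, username, uidn, rid, group, home):
    """inetOrgPerson + posixAccount + sambaSamAccount for one domain user."""
    gid, group_rid = GROUP_BY_NAME[group]   # primary group from the group table
    return "\n".join([
        f"dn: uid={username},ou=users,{BASE}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: sambaSamAccount",
        f"cn: {first} {last}",
        f"sn: {last}",
        f"uid: {username}",
        f"uidNumber: {uidn}",
        f"gidNumber: {gid}",
        f"homeDirectory: {home}",
        f"sambaSID: {DOMAIN_SID}-{rid}",
        f"sambaPrimaryGroupSID: {DOMAIN_SID}-{group_rid}",
        "",
    ])

def build_ldif():
    return "\n".join([group_ldif(*g) for g in GROUPS] + [user_ldif(*u) for u in USERS])
```

Pipe the output of build_ldif() into ldapadd -x -D cn=admin,dc=buster,dc=lan -W to load it.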

verify the new users are in the database:

getent passwd

create home directory

mkdir /home/buster
mkdir /home/buster/(username)
cp /etc/skel/.* /home/buster/(username)
chown -R (username):users /home/buster/(username)

Create Machine accounts for domain members

Log back into phpldapadmin and create a Samba3 machine account under the machines OU:

Machine Name     UID
(machinename)$   30000

smbpasswd -a root

enter your root password

Join a windows client to the domain

Go to your Windows machine, right-click on My Computer and select Properties.
On the Computer Name tab select Change.
Select the Domain radio button, enter buster.lan and click OK.
Enter root for the username.
Enter your root password.
You should see a "Welcome to the buster.lan domain" message. Reboot, and you can then log in using a user from your LDAP database.