Back to Home Page BuildingALinuxDomain
How to create samba3 PDC with LDAP backend
This page is a walkthrough of how to set up a Samba3 PDC with LDAP as an authentication mechanism similar to a Windows NT Domain Controller.
Install LDAP
We will use Aptitude to install our LDAP server.
aptitude install slapd
Enter password for the ldap admin when prompted
Install PHPLDAPADMIN web interface
In order to manage our LDAP server we will use a web admin tool called PHPLDAPADMIN running on an apache server using SSL.
aptitude install apache-ssl phpldapadmin
You will be prompted to input information in order to create an SSL certificate:
Enter your country code when prompted ex. US
Enter the name of your state when prompted ex. Utah
Enter the name of your city when prompted ex. Salt Lake City
Enter your organization when prompted ex. buster.lan
Enter your OU name when prompted ex. ITT
Enter your host name when prompted ex. pdc.buster.lan
Enter the contact email when prompted ex. root@buster.lan
Install MKNTPWD
There is a tool, mkntpwd, that computes the NT password hash the way a Windows client would, so that passwords can be created and changed outside of Windows. We will download and compile it; you may need to install make and a compiler if you haven't already. The tarball is fetched over plain HTTP, so inspect the source before building it.
aptitude install make gcc libc-dev
wget http://www.nomis52.net/data/mkntpwd.tar.gz
tar zxvf mkntpwd.tar.gz
cd mkntpwd
make
cp mkntpwd /usr/local/bin/
Install Samba
We will now install Samba, which will act as the NT-style domain controller
aptitude install samba samba-doc
Enter your domain name when prompted ex. buster.lan
Answer NO when asked whether you want to modify smb.conf or not
Now install and edit the schema example that comes with LDAP
cd /usr/share/doc/samba-doc/examples/LDAP
gunzip samba.schema.gz
cp samba.schema /etc/ldap/schema/
vim /etc/ldap/slapd.conf
add this line after the other include lines:
include /etc/ldap/schema/samba.schema
Now restart LDAP
/etc/init.d/slapd restart
Configure the Domain structure in LDAP
Through our PHPLDAPADMIN we are going to configure the domain.
open a web browser and go to: https://pdc/phpldapadmin/ (replace pdc with your server name or IP; use http instead of https if phpldapadmin does not use SSL)
login with the following user:
cn=admin,dc=buster,dc=lan
use the password entered when you installed LDAP
expand the root node and then click on “Create new entry here”
select OU and click “proceed”
enter users for the OU name and click “Create object”
repeat the previous three steps and create two other OUs called “groups” and “machines”
Configure Samba to use LDAP
Now configure Samba to use LDAP.
vim /etc/samba/smb.conf
find:
passdb backend = tdbsam
and replace it with the following (replace dc=buster,dc=lan with your domain structure; the admin DN must be the same slapd admin you log into phpldapadmin with):
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=buster,dc=lan
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap admin dn = cn=admin,dc=buster,dc=lan
ldap delete dn = no
# be a PDC
domain logons = yes
# allow user privileges
enable privileges = yes
Testing the configuration
make sure testparm executes successfully:
testparm
Store the LDAP admin DN password in Samba's secrets.tdb (this is the slapd admin password you set when installing LDAP; Samba needs it to bind as the ldap admin dn) and restart Samba
smbpasswd -w (ldap-admin-password)
/etc/init.d/samba restart
Log back into phpldapadmin and verify that the sambaDomainName entry for your domain exists below the root (Samba creates it on its first start with the LDAP backend)
create the following Samba3 Mappings under the groups OU (512, 513 and 514 are the fixed well-known RIDs of Domain Admins, Domain Users and Domain Guests):
Unix/Windows Name | GID   | SID ending number
admins            | 20000 | 512
users             | 20001 | 513
guests            | 20002 | 514
Install the NSS LDAP module so the system can resolve LDAP users and groups, then answer the debconf prompts:
aptitude install libnss-ldap
Enter the server name as ldap://127.0.0.1/ when prompted
put in the search base as dc=buster,dc=lan (replace with your domain structure)
put in the LDAP protocol version as 3
enter the admin profile as cn=admin,dc=buster,dc=lan (replace with your domain structure)
enter the admin password
accept with OK
vim /etc/nsswitch.conf
add “ldap” after “compat” on the passwd, group and shadow lines
verify that users, guests, and admins exist by executing:
getent group
Configure Server to authenticate locally using LDAP
aptitude install libpam-ldap
Answer yes
Answer no
Enter the admin profile - cn=admin,dc=buster,dc=lan (replace with your domain structure)
Enter your admin password
vim /etc/pam.d/common-account
add the following to the end of the file:
account sufficient pam_ldap.so
account required pam_unix.so try_first_pass
vim /etc/pam.d/common-auth
add the following line to the beginning of the file (the module type must be auth, since common-auth controls authentication; a password type line here would be ignored):
auth sufficient pam_ldap.so
restart ssh (if it is installed) and samba
/etc/init.d/ssh restart
/etc/init.d/samba restart
install nscd
aptitude install nscd
vim /etc/samba/smb.conf
add the following line to the [global] section, so that password changes from Windows clients also update the LDAP userPassword attribute:
ldap passwd sync = yes
Setup users in the Domain
log back into phpldapadmin and create the following Samba3 Users under the users OU:
First Name | Last Name | username      | UID   | SID ending | Group  | Home Directory
Domain     | Admin     | administrator | 10000 | 21000      | admins | /home/buster/administrator
(your)     | (name)    | (username)    | 10001 | 21001      | admins | /home/buster/(username)
verify the new users are in the database:
getent passwd
create home directory
mkdir -p /home/buster/(username)
cp -a /etc/skel/. /home/buster/(username)
chown -R (username):users /home/buster/(username)
Create Machine accounts for domain members
log back into phpldapadmin and create a Samba3 machine account under the machines OU for each client that will join (the name is the client's NetBIOS name followed by $):
Machine Name   | UID
(machinename)$ | 30000
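Instead of typing the entries of the three tables above (group mappings, users and machine accounts) into phpldapadmin one field at a time, they can be generated as LDIF and loaded with ldapadd. The generator below is an added example, not part of the original page or of Samba: it assumes the domain SID has been read from the PDC with `net getlocalsid`, that NT hashes come from mkntpwd, and that machine accounts get Samba's default algorithmic RID (2*uid + 1000); the SID, hash value and machine name in the demo are constructed, and the file name mkldif.py in the usage note is an assumption.

```python
"""LDIF generator for the group, user and machine tables (added example)."""

DOMAIN_GROUP = 2                 # sambaGroupType: domain (global) group
USER_FLAGS = "[U          ]"     # sambaAcctFlags: normal user account
MACHINE_FLAGS = "[W          ]"  # sambaAcctFlags: workstation trust account

# (Unix/Windows name, gidNumber, RID) from the groups table; 512/513/514 are
# the fixed well-known RIDs of Domain Admins, Domain Users and Domain Guests.
GROUPS = [("admins", 20000, 512), ("users", 20001, 513), ("guests", 20002, 514)]


def sid(domain_sid, rid):
    """Append a RID to a domain SID of the form S-1-5-21-a-b-c."""
    parts = domain_sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 7:
        raise ValueError("not a domain SID: %r" % domain_sid)
    return "%s-%d" % (domain_sid, rid)


def group_entry(base, dsid, name, gid, rid):
    """posixGroup plus sambaGroupMapping, one row of the groups table."""
    return ["dn: cn=%s,ou=groups,%s" % (name, base),
            "objectClass: posixGroup",
            "objectClass: sambaGroupMapping",
            "cn: %s" % name,
            "gidNumber: %d" % gid,
            "sambaSID: %s" % sid(dsid, rid),
            "sambaGroupType: %d" % DOMAIN_GROUP,
            ""]


def user_entry(base, dsid, username, first, last, uidnum, rid, gid, group_rid, home, nthash):
    """posixAccount plus sambaSamAccount, one row of the users table.

    nthash is the 32 hex digits printed by mkntpwd. It is stored unsalted, so the
    slapd ACLs must let only the admin DN (Samba's ldap admin dn) read it.
    """
    if len(nthash) != 32 or not all(c in "0123456789ABCDEF" for c in nthash):
        raise ValueError("NT hash must be 32 upper-case hex digits")
    return ["dn: uid=%s,ou=users,%s" % (username, base),
            "objectClass: person",
            "objectClass: posixAccount",
            "objectClass: sambaSamAccount",
            "uid: %s" % username,
            "cn: %s %s" % (first, last),
            "sn: %s" % last,
            "uidNumber: %d" % uidnum,
            "gidNumber: %d" % gid,                               # gidNumber of the Group column
            "homeDirectory: %s" % home,
            "loginShell: /bin/bash",
            "sambaSID: %s" % sid(dsid, rid),                     # the "SID ending" column
            "sambaPrimaryGroupSID: %s" % sid(dsid, group_rid),   # RID of the Group column
            "sambaNTPassword: %s" % nthash,
            "sambaAcctFlags: %s" % USER_FLAGS,
            ""]


def machine_entry(base, dsid, machine, uidnum, gid):
    """Machine trust account (uid ends in '$'); its password is set when the client joins."""
    uid = machine + "$"
    return ["dn: uid=%s,ou=machines,%s" % (uid, base),
            "objectClass: account",
            "objectClass: posixAccount",
            "objectClass: sambaSamAccount",
            "uid: %s" % uid,
            "cn: %s" % uid,
            "uidNumber: %d" % uidnum,
            "gidNumber: %d" % gid,
            "homeDirectory: /dev/null",
            "loginShell: /bin/false",
            # Samba's algorithmic RID for a uid, 2*uid + 1000 (assumption, see lead-in).
            "sambaSID: %s" % sid(dsid, 2 * uidnum + 1000),
            "sambaAcctFlags: %s" % MACHINE_FLAGS,
            ""]


def to_ldif(*entries):
    """Join the entries' line lists into one LDIF document (blank line between entries)."""
    return "\n".join(line for entry in entries for line in entry)


if __name__ == "__main__":
    BASE = "dc=buster,dc=lan"
    DSID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed; use `net getlocalsid`
    DUMMY_HASH = "0123456789ABCDEF0123456789ABCDEF"        # constructed; use mkntpwd output
    print(to_ldif(
        *[group_entry(BASE, DSID, n, g, r) for n, g, r in GROUPS],
        user_entry(BASE, DSID, "administrator", "Domain", "Admin", 10000, 21000, 20000, 512,
                   "/home/buster/administrator", DUMMY_HASH),
        machine_entry(BASE, DSID, "ws01", 30000, 20001)))
```

Load the output with `python3 mkldif.py | ldapadd -x -D cn=admin,dc=buster,dc=lan -W`, then check with `getent passwd` and `getent group` as in the steps above. Put the real mkntpwd output in place of DUMMY_HASH, and keep the generated LDIF out of world-readable locations, since it carries password-equivalent hashes.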
smbpasswd -a root (this gives root a Samba password in LDAP; root is the account used below to join clients)
enter your root password
Join a windows client to the domain
go to your Windows machine, right-click on My Computer and select Properties
on the Computer Name tab select Change
select the Domain radio button, enter buster.lan and click OK
enter root for the username
enter your root password
you should see a "welcome to the buster.lan domain" message; reboot, and you can then log in with a user from your LDAP database.