Differences between revisions 32 and 37 (spanning 5 versions)
Revision 32 as of 2021-01-17 16:14:38
Size: 6026
Editor: nodiscc
Comment: WIP refactoring, cleanup
Revision 37 as of 2021-01-17 16:37:15
Size: 6250
Editor: nodiscc
Comment: formatting
Deletions are marked like this. Additions are marked like this.
Line 13: Line 13:
{{{#!wiki note
Page refactoring in progress below this point
}}}
Line 37: Line 34:
 * Restart the ldap server `systemctl restart slapd`

== Configure the Domain structure in LDAP ==
Through our PHPLDAPADMIN we are going to configure the domain.<<BR>>
open a webbrowser and go to: https://pdc/phpldapadmin/ (replace pdc with your server name or IP, replace https with http if phpldapadmin does not use SSL)<<BR>>
login with the following user:<<BR>>
{{{
cn=admin,dc=buster,dc=lan
}}}
use the password entered when you installed LDAP<<BR>>
expand the root node and then click on “Create new entry here”<<BR>>
select OU and click “proceed”<<BR>>
enter users for the OU name and click “Create object”<<BR>>
repeat the previous three steps and create two other OUs called “groups” and “machines”<<BR>>
<<BR>>
 * Restart the ldap server: `systemctl restart slapd`


== Create the LDAP directory structure ==

ToDo: example adding OUs using ldapadd/ldif files

The Samba domain setup requires three `OrganizationalUnit` objects at the root of your LDAP hierarchy:

{{{
ou=users,dc=example,dc=org
ou=groups,dc=example,dc=org
ou=machines,dc=example,dc=org
}}}
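Review bot: the phpLDAPadmin steps that created the `users`, `groups` and `machines` OUs are removed here, but the replacement only says `ToDo: example adding OUs using ldapadd/ldif files`, so this revision leaves the reader with no way to create the three entries it requires. Suggest adding the LDIF inline, one entry per OU, e.g. `dn: ou=users,dc=example,dc=org` / `objectClass: organizationalUnit` / `ou: users`, loaded with `ldapadd -x -D cn=admin,dc=example,dc=org -W -f <file>`.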
Line 54: Line 51:
Now configure Samba to use LDAP.<<BR>>
{{{
vim /etc/samba/smb.conf
}}}
find:
{{{
passdb backend=tdsam
}}}
and replace it with:
{{{

 * Edit the samba server configuration file: `nano /etc/samba/smb.conf`
 * We will configure Samba to use the `ldapsam` account database backend. Replace the default `passdb backend=tdbsam` with

{{{
# which backend will be used for storing user/group information
Line 65: Line 58:
ldap suffix = dc=buster,dc=lan
# base for all ldap suffixes and for storing the sambaDomain object
ldap suffix = dc=example,dc=org
 where machines should be added to the ldap tree.
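Review bot: the line ` where machines should be added to the ldap tree.` lost its leading `#` when the comment was reworded, so smbd will read it as a parameter line rather than a comment; restore `# where machines should be added to the ldap tree.` to match the user and group comments in the following hunks.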
Line 67: Line 63:
# where users should be added to the ldap tree.
Line 68: Line 65:
# where groups should be added to the ldap tree.
Line 69: Line 67:
ldap admin dn = cn=admin,dc=nomis52,dc=net
ldap delete dn = no

# be a PDC

# Distinguished Name (DN) name used by Samba to contact the LDAP server
# when retreiving user account information
ldap admin dn = cn=admin,dc=example,dc=org


# provide the netlogon service for Windows 9X network logons for the
# workgroup it is in.
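Review bot: `ldap delete dn = no` is dropped from the sample configuration without a replacement or a comment; if the intent is to rely on Samba's default for that parameter, say so in the bullet text instead of removing it silently. Also `retreiving` in the added comment should read `retrieving`.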
Line 75: Line 77:
# allow user privileges # honor privileges assigned to specific SIDs via net rpc rights
Line 79: Line 81:
== Testing the configuration ==
mak
e sure testparm executes successfully:
 * Test the configuration, set the samba password and restart the service:
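Review bot: the merged bullet says "set the samba password" without saying which password that is; the command it introduces, `smbpasswd -w`, stores the password of the `ldap admin dn` configured above so that Samba can bind to LDAP, it does not set any user's Samba password. Name it explicitly, e.g. "store the LDAP admin password for Samba with `smbpasswd -w`".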
Line 83: Line 85:
}}}

Set the samba password and restart samba
{{{
Line 88: Line 86:
/etc/init.d/samba restart
}}}

Log back into phpldapadmin and verify that the DomainName record exists below the root<<BR>>
create the following Samba3 Mappings under the groups OU:<<BR>>

||Unix/Windows Name||GID||SID ending number||
||admins||20000||512||
||users||20001||513||
||guests||20002||514||

{{{
aptitude install libnss-ldap
}}}
Enter the server name as ldap://127.0.0.1/ when prompted<<BR>>
put in the search base as dc=buster,dc=lan (replace with your domain structure)<<BR>>
put in the samba version as 3<<BR>>
enter the admin profile as cn=admin,dc=buster,dc=lan (replace with your domain structure)<<BR>>
enter the admin password<<BR>>
accept with OK<<BR>>

{{{
vim /etc/nsswitch.conf
}}}
add “ldap” after every compat<<BR>>

verify that users, guests, and admins exist by executing:
{{{
getent group
systemctl restart samba
}}}

 * Using slapcat/ldapsearch, verify that a {{{DomainName}}} record was added at the root of the LDAP tree. (ToDo: add example commands)
 * create the following Samba3 Mappings under {{{ou=groups}}}:

{{{
Unix/Windows Name: admins
GID: 20000
SID ending number: 512
}}}

{{{
Unix/Windows Name: users
GID: 20001
SID ending number: 513
}}}

{{{
Unix/Windows Name: guests
GID: 20002
SID ending number: 514
}}}

 * Setup LDAP-backed authentication for Linux accounts ([[NSS#NSS_Setup_with_libnss-ldapd|NSS with libnss-ldapd]], [[PAM#PAM_Setup_with_libpam-ldapd|PAM with libpam-ldapd]], using:
   * `ldap://127.0.0.1/` as LDAP server URI
   * `dc=example,dc=org` as search base,
   * `3` as Samba version
   * `cn=admin,dc=example,dc=org` as the LDAP admin account (replace with your own value if different)
 * Verify that users, guests, and admins are retrieved by executing: `getent group`
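Review bot: the three Samba3 group mappings (RIDs 512, 513 and 514 on GIDs 20000 to 20002) are kept, but the phpLDAPadmin step that created them is removed, so the new text never says how to create them; suggest either an LDIF entry per group with `objectClass: sambaGroupMapping`, `gidNumber` and `sambaSID: <domain SID>-512`, or `net groupmap add` once the Unix groups exist. The NSS/PAM bullet also opens a parenthesis before `[[NSS#...` that is never closed.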




{{{#!wiki note
Page refactoring in progress below this point

This page is a walkthrough of how to set up a Samba Windows NT-style Domain Controller with LDAP as an authentication mechanism.

Windows computers will be able to join the domain as they would a regular Windows NT domain. Users will be able to log on to the domain from Windows machines using the pGina client.

Note: the old, NT-style Domain Controller setup is not to be confused with the newer Samba/ActiveDirectoryDomainController setup available in Samba 4.

Requirements

Install Samba

We will now install Samba, which will be used to emulate a Windows NT server.

  • Install the samba package

  • Answer no when asked whether you want to modify smb.conf or not

  • Load the samba schema into OpenLDAP:

gunzip -c /usr/share/doc/samba/examples/LDAP/samba.ldif.gz > samba.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f samba.ldif
  • Restart the ldap server: systemctl restart slapd

Create the LDAP directory structure

ToDo: example adding OUs using ldapadd/ldif files

The Samba domain setup requires three OrganizationalUnit objects at the root of your LDAP hierarchy:

ou=users,dc=example,dc=org
ou=groups,dc=example,dc=org
ou=machines,dc=example,dc=org
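The ldapadd/LDIF example the ToDo above asks for, added here and not part of the original page: it generates one organizationalUnit entry per OU and loads them as the LDAP admin. It assumes the page's dc=example,dc=org base DN and cn=admin admin DN, slapd listening on ldap://127.0.0.1/ (the URI used in the smb.conf below), and prompts for the admin password.

```shell
#!/bin/sh
# Added example, not from the original page: build the LDIF for the three
# OUs the Samba setup needs and load it into OpenLDAP with ldapadd.
# Assumptions: base DN and admin DN as used on this page, slapd reachable
# on ldap://127.0.0.1/, admin password prompted for by ldapadd (-W).
set -eu

BASE_DN="${BASE_DN:-dc=example,dc=org}"
ADMIN_DN="${ADMIN_DN:-cn=admin,${BASE_DN}}"
LDAP_URI="${LDAP_URI:-ldap://127.0.0.1/}"

# Print one organizationalUnit entry per name given; LDIF separates
# entries with a blank line.
ou_ldif() {
    for ou in "$@"; do
        printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' \
            "$ou" "$BASE_DN" "$ou"
    done
}

# Cheap self-check before handing the file to ldapadd: number of entries.
count_entries() {
    grep -c '^dn: ' "$1"
}

# Simple bind (-x) as the admin DN, prompting for its password (-W).
# -c keeps going when an OU already exists instead of aborting the run.
add_entries() {
    ldapadd -x -c -H "$LDAP_URI" -D "$ADMIN_DN" -W -f "$1"
}

# List the OUs now sitting directly under the base DN (one-level search).
list_ous() {
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$BASE_DN" -s one \
        '(objectClass=organizationalUnit)' ou
}

# Only touch the directory when explicitly asked: sh samba-ous.sh apply
if [ "${1:-}" = "apply" ]; then
    ou_ldif users groups machines > samba-ous.ldif
    [ "$(count_entries samba-ous.ldif)" = "3" ]
    add_entries samba-ous.ldif
    list_ous
fi
```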

Configure Samba to use LDAP

  • Edit the samba server configuration file: nano /etc/samba/smb.conf

  • We will configure Samba to use the ldapsam account database backend. Replace the default passdb backend=tdbsam with

# which backend will be used for storing user/group information
passdb backend = ldapsam:ldap://127.0.0.1

# base for all ldap suffixes and for storing the sambaDomain object
ldap suffix = dc=example,dc=org
# where machines should be added to the ldap tree.
ldap machine suffix = ou=machines
# where users should be added to the ldap tree.
ldap user suffix = ou=users
# where groups should be added to the ldap tree.
ldap group suffix = ou=groups

# Distinguished Name (DN) name used by Samba to contact the LDAP server
# when retrieving user account information
ldap admin dn = cn=admin,dc=example,dc=org


# provide the netlogon service for Windows 9X network logons for the
# workgroup it is in.
domain logons = yes

# honor privileges assigned to specific SIDs via net rpc rights
enable privileges = yes
  • Test the configuration, give Samba the LDAP admin password (the argument to smbpasswd -w, shown as password below) and restart the service:

testparm
smbpasswd -w password
systemctl restart samba
  • Using slapcat/ldapsearch, verify that a DomainName record was added at the root of the LDAP tree. (ToDo: add example commands)

  • Create the following Samba3 Mappings under ou=groups:

Unix/Windows Name: admins
GID: 20000
SID ending number: 512

Unix/Windows Name: users
GID: 20001
SID ending number: 513

Unix/Windows Name: guests
GID: 20002
SID ending number: 514
  • Set up LDAP-backed authentication for Linux accounts (NSS with libnss-ldapd, PAM with libpam-ldapd), using:

    • ldap://127.0.0.1/ as LDAP server URI

    • dc=example,dc=org as search base,

    • 3 as Samba version

    • cn=admin,dc=example,dc=org as the LDAP admin account (replace with your own value if different)

  • Verify that users, guests, and admins are retrieved by executing: getent group
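Added example, not from the original page, covering both the verification the ToDo above mentions and the creation of the three group mappings listed above: it queries the sambaDomain entry with ldapsearch, takes the domain SID from it and writes the mappings as posixGroup plus sambaGroupMapping entries in LDIF. It assumes the page's base DN, admin DN and ldap://127.0.0.1/ URI; the GIDs and RID endings are the page's.

```shell
#!/bin/sh
# Added example, not from the original page: locate the sambaDomain object
# Samba created under the base DN, read the domain SID from it and turn
# the mapping table above into LDIF for three posixGroup+sambaGroupMapping
# entries under ou=groups. Assumes the page's base DN, admin DN and
# ldap://127.0.0.1/; the admin password is prompted for by ldapadd.
set -eu

BASE_DN="${BASE_DN:-dc=example,dc=org}"
ADMIN_DN="${ADMIN_DN:-cn=admin,${BASE_DN}}"
LDAP_URI="${LDAP_URI:-ldap://127.0.0.1/}"

# The "DomainName record" is an entry of objectClass sambaDomain directly
# under the base DN (its RDN is sambaDomainName=<WORKGROUP>).
show_domain() {
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$BASE_DN" -s one \
        '(objectClass=sambaDomain)' sambaDomainName sambaSID
}

# Pull the domain SID (S-1-5-21-...) out of ldapsearch output on stdin.
domain_sid() {
    sed -n 's/^sambaSID: //p' | head -n 1
}

# One group mapping entry: $1 name, $2 GID, $3 RID, $4 domain SID.
# A group's SID is the domain SID plus the RID; sambaGroupType 2 marks
# a domain group.
group_ldif() {
    printf 'dn: cn=%s,ou=groups,%s\n' "$1" "$BASE_DN"
    printf 'objectClass: posixGroup\nobjectClass: sambaGroupMapping\n'
    printf 'cn: %s\ngidNumber: %s\nsambaSID: %s-%s\nsambaGroupType: 2\n\n' \
        "$1" "$2" "$4" "$3"
}

# The table above: name, GID, RID ending. $1 is the domain SID.
mappings_ldif() {
    group_ldif admins 20000 512 "$1"
    group_ldif users  20001 513 "$1"
    group_ldif guests 20002 514 "$1"
}

if [ "${1:-}" = "apply" ]; then
    sid=$(show_domain | domain_sid)
    [ -n "$sid" ] || { echo "no sambaDomain entry under $BASE_DN" >&2; exit 1; }
    mappings_ldif "$sid" > samba-groups.ldif
    ldapadd -x -c -H "$LDAP_URI" -D "$ADMIN_DN" -W -f samba-groups.ldif
    net groupmap list    # Samba should now list the three mappings
fi
```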

Page refactoring in progress below this point

Configure Server to authenticate locally using LDAP

aptitude install libpam-ldap

Answer yes
Answer no
Enter the admin profile - cn=admin,dc=buster,dc=lan (replace with your domain structure)
Enter your admin password

vim /etc/pam.d/common-account

Add the following to the end of the file:

account         sufficient      pam_ldap.so
account         required        pam_unix.so     try_first_pass

vim /etc/pam.d/common-auth

Add the following line to the beginning of the file:

password sufficient pam_ldap.so

Restart ssh and samba:

/etc/init.d/ssh restart (if ssh is installed)
/etc/init.d/samba restart

Install nscd and add the password sync option to smb.conf:

aptitude install nscd
vim /etc/samba/smb.conf

Add the following line to the file:

ldap password sync=yes

Setup users in the Domain

Log back into phpLDAPadmin and create the following Samba3 Users under the users OU:

||First Name||Last Name||username||UID||SID ending||Group||Home Directory||
||Domain||Admin||administrator||10000||21000||admins||/home/buster/administrator||
||(your)||(name)||(username)||10001||21001||admins||/home/buster/(username)||

Verify that the new users are in the database:

getent passwd

Create the home directory:

mkdir /home/buster
mkdir /home/buster/(username)
cp /etc/skel/.* /home/buster/(username)
chown -R (username):users /home/buster/(username)

Create Machine accounts for domain members

Log back into phpLDAPadmin and create a Samba3 Machine entry under the machines OU:

||Machine Name||UID||
||(machinename)$||30000||

smbpasswd -a root

Enter your root password when prompted.

Join a Windows client to the domain

On your Windows machine, right-click "My Computer" and select "Properties".
On the name tab, select "Change".
Select the "Domain" radio button, enter buster.lan and click OK.
Enter root as the username.
Enter your root password.
You should see a "Welcome to the buster.lan domain" message. Reboot, and you can then log in with a user from your LDAP database.


CategoryNetwork | CategorySoftware | CategorySystemAdministration | CategoryObsolete | ToDo: merge with other Samba pages