Differences between revisions 38 and 39
Revision 38 as of 2021-01-17 16:45:11
Size: 6259
Editor: nodiscc
Comment: WIP refactor
Revision 39 as of 2021-01-17 16:55:48
Size: 6277
Editor: nodiscc
Comment: page refactoring complete, add TOC
Line 12: Line 12:

<<TableOfContents()>>
Line 135: Line 137:
{{{#!wiki note
Page refactoring in progress below this point
}}}
Line 158: Line 156:
== Create Machine accounts for domain members ==
log back into phpldapadmin and create the a Samba3 machines under the machines OU:
Line 161: Line 157:
||Machine Name||UID||
||(machinename)$||30000||
== Join Windows clients to the domain ==

 * Create the Samba 3 machine accounts under the {{{ou=machines}}} OU of your LDAP hierarchy:

{{{
Machine name: myclientmachine
UID: 30000
}}}

 * Make sure the Samba server root password is set, you will need it to join the machine to the domain:
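Review bot: the rewritten machine-account step drops the trailing `$` that the removed table kept (`(machinename)$`); Samba 3 machine (workstation trust) accounts are named with a `$` suffix, so `Machine name: myclientmachine` should read `myclientmachine$`, or the text should say that the entry is created as `myclientmachine$` with UID 30000.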
Line 167: Line 171:
enter your root password
Line 169: Line 172:
== Join a windows client to the domain ==
go to your windows machine and right-click on mycomputer and select properties<<BR>>
on the name tab select change<<BR>>
select the domain radio button and enter buster.lan and click ok<<BR>>
enter root for the username<<BR>>
enter your root password<<BR>>
you should see a welcome to the buster.lan domain message and then reboot and you can log in using user from your LDAP database.<<BR>>
 * Go to your windows machine, right-click `My Computer`, select `Properties`
 * On the `Name` tab select `Change`
 * Select the `Domain` radio button and enter `example.org`, click OK
 * You will be prompted for domain admin credentials to allow the machine to join the domain. Enter `root` for the username and the samba root password.
 * You should see a `Welcome to the example.org domain` message
 * Reboot and you can log in using user from your LDAP database.
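Review bot: this hunk renames the example domain from buster.lan to example.org, but the home directory paths elsewhere on the page (/home/buster/adminstrator, /home/buster/(username)) still carry the old name; rename them in the same pass so the walkthrough stays consistent. Also, "log in using user from your LDAP database" in the last bullet should read "log in using a user from your LDAP database".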
Line 179: Line 181:
CategoryNetwork | CategorySoftware | CategorySystemAdministration | CategoryObsolete | ToDo: merge with other [[Samba]] pages CategoryNetwork | CategorySoftware | CategorySystemAdministration


This page is a walkthrough of how to set up a Samba Windows NT-style Domain Controller with LDAP as an authentication mechanism.

Windows computers will be able to join the domain as they would a regular Windows NT domain. Users will be able to log on to the domain from Windows machines using the pGina client.

Note: the old, NT-style Domain Controller setup is not to be confused with the newer Samba/ActiveDirectoryDomainController setup available in Samba 4.

Requirements

Install Samba

We will now install Samba, which will be used to emulate a Windows NT server.

  • Install the samba package

  • Answer no when asked whether you want to modify smb.conf or not

  • Load the Samba schema into OpenLDAP:

gunzip -c /usr/share/doc/samba/examples/LDAP/samba.ldif.gz > samba.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f samba.ldif
  • Restart the LDAP server: systemctl restart slapd

Create the LDAP directory structure

ToDo: example adding OUs using ldapadd/ldif files

The Samba domain setup requires three OrganizationalUnit objects at the root of your LDAP hierarchy:

ou=users,dc=example,dc=org
ou=groups,dc=example,dc=org
ou=machines,dc=example,dc=org
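As an added example for the ToDo above (not part of the wiki page), the following POSIX shell script generates the LDIF for the three OUs and loads it with ldapadd. It assumes the page's base DN dc=example,dc=org and admin DN cn=admin,dc=example,dc=org, an OpenLDAP server listening on ldap://127.0.0.1/, and that the admin DN is allowed to write under the base; the function names and the --apply option are my own.

```shell
#!/bin/sh
# Added example (not from the Debian wiki page): generate the LDIF for the
# three OUs Samba needs and load it with ldapadd. The base DN and admin DN
# are the page's example values; replace them with your own.
set -eu

# Print LDIF for ou=users, ou=groups and ou=machines under the given base DN.
gen_ou_ldif() {
    base="$1"
    for ou in users groups machines; do
        printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' \
            "$ou" "$base" "$ou"
    done
}

# Count how many of the three OUs are present in LDIF read on stdin (the
# format ldapsearch -LLL prints), so a re-run can be detected before ldapadd
# fails with "Already exists".
count_existing_ous() {
    grep -cE '^dn: ou=(users|groups|machines),' || true
}

# Load the OUs with a simple bind as the directory admin (password prompted),
# then list the organizationalUnit entries to verify (1.1 = DNs only).
# Only runs when invoked as:
#   sh create_ous.sh --apply dc=example,dc=org cn=admin,dc=example,dc=org
if [ "${1:-}" = "--apply" ]; then
    base="$2"; admin_dn="$3"
    gen_ou_ldif "$base" | ldapadd -x -H ldap://127.0.0.1/ -D "$admin_dn" -W
    ldapsearch -x -LLL -H ldap://127.0.0.1/ -b "$base" \
        '(objectClass=organizationalUnit)' 1.1
fi
```

The schema load earlier on the page binds with SASL EXTERNAL over ldapi:///, which is the right choice for cn=config; for data under dc=example,dc=org the admin DN configured for that database is used instead, which is why the script binds with -D/-W.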

Configure Samba to use LDAP

  • Edit the samba server configuration file: nano /etc/samba/smb.conf

  • We will configure Samba to use the ldapsam account database backend. Replace the default passdb backend = tdbsam line with the following:

# which backend will be used for storing user/group information
passdb backend = ldapsam:ldap://127.0.0.1

# base for all ldap suffixes and for storing the sambaDomain object
ldap suffix = dc=example,dc=org
# where machines should be added to the ldap tree.
ldap machine suffix = ou=machines
# where users should be added to the ldap tree.
ldap user suffix = ou=users
# where groups should be added to the ldap tree.
ldap group suffix = ou=groups

# Distinguished Name (DN) used by Samba to bind to the LDAP server
# when retrieving user account information
ldap admin dn = cn=admin,dc=example,dc=org

# provide the netlogon service for Windows 9X network logons for the
# workgroup it is in.
domain logons = yes

# honor privileges assigned to specific SIDs via net rpc rights
enable privileges = yes
  • Test the configuration, store the password of the ldap admin dn account in Samba's secrets file (replace password with it) and restart the service:

testparm
smbpasswd -w password
systemctl restart samba
  • Using slapcat or ldapsearch, verify that a sambaDomain entry (carrying the domain SID in its sambaSID attribute) was added at the root of the LDAP tree. (ToDo: add example commands)

  • Create the following Samba 3 group mappings under ou=groups (512, 513 and 514 are the well-known RIDs of the Domain Admins, Domain Users and Domain Guests groups):

Unix/Windows Name: admins
GID: 20000
SID ending number: 512

Unix/Windows Name: users
GID: 20001
SID ending number: 513

Unix/Windows Name: guests
GID: 20002
SID ending number: 514
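The two ToDo items in this section, verifying the sambaDomain entry and creating the group mappings, are shown together in the following added example (my script, not the wiki page's). It reads the LDIF that ldapsearch prints for the sambaDomain entry, extracts the domain SID, and generates the three sambaGroupMapping entries with the page's GIDs and RIDs so that the SIDs are derived from the real domain SID rather than typed by hand. The base DN is the page's; the sample ldapsearch output and the SID in it are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the Debian wiki page): check that Samba wrote its
# sambaDomain entry to LDAP and generate the admins/users/guests group
# mappings as LDIF. Base DN, GIDs and RIDs are the page's values.
set -eu

# Extract the domain SID from the LDIF output of
#   ldapsearch -x -LLL -b dc=example,dc=org '(objectClass=sambaDomain)' sambaSID
# read on stdin. Prints nothing if no sambaDomain entry is present, which
# means smbd never bound to LDAP (check passdb backend and smbpasswd -w).
domain_sid_from_ldif() {
    sed -n 's/^sambaSID: \(S-1-5-21-[0-9-]*\)$/\1/p' | head -n 1
}

# Print LDIF for the three group mappings. RIDs 512, 513 and 514 are the
# well-known Domain Admins, Domain Users and Domain Guests RIDs, so each
# sambaSID is <domain SID>-<RID>. sambaGroupType 2 marks a domain group.
gen_groupmap_ldif() {
    base="$1"; dom_sid="$2"
    printf 'admins 20000 512 Domain Admins\nusers 20001 513 Domain Users\nguests 20002 514 Domain Guests\n' |
    while read -r name gid rid d1 d2; do
        printf 'dn: cn=%s,ou=groups,%s\n' "$name" "$base"
        printf 'objectClass: posixGroup\nobjectClass: sambaGroupMapping\n'
        printf 'cn: %s\ngidNumber: %s\n' "$name" "$gid"
        printf 'sambaSID: %s-%s\nsambaGroupType: 2\ndisplayName: %s %s\n\n' \
            "$dom_sid" "$rid" "$d1" "$d2"
    done
}

# Constructed sample of what ldapsearch prints for the sambaDomain entry
# (the SID is made up for this example).
SAMPLE_DOMAIN_LDIF='dn: sambaDomainName=EXAMPLE,dc=example,dc=org
sambaSID: S-1-5-21-1111111111-2222222222-3333333333
'

# Real use, on the Samba server:
#   SID="$(ldapsearch -x -LLL -H ldap://127.0.0.1/ -b dc=example,dc=org \
#          '(objectClass=sambaDomain)' sambaSID | domain_sid_from_ldif)"
#   [ -n "$SID" ] || { echo 'no sambaDomain entry found' >&2; exit 1; }
#   gen_groupmap_ldif dc=example,dc=org "$SID" | \
#       ldapadd -x -D cn=admin,dc=example,dc=org -W
#   net groupmap list     # should list the three mappings
```

net getlocalsid prints the same domain SID from Samba's side; if it differs from the sambaSID stored in LDAP, smbd is not using the ldapsam backend you configured.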

Configure authentication using LDAP

The server must be set up to allow local account authentication using accounts stored in LDAP.

  • Install the libnss-ldapd and libpam-ldapd packages. During installation, provide the following configuration:

    • ldap://127.0.0.1/ as LDAP server URI

    • dc=example,dc=org as search base

    • 3 as Samba version

    • cn=admin,dc=example,dc=org as the LDAP admin account (replace with your own value if different)

  • Restart the samba service: systemctl restart samba

  • Verify that the users, guests and admins groups are listed by running: getent group

See LDAP/NSS with libnss-ldapd and LDAP/PAM with libpam-ldapd for more information.

To improve performance, you may set up nscd to cache account information locally so that the LDAP server is not queried on every operation. In addition you must then set the following in /etc/samba/smb.conf:

# sync the LDAP password with the NT and LM hashes for normal accounts
# (NOT for workstation, server or domain trusts) on a password change via SAMBA.
ldap passwd sync = yes

Set up users in the domain

Log back into phpldapadmin and create the following Samba 3 users under the users OU:

First Name   Last Name   username        UID     SID ending   Group    Home Directory
Domain       Admin       administrator   10000   21000        admins   /home/buster/administrator
(your)       (name)      (username)      10001   21001        admins   /home/buster/(username)

Verify that the new users are in the database:

getent passwd

Create the user's home directory (copying /etc/skel/. rather than /etc/skel/.* avoids matching the . and .. entries):

mkdir -p /home/buster/(username)
cp -Rp /etc/skel/. /home/buster/(username)
chown -R (username):users /home/buster/(username)

Join Windows clients to the domain

  • Create the Samba 3 machine accounts under the ou=machines OU of your LDAP hierarchy:

Machine name: myclientmachine
UID: 30000
  • Make sure the Samba password of the root account is set; you will need it to join the machine to the domain:

smbpasswd -a root
  • Go to your windows machine, right-click My Computer, select Properties

  • On the Name tab select Change

  • Select the Domain radio button and enter example.org, click OK

  • You will be prompted for domain admin credentials to allow the machine to join the domain. Enter root for the username and the samba root password.

  • You should see a Welcome to the example.org domain message

  • Reboot; you can then log in with a user from your LDAP database.


CategoryNetwork | CategorySoftware | CategorySystemAdministration