Samba/DcWithLdapBackend

Translation(s): English - ?Português Brasileiro

This page is a walkthrough of how to set up a Samba Windows NT-style Domain Controller with LDAP as an authentication mechanism.

Windows computers will be able to join the domain as they would a regular Windows NT domain. Users will be able to log on to the domain from Windows machines using the pGina client.

Note: the old, NT-style Domain Controller setup is not to be confused with the newer Samba/ActiveDirectoryDomainController setup available in Samba 4.

Page refactoring in progress below this point

Requirements

Setup the OpenLDAP (slapd) server
Optionally, setup a LDAP directory management utility (for example PhpLdapAdmin)

Install Samba

We will now install Samba that will be used to emulate a Windows NT server

aptitude install samba samba-doc

Enter your domain name when prompted ex. buster.lan
Answer NO when asked whether you want to modify smb.conf or not

Now install and edit the schema example that comes with LDAP

cd /usr/share/doc/samba-doc/examples/LDAP
gunzip samba.schema.gz
cp samba.schema /etc/ldap/schema/
vim /etc/ldap/slapd.conf

add this line after the other include lines:

include         /etc/ldap/schema/samba.schema

Now restart LDAP

/etc/init.d/slapd restart

Configure the Domain structure in LDAP

Through our PHPLDAPADMIN we are going to configure the domain.
open a webbrowser and go to: https://pdc/phpldapadmin/ (replace pdc with your server name or IP, replace https with http if phpldapadmin does not use SSL)
login with the following user:

cn=admin,dc=buster,dc=lan

use the password entered when you installed LDAP
expand the root node and then click on “Create new entry here”
select OU and click “proceed”
enter users for the OU name and click “Create object”
repeat the previous three steps and create two other OUs called “groups” and “machines”

Configure Samba to use LDAP

Now configure Samba to use LDAP.

vim /etc/samba/smb.conf

find:

passdb backend=tdsam

and replace it with:

passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=buster,dc=lan
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap admin dn = cn=admin,dc=nomis52,dc=net
ldap delete dn = no

# be a PDC
domain logons = yes

# allow user privileges
enable privileges = yes

Testing the configuration

make sure testparm executes successfully:

testparm

Set the samba password and restart samba

smbpasswd -w password
/etc/init.d/samba restart

Log back into phpldapadmin and verify that the ?DomainName record exists below the root
create the following Samba3 Mappings under the groups OU:<<BR>>

Unix/Windows Name	GID	SID ending number
admins	20000	512
users	20001	513
guests	20002	514

aptitude install libnss-ldap

Enter the server name as ldap://127.0.0.1/ when prompted
put in the search base as dc=buster,dc=lan (replace with your domain structure)
put in the samba version as 3
enter the admin profile as cn=admin,dc=buster,dc=lan (replace with your domain structure)
enter the admin password
accept with OK

vim /etc/nsswitch.conf

add “ldap” after every compat

verify that users, guests, and admins exist by executing:

getent group

Configure Server to authenticate locally using LDAP

aptitude install libpam-ldap

Answer yes
Answer no
Enter the admin profile - cn=admin,dc=buster,dc=lan (replace with your domain structure)
Enter your admin password

vim /etc/pam.d/common-account

add the following to the end of the file:

account         sufficient      pam_ldap.so
account         required        pam_unix.so     try_first_pass

vim /etc/pam.d/common-auth

add the following line to the beginning of the file:

password sufficient pam_ldap.so

restart ssh and samba

/etc/init.d/ssh restart (if ssh is installed)
/etc/init.d/samba restart

install nscd

aptitude install nscd
vim /etc/samba/smb.conf

add the following line to the file:

ldap password sync=yes

Setup users in the Domain

log back into phpldapadmin and create the following Samba3 Users under the users OU:

First Name	Last Name	username	UID	SID ending	Group	Home Directory
Domain	Admin	adminstrator	10000	21000	admins	/home/buster/adminstrator
(your)	(name)	(username)	10001	21001	admins	/home/buster/(username)

verify the new users are in the database:

getent passwd

create home directory

mkdir /home/buster
mkdir /home/buster/(username)
cp /etc/skel/.* /home/buster/(username)
chown -R (username):users /home/buster/(username)

Create Machine accounts for domain members

log back into phpldapadmin and create the a Samba3 machines under the machines OU:

Machine Name	UID
(machinename)$	30000

smbpwd -a root

enter your root password

Join a windows client to the domain

go to your windows machine and right-click on mycomputer and select properties
on the name tab select change
select the domain radio button and enter buster.lan and click ok
enter root for the username
enter your root password
you should see a welcome to the buster.lan domain message and then reboot and you can log in using user from your LDAP database.

CategoryNetwork | CategorySoftware | CategorySystemAdministration | CategoryObsolete | ToDo: merge with other Samba pages

SambaDcWithLdapBackend