
This page is a walkthrough of how to set up a Samba Windows NT-style Domain Controller with LDAP as an authentication mechanism.

Windows computers will be able to join the domain as they would a regular Windows NT domain. Users will be able to log on to the domain from Windows machines using the pGina client.

Note: the old, NT-style Domain Controller setup is not to be confused with the newer Samba/ActiveDirectoryDomainController setup available in Samba 4.

Requirements

Install Samba

We will now install Samba, which will be used to emulate a Windows NT server. After the package is installed, load the Samba schema it ships with into the slapd configuration, so that the sambaDomain, sambaSamAccount and sambaGroupMapping object classes become available:

gunzip -c /usr/share/doc/samba/examples/LDAP/samba.ldif.gz > samba.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f samba.ldif

Create the LDAP directory structure

The Samba domain setup requires three OrganizationalUnit objects at the root of your LDAP hierarchy:

ou=users,dc=example,dc=org
ou=groups,dc=example,dc=org
ou=machines,dc=example,dc=org

Adding these entries can be done with:

ldapadd -H ldapi:/// -D cn=admin,dc=example,dc=org -W <<EOF
dn: ou=users,dc=example,dc=org
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=example,dc=org
objectClass: organizationalUnit
ou: groups

dn: ou=machines,dc=example,dc=org
objectClass: organizationalUnit
ou: machines
EOF

Configure Samba to use LDAP

Add the following settings to the [global] section of /etc/samba/smb.conf:

# which backend will be used for storing user/group information
passdb backend = ldapsam:ldap://127.0.0.1

# base for all ldap suffixes and for storing the sambaDomain object
ldap suffix = dc=example,dc=org
# where machines should be added to the ldap tree.
ldap machine suffix = ou=machines
# where users should be added to the ldap tree.
ldap user suffix = ou=users
# where groups should be added to the ldap tree.
ldap group suffix = ou=groups

# Distinguished Name (DN) used by Samba to contact the LDAP server
# when retrieving user account information
ldap admin dn = cn=admin,dc=example,dc=org


# provide the netlogon service for Windows 9X network logons for the
# workgroup it is in.
domain logons = yes

# honor privileges assigned to specific SIDs via net rpc rights
enable privileges = yes

Check the configuration, store the password of the ldap admin dn in Samba's secrets.tdb (replace "password" with the real one), and restart both daemons:

testparm
smbpasswd -w password
service smbd restart
service nmbd restart

Create the following groups in LDAP. The SID of each group is the domain SID (see "net getlocalsid") followed by the ending number; 512, 513 and 514 are the well-known RIDs of Domain Admins, Domain Users and Domain Guests.

Unix/Windows Name   GID     SID ending number
admins              20000   512
users               20001   513
guests              20002   514

Configure authentication using LDAP

The server must be set up to allow local account authentication using accounts stored in LDAP.

See LDAP/NSS with libnss-ldapd and LDAP/PAM with libpam-ldapd for more information.

To improve performance, you may set up nscd to cache account information locally so that the LDAP server is not queried on every operation. In addition you must then set the following in /etc/samba/smb.conf:

# sync the LDAP password with the NT and LM hashes for normal accounts
# (NOT for workstation, server or domain trusts) on a password change via SAMBA.
ldap passwd sync = yes

Setup users in the Domain

First Name   Last Name   Username        UID     SID ending   Group    Home directory
Domain       Admin       administrator   10000   21000        admins   /home/example.org/administrator
My           Name        my.name         10001   21001        admins   /home/example.org/my.name

Check that the new accounts are visible to the system through NSS:

getent passwd

Then create the home directory, populate it from /etc/skel (including dotfiles) and hand it over to the user:

mkdir -p /home/example.org/my.name
cp -a /etc/skel/. /home/example.org/my.name/
chown -R my.name:users /home/example.org/my.name

Join Windows clients to the domain

Machine name: myclientmachine
UID: 30000

Give root a Samba password; this is the account whose credentials are entered on the Windows client when it joins the domain:

smbpasswd -a root
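The groups, users and machine account listed in the three sections above all end up as LDAP entries whose sambaSID is the domain SID followed by the ending number (RID). The script below, an added example that is not part of the original page or of the Samba project, generates that LDIF so it can be piped into ldapadd. It assumes the base DN and ou= names used on this page; DOMAIN_SID is a constructed placeholder that must be replaced by the output of "net getlocalsid" on the Samba server, and the machine account's RID (61000) and primary group (users) are assumptions, since the page gives neither. Accounts are created without password hashes; set them afterwards with "smbpasswd -a USERNAME", which with "ldap passwd sync = yes" also updates userPassword.

```shell
#!/bin/sh
# Added example: emit LDIF for the groups, users and machine account of this page.
# DOMAIN_SID below is a constructed placeholder; replace it with `net getlocalsid`.
BASE_DN="dc=example,dc=org"
DOMAIN_SID="${DOMAIN_SID:-S-1-5-21-1111111111-2222222222-3333333333}"

# group_ldif NAME GID RID: posixGroup mapped to a domain group (sambaGroupType 2)
group_ldif() {
    printf 'dn: cn=%s,ou=groups,%s\n' "$1" "$BASE_DN"
    printf 'objectClass: posixGroup\n'
    printf 'objectClass: sambaGroupMapping\n'
    printf 'cn: %s\n' "$1"
    printf 'gidNumber: %s\n' "$2"
    printf 'sambaSID: %s-%s\n' "$DOMAIN_SID" "$3"
    printf 'sambaGroupType: 2\n'
    printf 'displayName: %s\n\n' "$1"
}

# user_ldif USERNAME UID RID GIVENNAME SURNAME PRIMARY_GID PRIMARY_GROUP_RID
# Normal user account ([U] flag); no password hash is written here.
user_ldif() {
    printf 'dn: uid=%s,ou=users,%s\n' "$1" "$BASE_DN"
    printf 'objectClass: inetOrgPerson\n'
    printf 'objectClass: posixAccount\n'
    printf 'objectClass: shadowAccount\n'
    printf 'objectClass: sambaSamAccount\n'
    printf 'uid: %s\n' "$1"
    printf 'cn: %s %s\n' "$4" "$5"
    printf 'givenName: %s\n' "$4"
    printf 'sn: %s\n' "$5"
    printf 'uidNumber: %s\n' "$2"
    printf 'gidNumber: %s\n' "$6"
    printf 'homeDirectory: /home/example.org/%s\n' "$1"
    printf 'loginShell: /bin/bash\n'
    printf 'sambaSID: %s-%s\n' "$DOMAIN_SID" "$3"
    printf 'sambaPrimaryGroupSID: %s-%s\n' "$DOMAIN_SID" "$7"
    printf 'sambaAcctFlags: [U          ]\n\n'
}

# machine_ldif NAME UID RID GID: workstation trust account NAME$ ([W] flag),
# with no usable shell or home directory so it cannot log in interactively.
machine_ldif() {
    printf 'dn: uid=%s$,ou=machines,%s\n' "$1" "$BASE_DN"
    printf 'objectClass: account\n'
    printf 'objectClass: posixAccount\n'
    printf 'objectClass: sambaSamAccount\n'
    printf 'uid: %s$\n' "$1"
    printf 'cn: %s$\n' "$1"
    printf 'uidNumber: %s\n' "$2"
    printf 'gidNumber: %s\n' "$4"
    printf 'homeDirectory: /dev/null\n'
    printf 'loginShell: /bin/false\n'
    printf 'sambaSID: %s-%s\n' "$DOMAIN_SID" "$3"
    printf 'sambaAcctFlags: [W          ]\n\n'
}

# all_entries: the complete LDIF for the objects listed on this page
all_entries() {
    group_ldif admins 20000 512
    group_ldif users  20001 513
    group_ldif guests 20002 514
    user_ldif administrator 10000 21000 Domain Admin 20000 512
    user_ldif my.name       10001 21001 My     Name  20000 512
    # RID 61000 and primary group "users" (GID 20001) are assumptions
    machine_ldif myclientmachine 30000 61000 20001
}

# Usage: all_entries | ldapadd -H ldapi:/// -D cn=admin,dc=example,dc=org -W
```

Object classes are chosen so that each entry has exactly one structural class (inetOrgPerson, posixGroup or account) plus the auxiliary Samba and POSIX classes; slapd will reject the entry otherwise. Verify the result with "getent passwd" and "net groupmap list" before pointing Windows clients at the domain.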

