Samba as a PDC for pre 2k domain
In summary, our setup should meet the following requirements:
- An Active Directory (ADS) domain controller is not supported; this is an NT4-style (pre-2k) domain
- The domain user DB is stored in LDAP
- User entries are shared with UNIX (one LDAP entry serves both)
- User passwords for Windows and Linux are kept synchronized
- Domain groups are supported
Storing the user DB in LDAP has a number of benefits: it can replace NIS, and the same DB can be replicated to other Samba BDCs if you choose to set them up.
Preparation
You should install OpenLDAP with the proper schemas included, set up the necessary ACLs, and install pam_ldap (optional) and nss_ldap (required). For details, refer to the following posts:
More configuration on OpenLDAP for Samba
Schema setup
Your OpenLDAP should already include the following schemas:
- core
- cosine
- inetorgperson
- nis
You should add the Samba schema, /usr/doc/samba-3.5.10/examples/LDAP/samba.schema, to your LDAP.
OpenLDAP has recently moved its configuration backend from a flat file into LDAP itself (cn=config). You can't simply put 'include /usr/doc/samba-3.5.10/examples/LDAP/samba.schema' into slapd.conf to make the schema available.
The following steps convert samba.schema into LDIF so that it can be imported into the configuration backend.
- mkdir tmp.d
- Create the file samba-config.conf with the following lines (the order matters: slaptest numbers the converted schemas by include order, which is where the {4} below comes from)
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
include /usr/doc/samba-3.5.10/examples/LDAP/samba.schema
- Execute the following
/usr/local/openldap/sbin/slaptest -f samba-config.conf -F ./tmp.d
- The converted Samba schema is now in 'tmp.d/cn=config/cn=schema/cn={4}samba.ldif'. Change the dn and cn in the LDIF file as follows (the {4} ordering prefix must go, and the dn must become the full DN under cn=config):
dn: cn=samba,cn=schema,cn=config
...
cn: samba
and remove the following operational attributes from the LDIF file (slapd generates them itself on import; the values on your system will differ):
structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z
- Import the LDIF into cn=config, binding as the cn=config root DN with its password (xxxx below). -x selects a simple bind; without it ldapadd attempts SASL and the bind fails on most builds:
ldapadd -x -h 127.0.0.1 -D 'cn=Manager,cn=config' -w xxxx -f './tmp.d/cn=config/cn=schema/cn={4}samba.ldif'
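The whole conversion as one shell script, added here as an example and not part of the original post: clean_schema_ldif() performs the dn/cn edit and the attribute removal above with sed, and import_samba_schema() wraps slaptest and ldapadd around it. The paths are the post's; the function names and the SAMBA_CONFIG_PW environment variable are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the samba.schema conversion as
# one script. Paths are the ones used in the post; the function names and the
# SAMBA_CONFIG_PW variable are assumptions made for this example.
set -eu

# Rewrite the slaptest output for samba.schema so that ldapadd accepts it
# under cn=config: drop the {N} ordering prefix from dn and cn, give the dn
# its full parent, and delete the operational attributes slaptest generated.
# Reads the LDIF named in $1 and writes the cleaned LDIF to stdout.
clean_schema_ldif() {
    sed -e 's/^dn: cn={[0-9]*}samba$/dn: cn=samba,cn=schema,cn=config/' \
        -e 's/^cn: {[0-9]*}samba$/cn: samba/' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d' \
        "$1"
}

# End-to-end: write the temporary slapd.conf, run slaptest, clean the result
# and load it into cn=config. The cn=config rootpw is read from the
# environment (SAMBA_CONFIG_PW, an assumption) rather than typed on the
# command line, where it would land in shell history. Run as root on the
# directory server; it is not executed as part of this example.
import_samba_schema() {
    schema_dir=/usr/local/openldap/etc/openldap/schema
    samba_schema=/usr/doc/samba-3.5.10/examples/LDAP/samba.schema
    work=$(mktemp -d)
    mkdir "$work/slapd.d"
    {
        for s in core cosine inetorgperson nis; do
            echo "include $schema_dir/$s.schema"
        done
        echo "include $samba_schema"
    } > "$work/samba-config.conf"
    /usr/local/openldap/sbin/slaptest -f "$work/samba-config.conf" -F "$work/slapd.d"
    # samba.schema is the fifth include, so slaptest names it cn={4}samba.ldif
    clean_schema_ldif "$work/slapd.d/cn=config/cn=schema/cn={4}samba.ldif" \
        > "$work/samba.ldif"
    # -x: simple bind as the cn=config root DN (no SASL)
    ldapadd -x -H ldap://127.0.0.1 -D 'cn=Manager,cn=config' \
        -w "$SAMBA_CONFIG_PW" -f "$work/samba.ldif"
    rm -rf "$work"
}
```

clean_schema_ldif() can be run on its own against the file slaptest produced to eyeball the result before importing; the first line of its output should read dn: cn=samba,cn=schema,cn=config and none of the seven operational attributes should remain.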
Index setup
You may use the following index configuration (olcDbIndex values on the database entry in cn=config) as a reference. The sambaSID index in particular matters: Samba resolves users and groups by SID on almost every operation, and an unindexed equality search is slow on a large directory and is logged by slapd as such.
olcDbIndex: objectClass pres,eq
olcDbIndex: uid pres,eq,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: cn pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: displayName pres,eq,sub
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
Create Samba Manager in LDAP
- Create a security object in LDAP that Samba will bind as to read and update the directory (the {SSHA} value below is a placeholder; generate your own with slappasswd):
dn: cn=sambaManager,ou=systemObject,dc=example,dc=net
objectClass: top
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: sambaManager
userPassword: {SSHA}fdshfjhfjkwefsfdsf
- Set up the ACL in LDAP for sambaManager. Suggested ACL (the other manager DNs are the ones from the OpenLDAP posts referenced above). Note that replace: olcAccess discards every olcAccess value the database already has, so merge any existing rules into this list rather than applying it blindly:
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword
 by self write
 by dn="cn=libnssManager,ou=systemObject,dc=..." read
 by dn="cn=sambaManager,ou=systemObject,dc=..." write
 by anonymous auth
 by * none
olcAccess: to attrs=sambaLMPassword,sambaNTPassword
 by self write
 by dn="cn=sambaManager,ou=systemObject,dc=..." write
 by * none
olcAccess: to *
 by self write
 by dn="cn=sambaManager,ou=systemObject,dc=..." write
 by dn="cn=libnssManager,ou=systemObject,dc=..." read
 by dn="cn=pamManager,ou=systemObject,dc=..." read
 by dn="cn=squidCacheManger,ou=systemObject,dc=..." read
 by dn="cn=readOnlyAccess,ou=systemObject,dc=..." read
 by users read
 by anonymous auth
 by * none
The second rule is the important one. sambaNTPassword is the NT hash, which is password-equivalent (it can be used directly to authenticate with NTLM), and sambaLMPassword is weaker still, so nobody but the user and sambaManager may write it and nobody else may even read it. The last rule's "by users read" lets every authenticated user read everything else, which is what nss_ldap needs. After applying the ACL, bind as an ordinary user and as anonymous and confirm that a search requesting sambaLMPassword and sambaNTPassword returns no values.
smbldap-tools
A set of Perl scripts that maintain the LDAP user database; the add/delete user and group scripts in smb.conf below call them. Download the tools from their website and install them with the following steps (the --prefix is optional, but the paths used in smb.conf below assume it):
./configure --prefix=/usr/local/smbldap
make
make install
Samba installation & configuration
After finishing the LDAP preparation, you can compile and install Samba from source yourself or, as in my setup, simply configure the Samba package that ships with the Slackware distribution.
Sample /etc/samba/smbusers (maps Windows account names on the left-hand side's UNIX user)
root = administrator admin
nobody = guest pcguest smbguest
Sample /etc/samba/smb.conf
[global]
username map = /etc/samba/smbusers
workgroup = EXAMPLE
netbios name = machine1
security = user
domain master = yes
local master = yes
preferred master = yes
os level = 65
#hosts allow = 127.0.0.1 192.168.0.0/16
#hosts deny = 0.0.0.0/0
interfaces = eth0 lo
bind interfaces only = yes
name resolve order = wins lmhosts hosts bcast
domain logons = yes
winbind enum groups = yes
winbind enum users = yes
encrypt passwords = true
add user script = /usr/local/smbldap/sbin/smbldap-useradd -m '%u' -t 1
rename user script = /usr/local/smbldap/sbin/smbldap-usermod -r '%unew' '%uold'
delete user script = /usr/local/smbldap/sbin/smbldap-userdel '%u'
set primary group script = /usr/local/smbldap/sbin/smbldap-usermod -g '%g' '%u'
add group script = /usr/local/smbldap/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/local/smbldap/sbin/smbldap-groupdel '%g'
add user to group script = /usr/local/smbldap/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/local/smbldap/sbin/smbldap-groupmod -x '%u' '%g'
add machine script = /usr/local/smbldap/sbin/smbldap-useradd -w '%u' -t 1
passdb backend = ldapsam:ldap://127.0.0.1
# must be the suffix under which ou=systemObject, ou=people etc. live
ldap suffix = dc=example,dc=net
ldap user suffix = ou=people
ldap group suffix = ou=group
ldap machine suffix = ou=computers
ldap idmap suffix = ou=idmap
ldap admin dn = cn=sambaManager,ou=systemObject,dc...
# a plaintext bind is acceptable only because slapd is reached over loopback;
# use "ldap ssl = start tls" if the directory is on another host
ldap ssl = off
# also rewrite userPassword when a user changes the Windows password, which
# is what keeps the Windows and Linux passwords synchronized
ldap passwd sync = yes
ldap delete dn = no
idmap backend = tdb
idmap uid = 500001-600000
idmap gid = 500001-600000
# our own domain: uid/gid come from the LDAP entries via NSS, not from idmap
idmap config EXAMPLE : backend = nss
idmap config EXAMPLE : range = 50000-500000
logon path = \\%L\profiles\%U\%a
logon home = \\%L\%U\.9xprofile
logon drive = P:
log file = /var/log/samba/samba.log
log level = 1
max log size = 1024
debug timestamp = yes
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
browseable = No
read only = yes
[homes]
comment = Home Directory
read only = No
browseable = No
valid users = %S
[profiles]
comment = Network Profiles Share
path = /var/lib/samba/profiles
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
browseable = no
guest ok = no
printable = no
profile acls = yes
csc policy = disable
Create the necessary directories
mkdir -p /var/lib/samba/netlogon/scripts
mkdir -p /var/lib/samba/profiles
chown root:root /var/lib/samba/profiles
chmod 1777 /var/lib/samba/profiles
The sticky bit on the profiles directory lets every user create their own profile directory while preventing them from removing anyone else's; the create mask and directory mask on the [profiles] share keep each profile readable by its owner only.
Initialize and run your Samba for the first time
Your Samba may have been started before and left cached data or other state behind. The following procedure removes all of that cache and all of the Samba databases, including secrets.tdb, which holds the domain SID. Execute it with CAUTION and make sure you understand what it does.
- sh /etc/rc.d/rc.samba stop
- kill `cat /var/run/winbindd.pid`
- rm -rf /var/cache/samba/*
- rm -rf /etc/samba/private/* (this removes secrets.tdb, so a new domain SID is generated at the next start; SIDs already stored in LDAP from an earlier run will no longer match it)
- smbpasswd -w xxxx (stores the sambaManager password, the 'ldap admin dn' credential, in secrets.tdb; xxxx is the password itself, so keep this command out of the shell history)
- sh /etc/rc.d/rc.samba start
- Run smbldap-config.cmd in the smbldap-tools source directory to configure your smbldap installation (for Slackware, you may use CRYPT as the password encryption and %2s as the crypt salt format). It writes smbldap_bind.conf, which contains the sambaManager password and must stay readable by root only.
- /usr/local/smbldap/sbin/smbldap-populate (initializes the domain with the necessary groups and users)
- sh /etc/rc.d/rc.samba restart
- winbindd
Your initial configuration is now finished. You can go on to the other posts about managing your domain user DB and groups. The following commands help you verify that the setup works:
net groupmap list (shows the group mapping between Samba and your Linux groups)
pdbedit -Lv (lists the Samba users stored in LDAP)
net rpc group list (lists all domain/local groups known to Samba)
net rpc user (lists all domain users)
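A check worth adding to the list above, given as an example that is not part of the original post: deleting /etc/samba/private/* regenerates the domain SID, and group mappings that smbldap-populate stored in LDAP under an earlier SID silently stop matching. This script compares the SID printed by net getlocalsid with the SIDs in net groupmap list and requires the well-known RIDs 512, 513 and 514 (Domain Admins, Domain Users, Domain Guests) to be mapped under it. The parsed output formats are those of the two net subcommands; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity check for the first
# start. Deleting /etc/samba/private/* regenerates the domain SID, so every
# group mapping smbldap-populate wrote into LDAP must carry the SID that
# secrets.tdb holds now. Function names are assumptions made for this example.
set -eu

# Pull the SID out of `net getlocalsid` output on stdin, e.g.
#   SID for domain MACHINE1 is: S-1-5-21-111-222-333
# Prints nothing if the line is not there.
local_sid() {
    sed -n 's/^SID for domain .* is: \(S-1-5-21-[0-9-]*\)$/\1/p'
}

# Read `net groupmap list` output on stdin, lines like
#   Domain Admins (S-1-5-21-111-222-333-512) -> Domain Admins
# and return 0 only if the well-known RIDs 512 (Domain Admins), 513 (Domain
# Users) and 514 (Domain Guests) are all mapped under the SID given in $1.
groupmap_ok() {
    sid=$1
    maps=$(cat)
    for rid in 512 513 514; do
        printf '%s\n' "$maps" | grep -q "($sid-$rid) ->" || return 1
    done
    return 0
}

# Run both net commands on the PDC and report. Not executed as part of this
# example; call check_domain_sid as root after smbd is up.
check_domain_sid() {
    sid=$(net getlocalsid | local_sid)
    if [ -z "$sid" ]; then
        echo "no local SID: secrets.tdb missing or smbd not started yet?" >&2
        return 1
    fi
    if net groupmap list | groupmap_ok "$sid"; then
        echo "Domain Admins/Users/Guests are mapped under $sid"
    else
        echo "Domain Admins/Users/Guests missing or mapped under a stale SID;" \
             "re-run smbldap-populate or fix sambaSID in LDAP" >&2
        return 1
    fi
}
```

A failure here right after smbldap-populate usually means populate ran against a secrets.tdb from a previous installation, or that smbd was not running when smbldap-config.cmd fetched the SID; in both cases the sambaSID values in LDAP and the SID in secrets.tdb disagree and domain logons will fail.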