Samba PDC with LDAP backend
General Information
Build a Samba PDC on FreeBSD with an LDAP backend. This will not let you authenticate ssh users; it is just a plain Samba server for your Windows clients.
This howto uses FreeBSD 8.1 amd64 with a ports tree dated 2010-10-12.
Requirements
Shell access is assumed. You should perform the following as root.
Installation
First we are going to install all the required ports, so make sure your ports tree is up to date.
Server info
The name of the server in this HOW TO is smb-server01
The domain name is testdomain.com
So the FQDN is smb-server01.testdomain.com
Your /etc/hosts file should look like the following.
Code:
::1 localhost localhost.smbdomain.local
127.0.0.1 localhost localhost.smbdomain.local
192.168.3.10 smb-server01.testdomain.com smb-server01
192.168.3.10 smb-server01.testdomain.com.
Ports we need to install
1. lang/perl5.12
2. net/openldap24-server
3. print/cups-base
4. net/samba34
5. net/nss-ldap
6. net/smbldap-tools
First install perl
You can accept the default selected options
Code:
# cd /usr/ports/lang/perl5.12
# make install clean
Install OpenLDAP server
You can accept the default selected options
Code:
# cd /usr/ports/net/openldap24-server
# make install clean
Install cups-base
You can accept the default selected options
Ghostscript will also ask for config options; do not select X, and set the default page size to A4 if you use A4 as default.
Code:
# cd /usr/ports/print/cups-base
# make install clean
Installing samba
Code:
# cd /usr/ports/net/samba34
# make install clean
Select the settings shown below.
Code:
+------------------------------+
Options for samba34 3.4.9
+------------------------------+
[X] LDAP With LDAP support
[X] ADS With Active Directory support
[X] CUPS With CUPS printing support
[X] WINBIND With WinBIND support
[ ] SWAT With SWAT WebGUI
[X] ACL_SUPPORT With ACL support
[X] AIO_SUPPORT With Asyncronous IO support
[ ] FAM_SUPPORT With File Alteration Monitor
[X] SYSLOG With Syslog support
[X] QUOTAS With Disk quota support
[X] UTMP With UTMP accounting support
[ ] PAM_SMBPASS With PAM authentication vs passdb backends
[ ] DNSUPDATE With dynamic DNS update(require ADS)
[ ] AVAHI With Bonjour service discovery support
[ ] EXP_MODULES With experimental modules
[X] POPT With system-wide POPT library
[ ] MAX_DEBUG With maximum debugging
[ ] SMBTORTURE With smbtorture
+-------------------------------+
[ OK ] Cancel
+-------------------------------+
Install nss_ldap
You can accept the default selected options.
Code:
# cd /usr/ports/net/nss_ldap/
# make install clean
Install smbldap-tools
You can accept the default selected options.
Code:
# cd /usr/ports/net/smbldap-tools
# make install clean
Configuration
Prepare the openldap config file (/usr/local/etc/openldap/slapd.conf)
First we need to create a hashed password for the OpenLDAP server (the rootdn).
Code:
# slappasswd -s very-secure-password
{SSHA}2pCGrVMhMh3cC+LakUXApebb9jwICf5e
NOTE: copy the output!
Open the /usr/local/etc/openldap/slapd.conf file and make sure it looks like the following.
Fill in the output from slappasswd at rootpw!
Code:
# vi /usr/local/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/samba.schema
loglevel 256
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
#moduleload back_bdb
###########################
# BDB database definitions
###########################
database bdb
suffix "dc=testdomain,dc=com"
rootdn "cn=Manager,dc=testdomain,dc=com"
#rootpw = very-secure-password
rootpw {SSHA}2pCGrVMhMh3cC+LakUXApebb9jwICf5e
directory /usr/local/var/db/openldap-data
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
On some systems it is necessary to uncomment the moduleload back_bdb line.
This is the case if the slapd daemon will not start and gives an error like the one below.
Code:
Starting slapd.
Unrecognized database type (bdb)
/usr/local/etc/rc.d/slapd: WARNING: failed to start slapd
Also we need to copy the samba schema to its final directory.
Code:
# cp /usr/local/share/examples/samba34/LDAP/samba.schema /usr/local/etc/openldap/schema/
Now we need to create and copy some files. First we create the database directory of OpenLDAP.
In this case it will be /usr/local/var/db/openldap-data.
If you want another location, change the directory directive in the slapd.conf file.
We also set the right permissions on the directory and files of OpenLDAP.
Code:
# mkdir -p /usr/local/var/db/openldap-data
# cp /usr/local/etc/openldap/DB_CONFIG.example /usr/local/var/db/openldap-data/DB_CONFIG
# chown -R ldap:ldap /usr/local/var/db/openldap-data
# chown -R ldap:ldap /usr/local/etc/openldap/
# chmod -R 0700 /usr/local/var/db/openldap-data
# chmod 0400 /usr/local/etc/openldap/slapd.conf
Now we want to make sure slapd logs to syslog. Add the following lines to the file /etc/syslog.conf.
Code:
!slapd
*.* /var/log/slapd.log
Now we create the log file and restart the syslog daemon.
Code:
# touch /var/log/slapd.log
# /etc/rc.d/syslogd restart
nss_ldap.conf
Make sure the file /usr/local/etc/nss_ldap.conf looks like the following.
Code:
uri ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://192.168.3.10/ ldap://127.0.0.1/
base dc=testdomain,dc=com
bind_policy soft
bind_timelimit 10
host localhost
idle_timelimit 3600
ldap_version 3
nss_base_group ou=Groups,dc=testdomain,dc=com?one
nss_base_passwd ou=People,dc=testdomain,dc=com?one
nss_base_passwd ou=Computers,dc=testdomain,dc=com?one
nss_base_shadow ou=People,dc=testdomain,dc=com?one
nss_connect_policy persist
nss_paged_results yes
pagesize 1000
port 389
scope one
timelimit 30
Now we link the file /usr/local/etc/nss_ldap.conf to /usr/local/etc/openldap/ldap.conf and /usr/local/etc/ldap.conf.
Code:
# rm /usr/local/etc/openldap/ldap.conf
# ln -s /usr/local/etc/nss_ldap.conf /usr/local/etc/openldap/ldap.conf
# ln -s /usr/local/etc/nss_ldap.conf /usr/local/etc/ldap.conf
To make sure the slapd daemon (the OpenLDAP server) starts at reboot, we need to edit the /etc/rc.conf file.
Add the following to the /etc/rc.conf file
Code:
#enable slapd
slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://127.0.0.1/ ldap://192.168.3.10/"'
slapd_sockets="/var/run/openldap/ldapi"
And we try to start it!
Code:
# /usr/local/etc/rc.d/slapd start
Starting slapd.
# ps ax | grep slap
11383 ?? Ss 0:00,01 /usr/local/libexec/slapd -h ldapi://%2fvar
11385 p2 S+ 0:00,00 grep slap
/etc/nsswitch.conf
Edit the /etc/nsswitch.conf file and change compat to files ldap on the group: and passwd: lines. The file looks like this after editing.
Code:
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
Samba
All my data (shares) and other Samba related files, like the username map, are in /usr/local/var/samba. So first we create that directory.
Code:
# mkdir /usr/local/var/samba
We also create a username map file named usermap.
Code:
# vi /usr/local/var/samba/usermap
root = administrator
To create the following /usr/local/etc/smb.conf file, you must remove or empty the original one.
Make sure you replace bge0 with your own network interface, or comment out the lines interfaces = and bind interfaces only =.
Code:
# rm /usr/local/etc/smb.conf
# vi /usr/local/etc/smb.conf
# Global parameters
[global]
workgroup = TESTDOMAIN
server string = Samba Server
netbios name = smb-server01
hosts allow = 192.168.3. 127. 10.0.1.
interfaces = bge0, lo
bind interfaces only = Yes
# passwd backend
encrypt passwords = yes
passdb backend = ldapsam:ldap://smb-server01.testdomain.com/
enable privileges = yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n * passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
# Log options
log level = 1
log file = /var/log/samba34/%m
max log size = 50
syslog = 0
# Name resolution
name resolve order = wins bcast host
# misc
timeserver = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
use sendfile = yes
veto files = /*.eml/*.nws/*.{*}/
veto oplock files = /*.doc/*.xls/*.mdb/
deadtime = 120
# Dos-Attribute
map hidden = No
map system = No
map archive = No
map read only = No
store dos attributes = Yes
# printers - configured to use CUPS and automatically load them
load printers = Yes
printcap name = CUPS
printing = cups
cups options = Raw
show add printer wizard = No
# scripts invoked by samba
add user script = /usr/local/sbin/smbldap-useradd -m %u
delete user script = /usr/local/sbin/smbldap-userdel %u
add group script = /usr/local/sbin/smbldap-groupadd -p %g
delete group script = /usr/local/sbin/smbldap-groupdel %g
add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u
add machine script = /usr/local/sbin/smbldap-useradd -w %m
# LDAP-Configuration
ldap delete dn = Yes
ldap ssl = off
ldap passwd sync = Yes
ldap suffix = dc=testdomain,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=testdomain,dc=com
idmap backend = ldap:ldap://smb-server01.testdomain.com
idmap uid = 10000-20000
idmap gid = 10000-20000
# logon options
logon script = logon.bat
logon path = \\%L\profiles\%u
# an empty logon path disables roaming profiles:
#logon path =
logon home = \\%L\%U
logon drive = H:
# setting up as domain controller
username map = /usr/local/var/samba/usermap
preferred master = Yes
wins support = Yes
domain logons = Yes
domain master = Yes
local master = Yes
os level = 64
map acl inherit = Yes
unix charset = UTF8
#== Share Definitions ==#
[netlogon]
comment = Network Logon Service
path = /usr/local/var/samba/netlogon
guest ok = yes
locking = no
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[Profiles]
comment = Network Profiles Service
path = /usr/local/var/samba/profiles
read only = No
profile acls = Yes
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
[printers]
comment = All Printers
path = /var/spool/samba
browseable = No
guest ok = Yes
printable = Yes
use client driver = Yes
default devmode = Yes
[print$]
comment = Printer Drivers
path = /usr/local/var/samba/printer-drivers
browseable = yes
guest ok = no
read only = yes
write list = root
[data]
comment = Data Directory
path = /usr/local/var/samba/data
write list = @testdomain
read only = No
create mask = 0777
directory mask = 0777
Create the following directories: netlogon, profiles, printer-drivers and the data share, and give them proper permissions.
Code:
# mkdir /usr/local/var/samba/netlogon
# mkdir /usr/local/var/samba/profiles
# mkdir /usr/local/var/samba/printer-drivers
# mkdir /usr/local/var/samba/data
# chmod 777 /usr/local/var/samba/profiles
Check the smb.conf file by running testparm.
Code:
# testparm /usr/local/etc/smb.conf
You should see the following without errors.
Code:
Load smb config files from /usr/local/etc/smb.conf
Processing section "[netlogon]"
Processing section "[homes]"
Processing section "[Profiles]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[data]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
If you get the following error:
Code:
Load smb config files from /usr/local/etc/smb.conf
max_open_files: sysctl_max (14745) below minimum Windows limit (16384)
rlimit_max: rlimit_max (14745) below minimum Windows limit (16384)
Edit your /boot/loader.conf file and add the following
Code:
# Samba 34
kern.maxfiles="20480"
We need to store the password of the LDAP admin DN in the secrets.tdb file of Samba.
First we stop the OpenLDAP server (also needed later, when we import the data).
Code:
/usr/local/etc/rc.d/slapd stop
Stopping slapd.
Waiting for PIDS: 49851.
#
# smbpasswd -w very-secure-password
Setting stored password for "cn=Manager,dc=testdomain,dc=com" in secrets.tdb
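smbpasswd -w does not check anything: it writes the password into secrets.tdb for whatever ldap admin dn smb.conf names, and Samba's bind only succeeds if that DN is also the rootdn in slapd.conf and both sit under the same suffix. The following Python script is an added check, not part of this howto, of Samba or of OpenLDAP: it parses the relevant lines of both files and reports mismatches, and also flags a cleartext rootpw and an ldap ssl = off bind to a non-loopback URL as points to confirm. The embedded excerpts are constructed from this howto's values, with a deliberate dc=domain typo in rootdn so the check has something to find.

```python
from typing import Dict, List

# Constructed excerpts of the two files (this howto's values); the rootdn
# carries a deliberate typo (dc=domain instead of dc=testdomain).
SLAPD_CONF = """\
suffix "dc=testdomain,dc=com"
rootdn "cn=Manager,dc=domain,dc=com"
rootpw {SSHA}2pCGrVMhMh3cC+LakUXApebb9jwICf5e
"""

SMB_CONF = """\
[global]
passdb backend = ldapsam:ldap://smb-server01.testdomain.com/
ldap ssl = off
ldap suffix = dc=testdomain,dc=com
ldap admin dn = cn=Manager,dc=testdomain,dc=com
"""


def parse_slapd(text: str) -> Dict[str, str]:
    """slapd.conf: 'directive value' separated by whitespace; values may be quoted.
    Repeated directives (include, index) keep the last one, which is fine here."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            out[parts[0].lower()] = parts[1].strip().strip('"')
    return out


def parse_smb_global(text: str) -> Dict[str, str]:
    """smb.conf [global] only: 'key = value'; keys are case-insensitive and
    Samba ignores internal whitespace, so 'ldap  ssl' and 'ldap ssl' collapse."""
    out: Dict[str, str] = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            out[" ".join(key.lower().split())] = value.strip()
    return out


def norm_dn(dn: str) -> str:
    """Attribute types in DNs are case-insensitive; strip spaces around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def check_consistency(slapd_text: str, smb_text: str) -> List[str]:
    """Return a list of problems; an empty list means the DNs agree."""
    slapd = parse_slapd(slapd_text)
    smb = parse_smb_global(smb_text)
    suffix = norm_dn(slapd.get("suffix", ""))
    rootdn = norm_dn(slapd.get("rootdn", ""))
    admin_dn = norm_dn(smb.get("ldap admin dn", ""))
    problems: List[str] = []
    if not (rootdn == suffix or rootdn.endswith("," + suffix)):
        problems.append(f"rootdn {rootdn!r} is not under suffix {suffix!r}")
    if rootdn != admin_dn:
        problems.append(f"smb.conf ldap admin dn {admin_dn!r} != rootdn {rootdn!r}")
    if norm_dn(smb.get("ldap suffix", "")) != suffix:
        problems.append("smb.conf ldap suffix differs from slapd suffix")
    if not slapd.get("rootpw", "").startswith("{"):
        problems.append("rootpw is stored in cleartext; use the slappasswd hash")
    url = smb.get("passdb backend", "")
    loopback = any(s in url for s in ("ldapi://", "127.0.0.1", "localhost"))
    if smb.get("ldap ssl", "").lower() == "off" and not loopback:
        problems.append("ldap ssl = off with a non-loopback passdb URL: admin bind is unencrypted")
    return problems


if __name__ == "__main__":
    for problem in check_consistency(SLAPD_CONF, SMB_CONF):
        print("PROBLEM:", problem)
```

Run it against your real files by reading them into the two strings; the ldap ssl finding is only informational when the URL resolves to the PDC itself, as it does in this howto.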
Make sure samba can start and will restart after a reboot
Add the following to your /etc/rc.conf file
Code:
#enable Samba
nmbd_enable="YES"
smbd_enable="YES"
winbindd_enable="YES"
cupsd_enable="YES"
Now we start samba
Code:
# /usr/local/etc/rc.d/samba start
Removing stale Samba tdb files: ....... done
Starting nmbd.
Starting smbd.
Starting winbindd.
Test if samba has started.
Code:
# ps -ax | grep mdb
1093 ?? Ss 0:00.03 /usr/local/sbin/nmbd -D -s /usr/local/etc/smb.conf
1095 ?? I 0:00.00 /usr/local/sbin/nmbd -D -s /usr/local/etc/smb.conf
1100 ?? Ss 0:00.01 /usr/local/sbin/smbd -D -s /usr/local/etc/smb.conf
To make sure samba starts after the LDAP server, we need to edit the startup script of samba.
So we put slapd after cupsd on the second line starting with # REQUIRE:
Code:
# vi /usr/local/etc/rc.d/samba
# PROVIDE: nmbd smbd
# PROVIDE: winbindd
# REQUIRE: NETWORKING SERVERS DAEMON ldconfig resolv
# REQUIRE: cupsd slapd
# BEFORE: LOGIN
# KEYWORD: shutdown
smbldap-tools
Now we need to configure smbldap-tools.
First we need to grab the SID of the server.
Code:
net getlocalsid
SID for domain SMB-SERVER01 is: S-1-5-21-663278506-2669211824-1328585615
Now we are going to edit the file /usr/local/etc/smbldap-tools/smbldap.conf
Code:
# $Source: $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose :
# . be the configuration file for all smbldap-tools scripts
#########################
#
# General Configuration
#
#########################
# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-663278506-2669211824-1328585615"
# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="TESTDOMAIN"
#########################
#
# LDAP Configuration
#
#########################
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)
# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="127.0.0.1"
# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"
# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="192.168.3.10"
# Master LDAP port
# If not defined, parameter is set to "389"
#masterPort="389"
masterPort="389"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "0"
ldapTLS="0"
# Use SSL for LDAP
# If set to 1, this option will use SSL for connection
# (standard port for ldaps is 636)
# If not defined, parameter is set to "0"
ldapSSL="0"
# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="none"
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
#cafile="/etc/smbldap-tools/ca.pem"
# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientcert="/etc/smbldap-tools/smbldap-tools.iallanis.info.pem"
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientkey="/etc/smbldap-tools/smbldap-tools.iallanis.info.key"
# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=testdomain,dc=com"
# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=People,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"
# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"
# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Default scope Used
scope="sub"
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format=""
##############################
#
# Unix Accounts Configuration
#
##############################
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/usr/local/bin/bash"
# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
# Default mode used for user homeDirectory
userHomeDirectoryMode="700"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="10000"
#######################
#
# SAMBA Configuration
#
#######################
# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\smb-server01\%U"
# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\smb-server01\profiles\%U"
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="testdomain.com"
################################
#
# SMBLDAP-TOOLS Configuration
# (default are ok for a RedHat)
#
################################
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/local/bin/smbpasswd"
# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/local/sbin/slappasswd"
# comment out the following line to get rid of the default banner
# no_banner="1"
Also edit the /usr/local/etc/smbldap-tools/smbldap_bind.conf file:
Code:
############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
masterDN="cn=Manager,dc=testdomain,dc=com"
masterPw="very-secure-password"
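The two files above together decide how the directory manager credential is handled: smbldap_bind.conf carries masterPw in clear text, and smbldap.conf decides whether the tools send that bind over plain LDAP (ldapTLS/ldapSSL), whether a TLS server certificate is checked (verify), and how userPassword is hashed (hash_encrypt). The script below is an added example, not part of this howto and not part of smbldap-tools; it reads both files and reports the settings a defender would want fixed. It assumes the /usr/local/etc/smbldap-tools layout used here and the root-only 0600 mode that smbldap_bind.conf needs because of masterPw. It is plain POSIX sh, so it runs with FreeBSD's /bin/sh.

```sh
#!/bin/sh
# Added example, not from the howto: audit the smbldap-tools configuration.
# smbldap_bind.conf holds masterPw (the LDAP manager password) in clear text,
# so the file mode and the transport the tools use to send that bind matter.
# Paths follow this howto; every check takes the file as an argument.

# conf_get FILE KEY -> value of the last uncommented KEY="value" line (empty if unset)
conf_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# is_loopback HOST -> true when the LDAP server is reached over loopback only
is_loopback() {
    case "$1" in
        127.*|::1|localhost|"") return 0 ;;
        *) return 1 ;;
    esac
}

# audit_smbldap_conf FILE -> prints one finding per line; exit status = number of findings
audit_smbldap_conf() {
    conf=$1
    n=0
    tls=$(conf_get "$conf" ldapTLS)
    ssl=$(conf_get "$conf" ldapSSL)
    if [ "${tls:-0}" = 0 ] && [ "${ssl:-0}" = 0 ]; then
        # Simple bind with masterPw in clear: acceptable on loopback, not across the LAN
        for role in masterLDAP slaveLDAP; do
            host=$(conf_get "$conf" "$role")
            if ! is_loopback "$host"; then
                echo "$role=$host with ldapTLS=0/ldapSSL=0: masterPw is sent unencrypted"
                n=$((n + 1))
            fi
        done
    elif [ "$(conf_get "$conf" verify)" != require ]; then
        echo "TLS enabled but verify is not 'require': server certificate is not checked"
        n=$((n + 1))
    fi
    case "$(conf_get "$conf" hash_encrypt)" in
        CLEARTEXT) echo "hash_encrypt=CLEARTEXT: userPassword stored unhashed"; n=$((n + 1)) ;;
    esac
    return $n
}

# file_mode FILE -> octal permission bits (GNU stat first, BSD stat as fallback)
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# audit_bind_conf FILE -> 0 if the file is mode 0600, else a finding and exit status 1
audit_bind_conf() {
    mode=$(file_mode "$1")
    if [ "$mode" != 600 ]; then
        echo "$1 is mode $mode but contains masterPw in clear; run: chmod 600 $1"
        return 1
    fi
    return 0
}

# smbldap_tools_audit [CONFDIR] -> run both audits; exit status = total findings
smbldap_tools_audit() {
    dir=${1:-/usr/local/etc/smbldap-tools}
    total=0
    audit_smbldap_conf "$dir/smbldap.conf" || total=$((total + $?))
    audit_bind_conf "$dir/smbldap_bind.conf" || total=$((total + $?))
    return $total
}

# Run on the live installation:  sh smbldap-audit.sh /usr/local/etc/smbldap-tools
if [ -n "$1" ]; then
    smbldap_tools_audit "$1"
fi
```

Run it as root (the bind file is not readable by anyone else). With the values in this howto it reports one finding: masterLDAP is 192.168.3.10 with ldapTLS=0, so the tools send the manager password as an unencrypted simple bind, which is harmless only as long as that address is the PDC itself; pointing masterLDAP at 127.0.0.1 (the PDC runs its own slapd) or enabling ldapTLS with verify=require and a cafile clears it. The mode check only looks at the permission bits; the file should also be owned by root.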
Now we start the ldap server again:
Code:
# /usr/local/etc/rc.d/slapd start
And we populate the database:
Code:
# smbldap-populate -u 10000 -g 10000 -r 10000
Populating LDAP directory for domain TESTDOMAIN (S-1-5-21-663278506-2669211824-1328585615)
(using builtin directory structure)
adding new entry: dc=testdomain,dc=com
adding new entry: ou=People,dc=testdomain,dc=com
adding new entry: ou=Groups,dc=testdomain,dc=com
adding new entry: ou=Computers,dc=testdomain,dc=com
adding new entry: ou=Idmap,dc=testdomain,dc=com
adding new entry: uid=root,ou=People,dc=testdomain,dc=com
adding new entry: uid=nobody,ou=People,dc=testdomain,dc=com
adding new entry: cn=Domain Admins,ou=Groups,dc=testdomain,dc=com
adding new entry: cn=Domain Users,ou=Groups,dc=testdomain,dc=com
adding new entry: cn=Domain Guests,ou=Groups,dc=testdomain,dc=com
adding new entry: cn=Domain Computers,ou=Groups,dc=testdomain,dc=com
adding new entry: cn=Administrators,ou=Groups,dc=testdomain,dc=com
adding new entry: cn=Account Operators,ou=Groups,dc=testdomain,dc=com
adding new entry: cn=Print Operators,ou=Groups,dc=testdomain,dc=com
adding new entry: cn=Backup Operators,ou=Groups,dc=testdomain,dc=com
adding new entry: cn=Replicators,ou=Groups,dc=testdomain,dc=com
adding new entry: sambaDomainName=TESTDOMAIN,dc=testdomain,dc=com
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
The password can be any password and does not have to be the LDAP password (very-secure-password). It is the root (administrator) password for Samba. Now we need to configure winbind:
Code:
# net rpc join -S smb-server01 -Uroot
Enter root's password:
Joined domain TESTDOMAIN.
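Two things are worth confirming between the populate run and the join, before any Windows client is pointed at the server: that the SID smbldap-populate wrote into sambaDomainName=TESTDOMAIN is the one Samba reports with net getlocalsid (the SID= line in smbldap.conf must come from that command, and a mismatch shows up later as logons that fail for no visible reason), and that the populate run created every container and well-known group instead of stopping partway. The script below is an added example, not part of this howto or of smbldap-tools; it runs both checks on the transcript smbldap-populate prints, and the DN check also accepts the "dn:" lines of an ldapsearch listing. The net getlocalsid output format it parses ("SID for domain ... is: S-...") is an assumption. Plain POSIX sh, as everything else in this howto.

```sh
#!/bin/sh
# Added example, not from the howto: verify the result of smbldap-populate.
# The checks work on a list of DNs, so they accept either the transcript
# smbldap-populate prints ("adding new entry: ...") or the output of
# "ldapsearch -x -b dc=testdomain,dc=com dn" run against the live directory.

# dn_list < text -> one bare DN per line (populate transcript or LDIF "dn:" lines)
dn_list() {
    sed -n -e 's/^dn: //p' -e 's/^adding new entry: //p'
}

# populate_sid < transcript -> the SID smbldap-populate announced (empty if absent)
populate_sid() {
    sed -n 's/^Populating LDAP directory for domain [^ ]* (\(S-[0-9-]*\)).*/\1/p'
}

# required_dns SUFFIX DOMAIN -> the entries a complete populate run creates
required_dns() {
    s=$1
    printf '%s\n' "$s" \
        "ou=People,$s" "ou=Groups,$s" "ou=Computers,$s" "ou=Idmap,$s" \
        "uid=root,ou=People,$s" \
        "cn=Domain Admins,ou=Groups,$s" "cn=Domain Users,ou=Groups,$s" \
        "cn=Domain Guests,ou=Groups,$s" "cn=Domain Computers,ou=Groups,$s" \
        "sambaDomainName=$2,$s"
}

# missing_dns SUFFIX DOMAIN < dnlist -> prints each required DN that is absent;
# exit status = number missing. DN comparison is case-insensitive, as in LDAP.
missing_dns() {
    have=$(dn_list)
    miss=0
    while IFS= read -r dn; do
        if ! printf '%s\n' "$have" | grep -qixF -e "$dn"; then
            echo "missing: $dn"
            miss=$((miss + 1))
        fi
    done <<EOF
$(required_dns "$1" "$2")
EOF
    return $miss
}

# verify_populate FILE SUFFIX DOMAIN EXPECTED_SID -> findings on stdout,
# exit status = number of findings (0 means the directory matches Samba)
verify_populate() {
    file=$1 suffix=$2 domain=$3 expected_sid=$4
    n=0
    got=$(populate_sid < "$file")
    if [ "$got" != "$expected_sid" ]; then
        echo "SID mismatch: directory announces '${got:-none}', Samba uses '$expected_sid'"
        n=$((n + 1))
    fi
    missing_dns "$suffix" "$domain" < "$file" || n=$((n + $?))
    return $n
}

# Live use on the PDC from this howto. The SID comes from "net getlocalsid",
# which is also where the SID= line of smbldap.conf must come from:
#   smbldap-populate -u 10000 -g 10000 -r 10000 | tee /tmp/populate.log
#   sid=$(net getlocalsid | sed -n 's/.* is: //p')
#   verify_populate /tmp/populate.log dc=testdomain,dc=com TESTDOMAIN "$sid"
```

A non-zero exit status lists what is wrong; a SID mismatch means smbldap.conf's SID= was not taken from net getlocalsid on this server, and the fix is to correct it and repopulate rather than to patch entries by hand. After the net rpc join above, the usual check that winbind stored the trust secret is wbinfo -t.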
For the administration of the server you can use USERMGR.exe from Microsoft. That is it!