This document is obsolete; see http://doc.nethence.com/ instead.
Samba/LDAP configuration (RHEL5)
updated 02/03/2011
http://pbraun.nethence.com/doc/net/samba-ldap.html
http://pbraun.nethence.com/doc/www/phpldapadmin.html
Introduction
A straightforward tutorial to configure Samba/LDAP as a Primary Domain Controller / Directory on RHEL5.
Requirements
Make sure you've got these RHEL packages installed,
rpm -q \
openldap \
openldap-clients \
openldap-servers \
nss_ldap \
samba \
samba-client \
perl-DBI \
perl-Convert-ASN1 \
perl-XML-NamespaceSupport \
perl-XML-SAX \
perl-Net-SSLeay \
perl-IO-Socket-SSL \
perl-LDAP \
perl-Digest-SHA1
Note. the "nss_ldap" package provides the PAM/LDAP library,
ls -l /lib/security/pam_ldap.so
Plus these few from EPEL (http://fedoraproject.org/wiki/EPEL),
mkdir epelsmbldap/
cd epelsmbldap/
wget http://download.fedora.redhat.com/pub/epel/5/i386/perl-Crypt-SmbHash-0.12-6.el5.noarch.rpm
wget http://download.fedora.redhat.com/pub/epel/5/i386/perl-Digest-MD4-1.5-4.el5.i386.rpm
wget http://download.fedora.redhat.com/pub/epel/5/i386/perl-Jcode-2.06-6.el5.noarch.rpm
wget http://download.fedora.redhat.com/pub/epel/5/i386/perl-Unicode-Map-0.112-12.el5.i386.rpm
wget http://download.fedora.redhat.com/pub/epel/5/i386/perl-Unicode-Map8-0.12-15.el5.i386.rpm
wget http://download.fedora.redhat.com/pub/epel/5/i386/perl-Unicode-MapUTF8-1.11-7.el5.noarch.rpm
wget http://download.fedora.redhat.com/pub/epel/5/i386/perl-Unicode-String-2.09-7.el5.i386.rpm
rpm -ivh *.rpm
cd ../
rpm -q \
perl-Crypt-SmbHash \
perl-Digest-MD4 \
perl-Jcode \
perl-Unicode-Map \
perl-Unicode-Map8 \
perl-Unicode-MapUTF8 \
perl-Unicode-String
Network settings
Configure at least local static lookups,
vi /etc/hosts
e.g.,
127.0.0.1 localhost
SERVER_IP lusers.example.net lusers
OpenLDAP server
Add that schema,
cd /etc/openldap/schema/
#cp /usr/share/doc/samba-3.0.25b/LDAP/samba.schema ./
cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema ./
Configure the daemon,
cd /etc/openldap/
slappasswd
# (copy/paste the SSHA password into the following configuration)
mv slapd.conf slapd.conf.dist
cat > slapd.conf <<EOF9
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
suffix "dc=lusers,dc=example,dc=net"
rootdn "cn=admin,dc=lusers,dc=example,dc=net"
rootpw {SSHA}PASTE_HERE
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
EOF9
Note. it's also possible to use an ldap password in clear text
Note. no need to force the hash type with password-hash
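What slappasswd pastes into rootpw is a salted SHA-1 in OpenLDAP's {SSHA} encoding. The following Python is an added example, not part of this page: it rebuilds and verifies such a value, and reports whether a slapd.conf rootpw is hashed or in clear text. The SAMPLE_SLAPD_CONF fragment is constructed in the shape written above.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed slapd.conf fragment in the shape this page writes (not a real
# file): rootpw carries the {SSHA} value pasted from slappasswd.
SAMPLE_SLAPD_CONF = """\
database bdb
suffix "dc=lusers,dc=example,dc=net"
rootdn "cn=admin,dc=lusers,dc=example,dc=net"
rootpw {SSHA}PASTE_HERE
directory /var/lib/ldap
"""

def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP {SSHA} value: base64(sha1(password + salt) || salt).
    slappasswd picks a random 4-byte salt; a fixed salt is only for tests."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def check_ssha(stored: str, candidate: str) -> bool:
    """Verify a candidate password against a {SSHA} value. The SHA-1 digest is
    the first 20 bytes of the decoded blob; whatever follows is the salt."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, computed)

def rootpw_scheme(conf_text: str) -> str:
    """Hash scheme of the rootpw directive ('SSHA', 'CRYPT', ...), 'cleartext'
    when the value has no {SCHEME} prefix, or 'absent' when there is none."""
    for line in conf_text.splitlines():
        m = re.match(r'^\s*rootpw\s+"?([^"]+)"?\s*$', line)
        if m:
            s = re.match(r"^\{([A-Za-z0-9-]+)\}", m.group(1))
            return s.group(1) if s else "cleartext"
    return "absent"

if __name__ == "__main__":
    stored = make_ssha("constructed-secret")
    print(stored, check_ssha(stored, "constructed-secret"))
    print(rootpw_scheme(SAMPLE_SLAPD_CONF))
```

Verifying rootpw is slapd's own job; check_ssha only shows that the stored value cannot be turned back into the password, so the hash is as safe as the read permissions on slapd.conf. rootpw_scheme is the check to run before starting the daemon if you took the clear-text shortcut mentioned in the note above.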
Fix some database settings,
cd /var/lib/ldap/
cp /etc/openldap/DB_CONFIG.example DB_CONFIG
chown ldap:ldap DB_CONFIG
chmod 600 DB_CONFIG
OpenLDAP directory initialization
Start, check and stop the service,
cd ~/
service ldap start
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# (should return two lines)
service ldap stop
slapcat
# (should return empty)
Initialize the database,
cd /etc/openldap/
cat > init.ldif <<EOF9
dn: dc=lusers,dc=example,dc=net
objectclass: top
objectclass: organization
objectclass: dcObject
o: ORGANIZATION
dc: lusers
dn: cn=admin,dc=lusers,dc=example,dc=net
objectclass: organizationalRole
cn: admin
EOF9
slapadd -l init.ldif
chown -R ldap:ldap /var/lib/ldap/
chmod 600 /var/lib/ldap/*
slapcat
# (should return two paragraphs)
Note. the 'dc: lusers' attribute must match the 'dn: dc=lusers,...' entry.
Note. in case you need to try again, here's how to (brutally) clean it up,
#cd /var/lib/ldap/
#rm -rf *
#cp /etc/openldap/DB_CONFIG.example DB_CONFIG
#chown ldap:ldap DB_CONFIG
#chmod 600 DB_CONFIG
Start, enable and verify the ldap daemon,
service ldap start
chkconfig ldap on
ldapsearch -x -b "dc=lusers,dc=example,dc=net"
# (should return two entries)
Samba Primary Domain Controller
Extract smbldap-tools,
cd ~/
wget http://download.gna.org/smbldap-tools/packages/smbldap-tools-0.9.6.tar.gz
tar xzf smbldap-tools-0.9.6.tar.gz
Configure the samba daemons,
cd /etc/samba/
[[ ! -f smb.conf.dist ]] && mv smb.conf smb.conf.dist
sed -n '1,/^\[netlogon\]$/p;' ~/smbldap-tools-0.9.6/doc/smb.conf | grep -v '\[netlogon\]' > smb.conf.tmp
sed '
/^$/d;
/^#/d;
/^[[:space:]]*#/d;
s/DOMSMB/MYDOMAIN/g;
s|/opt/IDEALX/|/usr/local/|g;
s/cn=Manager/cn=admin/g;
s/dc=idealx,dc=org/dc=lusers,dc=example,dc=net/g;
s/dc=company,dc=com/dc=lusers,dc=example,dc=net/g;
s/idealx.com/example.net/g;
s/PDC-SRV/LUSERS/g;
s/Samba Server %v/Samba\/LDAP on steroids/g
/min passwd length/d;
/printer admin/d;
' smb.conf.tmp > smb.conf && rm -f smb.conf.tmp
#s/IDEALX-NT/EXAMPLE/g;
#' /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smb.conf > smb.conf
cat >> smb.conf <<EOF9
[homes]
comment = Home Directories
browseable = no
writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S
EOF9
Note. this drops the netlogon, shares and printers sections; if you keep them, make sure those paths are really available.
Samba needs to know the ldap admin user password (not the domain/ldap root user, which gets populated later on),
smbpasswd -w LDAP_PASSWORD
Start and enable the samba daemons,
testparm
service smb restart
chkconfig smb on
Check everything's fine,
tail -F /var/log/messages &
tail -F /var/log/samba/* &
#echo 'screen -t "smb" 0 tail -F /var/log/samba/nmbd.log /var/log/samba/smbd.log' >> ~/.screenrc
service smb status
Smbldap-tools connector
If needed, fetch the latest smbldap-tools (http://download.gna.org/smbldap-tools/packages/) and deploy them,
cd /usr/local/sbin/
#cp /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap-* ./
#cp /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap_tools.pm ./
cp ~/smbldap-tools-0.9.6/smbldap-* ./
cp ~/smbldap-tools-0.9.6/smbldap_tools.pm ./
chmod +x smbldap*
Configure the connector (without TLS in this example),
mkdir -p /etc/smbldap-tools/
cd /etc/smbldap-tools/
sed '
/^$/d;
/^#/d;
/^[[:space:]]*#/d;
s/DOMSMB/MYDOMAIN/g;
s|/opt/IDEALX/|/usr/local/|g;
s/cn=Manager/cn=admin/g;
s/dc=idealx,dc=org/dc=lusers,dc=example,dc=net/g;
s/dc=company,dc=com/dc=lusers,dc=example,dc=net/g;
s/idealx.com/example.net/g;
s/PDC-SRV/LUSERS/g;
s/dc=iallanis,dc=info/dc=lusers,dc=example,dc=net/g;
s/ldap.iallanis.info/127.0.0.1/g;
s/iallanis.info/example.net/g;
s/ldapTLS="1"/ldapTLS="0"/;
/cafile/d;
/clientcert/d;
/clientkey/d;
' ~/smbldap-tools-0.9.6/smbldap.conf > smbldap.conf
#' /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/smbldap.conf > smbldap.conf
Find out and fix the domain controller SID in that config,
net getlocalsid
vi smbldap.conf
change,
SID=SID_HERE
Configure the access information,
cd /etc/smbldap-tools/
cat > smbldap_bind.conf <<EOF9
masterDN="cn=admin,dc=lusers,dc=example,dc=net"
masterPw="LDAP_PASSWORD"
EOF9
Fix file permissions,
cd /etc/smbldap-tools/
chmod 644 smbldap.conf
chmod 600 smbldap_bind.conf
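Before going further it is worth checking what the sed pass and the manual SID edit left in /etc/smbldap-tools/. The Python below is an added example, not part of this page nor of smbldap-tools: it parses the key="value" files and flags a SID still set to the placeholder, a masterPw still at its placeholder, ldapTLS="0" against a non-loopback server (the page avoids that by pointing at 127.0.0.1), and a bind file readable by others. Both config samples, the SID value included, are constructed.

```python
import os
import re
import stat
import tempfile

# Constructed sample with the keys this page rewrites in smbldap.conf 0.9.6.
SAMPLE_SMBLDAP_CONF = '''\
# constructed sample, not a generated file
SID="S-1-5-21-3623811015-3361044348-30300820"
sambaDomain="MYDOMAIN"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
suffix="dc=lusers,dc=example,dc=net"
'''

# Constructed sample of smbldap_bind.conf as written above, placeholder included.
SAMPLE_BIND_CONF = '''\
masterDN="cn=admin,dc=lusers,dc=example,dc=net"
masterPw="LDAP_PASSWORD"
'''

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

def parse_kv(text):
    """Parse key="value" (or key=value) lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip().strip('"')
    return conf

def audit(conf_text, bind_text, bind_mode):
    """Return a list of findings for the two config files as this page writes
    them. bind_mode is the permission bits of smbldap_bind.conf (see below)."""
    conf, bind = parse_kv(conf_text), parse_kv(bind_text)
    findings = []
    if not SID_RE.match(conf.get("SID", "")):
        findings.append("SID is not a domain SID (still SID_HERE? run net getlocalsid)")
    if conf.get("ldapTLS", "0") == "0":
        remote = {conf.get("masterLDAP", ""), conf.get("slaveLDAP", "")} - LOOPBACK
        if remote:
            findings.append("ldapTLS=0 with non-loopback server(s) %s: the bind "
                            "password crosses the network in clear" % sorted(remote))
    if bind.get("masterPw", "") in ("", "LDAP_PASSWORD"):
        findings.append("masterPw is empty or still the placeholder")
    if bind_mode & 0o077:
        findings.append("smbldap_bind.conf is mode %o, should be 0600" % bind_mode)
    return findings

def bind_file_mode(path):
    """Permission bits of a file on disk, in the form audit() expects."""
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    """Write the samples to a temp dir with the page's permissions and audit them."""
    with tempfile.TemporaryDirectory() as d:
        bind_path = os.path.join(d, "smbldap_bind.conf")
        with open(bind_path, "w") as f:
            f.write(SAMPLE_BIND_CONF.replace("LDAP_PASSWORD", "constructed-secret"))
        os.chmod(bind_path, 0o600)
        with open(bind_path) as f:
            return audit(SAMPLE_SMBLDAP_CONF, f.read(), bind_file_mode(bind_path))

if __name__ == "__main__":
    print(demo())  # empty list when everything is as the page prescribes
```

Against the real files, call audit() with the contents of /etc/smbldap-tools/smbldap.conf and smbldap_bind.conf and bind_file_mode() of the latter; an empty list means the SID was replaced, the bind password is set and only root can read it.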
LDAP user mapping
Local user mapping against the LDAP is mandatory as Samba needs UNIX users too.
Configure the LDAP-UNIX user mapping,
authconfig-tui
enable,
user information: use ldap (/etc/nsswitch.conf)
authentication: use ldap authentication
authentication: local authorization is sufficient
ldap settings,
server: ldap://127.0.0.1/
base dn: dc=lusers,dc=example,dc=net
Note. these files (at least) get altered,
#/etc/nsswitch.conf
#/etc/pam.d/system-auth-ac
#/etc/ldap.conf
#/etc/openldap/ldap.conf
LDAP tree for smbldap-tools
Populate the LDAP tree (groups and two users: nobody and root),
smbldap-populate
and provide a DOMAIN_ROOT_PASSWORD (netbios domain administrator).
Check for new groups,
net groupmap list
Check the samba service with the newly created domain/ldap root user,
smbclient -L 127.0.0.1
(DOMAIN_ROOT_PASSWORD)
Ready to go
Create an ldap user for the machine you want to join the domain with,
smbldap-useradd -W windows-host$
Note. the trailing '$' is required for the 'Computer' group.
You should now be able to join the "MYDOMAIN" domain from that Windows box with these credentials:
Login : root
Password : DOMAIN_ROOT_PASSWORD
Troubleshooting
If you get this error message in the samba logs,
fetch_ldap_pw: neither ldap secret retrieved!
it's simply because 'secrets.tdb' is missing. Provide samba with the admin ldap user password (smbpasswd -w LDAP_PASSWORD), not the domain/ldap root one.
If you get this error message when trying to join the domain (French Windows XP here; it means the user name could not be found),
le nom d'utilisateur est introuvable
make sure the machine/user has been created first (smbldap-useradd -W).
If you get this error message when trying to join the domain (French Windows XP here; it means the network path was not found),
le chemin réseau n'a pas été trouvé
make sure the samba daemons are up and running (check with smbclient -L 127.0.0.1).
Usage
Create a group,
smbldap-groupadd -a GROUPNAME
Create a user,
smbldap-useradd -a -g GROUPNAME -G 'Domain Users' -m -s /bin/ksh -d /home/USERNAME -F '' -P USERNAME
Note. primary group 'GROUPNAME' and secondary group 'Domain Users'
Note. other possible groups : "Administrators" and "Domain Admins"
Check in the LDAP repository for USERNAME's primary group,
dn: uid=USERNAME,ou=Users,dc=lusers,dc=example,dc=net
...
gidNumber: GID_NUMBER
and secondary groups (primary group is also referenced as secondary group in the LDAP repo),
dn: cn=GROUPNAME,ou=Groups,dc=lusers,dc=example,dc=net
...
memberUid: USERNAME
also,
dn: cn=Domain Users,ou=Groups,dc=lusers,dc=example,dc=net
...
memberUid: USERNAME
Check,
#net groupmap list
getent group | grep GROUPNAME
getent passwd | grep USERNAME
smbldap-usershow USERNAME
smbclient -U USERNAME -L 127.0.0.1
# (you can also try to connect with ssh as long as /etc/nsswitch.conf passwd shadow and group points to ldap too)
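The gidNumber/memberUid checks described above can be run over a slapcat or ldapsearch -LLL dump instead of reading it by eye. The Python below is an added example, not the page's nor smbldap-tools' code: a minimal LDIF parser and a report of a user's primary and secondary groups, flagging the three conditions the page says must hold. SAMPLE_LDIF is constructed, with user jdoe and primary group staff standing in for USERNAME and GROUPNAME.

```python
from collections import defaultdict

# Constructed LDIF dump (not from a real directory), in the shape slapcat or
# 'ldapsearch -x -LLL' print: the user jdoe, its primary group staff (gidNumber
# 1001) and the 'Domain Users' group that smbldap-populate creates.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=Users,dc=lusers,dc=example,dc=net
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: jdoe
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/jdoe
loginShell: /bin/ksh

dn: cn=staff,ou=Groups,dc=lusers,dc=example,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: staff
gidNumber: 1001
memberUid: jdoe

dn: cn=Domain Users,ou=Groups,dc=lusers,dc=example,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
memberUid: jdoe
memberUid: nobody
"""

def parse_ldif(text):
    """Parse an LDIF dump into a list of {attribute: [values]} dicts.
    Attribute names are lower-cased; folded lines (leading space) are joined;
    base64 ('::') values are left as-is since the attributes here are ASCII."""
    entries, current, last = [], None, None
    for line in text.splitlines():
        if not line.strip():
            if current is not None:
                entries.append(current)
            current, last = None, None
        elif line.startswith(" ") and current is not None and last:
            current[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            if current is None:
                current = defaultdict(list)
            last = attr.strip().lower()
            current[last].append(value.strip())
    if current is not None:
        entries.append(current)
    return entries

def has_class(entry, name):
    """Case-insensitive objectClass test."""
    return name.lower() in (v.lower() for v in entry.get("objectclass", []))

def group_report(entries, username):
    """Return (primary group cn, sorted secondary group cns, problems):
    the primary group must exist for the user's gidNumber, it must also list
    the user in memberUid, and so must 'Domain Users'."""
    users = [e for e in entries
             if has_class(e, "posixAccount") and username in e.get("uid", [])]
    if not users:
        return None, [], ["user %s not found" % username]
    gid = users[0].get("gidnumber", [None])[0]
    groups = [e for e in entries if has_class(e, "posixGroup")]
    problems = []
    primary = next((g for g in groups if g.get("gidnumber", [None])[0] == gid), None)
    primary_cn = primary["cn"][0] if primary else None
    if primary is None:
        problems.append("no posixGroup carries gidNumber %s" % gid)
    elif username not in primary.get("memberuid", []):
        problems.append("primary group %s lacks memberUid: %s" % (primary_cn, username))
    secondary = sorted(g["cn"][0] for g in groups if username in g.get("memberuid", []))
    if "Domain Users" not in secondary:
        problems.append("%s is not a memberUid of 'Domain Users'" % username)
    return primary_cn, secondary, problems

if __name__ == "__main__":
    print(group_report(parse_ldif(SAMPLE_LDIF), "jdoe"))
```

On the live server, feed it the output of slapcat (or of ldapsearch -x -LLL -b "dc=lusers,dc=example,dc=net") and the USERNAME you just created; an empty problems list is what the getent and smbclient checks above rely on.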
Maintenance
Restart the whole thing,
service smb stop
service ldap restart
service smb start
References
smbldap-tools documentation : /usr/share/doc/samba-3.0.25b/LDAP/smbldap-tools-0.9.2/INSTALL
Samba (v.3) PDC LDAP howto : http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html
Redhat knowledge base : http://kbase.redhat.com/faq/
http://wiki.samba.org/index.php/Samba_&_LDAP
http://damstux.free.fr/wiki/index.php?title=PDC_Samba_LDAP
Additional links
Official guide : http://us3.samba.org/samba/docs/man/Samba-Guide/happy.html
Simple PDC : http://www.oregontechsupport.com/samba/samba-pdc.php
Ldap scripts alternative : http://ldapscripts.sourceforge.net/
+ http://contribs.martymac.com/sambaConfig/smb.conf
+ http://contribs.martymac.com/sambaConfig/base.ldif
Another alternative : http://sourceforge.net/projects/smb-scripts/
Fedora Directory : http://fdstools.wiki.sourceforge.net/
(FR) Guide on debian : http://www.coagul.org/spip.php?article625
(FR) Yet another debian guide : http://damstux.free.fr/wiki/index.php?title=PDC_Samba_et_LDAP