Samba Primary Domain Controller with LDAP How TO a replacement to Windows2003 / 2008 Active Directory Services



Samba Primary Domain Controller with LDAP How-To. Written by: Muhammad Farrukh Siddique (LPIC)

Scenario: We are going to configure a Linux-based Primary Domain Controller using Samba, which will authenticate the domain users through LDAP.

Domain Name : OSFP.org.pk

Hostname               IP Address       Operating System
dns.OSFP.org.pk        192.168.1.253    RedHat-5
ldap.OSFP.org.pk       192.168.1.140    CentOS-5.3
client1.OSFP.org.pk    192.168.1.145    Windows XP Service Pack 2
client2.OSFP.org.pk    192.168.1.150    Windows XP Service Pack 2

The default gateway of all the servers is 192.168.1.1, which is the IP of the DSL router used for Internet access.

Required packages (with version numbers):

1) DNS packages:
bind 9.3 or higher
bind-chroot 9.3 or higher
bind-utils 9.3 or higher
bind-libs 9.3 or higher

2) OpenLDAP packages:
openldap 2.3 or higher
openldap-clients 2.3 or higher
openldap-devel 2.3 or higher
compat-openldap 2.3 or higher
python-ldap 2.2 or higher
ldapjdk 4.18 or higher
php-ldap 5.1 or higher
nss_ldap 253-17

3) Samba packages:
samba 3.0 or higher
samba-common 3.0 or higher
samba-client 3.0 or higher

4) samba-ldap tools:
perl-Crypt-SmbHash 0.12-1.2.el5
perl-Digest-SHA1 2.11-1.2.1
perl-Jcode 2.06-1.el5
perl-Unicode-Map 0.112-1.el5
perl-Unicode-Map8 0.12-1.el5
perl-Unicode-MapUTF8 1.11-1.2.el5
perl-Unicode-String 2.09-1.2.el5
smbldap-tools 0.9.2-1a

Note: for now we disable SELinux and the firewall (iptables) on each Linux machine; after the whole setup is complete and working, we will re-enable the firewall and open tcp 53 for DNS and tcp 389 for LDAP.
After installing all the packages, we will configure DNS, including the SRV records that let clients locate the LDAP server.

Let's check the network settings on the DNS server.

[root@dns /]# vim /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=dns

[root@dns /]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:0C:29:D4:54:7D
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=192.168.1.253
GATEWAY=192.168.1.1
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes

[root@dns /]# vim /etc/resolv.conf
nameserver 192.168.1.253
search OSFP.org.pk

[root@dns /]# /etc/init.d/network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
[root@dns /]#

DNS configuration:
[root@dns ~]# cd /var/named/chroot/etc/
[root@dns etc]# vim named.conf

options
{
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
};

zone "." IN {
type hint;
file "named.root";
};
zone "localhost" IN {
type master;
file "localhost.fwd";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "localhost.rev";
allow-update { none; };
};

zone "OSFP.org.pk" IN {
type master;
file "OSFP.org.pk.fwd";
allow-update { none; };
};

// reverse zone for the 192.168.1.0/24 network used in this scenario
zone "1.168.192.in-addr.arpa" IN {
type master;
file "OSFP.org.pk.rev";
allow-update { none; };
};
Now we will create the zone files.
[root@dns etc]# cd /var/named/chroot/var/named/
[root@dns named]# vim named.root

. 6D IN NS A.ROOT-SERVERS.NET.
. 6D IN NS B.ROOT-SERVERS.NET.
. 6D IN NS C.ROOT-SERVERS.NET.
. 6D IN NS D.ROOT-SERVERS.NET.
. 6D IN NS E.ROOT-SERVERS.NET.
. 6D IN NS F.ROOT-SERVERS.NET.
. 6D IN NS G.ROOT-SERVERS.NET.
. 6D IN NS H.ROOT-SERVERS.NET.
. 6D IN NS I.ROOT-SERVERS.NET.
. 6D IN NS J.ROOT-SERVERS.NET.
. 6D IN NS K.ROOT-SERVERS.NET.
. 6D IN NS L.ROOT-SERVERS.NET.
. 6D IN NS M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
B.ROOT-SERVERS.NET. 6D IN A 192.228.79.201
C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12
D.ROOT-SERVERS.NET. 6D IN A 128.8.10.90
E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10
F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241
G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4
H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53
I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17
J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30
K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129
L.ROOT-SERVERS.NET. 6D IN A 199.7.83.42
M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33
[root@dns named]# vim localhost.fwd
$ORIGIN localhost.
$TTL 86400
@ IN SOA dns.OSFP.org.pk. hostmaster.OSFP.org.pk. (
20090526 ; Serial number
3H ; Refresh (3 hours)
15M ; Retry (15 minutes)
1W ; Expire (1 week)
1D ) ; Minimum / negative-cache TTL (1 day)
@ IN NS dns.OSFP.org.pk.

localhost. IN A 127.0.0.1

[root@dns named]# vim localhost.rev

$ORIGIN 0.0.127.in-addr.arpa.
$TTL 86400
@ IN SOA dns.OSFP.org.pk. hostmaster.OSFP.org.pk. (
20090526 ; Serial number
3H ; Refresh (3 hours)
15M ; Retry (15 minutes)
1W ; Expire (1 week)
1D ) ; Minimum / negative-cache TTL (1 day)
@ IN NS dns.OSFP.org.pk.

1.0.0.127.in-addr.arpa. IN PTR localhost.
[root@dns named]# vim OSFP.org.pk.fwd
$ORIGIN OSFP.org.pk.
$TTL 86400
@ IN SOA dns.OSFP.org.pk. hostmaster.OSFP.org.pk. (
20090526 ; Serial number
3H ; Refresh (3 hours)
15M ; Retry (15 minutes)
1W ; Expire (1 week)
1D ) ; Minimum / negative-cache TTL (1 day)
@ IN NS dns.OSFP.org.pk.

dns.OSFP.org.pk. IN A 192.168.1.253
ldap.OSFP.org.pk. IN A 192.168.1.140
client1.OSFP.org.pk. IN A 192.168.1.145
client2.OSFP.org.pk. IN A 192.168.1.150

; SRV records that let domain members locate the LDAP server
_ldap._tcp.OSFP.org.pk. IN SRV 0 0 389 ldap.OSFP.org.pk.
_ldap._tcp.dc._msdcs.OSFP.org.pk. IN SRV 0 0 389 ldap.OSFP.org.pk.
[root@dns named]# vim OSFP.org.pk.rev

$ORIGIN 1.168.192.in-addr.arpa.
$TTL 86400
@ IN SOA dns.OSFP.org.pk. hostmaster.OSFP.org.pk. (
20090526 ; Serial number
3H ; Refresh (3 hours)
15M ; Retry (15 minutes)
1W ; Expire (1 week)
1D ) ; Minimum / negative-cache TTL (1 day)
@ IN NS dns.OSFP.org.pk.

253.1.168.192.in-addr.arpa. IN PTR dns.OSFP.org.pk.
140.1.168.192.in-addr.arpa. IN PTR ldap.OSFP.org.pk.
145.1.168.192.in-addr.arpa. IN PTR client1.OSFP.org.pk.
150.1.168.192.in-addr.arpa. IN PTR client2.OSFP.org.pk.
Now run the DNS daemon, i.e. named.

[root@dns named]# /etc/init.d/named start
Starting named: [ OK ]
[root@dns named]#

Make sure that the named service starts automatically at boot:

[root@dns named]# chkconfig --level 235 named on

Now we will test our newly configured DNS.

[root@dns named]# nslookup
> dns
Server: 192.168.1.253
Address: 192.168.1.253#53

Name: dns.OSFP.org.pk
Address: 192.168.1.253
> ldap
Server: 192.168.1.253
Address: 192.168.1.253#53

Name: ldap.OSFP.org.pk
Address: 192.168.1.140
> 192.168.1.253
Server: 192.168.1.253
Address: 192.168.1.253#53

135.3.168.192.in-addr.arpa name = dns.OSFP.org.pk.
> 192.168.1.140
Server: 192.168.1.253
Address: 192.168.1.253#53

140.3.168.192.in-addr.arpa name = ldap.OSFP.org.pk.
> exit

[root@dns named]#

Everything is fine Alhamdulillah

***********************************************

Let's configure the Primary Domain Controller.

First of all, check the network settings.

[root@ldap /]# vim /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=ldap.OSFP.org.pk

[root@ldap /]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:0C:29:0D:56:74
ONBOOT=yes
TYPE=Ethernet
NETMASK=255.255.255.0
IPADDR=192.168.1.140
GATEWAY=192.168.1.1
USERCTL=no
IPV6INIT=no
PEERDNS=yes

[root@ldap /]# vim /etc/resolv.conf
nameserver 192.168.1.253
search OSFP.org.pk

[root@ldap /]# hostname
ldap.OSFP.org.pk
[root@ldap /]#

Now restart the network service.

[root@ldap /]# /etc/init.d/network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
[root@ldap /]#
Download samba.schema and copy it into the /etc/openldap/schema directory,
then add the samba.schema include to the LDAP configuration file slapd.conf, together with the access controls, database and index settings shown below.

[root@ldap ~]# cd /etc/openldap/
[root@ldap openldap]# vim slapd.conf

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

loglevel -1

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

#######################################################################
# Access control. slapd uses the first "access to" directive whose
# target matches, and within it the first matching "by" clause, so
# the order of these rules matters.
#######################################################################

# Any user can authenticate and change their own password; the DSA
# service accounts (created later in dsa.ldif) may write the password
# attributes.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
    by dn="cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by dn="cn=smbtools,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by dn="cn=nssldap,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by self write
    by anonymous auth
    by * none

# Some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
    by dn="cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by dn="cn=smbtools,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by * read

# Some attributes can be written by the users themselves
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
    by dn="cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by dn="cn=smbtools,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by self write
    by * read

# Some attributes need to be writable for Samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
    by dn="cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by dn="cn=smbtools,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by self read
    by * none

# Samba needs to be able to create the samba domain account
access to dn.base="dc=oxfamnovibpk,dc=org"
    by dn="cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by dn="cn=smbtools,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by * none

# Samba needs to be able to create new user accounts
access to dn="ou=Users,dc=oxfamnovibpk,dc=org"
    by dn="cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by dn="cn=smbtools,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by * none

# Samba needs to be able to create new group accounts
access to dn="ou=Groups,dc=oxfamnovibpk,dc=org"
    by dn="cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by dn="cn=smbtools,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by * none

# Samba needs to be able to create new computer accounts
access to dn="ou=Computers,dc=oxfamnovibpk,dc=org"
    by dn="cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by dn="cn=smbtools,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by * none

# This can be omitted, but we leave it in because there could be other
# branches in the directory
access to *
    by self read
    by * none
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=oxfamnovibpk,dc=org"
rootdn "cn=Manager,dc=oxfamnovibpk,dc=org"

# The plain-text rootpw is kept here for the walkthrough; a hashed value
# generated with slappasswd (like the commented {crypt} example) is preferable.
rootpw secret
# rootpw {crypt}ijFYNcSNctBYg

directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
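slapd applies the first "access to" directive whose target matches and then the first matching "by" clause inside it, so the order of the rules above decides what each account can really do. The following added example (not part of this how-to) simulates that evaluation for attribute rules: the excerpt is constructed in the style of this page's slapd.conf, using this page's DNs, with a second password rule placed after a broader one to show how first-match shadows it.

```python
import re

# Constructed slapd.conf excerpt (not the page's file verbatim): the second
# attrs rule is deliberately placed after a broader one to show shadowing.
SLAPD_CONF = """
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none

access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
    by dn="cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by dn="cn=smbtools,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by self write
    by anonymous auth
    by * none

access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
    by dn="cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org" write
    by * read
"""

ACCESS_RE = re.compile(r'^access\s+to\s+attrs=(\S+)$')
BY_RE = re.compile(r'^by\s+(\S+)\s+(\w+)$')


def parse_attr_acls(text):
    """Return [(set_of_attrs, [(who, level), ...]), ...] in file order.
    Only the 'access to attrs=' form is modelled (an assumption of this
    example); dn-based rules would need their own matcher."""
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = ACCESS_RE.match(line)
        if m:
            acls.append((set(m.group(1).split(',')), []))
            continue
        m = BY_RE.match(line)
        if m and acls:
            acls[-1][1].append((m.group(1), m.group(2)))
    return acls


def who_matches(who, requester):
    """requester is 'anonymous', 'self' (the entry's own DN) or a bind DN."""
    if who == '*':
        return True
    if who in ('anonymous', 'self'):
        return requester == who
    if who == 'users':
        return requester != 'anonymous'
    if who.startswith('dn='):
        return requester.lower() == who[3:].strip('"').lower()
    return False


def effective_access(acls, attr, requester):
    """slapd semantics: the first directive whose attrs contain `attr`
    applies; within it the first matching `by` clause wins; if none of
    its `by` clauses match, access is denied. With no matching directive
    at all slapd falls back to its default, read."""
    for attrs, clauses in acls:
        if attr in attrs:
            for who, level in clauses:
                if who_matches(who, requester):
                    return level
            return 'none'
    return 'read'


def audit(acls, attrs, requesters):
    """Table of effective access per (attribute, requester) pair."""
    return {(a, r): effective_access(acls, a, r) for a in attrs for r in requesters}


if __name__ == '__main__':
    acls = parse_attr_acls(SLAPD_CONF)
    samba = 'cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org'
    table = audit(acls, ['sambaNTPassword', 'sambaPwdLastSet', 'uid'],
                  ['anonymous', 'self', samba])
    for (attr, who), level in sorted(table.items()):
        print(f'{attr:18} {who:45} -> {level}')
```

Run as a script it shows cn=samba getting "none" on sambaNTPassword (the first rule wins and has no clause for that DN) but "write" on sambaPwdLastSet, which only the second rule covers.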
Check the slapd.conf permissions, which must be mode 0640 and owned by root with group ldap, so that only slapd can read the rootpw:

[root@ldap openldap]# stat slapd.conf
File: `slapd.conf'
Size: 12234 Blocks: 24 IO Block: 4096 regular file
Device: 803h/2051d Inode: 817606 Links: 1
Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 55/ ldap)

[root@ldap openldap]#
[root@ldap openldap]# vim ldap.conf

#HOST 127.0.0.1
BASE dc=oxfamnovibpk,dc=org
URI ldap://127.0.0.1/
TLS_CACERTDIR /etc/openldap/cacerts

Now copy the example database configuration file from /etc/openldap to /var/lib/ldap:

[root@ldap openldap]# cp DB_CONFIG.example /var/lib/ldap/

Rename the DB file:

[root@ldap openldap]# cd /var/lib/ldap/
[root@ldap ldap]# mv DB_CONFIG.example DB_CONFIG
[root@ldap ldap]#

Start the LDAP server:

[root@ldap /]# /etc/init.d/ldap start
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
[root@ldap /]#

Now configure the LDAP server itself as an LDAP client through pam_ldap and nss_ldap; the name service cache daemon, nscd, will also be used.

[root@ldap /]# /etc/init.d/nscd start
Starting nscd: [ OK ]
[root@ldap /]#

[root@ldap /]# chkconfig --level 235 nscd on
[root@ldap /]#

[root@ldap /]# setup

Run Authentication Configuration.

Select:
Cache Information
Use LDAP
Use MD5 Passwords
Use Shadow Passwords
Use LDAP Authentication

Press the Next button.

Don't select the Use TLS option.
Server: ldap://127.0.0.1/
Base DN: dc=oxfamnovibpk,dc=org

Press OK and exit.

[root@ldap /]# vim /etc/ldap.conf

host 127.0.0.1

base dc=oxfamnovibpk,dc=org

rootbinddn cn=Manager,dc=oxfamnovibpk,dc=org

timelimit 120

bind_timelimit 120

idle_timelimit 3600

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

Create a file ldap.secret in the /etc directory, protected by mode 600, and place in it the rootdn password defined in slapd.conf (nss_ldap binds as rootbinddn with it):
[root@ldap /]# vim /etc/ldap.secret
secret

[root@ldap /]# chmod 600 /etc/ldap.secret
[root@ldap /]#

****************************************************

smbldap-tools configuration

[root@ldap /]# cd /etc/opt/IDEALX/smbldap-tools/
[root@ldap smbldap-tools]#
[root@ldap smbldap-tools]# vim smbldap_bind.conf
slaveDN="cn=Manager,dc=oxfamnovibpk,dc=org"
slavePw="secret"
masterDN="cn=Manager,dc=oxfamnovibpk,dc=org"
masterPw="secret"

[root@ldap smbldap-tools]# vim smbldap.conf

##############################################################################
#
# General Configuration
#
##############################################################################

SID="S-1-5-21-2815000769-282395026-991120840"

sambaDomain="OSFP.org.pk"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

slaveLDAP="127.0.0.1"

# Slave LDAP port
slavePort="389"

# Master LDAP server: needed for write operations
masterLDAP="127.0.0.1"

# Master LDAP port
masterPort="389"

suffix="dc=oxfamnovibpk,dc=org"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=OSFP.org.pk,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

userLoginShell="/bin/bash"

# Home directory
userHome="/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
#userSmbHome="\\192.168.1.140\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
#userProfile="\\192.168.1.140\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
#userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="oxfamnovibpk.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"
Configuring smb.conf

[root@ldap smbldap-tools]# cd /etc/samba/
[root@ldap samba]# vim smb.conf
[global]

workgroup = OSFP.org.pk
netbios name = ldapserver
enable privileges = yes
#interfaces = 192.168.1.131
username map = /etc/samba/smbusers

server string = samba-ldap-pdc
security = user
encrypt passwords = Yes
admin users = root
#min passwd length = 3
obey pam restrictions = No

ldap passwd sync = Yes

log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
#time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1

#guest account = root

logon script = logon.bat
logon drive =
logon home =
logon path =

domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes

passdb backend = ldapsam:ldap://127.0.0.1

ldap admin dn = cn=Manager,dc=oxfamnovibpk,dc=org

ldap suffix = dc=oxfamnovibpk,dc=org
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
#ldap ssl = start_tls
# smbldap-tools scripts, linked into /usr/local/sbin (see below)
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
#logon script = STARTUP.BAT

;[homes]

;comment = Home Directories
;valid users = %U
;read only = No
;create mask = 0664
;directory mask = 0775
;browseable = No

;[profiles]

;path = /home/samba/profiles
;read only = No
;create mask = 0600
;directory mask = 0700
;browseable = No
;guest ok = Yes
;profile acls = Yes
;csc policy = disable
;force user = %U
;valid users = %U @"Domain Admins"
[netlogon]
path = /home/samba/netlogon/
browseable = No
read only = yes
We are configuring a simple domain controller in this how-to. You can enable the commented [homes] and [profiles] shares to give domain users roaming profiles and home directories.

Let's create the directories referenced in /etc/samba/smb.conf:
[root@ldap samba]# mkdir /home/samba
[root@ldap samba]# mkdir /home/samba/netlogon
[root@ldap samba]# mkdir /home/samba/profiles
[root@ldap samba]# chmod 1777 /home/samba/profiles
(Currently we will not use the profiles feature.)

Samba must know the ldap admin dn password, so store it in secrets.tdb:
[root@ldap samba]# smbpasswd -w secret
Setting stored password for "cn=Manager,dc=oxfamnovibpk,dc=org" in secrets.tdb
[root@ldap samba]#

Now find out the domain Security Identifier (SID):
[root@ldap samba]# net getlocalsid
SID for domain LDAPSERVER is: S-1-5-21-2815000769-282395026-991120840
[root@ldap samba]#

Replace the SID in /etc/opt/IDEALX/smbldap-tools/smbldap.conf with the SID printed above.

Make sure that the smbldap scripts are available in /usr/local/sbin; otherwise create a symbolic link for each script in /usr/local/sbin, as that is the path used in smb.conf.
[root@ldap samba]# cd /opt/IDEALX/sbin/
[root@ldap sbin]# ls
configure.pl smbldap-groupmod smbldap-populate smbldap-userdel smbldap-usershow
smbldap-groupadd smbldap-groupshow smbldap_tools.pm smbldap-userinfo
smbldap-groupdel smbldap-passwd smbldap-useradd smbldap-usermod
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-useradd /usr/local/sbin/
and so on for each of the remaining scripts.

Now add the default base entries

[root@ldap /]# smbldap-populate
Populating LDAP directory for domain OSFP.org.pk (S-1-5-21-2815000769-282395026-991120840)
(using builtin directory structure)

adding new entry dc=oxfamnovibpk,dc=org
adding new entry ou=Users,dc=oxfamnovibpk,dc=org
adding new entry ou=Groups,dc=oxfamnovibpk,dc=org
adding new entry ou=Computers,dc=oxfamnovibpk,dc=org
adding new entry ou=Idmap,dc=oxfamnovibpk,dc=org
adding new entry uid=root,ou=Users,dc=oxfamnovibpk,dc=org
adding new entry uid=nobody,ou=Users,dc=oxfamnovibpk,dc=org
adding new entry cn=Domain Admins,ou=Groups,dc=oxfamnovibpk,dc=org
adding new entry cn=Domain Users,ou=Groups,dc=oxfamnovibpk,dc=org
adding new entry cn=Domain Guests,ou=Groups,dc=oxfamnovibpk,dc=org
adding new entry cn=Domain Computers,ou=Groups,dc=oxfamnovibpk,dc=org
adding new entry cn=Administrators,ou=Groups,dc=oxfamnovibpk,dc=org
adding new entry cn=Account Operators,ou=Groups,dc=oxfamnovibpk,dc=org
adding new entry cn=Print Operators,ou=Groups,dc=oxfamnovibpk,dc=org
adding new entry cn=Backup Operators,ou=Groups,dc=oxfamnovibpk,dc=org
adding new entry cn=Replicators,ou=Groups,dc=oxfamnovibpk,dc=org
adding new entry sambaDomainName=OSFP.org.pk,dc=oxfamnovibpk,dc=org

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
[root@ldap /]#

Adding the Domain Security Accounts (the DSA entries referenced by the access rules in slapd.conf).
For this purpose we will create an LDIF file and add all the entries at once. In LDIF each entry must be separated from the next by a blank line.
[root@ldap Desktop]# vim dsa.ldif
dn: ou=DSA,dc=oxfamnovibpk,dc=org
objectClass: top
objectClass: organizationalUnit
ou: DSA
description: security accounts for LDAP clients

dn: cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword: sambasecretpwd
cn: samba

dn: cn=nssldap,ou=DSA,dc=oxfamnovibpk,dc=org
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword: nssldapsecretpwd
cn: nssldap

dn: cn=smbtools,ou=DSA,dc=oxfamnovibpk,dc=org
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword: smbtoolssecretpwd
cn: smbtools

[root@ldap Desktop]# ldapadd -x -h localhost -D "cn=Manager,dc=oxfamnovibpk,dc=org" -f dsa.ldif -W
Enter LDAP Password:
adding new entry "ou=DSA,dc=oxfamnovibpk,dc=org"

adding new entry "cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org"

adding new entry "cn=nssldap,ou=DSA,dc=oxfamnovibpk,dc=org"

adding new entry "cn=smbtools,ou=DSA,dc=oxfamnovibpk,dc=org"

[root@ldap Desktop]#

The password of each security account can be changed with ldappasswd (-s sets the new password, -W prompts for the Manager bind password):

[root@ldap Desktop]# ldappasswd -x -h localhost -D "cn=Manager,dc=oxfamnovibpk,dc=org" -s password -W cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org

Now start the Samba server:

[root@ldap Desktop]# /etc/init.d/smb start
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
[root@ldap Desktop]#

Now create a user account for both UNIX and Samba:

[root@ldap Desktop]# smbldap-useradd -a -m -c "Muhammad Farrukh Siddique" mfarrukh
[root@ldap Desktop]# smbldap-passwd mfarrukh
Changing UNIX and samba passwords for mfarrukh
New password:
Retype new password:
[root@ldap Desktop]#

Now create a machine trust account:

[root@ldap Desktop]# smbldap-useradd -w client1

The machine trust account must also be in /etc/passwd:
[root@ldap Desktop]# useradd -d /dev/null -s /bin/false client1$
(The trailing $ sign differentiates machine accounts from user accounts.)

Let's look up a user account:

[root@ldap Desktop]# smbldap-usershow mfarrukh
dn: uid=mfarrukh,ou=Users,dc=oxfamnovibpk,dc=org
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: mfarrukh
sn: mfarrukh
givenName: mfarrukh
uid: mfarrukh
uidNumber: 1000
gidNumber: 513
homeDirectory: /home/mfarrukh
loginShell: /bin/bash
gecos: Muhammad Farrukh Siddique
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: Muhammad Farrukh Siddique
sambaSID: S-1-5-21-2815000769-282395026-991120840-3000
sambaPrimaryGroupSID: S-1-5-21-2815000769-282395026-991120840-513
sambaLogonScript: logon.bat
sambaLMPassword: 78BCCAEE08C90E29AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: F9E37E83B83C47A93C2F09F66408631B
sambaPwdLastSet: 1257784838
sambaPwdMustChange: 1261672838
userPassword: {SSHA}2syv4k3FUxv3269R29xbBDnQ6tFaS2Rz
[root@ldap Desktop]#

[root@ldap Desktop]# smbldap-usershow client1$
dn: uid=client1$,ou=Computers,dc=osfp,dc=org,dc=pk
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,sambaSamAccount
cn: client1$
sn: client1$
uid: client1$
uidNumber: 1001
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaSID: S-1-5-21-2815000769-282395026-991120840-1000
displayName: CLIENT1$
sambaAcctFlags: [W ]
sambaNTPassword: A6F443E99DBF9DD0686A90919A9D6967
sambaPwdLastSet: 1243494068
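smbldap.conf above sets hash_encrypt="SSHA", which is why the userPassword that smbldap-usershow prints carries the {SSHA} prefix, whereas the entries loaded from dsa.ldif carry clear-text userPassword values. This added example (not from the how-to) shows what an {SSHA} value is, verifies a candidate password against one, and classifies how each entry of a constructed, smbldap-usershow-style dump stores its credentials; the DNs follow this page, the passwords and hash values are made up.

```python
import base64
import hashlib
import hmac
import os


def make_ssha(password, salt=None):
    """Build an OpenLDAP {SSHA} value: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode('ascii')


def check_ssha(stored, candidate):
    """Constant-time check of a candidate password against an {SSHA} value."""
    if not stored.startswith('{SSHA}'):
        raise ValueError('not an {SSHA} value')
    raw = base64.b64decode(stored[len('{SSHA}'):])
    digest, salt = raw[:20], raw[20:]   # SHA-1 is 20 bytes; the rest is salt
    cand = hashlib.sha1(candidate.encode('utf-8') + salt).digest()
    return hmac.compare_digest(digest, cand)


# Constructed sample entry (made-up password and hash values).
ALICE_SSHA = make_ssha('Alice-P4ss', salt=b'\x01\x02\x03\x04')
DUMP = f"""dn: uid=alice,ou=Users,dc=oxfamnovibpk,dc=org
uid: alice
sambaLMPassword: 0123456789ABCDEF0123456789ABCDEF
sambaNTPassword: FEDCBA9876543210FEDCBA9876543210
userPassword: {ALICE_SSHA}

dn: cn=samba,ou=DSA,dc=oxfamnovibpk,dc=org
cn: samba
userPassword: sambasecretpwd
"""


def parse_entries(dump):
    """Split an LDIF-like dump (blank line between entries) into dicts;
    multi-valued attributes are kept as lists."""
    entries, cur = [], {}
    for line in dump.splitlines() + ['']:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, value = line.partition(':')
        cur.setdefault(key.strip(), []).append(value.strip())
    return entries


def password_storage(entry):
    """Describe how an entry stores credentials: the userPassword scheme
    (CLEARTEXT when there is no {SCHEME} prefix) and whether the unsalted
    LM / NT hashes Samba keeps are present alongside it."""
    findings = []
    for value in entry.get('userPassword', []):
        if value.startswith('{') and '}' in value:
            scheme = value[1:value.index('}')]
        else:
            scheme = 'CLEARTEXT'
        findings.append('userPassword:' + scheme)
    if 'sambaLMPassword' in entry:
        findings.append('LM hash present')
    if 'sambaNTPassword' in entry:
        findings.append('NT hash present')
    return findings


if __name__ == '__main__':
    for entry in parse_entries(DUMP):
        print(entry['dn'][0], password_storage(entry))
    print(check_ssha(ALICE_SSHA, 'Alice-P4ss'), check_ssha(ALICE_SSHA, 'wrong'))
```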
You can list the whole OU with:

ldapsearch -x -b "ou=Users,dc=oxfamnovibpk,dc=org" -LLL -D "cn=Manager,dc=oxfamnovibpk,dc=org" -W

Now everything has been configured successfully.

The last step is to join the domain.

Power on the XP machine and set its network settings according to this scenario:

IP Address: 192.168.1.145
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.1
Primary DNS: 192.168.1.253

Right-click on the My Computer icon and go to Properties. Under the Computer Name tab click the Change button and enter the domain name.
When prompted, enter the username root and its password; a welcome screen will appear.
Just restart the computer and log in with a domain username.

I have done it successfully. ALHAMDULILLAH
