How To Configure Samba As A Primary Domain Controller

Configuring Samba Server as a Primary Domain Controller eases our requirement for a centralized authentication server. Below are the steps required to configure it.

Here we need three servers 
1) DNS Server  (Running RHEL 5)
2) Samba LDAP Server (Running RHEL 5)
3) Windows XP (Client Machine)



[root@dns ~]# yum install bind* -y

[root@dns ~]# vim /var/named/chroot/etc/named.conf

//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
options
{
        // Those options should be used carefully because they disable port
        // randomization
            // query-source    port 53;         
            // query-source-v6 port 53;
           
            // Put files that named is allowed to write in the data/ directory:
            directory "/var/named"; // the default
            dump-file                      "data/cache_dump.db";
        statistics-file          "data/named_stats.txt";
        memstatistics-file   "data/named_mem_stats.txt";

};
logging
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :
 */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        }; 
};
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
            include "/etc/named.rfc1912.zones";
            // all views must contain the root hints zone:
            include "/etc/named.root.hints";

        // include "named.rfc1912.zones";
            // you should not serve your rfc1912 names to non-localhost clients.
            // These are your "authoritative" internal zones, and would probably
            // also be included in the "localhost_resolver" view above :

            zone "dynamite.com" IN {
                        type master;
                        file "dynamite.com.fz";
            };

            zone "1.168.192.in-addr.arpa" IN {
                        type master;
                        file "dynamite.com.rz";
            };

[root@dns ~]# cd /var/named/chroot/var/named

[root@dns named]# cp /usr/share/doc/bind-9.3.6/sample/var/named/localdomain.zone ./dynamite.com.fz

[root@dns named]# cp /usr/share/doc/bind-9.3.6/sample/var/named/named.local ./dynamite.com.rz

[root@dns named]# chown root.named dynamite*

[root@dns named]# vim dynamite.com.fz

$TTL     86400
@                     IN SOA  dns.dynamite.com. dnsadmin.dynamite.com. (
                                                            2111201101       ; serial (d. adams)
                                                            3H                    ; refresh
                                                            15M                  ; retry
                                                            1W                   ; expiry
                                                            1D )                  ; minimum
@                 IN NS                    dns.dynamite.com.
dns                   IN A                  192.168.1.1
www                 IN CNAME         dns
sambaldap        IN A                  192.168.1.2
winxp                IN A                  192.168.1.3

_ldap._tcp.dynamite.com. SRV 0 0 389 sambaldap.dynamite.com.
_ldap._tcp.dc._msdcs.dynamite.com. SRV 0 0 389 sambaldap.dynamite.com.

[root@dns named]# vim dynamite.com.fz

$TTL     86400
@                     IN SOA  dns.dynamite.com. dnsadmin.dynamite.com. (
                                                            2111201101       ; serial (d. adams)
                                                            3H                    ; refresh
                                                            15M                  ; retry
                                                            1W                   ; expiry
                                                            1D )                  ; minimum
                        IN NS                dns.dynamite.com.
1                      IN PTR              dns
2                      IN PTR              sambaldap
3                      IN PTR              winxp

[root@dns named]# service named start

[root@dns named]# chkconfig named on

[root@dns ~]# nslookup dns.dynamite.com
Server:         192.168.1.1
Address:        192.168.1.1#53

Name:   dns.dynamite.com
Address: 192.168.1.1

[root@dns ~]# nslookup
> 192.168.1.3
Server:         192.168.1.1
Address:        192.168.1.1#53

3.1.168.192.in-addr.arpa        name = winxp.1.168.192.in-addr.arpa.
> sambaldap.dynamite.com
Server:         192.168.1.1
Address:        192.168.1.1#53

Name:   sambaldap.dynamite.com
Address: 192.168.1.2
> www.dynamite.com
Server:         192.168.1.1
Address:        192.168.1.1#53

www.dynamite.com        canonical name = dns.dynamite.com.
Name:   dns.dynamite.com
Address: 192.168.1.1
> exit

[root@sambaldap ~]# yum install openldap* compat-db python-ldap php-ldap ldapjdk nss_ldap samba samba-common samba-client perl-Crypt-SmbHash perl-Digest-SHA1 perl-Jcode perl-Unicode-Map perl-Unicode-Map8 perl-Unicode-MapUTF8 perl-Unicode-String smbldap-tools -y

[root@sambaldap ~]# vim /etc/openldap/schema/samba.schema

#######################################################################
## Attributes used by Samba 3.0 schema ##
#######################################################################

##
## Password hashes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
            DESC 'LanManager Password'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
            DESC 'MD4 hash of the unicode password'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

##
## Account flags in string format ([UWDX ])
##
attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags'
            DESC 'Account Flags'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )

##
## Password timestamps & policies
##
attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet'
            DESC 'Timestamp of the last password update'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange'
            DESC 'Timestamp of when the user is allowed to update the password'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange'
            DESC 'Timestamp of when the password will expire'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime'
            DESC 'Timestamp of last logon'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime'
            DESC 'Timestamp of last logoff'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime'
            DESC 'Timestamp of when the user will be logged off automatically'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'
            DESC 'Bad password attempt count'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'
            DESC 'Time of the last bad password attempt'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours'
            DESC 'Logon Hours'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )

##
## string settings
##
attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive'
            DESC 'Driver letter of home directory mapping'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript'
            DESC 'Logon script path'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath'
            DESC 'Roaming profile path'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'
            DESC 'List of user workstations the user is allowed to logon to'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath'
            DESC 'Home directory UNC path'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName'
            DESC 'Windows NT domain to which the user belongs'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
            DESC 'Base64 encoded user parameter string'
            EQUALITY caseExactMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )

attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'
            DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )

##
## SID, of any type
##

attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
            DESC 'Security ID'
            EQUALITY caseIgnoreIA5Match
            SUBSTR caseExactIA5SubstringsMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )

##
## Primary group SID, compatible with ntSid
##

attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'
            DESC 'Primary Group Security ID'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList'
            DESC 'Security ID List'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )

##
## group mapping attributes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType'
            DESC 'NT Group Type'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

##
## Store info on the domain
##

attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid'
            DESC 'Next NT rid to give our for users'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'
            DESC 'Next NT rid to give out for groups'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'
            DESC 'Next NT rid to give out for anything'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'
            DESC 'Base at which the samba RID generation algorithm should operate'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName'
            DESC 'Share Name'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName'
            DESC 'Option Name'
            EQUALITY caseIgnoreMatch
            SUBSTR caseIgnoreSubstringsMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption'
            DESC 'A boolean option'
            EQUALITY booleanMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption'
            DESC 'An integer option'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption'
            DESC 'A string option'
            EQUALITY caseExactIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption'
            DESC 'A string list option'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName'
## SUP name )

##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
## DESC 'Privileges List'
## EQUALITY caseIgnoreIA5Match
## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )

attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags'
            DESC 'Trust Password Flags'
            EQUALITY caseIgnoreIA5Match
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# "min password length"
attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength'
            DESC 'Minimal password length (default: 5)'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "password history"
attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength'
            DESC 'Length of Password History Entries (default: 0 => off)'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "user must logon to change password"
attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd'
            DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "maximum password age"
attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge'
            DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "minimum password age"
attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge'
            DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "lockout duration"
attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration'
            DESC 'Lockout duration in minutes (default: 30, -1 => forever)'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "reset count minutes"
attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow'
            DESC 'Reset time after lockout in minutes (default: 30)'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "bad lockout attempt"
attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
            DESC 'Lockout users after bad logon attempts (default: 0 => off)'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "disconnect time"
attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff'
            DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "refuse machine password change"
attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange'
            DESC 'Allow Machine Password changes (default: 0 => off)'
            EQUALITY integerMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

#######################################################################
## objectClasses used by Samba 3.0 schema ##
#######################################################################

## The X.500 data model (and therefore LDAPv3) says that each entry can
## only have one structural objectclass. OpenLDAP 2.0 does not enforce
## this currently but will in v2.1

##
## added new objectclass (and OID) for 3.0 to help us deal with backwards
## compatibility with 2.2 installations (e.g. ldapsam_compat) --jerry
##
objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
            DESC 'Samba 3.0 Auxilary SAM Account'
            MUST ( uid $ sambaSID )
            MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
            sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
            sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
            displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
            sambaProfilePath $ description $ sambaUserWorkstations $
            sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
            sambaBadPasswordCount $ sambaBadPasswordTime $
            sambaPasswordHistory $ sambaLogonHours) )

##
## Group mapping info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
            DESC 'Samba Group Mapping'
            MUST ( gidNumber $ sambaSID $ sambaGroupType )
            MAY ( displayName $ description $ sambaSIDList ) )

##
## Trust password for trust relationships (any kind)
##
objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL
            DESC 'Samba Trust Password'
            MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags )
            MAY ( sambaSID $ sambaPwdLastSet ) )

##
## Whole-of-domain info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
            DESC 'Samba Domain Information'
            MUST ( sambaDomainName $ sambaSID )
            MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
            sambaAlgorithmicRidBase $
            sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $
            sambaMaxPwdAge $ sambaMinPwdAge $
            sambaLockoutDuration $ sambaLockoutObservationWindow $
            sambaLockoutThreshold $
            sambaForceLogoff $ sambaRefuseMachinePwdChange ) )

##
## used for idmap_ldap module
##
objectclass ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
            DESC 'Pool for allocating UNIX uids/gids'
            MUST ( uidNumber $ gidNumber ) )


objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
            DESC 'Mapping from a SID to an ID'
            MUST ( sambaSID )
            MAY ( uidNumber $ gidNumber ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
            DESC 'Structural Class for a SID'
            MUST ( sambaSID ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY
            DESC 'Samba Configuration Section'
            MAY ( description ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL
            DESC 'Samba Share Section'
            MUST ( sambaShareName )
            MAY ( description ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL
            DESC 'Samba Configuration Option'
            MUST ( sambaOptionName )
            MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $
            sambaStringListoption $ description ) )

[root@sambaldap ~]# vim /etc/openldap/slapd.conf

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

loglevel -1

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################


# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName     eq

database        bdb
suffix          "dc=dynamite,dc=com"
rootdn          "cn=Manager,dc=dynamite,dc=com"

rootpw          redhat
# rootpw                {crypt}ijFYNcSNctBYg

directory       /var/lib/ldap


#Access control List information
access to attrs="userPassword,sambaLMPassword,sambaNTPassword"
        by selfwrite
        by anonymous auth
# users can authenticate and change their password
access to attrs="userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange"
        by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
        by dn="cn=nssldap,ou=DSA,dc=dynamite,dc=com" write
        by dn="uid=root,ou=People,dc=dynamite,dc=com" write
        by anonymous auth
        by self write
        by * none

# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
        by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
        by dn="cn=smbldap-tools,dc=dynamite,dc=com" write
        by dn="uid=root,ou=People,dc=dynamite,dc=com" write
        by * read

# somme attributes can be writable by users themselves
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
        by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
        by dn="cn=smbldap-tools,dc=dynamite,dc=com" write
        by dn="uid=root,ou=People,dc=dynamite,dc=com" write
        by self write
        by * read

# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
        by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
        by dn="uid=root,ou=People,dc=dynamite,dc=com" write
        by self read
        by * none

# samba need to be able to create the samba domain account
access to dn.base="dc=dynamite,dc=com"
        by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
        by dn="uid=root,ou=People,dc=dynamite,dc=com" write
        by * none

# samba need to be able to create new users account
access to dn="ou=Users,dc=dynamite,dc=com"
        by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
        by dn="uid=root,ou=People,dc=dynamite,dc=com" write
        by * none

# samba need to be able to create new groups account
access to dn="ou=Groups,dc=dynamite,dc=com"
        by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
        by dn="uid=root,ou=People,dc=dynamite,dc=com" write
        by * none

# samba need to be able to create new computers account
access to dn="ou=Computers,dc=dynamite,dc=com"
        by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
        by dn="uid=root,ou=People,dc=dynamite,dc=com" write
        by * none

access to *
        by self read
        by * none

[root@sambaldap ~]# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@sambaldap ~]# chkconfig ldap on

root@sambaldap ~]# service ldap start
Checking configuration files for slapd:  config file testing succeeded         [  OK  ]
Starting slapd:                                                                                       [  OK  ]

[root@sambaldap ~]# vim /etc/openldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE     dc=dynamite, dc=com
URI       ldap://127.0.0.1
TLS_CACERTDIR /etc/openldap/cacerts

#URI     ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT        12
#TIMELIMIT       15
#DEREF             never

[root@sambaldap ~]# vim /etc/ldap.conf

In the end of the file insert the following

ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

[root@sambaldap ~]# vim /etc/ldap.secret
redhat

[root@sambaldap ~]# chmod 600 /etc/ldap.secret

[root@sambaldap ~]# smbpasswd -w redhat
Setting stored password for "cn=Manager,dc=dynamite,dc=com" in secrets.tdb

[root@sambaldap ~]# cp /etc/samba/smb.conf    /etc/samba/smb.conf.org

[root@sambaldap ~]# vim /etc/samba/smb.conf

[global]
workgroup = dynamite.com
netbios name = DYNAMITE
enable privileges = yes
#interfaces = 192.168.1.131
username map = /etc/samba/smbusers

server string = SAMBA-LDAP-PDC
security = user
encrypt passwords = Yes
admin users = root
#min passwd length = 3
obey pam restrictions = No

ldap passwd sync = Yes

log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
#time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1

#guest account = root

logon script = logon.bat
logon drive =
logon home =
logon path =

domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes

passdb backend = ldapsam:ldap://127.0.0.1

ldap admin dn = cn=Manager,dc=dynamite,dc=com

ldap suffix = dc=dynamite,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
#ldap ssl = start_tls
add user script = /usr/sbin/smbldap-useradd -a '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u''%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'

#logon script = STARTUP.BAT

[homes]
comment = Home Directories
valid users = %U
read only = No
create mask = 0664
directory mask = 0775
browseable = No

[profiles]
path = /home/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = Yes
csc policy = disable
force user = %U
valid users = %U @"Domain Admins"

[netlogon]
path = /home/samba/netlogon/
browseable = No
read only = yes

[root@sambaldap ~]# mkdir /home/samba

[root@sambaldap ~]# mkdir /home/samba/netlogon

[root@sambaldap ~]# mkdir /home/samba/profiles

[root@sambaldap ~]# chmod 1777 /home/samba/profiles

[root@sambaldap ~]# net getlocalsid
SID for domain DYNAMITE is: S-1-5-21-3845255333-1124560154-2737011584

[root@sambaldap ~]# vim /etc/smbldap-tools/smbldap.conf

# $Source: $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

#  This code was developped by IDEALX (http://IDEALX.org/) and
#  contributors (their names can be found in the CONTRIBUTORS file).
#
#                 Copyright (C) 2001-2002 IDEALX
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.

#  Purpose :
#       . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-3845255333-1124560154-2737011584"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="dynamite.com"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
#slaveLDAP="ldap.iallanis.info"
slaveLDAP="127.0.0.1"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"

# Master LDAP port
# If not defined, parameter is set to "389"
#masterPort="389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "0"
ldapTLS="0"

# Use SSL for LDAP
# If set to 1, this option will use SSL for connection
# (standard port for ldaps is 636)
# If not defined, parameter is set to "0"
ldapSSL="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
#verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
#cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientcert="/etc/smbldap-tools/smbldap-tools.iallanis.info.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientkey="/etc/smbldap-tools/smbldap-tools.iallanis.info.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=dynamite,dc=com"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\192.168.1.2\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\192.168.1.2\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="dynamite.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"

[root@sambaldap ~]# smbldap-populate

Populating LDAP directory for domain dynamite.com (S-1-5-21-3845255333-1124560154-2737011584)
(using builtin directory structure)

adding new entry dc=dynamite,dc=com
adding new entry ou=Users,dc=dynamite,dc=com
adding new entry ou=Groups,dc=dynamite,dc=com
adding new entry ou=Computers,dc=dynamite,dc=com
adding new entry ou=Idmap,dc=dynamite,dc=com
adding new entry uid=root,ou=Users,dc=dynamite,dc=com
adding new entry uid=nobody,ou=Users,dc=dynamite,dc=com
adding new entry cn=Domain Admins,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Domain Users,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Domain Guests,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Domain Computers,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Administrators,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Account Operators,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Print Operators,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Backup Operators,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Replicators,ou=Groups,dc=dynamite,dc=com
adding new entry sambaDomainName=dynamite.com,dc=dynamite,dc=com

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password: abc123 
Retype new password: abc123

[root@sambaldap ~]# vim dsa.ldif

dn: ou=DSA,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: DSA
description: Security Accounts For LDAP Clients

dn: cn=samba,ou=DSA,dc=example,dc=com
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: sambasecretpwd
cn: samba

dn: cn=nssldap,ou=DSA,dc=example,dc=com
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: nssldapsecretpwd
cn: nssldap

dn: cn=smbtools,ou=DSA,dc=example,dc=com
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: smbtoolssecretpwd
cn: smbtools

[root@sambaldap ~]# ldapadd -D "cn=manager,dc=dynamite,dc=com" -x -W -f dsa.ldif
Enter LDAP Password: *******
adding new entry "ou=DSA,dc=dynamite,dc=com"
adding new entry "cn=samba,ou=DSA,dc=dynamite,dc=com"
adding new entry "cn=nssldap,ou=DSA,dc=dynamite,dc=com"
adding new entry "cn=smbtools,ou=DSA,dc=dynamite,dc=com"

[root@sambaldap ~]# ldappasswd -D "cn=manager,dc=dynamite,dc=com" -x -W "cn=samba,ou=DSA,dc=dynamite,dc=com" -s password
Enter LDAP Password: redhat
Result: Success (0)

[root@sambaldap ~]# chkconfig smb on

[root@sambaldap ~]# service smb start
Starting SMB services:                                     [  OK  ]
Starting NMB services:                                     [  OK  ]

[root@sambaldap ~]# smbldap-useradd -a -m -c "Nagoor Vali Shaik" nagoor

[root@sambaldap ~]# smbldap-passwd nagoor
Changing UNIX and samba passwords for nagoor
New password:
Retype new password:

[root@sambaldap ~]# useradd nagoor
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.

[root@sambaldap ~]# smbldap-useradd -w winxp$

[root@sambaldap ~]# useradd -d /dev/null -s /bin/false winxp$
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.

[root@sambaldap ~]# ldapsearch -D "cn=manager,dc=dynamite,dc=com" -x -b "ou=Users,dc=dynamite,dc=com" -LLL -W

Note : Whenever an account is created with smbldap tools in LDAP, the same account must also be created in local accounts database i.e. /etc/passwd

Join the Windows XP machine to the domain DYNAMITE.COM

On Windows XP Machine Right Click My Computer -> Properties -> Select Computer Name tab -> Click Change -> Select input computer name and select Domain and input dynamite.com -> Click OK -> Provide the domain account credentials
i.e. (UserName: root & Password: abc123)

Login with the other user accounts into DYNAMITE.COM domain and confirm that they are able to access the network resources.

Post a Comment

Mới hơn Cũ hơn