Configuring Samba Server as a Primary Domain Controller eases our requirement for a centralized authentication server. Below are the steps required to configure it.
Here we need three servers
1) DNS Server (Running RHEL 5)
2) Samba LDAP Server (Running RHEL 5)
3) Windows XP (Client Machine)
Here we need three servers
1) DNS Server (Running RHEL 5)
2) Samba LDAP Server (Running RHEL 5)
3) Windows XP (Client Machine)
[root@dns ~]# yum install bind* -y
[root@dns ~]# vim /var/named/chroot/etc/named.conf
//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
// file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
options
{
// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
};
logging
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
include "/etc/named.rfc1912.zones";
// all views must contain the root hints zone:
include "/etc/named.root.hints";
// include "named.rfc1912.zones";
// you should not serve your rfc1912 names to non-localhost clients.
// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :
zone "dynamite.com" IN {
type master;
file "dynamite.com.fz";
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "dynamite.com.rz";
};
[root@dns ~]# cd /var/named/chroot/var/named
[root@dns named]# cp /usr/share/doc/bind-9.3.6/sample/var/named/localdomain.zone ./dynamite.com.fz
[root@dns named]# cp /usr/share/doc/bind-9.3.6/sample/var/named/named.local ./dynamite.com.rz
[root@dns named]# chown root.named dynamite*
[root@dns named]# vim dynamite.com.fz
$TTL 86400
@ IN SOA dns.dynamite.com. dnsadmin.dynamite.com. (
2111201101 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS dns.dynamite.com.
dns IN A 192.168.1.1
www IN CNAME dns
sambaldap IN A 192.168.1.2
winxp IN A 192.168.1.3
_ldap._tcp.dynamite.com. SRV 0 0 389 sambaldap.dynamite.com.
_ldap._tcp.dc._msdcs.dynamite.com. SRV 0 0 389 sambaldap.dynamite.com.
[root@dns named]# vim dynamite.com.fz
$TTL 86400
@ IN SOA dns.dynamite.com. dnsadmin.dynamite.com. (
2111201101 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS dns.dynamite.com.
1 IN PTR dns
2 IN PTR sambaldap
3 IN PTR winxp
[root@dns named]# service named start
[root@dns named]# chkconfig named on
[root@dns ~]# nslookup dns.dynamite.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Name: dns.dynamite.com
Address: 192.168.1.1
[root@dns ~]# nslookup
> 192.168.1.3
Server: 192.168.1.1
Address: 192.168.1.1#53
3.1.168.192.in-addr.arpa name = winxp.1.168.192.in-addr.arpa.
> sambaldap.dynamite.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Name: sambaldap.dynamite.com
Address: 192.168.1.2
> www.dynamite.com
Server: 192.168.1.1
Address: 192.168.1.1#53
www.dynamite.com canonical name = dns.dynamite.com.
Name: dns.dynamite.com
Address: 192.168.1.1
> exit
[root@sambaldap ~]# yum install openldap* compat-db python-ldap php-ldap ldapjdk nss_ldap samba samba-common samba-client perl-Crypt-SmbHash perl-Digest-SHA1 perl-Jcode perl-Unicode-Map perl-Unicode-Map8 perl-Unicode-MapUTF8 perl-Unicode-String smbldap-tools -y
[root@sambaldap ~]# vim /etc/openldap/schema/samba.schema
#######################################################################
## Attributes used by Samba 3.0 schema ##
#######################################################################
##
## Password hashes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
DESC 'LanManager Password'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
DESC 'MD4 hash of the unicode password'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
##
## Account flags in string format ([UWDX ])
##
attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags'
DESC 'Account Flags'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
##
## Password timestamps & policies
##
attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet'
DESC 'Timestamp of the last password update'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange'
DESC 'Timestamp of when the user is allowed to update the password'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange'
DESC 'Timestamp of when the password will expire'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime'
DESC 'Timestamp of last logon'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime'
DESC 'Timestamp of last logoff'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime'
DESC 'Timestamp of when the user will be logged off automatically'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'
DESC 'Bad password attempt count'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'
DESC 'Time of the last bad password attempt'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours'
DESC 'Logon Hours'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )
##
## string settings
##
attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive'
DESC 'Driver letter of home directory mapping'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript'
DESC 'Logon script path'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath'
DESC 'Roaming profile path'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'
DESC 'List of user workstations the user is allowed to logon to'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath'
DESC 'Home directory UNC path'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName'
DESC 'Windows NT domain to which the user belongs'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
DESC 'Base64 encoded user parameter string'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'
DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
##
## SID, of any type
##
attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
DESC 'Security ID'
EQUALITY caseIgnoreIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
##
## Primary group SID, compatible with ntSid
##
attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'
DESC 'Primary Group Security ID'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList'
DESC 'Security ID List'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
##
## group mapping attributes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType'
DESC 'NT Group Type'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
##
## Store info on the domain
##
attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid'
DESC 'Next NT rid to give our for users'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'
DESC 'Next NT rid to give out for groups'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'
DESC 'Next NT rid to give out for anything'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'
DESC 'Base at which the samba RID generation algorithm should operate'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName'
DESC 'Share Name'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName'
DESC 'Option Name'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption'
DESC 'A boolean option'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption'
DESC 'An integer option'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption'
DESC 'A string option'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption'
DESC 'A string list option'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName'
## SUP name )
##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
## DESC 'Privileges List'
## EQUALITY caseIgnoreIA5Match
## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags'
DESC 'Trust Password Flags'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# "min password length"
attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength'
DESC 'Minimal password length (default: 5)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "password history"
attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength'
DESC 'Length of Password History Entries (default: 0 => off)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "user must logon to change password"
attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd'
DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "maximum password age"
attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge'
DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "minimum password age"
attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge'
DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "lockout duration"
attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration'
DESC 'Lockout duration in minutes (default: 30, -1 => forever)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "reset count minutes"
attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow'
DESC 'Reset time after lockout in minutes (default: 30)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "bad lockout attempt"
attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
DESC 'Lockout users after bad logon attempts (default: 0 => off)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "disconnect time"
attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff'
DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "refuse machine password change"
attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange'
DESC 'Allow Machine Password changes (default: 0 => off)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#######################################################################
## objectClasses used by Samba 3.0 schema ##
#######################################################################
## The X.500 data model (and therefore LDAPv3) says that each entry can
## only have one structural objectclass. OpenLDAP 2.0 does not enforce
## this currently but will in v2.1
##
## added new objectclass (and OID) for 3.0 to help us deal with backwards
## compatibility with 2.2 installations (e.g. ldapsam_compat) --jerry
##
objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
DESC 'Samba 3.0 Auxilary SAM Account'
MUST ( uid $ sambaSID )
MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
sambaProfilePath $ description $ sambaUserWorkstations $
sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
sambaBadPasswordCount $ sambaBadPasswordTime $
sambaPasswordHistory $ sambaLogonHours) )
##
## Group mapping info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
DESC 'Samba Group Mapping'
MUST ( gidNumber $ sambaSID $ sambaGroupType )
MAY ( displayName $ description $ sambaSIDList ) )
##
## Trust password for trust relationships (any kind)
##
objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL
DESC 'Samba Trust Password'
MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags )
MAY ( sambaSID $ sambaPwdLastSet ) )
##
## Whole-of-domain info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
DESC 'Samba Domain Information'
MUST ( sambaDomainName $ sambaSID )
MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
sambaAlgorithmicRidBase $
sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $
sambaMaxPwdAge $ sambaMinPwdAge $
sambaLockoutDuration $ sambaLockoutObservationWindow $
sambaLockoutThreshold $
sambaForceLogoff $ sambaRefuseMachinePwdChange ) )
##
## used for idmap_ldap module
##
objectclass ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
DESC 'Pool for allocating UNIX uids/gids'
MUST ( uidNumber $ gidNumber ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
DESC 'Mapping from a SID to an ID'
MUST ( sambaSID )
MAY ( uidNumber $ gidNumber ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
DESC 'Structural Class for a SID'
MUST ( sambaSID ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY
DESC 'Samba Configuration Section'
MAY ( description ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL
DESC 'Samba Share Section'
MUST ( sambaShareName )
MAY ( description ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL
DESC 'Samba Configuration Option'
MUST ( sambaOptionName )
MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $
sambaStringListoption $ description ) )
[root@sambaldap ~]# vim /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
loglevel -1
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
database bdb
suffix "dc=dynamite,dc=com"
rootdn "cn=Manager,dc=dynamite,dc=com"
rootpw redhat
# rootpw {crypt}ijFYNcSNctBYg
directory /var/lib/ldap
#Access control List information
access to attrs="userPassword,sambaLMPassword,sambaNTPassword"
by selfwrite
by anonymous auth
# users can authenticate and change their password
access to attrs="userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange"
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=nssldap,ou=DSA,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by anonymous auth
by self write
by * none
# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by * read
# somme attributes can be writable by users themselves
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by self write
by * read
# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by self read
by * none
# samba need to be able to create the samba domain account
access to dn.base="dc=dynamite,dc=com"
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by * none
# samba need to be able to create new users account
access to dn="ou=Users,dc=dynamite,dc=com"
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by * none
# samba need to be able to create new groups account
access to dn="ou=Groups,dc=dynamite,dc=com"
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by * none
# samba need to be able to create new computers account
access to dn="ou=Computers,dc=dynamite,dc=com"
by dn="cn=samba,ou=DSA,dc=dynamite,dc=com" write
by dn="cn=smbldap-tools,ou=DSA,dc=dynamite,dc=com" write
by dn="uid=root,ou=People,dc=dynamite,dc=com" write
by * none
access to *
by self read
by * none
[root@sambaldap ~]# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@sambaldap ~]# chkconfig ldap on
root@sambaldap ~]# service ldap start
Checking configuration files for slapd: config file testing succeeded [ OK ]
Starting slapd: [ OK ]
[root@sambaldap ~]# vim /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=dynamite, dc=com
URI ldap://127.0.0.1
TLS_CACERTDIR /etc/openldap/cacerts
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
[root@sambaldap ~]# vim /etc/ldap.conf
In the end of the file insert the following
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
[root@sambaldap ~]# vim /etc/ldap.secret
redhat
[root@sambaldap ~]# chmod 600 /etc/ldap.secret
[root@sambaldap ~]# smbpasswd -w redhat
Setting stored password for "cn=Manager,dc=dynamite,dc=com" in secrets.tdb
[root@sambaldap ~]# cp /etc/samba/smb.conf /etc/samba/smb.conf.org
[root@sambaldap ~]# vim /etc/samba/smb.conf
[global]
workgroup = dynamite.com
netbios name = DYNAMITE
enable privileges = yes
#interfaces = 192.168.1.131
username map = /etc/samba/smbusers
server string = SAMBA-LDAP-PDC
security = user
encrypt passwords = Yes
admin users = root
#min passwd length = 3
obey pam restrictions = No
ldap passwd sync = Yes
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
#time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
#guest account = root
logon script = logon.bat
logon drive =
logon home =
logon path =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=Manager,dc=dynamite,dc=com
ldap suffix = dc=dynamite,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
#ldap ssl = start_tls
add user script = /usr/sbin/smbldap-useradd -a '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u''%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
#logon script = STARTUP.BAT
[homes]
comment = Home Directories
valid users = %U
read only = No
create mask = 0664
directory mask = 0775
browseable = No
[profiles]
path = /home/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = Yes
csc policy = disable
force user = %U
valid users = %U @"Domain Admins"
[netlogon]
path = /home/samba/netlogon/
browseable = No
read only = yes
[root@sambaldap ~]# mkdir /home/samba
[root@sambaldap ~]# mkdir /home/samba/netlogon
[root@sambaldap ~]# mkdir /home/samba/profiles
[root@sambaldap ~]# chmod 1777 /home/samba/profiles
[root@sambaldap ~]# net getlocalsid
SID for domain DYNAMITE is: S-1-5-21-3845255333-1124560154-2737011584
[root@sambaldap ~]# vim /etc/smbldap-tools/smbldap.conf
# $Source: $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose :
# . be the configuration file for all smbldap-tools scripts
##############################################################################
#
# General Configuration
#
##############################################################################
# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-3845255333-1124560154-2737011584"
# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="dynamite.com"
##############################################################################
#
# LDAP Configuration
#
##############################################################################
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)
# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
#slaveLDAP="ldap.iallanis.info"
slaveLDAP="127.0.0.1"
# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"
# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"
# Master LDAP port
# If not defined, parameter is set to "389"
#masterPort="389"
masterPort="389"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "0"
ldapTLS="0"
# Use SSL for LDAP
# If set to 1, this option will use SSL for connection
# (standard port for ldaps is 636)
# If not defined, parameter is set to "0"
ldapSSL="0"
# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
#verify="require"
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
#cafile="/etc/smbldap-tools/ca.pem"
# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientcert="/etc/smbldap-tools/smbldap-tools.iallanis.info.pem"
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientkey="/etc/smbldap-tools/smbldap-tools.iallanis.info.key"
# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=dynamite,dc=com"
# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=Users,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"
# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"
# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Default scope Used
scope="sub"
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"
# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
# Default mode used for user homeDirectory
userHomeDirectoryMode="700"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\192.168.1.2\%U"
# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\192.168.1.2\profiles\%U"
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="dynamite.com"
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
# comment out the following line to get rid of the default banner
# no_banner="1"
[root@sambaldap ~]# smbldap-populate
Populating LDAP directory for domain dynamite.com (S-1-5-21-3845255333-1124560154-2737011584)
(using builtin directory structure)
adding new entry dc=dynamite,dc=com
adding new entry ou=Users,dc=dynamite,dc=com
adding new entry ou=Groups,dc=dynamite,dc=com
adding new entry ou=Computers,dc=dynamite,dc=com
adding new entry ou=Idmap,dc=dynamite,dc=com
adding new entry uid=root,ou=Users,dc=dynamite,dc=com
adding new entry uid=nobody,ou=Users,dc=dynamite,dc=com
adding new entry cn=Domain Admins,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Domain Users,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Domain Guests,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Domain Computers,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Administrators,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Account Operators,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Print Operators,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Backup Operators,ou=Groups,dc=dynamite,dc=com
adding new entry cn=Replicators,ou=Groups,dc=dynamite,dc=com
adding new entry sambaDomainName=dynamite.com,dc=dynamite,dc=com
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password: abc123
Retype new password: abc123
[root@sambaldap ~]# vim dsa.ldif
dn: ou=DSA,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: DSA
description: Security Accounts For LDAP Clients
dn: cn=samba,ou=DSA,dc=example,dc=com
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: sambasecretpwd
cn: samba
dn: cn=nssldap,ou=DSA,dc=example,dc=com
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: nssldapsecretpwd
cn: nssldap
dn: cn=smbtools,ou=DSA,dc=example,dc=com
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: smbtoolssecretpwd
cn: smbtools
[root@sambaldap ~]# ldapadd -D "cn=manager,dc=dynamite,dc=com" -x -W -f dsa.ldif
Enter LDAP Password: *******
adding new entry "ou=DSA,dc=dynamite,dc=com"
adding new entry "cn=samba,ou=DSA,dc=dynamite,dc=com"
adding new entry "cn=nssldap,ou=DSA,dc=dynamite,dc=com"
adding new entry "cn=smbtools,ou=DSA,dc=dynamite,dc=com"
[root@sambaldap ~]# ldappasswd -D "cn=manager,dc=dynamite,dc=com" -x -W "cn=samba,ou=DSA,dc=dynamite,dc=com" -s password
Enter LDAP Password: redhat
Result: Success (0)
[root@sambaldap ~]# chkconfig smb on
[root@sambaldap ~]# service smb start
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
[root@sambaldap ~]# smbldap-useradd -a -m -c "Nagoor Vali Shaik" nagoor
[root@sambaldap ~]# smbldap-passwd nagoor
Changing UNIX and samba passwords for nagoor
New password:
Retype new password:
[root@sambaldap ~]# useradd nagoor
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
[root@sambaldap ~]# smbldap-useradd -w winxp$
[root@sambaldap ~]# useradd -d /dev/null -s /bin/false winxp$
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
[root@sambaldap ~]# ldapsearch -D "cn=manager,dc=dynamite,dc=com" -x -b "ou=Users,dc=dynamite,dc=com" -LLL -W
Note : Whenever an account is created with smbldap tools in LDAP, the same account must also be created in local accounts database i.e. /etc/passwd
Join the Windows XP machine to the domain DYNAMITE.COM
On Windows XP Machine Right Click My Computer -> Properties -> Select Computer Name tab -> Click Change -> Select input computer name and select Domain and input dynamite.com -> Click OK -> Provide the domain account credentials
i.e. (UserName: root & Password: abc123)
Login with the other user accounts into DYNAMITE.COM domain and confirm that they are able to access the network resources.