1. Samba Primary and Backup Domain-Controller LDAP Integration
I was recently given the opportunity to set up Samba 3 with LDAP to provide domain controller service to an organization. The organization has two offices connected by a VPN, which gets pretty slow at times. They were using Samba 2.2 at the headquarters as a Primary Domain Controller and using WINS to connect their remote office with headquarters over the VPN. They wanted to incorporate a new server at the remote office... more to come
1.1. Install Software
You'll need:
- Samba 3 (preferably 3.0.2a: 3.0.1 fixed some issues in 3.0.0 but introduced more; 3.0.2rc1 fixed a number of problems and 3.0.2a should be good)
- OpenLDAP (2.0 or later; at least a late 2.0 release)
- smbldap-tools (distributed with Samba, but not installed by default)
- Webmin (1.100 and later have "LDAP Users and Groups")
- Perl modules, where the dependency fun never stops!
  - Net::LDAP
  - Convert::ASN1
  - More stuff probably (TODO)
1.2. Configure OpenLDAP master server
1.2.1. Configure basic ''slapd.conf''
- Set suffix
- Make rootdn correspond to suffix
- Generate a rootpw by running slappasswd, then copy & paste the hash into the config file:
  # slappasswd
  New password:
  Re-enter new password:
  {SSHA}oJZlXxLs/xiAU+hJT3h2oRT3f1Wmq56q
- Add LDAP indices:
  index objectClass,uid,uidNumber,gidNumber,memberUid eq
  index cn,mail,surname,givenname eq,subinitial
  index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
- Add the Samba schema:
  include /etc/openldap/schema/samba.schema
- The final product should look something like this (but with comments):
  include /etc/openldap/schema/core.schema
  include /etc/openldap/schema/cosine.schema
  include /etc/openldap/schema/inetorgperson.schema
  include /etc/openldap/schema/nis.schema
  include /etc/openldap/schema/redhat/autofs.schema
  include /etc/openldap/schema/redhat/kerberosobject.schema
  include /etc/openldap/schema/samba.schema
  database ldbm
  suffix "dc=example,dc=com"
  rootdn "cn=Manager,dc=example,dc=com"
  rootpw {SSHA}oJZlXxLs/xiAU+hJT3h2oRT3f1Wmq56q
  directory /var/lib/ldap
  index objectClass,uid,uidNumber,gidNumber,memberUid eq
  index cn,mail,surname,givenname eq,subinitial
  index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
1.2.2. Create skeleton directory tree
Save the following example to a file called samba-skel.ldif, and substitute your domain name for dc=example,dc=com.
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Group

dn: ou=Computers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Machines

dn: cn=SambaAdministrator,dc=example,dc=com
userPassword: test
objectClass: top
objectClass: simpleSecurityObject
Now use the slapadd command to add the initial structures to your directory, and fix ownership of the database files afterwards:
# slapadd -l samba-skel.ldif
# chown ldap:ldap /var/lib/ldap/*
1.3. Configure Samba primary domain controller
1.3.1. Configure basic ''smb.conf''
Create an smb.conf based on this example:
[global]
workgroup = EXAMPLE
server string = Samba Server
; Domain Controller Requirements
security = user
domain master = yes
domain logons = yes
local master = yes
preferred master = yes
os level = 33
; LDAP Settings
passdb backend = ldapsam:ldap://localhost
ldap suffix = dc=example,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap admin dn = cn=SambaAdministrator,dc=example,dc=com
ldap passwd sync = yes
ldap delete dn = yes
passwd program = /usr/local/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
delete user script = /usr/local/sbin/smbldap-userdel "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
1.3.2. Add samba admin entry to ''secrets.tdb''
Use the smbpasswd command to set the password for the Samba LDAP Administrator:
# smbpasswd -w abc123
Setting stored password for "cn=SambaAdministrator,dc=example,dc=com" in secrets.tdb
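Before running slapadd and starting Samba, a practitioner would want to cross-check the skeleton LDIF against the `ldap ... suffix` settings in smb.conf. The script below is an added example, not part of the original article: it works on constructed copies of the two files above (objectClass lines dropped), and reports suffixes with no matching entry as well as entries whose RDN value is absent from their own attributes, which slapadd rejects as a missing naming attribute.

```python
import re

# Constructed sample input from the article's skeleton LDIF and smb.conf
# (objectClass lines dropped); this is an added example, not the article's code.
SKEL_LDIF = """\
dn: dc=example,dc=com
dc: example

dn: ou=People,dc=example,dc=com
ou: People

dn: ou=Computers,dc=example,dc=com
ou: Machines
"""
SMB_CONF = """\
ldap suffix = dc=example,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
"""

def parse_ldif(text):
    """Map lower-cased DN -> {attr: [values]} for a simple, unfolded LDIF."""
    entries, cur = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if not attr:
            cur = None  # blank line ends the current entry
        elif attr == "dn":
            cur = entries.setdefault(value.lower(), {})
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    return entries

def ldap_suffixes(conf):
    """Collect the 'ldap ... suffix' settings of smb.conf as {name: value}."""
    pat = r"^\s*(ldap [\w ]*suffix)\s*=\s*(.+?)\s*$"
    return dict(m.groups() for m in re.finditer(pat, conf, re.M))

def check(conf, ldif):
    """Return problems that would make slapadd or Samba's ldapsam fail."""
    entries, suffixes = parse_ldif(ldif), ldap_suffixes(conf)
    base, problems = suffixes.get("ldap suffix", ""), []
    for name, value in suffixes.items():  # every Samba suffix must exist
        dn = value if name == "ldap suffix" else f"{value},{base}"
        if dn.lower() not in entries:
            problems.append(f"{name}: no entry {dn} in LDIF")
    for dn, attrs in entries.items():  # RDN value must be an attribute of the entry
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        if rdn_val not in (v.lower() for v in attrs.get(rdn_attr, [])):
            problems.append(f"{dn}: naming attribute {rdn_attr}={rdn_val} missing")
    return problems
```

Run `check(SMB_CONF, SKEL_LDIF)` against your own files before slapadd; an empty list means the two configurations agree.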
1.4. Configure smbldap-tools
1.5. Add Basic Data to LDAP
1.5.1. Create a test entry
1.5.2. Create well-known domain groups
1.6. Test with client workstation
1.7. Set up OpenLDAP slave server
1.8. Set up Samba backup domain controller
1.9. Install Webmin
1.9.1. Add users with ''LDAP users and groups'' module
Note that there's an obvious error above. Can you find it?
