i found this online, and forgot the url where i copied it. so if you are the author or know the original url, please leave it in the commends and i’ll gladly link it.
Hi all,
Hi everyone, after digging over the net and after spending a lot of time trying to understand how things work, I’m proud to present a very quick and super easy tutorial to create a Samba Primary Domain Controller with LDAP integration inside Ubuntu 10.04, both 32bit and 64bit.
In less than 30 minutes you’ll have:
- A fully working PDC for Windows Clients
- Roaming profiles NOT enabled (this is what most of you want)
- Be able to have shared folders automatically mounted when a user logs into the domain
- Tested and fully working with(all flavours): Windows XP, Windows Vista and even Windows 7!
If you do everything exactly like I wrote I guarantee it will work. One single error can compromise everything and you’ll have to restart from the beginning! You have been warned!
General Information before reading:
- In this guide each step will have a number, so if you ever have to ask me a question be sure you point the exact number, I will ignore any posts without the number being explicited.
- Commands you must type start with a “->”.
- The guide presumes you know how to use Nano text editor (or any other text editor from shell like Vim).
- In this guide my default password is always “pwd123″.
Let’s Start.
1)
Install Ubuntu Server 10.04 32Bit or 64Bit Once Ubuntu 10.04 is up, log with root user:
sudo su
From now on I assume you are always root user.
2)
Set a static IP, in this example the NIC card is eth0 and the network is part of 192.168.1.x class.
nano /etc/network/interfaces
auto lo eth0
iface lo inet loopback
iface eth0 inet static
address 192.168.1.10
broadcast 192.168.1.255
netmask 255.255.255.0
gateway 192.168.1.1
3)
/etc/init.d/networking restart
ifconfig
The output should show you the static IP, try pinging a local IP or an internet IP to be sure you are on the net, ex:
ping www.google.it
or try pinging your gateway set before:
ping 192.168.1.1
If you are unsure, reboot your machine to see if “ifconfig” command still shows you the same IP and to be sure you’re still part of the network by pinging as said before.
ONCE YOU FINISHED WITH THIS GUIDE, IF YOU EVER CHANGE YOUR IP BE SURE TO READ SECTION: “TIPS AND TRICKS”, FOUND AT THE END OF THIS GUIDE OR YOUR PDC WILL STOP WORKING.
4)
apt-get update
apt-get dist-upgrade
reboot
sudo su
5)
apt-get install slapd ldap-utils
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
6)
backend.example.com.ldif
Your next step will be to modify this file, the only thing you should care of changing is the password, which is set at line “olcRootPW:”. By default password is “pwd123″.
nano backend.example.com.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=pdc
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=pdc
olcRootPW: pwd123
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=pdc" write by anonymous
auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=pdc" write by * read
7)
From now on, if ldap commands similar to this ask for a password, put password set above in step 6, by default in this guide as said “pwd123″.
ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif
8)
apt-get install samba samba-doc libpam-smbpass smbclient smbldap-tools
9)
Now I’ll make you download my samba configuration file.
wget http://acme-tech.net/blog/http://acme-tech.net/blog/wp-content/uploads/2012/10/smb.conf_.txt
After downloading it, you’ll have to change ONLY two values: “workgroup = “ and “netbios = “.
Workgroup is the name of the Domain. This is the name that you’ll have to enter in a Windows client to make it join the domain. Netbios is instead the name used to browse shared folders, for example in Windows you’ll put “\$netbiosname$shared_folder”.
DO NOT PUT WORKGROUP NAME IDENTICAL TO NETBIOS NAME.
IMPORTANT: carefully decide the NETBIOS name, once you change it YOU CAN’T CHANGE IT AGAIN OTHERWISE IT WILL BREAK EVERYTHING! YOU’VE BEEN WARNED.
Type the following and change the two values.
nano smb.conf
Once you changed the two values type:
cp -rf smb.conf /etc/samba/smb.conf
10)
In the next command it will prompt you to put a password, this must be the same as set before in step 6, by default in this guide “pwd123″
smbpasswd -W
11)
ervice smbd restart
12)
Now you must check that samba is running, it will ask you for a password, just hit Enter.
smbclient -L localhost
It should not give you any errors, instead it must show some stuff and you should see your Workgroup Name set in step 9
13)
mkdir -v /var/lib/samba/profiles
chmod 777 /var/lib/samba/profiles
mkdir -v -p /var/lib/samba/netlogon
chmod 777 /var/lib/samba/netlogon
cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap-> /schema/
gzip -d /etc/ldap/schema/samba.schema.gz
14)
schema_convert.conf
nano schema_convert.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema
15)
mkdir /tmp/ldif_output
slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > /tmp/cn=samba.ldif
16)
Now you’ll have to edit a file, open the file with the following command and read below to understand what must be edited.
nano /tmp/cn\=samba.ldif
At the very top you’ll see:
dn: cn{12}=samba,cn=schema,cn=config
Change it to:
dn: cn=samba,cn=schema,cn=config
Always at the top you’ll see:
cn: {12}samba
Change it to:
cn: samba
At the end of the file you’ll see:
structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z
Delete all those lines, save and close.
17)
Be sure the following command does not give errors:
ldapadd -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -W -f /tmp/cn\=samba.ldif
18)
samba_indexes.ldif
nano samba_indexes.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
19)
Be sure the following does not give any errors.
ldapmodify -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -W -f samba_indexes.ldif
20)
Now thanks to the following command, you’ll finally understand if everything till now went fine. If everything goes fine, it will output a lot of stuff, including at the end strings similar to the ones found in step 18
ldapsearch -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -b cn=config -W olcDatabase={1}hdb
21)
Now that ldap is working perfectly, we must also be sure Samba is working too. The following command MUST not give errors, and it must output something similar to this:
SID for domain DOMAIN is: S-1-5-21-908678672-1104131578-2020688504
So this is the command to type:
net getlocalsid
22)
gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
23)
Next command is crucial to make Samba and Ldap work together. When prompted, press always Enter without inserting anything. There are only two cases where you must type something. When it asks for “Logon Home” and “Logon Path”, put a “.” character. At a certain point, it will ask you for a password two times, once for ldap bind master and then for ldap bind slave. In both cases, you must put the exact same password you put in step 6, by default in this guide “pwd123″. So now you know what to do, this is the command:
perl /usr/share/doc/smbldap-tools/configure.pl
24)
Following command should create some groups, at the end it will ask for a password. As always put password provided in step 6, default of this guide is “pwd123″.
smbldap-populate
25)
/etc/init.d/slapd stop
slapindex
chown openldap:openldap /var/lib/ldap/*
/etc/init.d/slapd start
26)
If everything till now is really working, the next command will make user “root” be a Domain Administrator. In section “Tips and Tricks” you’ll see how to make other users be a Domain admin. THIS COMMAND MUST NOT GIVE ERRORS, otherwise it means LDAP is not working with Samba.
smbldap-groupmod -m 'root' 'Administrators'
27)
In the next command, it will ask you for some stuff. Do not make errors here! When it asks for questions that want a Yes/No reply, just press Enter leaving default.
When it asks for LDAP server Uniform Resource Identifier, leave it as it is “ldapi:///” When it asks for Distinguished name of the search base, put “dc=pdc” When it asks for LDAP account for root, put “cn=admin, dc=pdc” When it asks for LDAP password, put the same set in step 6, default of this guide was “pwd123″
The command is:
apt-get --yes install ldap-auth-client
IMPORTANT: if you do a mistake, you can reconfigure the previous command typing:
dpkg-reconfigure ldap-auth-config
28)
auth-client-config -t nss -p lac_ldap
29)
The following command is used to enable Unix, Ldap and Samba authentication. Be sure all of them are selected with “*” character and press Enter. The command is:
pam-auth-update ldap
30)
The following command should output something similar to this:
Domain Admins:*:512:root
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:root
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
The command is:
getent group
31)
reboot
32)
Good, we’re done. After reboot, let’s check that everything is working by creating a user.
sudo su
If the following command does not give errors, it means Samba and Ldap are both working together, and you should be happy! It will ask for a password, the password is the password you want for the user, in this case for user “user1″:
smbldap-useradd -a -m -P user1
33)
If you reached this step without errors, it means you are ready to make your Windows Clients join the domain.
However for security reasons it’s not a good idea to make your customer know the password of “root” account. At the moment, to make a Windows Client join the domain you’ll have to put user “root” and its password, let’s instead make another user which will be part of the Domain Administrators. We’ll call the user “adminpdc”.
smbldap-useradd -a -m -P adminpdc
smbldap-groupmod -m ' adminpdc' 'Administrators'
smbldap-groupmod -m ' adminpdc' 'Domain Admins'
sudo auth-client-config -t nss -p lac_ldap
Good, now we have user “adminpdc” that is a Domain Administrator but is in no way a possible security danger for your Linux machine, since it’s not part of sudoers. In this way you’ll never have to use account “root” to make a Windows client join the domain or to make changes to the Windows client OS.
Finally, make your Windows Client (xp,vista,7) join the domain! :
- In Windows XP, right click on Computer->Properties and click on Change as seen here: http://www.iaji.net/wp-content/uploa…uter_name3.png
- For Windows Vista and 7 instead, right click on Computer, on the left click on Advanced Settings and then click on “Change” under “Computer Name” Tab.
IMPORTANT ABOUT WINDOWS 7: To make Windows 7 be part of the domain, read below section Tips and Tricks.
- As domain, put the workgroup name you set in step 9
- When it asks for username and password, put “adminpdc” and the password of this user, you set this on step 33. If everything goes well it will say you joined the domain and you must reboot.
That’s all! TIPS AND TRICKS: Create/Delete/Manage Users: To Add: smbldap-useradd -a -m -P user To Delete: smbldap-userdel user To ChangePassword: smbldap-passwd user To add a Domain Administrator:
smbldap-groupmod -m 'user' 'Administrators'
smbldap-groupmod -m 'user' 'Domain Admins'
auth-client-config -t nss -p lac_ldap
If you ever change the static IP of the PDC:
service smbd stop
rm /var/cache/samba/browse.dat
rm /var/cache/samba/login_cache.tdb
rm /var/lib/samba/wins.dat
reboot
To make Windows 7 join the domain:
- Check : https://bugzilla.samba.org/attachmen…88&action=view
To make your PDC automatically map net drives:
apt-get install flip
/var/lib/samba/netlogon/allusers.bat
In this example you’ll have a shared folder for all users, of course you can edit /etc/samba/smb.conf to create specific user shares.
mkdir -p /var/lib/samba/shared/
chmod -R 777 /var/lib/samba/shared/
nano /var/lib/samba/netlogon/allusers.bat
NOTE: change “PSAMBA” with the Netbios name set in step 9. Change drive “m:” to any letter you prefer.
@echo off
net use m: /delete
net use m: "\\PSAMBA\shared"
> flip -m /var/lib/samba/netlogon/allusers.bat