NamHB's Blog

LDAP SAMBA to Primary Domain Controller - Part 2

Nam Ha Bach's photo
Nam Ha Bach
·

3 min read

------------------------------------------------------------------------------------

Samba config:

#vim /etc/samba/smb.conf

[global]
workgroup = hbn.local
netbios name = HBN
enable privileges = yes

#interfaces = 192.168.1.131
username map = /etc/samba/smbusers

server string = samba-ldap-pdc
security = user
encrypt passwords = Yes
admin users = root

#min passwd length = 3
obey pam restrictions = No

ldap passwd sync = Yes

log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000

#time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1

#guest account = root

logon script = logon.bat
logon drive =
logon home =
logon path =

domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes

passdb backend = ldapsam:ldap://127.0.0.1

ldap admin dn = cn=Manager,dc=hbn,dc=local

ldap suffix = dc=hbn,dc=local
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000

#ldap ssl = start_tls
add user script = /usr/sbin/smbldap-useradd -a '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u''%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'

#logon script = STARTUP.BAT

[homes]

comment = Home Directories
valid users = %U
read only = No
create mask = 0664
directory mask = 0775
browseable = No

[profiles]

path = /home/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = Yes
csc policy = disable
force user = %U
valid users = %U @"Domain Admins"

[netlogon]
path = /home/samba/netlogon/
browseable = No
read only = yes

save and quit
------------------------------------------------------------------------------
# mkdir /home/samba
# mkdir /home/samba/netlogon
# mkdir /home/samba/profiles
# chmod 1777 /home/samba/profiles

#smbpasswd -w 123456
Setting stored password for "cn=Manager,dc=hbn,dc=local" in secrets.tdb

# smbldap-populate
Populating LDAP directory for domain hbn.local (S-1-5-21-3926925045-1584093657-3115473201)
(using builtin directory structure)

adding new entry: dc=hbn,dc=local
adding new entry: ou=Users,dc=hbn,dc=local
adding new entry: ou=Groups,dc=hbn,dc=local
adding new entry: ou=Computers,dc=hbn,dc=local
adding new entry: ou=Idmap,dc=hbn,dc=local
adding new entry: uid=root,ou=Users,dc=hbn,dc=local
adding new entry: uid=nobody,ou=Users,dc=hbn,dc=local
adding new entry: cn=Domain Admins,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Domain Users,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Domain Guests,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Domain Computers,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Administrators,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Account Operators,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Print Operators,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Backup Operators,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Replicators,ou=Groups,dc=hbn,dc=local
adding new entry: sambaDomainName=hbn.local,dc=hbn,dc=local

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:

# vim dsa.ldif
dn: ou=DSA,dc=hbn,dc=local
objectClass: top
objectClass: organizationalUnit
ou: DSA
description: security accounts for LDAP clients

dn: cn=samba,ou=DSA,dc=hbn,dc=local
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: sambasecretpwd
cn: samba

dn: cn=nssldap,ou=DSA,dc=hbn,dc=local
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: nssldapsecretpwd
cn: nssldap

dn: cn=smbtools,ou=DSA,dc=hbn,dc=local
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: smbtoolssecretpwd
cn: smbtools

# ldapadd -x -h localhost -D "cn=Manager,dc=hbn,dc=local" -f dsa.ldif -W
Enter LDAP Password:
adding new entry "ou=DSA,dc=hbn,dc=local"

adding new entry "cn=samba,ou=DSA,dc=hbn,dc=local"

adding new entry "cn=nssldap,ou=DSA,dc=hbn,dc=local"

adding new entry "cn=smbtools,ou=DSA,dc=hbn,dc=local"

#ldappasswd -x -h localhost -D "cn=Manager,dc=hbn,dc=local" -s password -W cn=samba,ou=DSA,dc=hbn,dc=local

# /etc/init.d/smb start
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]

Now create a samba user account for UNIX and SAMBA

# smbldap-useradd -a -m namhb
# smbldap-passwd namhb
Changing UNIX and samba passwords for namhb
New password:
Retype new password:

Now create a machine trust account
# smbldap-useradd -w winxp

Finish, join domain and test:
Demo:

Or:
http://www.mediafire.com/?qx982a5igkv51m5
------------------------------------------------------------
Thanks for reading
--------------------------------------------------------------------------
All my Lab:
Linux Lab -- window and Cisco Lab
to be continued - I will update more.

Nam Habach