Samba4 with LDAP PDC

Samba4 with LDAP

OS: Centos 7

IP : 10.10.10.145

[root@localhost ~]# cat /etc/hosts

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

10.10.10.145 ldap.example.com example.com
### Configure LDAP Server ###
1. yum -y install openldap-servers openldap-clients

2. cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

3. chown ldap. /var/lib/ldap/DB_CONFIG

4. systemctl start slapd

5. systemctl enable slapd

6. slappasswd # copy the result

7. vi chrootpw.ldif

dn: olcDatabase={0}config,cn=config

   changetype: modify
   add: olcRootPW
   olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

In olcRootPW enter the encrypted password obtained from the 6th step.

8. ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

9. for i in /etc/openldap/schema/*.ldif; do ldapadd -Y EXTERNAL -H ldapi:/// -f $i ; done

This is done for adding the schemas into ldap.

slappasswd # copy the result for the next entry olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx step 10

10. vi chdomain.ldif

dn: olcDatabase={1}monitor,cn=config

changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read by dn.base="cn=Manager,dc=example,dc=com" read by * none
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read

11. ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif

vi basedomain.ldif

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example dot Com
dc: Example
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
12. ldapadd -x -D cn=Manager,dc=example,dc=com -W -f basedomain.ldif
13. systemctl start slapd
 systemctl enable slapd
14. ### Configure Client ###
#-- without TLS --#

yum -y install openldap-clients nss-pam-ldapd
authconfig --enableldap --enableldapauth --ldapserver=ldap.example.com --ldapbasedn="dc=example,dc=com" --enablemkhomedir --update

systemctl restart nslcd
systemctl enable nslcd

### Configure SAMBA ###
1. yum -y install samba samba-client

2.  cp /usr/share/doc/samba-4.2.3/LDAP/samba.ldif /etc/openldap/schema/

3.  ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/samba.ldif 

4.  vi samba_indexes.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
5. ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_indexes.ldif
6.systemctl restart slapd
7. ### Configure openldap-tools ###
rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-7.noarch.rpm

8. yum install -y install smbldap-tools

9. cd /etc/samba

10. mv smb.conf smb.conf.bak 

11. vi /etc/samba/smb.conf
[global]
        workgroup = EXAMPLE
        netbios name = ldap
        deadtime = 10
        log level = 1
        log file = /var/log/samba/log.%m
        max log size = 5000
        debug pid = yes
        debug uid = yes
        syslog = 0
        utmp = yes
        security = user
        domain logons = yes
        os level = 64
        logon path =
        logon home =
        logon drive =
        logon script =
        passdb backend = ldapsam:"ldap://ldap.example.com/"
        ldap ssl = no
        ldap admin dn = cn=Manager,dc=example,dc=com
        ldap delete dn = no
        ldap password sync = yes
        ldap suffix = dc=example,dc=com
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Idmap
        add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
        rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
        delete user script = /usr/sbin/smbldap-userdel '%u'
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        add group script = /usr/sbin/smbldap-groupadd -p '%g'
        delete group script = /usr/sbin/smbldap-groupdel '%g'
        add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
        delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
        add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1
        admin users = domainadmin
[NETLOGON]
        path = /var/lib/samba/netlogon
        browseable = no
        share modes = no
[PROFILES]
        path = /var/lib/samba/profiles
        browseable = no
        writeable = yes
        create mask = 0611
        directory mask = 0700
        profile acls = yes
        csc policy = disable
        map system = yes
        map hidden = yes
[homes]
        comment = Home Directories
        browseable = no
        writable = yes
12. mkdir /var/lib/samba/{netlogon,profiles}
13. smbpasswd -W    # type the password of ldap manager twice
 systemctl start nmb
 systemctl start smb
 systemctl enable nmb
 systemctl enable smb
 
14. smbldap-config
# Answer all the question down to the way
#  press ctrl-c and reload the command if you made a mistake
smbldap-populate
smbldap-groupadd -a domainadmin 
smbldap-useradd -am -g domainadmin domainadmin 
smbldap-passwd domainadmin 

Then setup DNS by following the steps provided in the URL and setup the resolv.conf for answering the query of example.com

http://websistent.com/setup-linux-dns-server-for-windows-active-directory/

 

On Windows

 

### Windows client modification ###
# Edit a text file named ‘sambafix.reg’

 

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000

 

15. Double click the file to import the registry.

 

16. Add host entry in windows [c:\windows\system32\drivers\etc\hosts] for example.com

Also specify the DNS server as the Linux PDC server IP by changing the adapter settings in network and sharing center.

Verify the connectivity by pinging the servers each other . [Disable Windows Firewall if required]

17. Reboot and join the ‘EXAMPLE’ domain using domainadmin or root account.

>> Right-click ‘My Computer’ icon and choose ‘Properties’

>> From the left-side pane click ‘Advanced system settings’

>> Choose the ‘Computer Name’ tab and click ‘Change…’

>> Select option ‘Domain’, and insert EXAMPLE.

 

Note that if There are currently no logon servers available to service the logon request. Error occurs while logging in after you have joined the DOMAIN. Please add the following line in /etc/smb.conf in linux PDC.

 

server max protocol = NT1

And restart SAMBA service so that login should work successfully.




References:

 

https://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains

http://phorum.study-area.org/index.php?topic=71604.0

http://www.serverlab.ca/tutorials/linux/network-services/using-linux-bind-dns-servers-for-active-directory-domains/

http://websistent.com/setup-linux-dns-server-for-windows-active-directory/

http://linuxgateway.in/samba-4-active-directory-domain-controller-0n-centos-6-x/

 

 

Advertisements