
OpenLDAP + Samba Domain Controller On Ubuntu Server 10.04 LTS (Lucid)

samba domain controller authen ldap


login ( ,) ( ,)
ldap

hostname: eng


( !! )
domain name: eng.lnweng.com
My LDAP: lnweng.com

This translates to a Base DN of: dc=lnweng,dc=com


****

123456 ****
user: eng


123456

Assumptions
Ubuntu Server 10.04 is installed.
os

/etc/apt/sources.list

apt-get update
reboot


apt-get upgrade dist-upgrade

/etc/hostname : eng.lnweng.com
nano /etc/hostname

/etc/hosts 127.0.1.1 : eng eng.lnweng.com


nano /etc/hosts

127.0.1.1
127.0.1.1 eng eng.lnweng.com


set

1 webmin

package ( webmin )
apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl


apt-show-versions libapt-pkg-perl

: libmd5-perl ubuntu 10.04 ( ubuntu 8.04 )

download webmin 1.470 www.webmin.com


Debian package


webmin_1.470_all.deb Desktop

dpkg -i webmin_1.510-2_all.deb

webmin
http://localhost:10000/

localhost:10000 uses an invalid security certificate


toolbar Firefox
Edit -> Preferences

-> Advanced Button -> Encryption Tab ->View Certificates


Servers Tab ->Add Exception

Add Exception

https://localhost:10000 ( address firefox )

Get Certificate
Confirm Security Exception


browser url: http://localhost:10000

Browser cert

cert
browser

case 1. Chromium chrome window


proceed anyway

login webmin

case 2. Firefox


> I understand the risks

> Add Exception


login webmin

login webmin user,password


User:root
Password:123456

username,password root login webmin


enter webmin


webmin

2 openldap

apt-get install slapd ldap-utils migrationtools


Yes

protocol LDAPv2 No

openldap
/etc/init.d/slapd restart

schema file terminal

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif


sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif


sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

ldif file
backend.ldif
nano backend.ldif

copy

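# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
# Must match 'ldap suffix' in smb.conf and the search base given to ldap-auth-client.
olcSuffix: dc=lnweng,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=lnweng,dc=com
# Cleartext as in the original guide. Prefer the {SSHA} hash printed by
# slappasswd, so that neither this file on disk nor cn=config holds the
# admin password in the clear.
olcRootPW: 123456
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
# userPassword: admin may write, anonymous may only bind against it (auth),
# the owner may change it, nobody else can read it.
# Kept on one line: an LDIF continuation must begin with a single space, which
# is stripped on reading, so a wrapped copy would join "by" and "anonymous".
# Once samba.schema is loaded later in this guide, extend this rule to
# attrs=userPassword,sambaLMPassword,sambaNTPassword (via ldapmodify on
# olcAccess): the Samba hashes are password-equivalent for NTLM and the
# final 'to * ... by * read' rule below would otherwise leave them readable
# by anonymous. They cannot be named here yet because slapd rejects an ACL
# that refers to an attribute its loaded schema does not define.
olcAccess: to attrs=userPassword by dn="cn=admin,dc=lnweng,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
# rootDSE readable by everyone (clients need it to discover the server).
olcAccess: to dn.base="" by * read
# Everything else: admin writes, anyone (including anonymous) reads. Anonymous
# read is what the unauthenticated NSS lookups configured later rely on;
# tightening it to 'by users read' would require giving the clients a bind DN.
olcAccess: to * by dn="cn=admin,dc=lnweng,dc=com" write by * read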

: lnweng domain domain



domain

ldif file directory

samba


sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif

samba

apt-get install samba samba-doc libpam-smbpass smbclient smbldap-tools samba-common-bin

samba /etc/samba/
cd /etc/samba/

smb.conf
cp smb.conf smb.conf.original

samba config file : smb.conf

nano smb.conf


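[global]
# Domain (workgroup) name as seen by Windows clients.
workgroup = LNWENG
# Server (NetBIOS) name as seen by Windows PCs.
netbios name = ENG
# Act as the Primary Domain Controller.
domain logons = Yes
domain master = Yes
# Act as the WINS server for the domain.
wins support = true

obey pam restrictions = Yes

dns proxy = No
os level = 35
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
pam password change = Yes

# Password changes made from Windows PCs (Ctrl-Alt-Del) are written to LDAP
# through 'ldap passwd sync'; the Unix password is not synced separately.
unix password sync = no
ldap passwd sync = yes

# Printing from PCs goes via CUPS.
load printers = yes
printing = cups
printcap name = cups

# Use LDAP for Samba user accounts and groups.
passdb backend = ldapsam:ldap://localhost
# This must match the olcSuffix in backend.ldif.
ldap suffix = dc=lnweng,dc=com
# The password for cn=admin is stored in /etc/samba/secrets.tdb; it is set
# with 'sudo smbpasswd -W' (which prompts for it) later in this guide.
ldap admin dn = cn=admin,dc=lnweng,dc=com

# The four OUs Samba uses when creating user, computer, group and idmap
# entries (named 'Users', 'Computers', etc. to match smbldap-tools).
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
# Acceptable only because slapd runs on this same host; with a remote LDAP
# server the admin bind and the password attributes would cross the network
# in the clear.
ldap ssl = no

# Scripts Samba runs when it creates users, groups, etc.
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

# Script Samba runs when a PC joins the domain
# (when changing 'Computer Properties' on the PC).
add machine script = /usr/sbin/smbldap-useradd -w '%u'

# Values used when a new user is created.
# (Note: '%L' does not work properly with smbldap-tools 0.9.4-1)
logon drive =
logon home =
logon path =
# Executed from the [netlogon] share on every domain logon.
logon script = allusers.bat

# Required for Windows XP clients.
server signing = auto
server schannel = Auto

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
# Every domain member runs allusers.bat from this directory at logon, so it
# and its contents must be writable by root only (e.g. mode 0755, root-owned)
# and not the world-writable mode used when the directory is created later in
# this guide; otherwise any local user could alter what every client executes.
path = /var/lib/samba/netlogon
admin users = root
guest ok = Yes
browseable = No
# ('logon script' is a [global] parameter and is set there; repeating it in a
# share section only produces a warning.)

[Profiles]
comment = Roaming Profile Share
# Would probably change this to elsewhere in a production system.
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
browsable = No

[printers]
comment = All Printers
path = /var/spool/samba
use client driver = Yes
create mask = 0600
guest ok = Yes
printable = Yes
browseable = No
public = yes
writable = yes
admin users = root
write list = root

[print$]
comment = Printer Drivers Share
path = /var/lib/samba/printers
write list = root
create mask = 0664
directory mask = 0775
admin users = root

[shared]
# Guest-accessible and writable: anyone who can reach the server can read
# and modify this share.
writeable = yes
path = /var/lib/samba/shared
public = yes
browseable = yes

[archive]
path = /exports/archive
browseable = yes
# Masks are octal; written with the leading 0 for consistency with the
# other sections (Samba reads both forms the same way).
create mask = 0755
directory mask = 0755
read only = no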
( )
4


2 smb.conf


smb.conf copy /etc/samba/


cp smb.conf /etc/samba/

smb.conf list
ls /etc/samba

file smb.conf
cat /etc/samba/smb.conf

password ldap admin samba


smbpasswd -W

restart samba


service smbd restart

samba samba-client
sudo smbclient -L localhost

: root password enter password

: workgroup LNWENG
Master ENG
reboot smbclient -L localhost
( service smbd restart update )

profile netlogon
sudo mkdir -v -m 777 /var/lib/samba/profiles


sudo mkdir -v -p -m 777 /var/lib/samba/netlogon

samba schema ldap server

sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/


sudo gzip -d /etc/ldap/schema/samba.schema.gz

Schema ldif

schema_convert.conf
nano schema_convert.conf

copy
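# slapd.conf-style include list used only by the slapcat command below to
# convert the schema files to LDIF for cn=config. Order matters: the number
# in the generated "cn={N}name" entries is the 0-based position here, so
# samba.schema (13th) comes out as cn={12}samba. Keep samba.schema last,
# since it presumably builds on types from the files before it.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema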

slapcat schema ldif


sudo mkdir /tmp/ldif_output
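# -s restricts the dump to the samba schema entry; {12} is its 0-based
# position in schema_convert.conf (13 includes, samba.schema last). The
# flag lost its leading '-' in the original text.
sudo slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > /tmp/cn=samba.ldif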

Slapcat cn=samba.ldif
cn=samba.ldif

/tmp


dn: cn={12}samba,cn=schema,cn=config
cn: {12}samba


dn: cn=samba,cn=schema,cn=config


cn: samba


schema server

ldapadd -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -W -f /tmp/cn\=samba.ldif


adding new entry "cn=samba,cn=schema,cn=config"

query
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -b cn=config -W
olcDatabase={1}hdb


ldap server
samba

unpack unzip smbldap-tools


sudo gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz

ldap samba

net getlocalsid


SID for domain

perl script

sudo perl /usr/share/doc/smbldap-tools/configure.pl


error script
populate server


sudo smbldap-populate

permission stop,start
sudo chown openldap:openldap /var/lib/ldap/*
sudo /etc/init.d/slapd stop
sudo slapindex
sudo chown openldap:openldap /var/lib/ldap/*
sudo /etc/init.d/slapd start


root domain administrators


sudo smbldap-groupmod -m 'root' 'Administrators'

client authen ldap package


sudo apt-get --yes install ldap-auth-client

LDAP server Uniform Resource Identifier: ldapi://127.0.0.1

Distinguished name of the search base: dc=lnweng,dc=com


LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root: cn=admin,dc=lnweng,dc=com
LDAP root account password: 123456


error

ldap.conf
nano /etc/ldap.conf



# Loopback only: the LDAP server is on this host. 'uri' uses the ldap://
# (TCP) scheme; the ldapi:// value typed at the debconf prompt earlier is the
# Unix-socket scheme and does not take a host address.
host 127.0.0.1
uri ldap://127.0.0.1/

# DN used for root's privileged lookups. NOTE(review): with libnss-ldap/pam_ldap
# the password for this DN is expected in /etc/ldap.secret, which must be
# readable by root only — confirm the ldap-auth-client step created it with
# mode 0600 before relying on it.
rootbinddn cn=admin,dc=lnweng,dc=com
# Fail quickly instead of retrying when slapd is unreachable, so logins and
# boot do not hang (presumably why the guide sets it).
bind_policy soft


/etc/ldap.conf /etc/ldap/ldap.conf
cp /etc/ldap.conf /etc/ldap/ldap.conf

/etc/auth-client-config/profile.d/open_ldap
nano /etc/auth-client-config/profile.d/open_ldap


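[open_ldap]
# NOTE(review): the profile name in brackets must match the -p argument of
# auth-client-config. The command later in this guide uses '-p lac_ldap',
# which presumably selects the profile shipped with the ldap-auth packages,
# not this one — use the same name in both places.
nss_passwd=passwd: compat ldap
nss_group=group: compat ldap
nss_shadow=shadow: compat ldap
# PAM stacks: continuation lines are indented. Local (pam_unix) accounts are
# tried first, then LDAP with the already-typed password; pam_deny closes each
# stack. 'nullok' accepts accounts with an empty password — drop it unless that
# is intended.
pam_auth=auth required pam_env.so
	auth sufficient pam_unix.so likeauth nullok
	auth sufficient pam_ldap.so use_first_pass
	auth required pam_deny.so
pam_account=account sufficient pam_unix.so
	account sufficient pam_ldap.so
	account required pam_deny.so
pam_password=password sufficient pam_unix.so nullok md5 shadow use_authtok
	password sufficient pam_ldap.so use_first_pass
	password required pam_deny.so
# pam_mkhomedir creates the home directory on first login of an LDAP user.
pam_session=session required pam_limits.so
	session required pam_mkhomedir.so skel=/etc/skel/
	session required pam_unix.so
	session optional pam_ldap.so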


/etc/nsswitch.conf

cp /etc/nsswitch.conf /etc/nsswitch.conf.original

/etc/pam.d/
cd /etc/pam.d/
mkdir lnwengbackup


cp * lnwengbackup/

pam name service switch ldap authen


sudo auth-client-config -t nss -p lac_ldap
sudo pam-auth-update ldap

user database
sudo smbldap-useradd -a -m -P eng001

user


ldapsearch -xLLL -b "dc=lnweng,dc=com" uid=eng001


XD

bind (dns server)

ldap dns


apt-get install bind9

O_O!!

dns zone webmin


browser url http://localhost:10000/

login webmin


= eng = 123456


server > BIND server

bind server server refresh module


refresh bind server


server > BIND server bind server

"Existing DNS Zones" "Create master zone"

Create


"Apply configuration"

ip


ifconfig

"Address (0)" at the top.


create address

"Apply configuration" Return to record types

address 0 1 ;D

dns
/etc/resolv.conf
nano /etc/resolv.conf
resolv.conf

resolv.conf


search lnweng.com
nameserver 192.168.158.130


reboot

workstation ldap
workstation

smbldap-useradd -w client-eng01

client windows xp professional


windows xp professional sp2-3
-
client-eng01


- windows


my computer > properties

computer name


change

domain domain

lnweng ok


server login

root 123456 enter


" Welcome to the lnweng domain." ok

ok


yes

ctrl+alt+delete login


option

login workgroup LNWENG = eng001 ,


= 123456

domain server

ok


windows

start eng001 eng001 administrator


share my computer drive ( H: )


perl script

apache2 php5 phpldapadmin


user workstation package



sudo apt-get install apache2 apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common libapache2-mod-php5 libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap php5-common php5-ldap ssl-cert


/etc/php5/apache2/php.ini


nano /etc/php5/apache2/php.ini

memory default =128 200



/etc/apache2/httpd.conf
nano /etc/apache2/httpd.conf

ServerName eng.lnweng.com

apache2
/etc/init.d/apache2 restart

phpldapadmin
wget https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+build/1744905/+files/phpldapadmin_1.2.0.5-1ubuntu1.10.04.1_all.deb


sudo dpkg -i phpldapadmin_1.2.0.5-1ubuntu1.10.04.1_all.deb

soft link

sudo ln -s /usr/share/phpldapadmin /var/www/phpldapadmin

config.php
/etc/phpldapadmin/config.php


$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');


$servers->setValue('login','bind_id','cn=admin,dc=lnweng,dc=com');

apache2
/etc/init.d/apache2 restart

phpldapadmin browser url


http://localhost/phpldapadmin/

login login


login search

domain dc=lnweng


dc=lnweng

uid = eng001, uid = eng uid = eng01

user
: uid $
client-eng01

ubuntu ldap samba domain controller with ldap on


Ubuntu Server 10.04 LTS (Lucid)


http://www.howtoforge.com/openldap-samba-domain-controller-ubuntu7.10
http://ubuntuforums.org/showthread.php?t=640760

http://islandlinux.org/howto/installing-samba-openldap-ubuntu#configure_samba
http://spalinux.com/category/ldap

http://spalinux.com/category/samba
http://www.samba.org

http://www.openldap.org

http://tuxnetworks.blogspot.com/2010/06/howto-phpldapadmin-on-1004-lucid-lynx.html
http://tuxnetworks.blogspot.com/2010/07/howto-samba-ldap-on-1004-lucid-short.html
