

Build a Samba PDC with LDAP backend
Updated: 12/20/2008
General Information
Build a Samba PDC on FreeBSD with an LDAP backend. The result is a plain Samba domain controller for your Windows clients; it does not make the LDAP accounts usable for SSH or other UNIX logins on the server.
Requirements
Shell access is assumed. You should perform the following as root.
Installation
First we are going to install all the required ports, so make sure your ports tree is up to date.
The name of the server is serv01
The domain name is smbdomain.local
So the FQDN is serv01.smbdomain.local
Thus my /etc/hosts file looks like this
::1 localhost localhost.smbdomain.local
127.0.0.1 localhost localhost.smbdomain.local
192.168.50.195 serv01.smbdomain.local serv01
192.168.50.195 serv01.smbdomain.local.
We need to install the following ports:
1. net/openldap24-server
2. net/samba3 (should work with net/samba32-devel also)
3. net/nss_ldap
4. net/smbldap-tools
Openldap backend server
You can accept the default selected options
# cd /usr/ports/net/openldap24-server
# make install clean
Samba
# cd /usr/ports/net/samba3
# make install clean
Select the settings below
+--------------------------------------------------------------------+
| Options for samba 3.0.32_1,1 |
| +----------------------------------------------------------------+ |
| | [X] LDAP With LDAP support | |
| | [X] ADS With Active Directory support | |
| | [X] CUPS With CUPS printing support | |
| | [X] WINBIND With WinBIND support | |
| | [X] ACL_SUPPORT With ACL support | |
| | [X] AIO_SUPPORT With Asyncronous IO support | |
| | [ ] FAM_SUPPORT With File Alteration Monitor | |
| | [X] SYSLOG With Syslog support | |
| | [X] QUOTAS With Disk quota support | |
| | [X] UTMP With UTMP accounting support | |
| | [ ] PAM_SMBPASS With PAM authentication vs passdb backends | |
| | [ ] CLUSTER With experimental cluster support | |
| | [ ] DNSUPDATE With dynamic DNS update(require ADS) | |
| | [ ] EXP_MODULES With experimental modules | |
| | [X] POPT With system-wide POPT library | |
| | [X] PCH With precompiled headers optimization | |
| | [ ] MAX_DEBUG With maximum debugging | |
| | [ ] SMBTORTURE With smbtorture | |
+-+----------------------------------------------------------------+-+
| [ OK ] Cancel |
+--------------------------------------------------------------------+
Install nss_ldap
# cd /usr/ports/net/nss_ldap/
# make install clean
Install smbldap-tools
# cd /usr/ports/net/smbldap-tools
# make install clean
Configuration
Prepare the openldap config file (/usr/local/etc/openldap/slapd.conf)
First we need to create a password hash for the openldap rootdn
# slappasswd -s very-secure-password
{SSHA}2pCGrVMhMh3cC+LakUXApebb9jwICf5e
Note: Copy the output!!
Be aware that the -s form puts the cleartext password on the command line, where it lands in the shell history and is visible in ps output while the command runs. Running slappasswd without -s prompts for the password instead and produces the same kind of salted SHA-1 hash.
Open the /usr/local/etc/openldap/slapd.conf file and make sure it looks like the following. Note that this file contains no access directives, so slapd applies its default of read access for everyone: every attribute, including the sambaNTPassword and sambaLMPassword hashes that ldapsam will store, is readable by anonymous clients. Add access rules for those attributes before the server is reachable from the network.
# vi /usr/local/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/samba.schema
loglevel 256
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=smbdomain,dc=local"
rootdn "cn=Manager,dc=smbdomain,dc=local"
#rootpw = very-secure-password
rootpw {SSHA}2pCGrVMhMh3cC+LakUXApebb9jwICf5e
directory /usr/local/var/db/openldap-data
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
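Added example, not part of the original guide: an access-control fragment for the slapd.conf above, plus a small sh check that tells you whether an anonymous search still returns password hashes. The Manager DN and suffix are the guide's; the rule set, the sample LDIF and the function names are this example's own assumptions. cn=Manager is the rootdn and bypasses ACLs anyway, so the explicit rule mainly documents intent and keeps working if you later switch Samba and smbldap-tools to a dedicated, non-root admin DN.

```shell
#!/bin/sh
# Added example (not from the original guide).  With no "access to" lines,
# slapd defaults to "access to * by * read": sambaNTPassword and
# sambaLMPassword, which are password-equivalent for SMB, are readable by
# anyone who can reach port 389.  This fragment closes that; the audit
# function below reads ldapsearch output and counts leaked hash attributes.

# Print the ACL fragment.  Put it in the "database bdb" section of
# slapd.conf (after the "directory" line), e.g.:
#   slapd_acl_fragment > /tmp/acl && vi /usr/local/etc/openldap/slapd.conf
# then check the syntax with:  slaptest -u -f /usr/local/etc/openldap/slapd.conf
slapd_acl_fragment() {
    cat <<'EOF'
# Password hashes: the Samba admin DN may write them, a user may change their
# own, everyone else may only bind (auth) against them, nobody else reads.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="cn=Manager,dc=smbdomain,dc=local" write
        by self write
        by anonymous auth
        by * none
# Everything else stays readable so that nss_ldap's anonymous lookups of
# uid, uidNumber and gidNumber keep working.
access to *
        by dn="cn=Manager,dc=smbdomain,dc=local" write
        by * read
EOF
}

# Count password-hash attributes in LDIF read from stdin.  Base64 values use
# "::", so both "attr: " and "attr:: " are matched.  Usage on the server:
#   ldapsearch -x -LLL -H ldap://127.0.0.1/ -b dc=smbdomain,dc=local \
#       '(objectClass=sambaSamAccount)' | leaked_hash_count
# 0 is the expected result once the ACL is active; -x without -D binds
# anonymously, which is exactly the view an attacker on the LAN gets.
leaked_hash_count() {
    awk 'BEGIN { n = 0 }
         /^(userPassword|sambaLMPassword|sambaNTPassword)::? / { n++ }
         END { print n }'
}

# Constructed sample (made-up values, not hashes from any real system) of
# what the anonymous search returns before the ACL is in place.
SAMPLE_LEAKY_LDIF='dn: uid=root,ou=People,dc=smbdomain,dc=local
uid: root
uidNumber: 0
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaLMPassword: FEDCBA9876543210FEDCBA9876543210
userPassword:: e1NTSEF9c2FtcGxlLW5vdC1hLXJlYWwtaGFzaA==

dn: uid=nobody,ou=People,dc=smbdomain,dc=local
uid: nobody
uidNumber: 65534
'

# The same two entries as the ACL makes them look to an anonymous client.
SAMPLE_CLEAN_LDIF='dn: uid=root,ou=People,dc=smbdomain,dc=local
uid: root
uidNumber: 0

dn: uid=nobody,ou=People,dc=smbdomain,dc=local
uid: nobody
uidNumber: 65534
'

# Demonstration: 3 leaked attributes before the ACL, 0 after.
printf '%s' "$SAMPLE_LEAKY_LDIF" | leaked_hash_count
printf '%s' "$SAMPLE_CLEAN_LDIF" | leaked_hash_count
```

Run the ldapsearch pipeline from another host on the LAN as well as from the server itself: with ldap://0.0.0.0/ in slapd_flags the directory answers on every interface, and the count must be 0 from both places.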
Now we need to create and copy some files. First we create the database directory of openldap, /usr/local/var/db/openldap-data in this case. If you want another location, change the directory directive in slapd.conf. We also set restrictive permissions on the openldap directory and files, since slapd.conf holds the rootpw hash.
# mkdir -p /usr/local/var/db/openldap-data
# cp /usr/local/etc/openldap/DB_CONFIG.example /usr/local/var/db/openldap-data/DB_CONFIG
# chown -R ldap:ldap /usr/local/var/db/openldap-data
# chown -R ldap:ldap /usr/local/etc/openldap/
# chmod -R 0700 /usr/local/var/db/openldap-data
# chmod 0400 /usr/local/etc/openldap/slapd.conf
Also we need to copy the samba schema to the final directory.
# cp /usr/local/share/examples/samba/LDAP/samba.schema /usr/local/etc/openldap/schema/
Then we want to make sure slapd logs to syslog. Add these lines to /etc/syslog.conf
# vi /etc/syslog.conf
!slapd
*.* /var/log/slapd.log
Now we create the log file and restart the syslog daemon
# touch /var/log/slapd.log
# /etc/rc.d/syslogd restart
nss_ldap.conf
Make sure the file /usr/local/etc/nss_ldap.conf looks like the following
# vi /usr/local/etc/nss_ldap.conf
base dc=smbdomain,dc=local
bind_policy soft
bind_timelimit 10
host localhost
idle_timelimit 3600
ldap_version 3
nss_base_group ou=Groups,dc=smbdomain,dc=local?one
nss_base_passwd ou=People,dc=smbdomain,dc=local?one
nss_base_passwd ou=Computers,dc=smbdomain,dc=local?one
nss_base_shadow ou=People,dc=smbdomain,dc=local?one
nss_connect_policy persist
nss_paged_results yes
pagesize 1000
port 389
scope one
timelimit 30
Now we link /usr/local/etc/nss_ldap.conf to /usr/local/etc/openldap/ldap.conf and to /usr/local/etc/ldap.conf
# rm -f /usr/local/etc/openldap/ldap.conf
# ln -s /usr/local/etc/nss_ldap.conf /usr/local/etc/openldap/ldap.conf
# ln -s /usr/local/etc/nss_ldap.conf /usr/local/etc/ldap.conf
To make sure the slapd daemon (the openldap server) starts at boot we need to add it to /etc/rc.conf. The quoting matters: the shell strips the outer quotes before echo sees them, so the slapd_flags value is wrapped in double quotes with the inner quotes escaped. Check the resulting lines in /etc/rc.conf afterwards.
# echo '#enable slapd' >> /etc/rc.conf
# echo 'slapd_enable="YES"' >> /etc/rc.conf
# echo "slapd_flags='-h \"ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/ ldap://127.0.0.1/\"'" >> /etc/rc.conf
# echo 'slapd_sockets="/var/run/openldap/ldapi"' >> /etc/rc.conf
/etc/rc.conf must now contain these lines exactly:
slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/ ldap://127.0.0.1/"'
slapd_sockets="/var/run/openldap/ldapi"
ldap://0.0.0.0/ makes slapd listen on every interface, without TLS. Every LDAP client in this guide (Samba, nss_ldap, smbldap-tools) runs on this host, so ldapi:// and ldap://127.0.0.1/ are sufficient; keep the 0.0.0.0 listener only if another machine must query the directory, and then protect port 389 with access rules and a firewall.
And we try to start it!
# /usr/local/etc/rc.d/slapd start
Starting slapd.
# ps ax | grep slap
11383 ?? Ss 0:00,01 /usr/local/libexec/slapd -h ldapi://%2fvar
11385 p2 S+ 0:00,00 grep slap
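The rc.conf step above is where readers of this guide ran into trouble: an echo whose value is wrapped only in single quotes loses those quotes before anything is written, and slapd then starts without its -h flags. The following sh helper is an added example, not code from the original guide; it writes any NAME='VALUE' line with correct quoting, whatever the value contains, and checks the result by sourcing the file the way rc(8) does. It assumes /etc/rc.conf as the real target (the demonstration uses a temporary file); the function names are this example's own and the URL list is the guide's.

```shell
#!/bin/sh
# Added example (not from the original guide): write rc.conf variables with
# quoting that survives values containing spaces and double quotes, and prove
# it by reading the file back the way /etc/rc does.
#
# The pitfall:  echo slapd_flags='-h "ldapi://..."' >> /etc/rc.conf
# The shell removes the outer single quotes before echo runs, so the file
# receives   slapd_flags=-h "ldapi://...   and when rc(8) sources it,
# "ldapi://..." is executed as a command ("not found") and slapd starts
# without -h, i.e. without the ldapi socket Samba and the tools expect.

# rc_set NAME VALUE FILE
# Appends  NAME='VALUE'  with every single quote inside VALUE written as '\''
# (the only escape sh allows inside single quotes).  FILE is /etc/rc.conf on
# the real server (an assumption of the usage); the demo uses a temp file.
rc_set() {
    name=$1; value=$2; file=$3
    escaped=$(printf '%s' "$value" | sed "s/'/'\\\\''/g")
    printf "%s='%s'\n" "$name" "$escaped" >> "$file"
}

# rc_get NAME FILE
# Sources FILE in a subshell, exactly as rc(8) does, and prints NAME's value.
# Comparing this with what you passed to rc_set is the round-trip check.
rc_get() {
    name=$1; file=$2
    ( . "$file" && eval "printf '%s' \"\$$name\"" )
}

# The guide's listener list.
SLAPD_URLS='ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/ ldap://127.0.0.1/'

# Demonstration against a temporary file; on the server pass /etc/rc.conf.
demo_rc() {
    f=$(mktemp) || return 1
    rc_set slapd_enable  YES "$f"
    rc_set slapd_flags   "-h \"$SLAPD_URLS\"" "$f"
    rc_set slapd_sockets /var/run/openldap/ldapi "$f"
    echo "--- lines written:"
    cat "$f"
    echo "--- slapd_flags as rc(8) sees it:"
    rc_get slapd_flags "$f"; echo
    rm -f "$f"
}

demo_rc
```

After writing the real /etc/rc.conf, run the rc_get check against it before starting slapd: the "not found" message from /usr/local/etc/rc.d/slapd is the symptom of the unquoted form, and by then slapd is already running without its socket.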
/etc/nsswitch.conf
Edit /etc/nsswitch.conf and change compat to files ldap on the group: and passwd: lines. After editing, the file looks like this
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
Samba
All my shares and other Samba-related files, such as the username map, live under /usr/local/samba. So first we create that directory
# mkdir /usr/local/samba
We also create a username map file named usermap, which maps the Windows administrator account onto root
# vi /usr/local/samba/usermap
root = administrator
To create the following /usr/local/etc/smb.conf you must remove or empty the original one. Replace fxp0 with your own network interface, or comment out the interfaces = and bind interfaces only = lines. Two things to be aware of in this file: logon path is set twice, and Samba takes the last value, so the empty second line disables roaming profiles (delete it if you want profiles stored in the [Profiles] share). And ldap ssl = off means Samba binds to the directory as cn=Manager without encryption; that is acceptable only because the server in the LDAP URLs is this same host. If the directory ever moves to another machine, enable ldap ssl or keep the URLs pointing at the local host.
# rm /usr/local/etc/smb.conf
# vi /usr/local/etc/smb.conf
# Global parameters
[global]
workgroup = SMBDOMAIN
server string = Samba Server
netbios name = serv01
hosts allow = 192.168.50. 127. 10.0.1.
interfaces = fxp0, lo
bind interfaces only = Yes
# passwd backend
encrypt passwords = yes
passdb backend = ldapsam:ldap://serv01.smbdomain.local/
enable privileges = yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
# Log options
log level = 1
log file = /var/log/samba/%m
max log size = 50
syslog = 0
# Name resolution
name resolve order = wins bcast host
# misc
timeserver = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
use sendfile = yes
veto files = /*.eml/*.nws/*.{*}/
veto oplock files = /*.doc/*.xls/*.mdb/
deadtime = 120
# Dos-Attribute
map hidden = No
map system = No
map archive = No
map read only = No
store dos attributes = Yes
# printers - configured to use CUPS and automatically load them
load printers = Yes
printcap name = CUPS
printing = cups
cups options = Raw
show add printer wizard = No
# scripts invoked by samba
add user script = /usr/local/sbin/smbldap-useradd -m %u
delete user script = /usr/local/sbin/smbldap-userdel %u
add group script = /usr/local/sbin/smbldap-groupadd -p %g
delete group script = /usr/local/sbin/smbldap-groupdel %g
add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u
add machine script = /usr/local/sbin/smbldap-useradd -w %m
# LDAP configuration
ldap delete dn = Yes
ldap ssl = off
ldap passwd sync = Yes
ldap suffix = dc=smbdomain,dc=local
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=smbdomain,dc=local
idmap backend = ldap:ldap://serv01.smbdomain.local
# winbind allocates IDs from this range for SIDs that have no entry in the
# directory (BUILTIN groups, trusted domains). It must not overlap the
# uidNumber/gidNumber range that smbldap-tools hands out to domain accounts;
# smbldap-populate is run with -u 10000 -g 10000 below, so pick a range that
# does not collide with it (for example 30000-40000).
idmap uid = 10000-20000
idmap gid = 10000-20000
# logon options
logon script = logon.bat
logon path = \\%L\profiles\%u
logon path =
logon home = \\%L\%U
logon drive = H:
# setting up as domain controller
username map = /usr/local/samba/usermap
preferred master = Yes
wins support = Yes
domain logons = Yes
domain master = Yes
local master = Yes
os level = 64
map acl inherit = Yes
unix charset = UTF8
#============================ Share Definitions ==============================
[netlogon]
comment = Network Logon Service
path = /usr/local/samba/netlogon
guest ok = yes
locking = no
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[Profiles]
comment = Network Profiles Service
path = /usr/local/samba/profiles
read only = No
profile acls = Yes
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
[printers]
comment = All Printers
path = /var/spool/samba
browseable = No
guest ok = Yes
printable = Yes
use client driver = Yes
default devmode = Yes
[print$]
comment = Printer Drivers
path = /usr/local/samba/printer-drivers
browseable = yes
guest ok = no
read only = yes
write list = root
[data]
comment = Data Directory
path = /usr/local/samba/data
write list = @smbdomain
read only = No
create mask = 0777
directory mask = 0777
Create the directories netlogon, profiles and printer-drivers and the data share under /usr/local/samba, matching the path = lines above, and give them proper permissions. The profiles directory must be writable by every domain user, so give it the sticky bit (mode 1777) rather than plain 777: users can then create their own profile directory but cannot rename or delete each other's. Note also that the [data] share's create mask = 0777 makes every file world-writable on the filesystem; 0664 with directory mask = 0775 is the usual choice when access is controlled through write list.
# mkdir /usr/local/samba/netlogon
# mkdir /usr/local/samba/profiles
# mkdir /usr/local/samba/printer-drivers
# mkdir /usr/local/samba/data
# chmod 1777 /usr/local/samba/profiles
Check the smb.conf file by doing a testparm
# testparm /usr/local/etc/smb.conf
You should see the following without errors
Load smb config files from /usr/local/etc/smb.conf
Processing section "[netlogon]"
Processing section "[homes]"
Processing section "[Profiles]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[data]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
We need to store the LDAP admin password in Samba's secrets.tdb. First we stop the openldap server; it is started again later, before the directory is populated.
# /usr/local/etc/rc.d/slapd stop
Stopping slapd.
Waiting for PIDS: 49851.
# smbpasswd -w very-secure-password
Setting stored password for "cn=Manager,dc=smbdomain,dc=local" in secrets.tdb
As with slappasswd above, the password is passed on the command line and is visible in the shell history and in ps while smbpasswd runs. secrets.tdb now holds that password in clear, so it must stay readable by root only.
Make sure samba can start and will restart after a reboot
# echo '#enable Samba' >> /etc/rc.conf
# echo 'nmbd_enable="YES"' >> /etc/rc.conf
# echo 'smbd_enable="YES"' >> /etc/rc.conf
# echo 'winbindd_enable="YES"' >> /etc/rc.conf
# echo 'cupsd_enable="YES"' >> /etc/rc.conf
Now we start samba
# /usr/local/etc/rc.d/samba start
Removing stale Samba tdb files: ....... done
Starting nmbd.
Starting smbd.
Starting winbindd.
Test if samba has started (grep for mbd to catch both nmbd and smbd).
# ps -ax | grep mbd
1093 ?? Ss 0:00.03 /usr/local/sbin/nmbd -D -s /usr/local/etc/smb.conf
1095 ?? I 0:00.00 /usr/local/sbin/nmbd -D -s /usr/local/etc/smb.conf
1100 ?? Ss 0:00.01 /usr/local/sbin/smbd -D -s /usr/local/etc/smb.conf
To make sure samba starts after the ldap server we need to edit the startup script of samba: put slapd after cupsd on the second line starting with # REQUIRE:
# vi /usr/local/etc/rc.d/samba
The rcorder header of the script then reads:
# PROVIDE: nmbd smbd
# PROVIDE: winbindd
# REQUIRE: NETWORKING SERVERS DAEMON ldconfig resolv
# REQUIRE: cupsd slapd
# BEFORE: LOGIN
# KEYWORD: shutdown
smbldap-tools
When you run the script you must answer a few questions. I put [HIT ENTER] after the lines that need no change and [<--- NEEDS CHANGE] behind the others.
After the question ldap tls support (1/0) [0] there is a short pause while the script fetches the domain SID; this can take a few seconds. Note that the password validation time of 100000 days set below effectively disables password expiry for all domain accounts; if your password policy requires expiry, enter a value that matches it instead.
# /usr/local/share/examples/smbldap-tools/configure.pl
Use of $# is deprecated at /usr/local/share/examples/smbldap-tools/configure.pl line 314.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
smbldap-tools script configuration
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
. if your samba controller is up and running.
. if the domain SID is defined (you can get it with the 'net getlocalsid')
. you can leave the configuration using the Crtl-c key combination
. empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...
Samba Configuration File Path [/usr/local/etc/smb.conf] [HIT ENTER]
The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/opt/IDEALX/smbldap-tools/] /usr/local/etc/smbldap-tools [<--- NEEDS CHANGE]
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...
. workgroup name: name of the domain Samba act as a PDC
workgroup name [smbdomain] [HIT ENTER]
. netbios name: netbios name of the samba controler
netbios name [serv01] [HIT ENTER]
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
logon drive [H:] [HIT ENTER]
. logon home: home directory location (for Win95/98 or NT Workstation).
(use %U as username) Ex:'\\serv01\%U'
logon home (press the "." character if you don't want homeDirectory) [\\%L\%U] [HIT ENTER]
. logon path: directory where roaming profiles are stored. Ex:'\\serv01\profiles\%U'
logon path (press the "." character if you don't want roaming profile) [\\serv01\profiles\%U] [HIT ENTER]
. home directory prefix (use %U as username) [/home/%U] [HIT ENTER]
. default users' homeDirectory mode [700] [HIT ENTER]
. default user netlogon script (use %U as username) [logon.bat] [HIT ENTER]
default password validation time (time in days) [45] 100000 [<--- NEEDS CHANGE]
. ldap suffix [dc=smbdomain,dc=local] [HIT ENTER]
. ldap group suffix [ou=Groups] [HIT ENTER]
. ldap user suffix [ou=People] [HIT ENTER]
. ldap machine suffix [ou=Computers] [HIT ENTER]
. Idmap suffix [ou=Idmap] [HIT ENTER]
. sambaUnixIdPooldn: object where you want to store the next uidNumber
and gidNumber available for new users and groups
sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=smbdomain] [HIT ENTER]
. ldap master server: IP adress or DNS name of the master (writable) ldap server
ldap master server [serv01.smbdomain.local] [HIT ENTER]
. ldap master port [389] [HIT ENTER]
. ldap master bind dn [cn=Manager,dc=smbdomain,dc=local] [HIT ENTER]
ldap master bind password [] very-secure-password
. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
ldap slave server [serv01.smbdomain.local] [HIT ENTER]
. ldap slave port [389] [HIT ENTER]
. ldap slave bind dn [cn=Manager,dc=smbdomain,dc=local] [HIT ENTER]
. ldap slave bind password [] very-secure-password
. ldap tls support (1/0) [0] [HIT ENTER]
. SID for domain smbdomain: SID of the domain (can be obtained with 'net getlocalsid serv01')
SID for domain smbdomain [S-1-5-21-2609998211-36760486-3473504348] [HIT ENTER]
. unix password encryption: encryption used for unix passwords
unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] [HIT ENTER]
. default user gidNumber [513] [HIT ENTER]
. default computer gidNumber [515] [HIT ENTER]
. default login shell [/bin/sh] [HIT ENTER]
. default skeleton directory [/etc/skel] [HIT ENTER]
. default domain name to append to mail adress [] [HIT ENTER]
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Use of uninitialized value in concatenation (.) or string at /usr/local/share/examples/smbldap-tools/configure.pl line 314, <STDIN> line 35.
backup old configuration files:
/usr/local/etc/smbldap-tools/smbldap.conf->/usr/local/etc/smbldap-tools/smbldap.conf.old
/usr/local/etc/smbldap-tools/smbldap_bind.conf->/usr/local/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
/usr/local/etc/smbldap-tools/smbldap.conf done.
/usr/local/etc/smbldap-tools/smbldap_bind.conf done.
Now we start the ldap server again
# /usr/local/etc/rc.d/slapd start
And we populate the database
# smbldap-populate -u 10000 -g 10000 -r 10000
Populating LDAP directory for domain smbdomain (S-1-5-21-2609998211-36760486-3473504348)
(using builtin directory structure)
adding new entry: dc=smbdomain,dc=local
adding new entry: ou=People,dc=smbdomain,dc=local
adding new entry: ou=Groups,dc=smbdomain,dc=local
adding new entry: ou=Computers,dc=smbdomain,dc=local
adding new entry: ou=Idmap,dc=smbdomain,dc=local
adding new entry: uid=root,ou=People,dc=smbdomain,dc=local
adding new entry: uid=nobody,ou=People,dc=smbdomain,dc=local
adding new entry: cn=Domain Admins,ou=Groups,dc=smbdomain,dc=local
adding new entry: cn=Domain Users,ou=Groups,dc=smbdomain,dc=local
adding new entry: cn=Domain Guests,ou=Groups,dc=smbdomain,dc=local
adding new entry: cn=Domain Computers,ou=Groups,dc=smbdomain,dc=local
adding new entry: cn=Administrators,ou=Groups,dc=smbdomain,dc=local
adding new entry: cn=Account Operators,ou=Groups,dc=smbdomain,dc=local
adding new entry: cn=Print Operators,ou=Groups,dc=smbdomain,dc=local
adding new entry: cn=Backup Operators,ou=Groups,dc=smbdomain,dc=local
adding new entry: cn=Replicators,ou=Groups,dc=smbdomain,dc=local
adding new entry: sambaDomainName=smbdomain,dc=smbdomain,dc=local
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
This password can be anything and does not have to be the LDAP password (very-secure-password); it is the root (Administrator) password for the Samba domain. Now we join the server to its own domain, so that winbind has a machine trust account to work with:
# net rpc join -S serv01 -Uroot
password:
joined domain smbdomain
For the administration of the server you can use USRMGR.exe (User Manager for Domains) from Microsoft. That is it!
This guide is © 2008 - 2012 Johan.
Author: Johan
johan at double-l dot nl
4 Comments
Posted by ronaldg2 on December 18, 2008 at 6:06:27 am PST
Be aware that adding lines to rc.conf with > will overwrite the file.
Posted by Sylhouette on December 19, 2008 at 12:16:20 am PST
you need to add a > extra to the echo commands.
so the commands need to be:
# echo "#enable slapd" >>/etc/rc.conf
# echo slapd_enable="YES" >>/etc/rc.conf
# echo slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/ ldap://127.0.0.1/"' >>/etc/rc.conf
# echo slapd_sockets="/var/run/openldap/ldapi" >>/etc/rc.conf
and
# echo "#enable Samba" >>/etc/rc.conf
# echo nmbd_enable="YES" >>/etc/rc.conf
# echo smbd_enable="YES" >>/etc/rc.conf
# echo winbindd_enable="YES" >>/etc/rc.conf
# echo cupsd_enable="YES" >>/etc/rc.conf
In my uploaded file it is right; on the website it leaves a > out.
Posted by renic on September 03, 2010 at 7:31:28 pm PDT
Something appears to be wrong with the line:
# echo slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/ ldap://127.0.0.1/"' >> /etc/rc.conf
(backslashes were removed by the post a comment form, but they're there)
As it causes this output when you start slapd:
# /usr/local/etc/rc.d/slapd start
/etc/rc.conf: "ldapi://%2fvar%2frun%2fopenldap%2fldapi/: not found
Starting slapd.
/usr/local/etc/rc.d/slapd: WARNING: slapd: Can't find socket /var/run/openldap/ldapi
Posted by renic on September 03, 2010 at 7:35:40 pm PDT
# echo slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/ ldap://127.0.0.1/"' >> /etc/rc.conf
does not insert the single quotes, simply edit /etc/rc.conf and make sure the line reads:
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/ ldap://127.0.0.1/"'
(http://forums.freebsd.org/showthread.php?t=770)
Copyright 2003 - 2012 BSD Guides. All rights reserved. About | Terms of Use | Privacy | Contact
