Span LDAP to other VLAN

Install and configure the Samba server

The Samba server is configured as a primary domain controller (PDC) that provides domain authentication to the Windows machines. It uses LDAP as its password backend so that Linux and Windows users share one set of account information. The following is a guide for setting up a Samba server as a primary domain controller with OpenLDAP as its backend.
  • Install samba and samba-client on the server machine (the smbldap-* scripts referenced in smb.conf below come from the separate smbldap-tools package)
yum install samba samba-client
  • Samba needs an additional LDAP schema that defines the object classes and attributes for Samba users, groups and machines. Check whether /etc/openldap/schema/samba.schema exists; if not, copy the attached schema (a copy also ships with the Samba documentation at /usr/share/doc/samba-3.0.25b/LDAP). Include the schema in slapd.conf by adding:
 include /etc/openldap/schema/samba.schema
  • Edit slapd.conf and add the following lines in the appropriate sections. The attribute list of the index directive must be written without spaces after the commas. slapd evaluates 'access to' clauses in order and applies the first one whose target matches, so the password ACL below must appear before any general 'access to *' rule, otherwise the hashes it is meant to protect stay readable:
index sambaSID,sambaPrimaryGroupSID,sambaDomainName    eq

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by dn="cn=Manager,dc=blueprint,dc=org" write
        by anonymous auth
        by * none
  • Edit the Samba config file /etc/samba/smb.conf. A sample file is attached to this page. smb.conf defines what the server is: a file server, a primary or backup domain controller, and so on. Here the server is a primary domain controller that uses OpenLDAP as its password backend. The interesting lines of smb.conf are listed here with explanations:
[global]

#This section describes the domain and NetBIOS name of the Samba domain controller. 'enable privileges' lets accounts in the LDAP directory (e.g. Administrator) be granted their corresponding Windows privileges through Samba
    workgroup = BLUEPRINT-NT
    server string = Samba Server Version %v
    netbios name = BLUEPRINT-NT
    enable privileges = yes

#This section configures the password backend of the Samba server to be OpenLDAP and specifies where in the directory the accounts are stored.
    security = user
    #select yes so that the samba and linux account of the same user would have the same password
    ldap passwd sync = yes

    #specify the address of the ldap server
    passdb backend = ldapsam:ldaps://localhost
    ldap admin dn = cn=Manager,dc=blueprint,dc=org
    ldap suffix = dc=blueprint,dc=org
    ldap group suffix = ou=Groups
    ldap user suffix = ou=People
    ldap machine suffix = ou=Computers   
    #ldaps:// in the backend URL already protects the connection with TLS; for a plain ldap:// URL set 'ldap ssl = start tls' instead
    ldap ssl = yes
    domain master = yes
    domain logons = yes

#The logon path is set to an empty value to disable roaming profile support
    logon path = ""
#The following scripts (from smbldap-tools) are run by Samba when a Windows administrator adds or removes users, machines and groups, so that the changes land in the LDAP directory
    add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
    add user script = /usr/local/sbin/smbldap-useradd -m "%u"
    ldap delete dn = Yes
    delete user script = /usr/local/sbin/smbldap-userdel "%u"
    add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/local/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"

[homes]

    comment = Home Directories
    browseable = no
    writable = yes
    #%S is the requested service name, i.e. each user may only connect to his own home share
    valid users = %S
    create mask = 0664
    directory mask = 0775

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes

[netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    guest ok = yes
    writable = no
    share modes = no
  • Next, create the directories referenced by the configuration and assign them the right permissions. The netlogon share must remain writable only by root, since clients execute whatever logon scripts it contains. The profiles directory is only needed when roaming profiles are enabled (logon path above is empty, so it is unused in this setup):
mkdir /home/samba
mkdir /home/samba/netlogon
mkdir /home/samba/profiles
chmod 1777 /home/samba/profiles
  • Next, store the password of the OpenLDAP manager account in /etc/samba/secrets.tdb so that Samba can bind to the directory (the DN is taken from 'ldap admin dn' in smb.conf). For security reasons this account should not be the rootdn of the OpenLDAP database, since the rootdn bypasses all ACLs; in this test setup it is the rootdn for convenience. The password is stored in secrets.tdb in clear text, so the file must be owned by root and must not be group or world readable (mode 0600).
smbpasswd -w mysecretpwd
    where mysecretpwd is the password for the manager.
  • Use the testparm command to check the configuration file. If everything is fine it reports "Loaded services file OK."
  • Start Samba by
service smb start
and set it to start at boot in runlevels 3 and 5 by
chkconfig --level 35 smb on
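As an added example (not from the original page or from the Samba project), a small Python audit of the security-relevant points in this procedure: it parses an smb.conf constructed from the settings above, flags the duplicated 'valid users' line in [homes], warns when ldapsam binds over plain ldap:// without StartTLS, and checks a slapd.conf fragment for the two ACL pitfalls noted earlier (reusing the rootdn as 'ldap admin dn', and an 'access to *' rule placed before the password-attribute rule). The config texts, the severity labels and the parser are constructed for the example.

```python
# Added example, not part of the original page: a pre-flight audit of the
# Samba PDC / OpenLDAP setup described above. The config fragments below are
# constructed from the page's own settings.
import re

PAGE_SMB_CONF = """
[global]
    security = user
    passdb backend = ldapsam:ldaps://localhost
    ldap admin dn = cn=Manager,dc=blueprint,dc=org
    ldap ssl = yes
[homes]
    valid users = %S
    valid users = MYDOMAIN\\%S
[netlogon]
    guest ok = yes
    writable = no
"""
# Same setup, but binding over plain ldap:// with TLS switched off.
WEAK_SMB_CONF = PAGE_SMB_CONF.replace("ldaps://", "ldap://").replace("ldap ssl = yes", "ldap ssl = off")

SLAPD_CONF = """
rootdn "cn=Manager,dc=blueprint,dc=org"
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by dn="cn=Manager,dc=blueprint,dc=org" write
        by anonymous auth
        by * none
access to *
        by * read
"""
# Same ACLs with a catch-all rule inserted first: the password rule is then never reached.
MISORDERED_SLAPD_CONF = SLAPD_CONF.replace("access to attrs", "access to *\n        by * read\naccess to attrs", 1)

def parse_ini(text):
    """smb.conf-style parser returning {section: [(key, value), ...]}; duplicates are kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip().strip('"')))
    return sections

def audit_smb_conf(text):
    """Return (severity, message) findings for an smb.conf text."""
    findings, conf = [], parse_ini(text)
    for name, pairs in conf.items():
        seen = set()
        for key, value in pairs:
            if key in seen:  # e.g. two 'valid users' lines in [homes]; Samba keeps the last one
                findings.append(("medium", f"[{name}] '{key}' set twice, last value {value!r} wins"))
            seen.add(key)
    g = dict(conf.get("global", []))
    backend = g.get("passdb backend", "")
    ldap_ssl = g.get("ldap ssl", "").lower().replace("_", " ")
    if backend.startswith("ldapsam:") and "ldaps://" not in backend and ldap_ssl != "start tls":
        findings.append(("high", "ldapsam over ldap:// without StartTLS: the admin dn password "
                                 "and every password hash travel in the clear"))
    nl = dict(conf.get("netlogon", []))
    if nl.get("guest ok", "no").lower() == "yes" and nl.get("writable", "no").lower() == "yes":
        findings.append(("high", "[netlogon] is guest-writable: anyone can plant logon scripts"))
    return findings

def audit_slapd_conf(text, ldap_admin_dn):
    """Check the rootdn and the ordering of the password-attribute ACL in slapd.conf."""
    findings = []
    m = re.search(r'^\s*rootdn\s+"?(.+?)"?\s*$', text, re.M)
    if m and m.group(1).replace(" ", "").lower() == ldap_admin_dn.replace(" ", "").lower():
        findings.append(("medium", "'ldap admin dn' is the slapd rootdn, which bypasses every ACL"))
    # slapd uses the first 'access to' clause whose target matches, so a leading
    # 'access to *' shadows any later rule for the password attributes.
    clauses = re.findall(r"^\s*access to\s+(\S+)", text, re.M)
    pw = next((i for i, c in enumerate(clauses) if "sambantpassword" in c.lower()), None)
    star = next((i for i, c in enumerate(clauses) if c == "*"), None)
    if pw is None:
        findings.append(("high", "no ACL restricts sambaNTPassword/sambaLMPassword"))
    elif star is not None and star < pw:
        findings.append(("high", "'access to *' precedes the password ACL, so the hashes are readable"))
    return findings

def run_demo():
    """Run the audits against the constructed inputs; returns {name: findings}."""
    admin_dn = "cn=Manager,dc=blueprint,dc=org"
    return {
        "page": audit_smb_conf(PAGE_SMB_CONF),
        "weak": audit_smb_conf(WEAK_SMB_CONF),
        "slapd": audit_slapd_conf(SLAPD_CONF, admin_dn),
        "misordered": audit_slapd_conf(MISORDERED_SLAPD_CONF, admin_dn),
    }

if __name__ == "__main__":
    for check, result in run_demo().items():
        print(check, result)
```

Against the page's own configuration the only finding is the duplicated 'valid users' key; the ldap:// variant and the mis-ordered ACL each add a high-severity finding. Pointing the two audit functions at the real /etc/samba/smb.conf and /etc/openldap/slapd.conf before running testparm catches these mistakes before the first client binds.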