A Samba server can be configured as a primary domain controller (PDC) that provides domain authentication to Windows machines. Here it uses LDAP as its backend so that Linux and Windows users share unified account information. The following is a guide for setting up a Samba server as a primary domain controller that uses OpenLDAP as its backend.
- Install samba and samba-openldap on the server machine
yum install samba samba-client
- A new schema for Samba is needed to define the objects for Samba users. Check whether a file named samba.schema exists in the /etc/openldap/schema folder. If it does not exist, copy the attached schema; there should also be a copy at /usr/share/doc/samba-3.0.25b/LDAP. The Samba schema must also be included in the slapd.conf file by adding:
include /etc/openldap/schema/samba.schema
- Edit the slapd.conf file and add the following lines in the appropriate sections; note that no spaces are allowed after the commas in the index list:
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by dn="cn=Manager,dc=blueprint,dc=org" write
    by anonymous auth
    by * none
- Edit the Samba config file /etc/samba/smb.conf. A sample smb.conf is attached to this page. This file is important because it specifies the role of the Samba server: a file sharing server, a primary or backup domain controller, and so on. In this case the Samba server is configured as a primary domain controller that uses OpenLDAP as its password backend. The interesting lines of smb.conf are listed here with explanation:
[global]
#This section describes the domain and NetBIOS name of the Samba domain controller; enable privileges allows users in the LDAP directory (e.g. administrator) to be granted their corresponding privileges
workgroup = BLUEPRINT-NT
server string = Samba Server Version %v
netbios name = BLUEPRINT-NT
enable privileges = yes
#This section configures the password backend of the Samba server to be OpenLDAP and specifies the locations on the LDAP server where the accounts are stored.
security = user
#Select yes so that the Samba and Linux accounts of the same user share the same password
ldap passwd sync = yes
#specify the address of the ldap server
passdb backend = ldapsam:ldaps://localhost
ldap admin dn = cn=Manager,dc=blueprint,dc=org
ldap suffix = dc=blueprint,dc=org
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap ssl = yes
domain master = yes
domain logons = yes
#The logon path is set to a null value to disable roaming profile support
logon path = ""
#The following specify the scripts used to add users, machines and groups to the LDAP directory so that a Windows administrator can perform these tasks through Samba
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/local/sbin/smbldap-userdel "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
create mask = 0664
directory mask = 0775
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = yes
writable = no
share modes = no
- Next, create the directories referenced by the configuration files and assign them the right permissions:
mkdir /home/samba
mkdir /home/samba/netlogon
mkdir /home/samba/profiles
chmod 1777 /home/samba/profiles
- Next, store the account and password of the OpenLDAP manager in secrets.tdb so that Samba can use them to access the OpenLDAP directory. For security reasons, this manager should not be the rootdn of the OpenLDAP database, but in this test the manager is set to the root DN for convenience. The password is stored in the database file /etc/samba/secrets.tdb in clear text, so this file must not be world readable:
smbpasswd -w mysecretpwd
where mysecretpwd is the password for the manager.
- Use the testparm command to test the configuration files. If everything works it will say "Loaded services file OK".
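testparm checks syntax, not intent. The following is an added example, not part of this guide, that parses an smb.conf and lints it for the settings the guide depends on: an ldapsam backend reached over ldaps:// or start tls, the PDC flags, and parameters repeated within a section (Samba silently keeps the last value, which is how a stray second valid users line in [homes] goes unnoticed). SAMPLE is a constructed file modelled on the guide's smb.conf.

```python
"""Lint an smb.conf for the PDC-with-LDAP settings this guide relies on. Added
example, not from the guide; SAMPLE is a constructed file modelled on it."""
# Constructed sample with two defects worth catching: a plaintext ldap://
# backend and a duplicated "valid users" parameter in [homes].
SAMPLE = r"""[global]
   passdb backend = ldapsam:ldap://localhost
   ldap ssl = off
   ldap passwd sync = yes
   domain master = yes
   domain logons = yes
[homes]
   valid users = %S
   valid users = MYDOMAIN\%S
"""

def parse_smb_conf(text):
    # Returns {section: [(key, value), ...]}, keys lowercased, order kept.
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # Samba comments occupy a whole line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, [])
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section].append((key.strip().lower(), value.strip()))
    return conf

def lint_pdc_config(conf):
    # Returns a list of findings for the settings the guide depends on.
    findings, g = [], dict(conf.get("global", []))   # dict(): last value wins
    backend = g.get("passdb backend", "")
    if not backend.startswith("ldapsam:"):
        findings.append("passdb backend is not ldapsam")
    elif "ldaps://" not in backend and g.get("ldap ssl", "off").lower() not in (
            "start tls", "start_tls", "on", "yes"):
        findings.append("LDAP backend is plaintext: use ldaps:// or ldap ssl = start tls")
    for key in ("domain master", "domain logons", "ldap passwd sync"):
        if g.get(key, "no").lower() not in ("yes", "true", "1"):
            findings.append(f"{key} should be yes on a PDC")
    for section, items in conf.items():   # a repeated key is silently overridden
        seen = set()
        for key, _ in items:
            if key in seen:
                findings.append(f"[{section}] sets '{key}' twice; the last value wins")
            seen.add(key)
    return findings
```

Run it against a real file with `lint_pdc_config(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; an empty list means the settings this guide relies on are present.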
- Start Samba with
service smb start
and make Samba start at boot with
chkconfig smb --level 35 on