Openldap + Samba Domain Controller: Preface
Preface
This document is a step-by-step guide for configuring Ubuntu 7.10 as a Samba Domain
Controller with an LDAP backend (OpenLDAP). The goal is a server that is comparable, from a
central authentication point of view, to a Windows Server 2003 Domain Controller. The end result
will be a server with an LDAP directory for storing user, group, and computer accounts. A properly
configured Windows XP Professional SP2 workstation will be able to join the domain. Please note
that this does not give you a fully comparable Windows domain controller at this time. Do not kid
yourself: this guide only gets you a server with LDAP authentication. Of course this can be
expanded with slave servers to spread authentication over multiple networks. Please also note that
it took me approximately two and a half weeks to compile this information and get it working. The
same functionality can be had in Windows in less than four hours (including operating system
installation). In my humble opinion the open source community will need to work on this side of
Linux for it to be a true alternative to Windows.
Legal/Warranty/Etc...
This document is provided as-is with no implied warranty or agreement. I will not support other
systems without compensation. This document is the property of Richard Maloley II. This
document may be redistributed, copied, printed, and modified at will, however my name must
remain as the original source. Legal action can and will be brought against any and all infractions
of the terms.
Assumptions
* You edited your /etc/hosts file so that your hostname and fully qualified domain name are on
the 127.0.1.1 line:
127.0.1.1 dc01-ubuntu dc01-ubuntu.example.local
* You did not set a password on the root account. All commands will be run with sudo or by
opening a root shell.
sudo bash
* Currently you do not have any other software running nor do you have any other users on the
system.
# Install WebMin
dpkg -i webmin_1.380_all.deb
# Restart OpenLDAP.
/etc/init.d/slapd restart
cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
# Add the following lines to the document where the other "include" lines are:
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/misc.schema
# to:
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
# Restart OpenLDAP:
/etc/init.d/slapd restart
#######################################################################
#COPY AND PASTE THE FOLLOWING UNDERNEATH "OBEY PAM RESTRICTIONS = NO"
#######################################################################
#
# Begin: Custom LDAP Entries
#
ldap admin dn = cn=admin,dc=example,dc=local
ldap suffix = dc=example, dc=local
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
; Do ldap passwd sync
ldap passwd sync = Yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
domain logons = yes
#
# End: Custom LDAP Entries
#
#####################################################
#STOP COPYING HERE!
#####################################################
# Restart SAMBA.
/etc/init.d/samba restart
We will be using the smbldap-tools package to populate our directory, add users, add
workstations, etc. But the tools need to be configured first!
# Open up the examples directory.
cd /usr/share/doc/smbldap-tools/examples/
# Edit smbldap.conf so that the following information is correct (according to your individual setup):
SID="S-1-5-21-949328747-3404738746-3052206637" ## This line must have the same SID as when you ran "net getlocalsid"
sambaDomain="EXAMPLE"
ldapTLS="0"
suffix="dc=example,dc=local"
sambaUnixIdPooldn="sambaDomainName=EXAMPLE,${suffix}"
userSmbHome=
userProfile=
userHomeDrive=
userScript=
mailDomain="example.local"
# Edit smbldap_bind.conf so that the following information is correct (according to your individual setup). This file holds the LDAP admin password in cleartext, so keep it readable by root only:
slaveDN="cn=admin,dc=example,dc=local"
slavePw="12345"
masterDN="cn=admin,dc=example,dc=local"
masterPw="12345"
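As an added example (not part of the original guide), a small POSIX shell script that checks two things this section depends on: that the SID in smbldap.conf matches the one reported by `net getlocalsid`, and that smbldap_bind.conf, which holds the LDAP admin password in cleartext, is readable by root only. The paths under /etc/smbldap-tools/ are the Debian package defaults and an assumption; the script only needs the saved output of `net getlocalsid`, so it can be run offline.

```shell
#!/bin/sh
# Added example: sanity-check the smbldap-tools configuration against Samba.
# Default paths (assumption, Debian/Ubuntu package layout):
#   /etc/smbldap-tools/smbldap.conf        (SID=, sambaDomain=, ...)
#   /etc/smbldap-tools/smbldap_bind.conf   (masterDN/masterPw, slaveDN/slavePw)

# Extract the value of the SID="..." line from an smbldap.conf-style file.
conf_sid() {
    sed -n 's/^SID="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Extract the SID from saved "net getlocalsid" output, which looks like:
#   SID for domain EXAMPLE is: S-1-5-21-949328747-3404738746-3052206637
net_sid() {
    sed -n 's/^SID for domain .* is: \(S-1-5-21-[0-9-]*\).*/\1/p' "$1" | head -n 1
}

# Returns 0 when smbldap.conf ($1) carries the same SID as the saved
# "net getlocalsid" output ($2); an empty SID in the config also fails.
check_sid() {
    a=$(conf_sid "$1")
    b=$(net_sid "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# smbldap_bind.conf contains the LDAP admin password in cleartext, so it must
# not be group- or world-readable. Returns 0 for mode 0600 or 0400.
check_bind_perms() {
    mode=$(stat -c %a "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Usage on the domain controller (after: net getlocalsid > /tmp/localsid.txt):
#   sh check-smbldap.sh /etc/smbldap-tools/smbldap.conf /tmp/localsid.txt \
#       /etc/smbldap-tools/smbldap_bind.conf
if [ "$#" -eq 3 ]; then
    check_sid "$1" "$2" && echo "SID: OK" || echo "SID: MISMATCH (fix SID= in $1)"
    check_bind_perms "$3" && echo "bind file perms: OK" || echo "bind file perms: too permissive (chmod 600 $3)"
fi
```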
The basic steps for this section came from the Ubuntu Forums
(http://ubuntuforums.org/showthread.php?t=597056). Thanks to all who contributed to that
thread! Basically we need to tell our server to use LDAP authentication as one of its options. Be
careful with this! It can break your server, which is why we always keep a backup around.
# Install the necessary software for this to work.
apt-get install auth-client-config libpam-ldap libnss-ldap
pam_account=account sufficient pam_unix.so
	account sufficient pam_ldap.so
	account required pam_deny.so
pam_password=password sufficient pam_unix.so nullok md5 shadow use_authtok
	password sufficient pam_ldap.so use_first_pass
	password required pam_deny.so
pam_session=session required pam_limits.so
	session required pam_mkhomedir.so skel=/etc/skel/
	session required pam_unix.so
	session optional pam_ldap.so
# Enable the new LDAP Authentication Profile by executing the following command:
auth-client-config -a -p open_ldap
# Reboot the server and test to ensure that you can still log in using SSH and LDAP.
reboot
* "client-winxp" is the hostname of the computer that you will be adding to the domain. This must match the workstation's hostname exactly!
# Notes
Please note that this is basic authentication right now. You're on your own if you wish to add
logon scripts, mapped drives, etc...
# Add the following line to the top of the file. This prevents an annoying error message from Apache2.
ServerName dc01-ubuntu.example.local
# Restart Apache2
/etc/init.d/apache2 restart
# Copy the phpLDAPadmin folder into the main web site directory. This is the lazy way of doing things:
# we don't need to create a virtual host, we just access phpLDAPadmin by going to
# http://192.168.0.60/phpldapadmin/. Note that this exposes the LDAP admin interface over plain HTTP to
# anyone who can reach the web server, so restrict access to it.
cp -R /usr/share/phpldapadmin/ /var/www/phpldapadmin
There you have it! A full Ubuntu LDAP and SAMBA Domain Controller in 15 easy steps.