LDAP Samba PDC
Build and install Samba
First make sure that a samba rpm is not installed on your system.
root@ldap > rpm -qa | grep samba
This should come back as a blank line. If there is an installation, uninstall it. You may want to make a copy of
smb.conf just in case something goes horribly wrong :-).
root@ldap > rpm -e samba
Download the latest version of Samba (2.2.8a) from http://www.samba.org/.
Then install it. Ensure that gcc is installed and correctly configured on your machine.
root@ldap > gunzip samba-2.2.8a.tar.gz
root@ldap > tar -xvf samba-2.2.8a.tar
root@ldap > cd samba-2.2.8a/source/
root@ldap > ./configure --bindir=/usr/local/bin --sbindir=/usr/local/sbin --with-ldapsam --with-ssl --with-pam --with-pam_smbpass
root@ldap > make
root@ldap > make install
NOTE: If you need to go back and do this again, remove
config.cache. It may save you some headaches.
Set your LDAP administrator's password
The samba PDC requires write access to your LDAP server (for example to create trust accounts).
The encrypted password is held in the file
To place your password in the file (after you have configure your LDAP administrator in
smb.conf - see below) as root type in:
root@ldap > smbpasswd -w your_password
smb.confis located in
libdirectory of your samba installation e.g.
/usr/local/samba/lib/smb.conf. This requires some careful configuration to get things to work. Let's consider some of the essential settings.
[global] workgroup = workgroupname server string = LDAP server running samba %v netbios name = directory # Windows administrators # You can add users or groups (prefix groups with a '@') domain admin group = l.rathbone c.evans @domadm # SAMBA-LDAP declarations ldap suffix = dc=your,dc=site,dc=com # User with write access to the LDAP directory ldap admin dn = uid=root,cn=users,dc=your,dc=site,dc=com ldap port = 389 ldap server = ldap.your.site.com ldap ssl = start tls # Create machine trust accounts automatically add user script = /usr/local/sbin/smbldap-useradd.pl -w %u # this tells Samba to use a separate log file for each machine # that connects log file = /usr/local/samba/var/log.%m # How much information do you want to see in the logs? # default (1) is only to log critical messages log level = 2 # Put a capping on the size of the log files (in Kb). max log size = 50 # MUST be security = user for PDC security = user # Most people will find that this option gives better performance. # See speed.txt and the manual pages for details # You may want to add the following on a Linux system: # SO_RCVBUF=8192 SO_SNDBUF=8192 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 # set local master to no if you don't want Samba to become a master # browser on your network. Otherwise the normal election rules apply local master = yes # OS Level determines the precedence of this server in master browser # elections. The default value (20) should be reasonable os level = 90 # Domain Master specifies Samba to be the Domain Master Browser. This # allows Samba to collate browse lists between subnets. Don't use this # if you already have a Windows NT domain controller doing this job domain master = yes # Preferred Master causes Samba to force a local browser election on startup # and gives it a slightly higher chance of winning the election preferred master = yes # I have stuck this in because it was in a HOWTO but I have no idea what it does - but it does not sound good null passwords = Yes # You MUST use password encryption. Please read # ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation. encrypt passwords = yes passwd program =/usr/local/sbin/smbldap-passwd.pl -o %u # When using encrypted passwords, Samba can synchronize the local # UNIX password as well. You will also need the "passwd chat" parameters unix password sync = yes # how should smbd talk to the local system when changing a UNIX # password? See smb.conf(5) for details passwd chat = *new*password* %n\n *new*password* %n\n *successfully* # Enable this if you want Samba act as a domain controller. domain logons = yes # Where to store roving profiles (only for Win95 and WinNT) # %L substitutes for this servers netbios name, %U is username # This refers to the [profiles] share below # The permissions on the profiles directory should be # chmod 1757 /usr/local/samba/profiles # drwxr-xrwt 5 root root 4096 May 1 08:43 profiles logon path = \\%L\profiles\%u # UNC path specifying the network location of the user's home directory # only used when acting as a DC for WinNT/2k/XP. Ignored by Win9x clients logon home = \\%L\%U # What drive should the "logon home" be mounted at upon login ? # only used when acting as a DC for WinNT/2k/XP. Ignored by Win9x clients logon drive = Z:
[homes] comment = Home Directories browseable = no writable = yes valid users = %S [netlogon] ; comment = Network Logon Service path = /usr/local/samba/lib/netlogon read only = yes write list = ntadmin locking = no guest ok = yes ; writable = no ; share modes = no # Provide a specific roving profile share # the default is to use the user's home directory # The permissions on the profiles directory should be # chmod 1757 /usr/local/samba/profiles # drwxr-xrwt 5 root root 4096 May 1 08:43 profiles [profiles] path = /usr/local/samba/profiles read only = no create mask = 0600 directory mask = 0700 writable = yes ; browseable = no ; guest ok = yes
Install Samba-LDAP tools
IDEALX (http://www.idealx.org/index.en.html) provide some very useful perl scripts that can be configured to suit your set up. The current file
smbldap-tools-0.7.tgz can be downloaded from http://www.idealx.org/prj/samba/index.en.html
These need to be unpacked and copied to
I had difficulty with one of the functions in this suite -
add_samba_machine_mkntpwd. This is used to set up trust accounts between the PDC and the client windows machine.
This function throws an error unless you make some changes.
The simplest solution is to edit the file
Go to the function
$tmpldif needs, in addition to the attributes supplied,
objectClass: person and
sn: Computer. (The value for
sn could be anything you want.)