Back to rainingpackets.com

Setting up a Samba PDC using OpenLDAP on CentOS

Overview

This document describes setting up a Samba PDC on CentOS Linux 5.4 using OpenLDAP to store Samba's user information. Using LDAP as Samba's back end to store information adds a level of complexity, but allows for scalability and flexibility.

Note: This how-to will work with CentOS 5.5 if you use the standard Samba packages.

We'll be using the following setup:

  • CentOS Linux 5.4 with Samba and OpenLDAP.
  • Samba will use the users' Linux home directories as the Samba home share (this is the default).
  • Domain users' profiles will be stored in /var/lib/samba/profiles.
  • Net logon scripts will be stored in /var/lib/samba/netlogon.
  • OpenLDAP will be used to hold the passwords and account information.
  • Printer support is not covered.
  • DHCP and DNS support is not covered.

The /home and /var/lib/samba/profiles directories use the most space, so you may want to do some quick calculations to make sure you don't run out down the road.


Step 1 - Installing Linux

Install CentOS as you see fit, taking note of the following.

  1. /home and /var/lib/samba are given enough space.
  2. Use a static IP address.
  3. Install the package groups you like. I generally perform a minimalist install, deselecting all the package groups and then installing the packages I need after the OS install is complete.
  4. If you do not install Samba during the OS install, install it using:
    # yum groupinstall 'Windows File Server'
    or 
    # yum install samba samba-client samba-common


The first command will install Samba and CentOS's GUI based configuration tools. The second command will install only Samba.

  5. If you did not install OpenLDAP and the nss_ldap package during the installation, install them now using:
    # yum install openldap openldap-clients openldap-servers nss_ldap
  6. Make sure the system is up to date by installing any outstanding updates.
    # yum check-update
    # yum upgrade

If the kernel or glibc are upgraded, you should reboot the system.

For our example I'm installing CentOS as follows:

  1. A basic install, accepting the preselected package groups.
  2. A static IP of 192.168.0.200/24
  3. Hostname of ldappdc.mydomain.com


Step 2 - OpenLDAP server configuration

  1. Copy the Samba LDAP schema file, samba.schema, to the openldap schema directory.
    # cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema /etc/openldap/schema/
  2. Open /etc/openldap/slapd.conf for editing.
  3. Add the samba.schema to the imported schema list by adding the following line after the other include lines at the beginning of slapd.conf.
    include         /etc/openldap/schema/samba.schema
  4. Move to the database section at the end of file.
  5. Configure the suffix, rootdn and rootpw values to your liking. For our example we'll be using the following values:
    suffix		"dc=ldappdc,dc=mydomain,dc=com"
    rootdn		"cn=Manager,dc=ldappdc,dc=mydomain,dc=com"
  6. Use the slappasswd utility to generate a password. Use the result of the slappasswd as the rootpw value.
    rootpw		{SSHA}eA5sNKUH3yw9koafpgviZoI1cOfmavlT
  7. Save the file and exit it.
  8. Restart the OpenLDAP server so the new settings take effect.
    # service ldap restart
  9. Make sure OpenLDAP starts at system start.
    # chkconfig ldap on


Step 3 - LDAP database preparation

One point of confusion is that the Linux authentication tools and smbldap-tools disagree on what the branches of the LDAP database should be named. One uses “Group”, the other “Groups”. Since it's easier to adjust the smbldap-tools configuration, we'll base our layout on what the Linux authentication setup expects.

The OpenLDAP migration tools include a script to create the LDAP layout, but that script also creates branches for items, such as services, that we don't need. So instead we'll use our own initialization LDIF.

Save the following to /etc/openldap/setup.ldif.

# -- Start of file --
# Define the top level organization
dn: dc=ldappdc,dc=mydomain,dc=com
objectClass: dcObject
objectClass: organization
dc: ldappdc
o: Mydomain
description: Example Corporation

# Create the organizational unit to hold users
dn: ou=People,dc=ldappdc,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: People

# Create the organizational unit to hold groups
dn: ou=Group,dc=ldappdc,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: Group

# Create the organizational units to hold machines
dn: ou=Hosts,dc=ldappdc,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: Hosts

# Create the organizational unit to hold id mapping
dn: ou=Idmap,dc=ldappdc,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: Idmap
# -- End of file --

Load the LDIF file we saved in the previous step into the LDAP database by running the following command (replace password with the plain-text rootpw you chose in Step 2).

# ldapadd -v -D "cn=Manager,dc=ldappdc,dc=mydomain,dc=com" -x -w password -f /etc/openldap/setup.ldif


Step 4 - Configuring user lookup and authentication

Next we configure Linux to look at LDAP for user information and authentication.

On RHEL/CentOS there are two ways to configure Linux to use LDAP for NSS. You can use the authconfig-tui utility, or, if you're in X Windows, the system-config-authentication utility. I'll describe both ways.

Using the authconfig-tui utility
  1. If it's not already installed, install the authconfig package.
    # yum install authconfig
  2. At the command line, run
    /usr/sbin/authconfig-tui
  3. Optional: Select Cache Information
  4. Under User Information, select Use LDAP
  5. Under Authentication, select Use LDAP Authentication
  6. Select Next
  7. Leave the Use TLS and Server values at their default.
  8. Update the Base DN value to match the suffix value in slapd.conf. In our example that is:
    dc=ldappdc,dc=mydomain,dc=com
  9. Click OK

Using the system-config-authentication utility

(Note, this is an X application.)

  1. If system-config-authentication is not installed, you need to install the authconfig-gtk package.
    # yum install authconfig-gtk
  2. Launch the system-config-authentication utility:
    # system-config-authentication
  3. On the “User Information” tab, check off “Enable LDAP Support”.
  4. Click the “Configure LDAP” button to open the LDAP configuration dialog.
  5. Update the “LDAP Search Base DN” with our value: dc=ldappdc,dc=mydomain,dc=com
  6. Leave the “LDAP Server” value untouched unless your LDAP server is on another host.
  7. Click OK to save the settings.
  8. Click on the “Authentication” tab.
  9. Check off “Enable LDAP Support”
  10. Click the “Configure LDAP” button to open the LDAP configuration dialog.
  11. Update the “LDAP Search Base DN” with our value: dc=ldappdc,dc=mydomain,dc=com
  12. Leave the “LDAP Server” value untouched unless your LDAP server is on another host.
  13. Click OK to save the settings.
  14. Click OK to exit the system-config-authentication utility.

Note

  1. “User Information” affects the /etc/ldap.conf, /etc/openldap/ldap.conf and /etc/nsswitch.conf files.
  2. “Authentication” affects the /etc/pam.d/system-auth-ac file.


Step 5 - Samba server configuration

Below is the Samba configuration file to be used. Back up the existing /etc/samba/smb.conf file and replace it with the following one.

# --------- smb.conf start ---------
[global]
workgroup = MYDOMAIN
netbios name = LDAPPDC
passdb backend = ldapsam:ldap://127.0.0.1
printcap name = cups
printing = cups
security = user
log level = 3

ldap ssl = off
ldap admin dn = cn=Manager,dc=ldappdc,dc=mydomain,dc=com
ldap suffix = dc=ldappdc,dc=mydomain,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Hosts

ldap delete dn = Yes
add user script = /usr/sbin/smbldap-useradd -m "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
delete group script = /usr/sbin/smbldap-groupdel "%g"

logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
#logon script = %U.bat
logon script = logon.bat

domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes

idmap uid = 15000-20000
idmap gid = 15000-20000

passwd program = /usr/bin/passwd '%u'
unix password sync = yes
passwd chat = "*New UNIX password*" %n\n "*Retype new UNIX password*" %n\n "*updated successfully*"
enable privileges = yes
username map = /etc/samba/smbusers
wins support = Yes

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root
guest ok = Yes
browseable = No
admin users = Administrator
valid users = %U

[Profiles]
comment = Roaming Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
create mask = 0600
directory mask = 0700
# --------- smb.conf end --------- 

Next replace or update the default /etc/samba/smbusers file to include the following.

# --------- smbusers start --------- 
root = administrator Administrator admin
nobody = guest pcguest smbguest
# --------- smbusers end --------- 

This file maps Unix user names to Windows user names. Both are case sensitive.


Step 6 - Letting Samba access LDAP

  1. Set Samba's LDAP password so it can update the LDAP database.
    # smbpasswd -w password
    Setting stored password for "cn=Manager,dc=ldappdc,dc=mydomain,dc=com" in secrets.tdb
  2. Now restart Samba so we're sure it picks up all the changes.
    # service smb restart
    # service winbind restart
  3. Now make sure Samba starts at system start.
    # chkconfig smb on
    # chkconfig winbind on


Step 7 - Check the Samba configuration

At this step you may want to check your configuration to make sure everything is still OK.

# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[Profiles]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions


Step 8 - Install the Samba LDAP tools

The smbldap-tools are a set of scripts used to maintain the LDAP database by/for Samba. We'll pull the version from RPMForge instead of installing from source. Note that numerous Perl modules will also be installed along with the smbldap-tools package.

  1. Add the RPMForge repository to the list of repositories to gain access to the smbldap tools and their dependencies (substitute your distribution and architecture for $dist and $arch).
    # wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.$dist.rf.$arch.rpm
    # rpm -Uhv rpmforge-release-0.5.1-1.$dist.rf.$arch.rpm

    RPMForge enables itself by default. If you don't want that, edit the file /etc/yum.repos.d/rpmforge.repo file and set enabled to 0.

  2. Install the Samba LDAP tools and their dependencies.
    # yum --enablerepo=rpmforge install smbldap-tools


Step 9 - smbldap-tools configuration

The next step is to configure the smbldap tools to use our LDAP server and to match the settings used by Linux for LDAP authentication.

  1. Open /etc/smbldap-tools/smbldap.conf for editing.
  2. Set the SID value to the result of the net getlocalsid command.
  3. Set sambaDomain to the same value as the workgroup option in the smb.conf file. In our example's case, this will be MYDOMAIN.
  4. Set slaveLDAP to 127.0.0.1.
  5. Set masterLDAP to 127.0.0.1.
  6. Our example does not use TLS, so set ldapTLS to 0.
  7. Set suffix to our ldap suffix value, dc=ldappdc,dc=mydomain,dc=com.
  8. Update usersdn to People instead of Users.
  9. Update computersdn to Hosts instead of Computers.
  10. Update groupsdn to Group instead of Groups.
  11. Update userSmbHome to “\\%L\%U”. (The same value used in smb.conf).
  12. Update userProfile to “\\%L\Profiles\%U”
  13. Update mailDomain to “mydomain.com”.
  14. Save and close the file.
  15. Open the file /etc/smbldap-tools/smbldap_bind.conf for editing.
  16. Set slaveDN and masterDN to the same value we used for the rootdn in /etc/openldap/slapd.conf. In our example this value is cn=Manager,dc=ldappdc,dc=mydomain,dc=com.
  17. Set slavePw and masterPw to the password you used for LDAP's rootpw. Use the plain-text version, not the hashed one.
  18. Save and close the file.
  19. Make sure the file is only readable by root.
    # chmod 600 /etc/smbldap-tools/smbldap_bind.conf
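
Because steps 7 to 10 above have to agree with the ldap suffix settings in smb.conf (the Group/Groups confusion from Step 3), here is a small added consistency check, not part of the original page, that compares the two files before smbldap-populate is run. It assumes the key formats shown on this page (smb.conf "key = value" lines and smbldap.conf key="value" lines with the literal ${suffix} token) and works on constructed sample fragments rather than the real files.

```shell
#!/bin/bash
# Added check: do the smbldap-tools branch names agree with smb.conf?
set -e

# Constructed sample fragments standing in for /etc/samba/smb.conf and
# /etc/smbldap-tools/smbldap.conf; groupsdn still has the "Groups" default.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/smb.conf" <<'EOF'
[global]
ldap suffix = dc=ldappdc,dc=mydomain,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=Hosts
EOF
cat > "$WORK/smbldap.conf" <<'EOF'
suffix="dc=ldappdc,dc=mydomain,dc=com"
usersdn="ou=People,${suffix}"
computersdn="ou=Hosts,${suffix}"
groupsdn="ou=Groups,${suffix}"
EOF

# smb_value FILE KEY -> value of the first "KEY = value" line in smb.conf
smb_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n1
}

# conf_value FILE KEY -> value of the first KEY="value" line in smbldap.conf
conf_value() {
  sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n1
}

# check_branches SMB_CONF SMBLDAP_CONF
# Prints one line per mismatch; the return code is the number of mismatches.
check_branches() {
  local bad=0 suffix pair smbkey ldapkey expect got
  suffix=$(smb_value "$1" "ldap suffix")
  got=$(conf_value "$2" suffix)
  if [ "$suffix" != "$got" ]; then
    echo "MISMATCH suffix: smb.conf has '$suffix', smbldap.conf has '$got'"
    bad=$((bad + 1))
  fi
  for pair in "ldap user suffix:usersdn" \
              "ldap group suffix:groupsdn" \
              "ldap machine suffix:computersdn"; do
    smbkey=${pair%%:*}
    ldapkey=${pair##*:}
    # smbldap.conf keeps the literal ${suffix} token, so compare against that
    expect="$(smb_value "$1" "$smbkey"),\${suffix}"
    got=$(conf_value "$2" "$ldapkey")
    if [ "$expect" != "$got" ]; then
      echo "MISMATCH $ldapkey: smb.conf expects '$expect', smbldap.conf has '$got'"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

if check_branches "$WORK/smb.conf" "$WORK/smbldap.conf"; then
  echo "OK: smbldap.conf branches match smb.conf"
else
  echo "Fix the *dn values reported above before running smbldap-populate"
fi
```

Point the two arguments of check_branches at /etc/samba/smb.conf and /etc/smbldap-tools/smbldap.conf to run it against a real server.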


Step 10 - Preparing the LDAP database for Samba

Run smbldap-populate to update the LDAP database with the values Samba requires.

 # smbldap-populate -l 99
   
 Populating LDAP directory for domain MYDOMAIN (S-1-5-21-538294940-1321954592-4157842710)
 (using builtin directory structure)
 
 entry dc=ldappdc,dc=mydomain,dc=com already exist.
 entry ou=People,dc=ldappdc,dc=mydomain,dc=com already exist.
 entry ou=Group,dc=ldappdc,dc=mydomain,dc=com already exist.
 entry ou=Hosts,dc=ldappdc,dc=mydomain,dc=com already exist.
 entry ou=Idmap,dc=ldappdc,dc=mydomain,dc=com already exist.
 entry uid=root,ou=People,dc=ldappdc,dc=mydomain,dc=com already exist.
 adding new entry: uid=nobody,ou=People,dc=ldappdc,dc=mydomain,dc=com
 adding new entry: cn=Domain Admins,ou=Group,dc=ldappdc,dc=mydomain,dc=com
 adding new entry: cn=Domain Users,ou=Group,dc=ldappdc,dc=mydomain,dc=com
 adding new entry: cn=Domain Guests,ou=Group,dc=ldappdc,dc=mydomain,dc=com
 adding new entry: cn=Domain Computers,ou=Group,dc=ldappdc,dc=mydomain,dc=com
 adding new entry: cn=Administrators,ou=Group,dc=ldappdc,dc=mydomain,dc=com
 adding new entry: cn=Account Operators,ou=Group,dc=ldappdc,dc=mydomain,dc=com
 adding new entry: cn=Print Operators,ou=Group,dc=ldappdc,dc=mydomain,dc=com
 adding new entry: cn=Backup Operators,ou=Group,dc=ldappdc,dc=mydomain,dc=com
 adding new entry: cn=Replicators,ou=Group,dc=ldappdc,dc=mydomain,dc=com
 entry sambaDomainName=MYDOMAIN,dc=ldappdc,dc=mydomain,dc=com already exist. Updating it...
 
 Please provide a password for the domain root:
 Changing UNIX password for root
 New password:
 Retype new password:

You can see that the smbldap-populate script creates a number of users and groups. Some of these are of particular interest.

-l 99 tells the script to use 99 as the group ID of nobody, which matches CentOS's default value.

Domain Users is the default group for new accounts added using the smbldap tools. Its group ID is 513, the value assigned to defaultUserGid in /etc/smbldap-tools/smbldap.conf.

Domain Computers is the default group for new machines added using the smbldap tools. Its group ID is 515, the value assigned to defaultComputerGid in /etc/smbldap-tools/smbldap.conf.

Step 11 - Preparing the Samba directories

Now create the directories to be used by Samba for the netlogon share and the user profiles.

# mkdir -p /var/lib/samba/netlogon
# mkdir /var/lib/samba/profiles
# chmod 2775 /var/lib/samba/profiles
# chgrp 'Domain Users' /var/lib/samba/profiles


Step 12 - Testing the smbldap scripts (Optional section)

Now to test the smbldap setup. We'll run each of the smbldap commands and then search the LDAP database for the changes.

  • Add user script
    # /usr/sbin/smbldap-useradd -a -m "testuser"
    # ldapsearch -b "ou=People,dc=ldappdc,dc=mydomain,dc=com" -x "(uid=testuser)"
    # extended LDIF
    #
    # LDAPv3
    # base <ou=People,dc=ldappdc,dc=mydomain,dc=com> with scope subtree
    # filter: (uid=testuser)
    # requesting: ALL
    #
    
    # testuser, People, pdc.mydomain.com
    dn: uid=testuser,ou=People,dc=ldappdc,dc=mydomain,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    cn: testuser
    sn: testuser
    givenName: testuser
    uid: testuser
    uidNumber: 1000
    gidNumber: 513
    homeDirectory: /home/testuser
    loginShell: /bin/bash
    gecos: System User
    userPassword:: e2NyeXB0fXg=
    
    # search result
    search: 2
    result: 0 Success
      
    # numResponses: 2
    # numEntries: 1
    
  • Add machine script
    # /usr/sbin/smbldap-useradd -w "testmachine"
    # ldapsearch -b "ou=Hosts,dc=ldappdc,dc=mydomain,dc=com" -x "(uid=testmachine$)"
    # extended LDIF
    #
    # LDAPv3
    # base <ou=Hosts,dc=ldappdc,dc=mydomain,dc=com> with scope subtree
    # filter: (uid=testmachine$)
    # requesting: ALL
    #
    
    # testmachine$, Hosts, pdc.mydomain.com
    dn: uid=testmachine$,ou=Hosts,dc=ldappdc,dc=mydomain,dc=com
    objectClass: top
    objectClass: account
    objectClass: posixAccount
    cn: testmachine$
    uid: testmachine$
    uidNumber: 1001
    gidNumber: 515
    homeDirectory: /dev/null
    loginShell: /bin/false
    description: Computer
    gecos: Computer
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    
  • Add group script
    # /usr/sbin/smbldap-groupadd -p "testgroup"
    # ldapsearch -b "ou=Group,dc=ldappdc,dc=mydomain,dc=com" -x "(cn=testgroup)"
    # extended LDIF
    #
    # LDAPv3
    # base <ou=Group,dc=ldappdc,dc=mydomain,dc=com> with scope subtree
    # filter: (cn=testgroup)
    # requesting: ALL
    #
    
    # testgroup, Group, pdc.mydomain.com
    dn: cn=testgroup,ou=Group,dc=ldappdc,dc=mydomain,dc=com
    objectClass: top
    objectClass: posixGroup
    cn: testgroup
    gidNumber: 1002
    
    # search result
    search: 2
    result: 0 Success
      
    # numResponses: 2
    # numEntries: 1
    
  • Add user to group script
    # /usr/sbin/smbldap-groupmod -m "testuser" "testgroup"
    # ldapsearch -b "ou=Group,dc=ldappdc,dc=mydomain,dc=com" -x "(cn=testgroup)"
    # extended LDIF
    #
    # LDAPv3
    # base <ou=Group,dc=ldappdc,dc=mydomain,dc=com> with scope subtree
    # filter: (cn=testgroup)
    # requesting: ALL
    #
    
    # testgroup, Group, pdc.mydomain.com
    dn: cn=testgroup,ou=Group,dc=ldappdc,dc=mydomain,dc=com
    objectClass: top
    objectClass: posixGroup
    cn: testgroup
    gidNumber: 1002
    memberUid: testuser
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    
  • Delete user from group script
    # /usr/sbin/smbldap-groupmod -x "testuser" "testgroup"
    deleting user testuser from group testgroup
    # ldapsearch -b "ou=Group,dc=ldappdc,dc=mydomain,dc=com" -x "(cn=testgroup)"
    # extended LDIF
    #
    # LDAPv3
    # base <ou=Group,dc=ldappdc,dc=mydomain,dc=com> with scope subtree
    # filter: (cn=testgroup)
    # requesting: ALL
    #
    
    # testgroup, Group, pdc.mydomain.com
    dn: cn=testgroup,ou=Group,dc=ldappdc,dc=mydomain,dc=com
    objectClass: top
    objectClass: posixGroup
    cn: testgroup
    gidNumber: 1002
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    
  • Set primary group script
    # /usr/sbin/smbldap-usermod -g "nobody" "testuser"
    # ldapsearch -b "ou=People,dc=ldappdc,dc=mydomain,dc=com" -x "(uid=testuser)"
    # extended LDIF
    #
    # LDAPv3
    # base <ou=People,dc=ldappdc,dc=mydomain,dc=com> with scope subtree
    # filter: (uid=testuser)
    # requesting: ALL
    #
    
    # testuser, People, pdc.mydomain.com
    dn: uid=testuser,ou=People,dc=ldappdc,dc=mydomain,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    cn: testuser
    sn: testuser
    givenName: testuser
    uid: testuser
    uidNumber: 1000
    homeDirectory: /home/testuser
    loginShell: /bin/bash
    gecos: System User
    userPassword:: e2NyeXB0fXg=
    gidNumber: 99
    
    # search result
    search: 2
    result: 0 Success
    # numResponses: 2
    # numEntries: 1
    
  • Delete user script
    # /usr/sbin/smbldap-userdel "testuser"
    # ldapsearch -b "ou=People,dc=ldappdc,dc=mydomain,dc=com" -x "(uid=testuser)"
    # extended LDIF
    #
    # LDAPv3
    # base <ou=People,dc=ldappdc,dc=mydomain,dc=com> with scope subtree
    # filter: (uid=testuser)
    # requesting: ALL
    #
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 1
    
  • Delete group script
    # /usr/sbin/smbldap-groupdel "testgroup"
    # ldapsearch -b "ou=Group,dc=ldappdc,dc=mydomain,dc=com" -x "(cn=testgroup)"
    # extended LDIF
    #
    # LDAPv3
    # base <ou=Group,dc=ldappdc,dc=mydomain,dc=com> with scope subtree
    # filter: (cn=testgroup)
    # requesting: ALL
    #
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 1
    
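In the ldapsearch output above, the userPassword:: line uses a double colon, which in LDIF means the value is base64 encoded; decoded, the testuser value e2NyeXB0fXg= is {crypt}x, a placeholder hash that no password can match, so the account has no usable Unix password until smbldap-passwd sets one. Here is an added helper, not from the original page, that reads such attributes from ldapsearch output; the sample LDIF is constructed from the testuser entry in Step 12.

```shell
#!/bin/bash
# Added helper: read attributes out of ldapsearch LDIF output,
# decoding base64 ("::") values, and report the Unix password state.

# Constructed sample: the testuser entry from Step 12, trimmed to the
# lines the check needs.
SAMPLE='dn: uid=testuser,ou=People,dc=ldappdc,dc=mydomain,dc=com
objectClass: posixAccount
uid: testuser
uidNumber: 1000
gidNumber: 513
userPassword:: e2NyeXB0fXg='

# ldif_attr LDIF ATTR -> first value of ATTR; "ATTR:: x" is base64 and is
# decoded, "ATTR: x" is returned as-is. Returns 1 if ATTR is absent.
ldif_attr() {
  local line
  line=$(printf '%s\n' "$1" | grep -E -m1 "^$2::? ") || return 1
  case $line in
    "$2:: "*) printf '%s' "${line#"$2:: "}" | base64 -d ;;
    *)        printf '%s' "${line#"$2: "}" ;;
  esac
}

# unix_password_state LDIF -> "locked" when userPassword is the {crypt}x
# placeholder written by smbldap-useradd, "set" for any other value,
# "missing" when the entry carries no userPassword at all.
unix_password_state() {
  local pw
  pw=$(ldif_attr "$1" userPassword) || { echo missing; return; }
  if [ "$pw" = "{crypt}x" ]; then echo locked; else echo set; fi
}

echo "testuser gidNumber:    $(ldif_attr "$SAMPLE" gidNumber)"
echo "testuser userPassword: $(ldif_attr "$SAMPLE" userPassword)"
echo "testuser Unix password: $(unix_password_state "$SAMPLE")"
```

Piping real ldapsearch output into the same functions (for example with ldapsearch ... | ldif_attr "$(cat)" userPassword) shows whether an account was left with the placeholder after the add script ran.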


Helper scripts

Add a user
#!/bin/bash
# pdc-useradd.sh - create a domain user in LDAP, set its Samba password
# and prepare its roaming profile directory.
# Usage: pdc-useradd.sh username password
set -e

if [[ $# -ne 2 ]]; then
  echo "Usage: $(basename "$0") username password" >&2
  exit 2
fi

UN=$1
PW=$2

# Add the POSIX and Samba account (-a) and create the home directory (-m)
/usr/sbin/smbldap-useradd -a -m "${UN}"
# smbldap-passwd prompts for the password twice, so feed it twice
(echo "${PW}"; echo "${PW}") | /usr/sbin/smbldap-passwd "${UN}"

# Profile directory owned by the user and the Domain Users group (see Step 11)
PROFILE="/var/lib/samba/profiles/${UN}"
mkdir -p "${PROFILE}"
chown "${UN}":'Domain Users' "${PROFILE}"
chmod 0775 "${PROFILE}"

Q & A and error messages

  • Error:
    Checking configuration files for slapd:  bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap: (2)
    Expect poor performance for suffix dc=ldappdc,dc=mydomain,dc=com.
  • Fix:


  • Error:
    Could not find base dn, to get next uidNumber at /usr/sbin//smbldap_tools.pm line 1179.
  • Fix:

The LDAP entry for the domain is broken. Try rerunning the smbldap-populate command. It will recreate any missing entries or values.


  • Error:
    # net getlocalsid
    [2009/11/04 21:37:27, 0] lib/smbldap_util.c:smbldap_search_domain_info(286)
      smbldap_search_domain_info: Adding domain info for MYDOMAIN failed with NT_STATUS_UNSUCCESSFUL
    SID for domain PDC is: S-1-5-21-527054781-4018017732-713285490
  • Fix:
  1. Delete the /etc/samba/secrets.tdb
  2. Reassign the LDAP password with “smbpasswd -w password”


  • Error: When I try to log in to my domain, Windows complains it cannot find my profile and reports
    The network path not found.

  • Fix:

This is a DNS/NetBIOS name resolution problem. I don't have a silver bullet for this yet. The easiest fix is to update your smb.conf and smbldap.conf files: go through the two files and replace '%L' with the IP address of your Samba PDC server.

