
Debian 6 Samba Server Samba PDC#1


Samba PDC#1 - Configure Domain Controller

  Build a Primary Domain Controller with Samba + OpenLDAP. An LDAP server must already be running on your LAN, and the server you want to build as the PDC must also be configured as an LDAP client. 


1. Change the OpenLDAP server's settings.


root@master:~# aptitude -y install samba-doc 


root@master:~# cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/ 

root@master:~# gzip -d /etc/ldap/schema/samba.schema.gz 

root@master:~# vi schema_convert.conf 


# create new

include /etc/ldap/schema/core.schema

include /etc/ldap/schema/collective.schema

include /etc/ldap/schema/corba.schema

include /etc/ldap/schema/cosine.schema

include /etc/ldap/schema/duaconf.schema

include /etc/ldap/schema/dyngroup.schema

include /etc/ldap/schema/inetorgperson.schema

include /etc/ldap/schema/java.schema

include /etc/ldap/schema/misc.schema

include /etc/ldap/schema/nis.schema

include /etc/ldap/schema/openldap.schema

include /etc/ldap/schema/ppolicy.schema

include /etc/ldap/schema/samba.schema


root@master:~# mkdir -p ./tmp/ldif_output 

root@master:~# slapcat -f schema_convert.conf -F ./tmp/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > ./tmp/cn=samba.ldif 

root@master:~# vi ./tmp/cn=samba.ldif 


# lines 1 and 3: change ( remove "{12}" )

dn: cn=samba,cn=schema,cn=config

objectClass: olcSchemaConfig

cn: samba


# remove the lines below ( placed at the bottom of the file )

structuralObjectClass: olcSchemaConfig

entryUUID: bd8a7a82-3cb8-102f-8d5f-070b4e5d16f8

creatorsName: cn=config

createTimestamp: 20100815125953Z

entryCSN: 20100815125953.198505Z#000000#000#000000

modifiersName: cn=config

modifyTimestamp: 20100815125953Z


root@master:~# ldapadd -Y EXTERNAL -H ldapi:/// -f ./tmp/cn=samba.ldif 

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=samba,cn=schema,cn=config"


root@master:~# vi samba_indexes.ldif 


# create new

dn: olcDatabase={1}hdb,cn=config

changetype: modify

add: olcDbIndex

olcDbIndex: uidNumber eq

olcDbIndex: gidNumber eq

olcDbIndex: loginShell eq

olcDbIndex: uid eq,pres,sub

olcDbIndex: memberUid eq,pres,sub

olcDbIndex: uniqueMember eq,pres

olcDbIndex: sambaSID eq

olcDbIndex: sambaPrimaryGroupSID eq

olcDbIndex: sambaGroupType eq

olcDbIndex: sambaSIDList eq

olcDbIndex: sambaDomainName eq

olcDbIndex: default sub


root@master:~# ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_indexes.ldif 

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

modifying entry "olcDatabase={1}hdb,cn=config"


root@master:~# /etc/init.d/slapd restart

Stopping OpenLDAP: slapd.

Starting OpenLDAP: slapd.




2. Change Samba's settings. The Samba PDC is also an LDAP client.


root@lan:~# aptitude -y install smbldap-tools 


root@lan:~# mv /etc/samba/smb.conf /etc/samba/smb.conf.bak 

root@lan:~# cp /usr/share/doc/smbldap-tools/examples/smb.conf /etc/samba/smb.conf 

root@lan:~# vi /etc/samba/smb.conf 


# line 3: change the workgroup name to whatever you like

workgroup = ServerWorld


# line 12: comment it out

#min passwd length = 3


# line 22: change

ldap passwd sync = yes


# line 33,34: change

Dos charset = CP932

Unix charset = UTF-8


# line 47: specify ldap server

passdb backend = ldapsam:ldap://10.0.0.100/


# line 48: change LDAP admin DN (LDAP server's one)

ldap admin dn = cn=admin,dc=server,dc=world


# line 50: change LDAP suffix (LDAP server's one)

ldap suffix = dc=server,dc=world

ldap group suffix = ou=groups

ldap user suffix = ou=people


# line 60: uncomment

delete group script = /usr/sbin/smbldap-groupdel "%g"


# line 64: add (specify admin user), no SSL — with `ldap ssl = no` the Samba-to-LDAP bind (using the admin DN password stored via smbpasswd -W) crosses the LAN unencrypted; use `ldap ssl = start tls` if the directory offers TLS

set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

admin users = domainadm

ldap ssl = no


root@lan:~# mkdir /home/netlogon 

root@lan:~# /etc/init.d/samba restart 

Stopping Samba daemons: nmbd smbd.

Starting Samba daemons: nmbd smbd.


root@lan:~# smbpasswd -W # store the LDAP admin's password

Setting stored password for "cn=admin,dc=server,dc=world" in secrets.tdb

New SMB password:# LDAP admin password

Retype new SMB password: 


root@lan:~# gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz 

root@lan:~# perl /usr/share/doc/smbldap-tools/configure.pl 

$# is no longer supported at /usr/share/doc/smbldap-tools/configure.pl line 314.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

smbldap-tools script configuration

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Before starting, check

. if your samba controller is up and running.

. if the domain SID is defined (you can get it with the 'net getlocalsid')


. you can leave the configuration using the Crtl-c key combination

. empty value can be set with the "." character

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Looking for configuration files...


Samba Configuration File Path [/etc/samba/smb.conf] > # Enter


The default directory in which the smbldap configuration files are stored is shown.

If you need to change this, enter the full directory path, then press enter to continue.

Smbldap-tools Configuration Directory Path [/etc/smbldap-tools/] >   # Enter

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Let's start configuring the smbldap-tools scripts ...


. workgroup name: name of the domain Samba act as a PDC

workgroup name [ServerWorld] > # Enter

. netbios name: netbios name of the samba controler

netbios name [PDC-SRV] > # Enter

. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'

logon drive [H:] > # Enter

. logon home: home directory location (for Win95/98 or NT Workstation).

(use %U as username) Ex:'\\PDC-SRV\%U'

logon home (press the "." character if you don't want homeDirectory) [\\PDC-SRV\%U] > .   # input a period

. logon path: directory where roaming profiles are stored. Ex:'\\PDC-SRV\profiles\%U'

logon path (press the "." character if you don't want roaming profile) [\\PDC-SRV\profiles\%U] > .   # input a period

. home directory prefix (use %U as username) [/home/%U] > # Enter

. default users' homeDirectory mode [700] > # Enter

. default user netlogon script (use %U as username) [logon.bat] >   # Enter

default password validation time (time in days) [45] > # Enter

. ldap suffix [dc=server,dc=world] > # Enter

. ldap group suffix [ou=groups] > # Enter

. ldap user suffix [ou=people] > # Enter

. ldap machine suffix [ou=Computers] > # Enter

. Idmap suffix [ou=Idmap] > # Enter

. sambaUnixIdPooldn: object where you want to store the next uidNumber

and gidNumber available for new users and groups

sambaUnixIdPooldn object (relative to ) [sambaDomainName=ServerWorld] >   # Enter

. ldap master server: IP adress or DNS name of the master (writable) ldap server

ldap master server [10.0.0.100] > # Enter

. ldap master port [389] > # Enter

. ldap master bind dn [cn=admin,dc=server,dc=world] > # Enter

. ldap master bind password [] > # LDAP admin password

. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one

ldap slave server [10.0.0.100] > # specify the LDAP slave's IP (just press Enter to leave it empty if none)

. ldap slave port [389] > # Enter

. ldap slave bind dn [cn=admin,dc=server,dc=world] > # Enter

. ldap slave bind password [] > # enter the slave's bind password if it has one; otherwise enter the same password as the master

. ldap tls support (1/0) [0] > # Enter

. SID for domain SERVERWORLD: SID of the domain (can be obtained with 'net getlocalsid PDC-SRV')

SID for domain SERVERWORLD [S-1-5-21-2752024775-1437179205-4226352253] >   # Enter

. unix password encryption: encryption used for unix passwords

unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5   # MD5 (plain MD5 is unsalted and weaker than the SSHA default; keep SSHA unless something requires MD5)

. default user gidNumber [513] > # Enter

. default computer gidNumber [515] > # Enter

. default login shell [/bin/bash] > # Enter

. default skeleton directory [/etc/skel] > # Enter

. default domain name to append to mail adress [] > # Enter

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Use of uninitialized value $# in concatenation (.) or string at /usr/share/doc/smbldap-tools/configure.pl line 314, <STDIN> line 33.

backup old configuration files:

  /etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old

  /etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old

writing new configuration file:

  /etc/smbldap-tools/smbldap.conf done.

  /etc/smbldap-tools/smbldap_bind.conf done.

root@lan:~# smbldap-populate 

Populating LDAP directory for domain ServerWorld (S-1-5-21-2752024775-1437179205-4226352253)

(using builtin directory structure)


entry dc=server,dc=world already exist.

entry ou=people,dc=server,dc=world already exist.

entry ou=groups,dc=server,dc=world already exist.

adding new entry: ou=Computers,dc=server,dc=world

adding new entry: ou=Idmap,dc=server,dc=world

adding new entry: uid=root,ou=people,dc=server,dc=world

adding new entry: uid=nobody,ou=people,dc=server,dc=world

adding new entry: cn=Domain Admins,ou=groups,dc=server,dc=world

adding new entry: cn=Domain Users,ou=groups,dc=server,dc=world

adding new entry: cn=Domain Guests,ou=groups,dc=server,dc=world

adding new entry: cn=Domain Computers,ou=groups,dc=server,dc=world

adding new entry: cn=Administrators,ou=groups,dc=server,dc=world

adding new entry: cn=Account Operators,ou=groups,dc=server,dc=world

adding new entry: cn=Print Operators,ou=groups,dc=server,dc=world

adding new entry: cn=Backup Operators,ou=groups,dc=server,dc=world

adding new entry: cn=Replicators,ou=groups,dc=server,dc=world

entry sambaDomainName=ServerWorld,dc=server,dc=world already exist. Updating it...


Please provide a password for the domain root:

Changing UNIX and samba passwords for root

New password: # set root password

Retype new password: 


# add the admin user that is defined in smb.conf

root@lan:~# smbldap-groupadd -a domainadm 

root@lan:~# smbldap-useradd -am -g domainadm domainadm 

root@lan:~# smbldap-passwd domainadm 

Changing UNIX and samba passwords for domainadm

New password:

Retype new password:

root@lan:~# su - domainadm # verify by switching to the added user

domainadm@lan:/$ # done



※ Next manual


저작자 표시 비영리 변경 금지