CentOS 5.x Samba Domain Controller With LDAP Backend

 
Submitted by galexander (Contact Author) (Forums) on Fri, 2009-11-06 17:18. :: CentOS | Samba | Storage


This guide shows how to set up a Samba Domain Controller with a local LDAP backend on CentOS 5.x (tested on 5.3, still running successfully on 5.4). It includes a web interface for managing LDAP users, groups and so on.

January 2010 -- Now with support for Windows 7 domain logins (see end of guide).  

 

Disable SELinux:

SELinux will only cause problems with this setup, and this guide does not cover writing policy for slapd, smbd and httpd; it simply disables it. Be aware of what you give up: SELinux is the confinement layer that would limit the damage if one of those daemons were compromised, so on a domain controller you may prefer to leave it permissive long enough to collect the denials and write policy rather than turn it off. To put the running system into permissive mode immediately (the same effect as setenforce 0):

echo 0 >/selinux/enforce

To make the change survive a reboot, within /etc/sysconfig/selinux (a symlink to /etc/selinux/config) set:
SELINUX=disabled

 

Install some tools

rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
yum update
yum install openldap-servers nss_ldap samba httpd openssl mod_ssl mysql mysql-server php php-xml php-ldap php-mysql php-pdo php-cli php-common smbldap-tools

Installing smbldap-tools from the repository pulls in the Perl modules it depends on, but the version in the repository has some bugs, so we upgrade to the latest upstream release afterwards. This keeps the dependencies already installed and replaces only the smbldap-tools package. Note that rpm will install a package whose signing key you have not imported after nothing more than a NOKEY warning, so import the publisher's key or verify the file out of band first; this tooling runs as root and will manage your domain accounts:

rpm -Uvh http://download.gna.org/smbldap-tools/packages/smbldap-tools-0.9.5-1.noarch.rpm

 

Set up the hostname

For the purposes of this guide the server's hostname is "dc1" and the domain is "DOMAINNAME". Note: if you want to use your FQDN for your Samba domain, then wherever you see ,dc=DOMAINNAME below, replace it with ,dc=example,dc=com (assuming your FQDN is example.com); each DNS label becomes its own dc= component. Also note that "root" will be the Samba administrator username; if you don't like that, change it as well. The related lines are cn=root and cn: root.

Within /etc/hosts, add or replace your line (following the file's format, assuming 192.168.0.5 is your server's network-accessible IP):

192.168.0.5 dc1.DOMAINNAME dc1

Set your hostname on the command line (this affects the running system only; to keep it across reboots, also set HOSTNAME=dc1.DOMAINNAME in /etc/sysconfig/network):

hostname dc1.DOMAINNAME

 

Generate a master password and set up ldap

slappasswd

slappasswd prompts for the password twice and prints a salted SHA-1 hash of it in {SSHA} form. Note the output; you will insert it into slapd.conf in a minute.

mv -f /etc/openldap/slapd.conf /etc/openldap/slapd.conf.dist

Insert the following text into /etc/openldap/slapd.conf:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

database bdb
suffix "dc=DOMAINNAME"
rootdn "cn=root,dc=DOMAINNAME"
rootpw {SSHA}TTzshhAbmZPPb8F2s7sgf9B+IrZt+nUD
password-hash {SSHA}
directory /var/lib/ldap

index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass pres,eq
index default sub

The rootpw line in the text above is where you paste your output from slappasswd; the {SSHA} value shown is only a placeholder from the author's system. Two things to be aware of in this configuration: rootdn/rootpw bypass all access control, so treat that password as the master key to the directory; and the file contains no access directives, so slapd falls back to its built-in default of read access for everyone, including anonymous binds. Before Samba accounts are added to this directory, add access rules that let only the entry's owner and the administrator read userPassword and the sambaLMPassword/sambaNTPassword attributes and deny them to everyone else. An NT hash is password-equivalent for SMB authentication, so anyone who can read it can authenticate as that user.
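As an added example (not part of the original guide), the following Python reproduces what slappasswd does for its default {SSHA} scheme, base64(SHA-1(password + 4-byte salt) + salt), so you can confirm that the rootpw line you pasted into slapd.conf really corresponds to the password you think it does before starting slapd. The function names, and the slapd.conf text and password used when testing it, are constructed for this example.

```python
"""Generate and verify OpenLDAP {SSHA} hashes the way slappasswd does (added example)."""
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"
SHA1_LEN = 20  # a SHA-1 digest is always 20 bytes; whatever follows it in the blob is the salt


def ssha_hash(password, salt=None):
    """Return a {SSHA} string in the exact format slappasswd prints.

    slappasswd uses a random 4-byte salt by default. Pass a salt explicitly only
    for reproducible tests, never when generating a real rootpw.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a {SSHA} hash; the salt is recovered from the hash itself."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} hash: %r" % stored)
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(candidate, digest)


def rootpw_matches(slapd_conf_text, password):
    """Find the rootpw directive in slapd.conf text and verify the password against it."""
    for line in slapd_conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "rootpw":
            return ssha_verify(password, parts[1].strip())
    raise ValueError("no rootpw directive found")


if __name__ == "__main__":
    import getpass
    # Prints a hash you can paste into slapd.conf, like slappasswd does.
    print(ssha_hash(getpass.getpass("New password: ")))
```

Run it with the slapd.conf contents and the password you intend to use: rootpw_matches(open("/etc/openldap/slapd.conf").read(), password) returns True only if the pasted hash was produced from that password.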

cp /usr/share/doc/samba-3.*/LDAP/samba.schema /etc/openldap/schema/
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
chmod 600 /var/lib/ldap/DB_CONFIG

Insert the following text into /etc/openldap/init.ldif. The blank line between the two entries matters: LDIF separates entries with blank lines, and without it slapadd reads both dn lines as a single entry and fails with "str2entry: entry -1 has multiple DNs". Also, the value of dc must be the value of the first DN component, so dc=example,dc=com takes dc: example, not dc: example.com.

dn: dc=DOMAINNAME
objectclass: dcObject
objectclass: organization
o: CentOS Directory Server
dc: DOMAINNAME

dn: cn=root,dc=DOMAINNAME
objectclass: organizationalRole
cn: root

slapadd -l /etc/openldap/init.ldif
chown -R ldap:ldap /var/lib/ldap
chmod 600 /var/lib/ldap/*
slapcat

slapadd writes the database files as root, which is why the ownership and mode fix-up follows it. The chmod applies only to the files matched by the glob; the directory /var/lib/ldap itself must stay at mode 755 and owned by ldap, otherwise slapd cannot open its database and fails to start.

slapcat should produce something very similar to the following output:

dn: dc=DOMAINNAME
objectClass: dcObject
objectClass: organization
o: CentOS Directory Server
dc: DOMAINNAME
structuralObjectClass: organization
entryUUID: 717d1b1e-ce90-102d-88c3-df22563ebfee
creatorsName: cn=root,dc=DOMAINNAME
modifiersName: cn=root,dc=DOMAINNAME
createTimestamp: 20090506134920Z
modifyTimestamp: 20090506134920Z
entryCSN: 20090506134920Z#000000#00#000000

dn: cn=root,dc=DOMAINNAME
objectClass: organizationalRole
cn: root
structuralObjectClass: organizationalRole
entryUUID: 71858556-ce90-102d-88c4-df22563ebfee
creatorsName: cn=root,dc=DOMAINNAME
modifiersName: cn=root,dc=DOMAINNAME
createTimestamp: 20090506134920Z
modifyTimestamp: 20090506134920Z
entryCSN: 20090506134920Z#000001#00#000000

service ldap start
chkconfig ldap on
ldapsearch -x -b "dc=DOMAINNAME"

The output from ldapsearch should be very similar to the following:

# extended LDIF
#
# LDAPv3
# base <dc=domainname> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# DOMAINNAME
dn: dc=DOMAINNAME
objectClass: dcObject
objectClass: organization
o: CentOS Directory Server
dc: DOMAINNAME

# root, DOMAINNAME
dn: cn=root,dc=DOMAINNAME
objectClass: organizationalRole
cn: root

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

Submitted by Rob Daglish (not registered) on Mon, 2011-08-01 14:06.

Hi,

Thanks for an excellent howto. Just a small point of clarification though:

 When setting up the init.ldif, I misunderstood the way that domains were created, so dived straight in with dc=location1,dc=company,dc=local, which meant I then struggled to create dc=location2,dc=company,dc=local, as I couldn't browse dc=company,dc=local or dc=local as I hadn't created them.

 Once I realised my mistake, I removed all the files from /var/lib/ldap and started again with a fresh init.ldif file, creating dc=local, then dc=company,dc=local, and finally dc=location1,dc=company,dc=local and dc=location2,dc=company,dc=local.

I know it's a small point, but for people like me coming from MS, where AD will automatically create all the containers necessary, it took a little bit of figuring out. Oh, and I managed to re-import all of the data I'd already input by doing slapcat -l /tmp/mydata.ldif and then doing a slapadd -l /tmp/mydata.ldif once I'd created dc=local and dc=company,dc=local.

 Now I've just got to master replication across servers!

Submitted by sportivo888 (registered user) on Fri, 2011-01-14 09:10.

I have managed to create the "ldif".

Then I got stuck here when running "service ldap start":

[root@homeshare openldap]# service ldap start
Checking configuration files for slapd:  bdb_db_open: alock package is unstable
backend_startup_one: bi_db_open failed! (-1)
slap_startup failed (test would succeed using the -u switch)
                                                           [FAILED]
stale lock files may be present in /var/lib/ldap           [WARNING]

 

Any idea why i cannot start the service?

Cheers,

Submitted by MoChaMan (not registered) on Mon, 2011-07-18 22:29.

You might try rechecking the ownership and permissions on /var/lib/ldap and the files within. If you run 'chmod -R 600 /var/lib/ldap', for instance, you will prevent access to that directory, since the directory must have 755 permissions even if the files have 600 permissions. This is easy to miss and actually cost me a couple of hours running 'strace / db_recover / chcon / etc.' when the solution was much easier. My correct directory listing is below.

[~] # ll /var/lib/ldap
total 88040
drwxr-xr-x  2 ldap ldap      4096 Jul 18 16:43 .
drwxr-xr-x 31 root root      4096 Jul 18 16:47 ..
-rw-------  1 ldap ldap      2048 Jul 18 17:18 alock
-rw-------  1 ldap ldap      8192 Jul 18 16:43 cn.bdb
-rw-------  1 ldap ldap     24576 Jul 18 17:18 __db.001
-rw-------  1 ldap ldap 104857600 Jul 18 17:18 __db.002
-rw-------  1 ldap ldap 335552512 Jul 18 17:18 __db.003
-rw-------  1 ldap ldap   2359296 Jul 18 17:18 __db.004
-rw-------  1 ldap ldap    557056 Jul 18 17:18 __db.005
-rw-------  1 ldap ldap     24576 Jul 18 17:18 __db.006
-rw-------  1 ldap ldap       921 Jul 18 16:34 DB_CONFIG
-rw-------  1 ldap ldap      8192 Jul 18 16:43 dn2id.bdb
-rw-------  1 ldap ldap     32768 Jul 18 16:43 id2entry.bdb
-rw-------  1 ldap ldap  10485760 Jul 18 16:43 log.0000000001
-rw-------  1 ldap ldap      8192 Jul 18 16:43 objectClass.bdb
[~] #

Submitted by ryanez (not registered) on Tue, 2010-10-12 00:16.

Meant to post this a while back; not sure if everyone gets the same issue, but after running the yum installs in the first step, some Jcode and Map8, String, etc. Perl modules are needed for smbldap-tools.

If anyone experiences that, you can make sure all the RPMs are installed before smbldap-tools by doing:

yum install openldap openldap-clients openldap-servers nss_ldap samba samba-client httpd openssl mod_ssl mysql mysql-server php php-xml php-ldap php-mysql php-pdo php-cli php-common perl-LDAP smbldap-tools perl-Digest-SHA1 perl-Digest-SHA perl-Unicode-String perl-Unicode-Map8 perl-Unicode-Map perl-Unicode-MapUTF8 perl-Jcode screen sysstat dstat

The last three packages are for my monitoring of the servers. Hope this helps anyone.

Submitted by istvan550 (not registered) on Sat, 2011-02-26 15:29.

I was able to find most of the dependencies needed but the 2 below got me stumped.

I'm  installing "smbldap-tools-0.9.5-1.noarch.rpm"

 error: Failed dependencies:
        /usr/share/perl5/vendor_perl is needed by smbldap-tools-0.9.5-1.noarch
        rpmlib(PayloadIsLzma) <= 4.4.6-1 is needed by smbldap-tools-0.9.5-1.noarch

 

Thanks for any help or direction.

Submitted by istvan550 (not registered) on Sat, 2011-02-26 14:35.

Hi. I'm trying to work through this tutorial and I'm getting stuck here. I'm using CentOS 5.5.

---------------------------------------------------------------------------------------------------

 [root@myserver1 ~]# rpm -Uvh ftp://ftp.pbone.net/mirror/ftp.pld-linux.org/dists/3.0/PLD/noarch/RPMS/smbldap-tools-0.9.5-1.noarch.rpm
Retrieving ftp://ftp.pbone.net/mirror/ftp.pld-linux.org/dists/3.0/PLD/noarch/RPMS/smbldap-tools-0.9.5-1.noarch.rpm
warning: /var/tmp/rpm-xfer.1kSnFL: Header V3 DSA signature: NOKEY, key ID e4f1bc2d
error: Failed dependencies:
        /usr/share/perl5/vendor_perl is needed by smbldap-tools-0.9.5-1.noarch
        perl(Crypt::SmbHash) is needed by smbldap-tools-0.9.5-1.noarch
        perl(Unicode::MapUTF8) is needed by smbldap-tools-0.9.5-1.noarch
        rpmlib(PayloadIsLzma) <= 4.4.6-1 is needed by smbldap-tools-0.9.5-1.noarch

-------------------------------------------------------------------------------------------------

This may be an easy fix but I'm a newbie. I have found some of the dependencies but not sure
which versions to install. Thank you. 

Submitted by Anonymous (not registered) on Fri, 2010-08-27 23:04.

All -

 I'm starting to understand a lot more about LDAP. I would suggest that anyone who wants to implement a good solid PDC using Samba with an LDAP backend, first learn what LDAP is all about. Out of all the tutorials, including this one, I have seen, not much information is given about LDAP's inner workings. Go get yourself an LDAP book or better yet find one of the LinuxCBT tutorial videos on setting up LDAP. This is really the biggest part of the implementation and understanding it well will give you an edge on getting a PDC in the works. It will also give you a better background for troubleshooting and setting up nicer features to your PDC.

Submitted by Anonymous (not registered) on Thu, 2010-08-26 13:16.

it doesn't work. my init.ldif file's configuration is:

 

dn: dc=youngasia,dc=tv
objectClass: dcObject
objectClass: organization
o: CentOS Directory Server
dc: youngasia
dn: cn=root,dc=youngasia,dc=tv
objectClass: organizationalRole
cn: root

ERROR is:

str2entry: entry -1 has multiple DNs "dc=youngasia,dc=tv" and "cn=root,dc=youngasia,dc=tv"
slapadd: could not parse entry (line=9)

If anyone can pls help me:

 

Submitted by Anonymous (not registered) on Mon, 2010-08-16 21:44.

I am attempting to make an LDAP Samba PDC for one of our groups here at the workplace. My hang up is when I follow the tutorial above I run into some issues.

I understand the structure, sort of, but when I try to extend it to my network, I get all sorts of errors. My domain is the following: *.la.asu.edu, and of course I have a server set up with its own domain name; let's call it domaincontroller. So my FQDN is: domaincontroller.la.asu.edu. Now, in the setup I would assume the following configuration would work:

[init.ldif]:

dn: dc=la,dc=asu,dc=edu
objectclass: dcObject
objectclass: organization
o: PGG Domain Controller
dc: la.asu.edu

dn: cn=root,dc=la,dc=asu,dc=edu
objectclass: organizationalRole
cn: root

However, it doesn't like that dc: la.asu.edu line. I see in the example that it should just be dc: la, but shouldn't this be the FQDN? I guess I'm having trouble understanding how to set up the config files for a PDC that will run on the domain *.la.asu.edu. Can anyone clear this up for me? I don't have a simple example.com domain, so this is where my problem lies. When I try to run the slapadd it complains about the dc: la.asu.edu line; if I change it to simply dc: la, slapadd works, but then when I try to start the ldap service, I get a warning and ldap won't start.

Any help? Thanks so much and also for the great tutorial!

 

Submitted by StinGer_ShoGuN (registered user) on Fri, 2010-07-09 16:55.

Thank you for this great Howto, I got it working finally.

However, there is now a big modification for CentOS 5.5 (maybe other releases, I don't know): you must not use the samba package, but the samba3x package. If samba is already installed, erase it and all its related packages and install samba3x.

Cheers !

Submitted by rdevries (not registered) on Fri, 2010-08-27 20:40.

can someone update the procedure with the samba3x info?

Trying to do a fresh install of Centos 5.5 and make it into the PDC

thanks

Submitted by David Gonzalez (not registered) on Thu, 2010-07-08 20:29.

Hey there, this tutorial is great, in fact howtoforge rocks, I've learned so much by reading here.

Although I've set up my Samba to be PDC and it works, when I try to implement the instructions to use LDAP, at this step:

slapadd -l /etc/openldap/init.ldif

I get

[root@dbserver samba]# slapadd -l /etc/openldap/init.ldif
bdb(dc=DGHVOIP,dc=lan): no absolute path for the current directory: No such file or directory
bdb_db_open: Database cannot be opened, err 2. Restore from backup!
bdb(dc=DGHVOIP,dc=lan): DB_ENV->lock_id_free interface requires an environment configured for the locking subsystem
bdb(dc=DGHVOIP,dc=lan): txn_checkpoint interface requires an environment configured for the transaction subsystem
bdb_db_close: txn_checkpoint failed: Invalid argument (22)
backend_startup_one: bi_db_open failed! (2)
slap_startup failed

Kinda stuck here as the server won't start or anything. I followed the tutorial, but as you see I changed EXAMPLE for dc=DGHVOIP,dc=lan.

Again GREAT tutorial.

Any hints would be appreciated.

Thanks

Submitted by Anonymous (not registered) on Wed, 2010-02-10 17:03.

Thanks. A new tutorial in French for CentOS 5.4:

http://reazy64.blogspot.com/

Submitted by nani (not registered) on Fri, 2010-01-15 06:43.

Great tutorial. It needs explanation on smb.conf, logon scripts and adding users via LDAP admin; that will help more.

Thank you a lot. You made my life simpler.

 

Submitted by Anonymous (not registered) on Wed, 2009-12-30 19:52.

I have this problem.

 I have exactly same init.ldif file as in tutorial.

 any help?

Thanks!

 slapadd -l /etc/openldap/init.ldif

<rootpw> can only be set when rootdn is under suffix

 slapadd: bad configuration file!

Submitted by binaryrogue (registered user) on Fri, 2009-11-13 08:05.

[root@centos openldap]# slapadd -l /etc/openldap/init.ldif
str2entry: entry -1 has multiple DNs "dc=example,dc=com" and "cn=admin,dc=example,dc=com"
slapadd: could not parse entry (line=9)

 

I'm stuck here. Please advise.

Submitted by Anonymous (not registered) on Sun, 2009-11-15 16:52.

I have a same problem.

 I have exactly same init.ldif file as in tutorial.

 any help?

Thanks! H.

Submitted by galexander (registered user) on Fri, 2009-11-13 18:06.
What does your /etc/openldap/init.ldif look like?
Submitted by Anonymous (not registered) on Mon, 2009-11-16 13:41.

I get the error:

[root@linuxdc openldap]# slapadd -l /etc/openldap/init.ldif
str2entry: entry -1 has multiple DNs "dc=kaldom.local" and "cn=root,dc=kaldom.local"
slapadd: could not parse entry (line=9)

I have also tried with your example, and get the answer.

My ldif file is as follows:

dn: dc=kaldom.local
objectclass: dcObject
objectclass: organization
o: CentOS Directory Server
dc: kaldom.local
dn: cn=root,dc=kaldom.local
objectclass: organizationalRole
cn: root

Some help here would be very appreciated.

Submitted by Oscar Soares (not registered) on Fri, 2010-04-30 13:47.

Hello boss,

You need a blank line between lines 5 and 6, like this:

dn: dc=kaldom.local
objectclass: dcObject
objectclass: organization
o: CentOS Directory Server
dc: kaldom.local


dn: cn=root,dc=kaldom.local
objectclass: organizationalRole
cn: root

 

That's all... Ozkr

Submitted by galexander (registered user) on Mon, 2009-12-07 06:22.

As "pierre73" suggests below, read more closely.

dn: dc=kaldom.local

and

dn: cn=root,dc=kaldom.local

 need to be:

dn: dc=kaldom,dc=local

dn: cn=root,dc=kaldom,dc=local

Submitted by Fabrício Lima (not registered) on Thu, 2010-01-14 21:34.

#domain -> domain.com

dn: dc=domain,dc=com
objectclass: dcObject
objectclass: organization
o: Domain Server
dc: domain

dn: cn=root,dc=domain,dc=com
objectclass: organizationalRole
cn: root

Submitted by tsakf (not registered) on Sat, 2009-11-07 21:02.

I liked the article very much, so it's already added to my library.
 

Submitted by pierre73 (not registered) on Wed, 2009-11-18 11:18.

You should pay attention to line spacing among LDAP entries in init.ldif.

The following init.ldif file worked for me:

dn: dc=EXAMPLE,dc=COM
objectclass: dcObject
objectclass: organization
o: EXAMPLE
dc: EXAMPLE

dn: cn=root,dc=EXAMPLE,dc=COM
objectclass: organizationalRole
cn: root

Cheers,

Submitted by atul (not registered) on Thu, 2010-02-25 10:09.

Thanks mate, it worked... I was getting the error message below:

str2entry: entry -1 has multiple DNs "dc=logicalsteps,dc=net" and "cn=root,dc=logicalsteps,dc=net"
slapadd: could not parse entry (line=9)

Fixed it by following your suggestion.

 My init.ldif looks like this. I have added line number for reference

 

  1 dn: dc=domainname,dc=net
  2 objectclass: dcObject
  3 objectclass: organization
  4 o: domainname
  5 dc: domainname
  6
  7 dn: cn=root,dc=domainname,dc=net
  8 objectclass: organizationalRole
  9 cn: root

Submitted by mike@Philippines (not registered) on Fri, 2009-12-11 03:10.

Hi!

I followed the instructions above. But, somehow i'm stuck like them...

 

dn: dc=hit,dc=com
objectclass: dcObject
objectclass: organization
o: hit.com
dc: hit.com
dn: cn=root,dc=hit,dc=com
objectclass: organizationalRole
cn: root

 

I already installed CentOS 3 times (from scratch) but I'm still stuck on this section.

 

Please help.. :(

Submitted by AlittleHelp (not registered) on Mon, 2009-12-14 22:48.

Hi,

This is how your setup is currently configured.

dn: dc=hit,dc=com
objectclass: dcObject
objectclass: organization
o: hit.com
dc: hit.com
dn: cn=root,dc=hit,dc=com
objectclass: organizationalRole
cn: root

Should be setup like this.

dn: dc=hit,dc=com
objectclass: dcObject
objectclass: organization
o: hit.com
dc: hit
dn: cn=root,dc=hit,dc=com
objectclass: organizationalRole
cn: root

Hope that helps you out, DC should just be HIT not HIT.Com

Submitted by Gene Poole (not registered) on Wed, 2010-04-21 22:27.

Here's my ldif:

 [root@jpdsys3 ~]# cat /etc/openldap/init.ldif
dn: dc=jpdesignsinc,dc=com
objectclass: dcObject
objectclass: organization
o: jpdesignsinc
dc: jpdesignsinc

dn: cn=root,dc=jpdesignsinc,dc=com
objectclass: organizationalRole
cn: root

The message I'm getting is:

 [root@jpdsys3 ~]# slapadd -l /etc/openldap/init.ldif
slapadd: line 6: database (dc=jpdesignsinc) not configured to hold "dc=jpdesignsinc,dc=com"
slapadd: line 6: database (dc=jpdesignsinc) not configured to hold "dc=jpdesignsinc,dc=com"
[root@jpdsys3 ~]#

Submitted by Snacho (not registered) on Sat, 2010-01-23 07:00.

I figured it out... there must be a blank line between dn entries. So the right form is:

dn: dc=hit,dc=com
objectclass: dcObject
objectclass: organization
o: hit.com
dc: hit


dn: cn=root,dc=hit,dc=com
objectclass: organizationalRole
cn: root

Submitted by fredy_ruiz (registered user) on Thu, 2010-03-04 16:44.

this is my file init.ldif

dn: dc=dominio,dc=com
objectclass: dcObject
objectclass: organization
o: PDC
dc: dominio
dn: cn=admin,dc=dominio,dc=com
objectclass: organizationalRole
cn: admin

when i run

# slapadd -l /etc/openldap/init.ldif

get the following error

str2entry: entry -1 has multiple DNs "dc=dominio,dc=com" and "cn=admin,dc=dominio,dc=com"
slapadd: could not parse entry (line=9)

 

help!!!

Submitted by Anonymous (not registered) on Tue, 2010-06-08 15:43.
Put a blank line before the dn: cn=admin,dc=dominio,dc=com line, otherwise slapadd thinks the entire block is one ldif entry when you really have two.
Submitted by ken (not registered) on Fri, 2010-04-02 03:11.

i have the same problem :|

i tried to do follow this: http://www.howtoforge.com/centos-5.x-samba-domain-controller-with-ldap-backend

Submitted by Ken Han (not registered) on Tue, 2010-03-16 02:13.

Please put a blank line after "dc: dominio " and "cn: admin" and try.

 

--------------------------------------------------

dn: dc=dominio,dc=com
objectclass: dcObject
objectclass: organization
o: PDC
dc: dominio


dn: cn=admin,dc=dominio,dc=com
objectclass: organizationalRole
cn: admin

 

--------------------------------------------------

Submitted by galexander (registered user) on Thu, 2010-03-11 17:58.

check the reply right above you???

"there must a blank line between dn entries."