CentOS 5.x Samba Domain Controller With LDAP Backend - Page 2
Setting up remote administration of the ldap directory
Edit /etc/php.ini and make sure memory_limit is set to at least 32 MB:
memory_limit = 32M
Last I checked, the version of phpldapadmin available via yum is broken, so we'll get the latest & extract it: Go To http://sourceforge.net/project/showfiles.php?group_id=61828&package_id=177751 & download the latest version. In my case that resulted in the following commands, your package may be newer:
mkdir /var/www/html/samba && cd /var/www/html/samba
Now edit ./pla/config/config.php and uncommment the following line:
$config->custom->jpeg['tmpdir'] = "/tmp";
Make newly setup software available
service httpd restart
Edit /etc/sysconfig/iptables and copy & modify line about ssh (--dport 22 -j ACCEPT), and right after it, add (assuming your CentOS install produced the default iptables file):
#Allow Https:// -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT #Allow samba: -A RH-Firewall-1-INPUT -m multiport -p udp --dport 137,138 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m multiport -p tcp --dport 139,445 -j ACCEPT
Now open your webbrowser and visit https://192.168.0.5/samba/pla/ and login with Username cn=root,dc=DOMAINNAME & your password. You should be able to look around and see some junk.
Integrate ldap and Samba
mv /etc/samba/smb.conf /etc/samba/smb.conf.dist
Edit /etc/samba/smb.conf to your likings, the default ldap part should be fine.
ldap ssl = off
cp /usr/share/doc/smbldap-tools-0.9.5/smbldap.conf /etc/smbldap-tools/smbldap.conf
Note, net getlocalsid will error a bunch until the end, because you haven't fully configured samba yet -- but will produce the sid you need for the next step.
Edit /etc/smbldap-tools/smbldap.conf and insert sid, domain, etc, all throughout the file till the end.
Edit /etc/smbldap-tools/smbldap_bind.conf and change both applicable lines, change "secret" to your password.
chmod 644 /etc/smbldap-tools/smbldap.conf
Check that the output from authconfig-tui contains:
[ ] Local authorization is sufficient
Now test your samba config:
smbpasswd -w YOUR_ROOT_LDAP_PASS_HERE
smbldap-populate will ask for the password, enter it.
Start the LDAP Samba installation up
Add users/groups, correlate between unix and ldap:
Get a picture of the UNIX groups that aren't there yet that LDAP assumes:
net groupmap list
Output is something like:
Domain Admins (S-1-5-21-990788473-1556064292-4137819756-512) -> domain_admins Domain Users (S-1-5-21-990788473-1556064292-4137819756-513) -> domain_users Domain Guests (S-1-5-21-990788473-1556064292-4137819756-514) -> 514 Domain Computers (S-1-5-21-990788473-1556064292-4137819756-515) -> 515 Administrators (S-1-5-32-544) -> 544 Account Operators (S-1-5-32-548) -> 548 Print Operators (S-1-5-32-550) -> 550 Backup Operators (S-1-5-32-551) -> 551 Replicators (S-1-5-32-552) -> 552
Add correlating groups to unix, using the suggested GIDs:
groupadd -g 514 samba_domain_guests
If you want to add a non-built-in group to LDAP/Samba, say for controlling which users can write/read files on a share, and have it determine that by groups:
smbldap-groupadd -a "People In Our Office"
Then get the output from net groupmap list again and correlate the newly created group # just like last time, adding the group to the unix system:
groupadd -g 1001 samba_people_in_our_office
Add users to LDAP groups via the web interface, then correlate in unix:
usermod -a -G UNIX_GROUP_NAME UNIX_USERNAME
Also add computer accounts to unix, using the group "samba_domain_computers" from above, and where your allowed computer names end with a "$":
useradd -M -g 515 -s /bin/false officecomp1$
Last, but certainly not neccessary, you may want to turn off the unneccesary services CentOS runs by default. I determined that I, specifically, don't need any of the following. You might be different, so look them up before you turn them off:
chkconfig ntpd off
(Optional) Upgrade Samba so Windows 7 computers can join the domain
Make sure ldap ssl = off is set in /etc/samba/smb.conf, as this wasn't required for the CentOS distro version of Samba to run properly, but will be required once we upgrade (3.0.x vs 3.3.x, which supports Windows 7).
We will get the newer samba RPMs built for CentOS from Sernet:
Your samba packages will update from the Sernet repo.
chkconfig --add smb
Now add the Windows 7 computer to Unix (assuming your domain computers' group name is "samba_domain_computers"):
useradd -M -g `cat /etc/group|grep samba_domain_computers|cut -d: -f3` -s /bin/false win7-computername$
Now join your Windows 7 PC to the domain using this official Samba mini guide: