CentOS 5.x Samba Domain Controller With LDAP Backend
This guide shows how to set up a Samba Domain Controller with a local LDAP backend on CentOS 5.x (tested on 5.3, still successfully running on 5.4). It also includes a web interface for managing LDAP users, groups, etc.
January 2010 -- Now with support for Windows 7 domain logins (see end of guide).
Disable SELinux
It will only cause problems here; this guide does not touch SELinux other than to disable it.
echo 0 >/selinux/enforce
Within /etc/sysconfig/selinux, set:
SELINUX=disabled
Install some tools
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
yum update
yum install openldap-servers nss_ldap samba httpd openssl mod_ssl mysql mysql-server php php-xml php-ldap php-mysql php-pdo php-cli php-common smbldap-tools
Installing smbldap-tools this way should pull in all the Perl modules it depends on. However, the version available through yum has some bugs, so we upgrade to the latest version afterwards, keeping the dependencies but overwriting the smbldap-tools package:
rpm -Uvh http://download.gna.org/smbldap-tools/packages/smbldap-tools-0.9.5-1.noarch.rpm
Set up the hostname
For the purposes of this guide, the server's hostname is "dc1" and the domain is "DOMAINNAME". Note: if you want to use your FQDN for your Samba domain, replace ,dc=DOMAINNAME wherever it appears below with ,dc=example,dc=com (assuming your FQDN is example.com). Also note that "root" will be the Samba administrator username; if you would rather use something else, change it as well. The related lines are cn=root and cn: root.
Within /etc/hosts, add or replace your line (following the file's format, assuming 192.168.0.5 is your server's network-accessible IP):
192.168.0.5 dc1.DOMAINNAME dc1
Set your hostname on the command line:
hostname dc1.DOMAINNAME
Generate a master password and set up LDAP
slappasswd
Note the output of slappasswd; you will insert it into slapd.conf in a minute.
mv -f /etc/openldap/slapd.conf /etc/openldap/slapd.conf.dist
Insert the following text into /etc/openldap/slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
suffix "dc=DOMAINNAME"
rootdn "cn=root,dc=DOMAINNAME"
rootpw {SSHA}TTzshhAbmZPPb8F2s7sgf9B+IrZt+nUD
password-hash {SSHA}
directory /var/lib/ldap
index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass pres,eq
index default sub
Note the rootpw line in the text above: that is where you paste your output from slappasswd.
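The rootpw value must be the {SSHA} hash that slappasswd printed, not the password itself. The following Python 3 script is an added example, not part of the guide: it assumes the {SSHA} layout slappasswd uses ("{SSHA}" + base64 of SHA-1(password || salt) followed by the salt, normally a 4-byte salt), reproduces it, verifies a password against such a hash, and scans a slapd.conf fragment to report whether rootpw holds a hashed or a cleartext value. The "changeme" cleartext config is constructed for the demonstration; the hashed one reuses the sample hash shown above.

```python
import base64
import hashlib
import hmac
import os
import re

# Added example, not from the guide. Assumes the {SSHA} scheme as slappasswd
# emits it: "{SSHA}" + base64( SHA-1(password || salt) || salt ), 4-byte salt.


def make_ssha(password, salt=None):
    """Return a {SSHA} hash for password in the format slappasswd produces."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, ssha_hash):
    """Check a password against a {SSHA} hash.

    The salt is whatever follows the 20-byte SHA-1 digest inside the base64
    payload, so salts of any length verify. Returns False for anything that
    is not a well-formed {SSHA} value.
    """
    prefix = "{SSHA}"
    if not ssha_hash.startswith(prefix):
        return False
    try:
        raw = base64.b64decode(ssha_hash[len(prefix):], validate=True)
    except ValueError:
        return False
    if len(raw) < 20:
        return False
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison, as for any password check.
    return hmac.compare_digest(expected, digest)


ROOTPW_RE = re.compile(r"^\s*rootpw\s+(\S+)", re.MULTILINE)


def rootpw_scheme(slapd_conf_text):
    """Report how the rootpw directive in slapd.conf stores the secret.

    Returns "missing" if there is no rootpw line, the scheme name (e.g. "SSHA")
    if the value carries a {SCHEME} prefix, or "cleartext" otherwise.
    """
    match = ROOTPW_RE.search(slapd_conf_text)
    if not match:
        return "missing"
    value = match.group(1).strip('"')
    scheme = re.match(r"\{([A-Za-z0-9-]+)\}", value)
    return scheme.group(1).upper() if scheme else "cleartext"


# The rootpw value below is the sample hash shown in the guide's slapd.conf.
SLAPD_CONF_HASHED = """\
database bdb
suffix "dc=DOMAINNAME"
rootdn "cn=root,dc=DOMAINNAME"
rootpw {SSHA}TTzshhAbmZPPb8F2s7sgf9B+IrZt+nUD
password-hash {SSHA}
"""

# Constructed counter-example: the slappasswd step was skipped and a
# cleartext value was pasted instead.
SLAPD_CONF_CLEARTEXT = SLAPD_CONF_HASHED.replace(
    "rootpw {SSHA}TTzshhAbmZPPb8F2s7sgf9B+IrZt+nUD", "rootpw changeme")


if __name__ == "__main__":
    for label, conf in (("hashed", SLAPD_CONF_HASHED),
                        ("cleartext", SLAPD_CONF_CLEARTEXT)):
        print("%s config: rootpw scheme = %s" % (label, rootpw_scheme(conf)))
    h = make_ssha("example-password")
    print("generated:", h, "verifies:", verify_ssha("example-password", h))
```

Run it against your real /etc/openldap/slapd.conf by passing the file's contents to rootpw_scheme(); anything other than "SSHA" (or another hash scheme) means the slappasswd output was not pasted in.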
cp /usr/share/doc/samba-3.*/LDAP/samba.schema /etc/openldap/schema/
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
chmod 600 /var/lib/ldap/DB_CONFIG
Insert the following text into /etc/openldap/init.ldif:
dn: dc=DOMAINNAME
objectclass: dcObject
objectclass: organization
o: CentOS Directory Server
dc: DOMAINNAME

dn: cn=root,dc=DOMAINNAME
objectclass: organizationalRole
cn: root
slapadd -l /etc/openldap/init.ldif
chown -R ldap:ldap /var/lib/ldap
chmod 600 /var/lib/ldap/*
slapcat
slapcat should produce output very similar to the following:
dn: dc=DOMAINNAME
objectClass: dcObject
objectClass: organization
o: CentOS Directory Server
dc: DOMAINNAME
structuralObjectClass: organization
entryUUID: 717d1b1e-ce90-102d-88c3-df22563ebfee
creatorsName: cn=root,dc=DOMAINNAME
modifiersName: cn=root,dc=DOMAINNAME
createTimestamp: 20090506134920Z
modifyTimestamp: 20090506134920Z
entryCSN: 20090506134920Z#000000#00#000000

dn: cn=root,dc=DOMAINNAME
objectClass: organizationalRole
cn: root
structuralObjectClass: organizationalRole
entryUUID: 71858556-ce90-102d-88c4-df22563ebfee
creatorsName: cn=root,dc=DOMAINNAME
modifiersName: cn=root,dc=DOMAINNAME
createTimestamp: 20090506134920Z
modifyTimestamp: 20090506134920Z
entryCSN: 20090506134920Z#000001#00#000000
service ldap start
chkconfig ldap on
ldapsearch -x -b "dc=DOMAINNAME"
The output from ldapsearch should be very similar to the following:
# extended LDIF
#
# LDAPv3
# base <dc=DOMAINNAME> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# DOMAINNAME
dn: dc=DOMAINNAME
objectClass: dcObject
objectClass: organization
o: CentOS Directory Server
dc: DOMAINNAME

# root, DOMAINNAME
dn: cn=root,dc=DOMAINNAME
objectClass: organizationalRole
cn: root

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
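Comparing the slapcat and ldapsearch output by eye works once, but a script is more reliable when the directory is rebuilt or the suffix is changed. The following Python 3 script is an added example, not part of the guide: parse_ldif() is a minimal reader for the LDIF that slapcat and ldapsearch -x print (comments, blank-line record separators, folded continuation lines and base64 "attr::" values), and check_bootstrap() confirms that the base entry carries objectClass dcObject and that the administrator entry exists. The sample input is the ldapsearch output from above, embedded as a string; the suffix and admin cn default to the guide's dc=DOMAINNAME and root.

```python
import base64

# Added example, not from the guide: a minimal LDIF reader for slapcat and
# "ldapsearch -x" output, plus a check that the two bootstrap entries are present.


def parse_ldif(text):
    """Parse LDIF text into a list of (dn, attrs) pairs in file order.

    Comment lines ("#") are skipped, a blank line ends a record, a line that
    begins with one space continues the previous line, and "attr:: value" is
    base64. Attribute names are lower-cased because LDAP treats them
    case-insensitively; values are kept as lists since attributes may repeat.
    Records without a dn (ldapsearch's trailing search:/result: block) are dropped.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries = []
    dn, attrs = None, {}
    for line in unfolded + [""]:          # the trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue                      # not an attribute line; ignore it
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def check_bootstrap(text, suffix="dc=DOMAINNAME", admin_cn="root"):
    """Return the list of problems with the initial directory; empty means OK."""
    entries = dict(parse_ldif(text))
    problems = []
    base = entries.get(suffix)
    if base is None:
        problems.append("base entry %s missing" % suffix)
    elif "dcObject" not in base.get("objectclass", []):
        problems.append("base entry %s lacks objectClass dcObject" % suffix)
    admin_dn = "cn=%s,%s" % (admin_cn, suffix)
    if admin_dn not in entries:
        problems.append("admin entry %s missing" % admin_dn)
    return problems


# Sample input: the ldapsearch output shown in the guide, embedded as a string.
SAMPLE_LDAPSEARCH = """\
# extended LDIF
#
# LDAPv3
# base <dc=DOMAINNAME> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# DOMAINNAME
dn: dc=DOMAINNAME
objectClass: dcObject
objectClass: organization
o: CentOS Directory Server
dc: DOMAINNAME

# root, DOMAINNAME
dn: cn=root,dc=DOMAINNAME
objectClass: organizationalRole
cn: root

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

if __name__ == "__main__":
    for dn, attrs in parse_ldif(SAMPLE_LDAPSEARCH):
        print(dn, attrs)
    print("problems:", check_bootstrap(SAMPLE_LDAPSEARCH) or "none")
```

On the server itself, pipe the live output in (for example `ldapsearch -x -b "dc=DOMAINNAME" | python3 thisscript.py` after reading sys.stdin instead of the sample string); the same parser handles slapcat output, since the extra operational attributes are simply stored alongside the rest.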