CentOS 5.x Samba Domain Controller With LDAP Backend - Page 2

Setting up remote administration of the ldap directory

Edit /etc/php.ini and make sure memory_limit is set to at least 32 MB:

memory_limit = 32M

Last I checked, the version of phpldapadmin available via yum is broken, so we'll get the latest & extract it: Go To http://sourceforge.net/project/showfiles.php?group_id=61828&package_id=177751 & download the latest version. In my case that resulted in the following commands, your package may be newer:

mkdir /var/www/html/samba && cd /var/www/html/samba
wget http://softlayer.dl.sourceforge.net/sourceforge/phpldapadmin/phpldapadmin-1.1.0.7.tar.gz
tar zxf phpldapadmin-1.1.0.7.tar.gz
ln -s phpldapadmin-1.1.0.7 pla
cp pla/config/config.php.example pla/config/config.php

Now edit ./pla/config/config.php and uncommment the following line:

$config->custom->jpeg['tmpdir'] = "/tmp";

 

Make newly setup software available

service httpd restart
chkconfig httpd on

Edit /etc/sysconfig/iptables and copy & modify line about ssh (--dport 22 -j ACCEPT), and right after it, add (assuming your CentOS install produced the default iptables file):

#Allow Https://
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#Allow samba:
-A RH-Firewall-1-INPUT -m multiport -p udp --dport 137,138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m multiport -p tcp --dport 139,445 -j ACCEPT

Now open your webbrowser and visit https://192.168.0.5/samba/pla/ and login with Username cn=root,dc=DOMAINNAME & your password. You should be able to look around and see some junk.

 

Integrate ldap and Samba

mv /etc/samba/smb.conf /etc/samba/smb.conf.dist
cp /usr/share/doc/smbldap-tools-0.9.5/smb.conf /etc/samba/smb.conf

Edit /etc/samba/smb.conf to your likings, the default ldap part should be fine.
Under [global], you will need to add these three settings not there by default:

ldap ssl = off
nt acl support = yes

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE

cp /usr/share/doc/smbldap-tools-0.9.5/smbldap.conf /etc/smbldap-tools/smbldap.conf
net getlocalsid

Note, net getlocalsid will error a bunch until the end, because you haven't fully configured samba yet -- but will produce the sid you need for the next step.

Edit /etc/smbldap-tools/smbldap.conf and insert sid, domain, etc, all throughout the file till the end.

Edit /etc/smbldap-tools/smbldap_bind.conf and change both applicable lines, change "secret" to your password.

chmod 644 /etc/smbldap-tools/smbldap.conf
chmod 600 /etc/smbldap-tools/smbldap_bind.conf
authconfig-tui

Check that the output from authconfig-tui contains:

[ ] Local authorization is sufficient

Now test your samba config:

testparm
smbpasswd -w YOUR_ROOT_LDAP_PASS_HERE
smbldap-populate

smbldap-populate will ask for the password, enter it.

 

Start the LDAP Samba installation up

/etc/init.d/smb start
chkconfig smb on

Add users/groups, correlate between unix and ldap:

useradd user1
smbldap-useradd -a -G 'Domain Users' -m -s /bin/bash -d /home/user2 -F "" -P user1

Get a picture of the UNIX groups that aren't there yet that LDAP assumes:

net groupmap list

Output is something like:

Domain Admins (S-1-5-21-990788473-1556064292-4137819756-512) -> domain_admins
Domain Users (S-1-5-21-990788473-1556064292-4137819756-513) -> domain_users
Domain Guests (S-1-5-21-990788473-1556064292-4137819756-514) -> 514
Domain Computers (S-1-5-21-990788473-1556064292-4137819756-515) -> 515
Administrators (S-1-5-32-544) -> 544
Account Operators (S-1-5-32-548) -> 548
Print Operators (S-1-5-32-550) -> 550
Backup Operators (S-1-5-32-551) -> 551
Replicators (S-1-5-32-552) -> 552

Add correlating groups to unix, using the suggested GIDs:

groupadd -g 514 samba_domain_guests
groupadd -g 515 samba_domain_computers
groupadd -g 544 samba_administrator
groupadd -g 548 samba_account_operators
groupadd -g 550 samba_print_operators
groupadd -g 551 samba_backup_operators
groupadd -g 552 samba_replicators

If you want to add a non-built-in group to LDAP/Samba, say for controlling which users can write/read files on a share, and have it determine that by groups:

smbldap-groupadd -a "People In Our Office"

Then get the output from net groupmap list again and correlate the newly created group # just like last time, adding the group to the unix system:

groupadd -g 1001 samba_people_in_our_office

Add users to LDAP groups via the web interface, then correlate in unix:

usermod -a -G UNIX_GROUP_NAME UNIX_USERNAME

Also add computer accounts to unix, using the group "samba_domain_computers" from above, and where your allowed computer names end with a "$":

useradd -M -g 515 -s /bin/false officecomp1$

Last, but certainly not neccessary, you may want to turn off the unneccesary services CentOS runs by default. I determined that I, specifically, don't need any of the following. You might be different, so look them up before you turn them off:

chkconfig ntpd off
chkconfig bluetooth off
chkconfig xinetd off
chkconfig smartd off
chkconfig yum-updatesd off
chkconfig rpcidmapd off
chkconfig rpcgssd off
chkconfig restorecond off
chkconfig portmap off
chkconfig pcscd off
chkconfig nfslock off
chkconfig mcstrans off
chkconfig mdmonitor off
chkconfig irqbalance off
chkconfig kudzu off
chkconfig ip6tables off
chkconfig hidd off
chkconfig gpm off
chkconfig haldaemon off
chkconfig autofs off
chkconfig avahi-daemon off
service ntpd stop
service bluetooth stop
service xinetd stop
service smartd stop
service yum-updatesd stop
service rpcidmapd stop
service rpcgssd stop
service restorecond stop
service portmap stop
service pcscd stop
service nfslock stop
service mcstrans stop
service mdmonitor stop
service irqbalance stop
service kudzu stop
service ip6tables stop
service hidd stop
service gpm stop
service haldaemon stop
service autofs stop
service avahi-daemon stop

(Optional) Upgrade Samba so Windows 7 computers can join the domain

Make sure ldap ssl = off is set in /etc/samba/smb.conf, as this wasn't required for the CentOS distro version of Samba to run properly, but will be required once we upgrade (3.0.x vs 3.3.x, which supports Windows 7).

We will get the newer samba RPMs built for CentOS from Sernet:

cd /etc/yum.repos.d/
wget http://ftp.sernet.de/pub/samba/3.3/centos/5/sernet-samba.repo
yum update

Your samba packages will update from the Sernet repo.
Since the upgrade, our CentOS service for samba disappeared; let's re-add it:

chkconfig --add smb
chkconfig smb on

Now add the Windows 7 computer to Unix (assuming your domain computers' group name is "samba_domain_computers"):

useradd -M -g `cat /etc/group|grep samba_domain_computers|cut -d: -f3` -s /bin/false win7-computername$
usermod -a -G samba_domain_computers win7-computername$

Now join your Windows 7 PC to the domain using this official Samba mini guide:
http://wiki.samba.org/index.php/Windows7

Share this page:

30 Comment(s)