OpenLDAP + Samba Domain Controller On Ubuntu 7.10 - Page 2

Step 5: Configure SAMBA

Now we need to configure SAMBA. This includes configuring the /etc/samba/smb.conf file.

# Open up the SAMBA directory.

cd /etc/samba/

# Backup the samba configuration file.

cp smb.conf smb.conf.original

# Open the samba configuration file for editing.

vim smb.conf

# Make the following changes throughout the file:

workgroup = EXAMPLE
security = user
passdb backend = ldapsam:ldap://localhost/
obey pam restrictions = no
#######################################################################
#COPY AND PASTE THE FOLLOWING UNDERNEATH "OBEY PAM RESTRICTIONS = NO"
#######################################################################
#
#	Begin: Custom LDAP Entries
#
ldap admin dn = cn=admin,dc=example,dc=local
ldap suffix = dc=example, dc=local
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
; Do ldap passwd sync
ldap passwd sync = Yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
domain logons = yes
#
#	End: Custom LDAP Entries
#
#####################################################
#STOP COPYING HERE! 
#####################################################

# Comment out the line:

invalid users = root

# Add the following line:

logon path =

# Restart SAMBA.

/etc/init.d/samba restart

# Give SAMBA the password of the LDAP "admin" DN (smbpasswd -w stores it in secrets.tdb so that Samba can bind to the directory).

smbpasswd -w 12345


Step 6: Configure the SMBLDAP-TOOLS package.

We will use the smbldap-tools package to populate the directory and to add users, workstations and so on. But the tools need to be configured first!

# Open up the examples directory.

cd /usr/share/doc/smbldap-tools/examples/

# Copy the configuration files to /etc/smbldap-tools:

cp smbldap_bind.conf /etc/smbldap-tools/
cp smbldap.conf.gz /etc/smbldap-tools/

# Unzip the configuration file.

gzip -d /etc/smbldap-tools/smbldap.conf.gz

# Open up the /etc/smbldap-tools directory.

cd /etc/smbldap-tools/

# Get the SID (Security ID) for your SAMBA domain.

net getlocalsid

This results in (example): SID for domain DC01-UBUNTU is: S-1-5-21-949328747-3404738746-3052206637

# Open the /etc/smbldap-tools/smbldap.conf file for editing.

vim smbldap.conf

# Edit the file so that the following information is correct (according to your individual setup):

SID="S-1-5-21-949328747-3404738746-3052206637" ## This line must have the same SID as when you ran "net getlocalsid"
sambaDomain="EXAMPLE"
ldapTLS="0"
suffix="dc=example,dc=local"
sambaUnixIdPooldn="sambaDomainName=EXAMPLE,${suffix}"
userSmbHome=
userProfile=
userHomeDrive=
userScript=
mailDomain="example.local"

# Open the /etc/smbldap-tools/smbldap_bind.conf file for editing.

vim smbldap_bind.conf

# Edit the file so that the following information is correct (according to your individual setup):

slaveDN="cn=admin,dc=example,dc=local"
slavePw="12345"
masterDN="cn=admin,dc=example,dc=local"
masterPw="12345"

# Set the correct permissions on the above files:

chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf
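Before moving on, it is worth checking that the three files edited in Steps 5 and 6 agree with each other: if the suffix or admin DN differs between smb.conf and smbldap-tools, or the SID in smbldap.conf is not the one net getlocalsid printed, the sambaSID values smbldap-tools writes will not belong to your domain. The script below is an added example, not part of the original how-to; it works on constructed copies of the files written under /tmp, takes the expected SID as an argument (net getlocalsid needs a running Samba), and assumes GNU stat with a BSD stat fallback.

```shell
#!/bin/sh
# Consistency check for the Samba / smbldap-tools settings from Steps 5 and 6
# (example script added to this how-to, not part of the original page).
# It verifies that smb.conf, smbldap.conf and smbldap_bind.conf agree on the
# LDAP suffix and admin DN, that smbldap.conf carries the SID Samba reports
# (Step 6), and that the bind file, which stores the admin password, is 0600.

# Fetch a "name = value" parameter from smb.conf, ignoring comment lines.
smb_param() {   # smb_param <smb.conf> <parameter name>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }
        index($0, "=") {
            k = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
            }
        }' "$1"
}

# Fetch a KEY="value" setting from the smbldap-tools config files.
smbldap_param() { sed -n "s/^[ \t]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1; }

# Normalise a DN for comparison: lower-case, no blanks after commas.
norm_dn() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g'; }

# Print one line per problem; the return value is the number of problems.
check_ldap_config() {   # <smb.conf> <smbldap.conf> <smbldap_bind.conf> <expected SID>
    n=0
    case "$(smb_param "$1" 'passdb backend')" in
        ldapsam:*) ;;
        *) echo "passdb backend is not ldapsam"; n=$((n + 1)) ;;
    esac
    a=$(norm_dn "$(smb_param "$1" 'ldap suffix')"); b=$(norm_dn "$(smbldap_param "$2" suffix)")
    [ "$a" = "$b" ] || { echo "ldap suffix '$a' != smbldap.conf suffix '$b'"; n=$((n + 1)); }
    a=$(norm_dn "$(smb_param "$1" 'ldap admin dn')"); b=$(norm_dn "$(smbldap_param "$3" masterDN)")
    [ "$a" = "$b" ] || { echo "ldap admin dn '$a' != masterDN '$b'"; n=$((n + 1)); }
    [ "$(smbldap_param "$2" SID)" = "$4" ] || { echo "SID in smbldap.conf is not $4"; n=$((n + 1)); }
    mode=$(stat -c %a "$3" 2>/dev/null || stat -f %Lp "$3")   # GNU stat, then BSD stat
    [ "$mode" = 600 ] || { echo "$3 is mode $mode, expected 600"; n=$((n + 1)); }
    return $n
}

# Constructed sample files with this how-to's values, except for a deliberately
# different SID and a 0644 bind file, so the check has something to report.
make_samples() {   # make_samples <dir>
    mkdir -p "$1"
    printf '%s\n' '[global]' '   workgroup = EXAMPLE' '   passdb backend = ldapsam:ldap://localhost/' \
        '   ldap admin dn = cn=admin,dc=example,dc=local' '   ldap suffix = dc=example, dc=local' > "$1/smb.conf"
    printf '%s\n' 'SID="S-1-5-21-111111111-222222222-333333333"' 'suffix="dc=example,dc=local"' > "$1/smbldap.conf"
    printf '%s\n' 'masterDN="cn=admin,dc=example,dc=local"' 'masterPw="12345"' > "$1/smbldap_bind.conf"
    chmod 0644 "$1/smbldap_bind.conf"
}

dir=${TMPDIR:-/tmp}/smbldap-check.$$
make_samples "$dir"
# The SID argument is the one net getlocalsid printed in Step 6; on a live box use
# "$(net getlocalsid | sed 's/.*: //')" and the real paths under /etc.
if check_ldap_config "$dir/smb.conf" "$dir/smbldap.conf" "$dir/smbldap_bind.conf" \
        "S-1-5-21-949328747-3404738746-3052206637"; then
    echo "configuration is consistent"
else
    echo "problems found: $?"
fi
```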


Step 7: Populate LDAP using smbldap-tools

Now we need to populate our LDAP directory with some necessary SAMBA and Windows entries.

# Execute the command to populate the directory.

smbldap-populate -u 30000 -g 30000

# At the password prompt, assign your root password:

12345

# Verify that the directory has information in it by running the command:

ldapsearch -x -b dc=example,dc=local | less


Step 8: Add an LDAP user to the system

It is time for us to add an LDAP user. We will use this user account to verify that LDAP authentication is working.

# Add the user to LDAP

smbldap-useradd -a -m -M ricky -c "Richard M" ricky

# Here is an explanation of the command switches that we used.

-a allows Windows as well as Linux login
-m makes a home directory, leave this off if you do not need local access
-M sets up the username part of their email address
-c specifies their full name

# Set the password for the new account.

smbldap-passwd ricky
# Password will be: 12345


Step 9: Configure the server to use LDAP authentication.

The basic steps for this section came from the Ubuntu Forums (http://ubuntuforums.org/showthread.php?t=597056). Thanks to all who contributed to that thread! Basically we need to tell our server to use LDAP authentication as one of its options. Be careful with this! It can cause your server to break! This is why we always have a backup around.

# Install the necessary software for this to work.

apt-get install auth-client-config libpam-ldap libnss-ldap

# Answer the prompts on your screen with the following:

Should debconf manage LDAP configuration?: Yes
LDAP server Uniform Resource Identifier: ldap://127.0.0.1/
Distinguished name of the search base: dc=example,dc=local
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root: cn=admin,dc=example,dc=local
LDAP root account password: 12345

# Open the /etc/ldap.conf file for editing.

vim /etc/ldap.conf

# Configure the following according to your setup:

host 127.0.0.1
base dc=example,dc=local
uri ldap://127.0.0.1/
rootbinddn cn=admin,dc=example,dc=local
bind_policy soft

# Copy the /etc/ldap.conf file to /etc/ldap/ldap.conf

cp /etc/ldap.conf /etc/ldap/ldap.conf

# Create a new file /etc/auth-client-config/profile.d/open_ldap:

vim /etc/auth-client-config/profile.d/open_ldap

# Insert the following into that new file:

[open_ldap]
nss_passwd=passwd: compat ldap
nss_group=group: compat ldap
nss_shadow=shadow: compat ldap
pam_auth=auth       required     pam_env.so
 auth       sufficient   pam_unix.so likeauth nullok
 auth       sufficient   pam_ldap.so use_first_pass
 auth       required     pam_deny.so
pam_account=account    sufficient   pam_unix.so
 account    sufficient   pam_ldap.so
 account    required     pam_deny.so
pam_password=password   sufficient   pam_unix.so nullok md5 shadow use_authtok
 password   sufficient   pam_ldap.so use_first_pass
 password   required     pam_deny.so
pam_session=session    required     pam_limits.so
 session    required     pam_mkhomedir.so skel=/etc/skel/
 session    required     pam_unix.so
 session    optional     pam_ldap.so

# Backup the /etc/nsswitch.conf file:

cp /etc/nsswitch.conf /etc/nsswitch.conf.original

# Backup the /etc/pam.d/ files:

cd /etc/pam.d/
mkdir bkup
cp * bkup/

# Enable the new LDAP Authentication Profile by executing the following command:

auth-client-config -a -p open_ldap

# Reboot the server and test to ensure that you can still log in using SSH and LDAP.

reboot


Comments

From: at: 2008-01-04 23:21:08

This is the "how to" I've been waiting months/years for... Congratulations rickyjones for making our life easier!!!

From: at: 2008-02-21 08:37:05

Brilliant tutorial!  Thanks heaps  :)

Either there's a step missing though, or I'm doing something wrong (most likely), but I can't seem to get it to work quite right. I cannot seem to add Windows workstations to the domain, and using phpLDAPAdmin, I can only seem to access it in read-only mode. Trying to use the LDAP Browser in Webmin also gives the following error: "The LDAP browser cannot be used : No user to login as was found in the LDAP server configuration". I'm guessing it's all related to the same issue...

Can anyone give me some tips? Or suggest where I can get more info to provide?

Cheers,

Japh

From: at: 2008-03-22 11:38:33

First, I want to thank rickyjones for making this guide that just works. I think you should have included roaming profile and home share settings in your guide though. Well, I managed to figure out that part anyway, so it's all good.

As for the one above me, you should have used the forum as asked to but oh well: you have to add your admin DN and password into LDAP server configuration in LDAP server module of webmin for it to work.

From: Tom at: 2008-11-23 17:36:38

How did you 'figure out' the roaming profiles? I really need to know this and don't have much experience with ubuntu server and openldap or samba!

From: Anonymous at: 2008-12-02 06:39:25

Hi Thuan,

How did you manage to get the roaming profile right?

From: Jack at: 2009-04-04 12:00:22

I have an auto installer for Ubuntu 8.1. You can download it from my website www.setschoolsfree.com. The installer may work with other Debian versions of linux but I have not had the chance to test it. The installer is intended for use by schools but anyone can use it including companies.

From: mauritaly at: 2009-06-29 15:46:02

Hi Jack

Thank you for publishing your wizard. I will test it on a Lenny VM.

From: jordi at: 2008-12-25 23:10:47

The tutorial is great. At least about a great topic. I am surprised there are no easy alternatives to W2003 server.

Anyway, I had problems at step 4. The mentioned file (/etc/ldap/slapd.conf) is not on my Ubuntu system. I need to say that I am using the desktop edition, not the server, and I am using 8.10 and not 7.10. I followed all the prerequisites and steps before, I believe.

Because the file is not there, I tried skipping the step (I know this is not good). If skipping step 4, I get serious errors at step 7, as follows:

entry dc=codina,dc=local already exist.
adding new entry: ou=Users,dc=codina,dc=local
adding new entry: ou=Groups,dc=codina,dc=local
adding new entry: ou=Computers,dc=codina,dc=local
adding new entry: ou=Idmap,dc=codina,dc=local
adding new entry: uid=root,ou=Users,dc=codina,dc=local
failed to add entry: objectClass: value #4 invalid per syntax at /usr/sbin/smbldap-populate line 499, <GEN1> line 55.
adding new entry: uid=nobody,ou=Users,dc=codina,dc=local
failed to add entry: objectClass: value #4 invalid per syntax at /usr/sbin/smbldap-populate line 499, <GEN1> line 83.
adding new entry: cn=Domain Admins,ou=Groups,dc=codina,dc=local
failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 499, <GEN1> line 95.
adding new entry: cn=Domain Users,ou=Groups,dc=codina,dc=local
failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 499, <GEN1> line 106.
... (a few more like this)

Anyone experienced this?

From: darryl worley at: 2008-12-12 22:51:58

First of all, great how-to. Very straightforward and well-commented/explained.

However, I keep getting the same error message. I have tried running through the procedure thrice now, to make sure I haven't missed some 'critical' step or anything, but the same error:

"Use of uninitialized value in substitution (s///) at /usr/share/perl5/smbldap_tools.pm line 135, <CONFIGFILE> line 115"

I get this error msg at step 8 ("smbldap-useradd -a -m -M ricky -c "Richard M" ricky"). I am running this after a fresh install of Ubuntu Server v.8.04.1. Any tips?

Thanks, -darryl

From: rickofborg at: 2009-01-27 19:43:39

If you are using Ubuntu Server 8.10 and you are missing slapd.conf at Step 4, it is because Ubuntu 8.10 version of Open LDAP utilizes a new configuration scheme.  There is no slapd.conf any more.  You have to create one from scratch and edit /etc/default/slapd to tell OpenLDAP where to find it.

Information about that is here: http://ubuntuforums.org/showthread.php?t=980713

For this to work "out of the box", you'd better use Ubuntu 7.10.

From: Anonymous at: 2008-12-31 16:58:54

Step 4-Cannot find slapd.conf in /etc/ldap. I have installed Ubuntu Server 8.10 and also installed the desktop version so I have the GUI mode. I cannot find the file slapd.conf in my whole Ubuntu box after installing the mentioned package OpenLDAP and following all your steps. Please help.

From: Cybermeow at: 2009-02-02 10:00:52

Now that I have set up domain control with SAMBA and ldap, what is the right way to back up the system in case the server fails? How can I set up a BDC?

Also, for daily backup of config files and ldap user login information, what is the right way to do it?

From: pixel::doc at: 2009-09-08 16:16:21

At Preface /etc/hosts should look like this:

127.0.0.1       localhost
192.168.0.60 dc01-ubuntu.example.local dc01-ubuntu

or

127.0.1.1         dc01-ubuntu.example.local    dc01-ubuntu

Otherwise good tutorial!

From: Jack at: 2010-05-10 16:04:48

Recently I installed a samba PDC using the following article. It really helped me, thanks a lot "universal"

From: at: 2008-05-26 18:05:16

It seems like there is a problem when trying to complete step 9 to configure the server to use LDAP authentication.

When running the command:
"apt-get install auth-client-config libpam-ldap libnss-ldap"

The following error is generated:
"Couldn't find package auth-client-config"

Based on doing some research it seems that auth-client-config is rather new and has not been included in many packages. Does anyone know where this could be found? Any help would be greatly appreciated.

Thanks,
Aaron

From: Anonymous at: 2008-11-05 19:07:04

Better yet would be how to set it up using the pam.d directory.

From: sony at: 2009-03-01 10:00:53

Hi,

if you get something like this when adding groups etc. to ldap:

failed to add entry: objectClass: value #4 invalid per syntax at /usr/sbin/smbldap-populate line 499, <GEN1> line 55.

--> new openldap has its config inside ldap for replication purposes

you have to back up your slapd.d directory, create a new one and execute:

slaptest -f slapd.conf -F slapd.d
chown -R openldap:openldap slapd.d

this will read the smb schemas and put them into the config

greetz

sony

From: pebcomputing at: 2009-10-02 23:54:56

I am in the process of adapting this howto to debian lenny and ran into the same problem.  I fixed it by downloading the source from here: https://launchpad.net/auth-client-config/+distributions , untarring it, changing directory into the untarred package root, and running "./install.py --prefix=/usr --config-prefix=/etc" as was suggested in the package's README.

From: ilkay karadam at: 2008-11-12 11:17:06

I completed the installation step by step but I cannot connect to the samba domain from an XP client. It's giving unknown user or password. (I am trying to connect with the root account and its password.) What is the problem?

From: Xavier Normand at: 2008-12-04 20:11:53

Same problem with me! I'm only getting access denied when trying to add an XP client to the domain.

Please help.

From: at: 2009-09-16 15:32:08

Thank you for the excellent post. It was very useful. I already have Samba and LDAP working together and I'm trying to make a slave server. The idea is to have a second server if my PDC server breaks. I have searched in many places and until now I did not find useful information. Has someone already done something like this or has any idea how I can do it?

Thanks a lot.

From: timjdavey at: 2010-05-18 10:25:29

Had some troubles with this. In the instructions for step 9 it says "LDAP server Uniform Resource Identifier: ldapi://127.0.0.1" when it should be "ldap://127.0.0.1/". Minor bug but thought I would flag it in case anyone else stumbled into this.

From: at: 2008-03-13 13:18:40

I cannot thank you enough for this..
You have saved my sanity and my server....
I wish I could say more but I really don't know what to say except for a BIG HUGE THANK YOU...
Keep it up

Hannes

From: bi at: 2010-06-17 11:47:28

I try this tutorial and I get this result:

1. For some reason (that I don't know), a Linux client can join the domain without problem with net rpc join -S ipofserver -U root.

2. Windows client cannot join domain with following error: http://osvn.pastebin.com/QUpVVq5q

I tried many ways to fix it but it seems out of my knowledge.

DNS is working fine, nslookup with full domain name: dc.DOMAIN.com can find where is the domain controller and its IP address.

From: at: 2008-03-29 13:32:40

Hi all

This was amazing, in less than 2 hours I installed that stuff on a virtual ubuntu and bound XP to the domain. It would be great to add dhcp and ldap-account-manager... very easy, I did it. Shall I write how?

For the future it would be great to add tsl="1"

Thanks 4 this good tutorial, as usual at howtoforge

Maurizio, Zurich

From: at: 2008-05-30 15:03:51

Does the DNS server have to run on the same physical box as OpenLDAP + Samba?

From: Anonymous at: 2008-11-18 08:52:23

No, just make sure you fill in your DNS correctly on your client and server.

From: at: 2008-07-06 17:18:14

Is it necessary to log in to the controller with the root login? If I wanted a client to add themselves I'd rather not give out the root password. Also the possibility of a windows machine having the root login saved somewhere is a worrying thought.

From: Anonymous at: 2008-11-05 23:06:41

No you just have to make sure that he is a Domain Admin

From: Anonymous at: 2008-11-03 21:45:51

Perfect Tutorial. I have done it with a fresh-installed Ubuntu-8-Server. Worked perfectly without any problems.

Thank you!

From: Anonymous at: 2008-11-18 08:57:08

Nice tutorial

but since you already installed webmin I don't recommend installing PHPLDAPadmin.

LDAP is perfectly manageable through webmin.

From: tam at: 2008-12-04 21:43:08

hi,

I know that the topic specified Ubuntu 7.10 and XP Pro, but I was able to install the server pieces on Ubuntu Hardy without having any problem.

My problem is it fails to join the domain.

The client box is Vista Ultimate and the error message is "the network path was not found"

I wonder, has anyone been able to make this work with Windows Vista?

Thanks in advance,

Tam

From: stefferd at: 2009-01-17 15:20:18

Have you tried using the IP address instead of the hostname when connecting to the domain controller?

It could be that your windows box doesn't have the right DNS server configured in its IP address settings, that way it won't find the hostname. To resolve this, set up your DHCP server to use the DNS server address of the DC, or reconfigure your windows box so that it uses the dns-server installed on your

From: 02walshe at: 2009-02-17 22:49:09

Just wanted to say what a great topic this is! Got through it very quickly. Just one thing:

When I log on to the domain, XP shows the 'loading your personal settings' screen, then after about 10 seconds, goes back to the 'press ctrl alt del' screen. Very odd.

Thanks again for a good topic!

From: at: 2009-02-04 11:34:15

Thank you for your nice tutorial.

I've only one question: How can I change the password for the user sysadmin after I've completed the installation?

I've Ubuntu 8.04 Server 32 bit and I have this phenomenon:

$ passwd
Changing password for sysadmin.
(current) UNIX password:
passwd: Authentication token manipulation error
passwd: password unchanged


From: Anonymous at: 2009-01-26 04:37:43

Thanks so much worked first time!!!!!!!!!!!!

From: Mathias Mamsch at: 2009-06-02 14:58:40

Hi,

I really enjoyed your tutorial. I just wanted to let you know that current versions of openldap will use runtime configuration, i.e. storing the ldap configuration in the /etc/ldap/slapd.d/ directory and by default ignoring a /etc/ldap/slapd.conf file. Users might experience several errors in this case:

1. There is no slapd.conf file where to add the include schemas, after installing openldap

2. When coming to the smbldap-populate command, the populating will fail (because the schemas will not be used in the configuration, even if a slapd.conf file was created)

You might want to hint at that in the tutorial. In this case a search for "openldap runtime configuration" might turn out how to overcome those issues.

Best regards, Mathias Mamsch

From: gabochiwas at: 2009-08-25 21:38:06

Thanks man, excellent how to...

Just one question: I need to activate the mobile profile, can you tell me how I can do that?

I would appreciate it very much if you can show me...

From: Anonymous at: 2010-07-08 10:32:08

Awesome work here, I have been looking all over the web for these kind of details.

But I was wondering if I could join the domain on a Ubuntu Desktop distribution instead of Windows XP using something maybe similar to Likewise Open or some other kind of LDAP client for Linux and still be able to make the OS authenticate against the LDAP when logging on to the normal Ubuntu Desktop GUI login screen.

Don't worry about GPO or the mapping of drives, just authenticating logon

Thanks... again good work