# Samba LDAP PDC Howto

## nabbed

I am trying to get my configuration for an LDAP PDC together.

I am on a W2K Pro client trying to join the domain, and after I type in the Administrator password and hit Enter, a dialog box is displayed which says the user cannot be found.

I can't make ssh Administrator@localhost work either.

I am a bit confused about whether or not I have to smbldap-passwd Administrator, because it maps to root.

If someone who has an LDAP PDC working could make sure the content of my files is OK, that would be great, as well as telling me how to join a W2K Pro client to the domain.

Anyway, here is what I have done so far, using these 3 links as guides:

http://www.idealx.org/prj/samba/smbldap-howto.en.html

http://www.gentoo.org/doc/en/ldap-howto.xml

http://samba.org/samba/docs/man/Samba-Guide/happy.html

Execute the following command without the -vp:

```
USE="acl cups doc kerberos ldap libclamav oav pam python quotas readline samba xml2" emerge -vp nss_ldap pam_ldap migrationtools openldap
```

Install the prerequisites without ACCEPT_KEYWORDS="~x86", and then execute the command again without -vp:

```
ACCEPT_KEYWORDS="~x86" emerge -vp smbldap-tools samba
```

I wanted Samba 3.0.13, not for any particular reason; I just wanted to get the latest instead of 3.0.10.

vi /etc/openldap/schema/kerberosobject.schema

```
# Depends upon core.schema and cosine.schema

# OID Base is 1.3.6.1.4.1.2312.4

#

# Attribute types are under 1.3.6.1.4.1.2312.4.1

# Object classes are under 1.3.6.1.4.1.2312.4.2

# Syntaxes are under 1.3.6.1.4.1.2312.4.3

# Attribute Type Definitions

attributetype ( 1.3.6.1.4.1.250.1.32

        NAME ( 'krbName' 'kerberosName' )

        DESC 'Kerberos Name'

        EQUALITY caseIgnoreIA5Match

        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

        SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.2312.4.2.4 NAME 'kerberosSecurityObject' SUP top AUXILIARY

    DESC 'A uid with an associated Kerberos principal'

    MUST ( krbName ) )
```

vi /etc/openldap/slapd.conf

```
include /etc/openldap/schema/core.schema

include /etc/openldap/schema/cosine.schema

include /etc/openldap/schema/inetorgperson.schema

include /etc/openldap/schema/kerberosobject.schema

include /etc/openldap/schema/misc.schema

include /etc/openldap/schema/nis.schema

include /etc/openldap/schema/samba.schema

password-hash {crypt}

TLSCertificateFile      /etc/ssl/ldap.pem

TLSCertificateKeyFile   /etc/openldap/ssl/ldap.pem

TLSCACertificateFile    /etc/ssl/ldap.pem

pidfile     /var/run/openldap/slapd.pid

argsfile    /var/run/openldap/slapd.args

access to attrs=userPassword,sambaLMPassword,sambaNTPassword

      by self write

      by anonymous auth

      by * none

access to *

      by * read

database    ldbm

suffix      "dc=idealx,dc=local"

rootdn      "cn=Manager,dc=idealx,dc=local"

#rootpw     not24get

rootpw      {MD5}JgvK206vBL63cXPVhWP5cA==

directory   /var/lib/openldap-ldbm

index objectClass           eq

index cn                    pres,sub,eq

index sn                    pres,sub,eq

index uid                   pres,sub,eq

index displayName           pres,sub,eq

index uidNumber             eq

index gidNumber             eq

index memberUID             eq

index sambaSID              eq

index sambaPrimaryGroupSID  eq

index sambaDomainName       eq

index default               sub
```

vi /etc/openldap/ldap.conf

```
BASE        dc=idealx,dc=local

URI         ldaps://auth.idealx.local:636/

TLS_REQCERT allow
```

vi /etc/conf.d/slapd

```
# conf.d file for the openldap-2.1 series

#

# To enable both the standard unciphered server and the ssl encrypted

# one uncomment this line or set any other server starting options

# you may desire.

#

# OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"

OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
```

vi /usr/share/migrationtools/migrate_common.ph

```
...

} else {

    $NAMINGCONTEXT{'aliases'}           = "ou=Aliases";

    $NAMINGCONTEXT{'fstab'}             = "ou=Mounts";

    $NAMINGCONTEXT{'passwd'}            = "ou=Users";

    $NAMINGCONTEXT{'netgroup_byuser'}   = "nisMapName=netgroup.byuser";

    $NAMINGCONTEXT{'netgroup_byhost'}   = "nisMapName=netgroup.byhost";

    $NAMINGCONTEXT{'group'}             = "ou=Groups";

    $NAMINGCONTEXT{'netgroup'}          = "ou=Netgroup";

    $NAMINGCONTEXT{'hosts'}             = "ou=Hosts";

    $NAMINGCONTEXT{'networks'}          = "ou=Networks";

    $NAMINGCONTEXT{'protocols'}         = "ou=Protocols";

    $NAMINGCONTEXT{'rpc'}               = "ou=Rpc";

    $NAMINGCONTEXT{'services'}          = "ou=Services";

}

# Default DNS domain

$DEFAULT_MAIL_DOMAIN = "idealx.local";

# Default base

$DEFAULT_BASE = "dc=idealx,dc=local";

# Turn this on for inetLocalMailReceipient

# sendmail support; add the following to

# sendmail.mc (thanks to Petr@Kristof.CZ):

##### CUT HERE #####

#define(`confLDAP_DEFAULT_SPEC',`-h "ldap.padl.com"')dnl

#LDAPROUTE_DOMAIN_FILE(`/etc/mail/ldapdomains')dnl

#FEATURE(ldap_routing)dnl

##### CUT HERE #####

# where /etc/mail/ldapdomains contains names of ldap_routed

# domains (similiar to MASQUERADE_DOMAIN_FILE).

$DEFAULT_MAIL_HOST = "mail.idealx.local";

# turn this on to support more general object clases

# such as person.

$EXTENDED_SCHEMA = 1;

...
```

vi /etc/pam.d/system-auth

```
auth        required    /lib/security/pam_env.so

auth        sufficient  /lib/security/pam_unix.so likeauth nullok shadow

auth        sufficient  /lib/security/pam_ldap.so use_first_pass

auth        required    /lib/security/pam_deny.so

account     sufficient  /lib/security/pam_unix.so

account     sufficient  /lib/security/pam_ldap.so

account     required    /lib/security/pam_deny.so

password    required    /lib/security/pam_cracklib.so retry=3

password    sufficient  /lib/security/pam_unix.so nullok md5 shadow use_authtok

password    sufficient  /lib/security/pam_ldap.so use_authtok

password    required    /lib/security/pam_deny.so

session     required    /lib/security/pam_limits.so

session     required    /lib/security/pam_unix.so

session     required    /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0

session     optional    /lib/security/pam_ldap.so
```

vi /etc/nsswitch.conf

```
# /etc/nsswitch.conf:

# $Header: /var/www/twiki/data/IT/LDAPSambaPDC.txt,v 1.14 2005/04/09 13:55:55 ben Exp nobody $

#passwd:      compat

#shadow:      compat

#group:       compat

passwd:     files ldap

shadow:     files ldap

group:      files ldap

# passwd:    db files nis

# shadow:    db files nis

# group:     db files nis

hosts:       files dns

networks:    files dns

services:    db files

protocols:   db files

rpc:         db files

ethers:      db files

netmasks:    files

netgroup:    files

bootparams:  files

automount:   files

aliases:     files
```

vi /etc/ldap.conf

```
ssl start_tls

ssl on

suffix "dc=idealx,dc=local"

uri ldaps://auth.idealx.local/

pam_password crypt

ldap_version 3

#pam_filter objectclass=posixAccount

#pam_login_attribute uid

#pam_member_attribute memberuid

nss_base_passwd ou=People,dc=idealx,dc=local

nss_base_shadow ou=People,dc=idealx,dc=local

nss_base_group  ou=Group,dc=idealx,dc=local

nss_base_hosts  ou=Hosts,dc=idealx,dc=local

scope one
```

vi /root/smbldap-dsa

```
#!/bin/sh
# Creates an ou=DSA branch with one bind account per LDAP client.
# The rootdn password and the three account passwords are the example values
# from the IDEALX howto; replace them before use.
suffix="dc=idealx,dc=local"

# LDIF entries must be separated by exactly one blank line
ldapadd -x -h localhost -D "cn=Manager,$suffix" -w not24get <<HERE
dn: ou=DSA,$suffix
objectClass: top
objectClass: organizationalUnit
ou: DSA
description: security accounts for LDAP clients

dn: cn=samba,ou=DSA,$suffix
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword: sambasecretpwd
cn: samba

dn: cn=nssldap,ou=DSA,$suffix
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword: nssldapsecretpwd
cn: nssldap

dn: cn=smbldap-tools,ou=DSA,$suffix
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword: smbldapsecretpwd
cn: smbldap-tools
HERE

# ldapadd stored the userPassword values above as cleartext; resetting them
# through ldappasswd makes slapd store them hashed (see password-hash)
ldappasswd -x -h localhost -D "cn=Manager,$suffix" -w not24get -s not24get "cn=samba,ou=DSA,$suffix"
ldappasswd -x -h localhost -D "cn=Manager,$suffix" -w not24get -s not24get "cn=nssldap,ou=DSA,$suffix"
ldappasswd -x -h localhost -D "cn=Manager,$suffix" -w not24get -s not24get "cn=smbldap-tools,ou=DSA,$suffix"
```

vi /etc/opt/IDEALX/smbldap-tools/smbldap.conf

```
# $Source: /var/www/twiki/data/IT/LDAPSambaPDC.txt,v $

# $Id: LDAPSambaPDC.txt,v 1.14 2005/04/09 13:55:55 ben Exp nobody $

#

# smbldap-tools.conf : Q & D configuration file for smbldap-tools

#  This code was developped by IDEALX (http://IDEALX.org/) and

#  contributors (their names can be found in the CONTRIBUTORS file).

#

#                 Copyright (C) 2001-2002 IDEALX

#

#  This program is free software; you can redistribute it and/or

#  modify it under the terms of the GNU General Public License

#  as published by the Free Software Foundation; either version 2

#  of the License, or (at your option) any later version.

#

#  This program is distributed in the hope that it will be useful,

#  but WITHOUT ANY WARRANTY; without even the implied warranty of

#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

#  GNU General Public License for more details.

#

#  You should have received a copy of the GNU General Public License

#  along with this program; if not, write to the Free Software

#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,

#  USA.

#  Purpose :

#       . be the configuration file for all smbldap-tools scripts

##############################################################################

#

# General Configuration

#

##############################################################################

# Put your own SID

# to obtain this number start samba and then do: net getlocalsid

#SID="S-1-5-21-2139989288-483860436-2398042574"

SID="S-1-5-21-4146402878-1729303586-3485869732"

##############################################################################

#

# LDAP Configuration

#

##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch

# Samba with the dual-head patch from IDEALX. If not using this patch

# just use the same server for slaveLDAP and masterLDAP.

# Those two servers declarations can also be used when you have

# . one master LDAP server where all writing operations must be done

# . one slave LDAP server where all reading operations must be done

#   (typically a replication directory)

# Ex: slaveLDAP=127.0.0.1

slaveLDAP="127.0.0.1"

slavePort="389"

# Master LDAP : needed for write operations

# Ex: masterLDAP=127.0.0.1

masterLDAP="127.0.0.1"

masterPort="389"

# Use TLS for LDAP

# If set to 1, this option will use start_tls for connection

# (you should also used the port 389)

ldapTLS="0"

# How to verify the server's certificate (none, optional or require)

# see "man Net::LDAP" in start_tls section for more details

verify="require"

# CA certificate

# see "man Net::LDAP" in start_tls section for more details

cafile="/etc/ssl/ldap.pem"

# certificate to use to connect to the ldap server

# see "man Net::LDAP" in start_tls section for more details

clientcert="/etc/ssl/ldap.pem"

# key certificate to use to connect to the ldap server

# see "man Net::LDAP" in start_tls section for more details

clientkey="/etc/openldap/ssl/ldap.pem"

# LDAP Suffix

# Ex: suffix=dc=IDEALX,dc=ORG

suffix="dc=idealx,dc=local"

# Where are stored Users

# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"

usersdn="ou=Users,${suffix}"

# Where are stored Computers

# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"

computersdn="ou=Users,${suffix}"

# Where are stored Groups

# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"

groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)

# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"

idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available

sambaUnixIdPooldn="sambaDomainName=IDEALX,${suffix}"

# Default scope Used

scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)

hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.

# default is "%s", but many systems will generate MD5 hashed

# passwords if you use "$1$%.8s". This parameter is optional!

crypt_salt_format="%s"

##############################################################################

#

# Unix Accounts Configuration

#

##############################################################################

# Login defs

# Default Login Shell

# Ex: userLoginShell="/bin/bash"

userLoginShell="/bin/bash"

# Home directory

# Ex: userHome="/home/%U"

userHome="/home/%U"

# Gecos

userGecos="System User"

# Default User (POSIX and Samba) GID

defaultUserGid="513"

# Default Computer (Samba) GID

defaultComputerGid="515"

# Skel dir

skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if

# you don't want password to be enable for defaultMaxPasswordAge days (be

# careful to the sambaPwdMustChange attribute's value)

defaultMaxPasswordAge="99"

##############################################################################

#

# SAMBA Configuration

#

##############################################################################

# The UNC path to home drives location (%U username substitution)

# Ex: \\My-PDC-netbios-name\homes\%U

# Just set it to a null string if you want to use the smb.conf 'logon home'

# directive and/or disable roaming profiles

userSmbHome="\\S010\homes\%U"

# The UNC path to profiles locations (%U username substitution)

# Ex: \\My-PDC-netbios-name\profiles\%U

# Just set it to a null string if you want to use the smb.conf 'logon path'

# directive and/or disable roaming profiles

userProfile="\\S010\profiles\%U"

# The default Home Drive Letter mapping

# (will be automatically mapped at logon time if home directory exist)

# Ex: H: for H:

userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)

# if not used, will be automatically username.cmd

# make sure script file is edited under dos

# Ex: %U.cmd

# userScript="startup.cmd" # make sure script file is edited under dos

userScript="%U.cmd"

# Domain appended to the users "mail"-attribute

# when smbldap-useradd -M is used

mailDomain="idealx.local"

##############################################################################

#

# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)

#

##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but

# prefer Crypt::SmbHash library

with_smbpasswd="0"

smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)

# but prefer Crypt:: libraries

with_slappasswd="0"

slappasswd="/usr/sbin/slappasswd"
```

vi /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf

```
############################

# Credential Configuration #

############################

# Notes: you can specify two differents configuration if you use a

# master ldap for writing access and a slave ldap server for reading access

# By default, we will use the same DN (so it will work for standard Samba

# release)

slaveDN="cn=Manager,dc=idealx,dc=local"

slavePw="not24get"

masterDN="cn=Manager,dc=idealx,dc=local"

masterPw="not24get"
```

Execute the following commands:

```
cd /etc/ssl

openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out ldap.pem -keyout /etc/openldap/ssl/ldap.pem -days 999999

/etc/init.d/slapd start

/etc/init.d/samba start

export ETC_SHADOW=/etc/shadow

cd /usr/share/migrationtools

./migrate_base.pl > /tmp/base.ldif

./migrate_group.pl /etc/group /tmp/group.ldif

./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif

./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif

ldapadd -D "cn=Manager,dc=idealx,dc=local" -w not24get -f /tmp/base.ldif

ldapadd -D "cn=Manager,dc=idealx,dc=local" -w not24get -f /tmp/group.ldif

ldapadd -D "cn=Manager,dc=idealx,dc=local" -w not24get -f /tmp/passwd.ldif

ldapadd -D "cn=Manager,dc=idealx,dc=local" -w not24get -f /tmp/hosts.ldif

cd

chmod +x smbldap-dsa

./smbldap-dsa

rc-update add slapd default

rc-update add samba default
```

Last edited by nabbed on Sun Apr 10, 2005 7:10 am; edited 2 times in total
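The slapd.conf above stores the rootpw as an unsalted {MD5} value and leaves the hashing scheme for user passwords to the server. As an added example (not part of the post or of the IDEALX tools), the script below builds and verifies the {SSHA} and {MD5} formats that slapd, slappasswd and smbldap-tools' hash_encrypt all exchange, using only openssl and POSIX utilities; it assumes openssl is installed, and every password and salt in it is a constructed test value.

```sh
#!/bin/sh
# Added example, not from the thread: the two userPassword/rootpw formats in play.
#   {MD5}  = base64( MD5(password) )                  unsalted: same password, same hash
#   {SSHA} = base64( SHA1(password || salt) || salt )  salt appended after the 20-byte digest
# Assumes openssl; passwords and salts below are constructed test values.

md5_hash() {  # $1 = password -> "{MD5}..."
    printf '{MD5}%s' "$(printf '%s' "$1" | openssl dgst -md5 -binary | openssl base64 -A)"
}

ssha_hash() {  # $1 = password, $2 = salt bytes -> "{SSHA}..."
    printf '{SSHA}%s' "$({ printf '%s%s' "$1" "$2" | openssl dgst -sha1 -binary
                           printf '%s' "$2"; } | openssl base64 -A)"
}

ssha_new() {  # $1 = password; fresh 4-byte salt, the length slappasswd uses by default
    ssha_hash "$1" "$(openssl rand -hex 2)"
}

ssha_verify() {  # $1 = password, $2 = "{SSHA}..."; 0 = match, 1 = mismatch, 2 = not {SSHA}
    case $2 in '{SSHA}'*) ;; *) return 2 ;; esac
    b64=$(printf '%s\n' "$2" | cut -c7-)
    # stored digest = first 20 decoded bytes; salt = whatever follows (any length)
    stored=$(printf '%s' "$b64" | openssl base64 -d -A | head -c 20 | od -An -v -tx1 | tr -d ' \n')
    candidate=$({ printf '%s' "$1"
                  printf '%s' "$b64" | openssl base64 -d -A | tail -c +21; } |
                openssl dgst -sha1 -binary | od -An -v -tx1 | tr -d ' \n')
    [ "$stored" = "$candidate" ]
}

# Demonstration: salted values differ per call, the unsalted one never does
h=$(ssha_new not24get)
ssha_verify not24get "$h" && echo "verified against $h"
echo "same password, two {SSHA} values: $(ssha_new not24get) $(ssha_new not24get)"
echo "same password, one {MD5} value:   $(md5_hash not24get) $(md5_hash not24get)"
```

The value ssha_new prints can be pasted straight into slapd.conf as rootpw, or compared against an entry's userPassword with ssha_verify; the {MD5} pair on the last line is why an unsalted scheme lets anyone who can read the directory spot reused passwords.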

----------

## nabbed

Here is my smb.conf so far

vi /etc/samba/smb.conf

```
# Global parameters

[global]

        dos charset = 850

        unix charset = ISO8859-1

        workgroup = EWIDE

        server string = Samba LDAP PDC Server %v

        interfaces = 192.168.1.10

        min password length = 3

        map to guest = Bad User

        passdb backend = ldapsam:ldap://127.0.0.1/

        enable privileges = Yes

        username map = /etc/samba/smbusers

        syslog = 0

        log file = /var/log/samba/log.%m

        max log size = 100000

        time server = Yes

        deadtime = 10

        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

        printcap name = cups

        add user script = /usr/sbin/smbldap-useradd -m "%u"

        add group script = /usr/sbin/smbldap-groupadd -p "%g"

        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"

        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"

        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

        add machine script = /usr/sbin/smbldap-useradd -w "%u"

        logon script = logon.bat

        logon path =

        logon drive = H:

        logon home =

        domain logons = Yes

        os level = 65

        preferred master = Yes

        domain master = Yes

        wins support = Yes

        ldap admin dn = cn=Manager,dc=idealx,dc=local

        ldap delete dn = Yes

        ldap group suffix = ou=Group

        ldap idmap suffix = ou=People

        ldap machine suffix = ou=People

        ldap passwd sync = Yes

        ldap suffix = dc=idealx,dc=local

        ldap ssl = start tls

        ldap user suffix = ou=People

        printer admin = "@Print Operators"

        create mask = 0640

        directory mask = 0750

        nt acl support = No

        case sensitive = No

        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

[homes]

        comment = Home Directories %U, %u

        valid users = %U

        read only = No

        create mask = 0644

        directory mask = 0775

        browseable = No

[netlogon]

        path = /var/lib/samba/netlogon/

        browseable = No

[doc]

        path = /usr/share/doc

        read only = No

        create mask = 0750

        guest ok = Yes

[profiles]

        path = /var/lib/samba/profiles

        valid users = %U, "@Domain Admins"

        force user = %U

        read only = No

        create mask = 0600

        directory mask = 0700

        guest ok = Yes

        profile acls = Yes

        browseable = No

        csc policy = disable

[printers]

        comment = Network Printers

        path = /home/spool/

        guest ok = Yes

        printable = Yes

        print command = /usr/bin/lpr -P%p -r %s

        lpq command = /usr/bin/lpq -P%p

        lprm command = /usr/bin/lprm -P%p %j

        browseable = No

[print$]

        path = /var/lib/samba/printers

        valid users = "@Print Operators"

        write list = "@Print Operators"

        create mask = 0664

        directory mask = 0775

[public]

        comment = Repertoire public

        path = /home/public

        read only = No

        create mask = 0664

        directory mask = 0775

        guest ok = Yes

```
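Across the two posts above, Samba (smb.conf), smbldap-tools (smbldap.conf) and nss_ldap (/etc/ldap.conf) are each told where users, groups, machines and the id pool live, and they are told different things. The script below is an added example, not from either post: it pulls those settings out of the three files and reports every disagreement, which is the first thing to rule out when a join reports that a user cannot be found. The embedded config excerpts are constructed and carry the posted values; the *_FIXED variants carry one consistent layout. The file paths used with --live are the ones the posts use and are assumed.

```sh
#!/bin/sh
# Added example, not from the thread: cross-check the LDAP containers that
# smb.conf, smbldap.conf and /etc/ldap.conf each point at, plus the
# sambaDomainName entry that holds the uid/gid pool.

# --- constructed excerpts carrying the posted values ---
SMB_CONF='[global]
        workgroup = EWIDE
        ldap suffix = dc=idealx,dc=local
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
        ldap machine suffix = ou=People
        ldap idmap suffix = ou=People'
SMBLDAP_CONF='suffix="dc=idealx,dc=local"
usersdn="ou=Users,${suffix}"
computersdn="ou=Users,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=IDEALX,${suffix}"'
LDAP_CONF='nss_base_passwd ou=People,dc=idealx,dc=local
nss_base_group  ou=Group,dc=idealx,dc=local'
# --- one consistent layout ---
SMB_CONF_FIXED='[global]
        workgroup = EWIDE
        ldap suffix = dc=idealx,dc=local
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Users
        ldap idmap suffix = ou=Idmap'
SMBLDAP_CONF_FIXED=$(printf '%s\n' "$SMBLDAP_CONF" | sed 's/sambaDomainName=IDEALX/sambaDomainName=EWIDE/')
LDAP_CONF_FIXED='nss_base_passwd ou=Users,dc=idealx,dc=local
nss_base_group  ou=Groups,dc=idealx,dc=local'

# "key = value" lookup in smb.conf text (first match, surrounding blanks stripped)
smb_value() {  # $1 = text, $2 = key
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1 | sed 's/[[:space:]]*$//'
}
# a Samba "ldap ... suffix" is relative to "ldap suffix": build the full DN
smb_dn() {  # $1 = text, $2 = key
    printf '%s,%s' "$(smb_value "$1" "$2")" "$(smb_value "$1" 'ldap suffix')"
}
# key="value" lookup in smbldap.conf text, with ${suffix} expanded as the tools do
smbldap_value() {  # $1 = text, $2 = key
    v=$(printf '%s\n' "$1" | sed -n "s/^$2=\"\(.*\)\"[[:space:]]*\$/\1/p" | head -n 1)
    case $v in
        *'${suffix}'*) s=$(smbldap_value "$1" suffix); v=${v%%'${suffix}'*}$s${v#*'${suffix}'} ;;
    esac
    printf '%s' "$v"
}
# "key value" lookup in pam_ldap/nss_ldap ldap.conf text
nss_value() {  # $1 = text, $2 = key
    printf '%s\n' "$1" | sed -n "s/^$2[[:space:]][[:space:]]*//p" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Prints one line per disagreement and returns their number (0 = consistent).
check_containers() {  # $1 = smb.conf text, $2 = smbldap.conf text, $3 = ldap.conf text
    bad=0
    for triple in 'users:ldap user suffix:usersdn:nss_base_passwd' \
                  'groups:ldap group suffix:groupsdn:nss_base_group' \
                  'machines:ldap machine suffix:computersdn:' \
                  'idmap:ldap idmap suffix:idmapdn:'; do
        name=${triple%%:*};  rest=${triple#*:}
        smbkey=${rest%%:*};  rest=${rest#*:}
        toolkey=${rest%%:*}; nsskey=${rest#*:}
        samba=$(smb_dn "$1" "$smbkey"); tools=$(smbldap_value "$2" "$toolkey")
        if [ "$samba" != "$tools" ]; then
            printf 'MISMATCH %s: smb.conf=%s smbldap.conf=%s\n' "$name" "$samba" "$tools"; bad=$((bad + 1))
        fi
        if [ -n "$nsskey" ]; then
            nss=$(nss_value "$3" "$nsskey")
            if [ "$nss" != "$tools" ]; then
                printf 'MISMATCH %s: ldap.conf=%s smbldap.conf=%s\n' "$name" "$nss" "$tools"; bad=$((bad + 1))
            fi
        fi
    done
    # smbldap-populate creates the pool entry as sambaDomainName=<workgroup>
    wg=$(smb_value "$1" workgroup); pool=$(smbldap_value "$2" sambaUnixIdPooldn)
    case $pool in
        "sambaDomainName=$wg,"*) ;;
        *) printf 'MISMATCH domain: workgroup=%s sambaUnixIdPooldn=%s\n' "$wg" "$pool"; bad=$((bad + 1)) ;;
    esac
    return $bad
}

# --live reads the real files (paths as in the posts); otherwise compare posted vs fixed
if [ "${1:-}" = --live ]; then
    check_containers "$(cat /etc/samba/smb.conf)" "$(cat /etc/opt/IDEALX/smbldap-tools/smbldap.conf)" "$(cat /etc/ldap.conf)"
else
    echo "posted configuration:"; check_containers "$SMB_CONF" "$SMBLDAP_CONF" "$LDAP_CONF" || echo "  $? mismatch(es)"
    echo "fixed configuration:";  check_containers "$SMB_CONF_FIXED" "$SMBLDAP_CONF_FIXED" "$LDAP_CONF_FIXED" && echo "  consistent"
fi
```

Run without arguments it lists seven mismatches for the posted values (users, groups, machines and idmap between Samba and smbldap-tools, users and groups between nss_ldap and smbldap-tools, and the IDEALX/EWIDE domain name) and none for the fixed set; with --live it checks the installed files, and a non-zero exit is the number of things still to align.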

----------

## Fr0d083

Have you gotten this working? 

I have been trying to do this for a while and you have posted the most info I have seen yet.

----------

## nabbed

Not yet. The stuff I have posted is Gentoo LDAP howto stuff with IDEALX stuff done after that.

I have decided to follow IDEALX and do the Gentoo LDAP howto stuff after, if needed.

If I ever complete the steps, then I will post them here.

----------

## clockwise

Currently trying to do the same thing; I would be grateful to see if you got any further, or if you have any ideas on my current problem: https://forums.gentoo.org/viewtopic-t-333467.html.

----------

## GuN_jAcK

MigrationTools does not exist in the portage tree... where is it?

----------

## depontius

*GuN_jAcK wrote:*

> MigrationTools does not exist in the portage tree... where is it?

I remember seeing it get yanked a bit back. But the original is at: http://www.padl.com/OSS/MigrationTools.html

Along this line, before putting a group of machines onto ldap, it's a good idea to have their passwd and group files matched. Most of this is easy, but I have some group mismatches that I need to take care of. Is anyone aware of a tool to help with this, or is it time to rtfm for "find"?
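As an added example answering the question above (not something depontius posted, and not a PADL tool), the script below does the mismatch check with awk: given the passwd, or group, file from two hosts it reports names whose numeric id differs between them and ids that belong to different names, which are the two cases that corrupt file ownership once both hosts resolve accounts from the same directory. HOST_A and HOST_B are constructed samples; the ssh invocation in the comment is an assumed way to fetch the real files.

```sh
#!/bin/sh
# Added example, not from the thread: find passwd/group entries that two hosts
# disagree on before both are pointed at one LDAP directory. Works on passwd
# and group files alike (name in field 1, numeric id in field 3).
# HOST_A / HOST_B are constructed samples; in practice feed it something like
#   id_conflicts "$(cat /etc/passwd)" "$(ssh otherhost cat /etc/passwd)"

HOST_A='root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash'
HOST_B='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1001:1001:Carol:/home/carol:/bin/bash'

# Prints  NAME <name> <idA> <idB>   for a name whose id differs between hosts,
#         ID <id> <nameA> <nameB>   for an id owned by different names,
#         ONLY_A/ONLY_B <name>      for accounts present on one host only (informational).
# Returns the number of NAME/ID conflicts.
id_conflicts() {  # $1 = passwd/group text from host A, $2 = the same from host B
    { printf '%s\n' "$1" | awk -F: 'NF >= 3 { print "A", $1, $3 }'
      printf '%s\n' "$2" | awk -F: 'NF >= 3 { print "B", $1, $3 }'; } |
    awk '
        $1 == "A" { aid[$2] = $3; aname[$3] = $2; next }
        $1 == "B" { bid[$2] = $3; bname[$3] = $2 }
        END {
            n = 0
            for (u in aid) {
                if (!(u in bid))      { print "ONLY_A", u; continue }
                if (aid[u] != bid[u]) { print "NAME", u, aid[u], bid[u]; n++ }
            }
            for (u in bid) if (!(u in aid)) print "ONLY_B", u
            for (i in aname)
                if (i in bname && aname[i] != bname[i]) { print "ID", i, aname[i], bname[i]; n++ }
            exit n
        }'
}

id_conflicts "$HOST_A" "$HOST_B" || echo "$? conflict(s) to resolve before migrating"
```

For the samples this reports bob (1001 on one host, 1002 on the other) and uid 1001 (bob on one, carol on the other) as the two conflicts, and lists backup and carol as present on one side only; the ONLY_* lines are not conflicts, they just need creating in the directory.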

----------

## overkll

*GuN_jAcK wrote:*

> MigrationTools does not exist in the portage tree... where is it?

FYI, any time an ebuild is removed from the portage tree, you can always find it in, and download it from, CVS. Then just create your overlay and emerge.

Gentoo CVS can be accessed from the "www.gentoo.org" main page under "view our CVS" in the left column/frame.  Then browse through the tree to find your category and app.

You'll have to click "show dead files" to find ebuilds that have been removed from the portage tree.

----------

## depontius

Thanks for the pointer, and here's another one... You can have multiple portage overlays. Some people where I work have put together a portage overlay of company software, normally distributed as rpms. I have my own overlay of stuff I've picked up. You can have:

```
PORTDIR_OVERLAY="/usr/local/portage/mine /usr/local/portage/employer"
```

----------

