# Gentoo 2008 Samba dc Ldap HowTo - (Français/English)

## christophe_y2k

Hello everyone (sorry for my English, but I'm French),

My goal is to provide a working, usable method for configuring a Gentoo 2008.0 Linux server as a Samba primary domain controller (PDC) with centralized user management through OpenLDAP.

I am posting my configuration files and method here as I go along.

My sources are of course the Gentoo HOWTOs and wiki pages on the subject; I thank all their authors and contributors.

The goal is to manage between 100 and 200 PCs running Microsoft Windows XP Pro with about 500 users.

Thank you for your help.

Server hardware:

My makeshift server is an old Intel i925X PC with a Pentium 4 6xx series 3.0 GHz EM64T CPU, 4x1024 MB DDR2 and 3 SATA hard disks, installed from install-amd64-minimal-20090108: a basic install with software RAID5 (mdadm), XFS and UTF-8 Unicode, plus a working dyndns.org account (reachable at gentoo.cannet.dyndns.org).

```
# nano -w /etc/make.conf

# VERSION 0.3 of Sunday 1 February 2009 17:50
CFLAGS="-O2 -march=nocona -pipe"
CHOST="x86_64-pc-linux-gnu"
CXXFLAGS="${CFLAGS}"
MAKEOPTS="-j3"
USE="acl apache2 bcmath branding bzip2 cgi cli crypt ctype cups curl curlwrappers exif gd hash iconv imap innodb ipv6 jpeg jpeg2k kerberos ldap ldap-sasl libwww mmx mysql mysqli nas ncurses nls nntp oav openssl pam pcre pdf perl php png python quotas raw readline reflection samba sasl sendmail session simplexml spl sse sse2 ssl syslog tcpd tiff truetype unicode usb vhosts xfs xinetd xml xmlreader xmlrpc xmlwriter zip zlib"
LINGUAS="fr fr_FR"
```

Network configuration:

```
# nano -w /etc/conf.d/net

nis_domain_lo="HARDWORKERS"
config_eth0=( "192.168.1.2 netmask 255.255.255.0 brd 192.168.1.255" )
routes_eth0=( "default via 192.168.1.1" )
mtu_eth0="1500"
```

To start the network interface at boot:

```
# rc-update add net.eth0 default
```

```
# nano -w /etc/hosts

# VERSION 0.3 of Monday 11 August 2008 15:47
127.0.0.1    gentoo.cannet.dyndns.org   gentoo     localhost
::1          localhost
```

To begin, install the software:

```
# emerge --sync
# emerge -av samba openldap nss_ldap pam_ldap smbldap-tools
# emerge webmin
# emerge --update --deep --newuse world
# emerge --depclean
# revdep-rebuild
```

I use Webmin because it is convenient for editing the configuration files through its web interface and built-in file manager.

I also use SSH to connect from a Windows PC with the PuTTY SSH client.

```
# whereis webmin
webmin: /etc/webmin /usr/libexec/webmin

# /usr/libexec/webmin/changepass.pl /etc/webmin root "Passwordxxxx"
# rc-update add webmin default
# /etc/init.d/sshd start
```

To access Webmin:

```
https://gentoo:10000

Login="root" Password="Passwordxxxx"
```

Then set up the .conf configuration files of the various services.

```
# nano -w /etc/openldap/slapd.conf

# VERSION 0.1 of Thursday 7 August 2008 16:23
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

password-hash {SSHA}

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

modulepath /usr/lib64/openldap/openldap
moduleload back_hdb.so

# BDB database definitions #
database hdb
suffix "dc=cannet,dc=dyndns,dc=org"
checkpoint 32 30
rootdn "cn=Manager,dc=cannet,dc=dyndns,dc=org"
rootpw {SSHA}5CmpqN7EUPrHDPzRJDcSnLivfoOmA4CG
directory /var/lib/openldap-data

index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
```

NOTE:

To obtain the {SSHA}xxxxx value for the line rootpw {SSHA}5CmpqN7EUPrHDPzRJDcSnLivfoOmA4CG of the previous configuration file, use the following command:

```
# slappasswd
New password: mon_mot_de_passe
Re-enter new password: mon_mot_de_passe
{SSHA}5CmpqN7EUPrHDPzRJDcSnLivfoOmA4CG
```

```
# nano -w /etc/openldap/ldap.conf

# VERSION 0.2 of Monday 11 August 2008 16:55
BASE   dc=cannet,dc=dyndns,dc=org
HOST   127.0.0.1
```

```
# nano -w /etc/conf.d/slapd

# VERSION 0.2 of Thursday 7 August 2008 17:20
OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
```

Copy the following file under its new name, keeping USER=ldap and GROUP=ldap as owner and group:

/var/lib/openldap-data/DB_CONFIG.example --> /var/lib/openldap-data/DB_CONFIG

```
# cp /var/lib/openldap-data/DB_CONFIG.example /var/lib/openldap-data/DB_CONFIG
# chown -R ldap:ldap /var/lib/openldap-*
```

Test the OpenLDAP server configuration file:

```
# slaptest -u
config file testing succeeded
```

Then start the server:

```
# /etc/init.d/slapd start
* Caching service dependencies ...[ ok ]
* Starting ldap-server ...[ ok ]
```

The beginning of the LDAP database structure is now created in /var/lib/openldap-data:

```
# ls -l /var/lib/openldap-data
total 5320
-rw-r--r-- 1 ldap ldap      2048 fév  1 17:55 alock
-rw------- 1 ldap ldap     24576 fév  1 17:55 __db.001
-rw------- 1 ldap ldap   4276224 fév  1 17:55 __db.002
-rw------- 1 ldap ldap 335552512 fév  1 17:55 __db.003
-rw------- 1 ldap ldap   2359296 fév  1 17:55 __db.004
-rw------- 1 ldap ldap    557056 fév  1 17:55 __db.005
-rw------- 1 ldap ldap     24576 fév  1 17:55 __db.006
-rw------- 1 ldap ldap       921 fév  1 16:50 DB_CONFIG
-rw------- 2 ldap ldap       921 fév  1 16:50 DB_CONFIG.example
-rw------- 1 ldap ldap      8192 fév  1 17:55 dn2id.bdb
-rw------- 1 ldap ldap     32768 fév  1 17:55 id2entry.bdb
-rw------- 1 ldap ldap  10485760 fév  1 17:55 log.0000000001
```

To have the LDAP service start automatically when the server boots:

```
# rc-update add slapd default
* slapd added to runlevel default
```

Setting up system authentication through LDAP:

```
# nano -w /etc/pam.d/system-auth

# Version 0.3 of Sunday 8 February 2009 11:50
auth      required   pam_env.so
auth      sufficient   pam_unix.so      likeauth nullok # required<--sufficient & remove try_first_pass
#----Add\
auth      sufficient   pam_ldap.so      use_first_pass
auth      required   pam_deny.so
#----End/

account   sufficient   pam_unix.so      # required<--sufficient
#----Add\
account   sufficient   pam_ldap.so      use_first_pass
account   required   pam_deny.so
#----End/

password   required   pam_cracklib.so   difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password   sufficient   pam_unix.so      try_first_pass use_authtok nullok md5 shadow   # required<--sufficient
#----Add\
password   sufficient   pam_ldap.so      use_authtok
password   required   pam_deny.so
#----End/

session   required   pam_limits.so
session   required   pam_env.so
session   required   pam_unix.so
#----Add\
session   optional   pam_ldap.so
#----End/
```

```
# nano -w /etc/nsswitch.conf

# VERSION 0.2 of Sunday 1 February 2009 18:30
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $

passwd:      compat ldap #<-- We add ldap here
shadow:      compat ldap #<-- We add ldap here
group:       compat ldap #<-- We add ldap here

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files
```

```
# nano -w /etc/ldap.conf

# @(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $
# VERSION 0.3 of Monday 11 August 2008 16:57
BASE   dc=cannet,dc=dyndns,dc=org
HOST   127.0.0.1
ldap_version 3
rootbinddn cn=Manager,dc=cannet,dc=dyndns,dc=org
scope sub
bind_policy soft
pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_check_host_attr no
pam_member_attribute memberUid
pam_password exop
nss_base_passwd ou=Computers,dc=cannet,dc=dyndns,dc=org?sub
nss_base_passwd ou=Users,dc=cannet,dc=dyndns,dc=org?sub
nss_base_shadow ou=Users,dc=cannet,dc=dyndns,dc=org?sub
# The group OU must match "ldap group suffix = ou=Groups" in smb.conf and
# groupsdn in smbldap.conf: the entry smbldap-populate creates is ou=Groups,
# so a base of ou=Group leaves NSS unable to resolve LDAP groups (numeric gids)
nss_base_group ou=Groups,dc=cannet,dc=dyndns,dc=org?one

# For Gentoo's distribution of nss_ldap, as of 250-r1, we use these values
# (The hardwired constants in the code are changed to them as well):
nss_reconnect_tries 4      # number of times to double the sleep time
nss_reconnect_sleeptime 1      # initial sleep value
nss_reconnect_maxsleeptime 16   # max sleep value to cap at
nss_reconnect_maxconntries 2   # how many tries before sleeping
```

Here is the Samba configuration file:

```
# nano -w /etc/samba/smb.conf

#
# File /etc/samba/smb.conf
# VERSION 1.0 of Sunday 1 February 2009 18:51
#
[global]
#
workgroup = HARDWORKERS
netbios name = GENTOO
server string = Serveur Linux Gentoo64
#
log file = /var/log/samba/log.%m
max log size = 1024
syslog = 0
#
security = user
encrypt passwords = yes
null passwords = no
guest account = nobody
#
# ACL support
#nt acl support = yes
# Profile handling for 2000/XP
#profile acls = yes
#
# Recycle bin
#vfs objects = recycle
#recycle:versions = true
#
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#
domain logons = yes
domain master = yes
preferred master = yes
os level = 66
local master = yes
#
#printing = cups
#printcap name = cups
#
name resolve order = wins lmhosts host bcast
wins support = yes
wins proxy = yes
dns proxy = no
#
display charset = ISO8859-15
unix charset = utf8
dos charset = 850
#
hide dot files = yes
hide unreadable = yes
time server = yes
#
# Preserve file names and their case
preserve case = yes
short preserve case = yes
#
logon script = startup.cmd %U %L
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\%L\%U
#
# LDAP options
#
winbind nested groups = no
passdb backend = ldapsam:ldap://127.0.0.1/
#
ldap suffix = dc=cannet,dc=dyndns,dc=org
ldap admin dn = cn=Manager,dc=cannet,dc=dyndns,dc=org
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
#ldap delete dn = yes
ldap passwd sync = yes
#
#SMBLDAP-TOOLS
#
add user script = /usr/sbin/smbldap-useradd -m "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user script = /usr/sbin/smbldap-userdel "%u"
delete group script = /usr/sbin/smbldap-groupdel "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
#passwd program = /usr/sbin/smbldap-passwd -u %u
#
[homes]
   comment = Repertoire personnel de %U
   path = /home/%U
   valid users = %U
   browseable = no
   hide dot files = yes
   guest ok = no
   create mask = 0600
   directory mask = 0700
   writable = yes
#NB: I use veto files directive for antivirus workaround (clamwin doesn't work)
   veto files = /autorun.inf/Boot.exe/Recycled/lost+found/.recycle/
   hide files = /desktop.ini/

[COMMUN]
   comment = Espace commun
   path = /home/COMMUN
   valid users = %U
   browseable = yes
   hide dot files = yes
   guest ok = no
   create mask = 0640
   directory mask = 1755
   writable = yes
   veto files = /autorun.inf/Boot.exe/Recycled/lost+found/.recycle/
   hide files = /desktop.ini/

[netlogon]
   comment = Service de Login du reseau
   path = /var/lib/samba/netlogon/
   browseable = no
   read only = yes
   public = no
   writable = no
   locking = no

[profiles]
   path = /var/lib/samba/profiles
   browseable = no
   write list = @smbusers @root
   create mask = 0600
   directory mask = 0700
   read only = no
   writable = yes
   csc policy = disable

#[printers]
#   comment = Network Printers
#   path = /home/spool/
#   guest ok = Yes
#   printable = Yes
#   browseable = No
#
#[print$]
#   path = /var/lib/samba/printers
#   valid users = "@Print Operators"
#   write list = "@Print Operators"
#   create mask = 0664
#   directory mask = 0775
```

Creating the administrator password for Samba (the LDAP admin DN password, stored in secrets.tdb):

```
# smbpasswd -w mon_mot_de_passe
Setting stored password for "cn=Manager,dc=cannet,dc=dyndns,dc=org" in secrets.tdb
```

To test the Samba configuration file:

```
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[COMMUN]"
Processing section "[netlogon]"
Processing section "[profiles]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
```

Add the Samba service to the boot sequence:

```
# rc-update add samba default
 * samba added to runlevel default
```

Starting the Samba service:

```
# /etc/init.d/samba start
 * samba -> start: smbd ...[ ok ]
 * samba -> start: nmbd ...[ ok ]
```

Retrieving the SID of the domain:

```
# net getlocalsid
SID for domain GENTOO is: S-1-5-21-3186872377-437259626-3819519935
```

```
# nano -w /etc/smbldap-tools/smbldap.conf

# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
# File /etc/smbldap-tools/smbldap.conf
# VERSION 0.5 of Sunday 1 February 2009 19:42

# General Configuration
# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-3186872377-437259626-3819519935"
sambaDomain=""

# LDAP Configuration
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
verify="none"
suffix="dc=cannet,dc=dyndns,dc=org"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
#sambaUnixIdPooldn="sambaDomainName=HARDWORKERS,${suffix}"
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

# Unix Accounts Configuration
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="365"

# SAMBA Configuration
userSmbHome=""
userProfile=""
userHomeDrive=""
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript=""
mailDomain="cannet.dyndns.org"

# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
```

```
# nano -w /etc/smbldap-tools/smbldap_bind.conf

# VERSION 0.1 of Friday 8 August 2008 15:44
# Credential Configuration #
masterDN="cn=Manager,dc=cannet,dc=dyndns,dc=org"
masterPw="mon_mot_de_passe"
```

```
# /etc/init.d/nscd start
 * Starting Name Service Cache Daemon ...
```

```
# rc-update add nscd default
 * nscd added to runlevel default
```

```
# smbldap-populate
Populating LDAP directory for domain HARDWORKERS (S-1-5-21-3186872377-437259626-3819519935)
(using builtin directory structure)

adding new entry: dc=cannet,dc=dyndns,dc=org
adding new entry: ou=Users,dc=cannet,dc=dyndns,dc=org
adding new entry: ou=Groups,dc=cannet,dc=dyndns,dc=org
adding new entry: ou=Computers,dc=cannet,dc=dyndns,dc=org
adding new entry: ou=Idmap,dc=cannet,dc=dyndns,dc=org
adding new entry: uid=root,ou=Users,dc=cannet,dc=dyndns,dc=org
adding new entry: uid=nobody,ou=Users,dc=cannet,dc=dyndns,dc=org
adding new entry: cn=Domain Admins,ou=Groups,dc=cannet,dc=dyndns,dc=org
adding new entry: cn=Domain Users,ou=Groups,dc=cannet,dc=dyndns,dc=org
adding new entry: cn=Domain Guests,ou=Groups,dc=cannet,dc=dyndns,dc=org
adding new entry: cn=Domain Computers,ou=Groups,dc=cannet,dc=dyndns,dc=org
adding new entry: cn=Administrators,ou=Groups,dc=cannet,dc=dyndns,dc=org
adding new entry: cn=Account Operators,ou=Groups,dc=cannet,dc=dyndns,dc=org
adding new entry: cn=Print Operators,ou=Groups,dc=cannet,dc=dyndns,dc=org
adding new entry: cn=Backup Operators,ou=Groups,dc=cannet,dc=dyndns,dc=org
adding new entry: cn=Replicators,ou=Groups,dc=cannet,dc=dyndns,dc=org
adding new entry: sambaDomainName=HARDWORKERS,dc=cannet,dc=dyndns,dc=org

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
```

First test: search the LDAP directory, binding as the Manager user:

```
# ldapsearch -D "cn=Manager,dc=cannet,dc=dyndns,dc=org" -x -W
Enter LDAP Password:mon_mot_de_passe
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# cannet.dyndns.org
dn: dc=cannet,dc=dyndns,dc=org
objectClass: dcObject
objectClass: organization
o: cannet
dc: cannet

# Users, cannet.dyndns.org
dn: ou=Users,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Users

# Groups, cannet.dyndns.org
dn: ou=Groups,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Groups

# Computers, cannet.dyndns.org
dn: ou=Computers,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Computers

# Idmap, cannet.dyndns.org
dn: ou=Idmap,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Idmap

# root, Users, cannet.dyndns.org
dn: uid=root,ou=Users,dc=cannet,dc=dyndns,dc=org
cn: root
sn: root
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: root
uidNumber: 0
homeDirectory: /home/root
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPrimaryGroupSID: S-1-5-21-3186872377-437259626-3819519935-512
sambaSID: S-1-5-21-3186872377-437259626-3819519935-500
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: BC8DF733E8DA0A1F511A02B6CACB6D18
sambaAcctFlags: [U]
sambaNTPassword: 7459BFEF7DCB7C2A72CBFB01D6A8D4F8
sambaPwdLastSet: 1233514448
sambaPwdMustChange: 1265050448
userPassword:: e1NTSEF9dEhGNUlDUkR3aTJIUmxaQ2hUR0Nrc05KV3AxTUxtbDE=
shadowLastChange: 14276
shadowMax: 365

# nobody, Users, cannet.dyndns.org
dn: uid=nobody,ou=Users,dc=cannet,dc=dyndns,dc=org
cn: nobody
sn: nobody
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 514
uid: nobody
uidNumber: 999
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaPrimaryGroupSID: S-1-5-21-3186872377-437259626-3819519935-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NUD        ]
sambaSID: S-1-5-21-3186872377-437259626-3819519935-2998
loginShell: /bin/false

# Domain Admins, Groups, cannet.dyndns.org
dn: cn=Domain Admins,ou=Groups,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-3186872377-437259626-3819519935-512
sambaGroupType: 2
displayName: Domain Admins

# Domain Users, Groups, cannet.dyndns.org
dn: cn=Domain Users,ou=Groups,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-3186872377-437259626-3819519935-513
sambaGroupType: 2
displayName: Domain Users

# Domain Guests, Groups, cannet.dyndns.org
dn: cn=Domain Guests,ou=Groups,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-3186872377-437259626-3819519935-514
sambaGroupType: 2
displayName: Domain Guests

# Domain Computers, Groups, cannet.dyndns.org
dn: cn=Domain Computers,ou=Groups,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-3186872377-437259626-3819519935-515
sambaGroupType: 2
displayName: Domain Computers

# Administrators, Groups, cannet.dyndns.org
dn: cn=Administrators,ou=Groups,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDom
 ainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators

# Account Operators, Groups, cannet.dyndns.org
dn: cn=Account Operators,ou=Groups,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 5
displayName: Account Operators

# Print Operators, Groups, cannet.dyndns.org
dn: cn=Print Operators,ou=Groups,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators

# Backup Operators, Groups, cannet.dyndns.org
dn: cn=Backup Operators,ou=Groups,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators

# Replicators, Groups, cannet.dyndns.org
dn: cn=Replicators,ou=Groups,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators

# HARDWORKERS, cannet.dyndns.org
dn: sambaDomainName=HARDWORKERS,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: HARDWORKERS
sambaSID: S-1-5-21-3186872377-437259626-3819519935
uidNumber: 1000
gidNumber: 1000
sambaNextRid: 1000
sambaPwdHistoryLength: 0

# search result
search: 2
result: 0 Success

# numResponses: 18
# numEntries: 17
```

Change the owner and permissions of the directories:

/home: User=root Group=root Rights: User=[Read Write List] Group=[Read List] Other=[Read List]

/home/COMMUN: User=root Group=513 Rights: User=[Read Write List] Group=[Read Write List] Other=[Read List] [Sticky set]

/home/COMMUN/xxx: User=xxx Group=513 Rights: User=[Read Write List] Group=[Read List] Other=[Read List] [Sticky set]

/var/lib/samba/profiles: User=root Group=root Rights: User=[Read Write List] Group=[Read List] Other=[Read Write List] [Sticky set]

```
# chmod -R 1757 /var/lib/samba/profiles
# chmod -R 0755 /home
# chmod -R 1755 /home/COMMUN
# chmod 1775 /home/COMMUN
# chown -R root:513 /home/COMMUN
```

To add a user (Linux and Samba):

Note: the username must be in lower case, with no accents, spaces or special characters.

```
# smbldap-useradd -a -m -P dapremont.christophe
Changing password for dapremont.christophe
New password : xxxxxxxxxx
Retype new password : xxxxxxxxxx
```

To add a list of users with a script (Linux and Samba):

```
# nano -w addusers.sh

#!/bin/bash
# each line feeds the password twice to the -P prompts of smbldap-useradd
echo -e "password1\npassword1\n" | smbldap-useradd -a -m -P lastname1.firstname1
echo -e "password2\npassword2\n" | smbldap-useradd -a -m -P lastname2.firstname2
echo -e "password3\npassword3\n" | smbldap-useradd -a -m -P lastname3.firstname3
echo -e "password4\npassword4\n" | smbldap-useradd -a -m -P lastname4.firstname4
```

Do not forget to make the script executable:

```
# chmod +x addusers.sh
```

To list all users:

```
# pdbedit -L
root:0:root
nobody:65534:nobody
dapremont.christophe:1000:dapremont.christophe
```

To display the details of one user:

```
# pdbedit -Lv dapremont.christophe
Unix username:        dapremont.christophe
NT username:          dapremont.christophe
Account Flags:        [U          ]
User SID:             S-1-5-21-3186872377-437259626-3819519935-3000
Primary Group SID:    S-1-5-21-3186872377-437259626-3819519935-513
Full Name:            dapremont.christophe
Home Directory:       \\gentoo\dapremont.christophe
HomeDir Drive:        H:
Logon Script:         startup.cmd dapremont.christophe gentoo
Profile Path:         \\gentoo\profiles\dapremont.christophe
Domain:               HARDWORKERS
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 04:14:07 CET
Kickoff time:         Tue, 19 Jan 2038 04:14:07 CET
Password last set:    Mon, 02 Feb 2009 13:23:19 CET
Password can change:  Mon, 02 Feb 2009 13:23:19 CET
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
```

To check that the user account is valid for Linux:

```
# ssh dapremont.christophe@gentoo
Password:xxxxxxxxxx
christophe@gentoo / $exit
```

Check that the new user's directory was created under /home:

```
# ls -l /home
total 0
drwxrwxr-t 2 root                 513 26 fév  2 13:21 COMMUN
drwx------ 3 dapremont.christophe 513 70 fév  2 13:23 dapremont.christophe
```

To delete a user together with their /home/xxx directory and their profile:

```
# smbldap-userdel -r dapremont.christophe
# rm -r /var/lib/samba/profiles/dapremont.christophe
```

Edit the file startup.cmd, which is run by every domain user at logon:

```
# nano -w /var/lib/samba/netlogon/startup.cmd

@ECHO OFF
TITLE STARTUP.CMD V0.5 du Samedi 16 Aout 2008 17h15
ECHO Variable envoyee par le serveur : Utilisateur= %1
ECHO Variable envoyee par le serveur : Nom du serveur= %2
ECHO .
ECHO Bonjour %USERNAME%
ECHO Vous etes connecte sur le serveur %2
ECHO controleur du domaine %USERDOMAIN%
ECHO Depuis le poste %COMPUTERNAME%
ECHO .
ECHO Connection au partage reseau COMMUN associe au lecteur X:
NET USE X: \\gentoo\COMMUN /PERSISTENT:NO
EXIT
```

Now a Windows PC must be joined to the domain.

Right-click the "My Computer" icon, choose "Properties", open the "Computer Name" (Network Identification) tab and click "Change". Under "Member of", select "Domain" and enter the domain name, here "HARDWORKERS". You will be prompted for an authorised user name and password: enter "root" with the password "mon_mot_de_passe". Click OK to close the window and reboot.

After the reboot, log on with your normal user, here "christophe" with the password xxxxxxxxxx; do not forget to select the domain HARDWORKERS rather than the local name of the PC, which is shown by default.

Under construction...

Last edited by christophe_y2k on Tue Jul 07, 2009 9:43 pm; edited 132 times in total
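As an added example (not code from the original post, nor from the OpenLDAP or smbldap-tools projects), here is how the {SSHA} values that slappasswd produces for rootpw, and that smbldap-tools writes into userPassword with hash_encrypt="SSHA", are built and checked: the stored value is base64(SHA-1(password || salt) || salt) with a 4-byte salt. The script also decodes the userPassword:: line of uid=root from the ldapsearch output above (ldapsearch base64-encodes the attribute because it begins with a brace) and splits it into its 20-byte digest and 4-byte salt. The function names and the sample password are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not from the original post: the {SSHA} scheme used by
# slappasswd ("password-hash {SSHA}", rootpw) and smbldap-tools
# (hash_encrypt="SSHA"): base64( SHA1(password + salt) + salt ).
SALT_LEN = 4        # slappasswd and smbldap-tools use a 4-byte salt
DIGEST_LEN = 20     # SHA-1 digest size


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an RFC 2307 style '{SSHA}...' string for password."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(value: str) -> Tuple[bytes, bytes]:
    """Split a '{SSHA}...' string into (digest, salt)."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("value too short to hold a digest and a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password: str, value: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest, salt = ssha_split(value)
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def ldif_userpassword(line: str) -> str:
    """Decode an LDIF 'userPassword:: <base64>' line as ldapsearch prints it."""
    attr, sep, b64 = line.partition(":: ")
    if attr != "userPassword" or not sep:
        raise ValueError("not a base64-encoded userPassword line")
    return base64.b64decode(b64).decode("ascii")


# The userPassword line of uid=root as shown in the ldapsearch output above.
ROOT_USERPASSWORD_LINE = (
    "userPassword:: e1NTSEF9dEhGNUlDUkR3aTJIUmxaQ2hUR0Nrc05KV3AxTUxtbDE="
)

if __name__ == "__main__":
    stored = ldif_userpassword(ROOT_USERPASSWORD_LINE)
    digest, salt = ssha_split(stored)
    print(stored, "digest bytes:", len(digest), "salt bytes:", len(salt))
    # "mon_mot_de_passe" is the placeholder password used in the post.
    h = ssha_hash("mon_mot_de_passe")
    print(h, ssha_verify("mon_mot_de_passe", h), ssha_verify("wrong", h))
```

Because the salt is random, two hashes of the same password differ; the only meaningful check is recomputing the digest with the stored salt, which is what slapd does on a simple bind against a {SSHA} userPassword or rootpw.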

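The three consumers of the directory in this tutorial (smb.conf's ldapsam backend, /etc/ldap.conf for nss_ldap and pam_ldap, and smbldap.conf) each carry their own copy of the OU layout, and nothing checks that they agree. The following added example (my own code, not part of the original post or of the Samba, nss_ldap or smbldap-tools projects) parses constructed samples of the three files and reports any disagreement. The sample /etc/ldap.conf deliberately contains the classic mistake, nss_base_group pointing at ou=Group while Samba and smbldap-tools use ou=Groups; on a live system that shows up as ls -l printing raw gids such as 513 instead of "Domain Users", and users who authenticate but have no group membership. The function names and the sample texts are assumptions of this example.

```python
import re
from typing import Dict, List, Set

# Added example, not part of the original post. The config texts below are
# constructed samples modelled on the tutorial's files; the nss_base_group
# line deliberately points at ou=Group instead of ou=Groups.
SMB_CONF = """
[global]
   ldap suffix = dc=cannet,dc=dyndns,dc=org
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
"""

NSS_LDAP_CONF = """
nss_base_passwd ou=Computers,dc=cannet,dc=dyndns,dc=org?sub
nss_base_passwd ou=Users,dc=cannet,dc=dyndns,dc=org?sub
nss_base_shadow ou=Users,dc=cannet,dc=dyndns,dc=org?sub
nss_base_group ou=Group,dc=cannet,dc=dyndns,dc=org?one
"""

SMBLDAP_CONF = """
suffix="dc=cannet,dc=dyndns,dc=org"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
"""


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: strip blanks, lower-case every RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def smb_bases(text: str) -> Dict[str, str]:
    """Full DNs that smb.conf's ldapsam backend will use for each object type."""
    opts = {}
    for m in re.finditer(r"^\s*(ldap(?: \w+)? suffix)\s*=\s*(.+?)\s*$", text, re.M):
        opts[m.group(1)] = m.group(2)
    suffix = opts["ldap suffix"]
    return {
        "users": norm_dn(opts["ldap user suffix"] + "," + suffix),
        "groups": norm_dn(opts["ldap group suffix"] + "," + suffix),
        "computers": norm_dn(opts["ldap machine suffix"] + "," + suffix),
    }


def nss_bases(text: str) -> Dict[str, Set[str]]:
    """Search bases from /etc/ldap.conf nss_base_* lines (the ?scope part dropped)."""
    bases: Dict[str, Set[str]] = {"passwd": set(), "shadow": set(), "group": set()}
    for m in re.finditer(r"^\s*nss_base_(passwd|shadow|group)\s+(\S+)", text, re.M):
        bases[m.group(1)].add(norm_dn(m.group(2).split("?")[0]))
    return bases


def smbldap_bases(text: str) -> Dict[str, str]:
    """DNs from smbldap.conf with ${suffix} expanded."""
    vals = dict(re.findall(r'^\s*(\w+)="([^"]*)"', text, re.M))
    suffix = vals["suffix"]
    expand = lambda v: norm_dn(v.replace("${suffix}", suffix))
    return {"users": expand(vals["usersdn"]),
            "groups": expand(vals["groupsdn"]),
            "computers": expand(vals["computersdn"])}


def find_mismatches(smb: Dict[str, str], nss: Dict[str, Set[str]],
                    smbldap: Dict[str, str]) -> List[str]:
    """One message per disagreement; an empty list means the layout is consistent."""
    problems = []
    for key in ("users", "groups", "computers"):
        if smb[key] != smbldap[key]:
            problems.append(f"smb.conf {key} base {smb[key]} != smbldap.conf {smbldap[key]}")
    # NSS must see users and machine accounts as passwd entries, users as
    # shadow entries and the Samba group OU as group entries.
    for key, nss_map in (("users", "passwd"), ("computers", "passwd"),
                         ("users", "shadow"), ("groups", "group")):
        if smb[key] not in nss[nss_map]:
            problems.append(f"nss_base_{nss_map} does not cover {smb[key]} "
                            f"(has {sorted(nss[nss_map])})")
    return problems


if __name__ == "__main__":
    for p in find_mismatches(smb_bases(SMB_CONF), nss_bases(NSS_LDAP_CONF),
                             smbldap_bases(SMBLDAP_CONF)):
        print("MISMATCH:", p)
```

On a real server the three texts would be read from /etc/samba/smb.conf, /etc/ldap.conf and /etc/smbldap-tools/smbldap.conf; running the check after every edit of one of them, and again after smbldap-populate, catches the layout drift before it turns into unexplained "no such group" failures.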
----------

## alex.blackbit

that's nice, but the article would be more useful if it had been written in english.

----------

## bunder

Moved from Networking & Security to Documentation, Tips & Tricks.

----------

## clauc

Hi Christophe,

I just created an account on this forum only to say THANK YOU for this excellent tutorial. Good work!

Claudiu

----------

## christophe_y2k

 :Wink: 

----------

## lelik

Hi Christophe,

Excellent tutorial. 

I have a few questions though. If you could answer them it will be very much appreciated.

1. When 

```
smbldap-populate
```

I got

```
failed to add entry: attribute 'sambaNextRid' not allowed at /usr/sbin/smbldap-populate line 499, <GEN1> line 235. 
```

I had to change smbldap-tools/smbldap.conf  to get rid of the error

Old line: 

```
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" 
```

New line:

```
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
```

Has the original sambaUnixIdPooldn worked for you?

2. I got really confused with your Linux and Windows domain names. My understanding is that your Linux domain is cannet.dyndns.org and your Windows domain is HARDWORKERS. Is this correct? Before I realized that, I made a few typing mistakes and had to wipe out all the entries I had made and repopulate the DBs.

```
killall -INT slapd; \
rm -r /var/lib/openldap-data/*; \
/usr/lib/openldap/slapd
```

Would you suggest a cleaner way of doing it? Have I cleaned all the entries? How can I check?

3. The last, but not the least is the most important question I have. 

I have a small network with a W2K server as a PDC and a few WinXP desktops as clients.

PDC is technically not the right name, as it refers to an NT server, but we all understand what it is. W2K AD domain controllers split up the master operations roles. Active Directory manages which domain controller (DC) has which master operations role. There are five master controller roles. By default, they are on the first domain controller in the domain.

I installed a new Gentoo machine following your guide with the intention of using it as a PDC (first domain controller and probably the only DC). The old W2K server is to be put offline as soon as I synchronize the global catalog and replicate the existing user profiles. How do I do that? I tried to google it, but all I got were ideas for the old NT domain.

Mostly, it was pretty straightforward though: put the PDC offline, hack registry entries making it a BDC, put it back online. But for W2K? Nothing.

Any tips? I am sure quite a few chaps will use your guide to transition an existing AD rather than creating a new network from scratch.

Merci, Merci et encore Merci

----------

## christophe_y2k

Sorry, but I need to sync my config files...

Look, I synced /etc/smbldap-tools/smbldap.conf; that certainly corrects smbldap-populate.

I remember I had the same problem as you...

And yes, I have a Samba workgroup name that is different from the Linux one.

I should specify that this config works now (with another domain name... cannet.dyndns.org is my home server but it is offline now, I need to replace my old HDD).

On the other working domain I have 120 Windows computers and 600 potential users (300 users who have connected one or more times).

It's OK with these config files.

I need to increase security (TLS, SSL... I need time).

In the next days (little time per day) I will complete this topic,

but I spent a lot of time these three weeks on this and I'm so, so tired.

I'll try to help you in the next days; now I need to go to sleep!!!

----------

## lelik

Will wait.

Prenez votre temps.

Merci et Bonne Chance.

----------

## steveL

This is an excellent post, and I've bookmarked and recommended it to others; it's now in our bot in #friendly-coders as !samba. Well done, Christophe and take as much time as you need to rest. You've done a great job :-)

----------

## lelik

Any tips on how to copy the current user accounts/profiles from the existing AD and tell the W2K that it is not a master anymore?

Thanks.

----------

## christophe_y2k

hello

I see this official topic for migration

http://samba.org/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html#id2655715

----------

## lelik

Thanks. It answered the first part of my question.

But still, how do I demote an existing W2K computer and promote a newly created Linux machine to be the master controller for the existing AD?

Thanks.

----------

## aiezue

merci beaucoup. nice post

----------

## adrs0061

thanks a lot for your hard work  :Very Happy: 

----------

