Build a Samba PDC with LDAP backend

General Information

Build a Samba PDC on FreeBSD with an LDAP backend. This will not let you authenticate SSH users; it is just a plain Samba domain controller for your Windows clients.


Shell access is assumed. You should perform the following as root.


First we are going to install all the required ports, so make sure your ports tree is up to date.

The name of the server is serv01

The domain name is doublel.local

So the FQDN is serv01.smbdomain.local

Thus my /etc/hosts file looks like this

 ::1          localhost localhost.smbdomain.local
 127.0.0.1    localhost localhost.smbdomain.local
 # replace <server-ip> with the address of the server's own network interface
 <server-ip>  serv01.smbdomain.local serv01 serv01.smbdomain.local.

We need to install the following ports:

  1. /net/openldap24-server
  2. /net/samba3 (should work with samba32-devel also)
  3. /net/nss_ldap
  4. /net/smbldap-tools

Openldap backend server

You can accept the default selected options

 # cd /usr/ports/net/openldap24-server
 # make install clean


 # cd /usr/ports/net/samba3
 # make install clean

Select the settings below

 Options for samba 3.0.32_1,1
 [X] LDAP          With LDAP support
 [X] ADS           With Active Directory support
 [X] CUPS          With CUPS printing support
 [X] WINBIND       With WinBIND support
 [X] ACL_SUPPORT   With ACL support
 [X] AIO_SUPPORT   With Asyncronous IO support
 [ ] FAM_SUPPORT   With File Alteration Monitor
 [X] SYSLOG        With Syslog support
 [X] QUOTAS        With Disk quota support
 [X] UTMP          With UTMP accounting support
 [ ] PAM_SMBPASS   With PAM authentication vs passdb backends
 [ ] CLUSTER       With experimental cluster support
 [ ] DNSUPDATE     With dynamic DNS update(require ADS)
 [ ] EXP_MODULES   With experimental modules
 [X] POPT          With system-wide POPT library
 [X] PCH           With precompiled headers optimization
 [ ] MAX_DEBUG     With maximum debugging
 [ ] SMBTORTURE    With smbtorture

Install nss_ldap

 # cd /usr/ports/net/nss_ldap/
 # make install clean

Install smbldap-tools

 # cd /usr/ports/net/smbldap-tools
 # make install clean


Prepare the openldap config file (/usr/local/etc/openldap/slapd.conf)

First we need to create a password hash for the OpenLDAP root DN (the Manager account)

 # slappasswd -s very-secure-password
 {SSHA}2pCGrVMhMh3cC+LakUXApebb9jwICf5e

Note: copy the output, you will need it in slapd.conf below. (If you omit -s, slappasswd prompts for the password instead of leaving it in your shell history and process list.)

Open the /usr/local/etc/openldap/slapd.conf file and make sure it looks like the following. Note that this file contains no access directives, so slapd applies its default policy of letting anyone read anything, and that includes the sambaLMPassword, sambaNTPassword and userPassword attributes Samba will store for every account; before exposing port 389 beyond this host, add an access directive that restricts those attributes to their owner and to authentication only.

 # vi /usr/local/etc/openldap/slapd.conf
 #
 # See slapd.conf(5) for details on configuration options.
 # This file should NOT be world readable.
 #
 include         /usr/local/etc/openldap/schema/core.schema
 include         /usr/local/etc/openldap/schema/cosine.schema
 include         /usr/local/etc/openldap/schema/inetorgperson.schema
 include         /usr/local/etc/openldap/schema/misc.schema
 include         /usr/local/etc/openldap/schema/nis.schema
 include         /usr/local/etc/openldap/schema/openldap.schema
 include         /usr/local/etc/openldap/schema/samba.schema

 loglevel        256
 pidfile         /var/run/openldap/
 argsfile        /var/run/openldap/slapd.args

 # Load dynamic backend modules:
 modulepath      /usr/local/libexec/openldap
 moduleload      back_bdb

 #######################################################################
 # BDB database definitions
 #######################################################################

 database        bdb
 suffix          "dc=smbdomain,dc=local"
 rootdn          "cn=Manager,dc=smbdomain,dc=local"
 #rootpw = very-secure-password
 rootpw          {SSHA}2pCGrVMhMh3cC+LakUXApebb9jwICf5e
 directory       /usr/local/var/db/openldap-data

 # Indices to maintain
 index objectClass               eq
 index cn                        pres,sub,eq
 index sn                        pres,sub,eq
 index uid                       pres,sub,eq
 index displayName               pres,sub,eq
 index uidNumber                 eq
 index gidNumber                 eq
 index memberUID                 eq
 index sambaSID                  eq
 index sambaPrimaryGroupSID      eq
 index sambaDomainName           eq
 index default                   sub

Now we need to create and copy some files. First, we create the database directory of OpenLDAP, in this case /usr/local/var/db/openldap-data. If you want another location, change the directory directive in the slapd.conf file. We also set the right permissions on the OpenLDAP directory and files, so that only the ldap user can read the database and only it can read slapd.conf (which holds the rootpw hash).

 # mkdir -p /usr/local/var/db/openldap-data
 # cp /usr/local/etc/openldap/DB_CONFIG.example /usr/local/var/db/openldap-data/DB_CONFIG
 # chown -R ldap:ldap /usr/local/var/db/openldap-data
 # chown -R ldap:ldap /usr/local/etc/openldap/
 # chmod -R 0700 /usr/local/var/db/openldap-data
 # chmod 0400 /usr/local/etc/openldap/slapd.conf

Also we need to copy the samba schema to the final directory.

 # cp /usr/local/share/examples/samba/LDAP/samba.schema /usr/local/etc/openldap/schema/ 

Then we want to make sure slapd logs to syslog. Add the following lines to the file /etc/syslog.conf

 # vi /etc/syslog.conf
 !slapd
 *.*                                             /var/log/slapd.log

Now we create the log file and restart the syslog daemon

 # touch /var/log/slapd.log
 # /etc/rc.d/syslogd restart


Make sure the file /usr/local/etc/nss_ldap.conf looks like the following

 # vi /usr/local/etc/nss_ldap.conf
 base dc=smbdomain,dc=local
 bind_policy soft
 bind_timelimit 10
 host localhost
 idle_timelimit 3600
 ldap_version 3
 nss_base_group ou=Groups,dc=smbdomain,dc=local?one
 nss_base_passwd ou=People,dc=smbdomain,dc=local?one
 nss_base_passwd ou=Computers,dc=smbdomain,dc=local?one
 nss_base_shadow ou=People,dc=smbdomain,dc=local?one
 nss_connect_policy persist
 nss_paged_results yes
 pagesize 1000
 port 389
 scope one
 timelimit 30

Now we link the file /usr/local/etc/nss_ldap.conf to /usr/local/etc/openldap/ldap.conf

 # rm -f /usr/local/etc/openldap/ldap.conf
 # ln -s /usr/local/etc/nss_ldap.conf /usr/local/etc/openldap/ldap.conf
 # ln -s /usr/local/etc/nss_ldap.conf /usr/local/etc/ldap.conf

To make sure the slapd daemon (the OpenLDAP server) starts at a reboot we need to edit the /etc/rc.conf file. The ldap:// listener binds to every interface; nothing in this guide needs LDAP from another host, so firewall port 389 or narrow the listener to the addresses the server itself uses.

 # cat >> /etc/rc.conf <<'EOF'
 #enable slapd
 slapd_enable="YES"
 slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://"'
 slapd_sockets="/var/run/openldap/ldapi"
 EOF

And we try to start it!

 # /usr/local/etc/rc.d/slapd start
 Starting slapd.
 # ps ax | grep slap
 11383  ??  Ss     0:00,01 /usr/local/libexec/slapd -h ldapi://%2fvar
 11385  p2  S+     0:00,00 grep slap


Edit the /etc/nsswitch.conf file and change the group: and passwd: lines from compat to files ldap. The file looks like this after editing

 group: files ldap
 group_compat: nis
 hosts: files dns
 networks: files
 passwd: files ldap
 passwd_compat: nis
 shells: files
 services: compat
 services_compat: nis
 protocols: files
 rpc: files


All my data (shares) and other Samba related files, like the user map, are in /usr/local/samba. So first we create that directory

 # mkdir /usr/local/samba 

We also create a user map file named usermap, which maps the Windows administrator account onto the Unix root account

 # vi /usr/local/samba/usermap
 root = administrator

To create the following /usr/local/etc/smb.conf file, you must remove or empty the original one. Make sure you replace fxp0 with your own network interface, or comment out the lines interfaces = and bind interfaces only =

 # rm /usr/local/etc/smb.conf
 # vi /usr/local/etc/smb.conf
 # Global parameters
 [global]
         workgroup = SMBDOMAIN
         server string = Samba Server
         netbios name = serv01
         hosts allow = 192.168.50. 127. 10.0.1.
         interfaces = fxp0, lo
         bind interfaces only = Yes

         # passwd backend
         encrypt passwords = yes
         passdb backend = ldapsam:ldap://serv01.smbdomain.local/
         enable privileges = yes
         pam password change = Yes
         passwd program = /usr/bin/passwd %u
         passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
         unix password sync = Yes

         # Log options
         log level = 1
         log file = /var/log/samba/%m
         max log size = 50
         syslog = 0

         # Name resolution
         name resolve order = wins bcast host

         # misc
         time server = Yes
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         use sendfile = yes
         veto files = /*.eml/*.nws/*.{*}/
         veto oplock files = /*.doc/*.xls/*.mdb/
         deadtime = 120

         # Dos-Attribute
         map hidden = No
         map system = No
         map archive = No
         map read only = No
         store dos attributes = Yes

         # printers - configured to use CUPS and automatically load them
         load printers = Yes
         printcap name = CUPS
         printing = cups
         cups options = Raw
         show add printer wizard = No

         # scripts invoked by samba
         add user script = /usr/local/sbin/smbldap-useradd -m %u
         delete user script = /usr/local/sbin/smbldap-userdel %u
         add group script = /usr/local/sbin/smbldap-groupadd -p %g
         delete group script = /usr/local/sbin/smbldap-groupdel %g
         add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
         delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
         set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u
         add machine script = /usr/local/sbin/smbldap-useradd -w %m

         # LDAP configuration
         ldap delete dn = Yes
         ldap ssl = off
         ldap passwd sync = Yes
         ldap suffix = dc=smbdomain,dc=local
         ldap machine suffix = ou=Computers
         ldap user suffix = ou=People
         ldap group suffix = ou=Groups
         ldap idmap suffix = ou=Idmap
         ldap admin dn = cn=Manager,dc=smbdomain,dc=local
         idmap backend = ldap:ldap://serv01.smbdomain.local
         idmap uid = 10000-20000
         idmap gid = 10000-20000

         # logon options
         logon script = logon.bat
         logon path = \\%L\profiles\%u
         logon path =
         logon home = \\%L\%U
         logon drive = H:

         # setting up as domain controller
         username map = /usr/local/samba/usermap
         preferred master = Yes
         wins support = Yes
         domain logons = Yes
         domain master = Yes
         local master = Yes
         os level = 64
         map acl inherit = Yes
         unix charset = UTF8

 #============================ Share Definitions ==============================
 [netlogon]
         comment = Network Logon Service
         path = /usr/local/samba/netlogon
         guest ok = yes
         locking = no

 [homes]
         comment = Home Directories
         valid users = %S
         read only = No
         browseable = No

 [Profiles]
         comment = Network Profiles Service
         path = /usr/local/samba/profiles
         read only = No
         profile acls = Yes
         hide files = /desktop.ini/ntuser.ini/NTUSER.*/

 [printers]
         comment = All Printers
         path = /var/spool/samba
         browseable = No
         guest ok = Yes
         printable = Yes
         use client driver = Yes
         default devmode = Yes

 [print$]
         comment = Printer Drivers
         path = /usr/local/samba/printer-drivers
         browseable = yes
         guest ok = no
         read only = yes
         write list = root

 [data]
         comment = Data Directory
         path = /usr/local/samba/data
         write list = @smbdomain
         read only = No
         create mask = 0777
         directory mask = 0777
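The slapd.conf above sets no access directives, and the smb.conf above binds to LDAP over plain ldap:// with ldap ssl = off. The following Python audit is an added example (my code, not the guide's or Samba's; the config text inside it is constructed from the files above, and it assumes Samba 3's default of ldap ssl = start tls when the parameter is absent) that flags both and carries the slapd ACL that closes the first.

```python
"""Audit the configs this guide writes (added example with constructed
samples, not the guide's own tooling). The guide's slapd.conf has no
"access to" directives, so slapd's default (access to * by * read) lets
anonymous clients read sambaNTPassword, sambaLMPassword and userPassword;
its smb.conf also reaches LDAP over ldap:// with "ldap ssl = off"."""
import configparser
import re

HASH_ATTRS = ("userpassword", "sambalmpassword", "sambantpassword")

# Constructed ACL for the bdb section (after the "directory" line). The rootdn
# bypasses ACLs, so Samba's "ldap admin dn" keeps full access; "auth" lets
# users bind; nss_ldap's anonymous lookups still read non-secret attributes.
HARDENED_SLAPD_ACL = """\
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by * read
"""

# Constructed excerpt of the guide's smb.conf (indented like the real file).
GUIDE_SMB_CONF = """\
[global]
    workgroup = SMBDOMAIN
    passdb backend = ldapsam:ldap://serv01.smbdomain.local/
    ldap ssl = off
    passwd program = /usr/bin/passwd %u
[data]
    path = /usr/local/samba/data
    create mask = 0777
    directory mask = 0777
"""

def unprotected_hash_attrs(slapd_conf):
    """Password attributes that no 'access to attrs=' directive names."""
    covered = set()
    for m in re.finditer(r"^\s*access\s+to\s+attrs=([\w,]+)", slapd_conf, re.I | re.M):
        covered.update(a.lower() for a in m.group(1).split(","))
    return [a for a in HASH_ATTRS if a not in covered]

def smb_conf_findings(text):
    """Security findings for an ldapsam smb.conf; an empty list is clean."""
    # Samba ignores case/whitespace in parameter names and lets a repeated
    # parameter win (strict=False); interpolation=None keeps %u substitutions.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = lambda key: " ".join(key.lower().split())
    cp.read_string(text)
    g, out = cp["global"], []
    backend = g.get("passdb backend", "")
    if "ldap://" in backend and g.get("ldap ssl", "start tls").strip().lower() == "off":
        out.append("ldap ssl = off with ldap://: the admin bind and password hashes "
                   "cross the socket in clear; use ldapi:// locally or start tls")
    for sec in cp.sections():
        for key in ("create mask", "directory mask"):
            if sec != "global" and cp[sec].get(key, "").strip().endswith("777"):
                out.append(f"[{sec}] {key} = 0777 makes new files world-writable")
    return out
```

Run it against the real files with `open("/usr/local/etc/openldap/slapd.conf").read()` and `open("/usr/local/etc/smb.conf").read()` after the guide's edits; the guide's own configs produce all three unprotected attributes and three findings.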

Create the following directories under /usr/local/samba: netlogon, profiles, printer-drivers and the data share, and give them proper permissions. (Mode 1777 instead of 777 on profiles adds the sticky bit, so users cannot remove each other's profile directories.)

 # mkdir /usr/local/samba/netlogon
 # mkdir /usr/local/samba/profiles
 # mkdir /usr/local/samba/printer-drivers
 # mkdir /usr/local/samba/data
 # chmod 777 /usr/local/samba/profiles

Check the smb.conf file by doing a testparm

 # testparm /usr/local/etc/smb.conf 

You should see the following without errors

 Load smb config files from /usr/local/etc/smb.conf
 Processing section "[netlogon]"
 Processing section "[homes]"
 Processing section "[Profiles]"
 Processing section "[printers]"
 Processing section "[print$]"
 Processing section "[data]"
 Loaded services file OK.
 Server role: ROLE_DOMAIN_PDC
 Press enter to see a dump of your service definitions

We need to store the password of the LDAP admin DN in Samba's secrets.tdb file. First we stop the OpenLDAP server (it also has to be stopped later, when we import the data)

 # /usr/local/etc/rc.d/slapd stop
 Stopping slapd.
 Waiting for PIDS: 49851.
 #
 # smbpasswd -w very-secure-password
 Setting stored password for "cn=Manager,dc=smbdomain,dc=local" in secrets.tdb

Make sure samba can start and will restart after a reboot

 # cat >> /etc/rc.conf <<'EOF'
 #enable Samba
 nmbd_enable="YES"
 smbd_enable="YES"
 winbindd_enable="YES"
 cupsd_enable="YES"
 EOF

Now we start samba

 # /usr/local/etc/rc.d/samba start
 Removing stale Samba tdb files: ....... done
 Starting nmbd.
 Starting smbd.
 Starting winbindd.

Test if samba has started.

 # ps -ax | grep mbd
 1093  ??  Ss     0:00.03 /usr/local/sbin/nmbd -D -s /usr/local/etc/smb.conf
 1095  ??  I      0:00.00 /usr/local/sbin/nmbd -D -s /usr/local/etc/smb.conf
 1100  ??  Ss     0:00.01 /usr/local/sbin/smbd -D -s /usr/local/etc/smb.conf

To make sure Samba starts only after the LDAP server, we need to edit the Samba startup script: add slapd after cupsd on the second line starting with # REQUIRE:

 # vi /usr/local/etc/rc.d/samba
 # PROVIDE: nmbd smbd
 # PROVIDE: winbindd
 # REQUIRE: NETWORKING SERVERS DAEMON ldconfig resolv
 # REQUIRE: cupsd slapd
 # BEFORE: LOGIN
 # KEYWORD: shutdown


Now run the smbldap-tools configuration script from /usr/local/share/examples/smbldap-tools/; it asks a few questions. In the session below I put [HIT ENTER] after the lines that need no change and [<--- NEEDS CHANGE] after the others.

After the question "ldap tls support (1/0) [0]" there is a short pause: the script now retrieves the domain SID, which can take a few seconds.

 # /usr/local/share/examples/smbldap-tools/
 Use of $# is deprecated at /usr/local/share/examples/smbldap-tools/ line 314.
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
        smbldap-tools script configuration
        -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Before starting, check
  . if your samba controller is up and running.
  . if the domain SID is defined (you can get it with the 'net getlocalsid')
  . you can leave the configuration using the Crtl-c key combination
  . empty value can be set with the "." character
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Looking for configuration files...

 Samba Configuration File Path [/usr/local/etc/smb.conf] [HIT ENTER]

 The default directory in which the smbldap configuration files are stored is shown.
 If you need to change this, enter the full directory path, then press enter to continue.
 Smbldap-tools Configuration Directory Path [/etc/opt/IDEALX/smbldap-tools/] /usr/local/etc/smbldap-tools [<--- NEEDS CHANGE]
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Let's start configuring the smbldap-tools scripts ...

 . workgroup name: name of the domain Samba act as a PDC
   workgroup name [smbdomain] [HIT ENTER]
 . netbios name: netbios name of the samba controler
   netbios name [serv01] [HIT ENTER]
 . logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
   logon drive [H:] [HIT ENTER]
 . logon home: home directory location (for Win95/98 or NT Workstation).
   (use %U as username) Ex:'\\serv01\%U'
   logon home (press the "." character if you don't want homeDirectory) [\\%L\%U] [HIT ENTER]
 . logon path: directory where roaming profiles are stored. Ex:'\\serv01\profiles\%U'
   logon path (press the "." character if you don't want roaming profile) [\\serv01\profiles\%U] [HIT ENTER]
 . home directory prefix (use %U as username) [/home/%U] [HIT ENTER]
 . default users' homeDirectory mode [700] [HIT ENTER]
 . default user netlogon script (use %U as username) [logon.bat] [HIT ENTER]
   default password validation time (time in days) [45] 100000 [<--- NEEDS CHANGE]
 . ldap suffix [dc=smbdomain,dc=local] [HIT ENTER]
 . ldap group suffix [ou=Groups] [HIT ENTER]
 . ldap user suffix [ou=People] [HIT ENTER]
 . ldap machine suffix [ou=Computers] [HIT ENTER]
 . Idmap suffix [ou=Idmap] [HIT ENTER]
 . sambaUnixIdPooldn: object where you want to store the next uidNumber
   and gidNumber available for new users and groups
   sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=smbdomain] [HIT ENTER]
 . ldap master server: IP adress or DNS name of the master (writable) ldap server
   ldap master server [serv01.smbdomain.local] [HIT ENTER]
 . ldap master port [389] [HIT ENTER]
 . ldap master bind dn [cn=Manager,dc=smbdomain,dc=local] [HIT ENTER]
 . ldap master bind password [] very-secure-password [<--- NEEDS CHANGE]
 . ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
   ldap slave server [serv01.smbdomain.local] [HIT ENTER]
 . ldap slave port [389] [HIT ENTER]
 . ldap slave bind dn [cn=Manager,dc=smbdomain,dc=local] [HIT ENTER]
 . ldap slave bind password [] very-secure-password [<--- NEEDS CHANGE]
 . ldap tls support (1/0) [0] [HIT ENTER]
 . SID for domain smbdomain: SID of the domain (can be obtained with 'net getlocalsid serv01')
   SID for domain smbdomain [S-1-5-21-2609998211-36760486-3473504348] [HIT ENTER]
 . unix password encryption: encryption used for unix passwords
   unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] [HIT ENTER]
 . default user gidNumber [513] [HIT ENTER]
 . default computer gidNumber [515] [HIT ENTER]
 . default login shell [/bin/sh] [HIT ENTER]
 . default skeleton directory [/etc/skel] [HIT ENTER]
 . default domain name to append to mail adress [] [HIT ENTER]
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Use of uninitialized value in concatenation (.) or string at /usr/local/share/examples/smbldap-tools/ line 314,
 /usr/local/etc/smbldap-tools/smbldap.conf.old
 /usr/local/etc/smbldap-tools/smbldap_bind.conf->/usr/local/etc/smbldap-tools/smbldap_bind.conf.old
 writing new configuration file:
 /usr/local/etc/smbldap-tools/smbldap.conf done.
 /usr/local/etc/smbldap-tools/smbldap_bind.conf done.

Now we start the LDAP server again. Before you do, check that /usr/local/etc/smbldap-tools/smbldap_bind.conf, which holds the Manager password in clear text, is owned by root and readable by root only.

 # /usr/local/etc/rc.d/slapd start 

And we populate the database

 # smbldap-populate -u 10000 -g 10000 -r 10000
 Populating LDAP directory for domain smbdomain (S-1-5-21-2609998211-36760486-3473504348)
 (using builtin directory structure)

 adding new entry: dc=smbdomain,dc=local
 adding new entry: ou=People,dc=smbdomain,dc=local
 adding new entry: ou=Groups,dc=smbdomain,dc=local
 adding new entry: ou=Computers,dc=smbdomain,dc=local
 adding new entry: ou=Idmap,dc=smbdomain,dc=local
 adding new entry: uid=root,ou=People,dc=smbdomain,dc=local
 adding new entry: uid=nobody,ou=People,dc=smbdomain,dc=local
 adding new entry: cn=Domain Admins,ou=Groups,dc=smbdomain,dc=local
 adding new entry: cn=Domain Users,ou=Groups,dc=smbdomain,dc=local
 adding new entry: cn=Domain Guests,ou=Groups,dc=smbdomain,dc=local
 adding new entry: cn=Domain Computers,ou=Groups,dc=smbdomain,dc=local
 adding new entry: cn=Administrators,ou=Groups,dc=smbdomain,dc=local
 adding new entry: cn=Account Operators,ou=Groups,dc=smbdomain,dc=local
 adding new entry: cn=Print Operators,ou=Groups,dc=smbdomain,dc=local
 adding new entry: cn=Backup Operators,ou=Groups,dc=smbdomain,dc=local
 adding new entry: cn=Replicators,ou=Groups,dc=smbdomain,dc=local
 adding new entry: sambaDomainName=smbdomain,dc=smbdomain,dc=local

 Please provide a password for the domain root:
 Changing UNIX and samba passwords for root
 New password:
 Retype new password:

The password can be any password and does not have to be the LDAP password (very-secure-password). It is the root (administrator) password for the Samba domain. Now we join the server to its own domain so that winbind can work:

 # net rpc join -S serv01 -Uroot
 password:
 joined domain smbdomain

For the administration of the server you can use USERMGR.exe from Microsoft.

