General Information
Build a Samba PDC on FreeBSD with a ldap backend. This will not let you authenticate ssh users just a plain samba server for your windows clients.
Requirements
Shell access is assumed. You should perform the following as root.
Installation
First we going to install all the required ports so make sure your ports tree is up to date.
The name of the server is serv01
The domain name is doublel.local
So the FQDN is serv01.smbdomain.local
Thus my /etc/hosts file looks like this
::1 localhost localhost.smbdomain.local 127.0.0.1 localhost localhost.smbdomain.local 192.168.50.195 serv01.smbdomain.local serv01 192.168.50.195 serv01.smbdomain.local.
We need to install the following ports:
- /net/openldap24-server
- /net/samba3 (should work with samba32-devel also)
- /net/nss_ldap
- /net/smbldap-tools
Openldap backend server
You can accept the default selected options
# cd /usr/ports/net/openldap24-server # make install clean
Samba
# cd /usr/ports/net/samba3 # make install clean
Select the setting below
+--------------------------------------------------------------------+ | Options for samba 3.0.32_1,1 | | +----------------------------------------------------------------+ | | | [X] LDAP With LDAP support | | | | [X] ADS With Active Directory support | | | | [X] CUPS With CUPS printing support | | | | [X] WINBIND With WinBIND support | | | | [X] ACL_SUPPORT With ACL support | | | | [X] AIO_SUPPORT With Asyncronous IO support | | | | [ ] FAM_SUPPORT With File Alteration Monitor | | | | [X] SYSLOG With Syslog support | | | | [X] QUOTAS With Disk quota support | | | | [X] UTMP With UTMP accounting support | | | | [ ] PAM_SMBPASS With PAM authentication vs passdb backends | | | | [ ] CLUSTER With experimental cluster support | | | | [ ] DNSUPDATE With dynamic DNS update(require ADS) | | | | [ ] EXP_MODULES With experimental modules | | | | [X] POPT With system-wide POPT library | | | | [X] PCH With precompiled headers optimization | | | | [ ] MAX_DEBUG With maximum debugging | | | | [ ] SMBTORTURE With smbtorture | | +-+----------------------------------------------------------------+-+ | [ OK ] Cancel | +--------------------------------------------------------------------+
Install nss_ldap
# cd /usr/ports/net/nss_ldap/ # make install clean
Install smbldap-tools
# cd /usr/ports/net/smbldap-tools # make install clean
Configuration
Prepare the openldap config file (/usr/local/etc/openldap/slapd.conf)
First we need to create a password for the openldap server
# slappasswd -s very-secure-password
{SSHA}2pCGrVMhMh3cC+LakUXApebb9jwICf5e
Note: Copy the output!!
Open the /usr/local/etc/openldap/slapd.conf file and make sure it looks like the following
# vi /usr/local/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/samba.schema
loglevel 256
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=smbdomain,dc=local"
rootdn "cn=Manager,dc=smbdomain,dc=local"
#rootpw = very-secure-password
rootpw {SSHA}2pCGrVMhMh3cC+LakUXApebb9jwICf5e
directory /usr/local/var/db/openldap-data
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
Now we need to create and copy some files. First, we want to create the database dir of openldap. In this case this is /usr/local/var/db/openldap-data. If you want another location change the directory directive in the slapd.conf file. Also we set the right permissions on the directory and files of openldap.
# mkdir -p /usr/local/var/db/openldap-data # cp /usr/local/etc/openldap/DB_CONFIG.example /usr/local/var/db/openldap-data/DB_CONFIG # chown -R ldap:ldap /usr/local/var/db/openldap-data # chown -R ldap:ldap /usr/local/etc/openldap/ # chmod -R 0700 /usr/local/var/db/openldap-data # chmod 0400 /usr/local/etc/openldap/slapd.conf
Also we need to copy the samba schema to the final directory.
# cp /usr/local/share/examples/samba/LDAP/samba.schema /usr/local/etc/openldap/schema/
Then we want to make sure slapd logs to syslog. Add the lines to the file /etc/syslog.conf
# vi /etc/syslog.conf !slapd *.* /var/log/slapd.log
Now we create the log file and restart the syslog deamon
# touch /var/log/slapd.log # /etc/rc.d/syslogd restart
nss_ldap.conf
Make sure the file /usr/local/etc/nss_ldap.conf looks like the following
# vi /usr/local/etc/nss_ldap.conf base dc=smbdomain,dc=local bind_policy soft bind_timelimit 10 host localhost idle_timelimit 3600 ldap_version 3 nss_base_group ou=Groups,dc=smbdomain,dc=local?one nss_base_passwd ou=People,dc=smbdomain,dc=local?one nss_base_passwd ou=Computers,dc=smbdomain,dc=local?one nss_base_shadow ou=People,dc=smbdomain,dc=local?one nss_connect_policy persist nss_paged_results yes pagesize 1000 port 389 scope one timelimit 30
Now we link the file /usr/local/etc/nss_ldap.conf to /usr/local/etc/openldap/ldap.conf
# rm -/usr/local/etc/openldap/ldap.conf # ln -s /usr/local/etc/nss_ldap.conf /usr/local/etc/openldap/ldap.conf # ln -s /usr/local/etc/nss_ldap.conf /usr/local/etc/ldap.conf
To make sure the slapd deamon (the openldap server) starts at a reboot we need to edit the /etc/rc.conf file.
# echo "#enable slapd" >>/etc/rc.conf # echo slapd_enable=\"YES\" >>/etc/rc.conf # echo slapd_flags='-h \"ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/ ldap://127.0.0.1/\"' >>/etc/rc.conf # echo slapd_sockets=\"/var/run/openldap/ldapi\" >>/etc/rc.conf
And we try to start it!
# /usr/local/etc/rc.d/slapd start Starting slapd. # ps ax | grep slap 11383 ?? Ss 0:00,01 /usr/local/libexec/slapd -h ldapi://%2fvar 11385 p2 S+ 0:00,00 grep slap
/etc/nsswitch.conf
Edit the /etc/nsswitch file and make sure to edit the group: and passwd: line, so change compat to files ldap. The file looks like this after editing
group: files ldap group_compat: nis hosts: files dns networks: files passwd: files ldap passwd_compat: nis shells: files services: compat services_compat: nis protocols: files rpc: files
Samba
All my data (shares) and other samba related files like username are in /usr/local/samba. So first we create that dir
# mkdir /usr/local/samba
We also create a usermap file named usermap
# vi /usr/local/samba/usermap root = administrator
To create the following /usr/local/etc/smb.conf file, you must remove or empty the original one. Make sure you replace fxp0 for your own network interface, or comment out the line interfaces = and bind interfaces only =
# rm /usr/local/etc/smb.conf
# vi /usr/local/etc/smb.conf
# Global parameters
[global]
workgroup = SMBDOMAIN
server string = Samba Server
netbios name = serv01
hosts allow = 192.168.50. 127. 10.0.1.
interfaces = fxp0, lo
bind interfaces only = Yes
# passwd backend
encrypt passwords = yes
passdb backend = ldapsam:ldap://serv01.smbdomain.local/
enable privileges = yes
pam password change= Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %nn *ReType*new*UNIX*password* %nn * passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
# Log options
log level = 1
log file = /var/log/samba/%m
max log size = 50
syslog = 0
# Name resolution
name resolve order = wins bcast host
# misc
timeserver = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
use sendfile = yes
veto files = /*.eml/*.nws/*.{*}/
veto oplock files = /*.doc/*.xls/*.mdb/
deadtime = 120
# Dos-Attribute
map hidden = No
map system = No
map archive = No
map read only = No
store dos attributes = Yes
# printers - configured to use CUPS and automatically load them
load printers = Yes
printcap name = CUPS
printing = cups
cups options = Raw
show add printer wizard = No
# scripts invoked by samba
add user script = /usr/local/sbin/smbldap-useradd -m %u
delete user script = /usr/local/sbin/smbldap-userdel %u
add group script = /usr/local/sbin/smbldap-groupadd -p %g
delete group script = /usr/local/sbin/smbldap-groupdel %g
add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u
> add machine script = /usr/local/sbin/smbldap-useradd -w %m
# LDAP-iConfiguration
ldap delete dn = Yes
ldap ssl = off
ldap passwd sync = Yes
ldap suffix = dc=smbdomain,dc=local
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=smbdomain,dc=local
idmap backend = ldap:ldap://serv01.smbdomain.local
idmap uid = 10000-20000
idmap gid = 10000-20000
# logon options
logon script = logon.bat
logon path = \%Lprofiles%u
logon path =
logon home = \%L%U
logon drive = H:
# setting up as domain controller
username map = /usr/local/samba/usermap
preferred master = Yes
wins support = Yes
domain logons = Yes
domain master = Yes
local master = Yes
os level = 64
map acl inherit = Yes
unix charset = UTF8
#============================ Share Definitions ==============================
[netlogon]
comment = Network Logon Service
path = /usr/local/etc/samba/netlogon
guest ok = yes
locking = no
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[Profiles]
comment = Network Profiles Service
path = /usr/local/etc/samba/profiles
read only = No
profile acls = yes
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
profile acls = Yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = No
guest ok = Yes
printable = Yes
use client driver = Yes
default devmode = Yes
[print$]
comment = Printer Drivers
path = /usr/local/samba/printer-drivers
browseable = yes
guest ok = no
read only = yes
write list = root
[data]
comment = Data Directory
path = /home/data
write list = @smbdomain
read only = No
create mask = 0777
directory mask = 0777
Create the following directories: netlogon, profiles, printer-drivers and the share data, and give them proper permissions.
# mkdir /usr/local/samba/netlogon # mkdir /usr/local/samba/profiles # mkdir /usr/local/samba/printer-drivers # mkdir /usr/local/samba/data # chmod 777 /usr/local/samba/profiles
Check the smb.conf file by doing a testparm
# testparm /usr/local/etc/smb.conf
You should see the following without errors
Load smb config files from /usr/local/etc/smb.conf Processing section "[netlogon]" Processing section "[homes]" Processing section "[Profiles]" Processing section "[printers]" Processing section "[print$]" Processing section "[data]" Loaded services file OK. Server role: ROLE_DOMAIN_PDC Press enter to see a dump of your service definitions
We need to store the password from the ldap server in the secret.tdb file of samba. First we stop the openldap server(also for later when we import the data)
# /usr/local/etc/rc.d/slapd stop Stopping slapd. Waiting for PIDS: 49851. # # smbpasswd ñw very-secure-password Setting stored password for "cn=Manager,dc=smbdomain,dc=local" in secrets.tdb
Make sure samba can start and will restart after a reboot
# echo "#enable Samba" >>/etc/rc.conf # echo nmbd_enable="YES" >>/etc/rc.conf # echo smbd_enable="YES" >>/etc/rc.conf # echo winbindd_enable="YES" >>/etc/rc.conf # echo cupsd_enable="YES" >>/etc/rc.conf
Now we start samba
# /usr/local/etc/rc.d/samba start Removing stale Samba tdb files: ....... done Starting nmbd. Starting smbd. Starting winbindd.
Test if samba has started.
# ps -ax | grep mdb 1093 ?? Ss 0:00.03 /usr/local/sbin/nmbd -D -s /usr/local/etc/smb.conf 1095 ?? I 0:00.00 /usr/local/sbin/nmbd -D -s /usr/local/etc/smb.conf 1100 ?? Ss 0:00.01 /usr/local/sbin/smbd -D -s /usr/local/etc/smb.conf
To make sure samba starts after the ldap server starts we need to edit the startup scrpit of samba. So we put slapd after cupsd at the second line starting with # REQUIRE:
# vi /usr/local/etc/rc.d/samba PROVIDE: nmbd smbd PROVIDE: winbindd REQUIRE: NETWORKING SERVERS DAEMON ldconfig resolv REQUIRE: cupsd slapd BEFORE: LOGIN KEYWORD: shutdown
smbldap-tools
If you run the script you must answer a few questions. I put [HIT ENTER] after the lines that need no change, behind the others I put [<--- NEEDS CHANGE]
After the question ldap tls support (1/0) [0] there is a little timeout, now the script try’s to get the SID and this can take a few seconds!
# /usr/local/share/examples/smbldap-tools/configure.pl
Use of $# is deprecated at /usr/local/share/examples/smbldap-tools/configure.pl line 314.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
smbldap-tools script configuration
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
. if your samba controller is up and running.
. if the domain SID is defined (you can get it with the 'net getlocalsid')
. you can leave the configuration using the Crtl-c key combination
. empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...
Samba Configuration File Path [/usr/local/etc/smb.conf] [HIT ENTER]
The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/opt/IDEALX/smbldap-tools/] /usr/local/etc/smbldap-tools [<--- NEEDS CHANGE]
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...
. workgroup name: name of the domain Samba act as a PDC
workgroup name [smbdomain] [HIT ENTER]
. netbios name: netbios name of the samba controler
netbios name [serv01] [HIT ENTER]
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
logon drive [H:] [HIT ENTER]
. logon home: home directory location (for Win95/98 or NT Workstation).
(use %U as username) Ex:'\serv01%U'
logon home (press the "." character if you don't want homeDirectory) [\%L%U] [HIT ENTER]
. logon path: directory where roaming profiles are stored. Ex:'\serv01profiles%U'
logon path (press the "." character if you don't want roaming profile) [\serv01profiles%U] [HIT ENTER]
. home directory prefix (use %U as username) [/home/%U] [HIT ENTER]
. default users' homeDirectory mode [700] [HIT ENTER]
. default user netlogon script (use %U as username) [logon.bat] [HIT ENTER]
default password validation time (time in days) [45] 100000 [<--- NEEDS CHANGE]
. ldap suffix [dc=smbdomain,dc=local] [HIT ENTER]
. ldap group suffix [ou=Groups] [HIT ENTER]
. ldap user suffix [ou=People] [HIT ENTER]
. ldap machine suffix [ou=Computers] [HIT ENTER]
. Idmap suffix [ou=Idmap] [HIT ENTER]
. sambaUnixIdPooldn: object where you want to store the next uidNumber
and gidNumber available for new users and groups
sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=smbdomain] [HIT ENTER]
. ldap master server: IP adress or DNS name of the master (writable) ldap server
ldap master server [serv01.smbdomain.local] [HIT ENTER]
. ldap master port [389] [HIT ENTER]
. ldap master bind dn [cn=Manager,dc=smbdomain,dc=local] [HIT ENTER]
ldap master bind password [] very-secure-password
. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
ldap slave server [serv01.smbdomain.local] [HIT ENTER]
. ldap slave port [389] [HIT ENTER]
. ldap slave bind dn [cn=Manager,dc=smbdomain,dc=local] [HIT ENTER]
. ldap slave bind password [] very-secure-password
. ldap tls support (1/0) [0] [HIT ENTER]
. SID for domain smbdomain: SID of the domain (can be obtained with 'net getlocalsid serv01')
SID for domain smbdomain [S-1-5-21-2609998211-36760486-3473504348] [HIT ENTER]
. unix password encryption: encryption used for unix passwords
unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] [HIT ENTER]
. default user gidNumber [513] [HIT ENTER]
. default computer gidNumber [515] [HIT ENTER]
. default login shell [/bin/sh] [HIT ENTER]
. default skeleton directory [/etc/skel] [HIT ENTER]
. default domain name to append to mail adress [] [HIT ENTER]
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Use of uninitialized value in concatenation (.) or string at /usr/local/share/examples/smbldap-tools/configure.pl line 314, /usr/local/etc/smbldap-tools/smbldap.conf.old
/usr/local/etc/smbldap-tools/smbldap_bind.conf->/usr/local/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
/usr/local/etc/smbldap-tools/smbldap.conf done.
/usr/local/etc/smbldap-tools/smbldap_bind.conf done.
Now we start the ldap server again
# /usr/local/etc/rc.d/slapd start
And we populate the database
# smbldap-populate -u 10000 -g 10000 -r 10000 Populating LDAP directory for domain smbdomain (S-1-5-21-2609998211-36760486-3473504348) (using builtin directory structure) adding new entry: dc=smbdomain,dc=local adding new entry: ou=People,dc=smbdomain,dc=local adding new entry: ou=Groups,dc=smbdomain,dc=local adding new entry: ou=Computers,dc=smbdomain,dc=local adding new entry: ou=Idmap,dc=smbdomain,dc=local adding new entry: uid=root,ou=People,dc=smbdomain,dc=local adding new entry: uid=nobody,ou=People,dc=smbdomain,dc=local adding new entry: cn=Domain Admins,ou=Groups,dc=smbdomain,dc=local adding new entry: cn=Domain Users,ou=Groups,dc=smbdomain,dc=local adding new entry: cn=Domain Guests,ou=Groups,dc=smbdomain,dc=local adding new entry: cn=Domain Computers,ou=Groups,dc=smbdomain,dc=local adding new entry: cn=Administrators,ou=Groups,dc=smbdomain,dc=local adding new entry: cn=Account Operators,ou=Groups,dc=smbdomain,dc=local adding new entry: cn=Print Operators,ou=Groups,dc=smbdomain,dc=local adding new entry: cn=Backup Operators,ou=Groups,dc=smbdomain,dc=local adding new entry: cn=Replicators,ou=Groups,dc=smbdomain,dc=local adding new entry: sambaDomainName=smbdomain,dc=smbdomain,dc=local Please provide a password for the domain root: Changing UNIX and samba passwords for root New password: Retype new password:
The password can be any password and does not have to be the ldap password ( very-secure-password). It is the root (administrator) password for samba. Now we need to configure winbind:
# net rpc join -S serv01 -Uroot password: joined domain smbdomain
For the administration of the server you can use USERMGR.exe from Microsoft. That is it!