A lot of this is taken from http://wiki.makethemove.net/index.php?title=LDAP-Samba
Samba will serve three main purposes:
- Act as a Primary Domain Controller for Windows clients
- Serve the network printers to Windows clients
- Serve files to Windows and Linux clients
To act as a primary domain controller, Samba needs to access LDAP as the central authentication database.
Install Samba
yum install samba nscd
Load the Samba schema file into LDAP on the LDAP server.
It is located at /usr/share/doc/samba-3.0.28/LDAP/samba.schema on the Samba server.
Configure LDAP for Samba
We need to create the default organisational units for Samba, so log into phpldapadmin (assumed already installed), expand the root node and then click on:
Create new entry here
Select Organisational Unit and click Proceed.
Enter the information:
Organisational Unit -> users
and click Proceed
- NOTE: If Proceed is still greyed out, hit the ‘Tab’ key.
Now select Create Object to finally create it.
Repeat these three steps to create another two organisational units called:
groups
and
machines
Configure Samba for LDAP
To tell Samba to use LDAP database back end:
Stop Samba:
service samba stop
Open up /etc/samba/smb.conf and search for:
passdb backend = tdbsam
Delete that line and replace with:
passdb backend = ldapsam:ldap://[IP address of LDAP server]
ldap suffix = dc=simonandkate,dc=lan
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap admin dn = cn=Manager,dc=simonandkate,dc=lan
ldap delete dn = no
Samba has now been told to use LDAP. Now we need to tell Samba to act as a primary domain controller.
Still in the /etc/samba/smb.conf file, ensure that the following are set:
wins support = yes
name resolve order = lmhosts host wins bcast
security = user
domain logons = yes
domain master = auto
Add the following items (you should check to make sure they are not already there):
ldap password sync = yes
enable privileges = yes
preferred master = auto
local master = yes
This tells Samba to act as the primary domain controller for the network.
Now we need to ensure other components of running a primary domain controller exist, such as the profiles shares and logon paths.
Ensure that the following are set (make sure the paths are exactly as specified):
logon path = \\%N\profiles
logon drive = H:
logon home = \\%N\%U\data
logon script = logon.bat
The value %N is the NetBIOS name of the server and %U is the Windows username, so the logon path points at the profiles share on the server. As you will see shortly, that share is actually a directory called profiles under each user’s home location (and thus unique for each user). Similarly, H:\ will be automatically mapped to the data directory in the user’s home location. Later we will make sure that these folders exist on the server.
- NOTE: If you want to give users individual logon scripts you can do so by changing logon script to:
logon script = %S.bat
Next, make sure that the Samba shares are configured. Here, %S is the Unix account, so the home share is on the physical directory /home/[username]/data/ on the server (this is what the H:\ is mapped to above).
See http://oreilly.com/catalog/samba/chapter/book/ch06_06.html for useful information on Logon scripts.
Edit the shares to look like this (once again, make sure the paths are exactly as specified):
[homes]
comment = Home Directories
browseable = no
path = /home/%S/data
valid users = %S
writable = yes
create mask = 0600
directory mask = 0700
[netlogon]
comment = Network Logon Service
path = /data/samba/netlogon
guest ok = yes
writable = no
share modes = no
write list = @admins
[profiles]
comment = Users profiles
path = /home/%U/profiles
guest ok = no
browseable = no
create mask = 0600
directory mask = 0700
writable = yes
We store each user’s profile and data under their home directory. All other group information and shares are stored under the /data/samba/ directory.
When you have finished, save and exit the file.
Samba should now be configured as a primary domain controller, set to use LDAP and have the required shares enabled.
Before we restart Samba, let’s check its configuration with
testparm
You should see output something like this
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
This (should) tell you there were no errors and that the server’s role is as primary domain controller.
Set Samba LDAP Admin Password
Very importantly, we need to tell Samba the password for our LDAP admin account so that it can do fancy stuff. It sets the password for the LDAP account specified above in the smb.conf (cn=Manager,dc=simonandkate,dc=lan), so make sure that’s all correct.
To set the password, simply run:
smbpasswd -w [ldap admin password]
You should see something like:
Setting stored password for "cn=Manager,dc=simonandkate,dc=lan" in secrets.tdb
Now start Samba:
service smb restart
Log back into phpldapadmin (or use the refresh option on the page under My LDAP Server) and you should now see a second entry under the root dc, something like:
sambaDomainName=SIMONANDKATE
Click on it and you should see all the entries, like SambaSID. This means Samba is ready to work with LDAP.
Samba and IPTables
On the Samba server, allow 445/tcp, 139/tcp, 137/udp and 138/udp through iptables.
Samba Group Population
Log back into phpldapadmin if you aren’t already.
Expand the root dc, then expand ou=groups.
Select Create new entry here.
From the list, select Samba3 Group Mapping and hit Proceed.
- NOTE: The “Samba SID” should be completed with the SID number and the domain in brackets (i.e. WB.LAN). YOURS WILL BE DIFFERENT. Simply enter the five hundred-something number.
Create the following four new entries with the settings specified:
Container DN: ou=groups,dc=simonandkate,dc=lan
Group: admins
Windows Name: admins
GID Number: 20000
Samba SID: [S-1-5-21-.............................. (SIMONANDKATE)] 512
Samba Group Type: Domain Group
Users: [blank]
Container DN: ou=groups,dc=simonandkate,dc=lan
Group: users
Windows Name: users
GID Number: 20001
Samba SID: [S-1-5-21-.............................. (SIMONANDKATE)] 513
Samba Group Type: Domain Group
Users: [blank]
Container DN: ou=groups,dc=simonandkate,dc=lan
Group: guests
Windows Name: guests
GID Number: 20002
Samba SID: [S-1-5-21-............................... (SIMONANDKATE)] 514
Samba Group Type: Domain Group
Users: [blank]
Container DN: ou=groups,dc=simonandkate,dc=lan
Group: machines
Windows Name: machines
GID Number: 20003
Samba SID: [S-1-5-21-................................ (SIMONANDKATE)] 515
Samba Group Type: Domain Group
Users: [blank]
Once you’re done you should have four new entries under ou=groups in phpldapadmin; cn=admins, cn=guests, cn=machines and cn=users.
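The organisational units from the Configure LDAP for Samba section and the four group mappings above can also be produced as LDIF and loaded in one go. This is an added example, not from the original page: it assumes ldapadd from openldap-clients is installed and that the domain SID is taken from net getlocalsid on the Samba server; the names, numbers and admin DN are the page's own.

```shell
#!/bin/sh
# Added example (not from the original page): produce as LDIF what the
# phpldapadmin steps above create by hand: the three organisational units
# and the four domain group mappings. Assumes ldapadd (openldap-clients)
# and that the domain SID comes from "net getlocalsid".
BASE_DN="${BASE_DN:-dc=simonandkate,dc=lan}"

# ou_ldif NAME...: one organizationalUnit entry per name
ou_ldif() {
    for ou in "$@"; do
        printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' "$ou" "$BASE_DN" "$ou"
    done
}

# group_ldif DOMAIN_SID: the four mappings from the page (name / gidNumber / RID).
# The group SID is the domain SID plus the RID; sambaGroupType 2 is "Domain Group".
group_ldif() {
    sid="$1"
    printf '%s\n' "admins 20000 512" "users 20001 513" "guests 20002 514" "machines 20003 515" |
    while read -r name gid rid; do
        printf 'dn: cn=%s,ou=groups,%s\n' "$name" "$BASE_DN"
        printf 'objectClass: top\nobjectClass: posixGroup\nobjectClass: sambaGroupMapping\n'
        printf 'cn: %s\ndisplayName: %s\ngidNumber: %s\nsambaSID: %s-%s\nsambaGroupType: 2\n\n' \
            "$name" "$name" "$gid" "$sid" "$rid"
    done
}

# Load everything with the admin DN from smb.conf (run on the Samba server):
#   DOMSID=$(net getlocalsid | sed 's/.*: //')
#   { ou_ldif users groups machines; group_ldif "$DOMSID"; } | ldapadd -x -D "cn=Manager,$BASE_DN" -W
```

Loading through ldapadd leaves an audit trail in the LDAP server log, which the phpldapadmin clicks do not give you in one place.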
Create Users
Create the administrator account and then a user account, so go back into phpldapadmin.
Expand the root dn, then expand ou=users.
Click on Create new entry here, select Samba3 Account and hit Proceed.
Fill in the following information:
First name -> Domain
Last name -> Admin
Common name -> Domain Admin
User id -> administrator
UID Number -> 10000
Samba SID -> 21000
Password -> *****
Shell ->
GID Number -> admins
Primary Group ID -> (admins)
Home directory -> /home/administrator
Hit Create Object to add the entry.
Now make one for a test user (or yourself), incrementing the UID and SID like so:
First name -> Simon
Last name ->
Common name -> Simon
User id -> simon
UID Number -> 10001
Samba SID -> 21001
Password -> *****
Shell ->
GID Number -> users
Primary Group ID -> (users)
Home directory -> /home/simon
Create Users’ Directories
Create the locations specified in the shares including some changes to the skel (so that when new users are created they have everything they need in their home directory).
Run the following:
mkdir -p /etc/skel/{data,profiles}
chmod 700 /etc/skel/{data,profiles}
mkdir -p /mnt/data/samba/netlogon
chown nobody:admins /mnt/data/samba/netlogon
chmod 775 /mnt/data/samba/netlogon
Create the home directories for the new users you created:
cp -a /etc/skel /home/[username]
chown -R [username]:[group] /home/[username]
(Administrator should have group admins while normal users should have group users.)
Test New Users
Verify the new users are in the database with:
getent passwd
You should see something like:
...
openldap:x:104:110:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
administrator:*:10000:20000:administrator:/home/administrator:
simon:*:10001:20001:Simon:/home/simon:
You should also be able to switch to these users:
su - simon
bash
Also try logging in via SSH.
Creating Extras for Users
If a user requires additional goodies such as a specific shell or to be part of a particular group, we can add these as additional attributes.
To do this, log into phpldapadmin (if you aren’t already), expand the root dn, then expand ou=users and select your user, e.g. cn=Domain Admin. This should bring up the set properties for this account.
In the top area of this section you should see a link to Add new attribute. Click this.
Now you can select additional attributes from the drop down list and add these for your user. Read on for some specific attributes you might require.
Shell
If a user will be connecting from a Linux client, or if your users require ssh access then now is the time to set the extras they will need, such as a shell.
From the Add new attribute drop down list, select loginShell. Now in the empty field next to the dropdown enter the shell you want this user to have (most likely /bin/bash).
Hit the Add button to finalise this attribute and now you should be back at the properties for the account. If you scroll down you should see the new loginShell attribute you just added.
Try logging in as that user and you should now have access to the bash shell automatically.
Windows XP as a Samba Client
http://www.math.temple.edu/computing/samba.html#xp
/etc/samba/smb.conf:
[global]
ldap ssl = start tls
name resolve order = lmhosts host wins bcast
enable privileges = yes
delete user from group script = /usr/sbin/userdel "%u" "%g"
netbios name = SERVER05
printing =
logon script = logon.bat
local master = yes
workgroup = SIMONANDKATE
ldap admin dn = cn=Manager,dc=simonandkate,dc=lan
printcap name = /etc/printcap
security = user
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
delete user script = /usr/sbin/userdel "%u"
load printers = no
ldap user suffix = ou=users
add group script = /usr/sbin/groupadd "%g"
delete group script = /usr/sbin/groupdel "%g"
ldap password sync = yes
logon drive = H:
domain master = auto
logon home = \\%N\%U
passdb backend = ldapsam:ldap://server01.simonandkate.lan:389
wins support = yes
ldap delete dn = no
ldap group suffix = ou=groups
ldap machine suffix = ou=machines
server string = SimonandKate S05
ldap suffix = dc=simonandkate,dc=lan
logon path = \\%N\profiles\%U
add user script = /usr/sbin/useradd "%u" -n -g users
preferred master = auto
domain logons = yes
; os level = 33
[homes]
browseable = no
writable = yes
path = /mnt/data/home/%S
comment = Home Directories
valid users = %S
read only = no
hide dot files = yes
veto files = /.*/
[netlogon]
comment = Network Logon Service
path = /mnt/data/samba/netlogon
guest ok = yes
writable = yes
share modes = no
write list = @admins
[profiles]
comment = Users profiles
path = /mnt/data/profiles
browseable = no
create mask = 0600
directory mask = 0700
writable = yes
profile acls = yes
[shared]
comment = Public Shared Folder
browseable = yes
guest only = yes
writable = yes
public = yes
path = /mnt/data/shared
[media]
comment = Media Share
writeable = yes
public = yes
create mode = 777
path = /mnt/data/media
directory mode = 777
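A check worth running on an smb.conf like the one above before restarting Samba, added here as an example and not part of the original page: it reports shares that guests can write to, create masks that give "other" write access, and an ldapsam backend on plain ldap:// with no ldap ssl = start tls. The sample configuration it scans is constructed from the [netlogon] and [media] settings above.

```shell
#!/bin/sh
# Added example (not from the original page): report risky settings in an smb.conf.
# Flags shares that guests can write to (guest ok / public / guest only together
# with writable / writeable / read only = no), create masks that grant write to
# "other", and an ldapsam backend on plain ldap:// with no "ldap ssl = start tls".
audit_smb_conf() {
    awk '
    # trim, collapse whitespace and lowercase, as Samba treats keys and values
    function norm(v) { gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/[ \t]+/, " ", v); return tolower(v) }
    # evaluate the section just finished, then clear its settings
    function flush(   k, guest, w) {
        if (sec != "" && sec != "global") {
            guest = (s["guest ok"] == "yes" || s["public"] == "yes" || s["guest only"] == "yes")
            w = (s["writable"] == "yes" || s["writeable"] == "yes" || s["read only"] == "no")
            if (guest && w) print "[" sec "] guest-writable share"
            if (s["create mask"] ~ /[2367]$/ || s["create mode"] ~ /[2367]$/)
                print "[" sec "] create mask grants write to others"
        }
        for (k in s) delete s[k]
    }
    /^[ \t]*[;#]/ { next }
    /^[ \t]*\[/ { flush(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); sec = norm(sec); next }
    /=/ { k = $0; v = $0; sub(/=.*/, "", k); sub(/^[^=]*=/, "", v)
          s[norm(k)] = norm(v); if (sec == "global") g[norm(k)] = norm(v) }
    END {
        flush()
        if (index(g["passdb backend"], "ldapsam:ldap://") == 1 && g["ldap ssl"] != "start tls")
            print "[global] ldapsam over plain ldap:// without ldap ssl = start tls"
    }' "$1"
}

# Constructed sample reproducing the [netlogon] and [media] settings from the config above.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[global]
passdb backend = ldapsam:ldap://server01.simonandkate.lan:389
[netlogon]
guest ok = yes
writable = yes
write list = @admins
[media]
public = yes
writeable = yes
create mode = 777
EOF
audit_smb_conf "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

In the final configuration, [netlogon] combines guest ok = yes with writable = yes, so write list = @admins no longer limits who can change logon.bat; the earlier version of that share (writable = no plus the write list) is the one to keep.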