Samba/LDAP How-To using Samba v. 3

By

David Trask

Technology Coordinator/Computer Teacher

Vassalboro Community School

Vassalboro, Maine USA

 

smbldap-installer

by

Matt Oquist

Software Engineering Consultant


Download the smbldap-installer script here:

http://web.vcs.u52.k12.me.us/linux/smbldap/smbldap-installer-1.2.1.tgz

or here....

http://technology.sau16.k12.nh.us/opnsrc

Better yet....


Get the very latest version on Matt's page (new versions always show up here first....recommended download)

http://majen.net/smbldap/



smbldap-installer script and files:

 

This document has undergone a major transformation (1/05) to reflect the introduction of a new script to automate much of what is described below.  I do recommend reading this how-to so you can understand what is going on and then pick up at Step 18 to continue after running the script.

 

Pre-installation notes:  (Installing the OS)

 

For optimum results with the script and with this how-to I highly recommend installing this on either Fedora Core 3 or K12LTSP 4.2 (based on Fedora Core 3).  The K12LTSP distribution can be found at http://www.k12ltsp.org/.  This distribution is basically FC3 with some extra installation options such as LTSP server.  One thing I have found is that Eric Harrison, the maintainer and primary developer of K12LTSP, has done a superb job of including all the necessary files in the K12LTSP distribution thus making it more likely that you’ll have what you need for this installation.  You will also find that all the necessary files for Samba/LDAP have been included in this script package and your choice of answers in the steps asked by the script will determine what packages and versions are installed.  For your own purposes you’ll want to be sure to select all the samba packages and the NFS packages during your initial OS installation.  When in doubt…select “Everything” and then remove what you don’t need.

 

First download the file smbldap-installer-(version number here).tgz     (You may already have it if you are reading this)

 

cd to the directory you downloaded it to and expand it

 

tar xzvf smbldap-installer-(version number here).tgz

 

This will expand everything into a directory called  smbldap-installer

 

cd smbldap-installer

 

to run the script…type

 

./smb-ldap.pl

 

The following is what you’ll see:

 

1)

###########################################################

Starting SAMBA-LDAP Config: Fri Jan 14 10:00:07 2005

This script will only work [well] for versions of distributions of GNU/Linux that have been entered in distro_data.pm.  Feel free to add new versions/distros and share your updated distro_data.pm file!

 

Note that in many cases the default answers for the following questions will work.

 

Please select your Linux distribution from the following options: [k12ltsp-4.2]

        fedora-core-3

        k12ltsp-4.2

       

 

2) Please enter your domain name: [(none)] test.org

 

3) Please enter your windows domain (workgroup) name: [TESTORG]

 

4) Please enter your LDAP password:  secret

 

5) Please enter the drive letter of user spaces in Windows: [X] F

 

6) Please enter the maximum password age (in days) for your network: [999]

 

7) (note: some folks may have more than one interface connected to the server…they should be reflected below…my example shows two interfaces)

 

Example of comma separated list:  eth0,eth1,eth2

 

Your system has the following network interfaces.

eth0: static, 192.168.0.254, start on boot

eth1: dhcp, 10.0.14.162, start on boot 

 

Please enter a comma-separated list of the interfaces

        connected to your Windows/SAMBA network: [eth0]

 

8) (this is cool….it will set up an NFS export of /home so you can mount it on other servers such as a K12LTSP server)

 

Will other Linux machines need to access home directories  

stored on this server? [y/N] y

 

Please enter the network you wish to allow access to /home on this system.

Here is a guess based on your current network configuration:

10.0.14.162/255.255.240.0

10.0.0.0/255.255.240.0  (obviously you should enter your own info here)

 

 

9) (note:  you may not see all the stuff listed below….this is what you would see if you already had smb-ldap installed and were reconfiguring it….this way I can show you all of it…otherwise…skip down a bit past the “backing up” stuff)…But note that the script backs up all the config files it touches.  That way you can always use 'locate' to find all the backups from a particular day, so you can revert to a previous state of your configuration if you need to.  Hopefully you don't need to.  :-)

 

Gathering system information...

Backing up "/etc/openldap/ldap.conf" at "/etc/openldap/ldap.conf-Fri_Jan_14_10_00_07_2005.bak"

Backing up "/etc/openldap/schema/samba.schema" at "/etc/openldap/schema/samba.schema-Fri_Jan_14_10_00_07_2005.bak"

Backing up "/etc/samba/smbusers" at "/etc/samba/smbusers-Fri_Jan_14_10_00_07_2005.bak"

Backing up "/etc/openldap/slapd.conf" at "/etc/openldap/slapd.conf-Fri_Jan_14_10_00_07_2005.bak"

Backing up "/etc/ldap.conf" at "/etc/ldap.conf-Fri_Jan_14_10_00_07_2005.bak"

Backing up "/etc/samba/smb.conf" at "/etc/samba/smb.conf-Fri_Jan_14_10_00_07_2005.bak"

Restarting the ldap service...

Setting ldap service to start during system boot...Success!

Setting the manager smbpasswd...

Grabbing local SID...success!

Backing up "/etc/openldap/ldap.conf" at "/etc/openldap/ldap.conf-Fri_Jan_14_10_00_07_2005.bak"

Backing up "/etc/openldap/schema/samba.schema" at "/etc/openldap/schema/samba.schema-Fri_Jan_14_10_00_07_2005.bak"

Backing up "/etc/samba/smbusers" at "/etc/samba/smbusers-Fri_Jan_14_10_00_07_2005.bak"

Backing up "/etc/pam.d/system-auth" at "/etc/pam.d/system-auth-Fri_Jan_14_10_00_07_2005.bak"

Backing up "/etc/openldap/slapd.conf" at "/etc/openldap/slapd.conf-Fri_Jan_14_10_00_07_2005.bak"

Backing up "/etc/pam_smb.conf" at "/etc/pam_smb.conf-Fri_Jan_14_10_00_07_2005.bak"

Backing up "/etc/smbldap-tools/smbldap_bind.conf" at "/etc/smbldap-tools/smbldap_bind.conf-Fri_Jan_14_10_00_07_2005.bak"

Backing up "/etc/ldap.conf" at "/etc/ldap.conf-Fri_Jan_14_10_00_07_2005.bak"

Backing up "/etc/sysconfig/authconfig" at "/etc/sysconfig/authconfig-Fri_Jan_14_10_00_07_2005.bak"

Backing up "/etc/smbldap-tools/smbldap.conf" at "/etc/smbldap-tools/smbldap.conf-Fri_Jan_14_10_00_07_2005.bak"

Backing up "/etc/nsswitch.conf" at "/etc/nsswitch.conf-Fri_Jan_14_10_00_07_2005.bak"

Backing up "/etc/samba/smb.conf" at "/etc/samba/smb.conf-Fri_Jan_14_10_00_07_2005.bak"

Running smbldap-populate...success.

I need you to help me set the Administrator's Samba password.

Please type the password when prompted, and REMEMBER IT!

New SMB password: secret

Retype new SMB password: secret

 

10) Restarting the smb service...

Setting smb service to start during system boot...Success!

Restarting the nscd service...

Setting nscd service to start during system boot...Success!

Creating the /opt/samba/profiles directory...

Setting permissions for /opt/samba/profiles...

Creating the /opt/samba/netlogon directory...

Creating sample startup.bat file...

Backing up "/opt/samba/netlogon/startup.bat" at "/opt/samba/netlogon/startup.bat-Fri_Jan_14_10_00_07_2005.bak"

Munging /opt/samba/netlogon/startup.bat to DOS format...

 

 

This script has appended its output to /root/smbldap-installer/smb-ldap.log.

Removing my temporary directory /tmp/.Fri_Jan_14_10_00_07_2005-3302...

Congratulations!  It looks like we've succeeded.

You can run this script again if you want to overwrite your configuration.

Please note your LDAP base: dc=test,dc=org

Bye-bye.

 

That’s IT!  Pretty easy huh?  Ok…sure, there’s a bit more…skip down to Step 18 and begin configuring the remainder of your set up.

##########################################################################################

 

What this document is…

This is a how-to for setting up a simple Samba/LDAP server for your network as a means of providing centralized authentication and home directories. If it is done correctly you can provide one common logon for all platforms...Windows, Linux, and Mac OS X. This is exactly what I do in my own school. You can also host a common home directory for all users and export via NFS as necessary. This method does not incorporate the many security features that can be employed to better enhance network security. If you'd like more information on that please take a look at the how-to's located in the Samba Projects section at http://www.idealx.org/prj/samba/index.en.html .

My test environment: I chose Fedora Core 2 as my base OS for the server install. I chose to install “everything” in terms of packages to make sure I got what I needed....this can obviously be tweaked greatly. My Windows network is made up of WinXP Pro machines....I have not been able to test on anything else, but there's no reason it should not work. The packages I used for configuring Samba/LDAP can be downloaded from http://www.idealx.org/prj/samba/dist/ . I downloaded the latest RedHat 9 rpm....version 0.8.4 I believe.  (the script above is based on 0.8.5)

 

 
 

 

 

NOTE:  Be aware that in many of the configuration files I used bogus domain names, passwords, etc.  (one example is dc=vcs,dc=org)  Substitute your own values where appropriate.

 

Ok...let's get started!

 

(NOTE: the next couple steps MAY not be necessary for your setup. In some cases it may be

prudent, but I have found recently with Fedora Core 2 and 3...if you install “everything” you'll have

what you need with regard to LDAP stuff...you can skip to Step 3 if you wish)

 

Step 1: Installing Apt (make sure you're connected to the Internet)

 

(assuming you have loaded your server and set it up) Let's take care of a few housekeeping items to get

our server ready for any updates and stuff we may need in the future....not all of this is necessary but it

is prudent. Let's set up apt. Go to http://www.fedora.us/wiki/FedoraHOWTO and download the latest

apt rpm package. Get the version for Fedora 2 if you're using that. Here's the link:

http://download.fedora.us/fedora/fedora/2/i386/RPMS.stable/apt-0.5.15cnc6-0.fdr.11.2.i386.rpm

 

(Visit the site to get the latest version)

 

Using the terminal...let's install the rpm (go to the directory you downloaded it to...I usually work as

root..so that's where it is... /root)

 

rpm -Uhv apt-0.5.15cnc6-0.fdr.11.2.i386.rpm

 

Good! Now that we have that installed...let's stay in terminal and get apt configured.

 

apt-get update

 

follow the prompts and set it up....I chose everything.

This will take a few minutes....so relax. Once this part finishes we should make sure it's all set by running

 

apt-get -f install

 

this will make sure the newest packages are in place. Answer “yes” and let it go. Once it's done we

can move on.

 

Step 2: Installing CPAN bundles

 

Now we need to make sure our perl modules are all there and up to date. We can do this easily by running

 

perl -MCPAN -e shell

 

Let it run. Answer “no” when it asks about Manual configuration.

Once it stops you'll be at the cpan prompt....type

 

install Bundle::CPAN

 

this will install many perl modules for you. Answer “yes” to any dependency questions. When you get

to the question about “libnet”....answer “no”. Once you are finished...hit “enter” to exit....it'll run for a

few seconds more and then bring you back to the cpan prompt. For good measure let's type

 

install Net::LDAP  (it should be up to date)

 

now let's type

 

install Unicode::MapUTF8

 

Answer “yes” to any dependency questions. This module will be necessary if you ever choose to use

the idxldapaccounts webmin module.

Now let's check a couple other things to be safe.

Type

 

install Crypt::SmbHash (and install it)

 

then type

 

install Convert::BER

 

Once that's done we're ready to move on! Type exit to quit from the cpan prompt.

 

Step 3: Installing the smbldap-tools

 

Now we need to install the smbldap-tools. If you have not already done so....download the tools from

idealx.

The packages I used for configuring Samba/LDAP can be downloaded from

http://www.idealx.org/prj/samba/dist . I downloaded the latest RedHat 9 rpm....version 0.8.4 I believe.

(get the i386 version) As of this writing…(2/8/05) smbldap-tools version 0.8.6 is the latest.

 

Install it by typing in terminal....

 

rpm -Uhv smbldap-tools-0.8.4-1.i386.rpm (substitute any newer version #'s)

 

*Note: if you skipped the steps above (naughty you!) then this may not work as it depends on

Net::LDAP. In my experience in using Fedora Core 2 you should be all set if you paid attention to

what was installed.

 

Step 4: Edit the file /etc/ldap.conf to reflect your own search base...see below....

 

#The distinguished name of the search base.

base dc=vcs,dc=org

 

Step 5: Copying the samba.schema file

 

(helpful step: If you have not done it yet you may want to run updatedb so you can locate files

more quickly...this command takes a few minutes to run so be patient....once it's done you can locate

files by typing locate filename ex: locate samba.schema )

 

On your system you'll need to locate the samba.schema file. On my system it is located at

/usr/share/doc/samba-3.0.3/LDAP/samba.schema

so let's go to that directory and copy the samba.schema file to /etc/openldap/schema

 

cd /usr/share/doc/samba-3.0.3/LDAP/

 

and then copy the file

 

cp samba.schema /etc/openldap/schema

 

Step 6: Editing the Openldap files

 

Now we need to edit the files located in /etc/openldap

Let's go there

 

cd /etc/openldap

Now type ls and let's see what's in there.

Type

 

gedit slapd.conf

 

there are many things to change in here...see my sample below for more...

 

Sample /etc/openldap/slapd.conf file

 

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $

#

# See slapd.conf(5) for details on configuration options.

# This file should NOT be world readable.

#

include /etc/openldap/schema/core.schema

include /etc/openldap/schema/cosine.schema

include /etc/openldap/schema/inetorgperson.schema

include /etc/openldap/schema/nis.schema

include /etc/openldap/schema/samba.schema

 

# Allow LDAPv2 client connections. This is NOT the default.

#allow bind_v2

# Do not enable referrals until AFTER you have a working directory

# service AND an understanding of referrals.

#referral ldap://root.openldap.org

pidfile /var/run/slapd.pid

#argsfile //var/run/slapd.args

#######################################################################

# ldbm and/or bdb database definitions

#######################################################################

database ldbm

suffix "dc=vcs,dc=org"

rootdn "cn=Manager,dc=vcs,dc=org"

# Cleartext passwords, especially for the rootdn, should

# be avoided. See slappasswd(8) and slapd.conf(5) for details.

# Use of strong authentication encouraged.

rootpw secret

# rootpw {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND

# should only be accessible by the slapd and slap tools.

# Mode 700 recommended.

directory /var/lib/ldap

# Indices to maintain for this database

#index objectClass eq,pres

#index ou,cn,mail,surname,givenname eq,pres,sub

#index uidNumber,gidNumber,loginShell eq,pres

#index uid,memberUid eq,pres,sub

#index nisMapName,nisMapEntry eq,pres,sub

index objectClass eq

index cn pres,sub,eq

index sn pres,sub,eq

index uid pres,sub,eq

index displayName pres,sub,eq

index uidNumber eq

index gidNumber eq

index memberUID eq

index sambaSID eq

index sambaPrimaryGroupSID eq

index sambaDomainName eq

index default sub

 

I've highlighted most of what needs to be changed....the default file has a lot more in it....feel free to cut

and paste with your own values....in the end it should look almost exactly like mine. Pay particular

attention to the password....remember that you need to substitute 'secret' with the password you entered

earlier in the smbldap_bind.conf file. Remember? I told you that you'd need to remember it.

 

Now we need to edit the other file....ldap.conf

Type

 

gedit ldap.conf

 

This one is easy....just put in your values....see my example below.

 

Sample /etc/openldap/ldap.conf

 

# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $

#

# LDAP Defaults

#

# See ldap.conf(5) for details

# This file should be world readable but not world writable.

#BASE dc=example, dc=com

#URI ldap://ldap.example.com ldap://ldap-master.example.com:606

#SIZELIMIT 12

#TIMELIMIT 15

#DEREF never

HOST 127.0.0.1

BASE dc=vcs,dc=org

 

Step 7: Starting the LDAP service

 

If everything is done correctly we can now start the LDAP server. Simply type

 

service ldap start

 

If everything works....you're ready to move on...if not...you need to recheck your steps.

 

Step 8: Configuring Samba

 

Now we need to configure Samba, more specifically the file /etc/samba/smb.conf. You may need to refer back to some of the values you entered in the Samba section of the file /etc/smbldap-tools/smbldap.conf. I have included my own smb.conf file for you to follow and/or copy.

 

Sample /etc/samba/smb.conf

 

# Global parameters

 

[global]

workgroup = MIDNIGHT

netbios name = MIDNIGHT-PDC

#(make sure this next line reflects the NIC connected to the Samba network!)

interfaces = eth0, lo

username map = /etc/samba/smbusers

#admin users= @"Domain Admins"

server string = Samba Server %v

security = user

encrypt passwords = Yes

min passwd length = 3

obey pam restrictions = No

unix password sync = Yes

#passwd program = /usr/local/sbin/smbldap-passwd -u %u

#passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"

ldap passwd sync = Yes

log level = 0

syslog = 0

log file = /var/log/samba/log.%m

max log size = 100000

time server = Yes

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

mangling method = hash2

Dos charset = 850

Unix charset = ISO8859-1

 

logon script = startup.bat

logon drive = F:

logon home =

logon path =

 

domain logons = Yes

os level = 65

preferred master = Yes

domain master = Yes

wins support = Yes

passdb backend = ldapsam:ldap://127.0.0.1/

# passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"

# ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))

ldap admin dn = cn=Manager,dc=vcs,dc=org

ldap suffix = dc=vcs,dc=org

ldap group suffix = ou=Groups

ldap user suffix = ou=Users

ldap machine suffix = ou=Computers

ldap idmap suffix = ou=Users

#ldap ssl = start tls

add user script = /usr/local/sbin/smbldap-useradd -m "%u"

ldap delete dn = Yes

#delete user script = /usr/local/sbin/smbldap-userdel "%u"

add machine script = /usr/local/sbin/smbldap-useradd -w "%u"

add group script = /usr/local/sbin/smbldap-groupadd -p "%g"

#delete group script = /usr/local/sbin/smbldap-groupdel "%g"

add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"

delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"

set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"

 

#BIG NOTE:  In the newest version (0.8.6 as of this writing)…the above paths have changed!

#They are no longer /usr/local/sbin/, but rather /opt/IDEALX/sbin/   Change above where

#necessary.

 

[homes]

comment = Home Directories

valid users = %S

writeable = yes

create mask = 0664

directory mask = 0775

browseable = Yes

 

[netlogon]

comment = Network Logon Service

path = /opt/samba/netlogon

 

[profiles]

path = /opt/samba/profiles

writeable = yes

browseable = yes

create mode = 0644

directory mode = 0755

 

[printers]

comment = All Printers

path = /var/spool/samba

printable = Yes

browseable = No

 

#[tmp]

# comment = Temporary file space

# path = /tmp

# writeable = yes

# guest ok = Yes

 

[whole_linux_server]

comment = whole_linux_box

path = /

valid users = admin root dtrask

admin users = admin root dtrask

write list = admin root dtrask

public = no

writable = yes

 

(This last share is not wise unless you are in a secure situation and know your users!  Share only what you need to)

 

I highlighted in yellow the things that you'll need to change according to the values you put into

smbldap.conf earlier. The stuff in green is some stuff you should pay attention to as you'll need it to be functional. *Note: the profiles share is only if you are going to be using roaming profiles in a Windows environment....(I do hence the reason it's there). Again...feel free to cut and paste.

(Don't start Samba yet...we'll do that in a few minutes)
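The caveat about the whole_linux_server share can be checked mechanically. The shell function below is an added example, not part of the original how-to or of Samba: it flags shares whose path is /, shares that set admin users, guest-enabled shares and a short min passwd length (the threshold of 8 and the function names are assumptions of this example), run here on a constructed excerpt of the sample above.

```sh
#!/bin/sh
# Added example, not part of the original how-to or of Samba.

# audit_smbconf [FILE]: print one "section: finding" line per risky setting.
# Reads standard input when FILE is omitted.
audit_smbconf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }                       # skip comment lines
    /^[ \t]*\[.*\]/ {                            # section header such as [homes]
        sec = $0
        sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        next
    }
    index($0, "=") > 0 {
        eq  = index($0, "=")
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = trim(substr($0, eq + 1))
        if (tolower(sec) == "global") {
            # Threshold of 8 is an assumption of this example, not a Samba default.
            if (key == "min passwd length" && val + 0 < 8)
                print sec ": min passwd length is only " val
        } else {
            if (key == "path" && val == "/")
                print sec ": path is / (the whole filesystem is shared)"
            if (key == "admin users")
                print sec ": admin users act as root on this share: " val
            if ((key == "guest ok" || key == "public") && tolower(val) ~ /^(yes|true|1)$/)
                print sec ": guest access is enabled"
        }
    }' "${1:--}"
}

# sample_smbconf: constructed excerpt of the sample smb.conf shown above.
sample_smbconf() {
cat <<'EOF'
[global]
workgroup = MIDNIGHT
min passwd length = 3

[homes]
valid users = %S
writeable = yes

#[tmp]
# guest ok = Yes

[whole_linux_server]
path = /
valid users = admin root dtrask
admin users = admin root dtrask
public = no
writable = yes
EOF
}

# Stand-alone run: audit the constructed excerpt.
sample_smbconf | audit_smbconf
```

To audit a live server, pass the real file instead: audit_smbconf /etc/samba/smb.conf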

 

 

 

Step 9: Setting the Manager password

 

Now we need to set the password for the Manager account that we specified in many of our

configuration files. To do this....type

 

smbpasswd -w secret (where 'secret' is the password you specified in the config files earlier)

 

You'll see:

 

Setting stored password for “cn=Manager,dc=vcs,dc=org” in secrets.tdb (with your values of course)

 

Step 10: Get the local SID...

 

First we need to get the local SID from the system....so in the terminal type

 

net getlocalsid

 

then copy the SID (copy command in terminal....so you can paste in a few mins)

 

Step 11: Configuring the smbldap-tools

 

Now we need to configure the smbldap-tools you installed earlier. Smbldap-tools does come bundled

with Samba, but the newest version we just downloaded is much easier to use....so....

Now we need to edit the files in /etc/smbldap-tools...so type

 

cd /etc/smbldap-tools

 

type

 

ls

 

to see what's in there

Now type

 

gedit smbldap.conf

 

This will open the file in a nice GUI-based text editor in which we can edit the file as well as do search and replace. (If you are a veteran Linux user...feel free to use your favorite text editor.)

Edit the values for your system....I have included my own file below for your reference....feel free to

simply cut and paste and insert your own information.

 

My sample /etc/smbldap-tools/smbldap.conf

 

# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $

# $Id: smbldap.conf,v 1.6 2004/02/07 16:58:52 jtournier Exp $

#

# smbldap-tools.conf : Q & D configuration file for smbldap-tools

# This code was developped by IDEALX (http://IDEALX.org/) and

# contributors (their names can be found in the CONTRIBUTORS file).

#

# Copyright (C) 2001-2002 IDEALX

#

# This program is free software; you can redistribute it and/or

# modify it under the terms of the GNU General Public License

# as published by the Free Software Foundation; either version 2

# of the License, or (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,

# USA.

# Purpose :

# . be the configuration file for all smbldap-tools scripts

##############################################################################

#

# General Configuration

#

##############################################################################

# UID and GID starting at...

UID_START="1000"

GID_START="1000"

# Put your own SID

# to obtain this number do: net getlocalsid see Step 10

SID="S-1-5-21-272829073-2839789003-218174137"

##############################################################################

#

# LDAP Configuration

#

##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch

# Samba with the dual-head patch from IDEALX. If not using this patch

# just use the same server for slaveLDAP and masterLDAP.

# Those two servers declarations can also be used when you have

# . one master LDAP server where all writing operations must be done

# . one slave LDAP server where all reading operations must be done

# (typically a replication directory)

 

# Ex: slaveLDAP=127.0.0.1

slaveLDAP="127.0.0.1"

slavePort="389"

 

# Master LDAP : needed for write operations

# Ex: masterLDAP=127.0.0.1

masterLDAP="127.0.0.1"

masterPort="389"

ldapTLS="0"

 

# LDAP Suffix

# Ex: suffix=dc=IDEALX,dc=ORG

suffix="dc=vcs,dc=org"

 

# Where are stored Users

# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"

usersdn="ou=Users,dc=vcs,dc=org"

 

# Where are stored Computers

# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"

computersdn="ou=Computers,dc=vcs,dc=org"

 

# Where are stored Groups

# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"

groupsdn="ou=Groups,dc=vcs,dc=org"

 

# Default scope Used

scope="sub"

 

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)

hash_encrypt="SSHA"

 

##############################################################################

#

# Unix Accounts Configuration

#

##############################################################################

 

# Login defs

# Default Login Shell

# Ex: userLoginShell="/bin/bash"

userLoginShell="/bin/bash"

 

# Home directory prefix (without username)

# Ex: userHomePrefix="/home/"

userHomePrefix="/home/"

 

# Gecos

userGecos="System User"

 

# Default User (POSIX and Samba) GID

defaultUserGid="513"

 

# Default Computer (Samba) GID

defaultComputerGid="553"

 

# Skel dir

skeletonDir="/etc/skel"

 

# Default password validation time (time in days) Comment the next line if

# you don't want password to be enable for defaultMaxPasswordAge days (be

# careful to the sambaPwdMustChange attribute's value)

#defaultMaxPasswordAge="55"

 

##############################################################################

#

# SAMBA Configuration

#

##############################################################################

 

# The UNC path to home drives location without the username last extension

# (will be dynamically prepended)

# Ex: \\My-PDC-netbios-name\homes

# Just set it to a null string if you want to use the smb.conf 'logon home'

# directive and/or desabling roaming profiles

userSmbHome=\\MIDNIGHT-PDC\homes

 

####Note: if you are using a later version of smbldap-tools…this line changes a little####

#userSmbHome=\\MIDNIGHT-PDC\homes\%U

####End Note####

 

# The UNC path to profiles locations without the username last extension

# (will be dynamically prepended)

# Ex: \\My-PDC-netbios-name\profiles

# Just set it to a null string if you want to use the smb.conf 'logon path'

# directive and/or desabling roaming profiles

userProfile=\\MIDNIGHT-PDC\profiles

 

####Note: if you are using a later version of smbldap-tools…this line changes a little####

#userProfile=\\MIDNIGHT-PDC\profiles\%U

####End Note####

 

# The default Home Drive Letter mapping

# (will be automatically mapped at logon time if home directory exist)

# Ex: q(U:) for U:

userHomeDrive="F:"

 

# The default user netlogon script name

# if not used, will be automatically username.cmd

# make sure script file is edited under dos

userScript="startup.bat"

 

##############################################################################

#

# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)

#

##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but

# prefer mkntpwd... most of the time, it's a wise choice :-)

with_smbpasswd="0"

smbpasswd="/usr/bin/smbpasswd"

mk_ntpasswd="/usr/local/sbin/mkntpwd"

 

 

Now we need to configure smbldap_bind.conf

so type

 

gedit smbldap_bind.conf

 

Edit the information for your site. My example is below...

 

Sample /etc/smbldap-tools/smbldap_bind.conf

 

############################

# Credential Configuration #

############################

# Notes: you can specify two differents configuration if you use a

# master ldap for writing access and a slave ldap server for reading access

# By default, we will use the same DN (so it will work for standard Samba

# release)

slaveDN="cn=Manager,dc=vcs,dc=org"

slavePw="secret"

masterDN="cn=Manager,dc=vcs,dc=org"

masterPw="secret"

 

*Note: “secret” is where you put your own password....remember it as you'll be using it again.
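Both slapd.conf (Step 6) and smbldap_bind.conf above hold the Manager password, and the installer leaves timestamped .bak copies beside them. The script below is an added example, not code from this how-to or from smbldap-installer: it reports a cleartext rootpw and any of these files or backups that every local user can read, run here against constructed stand-in files; the function names are made up for the illustration.

```sh
#!/bin/sh
# Added example, not part of the original how-to or of smbldap-installer.

# rootpw_scheme FILE: print "cleartext", the hash scheme name (e.g. SSHA), or "none".
rootpw_scheme() {
    awk '
    $1 == "rootpw" {
        if (match($2, /^[{][A-Za-z0-9-]+[}]/)) print substr($2, 2, RLENGTH - 2)
        else print "cleartext"
        found = 1
        exit
    }
    END { if (!found) print "none" }' "$1"
}

# other_can_read FILE: true when the "other" read bit is set
# (8th character of the mode string printed by ls -l).
other_can_read() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# audit_cred_files FILE...: one finding per line; every FILE-*.bak backup
# (the naming used by the installer log above) is checked as well.
audit_cred_files() {
    for f in "$@"; do
        for c in "$f" "$f"-*.bak; do
            [ -f "$c" ] || continue
            if other_can_read "$c"; then
                echo "$c: readable by every local user"
            fi
            case "$c" in
                *slapd.conf*)
                    if [ "$(rootpw_scheme "$c")" = "cleartext" ]; then
                        echo "$c: rootpw is stored in cleartext"
                    fi ;;
            esac
        done
    done
}

# make_sample DIR: constructed stand-ins for the files edited in Steps 6 and 11.
make_sample() {
    printf 'rootdn "cn=Manager,dc=vcs,dc=org"\nrootpw secret\n# rootpw {crypt}ijFYNcSNctBYg\n' \
        > "$1/slapd.conf"
    cp "$1/slapd.conf" "$1/slapd.conf-Fri_Jan_14_10_00_07_2005.bak"
    printf 'masterDN="cn=Manager,dc=vcs,dc=org"\nmasterPw="secret"\n' \
        > "$1/smbldap_bind.conf"
    chmod 644 "$1/slapd.conf" "$1/slapd.conf-Fri_Jan_14_10_00_07_2005.bak"
    chmod 600 "$1/smbldap_bind.conf"
}

# Stand-alone run against the constructed files.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_cred_files "$demo_dir/slapd.conf" "$demo_dir/smbldap_bind.conf"
rm -rf "$demo_dir"
```

To clear a finding, put the output of slappasswd after rootpw in place of the cleartext value, and remove world access (chmod o-rwx) from the file and its backups.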

 

Step 12: Populating the database

 

Now we need to populate the data (ldif). This is easy to do....simply type

 

smbldap-populate

 

Note:  In later versions of smbldap-tools the preferred method is to run

 

smbldap-populate -a root

 

Note:  if you do this…skip Step 13 and proceed to Step 13a

 

this will run a script that will populate the database with a built-in directory structure. It should just

run....any errors and something is amiss.....check your stuff from previous steps.

 

Step 13: Setting the Administrator password...

 

We also need to set a password and make a tweak for a “special” account... Administrator. This account

was created when you ran smbldap-populate. It is vital as it is the account that will be used to join

Windows machines to the Samba Domain. It must have a uid of “0”. One very important thing we

need to do is comment out a line in the /etc/samba/smbusers file. To do this let's go to the directory...

 

cd /etc/samba

 

and then edit

From the ITPUB blog, link: http://blog.itpub.net/83980/viewspace-795043/. If you repost this, please credit the source; otherwise legal liability will be pursued.

Reposted from: http://blog.itpub.net/83980/viewspace-795043/
