PDC server:
OS: CentOS5.4
IP: 192.168.141.130
All characters after // mean a description, just for you to understand why need do this.
All xxx mean’s you need change or check to your server version
The red color is command out put or in a file you need add or modify
Line only ‘…’ mean here several lines skip
Any error about samba or domain, you can check the log file /var/log/samba/smbd.log, this is very important
1. Package install
You need install below package, all this can find in CentOS iso or CD
openldap-xxx
openldap-servers-xxx
openldap-clients-xxx
openldap-devel-xxx
samba-xxx
perl-LDAP-xxx
You need download below package and install
perl-Crypt-SmbHash-xxx
perl-Digest-xxx
perl-Digest-MD4-xxx
perl-Jcode-xxx
perl-Unicode-Map-xxx
perl-Unicode-Map8-xxx
perl-Unicode-MapUTF8-xxx
perl-Unicode-String-xxx
smbldap-tools-xxx
2. Modify hostname
#vim /etc/sysconfig/network //modify HOSTNAME
HOSTNAME=ldapdomain //you can use any name you like, I used ldapdomain
#vim /etc/hosts //if you have DNS server, you can add in DNS, I don’t have DNS server, so modify hosts
127.0.0.1 localhost.localdomain localhost
192.168.141.130 ldapdomain.esa.com ldapdomain
192.168.141.140 fedora12.esa.com fedora12 // the linux client
192.168.141.131 xp.esa.com xp //the windows client
#service network restart //restart network, make the changes working
Close all terminal and open new one check the name is the same as HOSTNAME you setting
3. Setup Openldap
#cp /usr/share/doc/samba-xxx/LDAP/samba.schema /etc/openldap/schema //copy samba.schama to openldap
#slappasswd //create a password with SSHA encrypt, it will ask you to input the password. Here I use “secret123”, you can change to what you like, then it will show the SSHA encrypt password
{SSHA}5G5g4xyAfrKrOPzRU7tUiXBHSRttiMhD
#vim /etc/openldap/slapd.conf //modify slapd.conf
…
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema //add this line
…
access to attrs=userPassword,sambaLMPassword,sambaNTPassword //add access method
by self write
by anonymous auth
by * none
access to *
by * read
…
database bdb // the database ldap using
suffix "dc=esa,dc=com" //I use esa.com as domain, you can change to other
rootdn "cn=Manager,dc=esa,dc=com" //the rootdn, you can change to other
…
rootpw {SSHA}5G5g4xyAfrKrOPzRU7tUiXBHSRttiMhD //the password which using SSHA create, here you also can use “rootpw secret123” though it is not security
…
#vim /etc/openldap/ldap.conf //modify ldap.conf
BASE dc=esa,dc=com
URI ldap://127.0.0.1/
#TLS_CACERTDIR /etc/openldap/cacerts //here disable TLS
#vim /etc/ldap.conf
….
base dc=esa,dc=com
rootbinddn cn=Manager,dc=esa,dc=com
…
nss_base_passwd ou=Users,dc=esa,dc=com?one //the ou will create by smbldap
nss_base_passwd ou=Computers,dc=esa,dc=com?one
nss_base_shadow ou=Users,dc=esa,dc=com?one
nss_base_group ou=Groups,dc=esa,dc=com?one
…
uri ldap://127.0.0.1/
ssl no
#tls_cacertdir /etc/openldap/cacerts
pam_password md5
…
#echo secret123 > /etc/ldap.secret //add ldap.secret
#chmod 600 /etc/ldap.secret //modify authority about ldap.secret
#service ldap start
# telnet localhost 389 //test ldap port
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
^] //inport ctrl + ]
telnet> quit
Connection closed.
4. Setup samba
#vim /etc/samba/smb.conf
[global] //delete all other setting in global, only remain or add below
workgroup = esa.com
server string = ldap and domain server
netbios name = domainserver
security = user
encrypt passwords = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap suffix = dc=esa,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=Manager,dc=esa,dc=com
add user script = /usr/sbin/smbldap-useradd -m "%u"
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user script = /usr/sbin/smbldap-userdel "%u"
delete group script = /usr/sbin/smbldap-groupdel "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/false
ldap passwd sync = yes
domain master = yes
domain logons = yes
preferred master = yes
ldap ssl = off
winbind use default domain = yes
winbind nested groups = no
…
[public] //create a share fold for future, If you don’t need, also can delete this session
comment = Public Stuff
path = /home/samba
public = yes
writable = yes
printable = no
#mkdir /home/samba //create the share fold, if you don’t set in smb.conf, ignore this
#chmod 777 /home/samba //chmod the share fold, if you don’t set in smb.conf, ignore this
# testparm //test smb.conf
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[public]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC //here mean you are a PDC server
Press enter to see a dump of your service definitions //press enter
#service smb restart
#smbpasswd -w secret123 //set smb dn admin password, need the same as rootpw in sldap.conf , here is secret123
# net getlocalsid //make sure you can get sid
SID for domain DOMAINSERVER is: S-1-5-21-3456266429-2160885202-3924598192
#tdbdump /etc/samba/secrets.tdb //you can use this command check the key exsit
4. Create ldap data using smbldap-tool
# /usr/share/doc/smbldap-tools-0.9.5/configure.pl
Use of $# is deprecated at ./configure.pl line 314.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
smbldap-tools script configuration
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
. if your samba controller is up and running.
. if the domain SID is defined (you can get it with the 'net getlocalsid')
. you can leave the configuration using the Crtl-c key combination
. empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...
Samba Configuration File Path [/etc/samba/smb.conf] > // press Enter
The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools/] > // press Enter
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts ...
. workgroup name: name of the domain Samba act as a PDC
workgroup name [esa.com] > // press Enter
. netbios name: netbios name of the samba controler
netbios name [domainserver] > // press Enter
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
logon drive [] > Z: //input Z: or you can input '.' ignore
. logon home: home directory location (for Win95/98 or NT Workstation).
(use %U as username) Ex:'//ldapdomain/%U'
logon home (press the "." character if you don't want homeDirectory) [//ldapdomain/%U] > //ldapdomain/public //the samba share fold, you can change to your setting
. logon path: directory where roaming profiles are stored. Ex:'//ldapdomain/profiles/%U'
logon path (press the "." character if you don't want roaming profile) [//ldapdomain/profiles/%U] > . //I don't set profile so input '.' ignore
. home directory prefix (use %U as username) [/home/%U] > // press Enter
. default users' homeDirectory mode [700] > //press Enter
. default user netlogon script (use %U as username) [] > //press Enter
default password validation time (time in days) [45] > //press Enter
. ldap suffix [dc=esa,dc=com] > // press Enter
. ldap group suffix [ou=Groups] > // press Enter
. ldap user suffix [ou=Users] > // press Enter
. ldap machine suffix [ou=Computers] > // press Enter
. Idmap suffix [ou=Idmap] > // press Enter
. sambaUnixIdPooldn: object where you want to store the next uidNumber
and gidNumber available for new users and groups
sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=esa.com] > // press Enter
. ldap master server: IP adress or DNS name of the master (writable) ldap server
ldap master server [127.0.0.1] > // press Enter
. ldap master port [389] > // press Enter
. ldap master bind dn [cn=Manager,dc=esa,dc=com] > // press Enter
. ldap master bind password [] > Warning: You really need to set this parameter...
ldap master bind password [] > secret123 //the rootpw in slapd.conf
. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
ldap slave server [127.0.0.1] > // press Enter
. ldap slave port [389] > // press Enter
. ldap slave bind dn [cn=Manager,dc=esa,dc=com] > // press Enter
. ldap slave bind password [] >secret123 //the rootpw in sldap.conf, I used the same server as master and slave, if you have slave, you many change
. ldap tls support (1/0) [0] > //press Enter
. SID for domain esa.com: SID of the domain (can be obtained with 'net getlocalsid domainserver')
SID for domain esa.com [S-1-5-21-3456266429-2160885202-3924598192] > // press Enter, check the sid is the same as "net getlocalsid"
. unix password encryption: encryption used for unix passwords
unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > // press Enter
. default user gidNumber [513] > // press Enter
. default computer gidNumber [515] > // press Enter
. default login shell [/bin/bash] > // press Enter
. default skeleton directory [/etc/skel] > // press Enter
. default domain name to append to mail adress [] > // press Enter
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Use of uninitialized value in concatenation (.) or string at ./configure.pl line 314, <STDIN> line 34.
backup old configuration files:
/etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
/etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
/etc/smbldap-tools/smbldap.conf done.
/etc/smbldap-tools/smbldap_bind.conf done.
# smbldap-populate // use this tool to modify ldap data
Populating LDAP directory for domain esa.com (S-1-5-21-3192196383-2887643535-4176574845)
(using builtin directory structure)
adding new entry: dc=esa,dc=com
adding new entry: ou=Users,dc=esa,dc=com
adding new entry: ou=Groups,dc=esa,dc=com
adding new entry: ou=Computers,dc=esa,dc=com
adding new entry: ou=Idmap,dc=esa,dc=com
adding new entry: uid=root,ou=Users,dc=esa,dc=com
adding new entry: uid=nobody,ou=Users,dc=esa,dc=com
adding new entry: cn=Domain Admins,ou=Groups,dc=esa,dc=com
adding new entry: cn=Domain Users,ou=Groups,dc=esa,dc=com
adding new entry: cn=Domain Guests,ou=Groups,dc=esa,dc=com
adding new entry: cn=Domain Computers,ou=Groups,dc=esa,dc=com
adding new entry: cn=Administrators,ou=Groups,dc=esa,dc=com
adding new entry: cn=Account Operators,ou=Groups,dc=esa,dc=com
adding new entry: cn=Print Operators,ou=Groups,dc=esa,dc=com
adding new entry: cn=Backup Operators,ou=Groups,dc=esa,dc=com
adding new entry: cn=Replicators,ou=Groups,dc=esa,dc=com
adding new entry: sambaDomainName=esa.com,dc=esa,dc=com
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:123456 //input the password for domain root, here I use 123456
Retype new password:123456 //again
#smbclient –L //localhost –U test1 //check the user can access
# chkconfig ldap on
# chkconfig smb on
#smbldap-useradd -a -m test1 // add a use, -a mean for windows, -m mean create home fold
#smbldap-passwd test1 // set password for test1
#pdbedit -Lw // check the user info, system will auto add root, the root password is set at smbldap-popule
Then you can add a client for test, e.g. join the domain and using test1 to login…
7. Other
Issue help:
When run usr/share/doc/smbldap-tools-0.9.5/configure.pl show “Samba need to be started first!” and stop. Check samba log /var/log/samba/smbd.log, see below info
services/services_db.c:svcctl_init_keys(420)
svcctl_init_keys: key lookup failed! (WERR_ACCESS_DENIED)
smbd/server.c:main(1063)
ERROR: failed to setup guest info.
Fix link:http://www.linuxquestions.org/questions/linux-server-73/smb-service-startup-failed-709046/
modify /etc/samba/smb.conf, add below in global
winbind nested groups = no
Userfull link:
http://bbs.chinaunix.net/thread-308791-1-1.html
http://openmyhand.com/cms/index.php?option=com_content&task=view&id=15&Itemid=31
261
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
