Dixie State College, Computer and Information Technology
IT 3110 Systems Design and Administration II
Samba as a PDC

  • Add the samba site to /etc/apt/sources.list
    deb http://us4.samba.org/samba/ftp/Binary_Packages/Debian/samba3/ stable main
    
  • Update the package list and install samba in dselect. Answer the install prompts as follows:
    Do not convert the smbpasswd file to the new password database.
    Do not use WINS settings from DHCP.
    Accept the new smb.conf file. The old file will be renamed to smb.conf.dpkg-old.
  • Edit smb.conf to correctly configure samba.
    • Set workgroup and netbios name to your windows domain name and computer name.
         workgroup    = MUSIC
         netbios name = ALARM
      
    • Enable wins support
         wins support = yes
      
    • Enable utmp for login tracking, and name an administrative user. Anyone in admin users does every file operation as root on every share, so keep that list to the one account.
      ####### Authentication #######
      
         utmp = yes
         admin users = youradmin
      
    • Set security = user and encrypt passwords = true.
         security = user
         encrypt passwords = true
      
    • Change passdb backend to ldapsam:ldap://your.ldap.server
          passdb backend = ldapsam:ldap://144.38.210.224
      
    • Set guest account = nobody, refuse root, and map unknown users to guest with map to guest = bad user
         guest account = nobody
         invalid users = root
         map to guest = bad user
      
    • Add the LDAP configuration parameters. With ldap ssl = no the sambaLevel bind password and the password hashes cross the network in the clear on every lookup, so only keep it when the LDAP server is this host or sits on a trusted segment.
          ldap admin dn = cn=sambaLevel,ou=Etc,dc=music,dc=cs,dc=dixie,dc=edu
          ldap suffix = dc=music,dc=cs,dc=dixie,dc=edu
          ldap user suffix = ou=People
          ldap group suffix = ou=Group
          ldap machine suffix = ou=Machine
          ldap ssl = no
      
    • Add deadtime = 15
      ############ Misc ############
      
         # kill connections after 15 minutes of idle time
         deadtime = 15
      
    • Add PDC configuration parameters
      # Domain Master specifies Samba to be the Domain Master Browser. If this
      # machine will be configured as a BDC (a secondary logon server), you
      # must set this to 'no'; otherwise, the default behavior is recommended
         domain master = yes
         local master = yes
         preferred master = true
         # Become PDC and Password Server
         domain logons = yes
         # The election power of this host
         os level = 80
         # Turn off winbindd user account creation
         winbind enable local accounts = no
         # Only let winbind allocate ids for trusted domains; this domain's
         # users and groups come from LDAP
         winbind trusted domains only = yes
         # Treat all users as domain users
         winbind use default domain = yes
      
    • Configure uid and gid mapping.
         idmap uid = 10000-19000
         idmap gid = 10000-19000
         template shell = /dev/null
      
    • Set homes to writable
      [homes]
      ...
         writable = yes
      
    • Add a share for user profiles
      # bottom of the file
      [profiles]
         path = /profiles
         writeable      = yes
         browseable     = no
         create mode    = 0640
         directory mode = 0750
      
    • Remove the [printers] and [print$] shares.
  • Restart samba.
  • Configure LDAP for samba.
    • Add samba schema.
      Install the samba-doc package.
      bash# apt-get install samba-doc
      
      Copy the schema file to the ldap schema directory.
      bash# cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz \
               /etc/ldap/schema
      bash# gzip -d /etc/ldap/schema/samba.schema.gz
      
      Edit /etc/ldap/slapd.conf to add the schema include.
      include         /etc/ldap/schema/samba.schema
      
    • Add the sambaLevel account, which samba will bind as, from admin.ldif.
      bash$ ldapadd -x -D 'cn=highLevel,ou=Etc,dc=a,dc=b' \
                    -W -f admin.ldif
      Enter LDAP Password: <highLevel secret>
      adding new entry "cn=sambaLevel,ou=Etc,dc=a,dc=b"
      
      bash$ ldappasswd -x -D 'cn=highLevel,ou=Etc,dc=a,dc=b' \
                          -W -S 'cn=sambaLevel,ou=Etc,dc=a,dc=b'
      New password: <sambaLevel secret>
      Re-enter new password: <sambaLevel secret>
      Enter bind password: <highLevel secret>
      Result: Success (0)
      
    • Tell samba the sambaLevel password
      bash# smbpasswd -w <sambaLevel secret>
      Setting stored password for "cn=sambaLevel,ou=Etc,dc=a,dc=b" in secrets.tdb
      
      Clear your command history: that password was on the command line in clear text (and visible in ps to every user while smbpasswd ran). It now lives in secrets.tdb, which must stay readable by root only, since anyone who reads it gets the sambaLevel bind and with it write access to every password hash in the directory.
    • Give access privileges to the sambaLevel account. Give sambaLevel write access to "*". Create access paragraphs for the attributes sambaLMPassword and sambaNTPassword, and give only highLevel and sambaLevel write access to them. Keep the attribute paragraphs above "access to *": slapd uses the first "access to" paragraph whose "to" clause matches and ignores the rest, so with "access to *" first the "by dn=midLevel read" line there would apply to the password hashes as well. My final access control looks like this:
      access to attribute=userPassword
              by dn="cn=highLevel,ou=Etc,dc=a,dc=b" write
              by dn="cn=midLevel,ou=Etc,dc=a,dc=b" read
              by anonymous auth
              by * none
      
      access to attribute=sambaLMPassword
              by dn="cn=highLevel,ou=Etc,dc=a,dc=b" write
              by dn="cn=sambaLevel,ou=Etc,dc=a,dc=b" write
              by * none
      
      access to attribute=sambaNTPassword
              by dn="cn=highLevel,ou=Etc,dc=a,dc=b" write
              by dn="cn=sambaLevel,ou=Etc,dc=a,dc=b" write
              by * none
      
      access to *
              by dn="cn=highLevel,ou=Etc,dc=a,dc=b" write
              by dn="cn=sambaLevel,ou=Etc,dc=a,dc=b" write
              by dn="cn=midLevel,ou=Etc,dc=a,dc=b" read
              by dn="cn=lowLevel,ou=Etc,dc=a,dc=b" read
              by * none
      
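Why the paragraph order above matters, as an added example (not the page's own material and not OpenLDAP code): slapd takes the first "access to" paragraph whose "to" clause matches the attribute, then the first "by" line in it that matches the requester; a requester that matches no "by" line gets none. The evaluator below, written for this page, replays those semantics on the access paragraphs as copied above (placeholder base dc=a,dc=b, the page's DNs, nothing else assumed) and shows that moving "access to *" ahead of the sambaNTPassword paragraph would hand midLevel read access to every NT hash in the directory.

```python
"""Replay slapd.conf access semantics on the page's access paragraphs.

Added example for this page, not OpenLDAP code.  slapd picks the FIRST
"access to <what>" paragraph matching the attribute, then the FIRST
"by <who>" line in it matching the requester; no matching "by" line
means none.  PAGE_ACL is the access control copied from the page.
"""
import re

PAGE_ACL = """
access to attribute=userPassword
        by dn="cn=highLevel,ou=Etc,dc=a,dc=b" write
        by dn="cn=midLevel,ou=Etc,dc=a,dc=b" read
        by anonymous auth
        by * none

access to attribute=sambaLMPassword
        by dn="cn=highLevel,ou=Etc,dc=a,dc=b" write
        by dn="cn=sambaLevel,ou=Etc,dc=a,dc=b" write
        by * none

access to attribute=sambaNTPassword
        by dn="cn=highLevel,ou=Etc,dc=a,dc=b" write
        by dn="cn=sambaLevel,ou=Etc,dc=a,dc=b" write
        by * none

access to *
        by dn="cn=highLevel,ou=Etc,dc=a,dc=b" write
        by dn="cn=sambaLevel,ou=Etc,dc=a,dc=b" write
        by dn="cn=midLevel,ou=Etc,dc=a,dc=b" read
        by dn="cn=lowLevel,ou=Etc,dc=a,dc=b" read
        by * none
"""

# Only the "who" forms the page uses; slapd's real language is larger.
BY_LINE = re.compile(r'^by\s+(dn="[^"]*"|anonymous|users|self|\*)\s+(\w+)$')


def parse_acl(text):
    """Return [(what, [(who, privilege), ...]), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access to "):
            rules.append((line[len("access to "):].strip(), []))
        elif line.startswith("by "):
            m = BY_LINE.match(line)
            if not m:
                raise ValueError("unsupported by clause: " + line)
            rules[-1][1].append(m.groups())
    return rules


def what_matches(what, attribute):
    # The two "to" forms on the page: "*" and "attribute=<name>".
    return what == "*" or what == "attribute=" + attribute


def who_matches(who, bind_dn):
    # bind_dn is None for an anonymous bind.
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who.startswith('dn="'):
        return bind_dn == who[4:-1]
    return False  # "self" needs the target entry, which this evaluator does not model


def effective_privilege(rules, bind_dn, attribute):
    for what, by_lines in rules:
        if what_matches(what, attribute):
            for who, priv in by_lines:
                if who_matches(who, bind_dn):
                    return priv
            return "none"  # paragraph matched, no "by" line did
    # No paragraph matched.  Treated conservatively as none; the page's
    # trailing "access to *" makes this branch unreachable anyway.
    return "none"


def privilege_table(rules, bind_dns, attributes):
    """{(bind_dn, attribute): privilege} for every combination."""
    return {(dn, attr): effective_privilege(rules, dn, attr)
            for dn in bind_dns for attr in attributes}


if __name__ == "__main__":
    page_order = parse_acl(PAGE_ACL)
    # The mistake: the wildcard paragraph ahead of the attribute paragraphs.
    wildcard_first = [page_order[-1]] + page_order[:-1]
    mid = "cn=midLevel,ou=Etc,dc=a,dc=b"
    for name, rules in (("page order", page_order), ("wildcard first", wildcard_first)):
        print(name, "- midLevel on sambaNTPassword:",
              effective_privilege(rules, mid, "sambaNTPassword"))
```

Run as a script it prints none for the page's order and read for the reordered one. Note also what the page's order gives sambaLevel on userPassword: that paragraph does not list it and ends in by * none, so samba's account can rewrite the NT and LM hashes but never the Unix password.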
    • Create ou=Machine. Put the entry in an ldif file:
      dn: ou=Machine,dc=a,dc=b
      ou: Machine
      objectClass: top
      objectClass: organizationalUnit
      
      Insert the entry.
      bash# ldapadd -x -D 'cn=highLevel,ou=Etc,dc=a,dc=b' -W -f ou.ldif
      Enter LDAP Password: <highLevel secret>
      adding new entry "ou=Machine,dc=a,dc=b"
      
      
  • Restart ldap.
    bash# /etc/init.d/slapd restart
    Stopping OpenLDAP: slapd.
    Starting OpenLDAP: slapd.
    
  • Restart samba.
    bash# /etc/init.d/samba restart
    Stopping Samba daemons: nmbd smbd.
    Starting Samba daemons: nmbd smbd.
    
  • Discover the Domain SID for later use.
    bash$ ldapsearch -x -D 'cn=highLevel,ou=Etc,dc=a,dc=b' -W -b \
                     'dc=a,dc=b' '(objectClass=sambaDomain)' sambaSID
    Enter LDAP Password: <highLevel secret>
    version: 2
    
    #
    # filter: (objectClass=sambaDomain)
    # requesting: sambaSID 
    #
    
    # MUSIC, music, cs, dixie, edu
    dn: sambaDomainName=MUSIC,dc=a,dc=b
    sambaSID: S-1-5-21-1888978130-2858303845-1446791785
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    
    
  • Install perl-suid. The kernel ignores the setuid bit on scripts; the suidperl wrapper from this package is what lets the setuid-root ldap_smb_passwd.pl installed below run.
    bash# apt-get install perl-suid 
    
  • Change the user administration scripts so that they handle samba accounts:
    • Download the SAMBA-LDAP version of the tools.
      bash$ wget /it/it3110/sources/samba_scripts-y05m03d29.tgz
      
    • Unpack and install the software:
      bash$ tar zxf samba_scripts-y05m03d29.tgz
      bash$ cd samba_scripts
      bash$ sudo make
      ./install.pl
      This will install the ldap/samba user
      management scripts.  Please answer the following
      questions.
      LDAP_BASE_DN: dc=music,dc=cs,dc=dixie,dc=edu
      LDAP_HOST: 144.38.210.224
      LDAP_ADMIN_PASS: rm-rf
      SAMBA_DISK: ALARM
      SAMBA_PDC: ALARM
      SAMBA_SID: S-1-5-21-1888978130-2858303845-1446791785
           SAMBA_DISK ALARM
      LDAP_ADMIN_PASS rm-rf
            SAMBA_PDC ALARM
            LDAP_HOST 144.38.210.224
         LDAP_BASE_DN dc=music,dc=cs,dc=dixie,dc=edu
            SAMBA_SID S-1-5-21-1888978130-2858303845-1446791785
      OK? y
      mkdir -p /usr/local/lib/site_perl
      cp LdapSmb.pm-new /usr/local/lib/site_perl/LdapSmb.pm
      cp ldap_smb_adduser.pl ldap_smb_deluser.pl ldap_smb_passwd.pl /usr/local/sbin/
      chmod 400 /usr/local/lib/site_perl/LdapSmb.pm
      chmod 500 /usr/local/sbin/ldap_smb_adduser.pl
      chmod 500 /usr/local/sbin/ldap_smb_deluser.pl
      chmod 4555 /usr/local/sbin/ldap_smb_passwd.pl
      
  • Create users. The first one is the administrative user named in admin users.
    bash# /usr/local/sbin/ldap_smb_adduser.pl -u youradmin -r "Admin User"
    modifying entry "uid=lastUid,ou=Etc,dc=a,dc=b"
    
    adding new entry "uid=youradmin,ou=People,dc=a,dc=b"
    
    adding new entry "cn=youradmin,ou=Group,dc=a,dc=b"
    
    bash# /usr/local/sbin/ldap_smb_passwd.pl -u youradmin
            New Password: <youradmin password>
    Confirm New Password: <youradmin password>
    modifying entry "uid=youradmin,ou=People,dc=a,dc=b"
    
    
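What ldap_smb_passwd.pl ends up storing in sambaNTPassword, and why the LDAP access paragraphs fence that attribute off so tightly: the value is the unsalted MD4 of the UTF-16LE password, which NTLM accepts in place of the password itself, so reading it is as good as knowing the password, and two users with the same password get the same hash. The following is an added example written for this page, not the page's scripts and not samba code; it computes that hash and assembles the kind of entry the adduser and passwd scripts create, for users (ou=People) and for the machine accounts (uid=name$, ou=Machine) that the -w flag below creates. Assumptions, because the page does not show the scripts' output: the objectClass set, the sambaAcctFlags strings and the LDIF layout follow samba 3's sambaSamAccount schema as this example lays them out, the RID is samba 3's default algorithmic mapping (2*uidNumber + 1000, the group one +1001), the domain SID is the one found above, and a machine account starts out with its lower-cased name as password, as samba expects.

```python
"""NT hash and sambaSamAccount entry as stored in the samba/LDAP backend.

Added example for this page, not the page's scripts and not samba code.
The entry layout, objectClasses and flag strings are this example's
assumptions patterned on samba 3's sambaSamAccount schema; the RID
formula is samba 3's default "algorithmic rid base" mapping.
"""
import struct

DOMAIN_SID = "S-1-5-21-1888978130-2858303845-1446791785"  # from the page's ldapsearch
ALGORITHMIC_RID_BASE = 1000                                 # samba 3 default


def _rotl(x, n):
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data):
    """MD4 per RFC 1320, spelled out because modern OpenSSL keeps MD4 in its legacy provider."""
    msg = bytearray(data)
    bit_len = (8 * len(msg)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (  # (mix function, round constant, shifts, message word order)
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, k, shifts, order in rounds:
            for i, word in enumerate(order):
                a = (-i) % 4  # registers rotate a,d,c,b,a,... as the target
                v[a] = _rotl(v[a] + fn(v[(a + 1) % 4], v[(a + 2) % 4], v[(a + 3) % 4])
                             + x[word] + k, shifts[i % 4])
        state = [(s + w) & 0xFFFFFFFF for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """sambaNTPassword: unsalted MD4 of the UTF-16LE password, upper-case hex as samba stores it."""
    return md4(password.encode("utf-16-le")).hex().upper()


def user_sid(uid_number):
    return "%s-%d" % (DOMAIN_SID, 2 * uid_number + ALGORITHMIC_RID_BASE)


def group_sid(gid_number):
    return "%s-%d" % (DOMAIN_SID, 2 * gid_number + ALGORITHMIC_RID_BASE + 1)


def samba_account_ldif(name, uid_number, gid_number, password=None,
                       base_dn="dc=a,dc=b", workstation=False):
    """LDIF for one sambaSamAccount (assumed layout).  workstation=True builds
    the uid=NAME$ entry in ou=Machine with the lower-cased name as its
    initial password, the convention samba expects for a new machine trust."""
    uid = name + "$" if workstation else name
    if password is None and workstation:
        password = name.lower()
    flags = "[W          ]" if workstation else "[U          ]"  # 11 chars inside the brackets
    return "\n".join([
        "dn: uid=%s,ou=%s,%s" % (uid, "Machine" if workstation else "People", base_dn),
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: sambaSamAccount",
        "cn: %s" % uid,
        "uid: %s" % uid,
        "uidNumber: %d" % uid_number,
        "gidNumber: %d" % gid_number,
        "homeDirectory: %s" % ("/dev/null" if workstation else "/home/%s" % name),
        "loginShell: %s" % ("/bin/false" if workstation else "/bin/bash"),
        "sambaSID: %s" % user_sid(uid_number),
        "sambaPrimaryGroupSID: %s" % group_sid(gid_number),
        "sambaAcctFlags: %s" % flags,
        "sambaNTPassword: %s" % nt_hash(password),
    ]) + "\n"


if __name__ == "__main__":
    print(samba_account_ldif("youradmin", 10001, 10001, "example passphrase"))
    print(samba_account_ldif("ALARM", 10002, 10002, workstation=True))
```

Because there is no salt, the entries for two users who chose the same password carry identical sambaNTPassword values, and a single read of the attribute is enough to authenticate as that user over SMB. That is the reason the sambaLMPassword and sambaNTPassword paragraphs above end in by * none, and the reason ldap ssl = no should only be used when the LDAP server is local.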
  • Join windows clients to the domain.
    • Create a windows machine account.
      bash# /usr/local/sbin/ldap_smb_adduser.pl -w -u computer_name
      modifying entry "uid=lastUid,ou=Etc,dc=a,dc=b"
      
      adding new entry "uid=computer_name$,ou=Machine,dc=a,dc=b"
      
      
    • On the windows computer, use the administrative account to authorize the join.
  • Test. Test. Test.
