RPM Based Installation of Snort with SnortSnarf and Snort Rule Creation Methods:
===============================================================================
written by: Muhammad Farrukh Siddique
Snort is an open source Network Intrusion Detection System (NIDS).
Snort can also act as a sniffer and packet logger.
In this section we will discuss the most useful mode of Snort, the Intrusion Detection System (IDS) mode.
Snort can also be installed on the Windows platform, which will be covered later.
The operating system used here is CentOS-5.3.
Snort Installation and Configuration:
------------------------------------
First of all download and install the following required packages:
--> snort and snort-mysql rpm (downloadable from http://www.snort.org/downloads)
--> mysql and mysql-server-5.0 with all dependent packages
--> libpcap
--> Apache
--> php5
--> php-cli
--> php-common
--> php-devel
--> php-ldap
--> php5-mysql
You can check which of these rpms are installed with the rpm -qa command.
You can install missing packages either from the source DVD or with the yum command.
After downloading the snort rpms, just install them
[root@snortserver tmp]# rpm -ivh snort-2.8.5.3-1.RH5.i386.rpm
[root@snortserver tmp]# rpm -ivh snort-mysql-2.8.5.3-1.RH5.i386.rpm
Now configure some basic settings for snort:
# vim /etc/snort/snort.conf
Change "var HOME_NET any" to "var HOME_NET 192.168.2.0/24". You can give a single IP address, a list of addresses with the syntax [192.168.2.1,192.168.2.10], or several networks as [192.168.1.0/24,192.168.2.0/24].
Change "var EXTERNAL_NET any" to "var EXTERNAL_NET !$HOME_NET" (this states that everything except HOME_NET is external).
The rule path should be
var RULE_PATH /etc/snort/rules
save and exit
Now add rules to the /etc/snort/rules directory.
You can download all the .rules files one by one from http://cvs.snort.org/viewcvs.cgi/snort/rules/,
or follow a simpler way: I have collected all the links below for your convenience, to save time.
# cd /tmp
# mkdir rules
# cd rules
# vim download-rules.txt
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/attack-responses.rules?rev=1.23.2.7
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/backdoor.rules?rev=1.50
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/bad-traffic.rules?rev=1.22.2.5
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/chat.rules?rev=1.27
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/ddos.rules?rev=1.14.2.7
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/deleted.rules?rev=1.39
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/dns.rules?rev=1.42
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/dos.rules?rev=1.43
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/experimental.rules?rev=1.80
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/finger.rules?rev=1.29
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/ftp.rules?rev=1.63
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/icmp-info.rules?rev=1.25
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/icmp.rules?rev=1.27
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/imap.rules?rev=1.13.2.13
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/info.rules?rev=1.31
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/misc.rules?rev=1.59
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/local.rules?rev=1.13
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/multimedia.rules?rev=1.15
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/mysql.rules?rev=1.13
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/netbios.rules?rev=1.54
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/nntp.rules?rev=1.16
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/oracle.rules?rev=1.21
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/other-ids.rules?rev=1.12
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/p2p.rules?rev=1.20
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/pop2.rules?rev=1.14
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/pop3.rules?rev=1.26
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/porn.rules?rev=1.12
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/rservices.rules?rev=1.24
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/scan.rules?rev=1.19.2.6
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/shellcode.rules?rev=1.27
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/smtp.rules?rev=1.48
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/snmp.rules?rev=1.19
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/sql.rules?rev=1.32
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/telnet.rules?rev=1.40
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/tftp.rules?rev=1.21
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/web-attacks.rules?rev=1.21
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/web-cgi.rules?rev=1.63.2.15
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/web-client.rules?rev=1.27
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/web-coldfusion.rules?rev=1.30
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/web-frontpage.rules?rev=1.35
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/web-iis.rules?rev=1.84
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/web-misc.rules?rev=1.102.2.15
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/web-php.rules?rev=1.23
http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/x11.rules?rev=1.20
save and exit
# wget -i download-rules.txt
It will download all the rules at once, saving a lot of time.
[you can start snort by simply creating blank .rules files, but remember that with blank rule files snort will not detect anything]
After downloading the rules into the directory, copy the directory to another location. wget saves each file with the ?rev=... suffix in its name, so rename each file to rule-name.rules and then place the files in the /etc/snort/rules directory.
Change the ownership of the newly created rule files
# chown snort.root /etc/snort/rules/*
Keep the original rules directory and compare the revision number of each rule file against the site weekly so that changes can be incorporated.
Some additional rules can also be downloaded from http://openmaniak.com/snort_bleeding.php and copied into the rules directory.
Then append these lines in the include section of /etc/snort/snort.conf for each new rule file:
include $RULE_PATH/bleeding.rules
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-drop.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-web.rules
Now it's time to start snort
# /etc/init.d/snortd start
Remember that the syslogd daemon must be running in order to take logs.
The log file named 'alert' will be generated in the /var/log/snort directory.
Now do a port scan and check the alerts in the /var/log/snort/alert file. If you have defined a complete subnet in the HOME_NET variable then you can port scan any host in it, but that host must be reachable from the snort server.
If you have network issues then try stopping iptables and SELinux for test purposes only.
If you have nmap installed then simply run the following command to scan ports
# nmap localhost
You can watch the alerts in real time with
# tailf /var/log/snort/alert
At this point snort is running fine and generating alerts.
Now let's move on to a more interesting section.
Creating your own Snort Rules:
----------------------------
You can also use a Snort rule generator or some other utility, but it is better to write the rule in a file by hand. Let's do it.
We are going to create a rule that generates an alert whenever someone tries to open youtube.com.
# vim /etc/snort/rules/youtube.rules
alert tcp any any -> any any (content:"www.youtube.com"; msg:"someone is accessing youtube"; sid:1000003; rev:1;)
save and exit
Now add the rule file to snort.conf
# vim /etc/snort/snort.conf
Append this line in the include section:
include $RULE_PATH/youtube.rules
save and exit
and restart the snort daemon for the changes to take effect
# /etc/init.d/snortd restart
Let's describe the rule:
alert tcp any any -> any any (content:"www.youtube.com"; msg:"someone is accessing youtube"; sid:1000003; rev:1;)
tcp = protocol
1st any = source IP address (your local IP in this case)
2nd any = source port
-> = direction operator: the rule matches traffic flowing from the source to the destination
3rd any = destination IP address (the YouTube IP in this case)
4th any = destination port (that would be 80 in this case)
content = the string Snort looks for in the packet payload (a plain content match is case-sensitive and matches anywhere in the payload)
msg = the text written to the alert file
sid = Snort rule ID, a unique number Snort uses to distinguish alerts and their descriptions (1000000 and above is reserved for local rules)
rev = revision number of the rule
Now that the rule is created and the snort daemon restarted, let's check that our new rule is working.
Just type
# elinks www.youtube.com
wait for youtube to be loaded
or Open a browser and type www.youtube.com
then view the alerts
# cat /var/log/snort/alert
you will see some alerts like
[**] [1:100003:1] someone is accessing youtube.com [**] [Priority: 0] {TCP} 192.168.2.5:48401 -> 64.233.169.139:80
[**] [1:100003:1] someone is accessing youtube.com [**] [Priority: 0] {TCP} 192.168.2.5:38510 -> 110.93.194.23:80
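The alert lines above are what SnortSnarf later groups per rule and per destination. The following added example (not code from the post) does the same grouping in Python and also pulls the sid and content out of the youtube rule, so you can confirm that the alert file really contains hits for your own rule. The sample alert lines are constructed from the post's output (with the sid and message matching the rule above) plus one timestamped, classified alert of the kind a port scan produces.

```python
"""Group Snort 'alert' lines by rule and by destination, as SnortSnarf does.

Added example, not code from the original post. It reads the one-line
('fast') alert format shown above; the sample lines below are constructed
from the post's own output plus one timestamped, classified alert.
"""
import re
from collections import Counter, defaultdict

# The leading timestamp and the [Classification: ...] field are optional
# because the post's sample lines have neither.
ALERT_RE = re.compile(
    r"^(?:(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# The local rule from the post, and constructed alert lines.
YOUTUBE_RULE = ('alert tcp any any -> any any (content:"www.youtube.com"; '
                'msg:"someone is accessing youtube"; sid:1000003; rev:1;)')

SAMPLE_ALERTS = """\
[**] [1:1000003:1] someone is accessing youtube [**] [Priority: 0] {TCP} 192.168.2.5:48401 -> 64.233.169.139:80
[**] [1:1000003:1] someone is accessing youtube [**] [Priority: 0] {TCP} 192.168.2.5:38510 -> 110.93.194.23:80
04/01-10:15:02.123456  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.2.9 -> 192.168.2.5
this line is not an alert and must be reported as unparsed
"""


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        fields[key] = int(fields[key])
    for key in ("sport", "dport"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields


def rule_options(rule_line):
    """Split the (...) option block of a Snort rule into a dict; quotes are stripped."""
    m = re.search(r"\((?P<opts>.*)\)\s*$", rule_line)
    if m is None:
        raise ValueError("rule has no option block")
    opts = {}
    for item in m.group("opts").split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return opts


def summarise(alert_text):
    """Count alerts per rule and per destination; return (per_rule, per_dest, unparsed).

    per_rule maps (gid, sid, msg) -> count; per_dest maps the same key -> {dst: count}.
    Lines the regex rejects are returned in unparsed rather than silently dropped,
    so a change in the alert file format is noticed.
    """
    per_rule = Counter()
    per_dest = defaultdict(Counter)
    unparsed = []
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            unparsed.append(line)
            continue
        key = (alert["gid"], alert["sid"], alert["msg"])
        per_rule[key] += 1
        per_dest[key][alert["dst"]] += 1
    return per_rule, per_dest, unparsed


def hits_for_rule(rule_line, per_rule):
    """Number of alerts in per_rule whose sid matches the sid of the given rule."""
    sid = int(rule_options(rule_line)["sid"])
    return sum(n for (gid, s, msg), n in per_rule.items() if s == sid)


if __name__ == "__main__":
    per_rule, per_dest, unparsed = summarise(SAMPLE_ALERTS)
    for (gid, sid, msg), n in per_rule.most_common():
        print("[%d:%d] %-32s %d alerts, destinations: %s"
              % (gid, sid, msg, n, dict(per_dest[(gid, sid, msg)])))
    print("local youtube rule hits:", hits_for_rule(YOUTUBE_RULE, per_rule))
    print("unparsed lines:", len(unparsed))
```

Point the script at /var/log/snort/alert by reading the file into summarise(); a non-empty unparsed list means the alert output format differs from the one-line format this reader expects.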
SnortSnarf:
----------
To get more useful results we need to manage the alerts in a more readable form,
so let's install and configure SnortSnarf, an HTML report generator for snort alerts.
Make sure that Apache is installed and running
[root@snortserver ~]# /etc/init.d/httpd status
httpd (pid 2992 2991 2990 2989 2988 2987 2986 2985 2983) is running...
[root@snortserver ~]#
otherwise just start it
# /etc/init.d/httpd start
Make sure that the perl5 packages are installed, because SnortSnarf depends on the perl Time modules.
Let's start.
Download SnortSnarf from http://sourceforge.net/projects/snortsnarf/
# cd /etc
# wget http://downloads.sourceforge.net/project/snortsnarf/snortsnarf/Initial%20Release%201.0/SnortSnarf-1.0.tar.gz?use_mirror=space
# tar -zxvf SnortSnarf-1.0.tar.gz
Now you have to download and install Time modules needed for snortsnarf from http://search.cpan.org/~muir/Time-modules-2006.0814/
# wget http://search.cpan.org/CPAN/authors/id/M/MU/MUIR/modules/Time-modules-2006.0814.tar.gz
# tar -zxvf Time-modules-2006.0814.tar.gz
# cd Time-modules-2006.0814
Install the modules by running the following commands:
# perl Makefile.PL
# make
# make test
# make install
After successful installation of the Time modules, create a destination directory where SnortSnarf will write its HTML pages
# mkdir /var/www/html/ids
Now run snortsnarf
# cd /etc/SnortSnarf-1.0
# ./snortsnarf.pl -d /var/www/html/ids/ /var/log/snort/alert
where -d defines the output directory and /var/log/snort/alert is the input file.
The above command prints output similar to this on the console
[root@snortserver SnortSnarf-1.0]# ./snortsnarf.pl -d /var/www/html/ids/ /var/log/snort/alert
Using an array as a reference is deprecated at include/SnortSnarf/HTMLMemStorage.pm line 290.
Using an array as a reference is deprecated at include/SnortSnarf/HTMLAnomMemStorage.pm line 266.
SnortFileInput: input file /var/log/snort/alert exists but is length 0; skipping it
[root@snortserver SnortSnarf-1.0]#
If your /var/log/snort/alert file is not empty then you will not see the last output line.
Cron Job for SnortSnarf:
-----------------------
Create a cron job that runs the SnortSnarf script automatically, so the HTML pages are regenerated from the alert file.
First of all make a simple script
# cd /etc
# touch snortsnarf
# vim snortsnarf
cd /etc/SnortSnarf-1.0
./snortsnarf.pl -d /var/www/html/ids /var/log/snort/alert
save and exit
make the script executable
# chmod +x snortsnarf
now define a new cron job to run snortsnarf after every 5 minutes
# crontab -e
*/5 * * * * /etc/snortsnarf
save and exit
*/5 means that snortsnarf will be run after every 5 minutes, you can adjust the time accordingly.
restart the cron and Apache daemons
# /etc/init.d/crond restart
# /etc/init.d/httpd restart
Now do a simple port scan to generate alerts in /var/log/snort/alert, then open your browser and go to http://localhost/ids
You will see the alerts; click an alert to find more information, and so on.
Now Snort IDS with SnortSnarf has been successfully configured, Alhamdulillah.
In the next session we will discuss some advanced functionality: how alerts can be stored in a database and managed with the Basic Analysis and Security Engine (BASE), an enhanced version of ACID with graphing facilities, and also how SnortSnarf and other web based utilities can be secured.
Thursday, April 1, 2010
Monday, February 8, 2010
SmbLDAP Configuration Samba OpenLDAP Domain Controller UrduCBTs by Muhammad Farrukh Siddique
Link:
http://mfarrukhsiddique.blip.tv/
http://blip.tv/file/3178403
Friday, January 15, 2010
Highly Available WebService by using rsync with heartbeat
=========================================================
Written by: Muhammad Farrukh Siddique (LPIC)
Operating System on both machines: CentOS-5.3 Final
Required RPMs: Heartbeat,rsync,httpd
Service to be mirrored: web service (httpd)
First Machine name (fqdn): node1.ha.int
Second Machine name (fqdn): node2.ha.int
IP Address of node1: 192.168.3.224
IP Address of node2: 192.168.3.225
Default Gateway of both machines: 192.168.3.1
DNS Server: 192.168.2.11
Make sure that you have httpd installed. You can use rsync to sync any file or directory for any service, but in this case we will use httpd.
First configure the network settings on both machines and check, by pinging and resolving each other's hostnames, that everything is working. We will also generate SSH keys so that each machine can log in to the other without a password.
Defining a DNS server is only necessary if Internet access is required, for example when using the Yellowdog Updater, Modified (yum).
Otherwise heartbeat and rsync will work fine without any DNS.
Configuring node1:
------------------
[root@node1 ~]# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=node1.ha.int
[root@node1 ~]#
[root@node1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:0c:29:3a:36:94
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=192.168.3.224
GATEWAY=192.168.3.1
TYPE=Ethernet
[root@node1 ~]#
[root@node1 ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.3.224 node1.ha.int node1
192.168.3.225 node2.ha.int node2
[root@node1 ~]#
[root@node1 ~]# cat /etc/resolv.conf
nameserver 192.168.2.11
[root@node1 ~]#
Configuring node2:
------------------
[root@node2 ~]# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=node2.ha.int
[root@node2 ~]#
[root@node2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
HWADDR=00:0c:29:30:5b:e3
NETMASK=255.255.255.0
IPADDR=192.168.3.225
GATEWAY=192.168.3.1
TYPE=Ethernet
[root@node2 ~]#
[root@node2 ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.3.224 node1.ha.int node1
192.168.3.225 node2.ha.int node2
[root@node2 ~]#
[root@node2 ~]# cat /etc/resolv.conf
nameserver 192.168.2.11
[root@node2 ~]#
configuring ssh keys for both machines:
---------------------------------------
[root@node1 ~]# ssh-keygen -t rsa
[root@node1 ~]# ssh-keygen -t dsa
[root@node1 ~]# cat /root/.ssh/*.pub > /root/.ssh/authorized_keys
Now copy the /root/.ssh folder to node2 (both nodes then share the same key pair; generating a separate pair on node2 and exchanging only the public keys is the stricter option)
[root@node1 ~]# scp -r /root/.ssh/ node2:/root/
this time you have to enter the password
[root@node1 ~]# ssh-keyscan -t rsa node1 node2
[root@node1 ~]# ssh-keyscan -t dsa node1 node2
Now remember to log in through ssh from each machine to the other once, to save the host key permanently.
If your /etc/hosts file contains both the FQDN and the short name for each IP address, then log in through ssh separately by FQDN and by short name the first time.
Install the rsync rpm package; by default it is installed in CentOS-5.3.
The command is found at /usr/bin/rsync.
You can check the exact path in your distribution with the command
[root@node1 ~]# which rsync
/usr/bin/rsync
[root@node1 ~]#
Now schedule rsync with the cron daemon
[root@node1 ~]# crontab -e
*/1 * * * * /usr/bin/rsync -avz --perms --delete --links -e ssh /var/www/ node2:/var/www/
[root@node1 ~]#
This crontab is saved under /var/spool/cron/root.
*/1 means it runs every minute: rsync compares the directories and transfers only the files/directories that changed.
/usr/bin/rsync is the command to be run
-avz: a for archive, v for verbose and z for compression. You can adjust these settings according to your needs.
--perms means retain the original permissions
--delete means delete extra files from node2 which are not found on node1 (so a file removed on node1 by mistake disappears from node2 within a minute; keep backups outside /var/www)
--links means copy symbolic links as they are
-e defines the remote shell command, in this case ssh
/var/www/ is the directory on node1 to be synchronized.
node2:/var/www/ is the destination path on node2. You can also make it specific to some user, e.g. user@node2:/var/www/
For further options see the man page
# man rsync
While configuring rsync on node2, just replace "node2" with "node1"; the cron job on node2 should then look like this:
*/1 * * * * /usr/bin/rsync -avz --perms --delete --links -e ssh /var/www/ node1:/var/www/
Now on both machines disable crond at boot and stop it; heartbeat will start crond only on the active node, since crond is listed as a resource in haresources (see below).
# chkconfig crond off
# /etc/init.d/crond stop
Installing heartbeat
====================
On both machines
[root@node1 ~]# yum install -y heartbeat-pils heartbeat-stonith
[root@node2 ~]# yum install -y heartbeat-pils heartbeat-stonith
After installing these packages run the command below on both machines
[root@node1 ~]# yum install -y heartbeat
[root@node2 ~]# yum install -y heartbeat
Configuring Heartbeat:
----------------------
Remember that you have to create the required three files in the /etc/ha.d directory,
either with the vi editor or some other tool:
--> ha.cf
--> haresources
--> authkeys
[root@node1 ~]# cat /etc/ha.d/ha.cf
logfacility local0
keepalive 2
#deadtime 30 # USE THIS!!!
deadtime 10
bcast eth0
#serial /dev/ttyS0
baud 19200
auto_failback off
node node1.ha.int
node node2.ha.int
[root@node1 ~]#
[root@node1 ~]# cat /etc/ha.d/authkeys
auth 3
3 md5 centos
[root@node1 ~]#
[root@node1 ~]# chmod 600 /etc/ha.d/authkeys
[root@node1 ~]# scp /etc/ha.d/ha.cf node2:/etc/ha.d/
[root@node1 ~]# scp /etc/ha.d/authkeys node2:/etc/ha.d/
[root@node1 ~]# cat /etc/ha.d/haresources
node1.ha.int IPaddr::192.168.3.226/24/eth0 httpd crond
[root@node1 ~]#
[root@node2 ~]# cat /etc/ha.d/haresources
node2.ha.int IPaddr::192.168.3.226/24/eth0 httpd crond
[root@node2 ~]#
ha.cf and authkeys must be the same on both machines, but the haresources file contains its own hostname on each machine; the rest of the haresources file is the same.
The secret in authkeys ("centos" in this example) is the shared key that authenticates heartbeat messages on the eth0 broadcast, so use a long random value in production and keep the file at mode 600 as shown above.
Remember to stop the httpd service on both machines and also run the following commands on both machines, so that httpd no longer starts at boot (heartbeat will start it on the active node) and heartbeat starts at boot:
#chkconfig httpd off
#chkconfig --level 35 heartbeat on
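As an added example (not part of the original post), the following Python script checks the three files before heartbeat is started: that the auth line in authkeys selects a defined key with a usable secret and that the file is mode 600, and that each node's haresources names a node from ha.cf and lists the same resources. It embeds the post's own file contents; the only assumption is that the files follow the formats shown above.

```python
"""Sanity-check the three heartbeat files described above before starting the cluster.

Added example, not part of the original post. It parses ha.cf, authkeys and
each node's haresources and reports the mistakes that keep a pair from
forming a cluster or let an unauthenticated peer join it. The sample
contents are the post's own files; the permission check uses a temporary
file created here, since heartbeat refuses an authkeys file that is not mode 600.
"""
import os
import stat
import tempfile

HA_CF = """\
logfacility local0
keepalive 2
#deadtime 30 # USE THIS!!!
deadtime 10
bcast eth0
auto_failback off
node node1.ha.int
node node2.ha.int
"""
AUTHKEYS = "auth 3\n3 md5 centos\n"
HARESOURCES = {
    "node1.ha.int": "node1.ha.int IPaddr::192.168.3.226/24/eth0 httpd crond\n",
    "node2.ha.int": "node2.ha.int IPaddr::192.168.3.226/24/eth0 httpd crond\n",
}


def directives(text):
    """Yield (keyword, rest) for every non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, rest = line.partition(" ")
            yield key, rest.strip()


def ha_cf_nodes(text):
    """Hostnames listed with 'node' in ha.cf; these must match `uname -n` on each box."""
    return [rest for key, rest in directives(text) if key == "node"]


def check_authkeys(text, mode=None):
    """Return the problems found in authkeys; mode is the file's permission bits."""
    problems, selected, keys = [], None, {}
    for key, rest in directives(text):
        if key == "auth":
            selected = rest
        elif key.isdigit():
            method, _, secret = rest.partition(" ")
            keys[key] = (method, secret.strip())
    if selected is None:
        problems.append("no 'auth N' line")
    elif selected not in keys:
        problems.append("auth %s selects a key that is not defined" % selected)
    else:
        method, secret = keys[selected]
        if method == "crc":
            problems.append("crc is a checksum only; it does not authenticate the peer")
        elif len(secret) < 16:
            problems.append("secret is %d characters; use a long random value" % len(secret))
    if mode is not None and mode != 0o600:
        problems.append("authkeys mode is %o, heartbeat requires 600" % mode)
    return problems


def check_haresources(ha_cf, per_node):
    """per_node maps hostname -> haresources text; return the problems found."""
    problems, nodes, resource_lists = [], ha_cf_nodes(ha_cf), set()
    for host, text in per_node.items():
        lines = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
        if len(lines) != 1:
            problems.append("%s: expected exactly one resource line" % host)
            continue
        owner, _, resources = lines[0].strip().partition(" ")
        if owner not in nodes:
            problems.append("%s: owner %s is not a node in ha.cf" % (host, owner))
        resource_lists.add(resources.strip())
    if len(resource_lists) > 1:
        problems.append("resource lists differ between nodes: %s" % sorted(resource_lists))
    return problems


def file_mode(path):
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def run_checks(authkeys_text=AUTHKEYS, ha_cf=HA_CF, per_node=HARESOURCES):
    """Write authkeys to a temp file with mode 600 and run all checks; return both lists."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(authkeys_text)
        os.chmod(path, 0o600)
        auth_problems = check_authkeys(authkeys_text, file_mode(path))
    finally:
        os.unlink(path)
    return auth_problems, check_haresources(ha_cf, per_node)


if __name__ == "__main__":
    for problem in sum(run_checks(), []):
        print("WARNING:", problem)
```

On a real node, read /etc/ha.d/authkeys and pass file_mode("/etc/ha.d/authkeys") to check_authkeys(); with the post's files the only warning is the short secret.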
Now start heartbeat
[root@node1 ~]# /etc/init.d/heartbeat start
Starting High-Availability services:
2009/07/06_16:56:56 INFO: Resource is stopped
[ OK ]
[root@node1 ~]#
[root@node2 ~]# /etc/init.d/heartbeat start
Starting High-Availability services:
2009/07/06_17:23:53 INFO: Resource is stopped
[ OK ]
[root@node2 ~]#
Best Regards
Muhammad Farrukh
Thursday, January 14, 2010
OpenLDAP Samba Domain Controller using OpenLDAP Samba SMBldap
Samba Primary Domain Controller with Open-LDAP HowTO Using OpenLDAP Samba
written by: Muhammad Farrukh Siddique (LPIC)
Scenario:
We are going to configure a Linux based Primary Domain Controller using Samba
which will authenticate the domain users through LDAP
Domain Name : company.xy
Hostname            IP-Address     Operating System
dns.company.xy      192.168.3.135  RedHat-5
ldap.company.xy     192.168.3.140  CentOS-5.3
client1.company.xy  192.168.3.145  Windows-XP-Service Pack2
client2.company.xy  192.168.3.150  Windows-XP-Service Pack2
The default gateway of all the servers is 192.168.3.1, which is the IP of the DSL router used for Internet access.
Required Packages: version number:
1).DNS packages>>
bind 9.3 or higher
bind-chroot 9.3 or higher
bind-utils 9.3 or higher
bind-libs 9.3 or higher
2).OpenLDAP packages>>
openldap 2.3 or higher
openldap-clients 2.3 or higher
openldap-devel 2.3 or higher
compat-openldap 2.3 or higher
python-ldap 2.2 or higher
ldapjdk 4.18 or higher
php-ldap 5.1 or higher
nss_ldap 253-17
3).Samba packages>>
samba 3.0 or higher
samba-common 3.0 or higher
samba-client 3.0 or higher
4).samba-ldap tools>> Download Link for Perl Packages:
http://dag.wieers.com/rpm/packages/
perl-Crypt-SmbHash 0.12-1.2.el5
perl-Digest-SHA1 2.11-1.2.1
perl-Jcode 2.06-1.el5
perl-Unicode-Map 0.112-1.el5
perl-Unicode-Map8 0.12-1.el5
perl-Unicode-MapUTF8 1.11-1.2.el5
perl-Unicode-String 2.09-1.2.el5
smbldap-tools 0.9.2-1a
Download Link:
http://nchc.dl.sourceforge.net/project/smbldap-tools/smbldap-tools/0.9.2/smbldap-tools-0.9.2-1a.noarch.rpm
Note: for now we will disable SELinux and the iptables firewall on each Linux machine; after the task is completed successfully we will open tcp 53 for DNS (udp 53 is needed as well, since most DNS queries use UDP) and tcp 389 for LDAP so that the firewall can be used.
After installing all the packages, we will configure DNS with LDAP support.
Let's check the network settings
[root@dns /]# vim /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=dns
[root@dns /]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:0C:29:D4:54:7D
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=192.168.3.135
GATEWAY=192.168.3.1
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes
[root@dns /]# vim /etc/resolv.conf
nameserver 192.168.3.135
search company.xy
[root@dns /]# /etc/init.d/network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
[root@dns /]#
DNS configuration:
[root@dns ~]# cd /var/named/chroot/etc/
[root@dns etc]# vim named.conf
options
{
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
};
zone "." IN {
type hint;
file "named.root";
};
zone "localhost" IN {
type master;
file "localhost.fwd";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "localhost.rev";
allow-update { none; };
};
zone "company.xy" IN {
type master;
file "company.xy.fwd";
allow-update { none; };
};
zone "3.168.192.in-addr.arpa" IN {
type master;
file "company.xy.rev";
allow-update { none; };
};
Now we will create the zone files
[root@dns etc]# cd /var/named/chroot/var/named/
Note: remove any leading spaces in front of the lines in named.root! Lines should start with ';', '.' or a character, not blanks.
[root@dns named]# vim named.root
. 6D IN NS A.ROOT-SERVERS.NET.
. 6D IN NS B.ROOT-SERVERS.NET.
. 6D IN NS C.ROOT-SERVERS.NET.
. 6D IN NS D.ROOT-SERVERS.NET.
. 6D IN NS E.ROOT-SERVERS.NET.
. 6D IN NS F.ROOT-SERVERS.NET.
. 6D IN NS G.ROOT-SERVERS.NET.
. 6D IN NS H.ROOT-SERVERS.NET.
. 6D IN NS I.ROOT-SERVERS.NET.
. 6D IN NS J.ROOT-SERVERS.NET.
. 6D IN NS K.ROOT-SERVERS.NET.
. 6D IN NS L.ROOT-SERVERS.NET.
. 6D IN NS M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
B.ROOT-SERVERS.NET. 6D IN A 192.228.79.201
C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12
D.ROOT-SERVERS.NET. 6D IN A 128.8.10.90
E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10
F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241
G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4
H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53
I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17
J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30
K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129
L.ROOT-SERVERS.NET. 6D IN A 199.7.83.42
M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33
[root@dns named]# vim localhost.fwd
$ORIGIN localhost.
$TTL 86400
@ IN SOA dns.company.xy. hostmaster.company.xy. (
20090526 ; Serial number
3H ; Refresh (3 hours)
15M ; Retry (15 minutes)
1W ; Expire (1 week)
1D ) ; Minimum TTL, negative caching (1 day)
@ IN NS dns.company.xy.
localhost. IN A 127.0.0.1
[root@dns named]# vim localhost.rev
$ORIGIN 0.0.127.in-addr.arpa.
$TTL 86400
@ IN SOA dns.company.xy. hostmaster.company.xy. (
20090526 ; Serial number
3H ; Refresh (3 hours)
15M ; Retry (15 minutes)
1W ; Expire (1 week)
1D ) ; Minimum TTL, negative caching (1 day)
@ IN NS dns.company.xy.
1.0.0.127.in-addr.arpa. IN PTR localhost.
[root@dns named]# vim company.xy.fwd
$ORIGIN company.xy.
$TTL 86400
@ IN SOA dns.company.xy. hostmaster.company.xy. (
20090526 ; Serial number
3H ; Refresh (3 hours)
15M ; Retry (15 minutes)
1W ; Expire (1 week)
1D ) ; Minimum TTL, negative caching (1 day)
@ IN NS dns.company.xy.
dns.company.xy. IN A 192.168.3.135
ldap.company.xy. IN A 192.168.3.140
client1.company.xy. IN A 192.168.3.145
client2.company.xy. IN A 192.168.3.150
_ldap._tcp.company.xy. SRV 0 0 389 ldap.company.xy.
_ldap._tcp.dc._msdcs.company.xy. SRV 0 0 389 ldap.company.xy.
[root@dns named]# vim company.xy.rev
$ORIGIN 3.168.192.in-addr.arpa.
$TTL 86400
@ IN SOA dns.company.xy. hostmaster.company.xy. (
20090526 ; Serial number
3H ; Refresh (3 hours)
15M ; Retry (15 minutes)
1W ; Expire (1 week)
1D ) ; Minimum TTL (1 day)
@ IN NS dns.company.xy.
135.3.168.192.in-addr.arpa. IN PTR dns.company.xy.
140.3.168.192.in-addr.arpa. IN PTR ldap.company.xy.
145.3.168.192.in-addr.arpa. IN PTR client1.company.xy.
150.3.168.192.in-addr.arpa. IN PTR client2.company.xy.
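Before loading the zones it is worth checking that the forward and reverse files agree with each other. The script below is an added example (not part of the original howto): a simplified zone parser that takes the company.xy.fwd and company.xy.rev data above and reports A records without a PTR, PTRs without an A, and SRV targets that have no A record.

```python
"""Forward/reverse consistency check for the company.xy zones in this howto.

Added example, not part of the original howto: a simplified zone-file parser
(enough for $ORIGIN, $TTL, a parenthesised SOA and plain A/PTR/SRV/NS records)
that reports A records without a PTR, PTRs without an A, and SRV targets
without an A record, so the zones can be checked before named loads them.
"""
# Zone data taken from the company.xy.fwd / company.xy.rev files above,
# with the SOA collapsed onto one line.
FWD_ZONE = """\
$ORIGIN company.xy.
$TTL 86400
@ IN SOA dns.company.xy. hostmaster.company.xy. ( 20090526 3H 15M 1W 1D )
@ IN NS dns.company.xy.
dns.company.xy. IN A 192.168.3.135
ldap.company.xy. IN A 192.168.3.140
client1.company.xy. IN A 192.168.3.145
client2.company.xy. IN A 192.168.3.150
_ldap._tcp.company.xy. SRV 0 0 389 ldap.company.xy.
_ldap._tcp.dc._msdcs.company.xy. SRV 0 0 389 ldap.company.xy.
"""

REV_ZONE = """\
$ORIGIN 3.168.192.in-addr.arpa.
$TTL 86400
@ IN SOA dns.company.xy. hostmaster.company.xy. ( 20090526 3H 15M 1W 1D )
@ IN NS dns.company.xy.
135.3.168.192.in-addr.arpa. IN PTR dns.company.xy.
140.3.168.192.in-addr.arpa. IN PTR ldap.company.xy.
145.3.168.192.in-addr.arpa. IN PTR client1.company.xy.
150.3.168.192.in-addr.arpa. IN PTR client2.company.xy.
"""

RR_TYPES = {"A", "PTR", "SRV", "NS", "SOA", "CNAME"}

def parse_zone(text):
    """Return [(owner, type, rdata_tokens)]; owners are lowercase FQDNs."""
    origin, records, in_paren = ".", [], False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip ; comments
        if not line:
            continue
        if in_paren:                             # still inside SOA ( ... )
            in_paren = ")" not in line
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if tokens[0] == "$TTL":
            continue
        owner = origin if tokens[0] == "@" else tokens[0].lower()
        if not owner.endswith("."):              # relative name: append origin
            owner = owner + "." + origin
        idx = 1                                  # skip optional TTL / class
        while idx < len(tokens) and tokens[idx].upper() not in RR_TYPES:
            idx += 1
        if idx >= len(tokens):
            continue
        in_paren = "(" in line and ")" not in line
        if tokens[idx].upper() != "SOA":
            records.append((owner, tokens[idx].upper(), tokens[idx + 1:]))
    return records

def ptr_to_ip(owner):
    """'135.3.168.192.in-addr.arpa.' -> '192.168.3.135'."""
    labels = owner.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError("not a reverse owner name: %s" % owner)
    return ".".join(reversed(labels[:-2]))

def check_zones(fwd_text, rev_text):
    """Return a sorted list of inconsistencies (empty means consistent)."""
    fwd = parse_zone(fwd_text)
    a_by_name = {}                               # name -> {ip, ...}
    for owner, rtype, rdata in fwd:
        if rtype == "A":
            a_by_name.setdefault(owner, set()).add(rdata[0])
    ptr_by_ip = {ptr_to_ip(o): r[0].lower()
                 for o, t, r in parse_zone(rev_text) if t == "PTR"}
    problems = []
    for name, ips in a_by_name.items():
        for ip in ips:
            if ip not in ptr_by_ip:
                problems.append("no PTR for %s (%s)" % (name, ip))
            elif ptr_by_ip[ip] != name:
                problems.append("PTR for %s is %s, not %s" % (ip, ptr_by_ip[ip], name))
    for ip, name in ptr_by_ip.items():
        if ip not in a_by_name.get(name, set()):
            problems.append("PTR %s -> %s has no matching A record" % (ip, name))
    for owner, rtype, rdata in fwd:
        if rtype == "SRV" and rdata[3].lower() not in a_by_name:
            problems.append("SRV %s target %s has no A record" % (owner, rdata[3]))
    return sorted(problems)

if __name__ == "__main__":
    print("\n".join(check_zones(FWD_ZONE, REV_ZONE) or ["zones are consistent"]))
```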
Now run the DNS daemon, i.e. named
[root@dns named]# /etc/init.d/named start
Starting named: [ OK ]
[root@dns named]#
Make sure that the named service starts automatically at boot
[root@dns named]# chkconfig --level 235 named on
Now we will test the newly configured DNS
[root@dns named]# nslookup
> dns
Server: 192.168.3.135
Address: 192.168.3.135#53
Name: dns.company.xy
Address: 192.168.3.135
> ldap
Server: 192.168.3.135
Address: 192.168.3.135#53
Name: ldap.company.xy
Address: 192.168.3.140
> 192.168.3.135
Server: 192.168.3.135
Address: 192.168.3.135#53
135.3.168.192.in-addr.arpa name = dns.company.xy.
> 192.168.3.140
Server: 192.168.3.135
Address: 192.168.3.135#53
140.3.168.192.in-addr.arpa name = ldap.company.xy.
> exit
[root@dns named]#
Everything is fine Alhamdulillah
***********************************************
Let's configure the Primary Domain Controller
First of all, check the network settings
[root@ldap /]# vim /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=ldap.company.xy
[root@ldap /]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:0C:29:0D:56:74
ONBOOT=yes
TYPE=Ethernet
NETMASK=255.255.255.0
IPADDR=192.168.3.140
GATEWAY=192.168.3.1
USERCTL=no
IPV6INIT=no
PEERDNS=yes
[root@ldap /]# vim /etc/resolv.conf
nameserver 192.168.3.135
search company.xy
[root@ldap /]# hostname
ldap.company.xy
[root@ldap /]#
Now restart the network service
[root@ldap /]# /etc/init.d/network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
[root@ldap /]#
Add the samba.schema file to the /etc/openldap/schema/ directory
[root@ldap ~]# cd /etc/openldap/schema/
[root@ldap schema]# vim samba.schema
Now copy the schema below and paste it into the samba.schema file (remember to
press i in vim to enter insert mode before pasting). Keep the indentation of the
continuation lines: slapd treats a line that starts with whitespace as a
continuation of the previous directive.
#######################################################################
## Attributes used by Samba 3.0 schema ##
#######################################################################
##
## Password hashes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
        DESC 'LanManager Password'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
        DESC 'MD4 hash of the unicode password'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
##
## Account flags in string format ([UWDX ])
##
attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags'
        DESC 'Account Flags'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
##
## Password timestamps & policies
##
attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet'
        DESC 'Timestamp of the last password update'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange'
        DESC 'Timestamp of when the user is allowed to update the password'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange'
        DESC 'Timestamp of when the password will expire'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime'
        DESC 'Timestamp of last logon'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime'
        DESC 'Timestamp of last logoff'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime'
        DESC 'Timestamp of when the user will be logged off automatically'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'
        DESC 'Bad password attempt count'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'
        DESC 'Time of the last bad password attempt'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours'
        DESC 'Logon Hours'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )
##
## string settings
##
attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive'
        DESC 'Drive letter of home directory mapping'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript'
        DESC 'Logon script path'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath'
        DESC 'Roaming profile path'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'
        DESC 'List of user workstations the user is allowed to logon to'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath'
        DESC 'Home directory UNC path'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName'
        DESC 'Windows NT domain to which the user belongs'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
        DESC 'Base64 encoded user parameter string'
        EQUALITY caseExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'
        DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
##
## SID, of any type
##
attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
        DESC 'Security ID'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
##
## Primary group SID, compatible with ntSid
##
attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'
        DESC 'Primary Group Security ID'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList'
        DESC 'Security ID List'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
##
## group mapping attributes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType'
        DESC 'NT Group Type'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
##
## Store info on the domain
##
attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid'
        DESC 'Next NT rid to give out for users'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'
        DESC 'Next NT rid to give out for groups'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'
        DESC 'Next NT rid to give out for anything'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'
        DESC 'Base at which the samba RID generation algorithm should operate'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName'
        DESC 'Share Name'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName'
        DESC 'Option Name'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption'
        DESC 'A boolean option'
        EQUALITY booleanMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption'
        DESC 'An integer option'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption'
        DESC 'A string option'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption'
        DESC 'A string list option'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName'
##        SUP name )
##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
##        DESC 'Privileges List'
##        EQUALITY caseIgnoreIA5Match
##        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags'
        DESC 'Trust Password Flags'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# "min password length"
attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength'
        DESC 'Minimal password length (default: 5)'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "password history"
attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength'
        DESC 'Length of Password History Entries (default: 0 => off)'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "user must logon to change password"
attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd'
        DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "maximum password age"
attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge'
        DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "minimum password age"
attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge'
        DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "lockout duration"
attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration'
        DESC 'Lockout duration in minutes (default: 30, -1 => forever)'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "reset count minutes"
attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow'
        DESC 'Reset time after lockout in minutes (default: 30)'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "bad lockout attempt"
attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
        DESC 'Lockout users after bad logon attempts (default: 0 => off)'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "disconnect time"
attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff'
        DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "refuse machine password change"
attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange'
        DESC 'Allow Machine Password changes (default: 0 => off)'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#######################################################################
## objectClasses used by Samba 3.0 schema ##
#######################################################################
## The X.500 data model (and therefore LDAPv3) says that each entry can
## only have one structural objectclass. OpenLDAP 2.0 does not enforce
## this currently but will in v2.1
##
## added new objectclass (and OID) for 3.0 to help us deal with backwards
## compatibility with 2.2 installations (e.g. ldapsam_compat) --jerry
##
objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
        DESC 'Samba 3.0 Auxiliary SAM Account'
        MUST ( uid $ sambaSID )
        MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
              sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
              sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
              displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
              sambaProfilePath $ description $ sambaUserWorkstations $
              sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
              sambaBadPasswordCount $ sambaBadPasswordTime $
              sambaPasswordHistory $ sambaLogonHours))
##
## Group mapping info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
        DESC 'Samba Group Mapping'
        MUST ( gidNumber $ sambaSID $ sambaGroupType )
        MAY ( displayName $ description $ sambaSIDList ))
##
## Trust password for trust relationships (any kind)
##
objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL
        DESC 'Samba Trust Password'
        MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags )
        MAY ( sambaSID $ sambaPwdLastSet ))
##
## Whole-of-domain info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
        DESC 'Samba Domain Information'
        MUST ( sambaDomainName $
               sambaSID )
        MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
              sambaAlgorithmicRidBase $
              sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $
              sambaMaxPwdAge $ sambaMinPwdAge $
              sambaLockoutDuration $ sambaLockoutObservationWindow $
              sambaLockoutThreshold $
              sambaForceLogoff $ sambaRefuseMachinePwdChange ))
##
## used for idmap_ldap module
##
objectclass ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
        DESC 'Pool for allocating UNIX uids/gids'
        MUST ( uidNumber $ gidNumber ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
        DESC 'Mapping from a SID to an ID'
        MUST ( sambaSID )
        MAY ( uidNumber $ gidNumber ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
        DESC 'Structural Class for a SID'
        MUST ( sambaSID ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY
        DESC 'Samba Configuration Section'
        MAY ( description ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL
        DESC 'Samba Share Section'
        MUST ( sambaShareName )
        MAY ( description ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL
        DESC 'Samba Configuration Option'
        MUST ( sambaOptionName )
        MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $
              sambaStringListoption $ description ) )
Now add the samba.schema include to the LDAP server configuration file
slapd.conf, together with the access control rules and database settings below
[root@ldap ~]# cd /etc/openldap/
[root@ldap openldap]# vim slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
loglevel -1
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
#access to *
        by * none
        by * read
#slapdAtts.conf Section
# any user can authenticate and change his password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="cn=samba,ou=DSA,dc=company,dc=xy" write
        by dn="cn=smbtools,ou=DSA,dc=company,dc=xy" write
        by dn="cn=nssldap,ou=DSA,dc=company,dc=xy" write
        by self write
        by anonymous auth
#       by * none
#       by * read
# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
        by dn="cn=samba,ou=DSA,dc=company,dc=xy" write
        by dn="cn=smbtools,ou=DSA,dc=company,dc=xy" write
#       by * read
# some attributes can be writable by users themselves
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
        by dn="cn=samba,ou=DSA,dc=company,dc=xy" write
        by dn="cn=smbtools,ou=DSA,dc=company,dc=xy" write
        by self write
#       by * read
# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
        by dn="cn=samba,ou=DSA,dc=company,dc=xy" write
        by dn="cn=smbtools,ou=DSA,dc=company,dc=xy" write
        by self read
#       by * none
# samba needs to be able to create the samba domain account
access to dn.base="dc=company,dc=xy"
        by dn="cn=samba,ou=DSA,dc=company,dc=xy" write
        by dn="cn=smbtools,ou=DSA,dc=company,dc=xy" write
#       by * none
# samba needs to be able to create new user accounts
access to dn="ou=Users,dc=company,dc=xy"
        by dn="cn=samba,ou=DSA,dc=company,dc=xy" write
        by dn="cn=smbtools,ou=DSA,dc=company,dc=xy" write
#       by * none
# samba needs to be able to create new group accounts
access to dn="ou=Groups,dc=company,dc=xy"
        by dn="cn=samba,ou=DSA,dc=company,dc=xy" write
        by dn="cn=smbtools,ou=DSA,dc=company,dc=xy" write
#       by * none
# samba needs to be able to create new computer accounts
access to dn="ou=Computers,dc=company,dc=xy"
        by dn="cn=samba,ou=DSA,dc=company,dc=xy" write
        by dn="cn=smbtools,ou=DSA,dc=company,dc=xy" write
#       by * none
# this can be omitted but we let it stay because there could be other
# branches in the directory
#access to *
        by self read
        by * none
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=company,dc=xy"
rootdn "cn=Manager,dc=company,dc=xy"
rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
Check the slapd.conf permissions, which must be 640 (owner root, group ldap): the file contains the rootpw in clear text, so it must not be world-readable
[root@ldap openldap]# stat slapd.conf
File: `slapd.conf'
Size: 12234 Blocks: 24 IO Block: 4096 regular file
Device: 803h/2051d Inode: 817606 Links: 1
Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 55/ ldap)
[root@ldap openldap]#
[root@ldap openldap]# vim ldap.conf
#HOST 127.0.0.1
BASE dc=company,dc=xy
URI ldap://127.0.0.1/
TLS_CACERTDIR /etc/openldap/cacerts
Now copy the database configuration file from /etc/openldap to /var/lib/ldap
[root@ldap openldap]# cp DB_CONFIG.example /var/lib/ldap/
Rename the DB configuration file
[root@ldap openldap]# cd /var/lib/ldap/
[root@ldap openldap]# mv DB_CONFIG.example DB_CONFIG
[root@ldap openldap]#
Start the LDAP server
[root@ldap /]# /etc/init.d/ldap start
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
[root@ldap /]#
Next, configure the LDAP server host itself to authenticate against LDAP through
pam_ldap and nss_ldap; the name service cache daemon nscd will also be used
[root@ldap /]# /etc/init.d/nscd start
Starting nscd: [ OK ]
[root@ldap /]#
[root@ldap /]# chkconfig --level 235 nscd on
[root@ldap /]#
[root@ldap /]# setup
run Authentication Configuration
select Cache Information
Use LDAP
Use MD5 Passwords
Use Shadow Passwords
Use LDAP Authentication
Press the Next button
don't select Use TLS option
Server: ldap://127.0.0.1/
Base DN: dc=company,dc=xy
Press OK and exit
[root@ldap /]# vim /etc/ldap.conf
host 127.0.0.1
base dc=company,dc=xy
rootbinddn cn=manager,dc=company,dc=xy
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers
root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
Create the file /etc/ldap.secret, protected by mode 600, and place in it the
rootpw defined in slapd.conf (pam_ldap and nss_ldap bind as the rootbinddn with it)
[root@ldap /]# vim /etc/ldap.secret
secret
[root@ldap /]# chmod 600 /etc/ldap.secret
[root@ldap /]#
****************************************************
smbldap-tools configuration
[root@ldap /]# cd /etc/opt/IDEALX/smbldap-tools/
[root@ldap smbldap-tools]# vim smbldap_bind.conf
slaveDN="cn=Manager,dc=company,dc=xy"
slavePw="secret"
masterDN="cn=Manager,dc=company,dc=xy"
masterPw="secret"
[root@ldap smbldap-tools]# vim smbldap.conf
##############################################################################
#
# General Configuration
#
##############################################################################
SID="S-1-5-21-2815000769-282395026-991120840"
sambaDomain="company.xy"
##############################################################################
#
# LDAP Configuration
#
##############################################################################
slaveLDAP="127.0.0.1"
# Slave LDAP port
slavePort="389"
# Master LDAP server: needed for write operations
masterLDAP="127.0.0.1"
# Master LDAP port
masterPort="389"
suffix="dc=company,dc=xy"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=company.xy,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
userLoginShell="/bin/bash"
# Home directory
userHome="/home/%U"
# Default mode used for user homeDirectory
userHomeDirectoryMode="700"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
#userSmbHome="\\192.168.3.140\%U"
# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
#userProfile="\\192.168.3.140\profiles\%U"
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
#userHomeDrive="H:"
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="company.com"
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
# comment out the following line to get rid of the default banner
# no_banner="1"
Configuring smb.conf
[root@ldap smbldap-tools]# cd /etc/samba/
[root@ldap samba]# vim smb.conf
[global]
workgroup = company.xy
netbios name = ldapserver
enable privileges = yes
#interfaces = 192.168.3.131
username map = /etc/samba/smbusers
server string = samba-ldap-pdc
security = user
encrypt passwords = Yes
admin users = root
#min passwd length = 3
obey pam restrictions = No
ldap passwd sync = Yes
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
#time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
#guest account = root
logon script = logon.bat
logon drive =
logon home =
logon path =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=Manager,dc=company,dc=xy
ldap suffix = dc=company,dc=xy
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
#ldap ssl = start_tls
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
#logon script = STARTUP.BAT
;[homes]
;comment = Home Directories
;valid users = %U
;read only = No
;create mask = 0664
;directory mask = 0775
;browseable = No
;[profiles]
;path = /home/samba/profiles
;read only = No
;create mask = 0600
;directory mask = 0700
;browseable = No
;guest ok = Yes
;profile acls = Yes
;csc policy = disable
;force user = %U
;valid users = %U @"Domain Admins"
[netlogon]
path = /home/samba/netlogon/
browseable = No
read only = yes
We are configuring a simple domain controller in this howto; you can additionally
enable roaming profiles and home directories for domain users (the commented-out
[homes] and [profiles] shares above).
Let's create the directories referenced in /etc/samba/smb.conf
[root@ldap samba]# mkdir /home/samba
[root@ldap samba]# mkdir /home/samba/netlogon
[root@ldap samba]# mkdir /home/samba/profiles
[root@ldap samba]# chmod 1777 /home/samba/profiles   [currently we will not use the profile feature]
Samba must know the LDAP admin DN password, so store it in secrets.tdb
[root@ldap samba]# smbpasswd -w secret
Setting stored password for "cn=Manager,dc=company,dc=xy" in secrets.tdb
[root@ldap samba]#
Now determine the domain Security Identifier (SID)
[root@ldap samba]# net getlocalsid
SID for domain LDAPSERVER is: S-1-5-21-2815000769-282395026-991120840
[root@ldap samba]#
Replace the raw SID in /etc/opt/IDEALX/smbldap-tools/smbldap.conf with the SID
shown above.
Make sure that the smbldap scripts are present in /usr/local/sbin; otherwise
create a symbolic link to each script in /usr/local/sbin, because that is the
path used in smb.conf
[root@ldap samba]# cd /opt/IDEALX/sbin/
[root@ldap sbin]# ls
configure.pl smbldap-groupmod smbldap-populate smbldap-userdel
smbldap-usershow
smbldap-groupadd smbldap-groupshow smbldap_tools.pm smbldap-userinfo
smbldap-groupdel smbldap-passwd smbldap-useradd smbldap-usermod
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/configure.pl /usr/local/sbin/configure.pl
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-groupadd /usr/local/sbin/smbldap-groupadd
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-groupdel /usr/local/sbin/smbldap-groupdel
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-groupmod /usr/local/sbin/smbldap-groupmod
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-groupshow /usr/local/sbin/smbldap-groupshow
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-passwd /usr/local/sbin/smbldap-passwd
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-populate /usr/local/sbin/smbldap-populate
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap_tools.pm /usr/local/sbin/smbldap_tools.pm
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-useradd /usr/local/sbin/smbldap-useradd
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-userdel /usr/local/sbin/smbldap-userdel
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-userinfo /usr/local/sbin/smbldap-userinfo
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-usermod /usr/local/sbin/smbldap-usermod
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-usershow /usr/local/sbin/smbldap-usershow
Now add the default base entries
[root@ldap /]# smbldap-populate
Populating LDAP directory for domain company.xy
(S-1-5-21-2815000769-282395026-991120840)
(using builtin directory structure)
adding new entry dc=company,dc=xy
adding new entry ou=Users,dc=company,dc=xy
adding new entry ou=Groups,dc=company,dc=xy
adding new entry ou=Computers,dc=company,dc=xy
adding new entry ou=Idmap,dc=company,dc=xy
adding new entry uid=root,ou=Users,dc=company,dc=xy
adding new entry uid=nobody,ou=Users,dc=company,dc=xy
adding new entry cn=Domain Admins,ou=Groups,dc=company,dc=xy
adding new entry cn=Domain Users,ou=Groups,dc=company,dc=xy
adding new entry cn=Domain Guests,ou=Groups,dc=company,dc=xy
adding new entry cn=Domain Computers,ou=Groups,dc=company,dc=xy
adding new entry cn=Administrators,ou=Groups,dc=company,dc=xy
adding new entry cn=Account Operators,ou=Groups,dc=company,dc=xy
adding new entry cn=Print Operators,ou=Groups,dc=company,dc=xy
adding new entry cn=Backup Operators,ou=Groups,dc=company,dc=xy
adding new entry cn=Replicators,ou=Groups,dc=company,dc=xy
adding new entry sambaDomainName=company.xy,dc=company,dc=xy
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
[root@ldap /]#
Adding the Domain Security Accounts (the DSA entries referenced by the slapd.conf ACLs)
For this purpose we create an LDIF file and add all the entries at once.
[root@ldap Desktop]# vim dsa.ldif
dn: ou=DSA,dc=company,dc=xy
objectClass: top
objectClass: organizationalUnit
ou: DSA
description: security accounts for LDAP clients

dn: cn=samba,ou=DSA,dc=company,dc=xy
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: sambasecretpwd
cn: samba

dn: cn=nssldap,ou=DSA,dc=company,dc=xy
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: nssldapsecretpwd
cn: nssldap

dn: cn=smbtools,ou=DSA,dc=company,dc=xy
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: smbtoolssecretpwd
cn: smbtools
[root@ldap Desktop]# ldapadd -x -h localhost -D "cn=Manager,dc=company,dc=xy" -f dsa.ldif -W
Enter LDAP Password:
adding new entry "ou=DSA,dc=company,dc=xy"
adding new entry "cn=samba,ou=DSA,dc=company,dc=xy"
adding new entry "cn=nssldap,ou=DSA,dc=company,dc=xy"
adding new entry "cn=smbtools,ou=DSA,dc=company,dc=xy"
[root@ldap Desktop]#
The password of each security account can be changed later with the following
command
[root@ldap Desktop]# ldappasswd -x -h localhost -D "cn=Manager,dc=company,dc=xy" -s password -W cn=samba,ou=DSA,dc=company,dc=xy
Now start the Samba server
[root@ldap Desktop]# /etc/init.d/smb start
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
[root@ldap Desktop]#
Now create a samba user account for UNIX and SAMBA
[root@ldap Desktop]# smbldap-useradd -a -m -c "Muhammad Farrukh Siddique" mfarrukh
[root@ldap Desktop]# smbldap-passwd mfarrukh
Changing UNIX and samba passwords for mfarrukh
New password:
Retype new password:
[root@ldap Desktop]# useradd mfarrukh
Now create a machine trust account
[root@ldap Desktop]# smbldap-useradd -w client1
The machine trust account must also exist in /etc/passwd
[root@ldap Desktop]# useradd -d /dev/null -s /bin/false client1$
(the trailing $ sign distinguishes machine accounts from user accounts)
lets search a user account
[root@ldap Desktop]# smbldap-usershow mfarrukh
dn: uid=mfarrukh,ou=Users,dc=company,dc=xy
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: mfarrukh
sn: mfarrukh
givenName: mfarrukh
uid: mfarrukh
uidNumber: 1000
gidNumber: 513
homeDirectory: /home/mfarrukh
loginShell: /bin/bash
gecos: Muhammad Farrukh Siddique
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: Muhammad Farrukh Siddique
sambaSID: S-1-5-21-2815000769-282395026-991120840-3000
sambaPrimaryGroupSID: S-1-5-21-2815000769-282395026-991120840-513
sambaLogonScript: logon.bat
sambaLMPassword: 78BCCAEE08C90E29AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: F9E37E83B83C47A93C2F09F66408631B
sambaPwdLastSet: 1257784838
sambaPwdMustChange: 1261672838
userPassword: {SSHA}2syv4k3FUxv3269R29xbBDnQ6tFaS2Rz
[root@ldap Desktop]#
[root@ldap Desktop]# smbldap-usershow client1$
dn: uid=client1$,ou=Computers,dc=company,dc=xy
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,sambaSamAccount
cn: client1$
sn: client1$
uid: client1$
uidNumber: 1001
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaSID: S-1-5-21-2815000769-282395026-991120840-1000
displayName: CLIENT1$
sambaAcctFlags: [W ]
sambaNTPassword: A6F443E99DBF9DD0686A90919A9D6967
sambaPwdLastSet: 1243494068
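As an added example (not part of this howto), a small audit over entries in the smbldap-usershow layout shown above: the trailing $ in the name must agree with the W flag in sambaAcctFlags, a machine account should keep the /bin/false shell and /dev/null home this howto gives it, every sambaSID should belong to the domain SID from smbldap.conf and be unique, and a stored legacy sambaLMPassword hash is reported. The sample entries, including a deliberately broken third account, and all hash values are constructed.

```python
import re

# Domain SID of this howto's domain (the SID value from its smbldap.conf)
DOMAIN_SID = "S-1-5-21-2815000769-282395026-991120840"

# Constructed sample in smbldap-usershow layout: the user and machine account created
# in this howto plus a deliberately broken third entry.  Hash values are dummies.
SAMPLE_ENTRIES = """\
dn: uid=mfarrukh,ou=Users,dc=company,dc=xy
uid: mfarrukh
uidNumber: 1000
gidNumber: 513
homeDirectory: /home/mfarrukh
loginShell: /bin/bash
sambaSID: S-1-5-21-2815000769-282395026-991120840-3000
sambaAcctFlags: [U]
sambaLMPassword: 00000000000000000000000000000000
sambaNTPassword: 00000000000000000000000000000000

dn: uid=client1$,ou=Computers,dc=company,dc=xy
uid: client1$
uidNumber: 1001
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
sambaSID: S-1-5-21-2815000769-282395026-991120840-1000
sambaAcctFlags: [W ]
sambaNTPassword: 00000000000000000000000000000000

dn: uid=client2$,ou=Computers,dc=company,dc=xy
uid: client2$
uidNumber: 1002
gidNumber: 515
homeDirectory: /home/client2$
loginShell: /bin/bash
sambaSID: S-1-5-21-2815000769-282395026-991120840-1000
sambaAcctFlags: [U ]
sambaNTPassword: 00000000000000000000000000000000
"""


def parse_entries(text):
    """Split 'attr: value' lines into one dict per blank-line separated entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def acct_flags(entry):
    """sambaAcctFlags is a bracketed, space padded string such as '[U          ]'."""
    m = re.search(r"\[([A-Za-z ]*)\]", entry.get("sambaAcctFlags", ""))
    return set(m.group(1).replace(" ", "")) if m else set()


def audit_entry(entry):
    """Return a list of finding codes for one account entry."""
    findings = []
    uid = entry.get("uid", "")
    flags = acct_flags(entry)
    is_machine = uid.endswith("$") or "W" in flags
    # The trailing '$' and the W flag both mark a machine trust account; they must agree.
    if uid.endswith("$") != ("W" in flags):
        findings.append("FLAG_NAME_MISMATCH")
    # Machine accounts get no interactive login (useradd -s /bin/false -d /dev/null above).
    if is_machine and entry.get("loginShell") != "/bin/false":
        findings.append("MACHINE_SHELL")
    if is_machine and entry.get("homeDirectory") != "/dev/null":
        findings.append("MACHINE_HOME")
    if "D" in flags:
        findings.append("DISABLED")             # informational: account is disabled
    if "N" in flags:
        findings.append("NO_PASSWORD_REQUIRED")  # N flag waives the password check
    if not entry.get("sambaSID", "").startswith(DOMAIN_SID + "-"):
        findings.append("FOREIGN_SID")           # SID does not belong to this domain
    if "sambaLMPassword" in entry:
        findings.append("LM_HASH_STORED")        # legacy LanManager hash is present
    return findings


def audit(entries):
    """Audit every entry and add DUPLICATE_SID where two entries share a sambaSID."""
    report = {e.get("uid", e.get("dn")): audit_entry(e) for e in entries}
    by_sid = {}
    for e in entries:
        by_sid.setdefault(e.get("sambaSID"), []).append(e.get("uid"))
    for sid, uids in by_sid.items():
        if sid and len(uids) > 1:
            for uid in uids:
                report[uid].append("DUPLICATE_SID")
    return report


if __name__ == "__main__":
    for uid, findings in audit(parse_entries(SAMPLE_ENTRIES)).items():
        print(f"{uid}: {findings or 'OK'}")
```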
You can list the whole OU with the command
ldapsearch -x -b "ou=Users,dc=company,dc=xy" -LLL -D "cn=Manager,dc=company,dc=xy" -W
Now everything has been configured successfully.
The last step is to join the domain.
Power on the XP machine.
Set its network settings according to this scenario; they will be:
IP Address: 192.168.3.145
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.3.1
Primary DNS: 192.168.3.135
Right-click the My Computer icon and go to Properties.
Under the Computer Name tab click the Change button and enter the domain name.
Enter the username root and its password; a welcome screen will appear.
Just restart the computer and log in with a domain username.
Task completed successfully.
Shuker AlHamdullilah
Best Regards
Muhammad Farrukh
written by: Muhammad Farrukh Siddique (LPIC)
Scenario:
We are going to configure a Linux based Primary Domain Controller using Samba
which will authenticate the domain users through LDAP
Domain Name : company.xy
Hostname              IP-Address      Operating System
dns.company.xy        192.168.3.135   RedHat-5
ldap.company.xy       192.168.3.140   CentOS-5.3
client1.company.xy    192.168.3.145   Windows XP Service Pack 2
client2.company.xy    192.168.3.150   Windows XP Service Pack 2
The default gateway of all the servers is 192.168.3.1, which is the IP of the DSL router used for Internet access.
Required Packages: version number:
1).DNS packages>>
bind 9.3 or higher
bind-chroot 9.3 or higher
bind-utils 9.3 or higher
bind-libs 9.3 or higher
2).OpenLDAP packages>>
openldap 2.3 or higher
openldap-clients 2.3 or higher
openldap-devel 2.3 or higher
compat-openldap 2.3 or higher
python-ldap 2.2 or higher
ldapjdk 4.18 or higher
php-ldap 5.1 or higher
nss_ldap 253-17
3).Samba packages>>
samba 3.0 or higher
samba-common 3.0 or higher
samba-client 3.0 or higher
4).samba-ldap tools>> Download Link for Perl Packages:
http://dag.wieers.com/rpm/packages/
perl-Crypt-SmbHash 0.12-1.2.el5
perl-Digest-SHA1 2.11-1.2.1
perl-Jcode 2.06-1.el5
perl-Unicode-Map 0.112-1.el5
perl-Unicode-Map8 0.12-1.el5
perl-Unicode-MapUTF8 1.11-1.2.el5
perl-Unicode-String 2.09-1.2.el5
smbldap-tools 0.9.2-1a
Download Link:
http://nchc.dl.sourceforge.net/project/smbldap-tools/smbldap-tools/0.9.2/smbldap-tools-0.9.2-1a.noarch.rpm
Note: for now we disable SELinux and the firewall (iptables) on each Linux machine; after successful completion of our task we will open tcp port 53 for DNS and tcp port 389 for LDAP so that the firewalls can be used again.
After installing all the packages, we will configure DNS with LDAP support.
Let's check the network settings
[root@dns /]# vim /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=dns
[root@dns /]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:0C:29:D4:54:7D
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=192.168.3.135
GATEWAY=192.168.3.1
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes
[root@dns /]# vim /etc/resolv.conf
nameserver 192.168.3.135
search company.xy
[root@dns /]# /etc/init.d/network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
[root@dns /]#
DNS configuration:
[root@dns ~]# cd /var/named/chroot/etc/
[root@dns etc]# vim named.conf
options
{
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
};
zone "." IN {
type hint;
file "named.root";
};
zone "localhost" IN {
type master;
file "localhost.fwd";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "localhost.rev";
allow-update { none; };
};
zone "company.xy" IN {
type master;
file "company.xy.fwd";
allow-update { none; };
};
zone "3.168.192.in-addr.arpa" IN {
type master;
file "company.xy.rev";
allow-update { none; };
};
Now we will create the zone files
[root@dns etc]# cd /var/named/chroot/var/named/
Note: remove any leading spaces in front of the lines in named.root.
Lines should start with a ;, a . or a letter, not with blanks.
[root@dns named]# vim named.root
. 6D IN NS A.ROOT-SERVERS.NET.
. 6D IN NS B.ROOT-SERVERS.NET.
. 6D IN NS C.ROOT-SERVERS.NET.
. 6D IN NS D.ROOT-SERVERS.NET.
. 6D IN NS E.ROOT-SERVERS.NET.
. 6D IN NS F.ROOT-SERVERS.NET.
. 6D IN NS G.ROOT-SERVERS.NET.
. 6D IN NS H.ROOT-SERVERS.NET.
. 6D IN NS I.ROOT-SERVERS.NET.
. 6D IN NS J.ROOT-SERVERS.NET.
. 6D IN NS K.ROOT-SERVERS.NET.
. 6D IN NS L.ROOT-SERVERS.NET.
. 6D IN NS M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
B.ROOT-SERVERS.NET. 6D IN A 192.228.79.201
C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12
D.ROOT-SERVERS.NET. 6D IN A 128.8.10.90
E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10
F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241
G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4
H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53
I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17
J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30
K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129
L.ROOT-SERVERS.NET. 6D IN A 199.7.83.42
M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33
[root@dns named]# vim localhost.fwd
$ORIGIN localhost.
$TTL 86400
@ IN SOA dns.company.xy. hostmaster.company.xy. (
20090526 ; Serial number
3H ; Refresh every 3 hours
15M ; Retry after 15 minutes
1W ; Expire after 1 week
1D ) ; Minimum (negative caching) TTL 1 day
@ IN NS dns.company.xy.
localhost. IN A 127.0.0.1
[root@dns named]# vim localhost.rev
$ORIGIN 0.0.127.in-addr.arpa.
$TTL 86400
@ IN SOA dns.company.xy. hostmaster.company.xy. (
20090526 ; Serial number
3H ; Refresh every 3 hours
15M ; Retry after 15 minutes
1W ; Expire after 1 week
1D ) ; Minimum (negative caching) TTL 1 day
@ IN NS dns.company.xy.
1.0.0.127.in-addr.arpa. IN PTR localhost.
[root@dns named]# vim company.xy.fwd
$ORIGIN company.xy.
$TTL 86400
@ IN SOA dns.company.xy. hostmaster.company.xy. (
20090526 ; Serial number
3H ; Refresh every 3 hours
15M ; Retry after 15 minutes
1W ; Expire after 1 week
1D ) ; Minimum (negative caching) TTL 1 day
@ IN NS dns.company.xy.
dns.company.xy. IN A 192.168.3.135
ldap.company.xy. IN A 192.168.3.140
client1.company.xy. IN A 192.168.3.145
client2.company.xy. IN A 192.168.3.150
_ldap._tcp.company.xy. SRV 0 0 389 ldap.company.xy.
_ldap._tcp.dc._msdcs.company.xy. SRV 0 0 389 ldap.company.xy.
[root@dns named]# vim company.xy.rev
$ORIGIN 3.168.192.in-addr.arpa.
$TTL 86400
@ IN SOA dns.company.xy. hostmaster.company.xy. (
20090526 ; Serial number
3H ; Refresh every 3 hours
15M ; Retry after 15 minutes
1W ; Expire after 1 week
1D ) ; Minimum (negative caching) TTL 1 day
@ IN NS dns.company.xy.
135.3.168.192.in-addr.arpa. IN PTR dns.company.xy.
140.3.168.192.in-addr.arpa. IN PTR ldap.company.xy.
145.3.168.192.in-addr.arpa. IN PTR client1.company.xy.
150.3.168.192.in-addr.arpa. IN PTR client2.company.xy.
Now run the DNS daemon, i.e. named
[root@dns named]# /etc/init.d/named start
Starting named: [ OK ]
[root@dns named]#
Make sure the named service starts automatically at boot
[root@dns named]# chkconfig --level 235 named on
Now we will test the newly configured DNS
[root@dns named]# nslookup
> dns
Server: 192.168.3.135
Address: 192.168.3.135#53
Name: dns.company.xy
Address: 192.168.3.135
> ldap
Server: 192.168.3.135
Address: 192.168.3.135#53
Name: ldap.company.xy
Address: 192.168.3.140
> 192.168.3.135
Server: 192.168.3.135
Address: 192.168.3.135#53
135.3.168.192.in-addr.arpa name = dns.company.xy.
> 192.168.3.140
Server: 192.168.3.135
Address: 192.168.3.135#53
140.3.168.192.in-addr.arpa name = ldap.company.xy.
> exit
[root@dns named]#
Everything is fine Alhamdulillah
***********************************************
Let's configure the Primary Domain Controller
First of all check the network settings
[root@ldap /]# vim /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=ldap.company.xy
[root@ldap /]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:0C:29:0D:56:74
ONBOOT=yes
TYPE=Ethernet
NETMASK=255.255.255.0
IPADDR=192.168.3.140
GATEWAY=192.168.3.1
USERCTL=no
IPV6INIT=no
PEERDNS=yes
[root@ldap /]# vim /etc/resolv.conf
nameserver 192.168.3.135
search company.xy
[root@ldap /]# hostname
ldap.company.xy
[root@ldap /]#
Now restart the network service
[root@ldap /]# /etc/init.d/network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
[root@ldap /]#
Add samba.schema file to /etc/openldap/schema/ directory
[root@ldap ~]# cd /etc/openldap/schema/
[root@ldap schema]# vim samba.schema
Now copy the schema below and paste it into the samba.schema file (remember to press i in vim to enter insert mode before pasting). Continuation lines of each definition must start with whitespace, as slapd joins an indented line onto the previous one.
#######################################################################
## Attributes used by Samba 3.0 schema ##
#######################################################################
##
## Password hashes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
    DESC 'LanManager Password'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
    DESC 'MD4 hash of the unicode password'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
##
## Account flags in string format ([UWDX ])
##
attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags'
    DESC 'Account Flags'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
##
## Password timestamps & policies
##
attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet'
    DESC 'Timestamp of the last password update'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange'
    DESC 'Timestamp of when the user is allowed to update the password'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange'
    DESC 'Timestamp of when the password will expire'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime'
    DESC 'Timestamp of last logon'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime'
    DESC 'Timestamp of last logoff'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime'
    DESC 'Timestamp of when the user will be logged off automatically'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'
    DESC 'Bad password attempt count'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'
    DESC 'Time of the last bad password attempt'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours'
    DESC 'Logon Hours'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )
##
## string settings
##
attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive'
    DESC 'Driver letter of home directory mapping'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript'
    DESC 'Logon script path'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath'
    DESC 'Roaming profile path'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'
    DESC 'List of user workstations the user is allowed to logon to'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath'
    DESC 'Home directory UNC path'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName'
    DESC 'Windows NT domain to which the user belongs'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
    DESC 'Base64 encoded user parameter string'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'
    DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
##
## SID, of any type
##
attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
    DESC 'Security ID'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
##
## Primary group SID, compatible with ntSid
##
attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'
    DESC 'Primary Group Security ID'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList'
    DESC 'Security ID List'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
##
## group mapping attributes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType'
    DESC 'NT Group Type'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
##
## Store info on the domain
##
attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid'
    DESC 'Next NT rid to give our for users'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'
    DESC 'Next NT rid to give out for groups'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'
    DESC 'Next NT rid to give out for anything'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'
    DESC 'Base at which the samba RID generation algorithm should operate'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName'
    DESC 'Share Name'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName'
    DESC 'Option Name'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption'
    DESC 'A boolean option'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption'
    DESC 'An integer option'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption'
    DESC 'A string option'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption'
    DESC 'A string list option'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName'
##    SUP name )
##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
##    DESC 'Privileges List'
##    EQUALITY caseIgnoreIA5Match
##    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags'
    DESC 'Trust Password Flags'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# "min password length"
attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength'
    DESC 'Minimal password length (default: 5)'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "password history"
attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength'
    DESC 'Length of Password History Entries (default: 0 => off)'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "user must logon to change password"
attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd'
    DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "maximum password age"
attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge'
    DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "minimum password age"
attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge'
    DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "lockout duration"
attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration'
    DESC 'Lockout duration in minutes (default: 30, -1 => forever)'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "reset count minutes"
attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow'
    DESC 'Reset time after lockout in minutes (default: 30)'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "bad lockout attempt"
attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
    DESC 'Lockout users after bad logon attempts (default: 0 => off)'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "disconnect time"
attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff'
    DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# "refuse machine password change"
attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange'
    DESC 'Allow Machine Password changes (default: 0 => off)'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#######################################################################
## objectClasses used by Samba 3.0 schema ##
#######################################################################
## The X.500 data model (and therefore LDAPv3) says that each entry can
## only have one structural objectclass. OpenLDAP 2.0 does not enforce
## this currently but will in v2.1
##
## added new objectclass (and OID) for 3.0 to help us deal with backwards
## compatibility with 2.2 installations (e.g. ldapsam_compat) --jerry
##
objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
    DESC 'Samba 3.0 Auxilary SAM Account'
    MUST ( uid $ sambaSID )
    MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
          sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
          sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
          displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
          sambaProfilePath $ description $ sambaUserWorkstations $
          sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
          sambaBadPasswordCount $ sambaBadPasswordTime $
          sambaPasswordHistory $ sambaLogonHours))
##
## Group mapping info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
    DESC 'Samba Group Mapping'
    MUST ( gidNumber $ sambaSID $ sambaGroupType )
    MAY ( displayName $ description $ sambaSIDList ))
##
## Trust password for trust relationships (any kind)
##
objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL
    DESC 'Samba Trust Password'
    MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags )
    MAY ( sambaSID $ sambaPwdLastSet ))
##
## Whole-of-domain info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
    DESC 'Samba Domain Information'
    MUST ( sambaDomainName $
           sambaSID )
    MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
          sambaAlgorithmicRidBase $
          sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $
          sambaMaxPwdAge $ sambaMinPwdAge $
          sambaLockoutDuration $ sambaLockoutObservationWindow $
          sambaLockoutThreshold $
          sambaForceLogoff $ sambaRefuseMachinePwdChange ))
##
## used for idmap_ldap module
##
objectclass ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
    DESC 'Pool for allocating UNIX uids/gids'
    MUST ( uidNumber $ gidNumber ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
    DESC 'Mapping from a SID to an ID'
    MUST ( sambaSID )
    MAY ( uidNumber $ gidNumber ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
    DESC 'Structural Class for a SID'
    MUST ( sambaSID ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY
    DESC 'Samba Configuration Section'
    MAY ( description ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL
    DESC 'Samba Share Section'
    MUST ( sambaShareName )
    MAY ( description ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL
    DESC 'Samba Configuration Option'
    MUST ( sambaOptionName )
    MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $
          sambaStringListoption $ description ) )
Now add the samba.schema include to the LDAP configuration file slapd.conf, together with some other settings. Keep in mind that slapd evaluates access directives in file order: the first "access to" clause whose selector matches the entry or attribute decides, so later directives covering the same attributes are never consulted.
[root@ldap ~]# cd /etc/openldap/
[root@ldap openldap]# vim slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
loglevel -1
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none
#access to *
#    by * read
#slapdAtts.conf Section
# any user can authenticate and change his own password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
    by dn="cn=samba,ou=DSA,dc=company,dc=xy" write
    by dn="cn=smbtools,ou=DSA,dc=company,dc=xy" write
    by dn="cn=nssldap,ou=DSA,dc=company,dc=xy" write
    by self write
    by anonymous auth
#    by * none
#    by * read
# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
    by dn="cn=samba,ou=DSA,dc=company,dc=xy" write
    by dn="cn=smbtools,ou=DSA,dc=company,dc=xy" write
#    by * read
# some attributes can be writable by users themselves
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
    by dn="cn=samba,ou=DSA,dc=company,dc=xy" write
    by dn="cn=smbtools,ou=DSA,dc=company,dc=xy" write
    by self write
#    by * read
# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
    by dn="cn=samba,ou=DSA,dc=company,dc=xy" write
    by dn="cn=smbtools,ou=DSA,dc=company,dc=xy" write
    by self read
#    by * none
# samba needs to be able to create the samba domain account
access to dn.base="dc=company,dc=xy"
    by dn="cn=samba,ou=DSA,dc=company,dc=xy" write
    by dn="cn=smbtools,ou=DSA,dc=company,dc=xy" write
#    by * none
# samba needs to be able to create new user accounts
access to dn="ou=Users,dc=company,dc=xy"
    by dn="cn=samba,ou=DSA,dc=company,dc=xy" write
    by dn="cn=smbtools,ou=DSA,dc=company,dc=xy" write
#    by * none
# samba needs to be able to create new group accounts
access to dn="ou=Groups,dc=company,dc=xy"
    by dn="cn=samba,ou=DSA,dc=company,dc=xy" write
    by dn="cn=smbtools,ou=DSA,dc=company,dc=xy" write
#    by * none
# samba needs to be able to create new computer accounts
access to dn="ou=Computers,dc=company,dc=xy"
    by dn="cn=samba,ou=DSA,dc=company,dc=xy" write
    by dn="cn=smbtools,ou=DSA,dc=company,dc=xy" write
#    by * none
# this can be omitted but we let it stay because there could be other
# branches in the directory
#access to *
#    by self read
#    by * none
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=company,dc=xy"
rootdn "cn=Manager,dc=company,dc=xy"
rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
Check the slapd.conf permissions, which must be 640 (owner root, group ldap). The rootpw above is stored in clear text, which is one more reason the file must not be world-readable; slappasswd can generate a hashed value to put there instead.
[root@ldap openldap]# stat slapd.conf
File: `slapd.conf'
Size: 12234 Blocks: 24 IO Block: 4096 regular file
Device: 803h/2051d Inode: 817606 Links: 1
Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 55/ ldap)
[root@ldap openldap]#
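As an added example (not this howto's own code), a minimal evaluator for the attribute-level access directives in the slapd.conf above, modelling slapd's first-match rule. The ACL text is a constructed transcription of the first three directives; only attrs= selectors and the *, anonymous, users, self and dn= forms of by clause are handled.

```python
import re
from dataclasses import dataclass

# Constructed input (not the howto's file verbatim): the first three attribute-level
# "access to" directives this howto puts in /etc/openldap/slapd.conf, with the
# continuation lines indented the way slapd.conf requires.
SLAPD_ACL = """\
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none
# slapdAtts.conf section
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
    by dn="cn=samba,ou=DSA,dc=company,dc=xy" write
    by dn="cn=smbtools,ou=DSA,dc=company,dc=xy" write
    by dn="cn=nssldap,ou=DSA,dc=company,dc=xy" write
    by self write
    by anonymous auth
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
    by dn="cn=samba,ou=DSA,dc=company,dc=xy" write
    by dn="cn=smbtools,ou=DSA,dc=company,dc=xy" write
#    by * read
"""


@dataclass
class Rule:
    attrs: frozenset   # lower-cased attribute names selected by the attrs= clause
    clauses: list      # [(who, access)] in file order


WHO_RE = re.compile(r'\bby\s+(dn="[^"]*"|self|anonymous|users|\*)\s+(\w+)')


def norm_dn(dn):
    """Comparison key for a DN: case-insensitive, blanks around commas ignored."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def logical_lines(text):
    """slapd.conf appends a line starting with whitespace to the previous line;
    comment and blank lines are discarded afterwards."""
    joined = []
    for raw in text.splitlines():
        if raw[:1].isspace() and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.rstrip())
    return [ln for ln in joined if ln and not ln.startswith("#")]


def parse_acl(text):
    rules = []
    for line in logical_lines(text):
        m = re.match(r"access\s+to\s+attrs=([\w,]+)", line)
        if not m:
            continue  # only attrs= directives are modelled here
        attrs = frozenset(a.lower() for a in m.group(1).split(","))
        clauses = [(who, acc.lower()) for who, acc in WHO_RE.findall(line)]
        rules.append(Rule(attrs, clauses))
    return rules


def who_matches(who, requester_dn, entry_dn):
    """<who> selectors: '*', anonymous, users, self, dn=<exact dn>; None = anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if requester_dn is None:
        return False
    if who == "self":
        return norm_dn(requester_dn) == norm_dn(entry_dn)
    return norm_dn(requester_dn) == norm_dn(who[4:-1])   # dn="..."


def first_match(rules, attr):
    """Index of the first directive whose attrs= selector covers attr, or None."""
    for i, rule in enumerate(rules):
        if attr.lower() in rule.attrs:
            return i
    return None


def evaluate(rules, requester_dn, entry_dn, attr):
    """slapd semantics: the first directive whose <what> matches decides; within it the
    first matching <by> clause gives the access level.  With a non-empty access list,
    no match at all means 'none' (the implicit trailing 'access to * by * none')."""
    i = first_match(rules, attr)
    if i is None:
        return "none"
    for who, access in rules[i].clauses:
        if who_matches(who, requester_dn, entry_dn):
            return access
    return "none"


def shadowed(rules):
    """Per directive, the attributes an earlier directive already claims; requests on
    those attributes never reach the later directive's <by> clauses."""
    seen, report = set(), {}
    for i, rule in enumerate(rules):
        overlap = rule.attrs & seen
        if overlap:
            report[i] = overlap
        seen |= rule.attrs
    return report


if __name__ == "__main__":
    rules = parse_acl(SLAPD_ACL)
    samba = "cn=samba,ou=DSA,dc=company,dc=xy"
    user = "uid=mfarrukh,ou=Users,dc=company,dc=xy"
    for attr in ("sambaNTPassword", "sambaPwdLastSet", "uid"):
        print(f"cn=samba on {attr}: {evaluate(rules, samba, user, attr)}")
    print("shadowed:", shadowed(rules))
```

Evaluating cn=samba against sambaNTPassword yields none, because the first directive already claims that attribute and ends in by * none; placing the DSA directive first (or removing the duplicate) is what gives the samba bind account write access there.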
[root@ldap openldap]# vim ldap.conf
#HOST 127.0.0.1
BASE dc=company,dc=xy
URI ldap://127.0.0.1/
TLS_CACERTDIR /etc/openldap/cacerts
Now copy the example BDB configuration file DB_CONFIG.example from /etc/openldap to /var/lib/ldap
[root@ldap openldap]# cp DB_CONFIG.example /var/lib/ldap/
Rename it to DB_CONFIG
[root@ldap openldap]# cd /var/lib/ldap/
[root@ldap ldap]# mv DB_CONFIG.example DB_CONFIG
[root@ldap ldap]#
Start the LDAP server
[root@ldap /]# /etc/init.d/ldap start
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
[root@ldap /]#
Now configure the LDAP server host itself to use LDAP through pam_ldap and nss_ldap; the name service cache daemon nscd will also be used.
[root@ldap /]# /etc/init.d/nscd start
Starting nscd: [ OK ]
[root@ldap /]#
[root@ldap /]# chkconfig --level 235 nscd on
[root@ldap /]#
[root@ldap /]# setup
run Authentication Configuration
select Cache Information
Use LDAP
Use MD5 Passwords
Use Shadow Passwords
Use LDAP Authentication
Press the Next button
don't select Use TLS option
Server: ldap://127.0.0.1/
Base DN: dc=company,dc=xy
Press OK and exit
[root@ldap /]# vim /etc/ldap.conf
host 127.0.0.1
base dc=company,dc=xy
rootbinddn cn=manager,dc=company,dc=xy
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
Create the file /etc/ldap.secret, protected by mode 600, and place in it the rootpw defined in slapd.conf (nss_ldap and pam_ldap read it to bind as the rootbinddn).
[root@ldap /]# vim /etc/ldap.secret
secret
[root@ldap /]# chmod 600 /etc/ldap.secret
[root@ldap /]#
****************************************************
smbldap-tools configuration
[root@ldap /]# cd /etc/opt/IDEALX/smbldap-tools/
[root@ldap smbldap-tools]# vim smbldap_bind.conf
slaveDN="cn=Manager,dc=company,dc=xy"
slavePw="secret"
masterDN="cn=Manager,dc=company,dc=xy"
masterPw="secret"
[root@ldap smbldap-tools]# vim smbldap.conf
##############################################################################
#
# General Configuration
#
##############################################################################
SID="S-1-5-21-2815000769-282395026-991120840"
sambaDomain="company.xy"
##############################################################################
#
# LDAP Configuration
#
##############################################################################
slaveLDAP="127.0.0.1"
# Slave LDAP port
slavePort="389"
# Master LDAP server: needed for write operations
masterLDAP="127.0.0.1"
# Master LDAP port
masterPort="389"
suffix="dc=company,dc=xy"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=company.xy,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
userLoginShell="/bin/bash"
# Home directory
userHome="/home/%U"
# Default mode used for user homeDirectory
userHomeDirectoryMode="700"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
#userSmbHome="\\192.168.3.140\%U"
# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
#userProfile="\\192.168.3.140\profiles\%U"
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
#userHomeDrive="H:"
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="company.com"
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
# comment out the following line to get rid of the default banner
# no_banner="1"
Configuring smb.conf
[root@ldap smbldap-tools]# cd /etc/samba/
[root@ldap samba]# vim smb.conf
[global]
workgroup = company.xy
netbios name = ldapserver
enable privileges = yes
#interfaces = 192.168.3.131
username map = /etc/samba/smbusers
server string = samba-ldap-pdc
security = user
encrypt passwords = Yes
admin users = root
#min passwd length = 3
obey pam restrictions = No
ldap passwd sync = Yes
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
#time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
#guest account = root
logon script = logon.bat
logon drive =
logon home =
logon path =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=Manager,dc=company,dc=xy
ldap suffix = dc=company,dc=xy
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
#ldap ssl = start_tls
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
#logon script = STARTUP.BAT
;[homes]
;comment = Home Directories
;valid users = %U
;read only = No
;create mask = 0664
;directory mask = 0775
;browseable = No
;[profiles]
;path = /home/samba/profiles
;read only = No
;create mask = 0600
;directory mask = 0700
;browseable = No
;guest ok = Yes
;profile acls = Yes
;csc policy = disable
;force user = %U
;valid users = %U @"Domain Admins"
[netlogon]
path = /home/samba/netlogon/
browseable = No
read only = yes
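The [global] section above carries several settings worth checking before the server goes live: the LDAP admin DN password is sent in clear unless the backend is loopback, ldaps:// or start_tls; "log level = 0" leaves no audit trail; "admin users" makes the listed users act as root on every share. The following Python script is an added example, not part of this howto or of Samba itself; it parses an smb.conf excerpt (constructed from the configuration above) with configparser and reports such findings. The finding codes and the sample text are this example's own choices.

```python
import configparser

# Constructed excerpt of the [global] section shown in this howto (not the full file).
SAMPLE_SMB_CONF = """\
[global]
workgroup = company.xy
security = user
encrypt passwords = Yes
admin users = root
log level = 0
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=Manager,dc=company,dc=xy
#ldap ssl = start_tls
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
logon drive =
;[homes]
;read only = No
"""


def parse_smb_conf(text):
    """Parse smb.conf text with configparser.

    interpolation=None: Samba macros such as %u and %m would otherwise be read
    as configparser interpolation syntax.  '#' and ';' are both comment
    prefixes by default, so the commented ';[homes]' block is skipped.
    strict=False tolerates a key repeated inside one section.
    """
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                   strict=False, delimiters=("=",))
    cp.optionxform = lambda key: key.strip().lower()  # Samba keys are case-insensitive
    cp.read_string(text)
    return cp


def _val(section, key, default=""):
    """Lower-cased, stripped value of a key, or the default when absent."""
    return (section.get(key, default) or "").strip().lower()


def _ldap_host(url):
    """Extract the host part of ldap://host[:port]/..., handling [v6] literals."""
    authority = url.split("/")[0]
    if authority.startswith("["):
        return authority[1:].split("]")[0]
    return authority.split(":")[0]


def audit_global(cp):
    """Return a list of finding codes for the [global] section."""
    g = cp["global"]
    findings = []
    if _val(g, "encrypt passwords", "yes") not in ("yes", "true", "1"):
        findings.append("encrypt-passwords-off")      # clients would send cleartext passwords
    if _val(g, "log level", "0") == "0":
        findings.append("log-level-zero")             # no audit trail for logon events
    if _val(g, "admin users"):
        findings.append("admin-users-set")            # listed users act as root on every share
    backend = _val(g, "passdb backend")
    if backend.startswith("ldapsam:"):
        scheme, _, rest = backend[len("ldapsam:"):].partition("://")
        host = _ldap_host(rest)
        local = host in ("", "127.0.0.1", "localhost", "::1")
        tls = scheme in ("ldaps", "ldapi") or _val(g, "ldap ssl") == "start_tls"
        if not local and not tls:
            findings.append("ldap-bind-without-tls")  # admin dn password crosses the wire in clear
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit in one call."""
    return audit_global(parse_smb_conf(text))


if __name__ == "__main__":
    for code in audit_text(SAMPLE_SMB_CONF):
        print(code)
```

Run against a real file with `audit_text(open("/etc/samba/smb.conf").read())`. For the configuration on this page the script reports "log-level-zero" and "admin-users-set"; the LDAP bind is to 127.0.0.1, so no TLS finding is raised until the backend is moved to a remote host without "ldap ssl = start_tls".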
We are configuring a simple domain controller in this howto. Roaming profiles and home directories for domain users can be enabled later through the commented-out [profiles] and [homes] shares.
Let's create the directories referenced in /etc/samba/smb.conf:
[root@ldap samba]# mkdir /home/samba
[root@ldap samba]# mkdir /home/samba/netlogon
[root@ldap samba]# mkdir /home/samba/profiles
[root@ldap samba]# chmod 1777 /home/samba/profiles
(We will not use the profiles feature for now.)
Samba must know the password of the LDAP admin DN, so store it in secrets.tdb:
[root@ldap samba]# smbpasswd -w secret
Setting stored password for "cn=Manager,dc=company,dc=xy" in secrets.tdb
[root@ldap samba]#
Now retrieve the domain Security Identifier (SID):
[root@ldap samba]# net getlocalsid
SID for domain LDAPSERVER is: S-1-5-21-2815000769-282395026-991120840
[root@ldap samba]#
Replace the raw SID in /etc/opt/IDEALX/smbldap-tools/smbldap.conf with the SID shown above.
Make sure the smbldap scripts are available in /usr/local/sbin, because that is the path referenced in smb.conf; otherwise create a symbolic link for each script:
[root@ldap samba]# cd /opt/IDEALX/sbin/
[root@ldap sbin]# ls
configure.pl smbldap-groupmod smbldap-populate smbldap-userdel
smbldap-usershow
smbldap-groupadd smbldap-groupshow smbldap_tools.pm smbldap-userinfo
smbldap-groupdel smbldap-passwd smbldap-useradd smbldap-usermod
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/configure.pl
/usr/local/sbin/configure.pl
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-groupadd
/usr/local/sbin/smbldap-groupadd
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-groupdel
/usr/local/sbin/smbldap-groupdel
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-groupmod
/usr/local/sbin/smbldap-groupmod
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-groupshow
/usr/local/sbin/smbldap-groupshow
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-passwd
/usr/local/sbin/smbldap-passwd
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-populate
/usr/local/sbin/smbldap-populate
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap_tools.pm
/usr/local/sbin/smbldap_tools.pm
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-useradd
/usr/local/sbin/smbldap-useradd
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-userdel
/usr/local/sbin/smbldap-userdel
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-userinfo
/usr/local/sbin/smbldap-userinfo
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-usermod
/usr/local/sbin/smbldap-usermod
[root@ldap sbin]# ln -s /opt/IDEALX/sbin/smbldap-usershow
/usr/local/sbin/smbldap-usershow
Now add the default base entries:
[root@ldap /]# smbldap-populate
Populating LDAP directory for domain company.xy
(S-1-5-21-2815000769-282395026-991120840)
(using builtin directory structure)
adding new entry dc=company,dc=xy
adding new entry ou=Users,dc=company,dc=xy
adding new entry ou=Groups,dc=company,dc=xy
adding new entry ou=Computers,dc=company,dc=xy
adding new entry ou=Idmap,dc=company,dc=xy
adding new entry uid=root,ou=Users,dc=company,dc=xy
adding new entry uid=nobody,ou=Users,dc=company,dc=xy
adding new entry cn=Domain Admins,ou=Groups,dc=company,dc=xy
adding new entry cn=Domain Users,ou=Groups,dc=company,dc=xy
adding new entry cn=Domain Guests,ou=Groups,dc=company,dc=xy
adding new entry cn=Domain Computers,ou=Groups,dc=company,dc=xy
adding new entry cn=Administrators,ou=Groups,dc=company,dc=xy
adding new entry cn=Account Operators,ou=Groups,dc=company,dc=xy
adding new entry cn=Print Operators,ou=Groups,dc=company,dc=xy
adding new entry cn=Backup Operators,ou=Groups,dc=company,dc=xy
adding new entry cn=Replicators,ou=Groups,dc=company,dc=xy
adding new entry sambaDomainName=company.xy,dc=company,dc=xy
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
[root@ldap /]#
Adding Domain Security Accounts
For this purpose we create an LDIF file and add all entries at once:
[root@ldap Desktop]# vim dsa.ldif
dn: ou=DSA,dc=company,dc=xy
objectClass: top
objectClass: organizationalUnit
ou: DSA
description: security accounts for LDAP clients

dn: cn=samba,ou=DSA,dc=company,dc=xy
objectClass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: sambasecretpwd
cn: samba

dn: cn=nssldap,ou=DSA,dc=company,dc=xy
objectClass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: nssldapsecretpwd
cn: nssldap

dn: cn=smbtools,ou=DSA,dc=company,dc=xy
objectClass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: smbtoolssecretpwd
cn: smbtools
[root@ldap Desktop]# ldapadd -x -h localhost -D "cn=Manager,dc=company,dc=xy" -f
dsa.ldif -W
Enter LDAP Password:
adding new entry "ou=DSA,dc=company,dc=xy"
adding new entry "cn=samba,ou=DSA,dc=company,dc=xy"
adding new entry "cn=nssldap,ou=DSA,dc=company,dc=xy"
adding new entry "cn=smbtools,ou=DSA,dc=company,dc=xy"
[root@ldap Desktop]#
The password of each security account can be changed later with the following command:
[root@ldap Desktop]# ldappasswd -x -h localhost -D "cn=Manager,dc=company,dc=xy" -s password -W cn=samba,ou=DSA,dc=company,dc=xy
Now start the Samba server:
[root@ldap Desktop]# /etc/init.d/smb start
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
[root@ldap Desktop]#
Now create a user account for both UNIX and Samba:
[root@ldap Desktop]# smbldap-useradd -a -m -c "Muhammad Farrukh Siddique" mfarrukh
[root@ldap Desktop]# smbldap-passwd mfarrukh
Changing UNIX and samba passwords for mfarrukh
New password:
Retype new password:
[root@ldap Desktop]# useradd mfarrukh
Now create a machine trust account:
[root@ldap Desktop]# smbldap-useradd -w client1
The machine trust account must also exist in /etc/passwd:
[root@ldap Desktop]# useradd -d /dev/null -s /bin/false client1$
(The $ sign differentiates machine accounts from user accounts.)
Let's look up a user account:
[root@ldap Desktop]# smbldap-usershow mfarrukh
dn: uid=mfarrukh,ou=Users,dc=company,dc=xy
objectClass: top,person,organizationalPerson,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: mfarrukh
sn: mfarrukh
givenName: mfarrukh
uid: mfarrukh
uidNumber: 1000
gidNumber: 513
homeDirectory: /home/mfarrukh
loginShell: /bin/bash
gecos: Muhammad Farrukh Siddique
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: Muhammad Farrukh Siddique
sambaSID: S-1-5-21-2815000769-282395026-991120840-3000
sambaPrimaryGroupSID: S-1-5-21-2815000769-282395026-991120840-513
sambaLogonScript: logon.bat
sambaLMPassword: 78BCCAEE08C90E29AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: F9E37E83B83C47A93C2F09F66408631B
sambaPwdLastSet: 1257784838
sambaPwdMustChange: 1261672838
userPassword: {SSHA}2syv4k3FUxv3269R29xbBDnQ6tFaS2Rz
[root@ldap Desktop]#
[root@ldap Desktop]# smbldap-usershow client1$
dn: uid=client1$,ou=Computers,dc=company,dc=xy
objectClass:
top,person,organizationalPerson,inetOrgPerson,posixAccount,sambaSamAccount
cn: client1$
sn: client1$
uid: client1$
uidNumber: 1001
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaSID: S-1-5-21-2815000769-282395026-991120840-1000
displayName: CLIENT1$
sambaAcctFlags: [W ]
sambaNTPassword: A6F443E99DBF9DD0686A90919A9D6967
sambaPwdLastSet: 1243494068
You can list the whole OU with the command:
ldapsearch -x -b "ou=Users,dc=company,dc=xy" -LLL -D "cn=Manager,dc=company,dc=xy" -W
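The smbldap-usershow and ldapsearch output above is worth reviewing with a script rather than by eye once the directory holds more than a handful of accounts: a sambaLMPassword attribute means the weak LanMan hash is kept next to the NT hash, an LM hash whose second half is AAD3B435B51404EE reveals a password of seven characters or fewer, a userPassword without a scheme prefix is stored in cleartext, the N flag in sambaAcctFlags means no password is required, and a workstation account (W flag) should carry a non-interactive shell. The following Python script is an added example, not part of this howto or of smbldap-tools; it parses LDIF-style output (blank-line separated entries, continuation lines, "::" base64 values) and reports those conditions per entry. The sample LDIF is constructed after the entries shown above, with made-up hash values, and the finding codes are this example's own.

```python
import base64

# Constructed LDIF modelled on the smbldap-usershow output above; hash values are made up.
SAMPLE_LDIF = """\
dn: uid=mfarrukh,ou=Users,dc=company,dc=xy
objectClass: posixAccount
objectClass: sambaSamAccount
uid: mfarrukh
loginShell: /bin/bash
sambaAcctFlags: [U          ]
sambaLMPassword: 0123456789ABCDEFAAD3B435B51404EE
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
sambaPwdMustChange: 1261672838
userPassword: {SSHA}AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

dn: uid=client1$,ou=Computers,dc=company,dc=xy
objectClass: posixAccount
objectClass: sambaSamAccount
uid: client1$
loginShell: /bin/false
sambaAcctFlags: [W          ]
sambaNTPassword: FFEEDDCCBBAA99887766554433221100

dn: cn=samba,ou=DSA,dc=company,dc=xy
objectClass: simpleSecurityObject
cn: samba
userPassword: sambasecretpwd
"""

LM_EMPTY_HALF = "AAD3B435B51404EE"  # LM hash of an empty 7-byte half: password has 7 chars or fewer
NOLOGIN_SHELLS = ("/bin/false", "/sbin/nologin", "/usr/sbin/nologin")


def parse_ldif(text):
    """Parse LDIF-style text into a list of {attribute_lowercase: [values]} dicts."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]          # LDIF continuation line
            continue
        if not raw.strip():
            if current:
                entries.append(current)           # blank line ends an entry
            current, last = {}, None
            continue
        if raw.startswith("#"):
            continue
        key, _, value = raw.partition(":")
        key = key.strip().lower()                 # attribute names are case-insensitive
        if value.startswith(":"):                 # "attr:: base64" as printed by ldapsearch
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(key, []).append(value)
        last = key
    if current:
        entries.append(current)
    return entries


def _first(entry, attr, default=""):
    return entry.get(attr, [default])[0]


def audit_entry(entry):
    """Return finding codes for one account entry."""
    findings = []
    flags = _first(entry, "sambaacctflags")
    lm = _first(entry, "sambalmpassword")
    if lm:
        findings.append("lm-hash-stored")
        if lm.upper().endswith(LM_EMPTY_HALF):
            findings.append("password-7-chars-or-less")
    if any(not pw.startswith("{") for pw in entry.get("userpassword", [])):
        findings.append("cleartext-userpassword")
    if "N" in flags:
        findings.append("no-password-required")
    if "W" in flags:
        if _first(entry, "loginshell") not in NOLOGIN_SHELLS:
            findings.append("machine-account-with-login-shell")
    elif _first(entry, "sambapwdmustchange") == "2147483647":
        findings.append("password-never-expires")
    return findings


def audit_text(text):
    """Map each entry's dn to its list of findings."""
    return {_first(e, "dn"): audit_entry(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    for dn, findings in audit_text(SAMPLE_LDIF).items():
        print(dn, findings or "ok")
```

To audit the live directory, pipe the ldapsearch command above (run with a DN allowed to read the sambaLMPassword and userPassword attributes) into `audit_text(sys.stdin.read())`. Setting "lanman auth = no" in smb.conf stops Samba from accepting the LM hash for authentication.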
Now everything has been configured successfully.
The last step is to join the domain.
Power on the Windows XP machine and set its network settings according to this scenario:
IP Address: 192.168.3.145
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.3.1
Primary DNS: 192.168.3.135
Right-click the My Computer icon and open Properties.
Under the Computer Name tab click the Change button and enter the domain name.
When prompted, enter the username root and its password; a welcome screen will appear.
Restart the computer and log on with a domain user account.
Task completed successfully.
Shuker AlHamdullilah
Best Regards
Muhammad Farrukh