Samba-LDAP-PDC-Complete-Tutorial.txt



LDAP SAMBA to Primary Domain Controller (PDC)
################################################################################################################
Step 1: DNS Service
a. Install
#cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
192.168.44.150 server.hbn.local server
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
#yum install -y bind-chroot
#chmod 755 -R /var/named/
#cp /usr/share/doc/bind-*/sample/var/named/named.local /var/named/chroot/var/named/
#cp /usr/share/doc/bind-*/sample/var/named/named.root /var/named/chroot/var/named/
#cp /usr/share/doc/bind-*/sample/var/named/localhost.zone /var/named/chroot/var/named/
#touch /var/named/chroot/etc/named.conf
#chkconfig --level 35 named on
#service named start
(named is started here with an empty named.conf; restart it once more after the configuration and the zone files below are in place.)
b.Configuration:
#vim /var/named/chroot/etc/named.conf
options {
        directory "/var/named";
        // With forwarders configured and no restriction, named will recurse for anyone who can
        // reach port 53 (an open resolver). Listen only on this host's addresses and recurse only
        // for the local LAN; adjust the address and subnet if yours differ.
        listen-on { 127.0.0.1; 192.168.44.150; };
        allow-recursion { 127.0.0.1; 192.168.44.0/24; };
        forwarders {203.162.0.181; 203.162.0.11; 210.245.0.11; 210.245.0.58; 208.67.222.222; 208.67.220.220; 8.8.8.8; 8.8.4.4;};
};
zone "." IN {
        type hint;
        file "named.root";
};
zone "localhost" IN {
        type master;
        file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
};
zone "44.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.44.0.db";
};
zone "hbn.local" {
        type master;
        file "hbn.local";
};
save and quit
# cd /var/named/chroot/var/named/
#vim 192.168.44.0.db
$TTL 86400
@       IN SOA  hbn.local. root.hbn.local. (
                1997022700 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
; the name server is hbn.local. (192.168.44.150), the same NS the forward zone declares;
; the original pointed at ns1.hbn.local., which has no A record anywhere in this setup
        IN NS   hbn.local.
; dns.hbn.local resolves to 192.168.44.150, so its PTR lives at 150, not 100
150     IN PTR  dns.hbn.local.
250     IN PTR  winxp.hbn.local.
#vim hbn.local
$TTL 14400
; SOA MNAME is the primary name server (hbn.local., as in the reverse zone), not the mailbox root.hbn.local.
@       IN SOA  hbn.local. hostmaster.hbn.local. (
                2009102800
                14400
                3600
                1209600
                86400 )
        IN NS   hbn.local.
ftp     IN A    192.168.44.150
hbn.local. IN A 192.168.44.150
localhost IN A  127.0.0.1
mail    IN A    192.168.44.150
pop     IN A    192.168.44.150
smtp    IN A    192.168.44.150
www     IN A    192.168.44.150
dns     IN A    192.168.44.150
ldap    IN A    192.168.44.150
winxp   IN A    192.168.44.250
hbn.local. 
IN MX 10 mail
hbn.local. 14400 IN TXT "v=spf1 a mx ip4:192.168.44.150 ~all"
save and quit, then restart named so it reads the new named.conf and both zones:
# service named restart
# vim /etc/resolv.conf
search hbn.local
nameserver 192.168.44.150
nameserver 192.168.44.2
c.Test:
# nslookup
> hbn.local
Server:  192.168.44.150
Address: 192.168.44.150#53
Name:    hbn.local
Address: 192.168.44.150
> dns.hbn.local
Server:  192.168.44.150
Address: 192.168.44.150#53
Name:    dns.hbn.local
Address: 192.168.44.150
> winxp.hbn.local
Server:  192.168.44.150
Address: 192.168.44.150#53
Name:    winxp.hbn.local
Address: 192.168.44.250
> ldap.hbn.local
Server:  192.168.44.150
Address: 192.168.44.150#53
Name:    ldap.hbn.local
Address: 192.168.44.150
> exit
################################################################################################################
Step 2: PDC with LDAP - Samba
a.Install
Add Dag repository
#wget http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
(The signing key is fetched over plain HTTP, so it could be replaced in transit. Before importing it, check its fingerprint against the one the repository maintainer publishes out of band: gpg --with-fingerprint RPM-GPG-KEY.dag.txt. With gpgcheck=1 below this key is what every package from the repository is trusted against.)
#rpm --import RPM-GPG-KEY.dag.txt
#rm -f RPM-GPG-KEY.dag.txt
#vim /etc/yum.repos.d/dag.repo
[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el5/en/$basearch/dag/
gpgcheck=1
enabled=0
#yum --enablerepo=dag install -y openldap openldap-clients openldap-devel openldap-servers openldap-clients compat-openldap python-ldap ldapjdk php-ldap nss_ldap samba samba-common samba-client perl-Crypt-SmbHash perl-Digest-SHA1 perl-Jcode perl-Unicode-Map perl-Unicode-Map8 perl-Unicode-MapUTF8 perl-Unicode-String smbldap-tools
#cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema /etc/openldap/schema/
# cd /etc/openldap/
# vim slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. 
# This is NOT the default. LDAPv2 binds are obsolete and nothing in this setup
# needs them, so leave the directive disabled:
#allow bind_v2
# loglevel -1 traces every packet and BER element, which writes simple-bind
# credentials into syslog in clear text and floods the log; 256 (stats) is
# enough to see binds and operations.
loglevel 256
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
database bdb
suffix "dc=hbn,dc=local"
rootdn "cn=Manager,dc=hbn,dc=local"
# Never keep the rootdn password in clear text: generate a hash with `slappasswd`
# and paste its output here. The remainder of this tutorial uses the throwaway
# value 123456 for this account; choose a strong password and use that same value
# wherever 123456 appears later (/etc/ldap.secret, smbldap_bind.conf, smbpasswd -w).
rootpw {SSHA}paste-the-output-of-slappasswd-here
# rootpw {crypt}ijFYNcSNctBYg
directory /var/lib/ldap
#Access control List information
# NOTE: slapd applies the FIRST "access to" directive whose attribute list
# matches. The original first rule for the password attributes
# ("by self write by anonymous auth") shadowed the rule below, so the DSA
# accounts never got write access to the password hashes; it is kept here
# only for reference and the rule that follows is the effective one.
#access to attrs="userPassword,sambaLMPassword,sambaNTPassword"
# by self write
# by anonymous auth
# users can authenticate and change their password
# (uid=root is created under ou=Users by smbldap-populate, not ou=People)
access to attrs="userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange"
        by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
        by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
        by dn="cn=nssldap,ou=DSA,dc=hbn,dc=local" write
        by dn="uid=root,ou=Users,dc=hbn,dc=local" write
        by anonymous auth
        by self write
        by * none
# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
        by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
        by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
        by dn="uid=root,ou=Users,dc=hbn,dc=local" write
        by * read
# some attributes can be writable by users themselves
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
        by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
        by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
        by dn="uid=root,ou=Users,dc=hbn,dc=local" write
        by self write
        by * read
# some attributes need to be writable for samba
access to 
attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
        by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
        by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
        by dn="uid=root,ou=Users,dc=hbn,dc=local" write
        by self read
        by * none
# The OU rules below use dn.subtree so that they also cover the entries created
# UNDER each OU. The bare dn= form is an exact match on OpenLDAP 2.3, i.e. it
# covers only the OU entry itself; the original only worked because Samba binds
# as the rootdn, which bypasses these ACLs entirely. uid=root lives under
# ou=Users (created by smbldap-populate), not ou=People.
# samba need to be able to create the samba domain account
access to dn.base="dc=hbn,dc=local"
        by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
        by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
        by dn="uid=root,ou=Users,dc=hbn,dc=local" write
        by * none
# samba need to be able to create new users account
access to dn.subtree="ou=Users,dc=hbn,dc=local"
        by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
        by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
        by dn="uid=root,ou=Users,dc=hbn,dc=local" write
        by * none
# samba need to be able to create new groups account
access to dn.subtree="ou=Groups,dc=hbn,dc=local"
        by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
        by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
        by dn="uid=root,ou=Users,dc=hbn,dc=local" write
        by * none
# samba need to be able to create new computers account
access to dn.subtree="ou=Computers,dc=hbn,dc=local"
        by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
        by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
        by dn="uid=root,ou=Users,dc=hbn,dc=local" write
        by * none
# default: an entry may read itself, everything else is denied
access to *
        by self read
        by * none
save and quit
-----------------------------------------------------------------------------------
# slapd.conf holds the rootdn password hash and must not be world-readable; on
# RHEL/CentOS the init script runs slapd as user ldap, which must still be able to read it
#chown root:ldap slapd.conf
#chmod 640 slapd.conf
# vim ldap.conf
BASE dc=hbn, 
dc=local
URI ldap://127.0.0.1/
TLS_CACERTDIR /etc/openldap/cacerts
#cp DB_CONFIG.example /var/lib/ldap/
#cd /var/lib/ldap/
#mv DB_CONFIG.example DB_CONFIG
# /etc/init.d/ldap start
Checking configuration files for slapd: config file testing succeeded [ OK ]
Starting slapd: [ OK ]
# chkconfig --level 35 ldap on
(without this, slapd does not start at boot and every LDAP-backed login fails after a reboot)
# /etc/init.d/nscd start
Starting nscd: [ OK ]
# chkconfig --level 35 nscd on
# setup
run Authentication Configuration
select Cache Information
Use LDAP
Use MD5 Passwords
Use Shadow Passwords
Use LDAP Authentication
Press the Next button
don't select Use TLS option (acceptable only because the client and slapd are on the same host and talk over 127.0.0.1; any remote client must use TLS)
Server: ldap://127.0.0.1/
Base DN: dc=hbn,dc=local
Press OK and exit
# vim /etc/ldap.conf
host 127.0.0.1
base dc=hbn,dc=local
# rootbinddn makes nss_ldap bind with the directory ROOT account (password in
# /etc/ldap.secret) for every lookup root performs. The ACLs in slapd.conf
# already provide cn=nssldap,ou=DSA for this purpose; once that entry exists
# (dsa.ldif below) point rootbinddn at it and put its password in /etc/ldap.secret.
rootbinddn cn=manager,dc=hbn,dc=local
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
#net getlocalsid
SID for domain SERVER is: S-1-5-21-3926925045-1584093657-3115473201
(Note that the SID printed here is for the default NetBIOS name SERVER. Re-run net getlocalsid after /etc/samba/smb.conf below has set netbios name and workgroup, and paste THAT value into smbldap.conf, otherwise the SID stored in LDAP may not match the one Samba uses.)
# vim /etc/ldap.secret
123456
(this must be the rootdn password chosen in slapd.conf; 123456 is only the placeholder used throughout this tutorial)
# chmod 600 /etc/ldap.secret
##########################################################################################
smbldap-tools configuration
#cd /etc/smbldap-tools/
# vim smbldap_bind.conf
slaveDN="cn=Manager,dc=hbn,dc=local"
slavePw="123456"
masterDN="cn=Manager,dc=hbn,dc=local"
masterPw="123456"
# this file contains the directory root password in clear text; keep it readable by root only
# chmod 600 /etc/smbldap-tools/smbldap_bind.conf
# vim smbldap.conf
###############################################################################
# General Configuration
###############################################################################
SID="S-1-5-21-3926925045-1584093657-3115473201"
sambaDomain="hbn.local"
###############################################################################
# LDAP Configuration
###############################################################################
slaveLDAP="127.0.0.1"
# Slave LDAP port
slavePort="389"
# Master LDAP server: needed for write operations
masterLDAP="127.0.0.1"
# Master LDAP 
# port
masterPort="389"
suffix="dc=hbn,dc=local"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=hbn.local,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
ldapTLS="0"
and, further down in the same file (the server name must be the netbios name set in smb.conf, HBN, not PDC-SRV):
userSmbHome="\\HBN\%U"
userProfile="\\HBN\profiles\%U"
------------------------------------------------------------------------------------
Samba config:
#vim /etc/samba/smb.conf
[global]
workgroup = hbn.local
netbios name = HBN
enable privileges = yes
# 192.168.1.131 is not an address of this server; if you restrict interfaces, use
# 192.168.44.150 (plus 127.0.0.1) and add "bind interfaces only = yes"
#interfaces = 192.168.1.131
username map = /etc/samba/smbusers
server string = samba-ldap-pdc
security = user
encrypt passwords = Yes
admin users = root
#min passwd length = 3
obey pam restrictions = No
ldap passwd sync = Yes
# refuse the weak LM response; Windows XP and later negotiate NTLM/NTLMv2 so
# nothing in this setup needs it (check the default for your Samba release)
lanman auth = no
# log level 0 with syslog 0 records practically nothing; a domain controller needs
# at least failed logons and account operations for incident response
log level = 1
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
#time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
# leave this commented: mapping guest access to root would give unauthenticated SMB clients root file access
#guest account = root
logon script = logon.bat
logon drive =
logon home =
logon path =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://127.0.0.1
# Samba binds as the directory root here. slapd.conf already grants
# cn=samba,ou=DSA,dc=hbn,dc=local what Samba needs; once that entry exists and
# the ACLs are verified, switch this to the DSA account and store its password
# with smbpasswd -w, so a compromised smbd cannot rewrite the whole directory.
ldap admin dn = cn=Manager,dc=hbn,dc=local
ldap suffix = dc=hbn,dc=local
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
# must match idmapdn in smbldap.conf (ou=Idmap, created by smbldap-populate); the original pointed at ou=Users
ldap idmap suffix = ou=Idmap
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
#ldap ssl = start_tls
add user script = /usr/sbin/smbldap-useradd -a '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
# the original had '%u''%g' with no space, which passes user and group as ONE argument
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
#logon script = STARTUP.BAT
[homes]
comment = Home 
Directories
valid users = %U
read only = No
create mask = 0664
directory mask = 0775
browseable = No
[profiles]
path = /home/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
browseable = No
# roaming profiles hold users' registry hives and documents; never allow guest
# access to them (the original had guest ok = Yes). valid users below already
# limits the share to the owner and Domain Admins.
guest ok = No
profile acls = Yes
csc policy = disable
force user = %U
valid users = %U @"Domain Admins"
[netlogon]
path = /home/samba/netlogon/
browseable = No
read only = yes
save and quit
------------------------------------------------------------------------------
# mkdir /home/samba
# mkdir /home/samba/netlogon
# mkdir /home/samba/profiles
# chmod 1777 /home/samba/profiles
#smbpasswd -w 123456
Setting stored password for "cn=Manager,dc=hbn,dc=local" in secrets.tdb
(smbpasswd -w takes the password on the command line, so it is visible in `ps` while it runs and stays in the shell history; remove it from the history afterwards, e.g. history -d <n>. The value must be the rootdn password from slapd.conf; 123456 is the tutorial placeholder.)
# smbldap-populate
Populating LDAP directory for domain hbn.local (S-1-5-21-3926925045-1584093657-3115473201)
(using builtin directory structure)
adding new entry: dc=hbn,dc=local
adding new entry: ou=Users,dc=hbn,dc=local
adding new entry: ou=Groups,dc=hbn,dc=local
adding new entry: ou=Computers,dc=hbn,dc=local
adding new entry: ou=Idmap,dc=hbn,dc=local
adding new entry: uid=root,ou=Users,dc=hbn,dc=local
adding new entry: uid=nobody,ou=Users,dc=hbn,dc=local
adding new entry: cn=Domain Admins,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Domain Users,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Domain Guests,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Domain Computers,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Administrators,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Account Operators,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Print Operators,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Backup Operators,ou=Groups,dc=hbn,dc=local
adding new entry: cn=Replicators,ou=Groups,dc=hbn,dc=local
adding new entry: sambaDomainName=hbn.local,dc=hbn,dc=local
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
# vim dsa.ldif
# Service (DSA) accounts referenced by the ACLs in slapd.conf. Their cn values
# must match the ACLs exactly. LDIF entries are separated by a blank line.
dn: ou=DSA,dc=hbn,dc=local
objectClass: top
objectClass: organizationalUnit
ou: DSA
description: security accounts for LDAP clients

dn: 
cn=samba,ou=DSA,dc=hbn,dc=local
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
# do not store service-account passwords in clear text: use the {SSHA} value
# printed by slappasswd for each account (the original LDIF held clear-text
# values such as sambasecretpwd)
userPassword: {SSHA}paste-the-output-of-slappasswd-here
cn: samba

dn: cn=nssldap,ou=DSA,dc=hbn,dc=local
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: {SSHA}paste-the-output-of-slappasswd-here
cn: nssldap

# the ACLs in slapd.conf grant cn=smbldap-tools,ou=DSA; the original created
# cn=smbtools here, which the ACLs never mention
dn: cn=smbldap-tools,ou=DSA,dc=hbn,dc=local
objectclass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
userPassword: {SSHA}paste-the-output-of-slappasswd-here
cn: smbldap-tools
# ldapadd -x -h localhost -D "cn=Manager,dc=hbn,dc=local" -f dsa.ldif -W
Enter LDAP Password:
adding new entry "ou=DSA,dc=hbn,dc=local"
adding new entry "cn=samba,ou=DSA,dc=hbn,dc=local"
adding new entry "cn=nssldap,ou=DSA,dc=hbn,dc=local"
adding new entry "cn=smbldap-tools,ou=DSA,dc=hbn,dc=local"
(Use -S so ldappasswd prompts for the new password instead of taking it on the command line; the original "-s password" both exposed it in `ps`/shell history and literally set the password to "password". Repeat for cn=nssldap and cn=smbldap-tools if you did not hash their passwords in the LDIF.)
#ldappasswd -x -h localhost -D "cn=Manager,dc=hbn,dc=local" -S -W cn=samba,ou=DSA,dc=hbn,dc=local
# /etc/init.d/smb start
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
# chkconfig --level 35 smb on
Now create a samba user account for UNIX and SAMBA
# smbldap-useradd -a -m namhb
# smbldap-passwd namhb
Changing UNIX and samba passwords for namhb
New password:
Retype new password:
Now create a machine trust account
# smbldap-useradd -w winxp
Finish
Thanks