Setup Samba on openLDAP

This is a simple walkthrough on making a Linux server act as a Windows Domain Controller. By using LDAP as the account backend, the server can scale to a few hundred users rather than 30 to 200. This guide is very distro specific: CentOS and RHEL. This is just a first draft of the guide and I will be improving it over time.

Please note that lines set apart on their own, like the ones below, are either a command to run or text that needs to be added to a configuration file.

First we need to install all the packages we need for the server.

yum install samba-* openldap -y

Then we need to copy the Samba schema so LDAP can use it. Please note that you'll need to change the path in the command to match the Samba version you have installed.

cp /usr/share/doc/samba-4.9.1/LDAP/samba.schema /etc/openldap/schema/samba.schema

Then we'll need to edit a few lines in the LDAP configuration file. First add the following line to /etc/openldap/slapd.conf (or ldap.conf) alongside the other include lines at the top of the file.

include /etc/openldap/schema/samba.schema

Add the access rights to slapd.conf in the appropriate section. The first rule limits the password attributes so that only entries under ou=admin and the user's own entry can write them, anonymous binds can only authenticate against them, and nobody else can read them; the second rule grants the admin OU write access and everyone else read access to the rest of the directory.

access to attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowLastChange
    by dn.children="ou=admin,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none
access to *
    by dn.children="ou=admin,dc=example,dc=com" write
    by * read

Then adjust suffix and rootdn in slapd.conf:

suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"

Use the slappasswd command to create a password hash and add it to slapd.conf as the rootpw line:

rootpw {SSHA}QL9L55wK/tOnsHs9flW+jJlWmws7aR6d

Enable indexing on the Samba attributes to improve lookup speed:

index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq

Next we need the smbldap-tools package, which comes from EPEL. If the EPEL repository is not already enabled, install it with the command below.

yum install epel-release -y

After installing the EPEL repository, install smbldap-tools so you can create accounts in LDAP.

yum install smbldap-tools

Now you'll need the local SID of the server. Run this command to get it:

net getlocalsid

Next you'll need to edit /etc/smbldap-tools/smbldap.conf and add the SID to the config file like this:

SID="S-1-5-21-2716683063-1859637689-668750523"

Change suffix and binddn to suit your domain name, then set the LDAP TLS option as below. This turns TLS off, which is only acceptable because the tools talk to the directory on 127.0.0.1 rather than over the network:

ldapTLS="0"

There are other options in the config file worth paying attention to; the documentation for each parameter is pretty self-explanatory.

Now edit /etc/smbldap-tools/smbldap_bind.conf and change Master/SlaveDN and Master/SlavePW to 127.0.0.1 and your LDAP password respectively.

Start LDAP

systemctl start slapd

or

service slapd start

Create the LDAP groups and users:

smbldap-populate

Create an admin account with ldapadd. After you enter your password the prompt line will be blank; start entering the dn: on that line. Be sure to hit return twice after each entry so that ldapadd will accept it.

ldapadd -cxW -D "cn=Manager,dc=example,dc=com"

Password: securepassword
dn: ou=admin,dc=example,dc=com
objectclass: organizationalUnit
ou: admin

dn: cn=samba,ou=admin,dc=example,dc=com
objectclass: person
cn: samba
sn: Samba-Admin-User
userPassword: verysecure

Use Ctrl+C to exit ldapadd.

Use authconfig to add LDAP as both the user and password source:

authconfig --enableldap --enableldapauth --ldapserver=127.0.0.1 --ldapbasedn=dc=example,dc=com --update

Adjust the following options in smb.conf (replace DOMAINNAME with your domain name):

workgroup = DOMAINNAME
ldap admin dn = cn=samba,ou=admin,dc=example,dc=com
ldap suffix = dc=example,dc=com

Add the following options to smb.conf. The three ou= suffixes are relative to the ldap suffix above and match the tree smbldap-populate created:

passdb backend = ldapsam:ldap://127.0.0.1/
domain master = yes
domain logons = yes
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap password change = yes

Edit the following line so that password changes go through smbldap-tools:

passwd program = /usr/sbin/smbldap-passwd %u

Comment out this line:

# unix password sync = yes

Store the password of the ldap admin dn so Samba can bind to LDAP. This must be the userPassword you set for cn=samba,ou=admin,dc=example,dc=com above, not the Manager rootpw:

smbpasswd -w verysecure
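Before starting Samba it is worth checking that the values copied by hand in the steps above agree with each other. The script below is an added example and not part of the original guide; it runs on constructed samples of the `net getlocalsid` output, smbldap.conf and smb.conf, and on a real host you would feed it the live command output and files instead.

```shell
#!/bin/sh
# Added consistency checks for this walkthrough (not from the original guide).
# Inputs are constructed samples; replace them with real data on a live host.

SAMPLE_NET_SID='SID for domain SERVER is: S-1-5-21-2716683063-1859637689-668750523'
SAMPLE_SMBLDAP_CONF='SID="S-1-5-21-2716683063-1859637689-668750523"
suffix="dc=example,dc=com"
ldapTLS="0"'
SAMPLE_SMB_CONF='[global]
workgroup = DOMAINNAME
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=samba,ou=admin,dc=example,dc=com
ldap suffix = dc=example,dc=com'

# SID printed by `net getlocalsid` (the value after the colon).
sid_from_net() { printf '%s\n' "$1" | sed -n 's/.*: *\(S-1-5-21-[0-9-]*\).*/\1/p'; }

# Value of key="..." in an smbldap.conf excerpt ($1 = key, $2 = file text).
smbldap_value() { printf '%s\n' "$2" | sed -n "s/^$1=\"\([^\"]*\)\".*/\1/p"; }

# Value of "key = value" in an smb.conf excerpt ($1 = key, $2 = file text).
smb_value() {
    printf '%s\n' "$2" | grep -i "^[[:space:]]*$1[[:space:]]*=" | sed 's/^[^=]*=[[:space:]]*//'
}

# 1. The SID in smbldap.conf must equal the one Samba reports, otherwise the
#    accounts smbldap-tools creates will carry SIDs from a different domain.
sids_match() { [ "$(sid_from_net "$1")" = "$(smbldap_value SID "$2")" ]; }

# 2. smbldap.conf's suffix and smb.conf's "ldap suffix" must agree, because
#    ou=People, ou=Groups and ou=Computers are resolved relative to that base.
suffixes_match() { [ "$(smbldap_value suffix "$1")" = "$(smb_value 'ldap suffix' "$2")" ]; }

# 3. "ldap admin dn" (the cn=samba,ou=admin entry) must live under the suffix.
admin_dn_under_suffix() {
    case "$(smb_value 'ldap admin dn' "$1")" in *",$(smb_value 'ldap suffix' "$1")") return 0 ;; esac
    return 1
}

# 4. Curly quotes pasted from a web page are not valid quoting for slapd or
#    smbldap-tools; only printable ASCII should appear in these excerpts.
ascii_only() { ! printf '%s\n' "$1" | LC_ALL=C grep -q '[^[:print:][:space:]]'; }

run_checks() {
    sids_match "$1" "$2"               && echo "ok: SID matches"        || echo "FAIL: SID mismatch"
    suffixes_match "$2" "$3"           && echo "ok: suffixes agree"     || echo "FAIL: suffix mismatch"
    admin_dn_under_suffix "$3"         && echo "ok: admin dn in suffix" || echo "FAIL: admin dn outside suffix"
    ascii_only "$2" && ascii_only "$3" && echo "ok: ASCII only"         || echo "FAIL: non-ASCII in config"
}

run_checks "$SAMPLE_NET_SID" "$SAMPLE_SMBLDAP_CONF" "$SAMPLE_SMB_CONF"
```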

Start Samba:

systemctl start smb

or

service smb start
