Complete PDC Server and BDC (slave). OpenLDAP+Samba+NFS
We are going to install a complete PDC server that serves user accounts to both Windows and Linux machines. We build a master and a slave machine to give the system high availability (HA).
I have used the Ubuntu Server 10.04 distribution. Follow these steps:
On Master:
1.- Install the software:
apt-get install slapd ldap-utils samba samba-doc libpam-smbpass smbclient smbldap-tools
2.- We need to add some additional schemas:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
3.- Create the backend configuration file for the LDAP service:
nano backend.ldif
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=domain,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=domain,dc=com
# The same secret is stored in Samba in step 5. A hash generated with
# slappasswd ({SSHA}...) can be used here instead of the cleartext value.
olcRootPW: password
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
# Only userPassword is protected by this rule; the Samba hash attributes
# (sambaLMPassword, sambaNTPassword) fall under the last rule and stay readable.
olcAccess: to attrs=userPassword by dn="cn=admin,dc=domain,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=domain,dc=com" write by * read
And load the file into the LDAP server:
ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
4.- Modify the Samba configuration:
nano /etc/samba/smb.conf
[global]
# Domain name
workgroup = DOMAIN.COM
# Server name - as seen by Windows PCs ..
netbios name = PDCServer
# Be a PDC ..
domain logons = Yes
domain master = Yes
# Be a WINS server ..
wins support = true
obey pam restrictions = Yes
dns proxy = No
os level = 35
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
pam password change = Yes
# Allows users on WinXP PCs to change their password when they press Ctrl-Alt-Del
unix password sync = no
ldap passwd sync = yes
# Printing from PCs will go via CUPS ..
load printers = yes
printing = cups
printcap name = cups
# Use LDAP for Samba user accounts and groups ..
passdb backend = ldapsam:ldap://localhost
# This must match the olcSuffix in backend.ldif ..
ldap suffix = dc=domain,dc=com
# The password for cn=admin MUST be stored in /etc/samba/secrets.tdb
# This is done by running 'sudo smbpasswd -w' (step 5).
ldap admin dn = cn=admin,dc=domain,dc=com
# 4 OUs that Samba uses when creating user accounts, computer accounts, etc.
# (Because we are using smbldap-tools, call them 'Users', 'Computers', etc.)
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
# Samba and LDAP server are on the same server in this example,
# so the connection never leaves the host and TLS is not used.
ldap ssl = no
# Scripts for Samba to use if it creates users, groups, etc.
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
# Script that Samba uses when a PC joins the domain ..
# (when changing 'Computer Properties' on the PC)
add machine script = /usr/sbin/smbldap-useradd -w '%u'
# Values used when a new user is created ..
# (Note: '%L' does not work properly with smbldap-tools 0.9.4-1)
logon drive =
logon home =
logon path =
logon script = allusers.bat
# This is required for Windows XP clients ..
server signing = auto
server schannel = Auto

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /disc1/users/netlogon
admin users = root
guest ok = Yes
browseable = No
logon script = allusers.bat

[Profiles]
comment = Roaming Profile Share
# would probably change this to elsewhere in a production system ..
path = /disc1/users/profiles
read only = No
profile acls = Yes
browsable = No

[printers]
comment = All Printers
path = /var/spool/samba
use client driver = Yes
create mask = 0600
guest ok = Yes
printable = Yes
browseable = No
public = yes
writable = yes
admin users = root
write list = root

[print$]
comment = Printer Drivers Share
path = /var/lib/samba/printers
write list = root
create mask = 0664
directory mask = 0775
admin users = root
5.- Now store in Samba the same password that we set as olcRootPW in the OpenLDAP configuration file:
smbpasswd -W
service smbd restart
Type the following line and press Enter when it asks for a password:
smbclient -L localhost
Something like this should appear:
Anonymous login successful
Domain=[DOMAIN.COM] OS=[Unix] Server=[Samba 3.4.7]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers Share
        shared          Disk
        archive         Disk
        IPC$            IPC       IPC Service (Samba 3.4.7)
Anonymous login successful
Domain=[DOMAIN.COM] OS=[Unix] Server=[Samba 3.4.7]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        DOMAIN.COM           PDCSERVER
6.- Create the user folders (the profiles and netlogon paths must match the smb.conf shares above):
mkdir -p /disc1/users/profiles
mkdir -p /disc1/users/homes
mkdir -p /disc1/users/netlogon
7.- Add the Samba schemas:
cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
gzip -d /etc/ldap/schema/samba.schema.gz
To add it to OpenLDAP (cn=config) you first need to convert it to LDIF:
nano schema_convert.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema
slapcat -f ~/schema_convert.conf -F ~ -n0 -s "cn={12}samba,cn=schema,cn=config" > ~/cn=samba.ldif
Some changes need to be made in this file:
nano cn\=samba.ldif
Change the following attributes (the {12} index comes from the position of samba.schema in the include list above; ldapadd will assign its own):
dn: cn={12}samba,cn=schema,cn=config
...
cn: {12}samba
to
dn: cn=samba,cn=schema,cn=config
...
cn: samba
Also, remove these operational attribute lines at the bottom of the file (the values will differ on your system):
structuralObjectClass: olcSchemaConfig
entryUUID: fd0ebb56-bcc3-102f-96ec-b349c2a696c6
creatorsName: cn=config
createTimestamp: 20110125114253Z
entryCSN: 20110125114253.060461Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110125114253Z
And finally add it to the OpenLDAP conf:
ldapadd -Y EXTERNAL -H ldapi:/// -f ~/cn\=samba.ldif
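The two manual edits of step 7 (dropping the {12} index from the dn and cn lines, and stripping the operational attributes slapcat appends) are easy to get wrong in an editor, and a leftover entryUUID or entryCSN line makes ldapadd reject the whole entry. The following script is an added example, not part of the original guide: it performs both edits on a slapcat dump, respecting LDIF continuation lines. The script name and the sample dump at the bottom are assumptions; the sample is a constructed excerpt, not real slapcat output from this server.

```python
"""Post-process a slapcat schema dump so that ldapadd accepts it (cn=config import).

Added example, not part of the original guide: it automates the manual edits
of step 7. It renames "cn={N}samba" to "cn=samba" in the dn and cn lines and
drops the operational attributes that slapcat writes at the end of the entry.
Usage: python convert_schema.py ~/cn=samba.ldif > ~/cn=samba.clean.ldif
(the script name is an assumption; run without arguments to process the
constructed sample below).
"""
import re
import sys

# Operational attributes that slapcat emits but ldapadd must not receive.
OPERATIONAL_ATTRS = {
    "structuralObjectClass",
    "entryUUID",
    "creatorsName",
    "createTimestamp",
    "entryCSN",
    "modifiersName",
    "modifyTimestamp",
}

# The "{12}" ordering index that cn=config prepends to the schema name.
INDEX_RE = re.compile(r"\{\d+\}")


def convert_schema_ldif(text):
    """Return (cleaned LDIF text, number of lines dropped)."""
    out = []
    dropped = 0
    skipping = False  # inside the continuation lines of a dropped attribute
    for line in text.splitlines():
        if line.startswith(" "):
            # LDIF continuation line: it belongs to the previous attribute.
            if skipping:
                dropped += 1
            else:
                out.append(line)
            continue
        skipping = False
        attr, sep, _value = line.partition(":")
        if sep and attr in OPERATIONAL_ATTRS:
            skipping = True
            dropped += 1
            continue
        if attr in ("dn", "cn"):
            # Only the entry name loses its index; the {n} ordering prefixes
            # on olcAttributeTypes/olcObjectClasses values must stay.
            line = INDEX_RE.sub("", line, count=1)
        out.append(line)
    return "\n".join(out) + "\n", dropped


# Constructed excerpt of what slapcat produces for the samba schema entry
# (one attribute type shown, wrapped the way slapcat wraps long lines).
SAMPLE_SLAPCAT_OUTPUT = """\
dn: cn={12}samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanMa
 nager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32
 } SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20110125114253Z
entryCSN: 20110125114253.060461Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110125114253Z
"""


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_SLAPCAT_OUTPUT
    cleaned, dropped = convert_schema_ldif(text)
    sys.stdout.write(cleaned)
    sys.stderr.write("dropped %d operational attribute line(s)\n" % dropped)


if __name__ == "__main__":
    main(sys.argv)
```

Run it on the real dump and feed the cleaned output to the ldapadd command above; the count printed on stderr should equal the number of operational lines listed in the step, otherwise slapcat wrote something this script did not expect and the file deserves a look before loading.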
8.- Configure smbldap-tools for the administration tasks:
gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
perl /usr/share/doc/smbldap-tools/configure.pl
Before continuing, we need to modify the following line in '/etc/default/slapd' so that slapd listens on the server's IP address (192.168.1.5) as well as on the local socket:
SLAPD_SERVICES="ldap://192.168.1.5:389/ ldapi:///"
And restart the service:
/etc/init.d/slapd restart
Answer all the questions according to how you want your PDC configured, then populate the directory:
smbldap-populate
/etc/init.d/slapd stop
9.- Rebuild the index and fix the ownership of the database files:
The next command will print a warning; you can ignore it.
slapindex
chown openldap:openldap /var/lib/ldap/*
/etc/init.d/slapd start
10.- Add root to the administrator group:
smbldap-groupmod -m 'root' 'Administrators'
11.- Install and configure the client support:
apt-get --yes install ldap-auth-client
Answer the questions with the IP address or DNS name of the server, port 389, and the same user and password that we set before.
auth-client-config -t nss -p lac_ldap
pam-auth-update ldap
12.- Let's check with a test user:
smbldap-useradd -a -m -P prueba
ldapsearch -xLLL -b "dc=domain,dc=com" uid=prueba -H ldap://192.168.1.5:389/
And we should see the following answer:
dn: uid=prueba,ou=Users,dc=domain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: prueba
sn: prueba
givenName: prueba
uid: prueba
uidNumber: 1001
gidNumber: 513
homeDirectory: /home/disc/prueba
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: prueba
sambaSID: S-1-5-21-3167597010-657216360-3316184497-3002
sambaPrimaryGroupSID: S-1-5-21-3167597010-657216360-3316184497-513
sambaLogonScript: allusers.bat
sambaProfilePath: \\PDCServer\profiles\prueba
sambaHomePath: \\PDCServer\prueba
sambaHomeDrive: Z:
sambaLMPassword: 3161C9670753329FAAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 06E7CD27E9E3ECF4426211D37CA2B236
sambaPwdLastSet: 1295957319
sambaPwdMustChange: 1299845319
shadowLastChange: 14999
shadowMax: 45
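Note what this search shows: it binds anonymously (ldapsearch -x with no -D), yet the answer includes sambaLMPassword and sambaNTPassword. The first olcAccess rule in backend.ldif names only userPassword, so the Samba hash attributes fall through to the "to * ... by * read" rule, and an NT hash is password-equivalent for NTLM authentication. The script below is an added example, not part of the original guide: it parses ldapsearch -LLL output and reports every entry that returns password material to the caller, which is the check to run after any ACL change. The sample input is constructed from the output above with the hash values replaced; the hardened rule it prints is the page's own first rule with the two attributes added.

```python
"""Flag password material returned by an anonymous LDAP search.

Added example, not part of the original guide. Feed it the LDIF that an
anonymous search (ldapsearch -x without -D) returns, as in step 12. The
backend.ldif ACL only protects userPassword, so sambaLMPassword and
sambaNTPassword fall under the catch-all "to * ... by * read" rule. The
sample below is constructed from the step-12 output with the hash values
replaced by placeholders.
"""

# Attributes that must never come back to an anonymous or ordinary bind.
SECRET_ATTRS = {"userPassword", "sambaLMPassword", "sambaNTPassword"}

# The page's first olcAccess rule with the Samba hash attributes added.
HARDENED_ACL = (
    "olcAccess: to attrs=userPassword,sambaLMPassword,sambaNTPassword "
    'by dn="cn=admin,dc=domain,dc=com" write by anonymous auth by self write by * none'
)


def parse_ldif_entries(text):
    """Parse ldapsearch -LLL output into a list of {attribute: [values]} dicts.

    Entries are separated by blank lines; a line starting with one space
    continues the previous value. Base64 ("::") values are kept undecoded,
    which is fine here because only attribute names matter.
    """
    entries, current, last_attr = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr, []).append(value.lstrip(": "))
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def exposed_secrets(ldif_text):
    """Return {dn: [leaked attribute names]} for every entry that leaks a secret."""
    findings = {}
    for entry in parse_ldif_entries(ldif_text):
        leaked = sorted(SECRET_ATTRS & set(entry))
        if leaked:
            findings[entry["dn"][0]] = leaked
    return findings


# Constructed sample: the user entry an anonymous search returned in step 12
# (hash values replaced) plus a group entry that carries no secret.
SAMPLE_ANON_SEARCH = """\
dn: uid=prueba,ou=Users,dc=domain,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: prueba
sambaSID: S-1-5-21-3167597010-657216360-3316184497-3002
sambaLMPassword: 00000000000000000000000000000000
sambaAcctFlags: [U]
sambaNTPassword: 11111111111111111111111111111111
shadowMax: 45

dn: cn=Domain Users,ou=Groups,dc=domain,dc=com
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
"""


if __name__ == "__main__":
    findings = exposed_secrets(SAMPLE_ANON_SEARCH)
    if not findings:
        print("no password attributes visible to this bind")
    for dn, attrs in findings.items():
        print("%s exposes %s" % (dn, ", ".join(attrs)))
    if findings:
        print("suggested replacement for the first olcAccess rule:")
        print("  " + HARDENED_ACL)
```

To use it against the live server, pipe the step-12 ldapsearch output into the script (reading sys.stdin instead of the sample) once as anonymous and once bound as a normal user; after applying the hardened rule both runs should report nothing, while a search bound as cn=admin still returns the attributes.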
13.- To export the home directories to the Linux machines:
apt-get install nfs-kernel-server
Edit the file '/etc/exports' and add the following line to share the folder with the Linux machines:
/disc1/users/homes/ 192.168.1.5/255.255.255.0(rw)
/etc/init.d/nfs-kernel-server restart
14.- On the master server, modify the OpenLDAP configuration to turn it into a replication provider:
nano provider_sync.ldif
# Add indexes to the primary db.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq

# Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
-
add: olcModuleLoad
olcModuleLoad: accesslog

# Accesslog database definitions
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=domain,dc=com
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

# Accesslog db syncprov.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE

# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00
15.- Adjust the AppArmor profile so that slapd can use the accesslog directory:
nano /etc/apparmor.d/usr.sbin.slapd
And add:
/var/lib/ldap/accesslog/ r,
/var/lib/ldap/accesslog/** rwk,
sudo -u openldap mkdir /var/lib/ldap/accesslog
sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog/
sudo /etc/init.d/apparmor reload
Finally add the conf to OpenLDAP:
ldapadd -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif
/etc/init.d/slapd restart
16.- To configure the slave server, follow all the steps up to 13 on it as well. Then, instead of step 14, do this:
nano consumer_sync.ldif
# Load the syncprov module.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

# syncrepl specific indices
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcSyncRepl
# credentials must match the olcRootPW set on the master in step 3
olcSyncRepl: rid=0 provider=ldap://192.168.1.5 bindmethod=simple binddn="cn=admin,dc=domain,dc=com"
  credentials=password searchbase="dc=domain,dc=com" logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on
  type=refreshAndPersist retry="60 +" syncdata=accesslog
-
add: olcUpdateRef
olcUpdateRef: ldap://192.168.1.5
ldapadd -c -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif
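Once the consumer is loaded, the usual way to confirm that the slave actually follows the master is to read the contextCSN operational attribute of the suffix on both servers (for example ldapsearch -x -LLL -H ldap://192.168.1.5 -s base -b dc=domain,dc=com contextCSN, and the same against the slave) and compare the values. The script below is an added example, not part of the original guide: it parses the CSN format (UTC timestamp, change counter, server id, modification number, the same format as the entryCSN shown in step 7) and reports how far behind the consumer is. The CSN values in it are constructed.

```python
"""Compare provider and consumer contextCSN values to tell whether the slave is in sync.

Added example, not part of the original guide. A CSN has the form
    YYYYmmddHHMMSS.ffffffZ#cccccc#sid#mmmmmm
(UTC timestamp, hex change counter, hex server id, hex modification number).
Read the contextCSN of dc=domain,dc=com on both servers and pass the two
strings to replication_lag(). The values used below are constructed.
"""
import re
from datetime import datetime, timezone

CSN_RE = re.compile(
    r"^(?P<ts>\d{14})\.(?P<us>\d{6})Z"
    r"#(?P<count>[0-9a-fA-F]{6})#(?P<sid>[0-9a-fA-F]{3})#(?P<mod>[0-9a-fA-F]{6})$"
)


def parse_csn(csn):
    """Split a CSN into (utc datetime, count, sid, mod)."""
    m = CSN_RE.match(csn.strip())
    if m is None:
        raise ValueError("not a CSN: %r" % (csn,))
    stamp = datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S").replace(
        microsecond=int(m.group("us")), tzinfo=timezone.utc
    )
    return (
        stamp,
        int(m.group("count"), 16),
        int(m.group("sid"), 16),
        int(m.group("mod"), 16),
    )


def replication_lag(provider_csn, consumer_csn):
    """Seconds the consumer is behind the provider; 0.0 when the CSNs match.

    A negative value means the consumer holds a newer CSN than the provider,
    which should not happen in this single-provider setup and deserves a look.
    """
    p_stamp, p_count, p_sid, _ = parse_csn(provider_csn)
    c_stamp, c_count, c_sid, _ = parse_csn(consumer_csn)
    if p_sid != c_sid:
        raise ValueError("CSNs belong to different server ids: %d vs %d" % (p_sid, c_sid))
    if (p_stamp, p_count) == (c_stamp, c_count):
        return 0.0
    return (p_stamp - c_stamp).total_seconds()


def in_sync(provider_csn, consumer_csn, tolerance=0.0):
    """True when the consumer is no more than `tolerance` seconds behind."""
    return 0.0 <= replication_lag(provider_csn, consumer_csn) <= tolerance


if __name__ == "__main__":
    # Constructed values: the provider's last write is 90 seconds newer than
    # the consumer's last applied change.
    provider = "20110125114253.060461Z#000000#000#000000"
    consumer = "20110125114123.000000Z#000000#000#000000"
    print("lag: %.6f s, in sync: %s" % (replication_lag(provider, consumer),
                                         in_sync(provider, consumer)))
```

With refreshAndPersist the lag should stay at 0.0 except for a few seconds right after a write on the master; a lag that keeps growing, or a ValueError about different server ids, means the consumer is not receiving changes from the provider configured in olcSyncRepl and the retry/credentials settings are the first thing to check.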
PS: If you find problems with logins, check the permissions: each user must have permission over their own folder.
Make sure that /etc/hosts on both servers has both server names registered with their IP addresses.
Linux. May 16th, 2013. 0 comments