
Complete PDC Server and BDC (slave). OpenLDAP+Samba+NFS

We are going to install a complete PDC server that serves user accounts to Windows and Linux machines. We build a master and a slave machine so that the system has high availability (HA).

I have used the Ubuntu Server 10.04 distribution. Follow these steps:

On Master:

1.- Install the software:

apt-get install slapd ldap-utils samba samba-doc libpam-smbpass smbclient smbldap-tools

2.- Add the additional schemas that are needed:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

3.- Create the configuration file for the database backend:

nano backend.ldif

# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=domain,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=domain,dc=com
# olcRootPW also accepts a {SSHA} hash generated with slappasswd instead of a clear-text value
olcRootPW: password
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
# Note: this rule protects only userPassword. The Samba hashes (sambaLMPassword,
# sambaNTPassword) fall under the final "to * ... by * read" rule and are readable
# anonymously, as the ldapsearch output in step 12 shows; add them to this attrs
# list if they must not be world-readable.
olcAccess: to attrs=userPassword by dn="cn=admin,dc=domain,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=domain,dc=com" write by * read

Then load the file into the LDAP service:

ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif

4.- Modify the Samba configuration:

nano /etc/samba/smb.conf

[global]
# Domain name
workgroup = DOMAIN.COM
# Server name - as seen by Windows PCs ..
netbios name = PDCServer
# Be a PDC ..
domain logons = Yes
domain master = Yes
# Be a WINS server ..
wins support = true
obey pam restrictions = Yes
dns proxy = No
os level = 35
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
pam password change = Yes
# Allows users on WinXP PCs to change their password when they press Ctrl-Alt-Del
unix password sync = no
ldap passwd sync = yes
# Printing from PCs will go via CUPS ..
load printers = yes
printing = cups
printcap name = cups
# Use LDAP for Samba user accounts and groups ..
passdb backend = ldapsam:ldap://localhost
# This must match the olcSuffix in backend.ldif ..
ldap suffix = dc=domain,dc=com
# The password for cn=admin MUST be stored in /etc/samba/secrets.tdb
# This is done by running 'sudo smbpasswd -w'.
ldap admin dn = cn=admin,dc=domain,dc=com
# 4 OUs that Samba uses when creating user accounts, computer accounts, etc.
# (Because we are using smbldap-tools, call them 'Users', 'Computers', etc.)
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
# Samba and LDAP server are on the same server in this example.
ldap ssl = no
# Scripts for Samba to use if it creates users, groups, etc.
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
# Script that Samba uses when a PC joins the domain ..
# (when changing 'Computer Properties' on the PC)
add machine script = /usr/sbin/smbldap-useradd -w '%u'
# Values used when a new user is created ..
# (Note: '%L' does not work properly with smbldap-tools 0.9.4-1)
logon drive =
logon home =
logon path =
logon script = allusers.bat
# This is required for Windows XP client ..
server signing = auto
server schannel = Auto

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /disc1/users/netlogon
admin users = root
guest ok = Yes
browseable = No
logon script = allusers.bat

[profiles]
comment = Roaming Profile Share
# would probably change this to elsewhere in a production system ..
path = /disc1/users/profiles
read only = No
profile acls = Yes
browsable = No

[printers]
comment = All Printers
path = /var/spool/samba
use client driver = Yes
create mask = 0600
guest ok = Yes
printable = Yes
browseable = No
public = yes
writable = yes
admin users = root
write list = root

[print$]
comment = Printer Drivers Share
path = /var/lib/samba/printers
write list = root
create mask = 0664
directory mask = 0775
admin users = root

5.- Now store the same password that we set as olcRootPW in the OpenLDAP configuration file in Samba's secrets.tdb, and restart Samba:

smbpasswd -W

service smbd restart

Type the following line and press Enter when it asks for a password:

smbclient -L localhost

And something like this should appear:

Anonymous login successful
Domain=[DOMAIN.COM] OS=[Unix] Server=[Samba 3.4.7]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers Share
        shared          Disk
        archive         Disk
        IPC$            IPC       IPC Service (Samba 3.4.7)
Anonymous login successful
Domain=[DOMAIN.COM] OS=[Unix] Server=[Samba 3.4.7]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------


6.- Create the user directories (the paths must match the shares in smb.conf):

mkdir -p /disc1/users/profiles

mkdir -p /disc1/users/homes

mkdir -p /disc1/users/netlogon

7.- Add the Samba schemas:

cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/

gzip -d /etc/ldap/schema/samba.schema.gz

To add them to OpenLDAP you need to convert them:

nano schema_convert.conf

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema

The samba schema is the 13th include, so slapd numbers it {12}; export just that entry:

slapcat -f ~/schema_convert.conf -F ~ -n0 -s "cn={12}samba,cn=schema,cn=config" > ~/cn=samba.ldif

Some changes need to be made in this file:

nano cn\=samba.ldif

Change the following attributes:

dn: cn={12}samba,cn=schema,cn=config
cn: {12}samba

to:

dn: cn=samba,cn=schema,cn=config
cn: samba

Also, remove all these lines at the bottom of the file:

structuralObjectClass: olcSchemaConfig
entryUUID: fd0ebb56-bcc3-102f-96ec-b349c2a696c6
creatorsName: cn=config
createTimestamp: 20110125114253Z
entryCSN: 20110125114253.060461Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110125114253Z

And finally add it to the OpenLDAP conf:

ldapadd -Y EXTERNAL -H ldapi:/// -f ~/cn\=samba.ldif
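The hand edits to cn=samba.ldif in this step can also be scripted. The following is an added example, not code from the original post; it assumes the file was produced by the slapcat command above, so the schema index is {12}:

```shell
#!/bin/sh
# Added example: clean up the slapcat output for the samba schema so that
# ldapadd accepts it.  SCHEMA_INDEX is an assumption taken from the slapcat
# command above; change it if schema_convert.conf lists the files differently.
SCHEMA_INDEX=12

# clean_schema_ldif FILE: drop the {N} index from the dn and cn lines and
# remove the operational attributes slapcat appends; cleaned LDIF on stdout.
clean_schema_ldif() {
    sed -e "s/^dn: cn={$SCHEMA_INDEX}samba,cn=schema,cn=config\$/dn: cn=samba,cn=schema,cn=config/" \
        -e "s/^cn: {$SCHEMA_INDEX}samba\$/cn: samba/" \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d' "$1"
}

# count_operational FILE: number of operational lines still present, so the
# result can be verified before running ldapadd (prints 0 when clean).
count_operational() {
    grep -c -e '^structuralObjectClass: ' -e '^entryUUID: ' -e '^creatorsName: ' \
            -e '^createTimestamp: ' -e '^entryCSN: ' -e '^modifiersName: ' \
            -e '^modifyTimestamp: ' "$1" || true
}

# Sample slapcat output, constructed for this example (a real file carries
# all the olcAttributeTypes/olcObjectClasses lines of samba.schema).
sample_schema() {
cat <<'EOF'
dn: cn={12}samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20110125114253Z
entryCSN: 20110125114253.060461Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110125114253Z
EOF
}

# Usage on the real file: clean_schema_ldif ~/cn=samba.ldif > ~/cn=samba.clean.ldif
```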

8.- Configure the smbldap-tools, used for the administration tasks:

gzip -d /usr/share/doc/smbldap-tools/

perl /usr/share/doc/smbldap-tools/

Before continuing, we need to set the next line in /etc/default/slapd so that slapd listens on both ldap:// and ldapi:///:

SLAPD_SERVICES="ldap:// ldapi:///"

And restart the service:

/etc/init.d/slapd restart

Answer all the questions the configuration script asks according to how you want your PDC configured.

Then stop slapd before fixing the permissions in the next step:

/etc/init.d/slapd stop

9.- Fix the permissions of the databases and the index:

The next command may print a warning; you can ignore it:

chown openldap:openldap /var/lib/ldap/*

/etc/init.d/slapd start

10.- Add root to the administrator group:

smbldap-groupmod -m 'root' 'Administrators'

11.- Install and configure the client support:

apt-get --yes install ldap-auth-client

Answer the questions with the IP address or DNS name of the server, port 389, and the same admin DN and password that we set before.

auth-client-config -t nss -p lac_ldap

pam-auth-update ldap

12.- Let's create a test user and check it:

smbldap-useradd -a -m -P prueba

ldapsearch -xLLL -b "dc=domain,dc=com" uid=prueba -H ldap://

And we should see an entry like this (note that this is an anonymous search, and the sambaLMPassword and sambaNTPassword hashes are returned because the olcAccess rules in backend.ldif only restrict userPassword):

dn: uid=prueba,ou=Users,dc=domain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: prueba
sn: prueba
givenName: prueba
uid: prueba
uidNumber: 1001
gidNumber: 513
homeDirectory: /home/disc/prueba
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: prueba
sambaSID: S-1-5-21-3167597010-657216360-3316184497-3002
sambaPrimaryGroupSID: S-1-5-21-3167597010-657216360-3316184497-513
sambaLogonScript: allusers.bat
sambaProfilePath: \\PDCServer\profiles\prueba
sambaHomePath: \\PDCServer\prueba
sambaHomeDrive: Z:
sambaLMPassword: 3161C9670753329FAAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 06E7CD27E9E3ECF4426211D37CA2B236
sambaPwdLastSet: 1295957319
sambaPwdMustChange: 1299845319
shadowLastChange: 14999
shadowMax: 45

13.- To export the home directories to the Linux machines:

apt-get install nfs-kernel-server

Edit the file /etc/exports and add a line exporting the home folder to the Linux machines, then restart the NFS server:

/etc/init.d/nfs-kernel-server restart

14.- On the master server you have to modify the OpenLDAP configuration to make it a syncrepl provider:

nano provider_sync.ldif

# Add indexes to the frontend db.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq

# Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
-
add: olcModuleLoad
olcModuleLoad: accesslog

# Accesslog database definitions
dn: olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=domain,dc=com
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

# Accesslog db syncprov.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE

# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00

Note that in a modify record each change is separated by a line containing only "-"; without those lines ldapadd rejects the record.

15.- Adjust the AppArmor profile for slapd:

nano /etc/apparmor.d/usr.sbin.slapd

And add:

/var/lib/ldap/accesslog/ r,
/var/lib/ldap/accesslog/** rwk,

Create the accesslog directory with its DB_CONFIG and reload AppArmor:

sudo -u openldap mkdir /var/lib/ldap/accesslog
sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog/
sudo /etc/init.d/apparmor reload

Finally add the configuration to OpenLDAP and restart it:

ldapadd -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif
/etc/init.d/slapd restart
16.- To configure the slave server, follow all the steps up to 13. Then, instead of step 14, do this:

nano consumer_sync.ldif

# Load the syncprov module.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

# syncrepl specific indices
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap:// bindmethod=simple binddn="cn=admin,dc=domain,dc=com"
  credentials=password searchbase="dc=domain,dc=com" logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on
  type=refreshAndPersist retry="60 +" syncdata=accesslog
-
add: olcUpdateRef
olcUpdateRef: ldap://

The provider and olcUpdateRef URLs must be the URL of the master server (the name registered in /etc/hosts). The olcSyncRepl value is wrapped over several lines; each continuation line starts with a space, which LDIF strips when joining. Note that binddn and credentials here are the rootdn and its clear-text password; a dedicated read-only replication account is the safer choice.

ldapadd -c -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif
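Once the consumer is loaded, replication can be verified by comparing the contextCSN of the suffix entry on both servers. The following script is an added example, not part of the original post; MASTER_URI and SLAVE_URI are assumptions to replace with your own hostnames:

```shell
#!/bin/sh
# Added example: check that the slave has caught up with the master by
# comparing the contextCSN operational attribute of dc=domain,dc=com.
# MASTER_URI and SLAVE_URI are assumptions; use the names from /etc/hosts.
MASTER_URI="ldap://pdcmaster"
SLAVE_URI="ldap://pdcslave"
BASE="dc=domain,dc=com"

# extract_csn: read ldapsearch -LLL output on stdin and print the first
# contextCSN value (the attribute is short, so ldapsearch never wraps it).
extract_csn() {
    sed -n 's/^contextCSN: //p' | head -n 1
}

# fetch_csn URI: anonymous base-scope search for contextCSN on one server
# (readable because backend.ldif grants "to * ... by * read").
fetch_csn() {
    ldapsearch -x -LLL -H "$1" -s base -b "$BASE" contextCSN | extract_csn
}

# csn_in_sync MASTER_CSN SLAVE_CSN: succeeds when both exist and are equal.
csn_in_sync() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# csn_lag MASTER_CSN SLAVE_CSN: prints ok, behind, ahead or unknown.  A CSN
# starts with a UTC timestamp, so a lagging slave sorts before the master;
# "ahead" means the slave accepted a local write or its clock is skewed.
csn_lag() {
    if [ -z "$1" ] || [ -z "$2" ]; then echo unknown
    elif [ "$1" = "$2" ]; then echo ok
    elif [ "$(printf '%s\n%s\n' "$1" "$2" | sort | head -n 1)" = "$2" ]; then echo behind
    else echo ahead
    fi
}

# Sample ldapsearch output, constructed for this example.
sample_master() { printf 'dn: dc=domain,dc=com\ncontextCSN: 20110125114253.060461Z#000000#000#000000\n'; }
sample_slave_behind() { printf 'dn: dc=domain,dc=com\ncontextCSN: 20110125114000.000000Z#000000#000#000000\n'; }

# Live check against the real servers only when run as: sh check_sync.sh --live
if [ "$1" = "--live" ]; then
    m=$(fetch_csn "$MASTER_URI"); s=$(fetch_csn "$SLAVE_URI")
    echo "master=$m slave=$s status=$(csn_lag "$m" "$s")"
fi
```

Run it from cron on the slave and alert on anything other than "ok" for more than a few minutes; a persistent "behind" usually means the consumer cannot bind to the provider.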

PS: If you have problems with logins, check the permissions: each user must have permission over their own folder.
Make sure that /etc/hosts on both servers has both server names registered with their IP addresses.
