Raspberry Pi Infrastructure Series Samba PDC using LDAP (PART 2) |
In the second part of setting up a Samba PDC using LDAP we'll update the LDAP schema to allow for Samba objects, then we'll install and configure Samba. After that's all done we'll have a working Samba domain controller.
Updating the LDAP schema

In order for LDAP to function with Samba we have to include a schema in the configuration so it knows how the objects are defined. For this we're going to get samba, samba-common-bin, and smbldap-tools installed and out of the way.

    sudo apt-get install samba samba-common-bin smbldap-tools

After that's done we need to copy the Samba schema from the examples folder into the LDAP configuration folder.

    sudo cp /usr/share/doc/samba/examples/LDAP/samba.schema.gz /etc/ldap/schema

With that in place we now need to create a file that we'll use to generate the config file that slapd needs. Put the following into a samba.conf somewhere; the location isn't important.

    include /etc/ldap/schema/core.schema

With that file we're going to run the following commands, which will generate the appropriate file; then we'll move it into place and restart slapd.

    mkdir /tmp/slapd.d

As long as you didn't encounter any errors along the way, LDAP should now be configured for handling Samba objects.

Samba Installation and Configuration

Technically at this point we've got Samba installed, but we still need to get it configured for LDAP. Thankfully smbldap-tools provides files to make this process relatively simple. In the following commands we're going to move the default Samba configuration and copy over a template for setting up a PDC with LDAP.

    sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak

Now with a text editor we need to open /etc/samba/smb.conf and make some changes. Only the following settings in this file need to be modified.

    workgroup = DUCKY-PONDLAN

Once that's done we need to restart Samba, and then run smbpasswd with the -W switch; this is where you give Samba the password for your LDAP admin user so that Samba can bind to the LDAP server. After it has the password we restart Samba one more time. At this point Samba will connect to LDAP and create an object in LDAP representing your domain.

    sudo service samba restart

And then if I log in to LAM and look at the Samba domains I should see the entry for my domain as below.
We're almost there; all that's left is to populate LDAP with the standard groups and a couple of users. First we need to copy a couple of template configuration files into place.

    sudo cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/

Now let's open /etc/smbldap-tools/smbldap_bind.conf in a text editor and modify the following values.

    slaveDN="cn=admin,dc=ducky-pond,dc=lan"

Next we need to open /etc/smbldap-tools/smbldap.conf and modify the following values. For the SID you need to run the command sudo net getlocalsid prior to this and copy that value into that field.

    SID="S-1-5-21-1705418217-809208568-3223557651"

With those changes everything should be set, so let's run the command to populate the Samba objects. During the process it will ask you to provide a password for the domain root user. This is the default domain administrator account, so I would suggest giving it a complex password. This is generally the account you'll use when you join a computer to the domain.

    sudo smbldap-populate

After that's done everything should be set, and you should have a functioning Samba PDC with LDAP. If we log back into LAM you should see the root and nobody users as well as the standard domain groups.
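A small check, added here and not part of the original tutorial, for the step above: it compares the SID written into smbldap.conf against what `net getlocalsid` reports, since a copied-in SID that does not match the one Samba uses gives every populated object the wrong domain SID. The `net getlocalsid` output line and the sambaDomain value are assumptions; the SID itself is the one shown on the page.

```python
import re

# Constructed sample of `sudo net getlocalsid` output. The SID is the value the
# page shows; the host name PDC-SRV is taken from the page's share path.
NET_GETLOCALSID_OUTPUT = (
    "SID for domain PDC-SRV is: S-1-5-21-1705418217-809208568-3223557651\n"
)

# Constructed fragment of /etc/smbldap-tools/smbldap.conf. Only the SID line is
# from the page; the sambaDomain line is an assumption.
SMBLDAP_CONF = '''
# smbldap.conf (constructed sample)
SID="S-1-5-21-1705418217-809208568-3223557651"
sambaDomain="DUCKY-PONDLAN"
'''

# A domain SID: S-1-5-21 followed by three sub-authorities.
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+")

def sid_from_getlocalsid(output):
    """Pull the domain SID out of `net getlocalsid` output, or None."""
    match = SID_RE.search(output)
    return match.group(0) if match else None

def smbldap_values(text):
    """Parse KEY="value" lines of smbldap.conf into a dict, ignoring comments."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if sep:
            values[key.strip()] = val.strip().strip('"')
    return values

def check_sid(getlocalsid_output, smbldap_conf_text):
    """Return (ok, message): does smbldap.conf carry the SID Samba reports?"""
    local = sid_from_getlocalsid(getlocalsid_output)
    conf = smbldap_values(smbldap_conf_text).get("SID", "")
    if local is None:
        return False, "no domain SID found in net getlocalsid output"
    if not SID_RE.fullmatch(conf):
        return False, "SID in smbldap.conf is missing or malformed: %r" % conf
    if conf != local:
        return False, "SID mismatch: smbldap.conf %s vs Samba %s" % (conf, local)
    return True, "SID matches: %s" % conf
```

On the Pi you would feed it the real output of `sudo net getlocalsid` and the contents of /etc/smbldap-tools/smbldap.conf before running smbldap-populate.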
At this point the tutorial is technically done and you can now join machines to the domain and authenticate users against it using the DUCKY-PONDLAN\ prefix, like DUCKY-PONDLAN\user. However, in the next section I'll briefly describe how to create a basic user and set up a file share.

Creating a user and sharing a folder

To create a user on our PDC we need to log in to LAM and on the Users tab click New User. First fill out the information on the Personal tab, then proceed to the Unix tab. There isn't much you really need to configure here, but let's go ahead and set the Primary Group to Domain Users. After that click the Samba 3 tab and hit Add Samba 3 extension. Everything should be set here by default; the Windows Group should be set to Domain Users. Now finally, click Set Password and enter a password for the account. Once that's done hit the Save button and the user will be created.

Now in the /home/pi directory let's create a directory that the user will be able to access, and a test file.

    sudo mkdir /home/pi/share

Then let's open /etc/samba/smb.conf and add the following lines to the end. This will set up the share.

    [SHARE]

Lastly, restart Samba by doing sudo service samba restart. After that you should be able to navigate to \\PDC-SRV\share, enter DUCKY-PONDLAN\user with the password, and see the hello.txt file we created. That's the basics of sharing a folder to a user. If you want to share with a group instead of a user, then in valid users just prefix the name of the group with a @.
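To check the share you just added, here is an added audit (my example, not code from the tutorial) that parses smb.conf, splits `valid users` into users and @-prefixed groups as described above, and flags shares that are open to guests or have no `valid users` restriction. The workgroup line and [SHARE] header come from the page; the share parameters and the extra [public] share are assumptions constructed to show what gets flagged.

```python
import configparser

# Constructed smb.conf excerpt: the workgroup line and the [SHARE] header are
# from the page; the other parameters and the [public] share are assumptions.
SAMPLE_SMB_CONF = """[global]
    workgroup = DUCKY-PONDLAN
[SHARE]
    path = /home/pi/share
    valid users = user, @"Domain Users"
    guest ok = no
    writable = yes
[public]
    path = /srv/public
    guest ok = yes
"""

def parse_smb_conf(text):
    """smb.conf is INI-like: case-insensitive keys that may contain spaces."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser

def split_valid_users(value):
    """Split a 'valid users' value into (users, groups). Samba treats an entry
    starting with @ as a group; quotes may wrap names containing spaces."""
    users, groups = [], []
    for raw in value.split(","):
        entry = raw.strip().replace('"', "")
        if entry.startswith("@"):
            groups.append(entry[1:])
        elif entry:
            users.append(entry)
    return users, groups

def audit_shares(text):
    """Return {share: {'users', 'groups', 'problems'}} for each non-global section."""
    parser = parse_smb_conf(text)
    report = {}
    for section in parser.sections():
        if section.lower() == "global":
            continue
        users, groups = split_valid_users(
            parser.get(section, "valid users", fallback=""))
        problems = []
        if parser.get(section, "guest ok", fallback="no").strip().lower() == "yes":
            problems.append("guest ok = yes: share is open without authentication")
        if not users and not groups:
            problems.append("no 'valid users': any domain account can connect")
        report[section] = {"users": users, "groups": groups, "problems": problems}
    return report
```

Run it against the real /etc/samba/smb.conf after editing; a [SHARE] entry with an empty problems list is what you want before restarting Samba.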
BLC
Hey
I've followed this through to the last step (creating a PDC user and sharing a folder), but I've run into an issue. It seems that LAM hasn't added the new user as a Unix user (nor has it added the domain groups as Unix groups) so when I come to chown the test directory to my new user, it fails because the username specified is invalid. I am guessing that LAM is supposed to add new domain users as Unix users, so any idea what I've done wrong?
Steve
alright from the comments it looks like everyone can get this to work except me. I have run through this tutorial twice now and I run into the same problem each time. I can add my user, I can add my machine. I can join my machine to the domain, but when I go to log on to the PC that I just added to the domain I get an error. Trust Relationship between this workstation and primary domain failed. Arrrgh! It seems to be a common error with Samba servers because I've found some mentions of it on different forums but NO solution. Do you have any suggestions?
greg
I'm getting this, any suggestions?
LDAP search failed! Please check your preferences. Invalid DN syntax
DerekJ
OK I got it!
I'll paste a comment in the section 1 as I think that when running this from a clean install you need to update stuff first. Cheers DerekJ
DerekJ
Hi,
I just completed this installation on a new disk flashed with Wheezy, many thanks Ben, this is just what I wanted. It worked well and the only problem I had was understanding which username/password was responsible for what so I set all of the passwords the same. I had the error reported below by Jeremy and the mod he shows worked. I used my common password in the MasterPw section as indicated below and it worked a treat. I joined my workstation to the domain using Root's username and password I used :- sudo passwd root to set it but I don't know if that was needed or not. I can log on to the workstation as [domain]\root and run LAM. I can browse \\PDC-SRV from my workstation but don't have permissions to browse the share set up as above, although I can see it. I added a user and made sure everything (except the user name and UID) was the same as root but I can't log on to the workstation as this user. I get the "user name or password incorrect" error. Any idea what I'm doing wrong? Have I missed something that needs to be set up on the PDC for the user that's not set through LAM? Thanks again to Ben for this. DerekJ
Ben Hanna
@DerekJ
That is correct, just create a file (samba.conf) and copy those lines into it.
DerekJ
Hi,
Just reading through this to make sure I understand it before trying to install it. Everything makes sense to me except the section "With that in place we now need to create a file that we'll use to generate....." Do I just create a file called samba.conf and copy the lines as they are shown?
Ben Hanna
@MQ
If you change the port that Nginx/Apache listens on then it won't take over the default port. The better way is to set the server_name for LDAP Account Manager to ldap.myserver.com. This will make it so the webserver only serves that page when the ldap.myserver.com address is requested. You just need to make sure that you have a DNS record that points ldap.myserver.com to the webserver.
MQ
I got the error I posted about previously resolved. However, I was wondering if there's a way to make the LDAP account manager NOT be the "homepage" of my webserver? If I punch in my Pi's IP, it'll go straight to the LDAP account manager. What I'd like to do is move this to something else like ldap.myserver.com for example. I ask this because I'd like to set up Dynamic DNS, but I don't want the LDAP control panel to be the front page. Thank you for your awesome guides.
MQ
You have great guides. I've been following this one, but for some reason after I do the smbldap-populate command -- it won't show the users and groups on the users & groups page for LDAP Account Manager. But it still shows them in the Tree View. Any ideas?
Ben Hanna
@Jeremy
That is correct, the reason I have 'admin' set there is because that's what I specified as using for the default LDAP password in Part 1.
Jeremy
I think I may have found the solution here: http://www.howtoforge.com/forums/archive/index.php/t-21069.html
when editing /etc/smbldap-tools/smbldap_bind.conf where it has: masterPw="admin" it should be the password you've set, not 'admin'
Jeremy
I too am getting the same error
"failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 500." "Please provide a password for the domain root: Use of qw(...) as parentheses is deprecated at /usr/share/perl5/smbldap_tools.pm line 1423, line 558. /usr/sbin/smbldap-passwd: user root doesn't exist"
kelxon
From: http://raerek.blogspot.com/2012/05/samba-pdc-on-ubuntu-1204-using-ldap_28.html
it says to change: Now for the case of qw. Search the line in question in the file mentioned above and replace for my $sig_name qw(ALRM INT HUP QUIT TERM TSTP TTIN TTOU) { with this (the parentheses in bold(?) are new): for my $sig_name (qw(ALRM INT HUP QUIT TERM TSTP TTIN TTOU)) { Made the change but still getting the error on the first part that I didn't add in the first post. That error I'm still getting is: adding new entry: cn=Replicators,ou=Groups,dc=my-dcname,dc=com failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 500.
kelxon
When I try to run "sudo smbldap-populate" I'm getting the following error:
Please provide a password for the domain root: Use of qw(...) as parentheses is deprecated at /usr/share/perl5/smbldap_tools.pm line 1423, line 558. /usr/sbin/smbldap-passwd: user root doesn't exist I'm not even able to enter the domain root password here, it just displays the error msg.