Samba PDC and Kolab

Our project is to replace all MS Windows servers in our corporate network. The new environment should be compatible with ordinary users' habits, and the transition from Microsoft servers to Linux servers must be completely transparent to the end user. The first step towards this is to provide Windows Domain functionality with Samba Server v3. As we also want to replace MS Exchange Server, we chose Kolab 2 as its replacement. Both Samba and Kolab should share the same LDAP user database and a common administration GUI. The following procedure requires knowledge of Linux administration. On our server we have installed CentOS 4, but I believe you should not have any serious problems with other distros.

The Procedure:

1. Download and install the latest samba release for your platform. I have installed the following:

samba-3.0.10-1.4E
samba-common-3.0.10-1.4E
samba-client-3.0.10-1.4E

1b. Also download the latest samba source, as we are going to use specific files not provided by the rpm.

2. Download and install the latest openldap packages. I have:

openldap-2.2.13-2
openldap-devel-2.2.13-2
nss_ldap-226-1

3. Download and install Kolab 2 according to the Kolab installation instructions. We assume our main domain is howto.gr and our base DN is dc=howto,dc=gr.

4. Copy from the samba source directory the samba.schema file into the appropriate kolab directory. In my installation this is done by issuing the following command:

cp /root/samba-3.0.12/examples/LDAP/samba.schema /kolab/etc/openldap/schema

5. Edit /kolab/etc/kolab/templates/slapd.conf.template and, after the include lines at the beginning, add the following:

include /kolab/etc/openldap/schema/nis.schema
include /kolab/etc/openldap/schema/samba.schema

6. Configure Samba to run as a PDC with LDAP. In our environment it is also useful to integrate LDAP into all PAM authentication modules.

6a. Edit /etc/ldap.conf. Delete all lines and insert the following (change accordingly for your configuration):

———————— /etc/ldap.conf —————————————

 base dc=howto,dc=gr
 uri ldap://127.0.0.1/
 ldap_version 3
 rootbinddn cn=manager,cn=internal,dc=howto,dc=gr
 scope one
 pam_filter objectclass=posixAccount
 pam_login_attribute uid
 pam_password exop
 crypt sha
 nss_base_passwd dc=howto,dc=gr?sub
 nss_base_shadow dc=howto,dc=gr?sub
 nss_base_group ou=Group,dc=howto,dc=gr?one
 host localhost

———————— /etc/ldap.conf —————————————-

6b. Alter the appropriate pam configuration regarding authentication.

———————— /etc/pam.d/system-auth —————————————-

auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so broken_shadow
account sufficient /lib/security/pam_succeed_if.so uid < 100 quiet
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so

———————— /etc/pam.d/system-auth —————————————-

6c. Install perl-Crypt-SmbHash and perl-Digest-SHA1 modules.

6d. Download mkntpwd from http://sf.gds.tuwien.ac.at/l/ld/ldaputils/, compile it and install it in /usr/sbin.

6e. Retrieve the Samba SID:

$> net getlocalsid
 SID for domain HOWTO-LAB is: S-1-5-21-545352460-3000959604-3178679851

6f. Install smbldap-tools manually. I have just copied the whole folder from the samba source directory to /etc/samba/ldap.

$> cp -Rp /root/samba-3.0.15pre2/examples/LDAP/smbldap-tools-0.8.8 /etc/samba/ldap

6g. Configure smbldap-tools. The configuration files are /etc/samba/ldap/smbldap_bind.conf and /etc/samba/ldap/smbldap.conf. Suit them to your needs!

6h. Populate the LDAP directory with the minimum entries Samba needs.

$> /etc/samba/ldap/smbldap-populate
 Populating LDAP directory for domain HOWTO-LAB (S-1-5-21-545352460-3000959604-3178679851)
 (using builtin directory structure)
 .....
 adding new entry: cn=Backup Operators,ou=Groups,dc=howto,dc=gr
 adding new entry: cn=Replicators,ou=Groups,dc=howto,dc=gr
 adding new entry: sambaDomainName=HOWTO-LAB,dc=howto,dc=gr
 Please provide a password for the domain root:
 Changing password for root
 New password :
 Retype new password :

Afterwards you will see in your LDAP directory, among other entries, the newly created Groups container and a sambaDomainName entry.

6i. Edit Samba configuration. The default file is in /etc/samba/smb.conf.

———————— /etc/samba/smb.conf —————————————-

[global]
 #-- Basic Server Options --#
 netbios name = UNIXDC
 workgroup = HOWTO-LAB
 server string = Samba Server PDC
 passdb backend = ldapsam:ldap://127.0.0.1
 username map = /etc/samba/smbusers
 log file = /var/log/samba/%m.log
 max log size = 50
 #-- Networking and Performance --#
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 #bind interfaces only = yes
 #interfaces = eth1 eth2 127.0.0.1
 #-- PDC and Master Browser Settings --#
 preferred master = Yes
 domain master = Yes
 local master = Yes
 domain logons = Yes
 os level = 64
 dns proxy = Yes
 wins support = Yes
 security = user
 #-- LDAP Settings --#
 ldap suffix = dc=howto,dc=gr
 ldap machine suffix = ou=computers,dc=howto,dc=gr
 ldap user suffix = dc=howto,dc=gr
 ldap group suffix = ou=Groups,dc=howto,dc=gr
 ldap idmap suffix = ou=idmap,dc=howto,dc=gr
 ldap admin dn = cn=manager,cn=internal,dc=howto,dc=gr
 ldap ssl = no
 ldap passwd sync = Yes
 #-- User / Group / Machine Scripts --#
 ldap delete dn = yes
 add user script = /etc/samba/ldap/smbldap-useradd -m "%u"
 delete user script = /etc/samba/ldap/smbldap-userdel "%u"
 add machine script = /etc/samba/ldap/smbldap-useradd -w "%u"
 add group script = /etc/samba/ldap/smbldap-groupadd -p "%g"
 delete group script = /etc/samba/ldap/smbldap-groupdel "%g"
 add user to group script = /etc/samba/ldap/smbldap-groupmod -m "%u" "%g"
 delete user from group script = /etc/samba/ldap/smbldap-usermod -x "%u" "%g"
 set primary group script = /etc/samba/ldap/smbldap-usermod -g "%g" "%u"
 #-- Profiles and Home Directories --#
 ;logon script = %m.bat
 ;logon script = %U.bat
 ;logon path = \\%L\Profiles\%U
 ;logon home = \\%L\%U\.profile

#============================ Share Definitions ==============================
### Standard Shares ####################
[homes]
 comment = Home Directories
 read only = No
 browseable = No

[printers]
 comment = All Printers
 path = /var/spool/samba
 printable = Yes
 browseable = No

############## PDC Related Shares #################
[netlogon]
 path = /home/netlogon
 read only = yes
 write list = @admins root

———————— /etc/samba/smb.conf —————————————-

6j. Store your LDAP manager password in Samba with:

$> smbpasswd -w

6k. Test your smb configuration with:

$> testparm
 Load smb config files from /etc/samba/smb.conf
 Processing section "[homes]"
 Processing section "[printers]"
 Processing section "[netlogon]"
 Processing section "[apps]"
 Loaded services file OK.
 Server role: ROLE_DOMAIN_PDC

7. Now it is time to "hack" the Kolab administration interface so that the appropriate attributes are added to each user created in Kolab, allowing that user to log on through Samba.

WARNING: This hack may be quite buggy and has not been tested enough. It just works.

7a. Edit /kolab/var/kolab/www/admin/user/user.php

At about line 453 you will find the line:

$ldap_object['objectClass'] = array('top', 'inetOrgPerson','kolabInetOrgPerson');

Replace it with the following lines (suited to your configuration):

$ldap_object['objectClass'] = array('top', 'inetOrgPerson','kolabInetOrgPerson','shadowAccount','posixAccount','sambaSamAccount');
// Create the appropriate values for the SMB password (LM and NT hashes) with mkntpwd
$mkntpwd = "/usr/sbin/mkntpwd";
$exe = "$mkntpwd " . escapeshellarg($_POST['password_0']) . " 2>&1";
$ntString = exec($exe, $retarray, $retval);
// mkntpwd prints "LMHASH:NTHASH" in upper-case hex on success
if ($retval == "0" && preg_match("/^[0-9A-F]+:[0-9A-F]+$/", $ntString)) {
    list($lmPassword, $ntPassword) = explode(":", $ntString);
}
$uid_for_home_dir = trim(strtolower($_POST['uid']));
// posixAccount attributes
$ldap_object['uidNumber'] = time();
$ldap_object['gidNumber'] = "513";
$ldap_object['homeDirectory'] = "/home/" . $uid_for_home_dir . "/";
// sambaSamAccount attributes
$ldap_object['sambaPwdLastSet'] = time();
$ldap_object['sambaLogonTime'] = "0";
$ldap_object['sambaLogoffTime'] = "0";
$ldap_object['sambaKickoffTime'] = "0";
$ldap_object['sambaPwdCanChange'] = "0";
$ldap_object['sambaPwdMustChange'] = "0";
$ldap_object['sambaAcctFlags'] = "[UX]";
$ldap_object['sambaSID'] = "S-1-5-21-545352460-3000959604-3178679851-" . time();
$ldap_object['sambaPrimaryGroupSID'] = "S-1-5-21-545352460-3000959604-3178679851-513";
$ldap_object['sambaLMPassword'] = $lmPassword;
$ldap_object['sambaNTPassword'] = $ntPassword;
$ldap_object['sambaLogonScript'] = "STARTUP.BAT";
$ldap_object['sambaHomeDrive'] = "H:";

————————————————————————————————————–

You should be ready by now. Create some users in Kolab, join a computer to your new domain and log on with the users you have created!
