Our project is to replace all MS Windows servers in our company. The new environment should be compatible with the habits of ordinary users, and the transition from Microsoft servers to Linux servers must be completely transparent to the end user. The first step towards this is to provide Windows Domain functionality with Samba Server v3. As we also want to replace MS Exchange Server, we chose Kolab 2 as its replacement. Both Samba and Kolab should share the same LDAP user database and a common administration GUI. The following procedure requires knowledge of Linux administration. On our server we have installed CentOS 4, but I believe you should not have any serious problems with other distros.
The Procedure:
1. Download and install the latest samba release for your platform. I have installed the following:
samba-3.0.10-1.4E samba-common-3.0.10-1.4E samba-client-3.0.10-1.4E
1b. Also download the latest Samba source, as we are going to use specific files that are not provided by the RPM.
2. Download and install the latest openldap packages. I have:
openldap-2.2.13-2 openldap-devel-2.2.13-2 nss_ldap-226-1
3. Download and install Kolab 2 according to the installation instructions of Kolab. We assume our main domain is howto.gr and our base dn is dc=howto,dc=gr .
4. Copy from the samba source directory the samba.schema file into the appropriate kolab directory. In my installation this is done by issuing the following command:
cp /root/samba-3.0.12/examples/LDAP/samba.schema /kolab/etc/openldap/schema
5. Edit /kolab/etc/kolab/templates/slapd.conf.template and, after the include lines at the beginning, add the following:
include /kolab/etc/openldap/schema/nis.schema
include /kolab/etc/openldap/schema/samba.schema
6. Configure Samba to run as a PDC with LDAP. In our environment it is also useful to integrate LDAP into all PAM authentication modules.
6a. Edit /etc/ldap.conf. Delete all lines and insert the following (change accordingly for your configuration):
———————— /etc/ldap.conf —————————————
base dc=howto,dc=gr
uri ldap://127.0.0.1/
ldap_version 3
rootbinddn cn=manager,cn=internal,dc=howto,dc=gr
scope one
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_password exop
crypt sha
nss_base_passwd dc=howto,dc=gr?sub
nss_base_shadow dc=howto,dc=gr?sub
nss_base_group ou=Group,dc=howto,dc=gr?one
host localhost
———————— /etc/ldap.conf —————————————-
6b. Alter the appropriate PAM configuration regarding authentication.
———————— /etc/pam.d/system-auth —————————————-
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so broken_shadow
account     sufficient    /lib/security/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/pam_ldap.so
account     required      /lib/security/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
———————— /etc/pam.d/system-auth —————————————-
6c. Install perl-Crypt-SmbHash and perl-Digest-SHA1 modules.
6d. Download mkntpasswd from http://sf.gds.tuwien.ac.at/l/ld/ldaputils/ , compile it and install it in /usr/sbin.
6e. Retrieve the Samba SID:
$> net getlocalsid
SID for domain HOWTO-LAB is: S-1-5-21-545352460-3000959604-3178679851
6f. Install smbldap-tools manually. I have just copied the whole folder from the Samba source directory to /etc/samba/ldap.
$> cp -Rp /root/samba-3.0.15pre2/examples/LDAP/smbldap-tools-0.8.8 /etc/samba/ldap
6g. Configure smbldap-tools. The configuration files are /etc/samba/ldap/smbldap_bind.conf and /etc/samba/ldap/smbldap.conf. Suit them to your needs!
6h. Populate the LDAP directory with the minimum entries needed for Samba.
$> /etc/samba/ldap/smbldap-populate
Populating LDAP directory for domain HOWTO-LAB (S-1-5-21-545352460-3000959604-3178679851)
(using builtin directory structure)
.....
adding new entry: cn=Backup Operators,ou=Groups,dc=howto,dc=gr
adding new entry: cn=Replicators,ou=Groups,dc=howto,dc=gr
adding new entry: sambaDomainName=HOWTO-LAB,dc=howto,dc=gr
Please provide a password for the domain root:
Changing password for root
New password :
Retype new password :
In your LDAP directory you can now see, among others, the newly created Groups container and the sambaDomainName container.
6i. Edit the Samba configuration. The default file is /etc/samba/smb.conf.
———————— /etc/samba/smb.conf —————————————-
[global]
#-- Basic Server Options --#
netbios name = UNIXDC
workgroup = HOWTO-LAB
server string = Samba Server PDC
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers
log file = /var/log/samba/%m.log
max log size = 50
#-- Networking and Performance --#
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#bind interfaces only = yes
#interfaces = eth1 eth2 127.0.0.1
#-- PDC and Master Browser Settings --#
preferred master = Yes
domain master = Yes
local master = Yes
domain logons = Yes
os level = 64
dns proxy = Yes
wins support = Yes
security = user
#-- LDAP Settings --#
ldap suffix = dc=howto,dc=gr
ldap machine suffix = ou=computers,dc=howto,dc=gr
ldap user suffix = dc=howto,dc=gr
ldap group suffix = ou=Groups,dc=howto,dc=gr
ldap idmap suffix = ou=idmap,dc=howto,dc=gr
ldap admin dn = cn=manager,cn=internal,dc=howto,dc=gr
ldap ssl = no
ldap passwd sync = Yes
#-- User / Group / Machine Scripts --#
ldap delete dn = yes
add user script = /etc/samba/ldap/smbldap-useradd -m "%u"
delete user script = /etc/samba/ldap/smbldap-userdel "%u"
add machine script = /etc/samba/ldap/smbldap-useradd -w "%u"
add group script = /etc/samba/ldap/smbldap-groupadd -p "%g"
delete group script = /etc/samba/ldap/smbldap-groupdel "%g"
add user to group script = /etc/samba/ldap/smbldap-groupmod -m "%u" "%g"
delete user from group script = /etc/samba/ldap/smbldap-groupmod -x "%u" "%g"
set primary group script = /etc/samba/ldap/smbldap-usermod -g "%g" "%u"
#-- Profiles and Home Directories --#
;logon script = %m.bat
;logon script = %U.bat
;logon path = \\%L\Profiles\%U
;logon home = \\%L\%U\.profile
#============================ Share Definitions ==============================
### Standard Shares ####################
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
############## PDC Related Shares #################
[netlogon]
path = /home/netlogon
read only = yes
write list = @admins root
———————— /etc/samba/smb.conf —————————————-
6j. Store your LDAP manager password in Samba's secrets file with (replace the placeholder with the real password):
$> smbpasswd -w <ldap-manager-password>
6k. Test your smb configuration with
$> testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[netlogon]"
Processing section "[apps]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
7. Now it is time to "hack" the Kolab administration interface so that it creates the appropriate entries for each Kolab user, allowing the user to log on through Samba.
WARNING: This hack may be quite buggy and has not been tested enough. It just works.
7a. Edit /kolab/var/kolab/www/admin/user/user.php
At about line 453 you will find the line:
$ldap_object['objectClass'] = array('top', 'inetOrgPerson','kolabInetOrgPerson');
Replace it with the following lines (suited to your configuration):
$ldap_object['objectClass'] = array('top', 'inetOrgPerson', 'kolabInetOrgPerson',
                                    'shadowAccount', 'posixAccount', 'sambaSamAccount');
// Create the appropriate values for the SMB password (LM and NT hashes)
$mkntpwd = "/usr/sbin/mkntpwd";
$exe = "$mkntpwd " . escapeshellarg($_POST['password_0']) . " 2>&1";
$ntString = exec($exe, $retarray, $retval);
// mkntpwd prints "LMHASH:NTHASH"; only split it if the run succeeded
if ($retval == "0" && preg_match("/^[0-9A-F]+:[0-9A-F]+$/", $ntString)) {
    list($lmPassword, $ntPassword) = explode(":", $ntString);
}
$uid_for_home_dir = trim(strtolower($_POST['uid']));
// POSIX account attributes; uidNumber is taken from the current time
$ldap_object['uidNumber'] = time();
$ldap_object['gidNumber'] = "513";
$ldap_object['homeDirectory'] = "/home/" . $uid_for_home_dir . "/";
// Samba account attributes; the SID prefix is the domain SID from "net getlocalsid"
$ldap_object['sambaPwdLastSet'] = time();
$ldap_object['sambaLogonTime'] = "0";
$ldap_object['sambaLogoffTime'] = "0";
$ldap_object['sambaKickoffTime'] = "0";
$ldap_object['sambaPwdCanChange'] = "0";
$ldap_object['sambaPwdMustChange'] = "0";
$ldap_object['sambaAcctFlags'] = "[UX]";
$ldap_object['sambaSID'] = "S-1-5-21-545352460-3000959604-3178679851-" . time();
$ldap_object['sambaLMPassword'] = $lmPassword;
$ldap_object['sambaPrimaryGroupSID'] = "S-1-5-21-545352460-3000959604-3178679851-513";
$ldap_object['sambaNTPassword'] = $ntPassword;
$ldap_object['sambaLogonScript'] = "STARTUP.BAT";
$ldap_object['sambaHomeDrive'] = "H:";
————————————————————————————————————–
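Before letting users log on, it is worth auditing what the hack actually wrote. The following Python check is an added example (not code from the page, Kolab or Samba) that flags the two failure modes of the block above: a silently failed mkntpwd run, which leaves the password hashes empty, and the uidNumber/RID collisions that time()-based allocation produces when two users are created in the same second. It assumes the user entries have already been read from LDAP into dicts; the sample entries and hashes are constructed placeholders.

```python
import re
from collections import Counter

# Domain SID printed by `net getlocalsid` on the page; the hack appends a RID to it.
DOMAIN_SID = "S-1-5-21-545352460-3000959604-3178679851"
DOMAIN_USERS_SID = DOMAIN_SID + "-513"
HEX32 = re.compile(r"^[0-9A-F]{32}$")
REQUIRED_CLASSES = {"inetOrgPerson", "kolabInetOrgPerson", "shadowAccount",
                    "posixAccount", "sambaSamAccount"}
REQUIRED_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory", "sambaSID",
                  "sambaPrimaryGroupSID", "sambaNTPassword", "sambaAcctFlags")

def check_user(entry):
    """Problems in one user entry (dict attribute -> value, as $ldap_object); [] = usable."""
    problems = []
    missing = REQUIRED_CLASSES - set(entry.get("objectClass", []))
    if missing:
        problems.append("missing objectClass " + ", ".join(sorted(missing)))
    for attr in REQUIRED_ATTRS:
        if not entry.get(attr):
            problems.append("missing or empty " + attr)
    # When mkntpwd fails the hack never sets $ntPassword, so the stored hash is
    # empty or garbage and that user can never authenticate against the PDC.
    for attr in ("sambaNTPassword", "sambaLMPassword"):
        if entry.get(attr) and not HEX32.match(entry[attr]):
            problems.append(attr + " is not a 32-digit uppercase hex hash")
    sid = entry.get("sambaSID", "")
    if not re.match(r"^%s-\d+$" % re.escape(DOMAIN_SID), sid):
        problems.append("sambaSID %r is not a RID in domain %s" % (sid, DOMAIN_SID))
    if entry.get("sambaPrimaryGroupSID") != DOMAIN_USERS_SID:
        problems.append("sambaPrimaryGroupSID is not Domain Users (RID 513)")
    return problems

def find_collisions(entries):
    """uidNumber and the RID in sambaSID both come from time(); return duplicated values."""
    dup = {}
    for attr in ("uidNumber", "sambaSID"):
        counts = Counter(str(e.get(attr)) for e in entries)
        dup[attr] = sorted(v for v, n in counts.items() if n > 1)
    return dup

# Constructed sample entries (not from the page; the hashes are placeholders): GOOD
# mirrors what the hack writes, BROKEN is a failed mkntpwd run in the same second.
GOOD = {"uid": "alice", "uidNumber": 1120000000, "gidNumber": "513",
        "objectClass": ["top"] + sorted(REQUIRED_CLASSES),
        "homeDirectory": "/home/alice/", "sambaAcctFlags": "[UX]",
        "sambaSID": DOMAIN_SID + "-1120000000", "sambaPrimaryGroupSID": DOMAIN_USERS_SID,
        "sambaNTPassword": "0123456789ABCDEF0123456789ABCDEF",
        "sambaLMPassword": "0123456789ABCDEF0123456789ABCDEF"}
BROKEN = dict(GOOD, uid="bob", homeDirectory="/home/bob/", sambaNTPassword="", sambaLMPassword="")
```

Run check_user over every entry under the ldap user suffix and find_collisions over the whole list; any non-empty result is a user who will either fail to log on or clash with another account.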
You should be ready by now. Create some users in Kolab, join a computer to your new domain and log on with the various users you have created!