Samba PDC With Ldap Backend On CentOS 6.5


PDC

A PDC stores the login information in a central database on its hard drive. This allows each user to have a universal username and password when logging in from all PCs on the network.

In a Windows Workgroup, each PC stores the usernames and passwords locally so that they are unique for each PC.

Samba domains and Linux share the same usernames, so you can log into the Samba-based Windows domain using your Linux password and immediately gain access to the files in your Linux user's home directory.

Hostname


[root@ldap ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 ldap ldap.example.com

Install The Ldap Server

Note: Disable SELinux and flush all iptables rules before proceeding.

[root@ldap ~]# yum install openldap*
Generate the hashed LDAP admin password:

[root@ldap ~]# slappasswd
New password:                              <-- the password is redhat here; remember it, we will use it later
Re-enter new password:
{SSHA}Fa2h91Po+wGEqObvg1rJmHf45d15RX3X
(salted SHA-1 hash of the password, as stored in slapd.conf)
[root@ldap ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf


[root@ldap]~#vim /etc/openldap/slapd.conf


#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
#TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# enable on-the-fly configuration (cn=config)
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=example,dc=com" read
by * none
#######################################################################
# database definitions
#######################################################################
database bdb
suffix "dc=example,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}TjG/HWzQCm7jKh3OWCgW/VUfpMUR+xV2       <-- add the hashed rootdn password generated above
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID eq                    <-- add this line
index sambaPrimaryGroupSID eq        <-- add this line
index sambaDomainName eq             <-- add this line
index default sub                    <-- add this line
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM

:wq


[root@ldap ~]# rm -rf /etc/openldap/slapd.d/*
[root@ldap ~]# rm -rf /var/lib/ldap/*
[root@ldap ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldap ~]# slaptest -u
config file testing succeeded
[root@ldap ~]# echo "" | slapadd -f /etc/openldap/slapd.conf
[root@ldap ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded
[root@ldap ~]# chown -Rf ldap. /etc/openldap/slapd.d/
[root@ldap ~]# chown -Rf ldap. /var/lib/ldap/
[root@ldap ~]# chmod 700 /var/lib/ldap/
[root@ldap ~]# chmod 700 /etc/openldap/slapd.d/
[root@ldap ~]# service slapd start
Starting slapd: [ OK ]
[root@ldap ~]# chkconfig slapd on
(starts the slapd service at system boot)
[root@ldap ~]# service slapd status
slapd (pid 2242) is running...
[root@ldap ~]# netstat -ntlup | grep slapd
(If this prints a listening socket for slapd, the server is running without any problem.)
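As an added example that is not part of the original page: the {SSHA} string that slappasswd prints and that slapd.conf stores as rootpw is base64(SHA-1(password || salt) || salt), and the code below generates and verifies such values so you can confirm that the rootpw you pasted really hashes the password you will later give to smbpasswd -w and smbldap-populate (a mismatch only shows up later as a failed rootdn bind). The function names and the sample slapd.conf excerpt are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a slappasswd-style {SSHA} value: base64(SHA-1(password || salt) || salt).
    slappasswd uses a 4-byte random salt, so two runs never print the same hash."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """True if password matches the stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: " + stored)
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]        # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Matches only an active directive; the commented '# rootpw secret' sample line is skipped.
ROOTPW_RE = re.compile(r"^\s*rootpw\s+(\S+)", re.MULTILINE)


def rootpw_from_slapd_conf(text: str) -> str:
    """Extract the value of the active rootpw directive from slapd.conf text."""
    match = ROOTPW_RE.search(text)
    if match is None:
        raise ValueError("no active rootpw directive found")
    return match.group(1)


def check_rootpw(slapd_conf_text: str, expected_password: str) -> str:
    """Classify the rootdn password in slapd.conf against the password you intend
    to use: 'cleartext', 'unsupported-scheme', 'match' or 'mismatch'."""
    value = rootpw_from_slapd_conf(slapd_conf_text)
    if not value.startswith("{"):
        return "cleartext"           # 'rootpw secret' style; avoid, see slapd.conf(5)
    if not value.startswith("{SSHA}"):
        return "unsupported-scheme"  # {CRYPT}, {MD5}, ... are not handled here
    return "match" if ssha_verify(expected_password, value) else "mismatch"


# Constructed excerpt mirroring the page's slapd.conf.  The hash is generated here
# with a fixed salt so the example is deterministic; the page's own rootpw hash is
# not reused because its salt/password pair cannot be checked offline.
SAMPLE_SALT = b"\x01\x02\x03\x04"
SAMPLE_HASH = ssha_hash("redhat", SAMPLE_SALT)
SAMPLE_SLAPD_CONF = f"""\
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SAMPLE_HASH}
# rootpw secret
directory /var/lib/ldap
"""

if __name__ == "__main__":
    print(SAMPLE_HASH)
    print(check_rootpw(SAMPLE_SLAPD_CONF, "redhat"))   # match
    print(check_rootpw(SAMPLE_SLAPD_CONF, "Redhat"))   # mismatch
```

To check a real installation, pass the contents of /etc/openldap/slapd.conf and the intended password to check_rootpw.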


[root@ldap ~]#vim /etc/openldap/ldap.conf


#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=example,dc=com                      <-- add this line
URI ldap://127.0.0.1/                       <-- add this line
#HOST 127.0.0.1
#ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#TLS_CACERTDIR /etc/openldap/certs
TLS_CACERTDIR /etc/openldap/cacerts         <-- add this line

Install The Samba Server

[root@ldap ~]# yum install samba*

Note: Make a backup copy of smb.conf, then overwrite the existing file with the parameters given below.

[root@ldap ~]#vim /etc/samba/smb.conf

[global]
workgroup = LINUX
netbios name = ldap
security = user
enable privileges = yes
#interfaces = 192.168.5.11
#username map = /etc/samba/smbusers
server string = Samba Server %v
#security = ads
encrypt passwords = Yes
#min passwd length = 3
#pam password change = no
#obey pam restrictions = No
ldap ssl = no
# method 1:
unix password sync = no
ldap passwd sync = yes
# method 2:
#unix password sync = yes
#ldap passwd sync = no
#passwd program = /usr/sbin/smbldap-passwd -u "%u"
#passwd chat = "Changing *\nNew password*" %n\n "*Retype newpassword*" %n\n
log level = 0
syslog = 0
log file = /var/log/samba/log.%U
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
logon script = logon.bat
logon drive = H:
logon home =
logon path =
domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
wins support = yes
# passdb backend = ldapsam:"ldap://"
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=Manager,dc=example,dc=com
#ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
ldap suffix = dc=example,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
#add user script = /usr/sbin/useradd "%u" -n -g users
#add group script = /usr/sbin/groupadd "%g"
#add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
#delete user script = /usr/sbin/userdel "%u"
#delete user from group script = /usr/sbin/userdel "%u" "%g"
#delete group script = /usr/sbin/groupdel "%g"
# add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
ldap idmap suffix = ou=Idmap
add user script = /usr/sbin/smbldap-useradd -m "%u"
#ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
# printers configuration
#printer admin = @"Print Operators"
load printers = Yes
create mask = 0640
directory mask = 0750
#force create mode = 0640
#force directory mode = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile folders:
preserve case = yes
short preserve case = yes
case sensitive = no
[netlogon]
path = /home/netlogon/
browseable = No
read only = yes
[profiles]
path = /home/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles
#force user = %U
# next line allows administrator to access all profiles
#valid users = %U "Domain Admins"
[printers]
comment = Network Printers
#printer admin = @"Print Operators"
guest ok = yes
printable = yes
path = /home/spool/
browseable = No
read only = Yes
printable = Yes
print command = /usr/bin/lpr -P%p -r %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
# print command = /usr/bin/lpr -U%U@%M -P%p -r %s
# lpq command = /usr/bin/lpq -U%U@%M -P%p
# lprm command = /usr/bin/lprm -U%U@%M -P%p %j
# lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
# lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
# queuepause command = /usr/sbin/lpc -U%U@%M stop %p
# queueresume command = /usr/sbin/lpc -U%U@%M start %p
[print$]
path = /home/printers
guest ok = No
browseable = Yes
read only = Yes
valid users = @"Print Operators"
write list = @"Print Operators"
create mask = 0664
directory mask = 0775
[public]
path = /tmp
guest ok = yes
browseable = Yes
writable = yes
[homes]
comment = Home Directories
valid users = %S
browseable = yes
writable = yes
create mask = 0600
directory mask = 0700

[root@ldap ~]# testparm
(checks smb.conf for errors; every parameter must be on a single line)
Create the directories used by the [netlogon] and [profiles] shares:
[root@ldap ~]# mkdir /home/netlogon
[root@ldap ~]# mkdir /home/profiles
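Samba binds to the directory as the ldap admin dn (with the password later stored by smbpasswd -w), so that DN, the suffixes and the loaded schema in smb.conf and slapd.conf have to agree, or smbldap-populate and every domain join fail. As an added example that is not part of the original page, the checker below parses constructed excerpts of both files as configured here and reports the mismatches and the risky settings a reviewer would flag (ldap ssl = no over TCP, guest-writable shares); all function names are constructed.

```python
import configparser

# Constructed excerpts of the two files as this page configures them.
SLAPD_CONF = """\
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/samba.schema
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
index sambaSID eq
"""

SMB_CONF = """\
[global]
workgroup = LINUX
security = user
ldap ssl = no
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=Manager,dc=example,dc=com
ldap suffix = dc=example,dc=com
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
add user script = /usr/sbin/smbldap-useradd -m "%u"
[public]
path = /tmp
guest ok = yes
writable = yes
[homes]
valid users = %S
writable = yes
"""


def parse_slapd_conf(text: str) -> dict:
    """slapd.conf is a flat 'directive value' file; return directive -> [values]."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key, []).append(value.strip().strip('"'))
    return conf


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is INI-like: '=' is the only separator, interpolation is off because
    of %u/%S macros, and strict=False because Samba tolerates a repeated key."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(text)
    return parser


def norm_dn(dn: str) -> str:
    """DN matching is case-insensitive and ignores whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def samba_bool(value, default: bool = False) -> bool:
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writable(share) -> bool:
    """'writable'/'writeable' override 'read only'; Samba's default is read only."""
    for key in ("writable", "writeable"):
        if share.get(key) is not None:
            return samba_bool(share.get(key))
    return not samba_bool(share.get("read only"), default=True)


def cross_check(slapd_text: str, smb_text: str) -> list:
    """Return findings as strings; an empty list means the two files agree."""
    slapd = parse_slapd_conf(slapd_text)
    smb = parse_smb_conf(smb_text)
    g = smb["global"]
    findings = []
    backend = g.get("passdb backend", "").strip()
    if not backend.startswith("ldapsam:"):
        findings.append("passdb backend is not ldapsam: accounts will not come from LDAP")
    if norm_dn(g.get("ldap admin dn", "")) != norm_dn(slapd.get("rootdn", [""])[0]):
        findings.append("ldap admin dn differs from slapd rootdn: the smbpasswd -w bind will fail")
    if norm_dn(g.get("ldap suffix", "")) != norm_dn(slapd.get("suffix", [""])[0]):
        findings.append("ldap suffix differs from slapd suffix")
    if not any(inc.endswith("samba.schema") for inc in slapd.get("include", [])):
        findings.append("samba.schema not included: sambaSamAccount entries will be rejected")
    ssl = g.get("ldap ssl", "off").strip().lower()
    if ssl in ("off", "no") and not backend.startswith("ldapsam:ldapi://"):
        findings.append("ldap ssl = no over TCP: the ldap admin dn bind travels in clear")
    for name in smb.sections():
        if name == "global":
            continue
        share = smb[name]
        if samba_bool(share.get("guest ok")) and share_is_writable(share):
            findings.append(f"share [{name}] is guest-writable (path {share.get('path', '?')})")
    return findings


if __name__ == "__main__":
    for finding in cross_check(SLAPD_CONF, SMB_CONF):
        print("-", finding)
```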

Smbldap-tools Configuration

[root@ldap ~]# smbpasswd -w redhat
  (redhat is the LDAP admin password whose hash is stored in slapd.conf; smbpasswd -w saves it in secrets.tdb for the ldap admin dn bind)
[root@ldap ~]# net getlocalsid
SID for domain LDAP is: S-1-5-21-1834966309-3405184030-1647912285
(This is an important step; the output must show no errors.)
Now download the EPEL repository package from https://fedoraproject.org/wiki/EPEL and install the rpm.
[root@ldap ~]# yum install smbldap-tools
[root@ldap ~]# cd /usr/share/doc/smbldap-tools-0.9.6/
ChangeLog CONTRIBUTORS FILES INSTALL README smb.conf smbldap.conf TODO
configure.pl COPYING INFRA migration_scripts slapd.conf smbldap_bind.conf smbldap-tools.pdf
[root@ldap smbldap-tools-0.9.6]# chmod 777 configure.pl
[root@ldap smbldap-tools-0.9.6]# ./configure.pl
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
smbldap-tools script configuration
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
. if your samba controller is up and running.
. if the domain SID is defined (you can get it with the 'net getlocalsid')
. you can leave the configuration using the Ctrl-c key combination
. empty value can be set with the "." character

Note: keep all fields at their defaults and enter the values below for these two fields:

 ldap master bind password [] >redhat

 ldap slave bind password [] >redhat

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The interactive configuration writes two files under /etc/smbldap-tools/:
(1) smbldap.conf
(2) smbldap_bind.conf
Check both files.
[root@ldap smbldap-tools]# smbldap-populate
Populating LDAP directory for domain LINUX (S-1-5-21-1834966309-3405184030-1647912285)
(using builtin directory structure)
entry dc=example,dc=com
entry ou=Users,dc=example,dc=com
entry ou=Groups,dc=example,dc=com
entry ou=Computers,dc=example,dc=com
entry ou=Idmap,dc=example,dc=com
entry uid=root,ou=Users,dc=example,dc=com
entry uid=nobody,ou=Users,dc=example,dc=com
entry cn=Domain Admins,ou=Groups,dc=example,dc=com
entry cn=Domain Users,ou=Groups,dc=example,dc=com
entry cn=Domain Guests,ou=Groups,dc=example,dc=com
entry cn=Domain Computers,ou=Groups,dc=example,dc=com
entry cn=Administrators,ou=Groups,dc=example,dc=com
entry cn=Account Operators,ou=Groups,dc=example,dc=com
entry cn=Print Operators,ou=Groups,dc=example,dc=com
entry cn=Backup Operators,ou=Groups,dc=example,dc=com
entry cn=Replicators,ou=Groups,dc=example,dc=com
entry sambaDomainName=LINUX,dc=example,dc=com Updating it…
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
(Set the domain root password; it is redhat here and is used for the domain join.)

LAM (LDAP Account Manager) Configuration

Now download LAM from https://www.ldap-account-manager.org/lamcms/releases
Tested on: ldap-account-manager-4.8-0.fedora.1.noarch.rpm

wget http://downloads.sourceforge.net/project/lam/LAM/4.8/ldap-account-manager-4.8-0.fedora.1.noarch.rpm
Install the LAM rpm:


[root@ldap ~]# /etc/init.d/httpd restart
[root@ldap ~]# rpm -ivh "path to rpm file"


Open your browser to configure LAM:
enter the URL 127.0.0.1/lam, localhost/lam or <your IP address>/lam


In the right-hand corner go to LAM configuration; the default password is lam.


Edit the server settings using the default password, and in the general settings set:
Server address: localhost:389
Tree suffix: dc=example,dc=com
Security settings: cn=Manager,dc=example,dc=com


Go to the Account tab and set these parameters:
Users:
LDAP Suffix ou=Users,dc=example,dc=com
Groups:
LDAP Suffix ou=Groups,dc=example,dc=com
Hosts:
LDAP Suffix ou=Computers,dc=example,dc=com
Samba domains:
LDAP Suffix dc=example,dc=com


Save the settings and log in to LAM with the LDAP password you set in the first step. After login
it will ask you to create the OUs; just click yes.


Under Samba domains you will see the Samba domain with its SID.


PAM Configuration

Now comes the important part: the PAM configuration that enables LDAP logins.


[root@ldap ~]#yum install pam_ldap
[root@ldap ~]#yum install nss-pam-ldapd

Note: Back up each file before modifying it.
[root@ldap ~]# vim /etc/nslcd.conf


Use the same LDAP root password that you set in the first step. Because this is the directory manager's password in cleartext, nslcd.conf must stay readable by root only.
# This is the configuration file for the LDAP nameservice
# switch library’s nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.
# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# uri ldap://127.0.0.1/
uri ldap://127.0.0.1/
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name of the search base.
# base dc=example,dc=com
base dc=example,dc=com
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com
binddn cn=manager,dc=example,dc=com
# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw secret
bindpw redhat
# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com
# The default search scope.
#scope sub
#scope one
#scope base
# Customize certain database lookups.
#base group ou=Groups,dc=example,dc=com
#base passwd ou=People,dc=example,dc=com
#base shadow ou=People,dc=example,dc=com
#scope group onelevel
#scope hosts sub
# Bind/connect timelimit.
#bind_timelimit 30
# Search timelimit.
#timelimit 30
# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600
# Use StartTLS without verifying the server certificate.
#ssl start_tls
#tls_reqcert never
# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# NDS mappings
#map group uniqueMember member
# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map passwd uid msSFU30Name
#map passwd userPassword msSFU30Password
#map passwd homeDirectory msSFU30HomeDirectory
#map passwd homeDirectory msSFUHomeDirectory
#filter shadow (objectClass=User)
#map shadow uid msSFU30Name
#map shadow userPassword msSFU30Password
#filter group (objectClass=Group)
#map group uniqueMember msSFU30PosixMember
# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map passwd uid msSFUName
#map passwd userPassword msSFUPassword
#map passwd homeDirectory msSFUHomeDirectory
#map passwd gecos msSFUName
#filter shadow (objectClass=User)
#map shadow uid msSFUName
#map shadow userPassword msSFUPassword
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=Group)
#map group uniqueMember posixMember
# Mappings for Active Directory
#pagesize 1000
#referrals off
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map passwd uid sAMAccountName
#map passwd homeDirectory unixHomeDirectory
#map passwd gecos displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map shadow uid sAMAccountName
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=group)
#map group uniqueMember member
# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map passwd uid userName
#map passwd userPassword passwordChar
#map passwd uidNumber uid
#map passwd gidNumber gid
#filter group (objectClass=aixAccessGroup)
#map group cn groupName
#map group uniqueMember member
#map group gidNumber gid
uid ldap
gid ldap


[root@ldap ~]# vim /etc/pam_ldap.conf


# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# The man page for this file is pam_ldap(5)
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 127.0.0.1
# The distinguished name of the search base.
base dc=example,dc=com
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com
binddn cn=Manager,dc=example,dc=com
# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret
bindpw redhat
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com
# The port.
# Optional: default is 389.
#port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind/connect timelimit
#bind_timelimit 30
# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
# Filter to AND with uid=%s
#pam_filter objectclass=account
# The user ID attribute (defaults to uid)
#pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
# Group member attribute
#pam_member_attribute uniquemember
# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds
# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=example,dc=com?one
#nss_base_shadow ou=People,dc=example,dc=com?one
#nss_base_group ou=Group,dc=example,dc=com?one
#nss_base_hosts ou=Hosts,dc=example,dc=com?one
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?one
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member
# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad
# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad
# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword
# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
# Netscape SDK LDAPS
#ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
uri ldap://127.0.0.1/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5


[root@ldap ~]#vim /etc/nsswitch.conf


#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files ldap
shadow: files ldap
group: files ldap
#hosts: db files nisplus nis dns
hosts: files dns
# Example – obey only what nisplus tells us…
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus


[root@ldap ~]#vim /etc/sysconfig/authconfig


IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USEDB=no
FORCELEGACY=no
USEFPRINTD=yes
FORCESMARTCARD=no
PASSWDALGORITHM=md5
USELDAPAUTH=no
USEPASSWDQC=no
IPAV2NONTP=no
USELOCAUTHORIZE=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
USELDAP=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=no
USESSSD=no
USEHESIOD=no


[root@ldap ~]#vim /etc/pam.d/password-auth-ac


#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so md5 use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session optional pam_ldap.so
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077


[root@ldap ~]#vim /etc/pam.d/system-auth-ac


#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
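The nsswitch and PAM files above are easy to get subtly wrong (a misspelled option, a missing `ldap` source, `pam_ldap.so` placed after `pam_deny.so`), and the failure only shows up as "Permission denied" at login. The following check script is an added example, not part of the original post; it assumes the CentOS 6 file paths used in this tutorial and accepts alternative paths through the NSS and PAM variables.

```shell
#!/bin/sh
# Added verification script (not from the original post): checks the NSS and
# PAM wiring for the LDAP backend configured above. File paths are parameters,
# so the functions can be run against the live files or against copies.

# nss_uses_ldap FILE DB
# Succeed when the nsswitch database DB (passwd, shadow, group) lists "ldap"
# as a source; without it, getent and login never see the LDAP accounts.
nss_uses_ldap() {
    awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# pam_ldap_password_ok FILE
# Every "password ... pam_ldap.so" line must carry use_authtok so pam_ldap
# reuses the new password already checked by pam_cracklib and set by
# pam_unix; a misspelled option such as "use_authok" does not enable that.
pam_ldap_password_ok() {
    awk '
        $1 == "password" && $0 ~ /pam_ldap\.so/ {
            seen = 1; ok = 0
            for (i = 3; i <= NF; i++) if ($i == "use_authtok") ok = 1
            if (!ok) bad = 1
        }
        END { exit ((seen && !bad) ? 0 : 1) }' "$1"
}

# pam_ldap_auth_ok FILE
# The auth stack must consult pam_ldap.so before pam_deny.so, otherwise LDAP
# users resolve through NSS but can never authenticate.
pam_ldap_auth_ok() {
    awk '
        $1 == "auth" && $0 ~ /pam_ldap\.so/ { ldap = NR }
        $1 == "auth" && $0 ~ /pam_deny\.so/ { deny = NR }
        END { exit ((ldap && deny && ldap < deny) ? 0 : 1) }' "$1"
}

# Stand-alone run against the CentOS 6 paths used in this tutorial
# (override with: NSS=/path PAM=/path sh check.sh)
: "${NSS:=/etc/nsswitch.conf}" "${PAM:=/etc/pam.d/password-auth-ac}"
for db in passwd shadow group; do
    nss_uses_ldap "$NSS" "$db" 2>/dev/null && echo "ok   nsswitch $db -> ldap" \
        || echo "FAIL nsswitch $db lacks ldap"
done
pam_ldap_auth_ok "$PAM" 2>/dev/null && echo "ok   auth chain" || echo "FAIL auth chain"
pam_ldap_password_ok "$PAM" 2>/dev/null && echo "ok   password chain" \
    || echo "FAIL password chain (check use_authtok)"
```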


Now restart the Services


[root@ldap ~]# service nslcd start
Starting nslcd: [ OK ]
[root@ldap ~]# service slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
[root@ldap ~]# service smb restart
Shutting down SMB services: [ OK ]
Starting SMB services: [ OK ]
[root@ldap ~]# service nmb restart
Shutting down NMB services: [ OK ]
Starting NMB services: [ OK ]
[root@ldap ~]# service winbind restart
Shutting down Winbind services: [FAILED]
Starting Winbind services: [ OK ]

Create User Account Using LAM

Create the administrator account in LAM:

Step 1: Log in to LAM using the server's IP address or localhost/lam.

Step 2: Click on the Users tab and enter "administrator" as the last name.


Step 3: Now click on the Unix tab and set the primary group to "Account operator" and the additional group to "administrator".


Step 4: Click on Shadow and add the shadow extension.


Step 5: Click on Samba and add the Samba extension.

Step 6: Click on "Set password" and set the password.


Step 7: Click on Save; the user is added successfully.

To check that the LDAP user is visible as a Unix account:


[root@ldap ~]# getent passwd
root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
administrator:x:10000:548:administrator:/home/administrator:/bin/bash

[root@ldap ~]# ssh administrator@localhost
[root@ldap ~]# ssh administrator@<IP address of your system>
--------------------------------------------------------------------------------
For Windows 7 clients, apply the following registry settings before joining the domain
--------------------------------------------------------------------------------
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000

If every command above ran fine, our Samba LDAP server is ready.

Step 1: On your Windows machine, right-click My Computer and select Properties, or open Control Panel\System and Security\System. Then select "Advanced system settings".

Step 2: Choose Computer Name, click Change, select Domain, type your domain name (LINUX) and click OK.

It will take some time.

Step 3: If the server configuration is fine, Windows shows a message that the machine was added to the domain successfully. Make sure the Samba LDAP server's IP address can be pinged and reached from the client. Now restart your Windows machine and log in with the domain username and password.


Step 4: After verifying with ssh that every user can log in to your server, we add a Samba drive to the user's profile.

Open Notepad and type this command:

net use y: \\192.168.0.157\gopal gopal@321# /USER:gopal

net use -> the command

y: -> the drive letter to map

192.168.0.157 -> the server IP address

\gopal -> the user's share

gopal@321# -> the password

/USER:gopal -> the username

Step 5: Save this file as a .bat file on the desktop, run it from CMD and check the result. Note that the file holds the password in clear text, so keep it readable only by that user.


Here you will get the message "The command completed successfully."

Step 6: Now open My Computer and check the mounted drive.


Step 7: The last step is to add the .bat file to the Startup folder of your computer.


Enjoy this post.

Very Special Thanks To Mr. Abhishek Verma

Linux Engineer At
KV IT-Solutions Pvt. Ltd.

7 COMMENTS

  1. Whenever I try to connect to the LDAP server using the administrator user created above, it shows a wrong password:

    [root@smbldap ~]# ssh administrator@10.10.12.143
    The authenticity of host '10.10.12.143 (10.10.12.143)' can't be established.
    RSA key fingerprint is bc:45:6c:ad:d7:dc:71:48:73:7b:49:44:fc:d5:e3:3a.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.10.12.143' (RSA) to the list of known hosts.
    administrator@10.10.12.143's password:
    Permission denied, please try again.
    administrator@10.10.12.143's password:
    Awaiting your response

    • Hi Manoj, first run the #getent passwd command; it will show you the created user administrator like this:
      root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
      nobody:x:999:514:nobody:/dev/null:/bin/false
      administrator:x:10000:548:administrator:/home/administrator:/bin/bash

      After that, first ssh administrator on localhost; after that you can run ssh administrator@10.10.12.143 and it will work.

  2. When I am running the command "smbpasswd -w redhat"
    Output: Setting stored password for "cn=Manager,dc=example,dc=com" in secrets.tdb
    Is it right or not?

    #net getlocalsid
    failed to bind to server ldap://127.0.0.1/ with dn="cn=Manager,dc=example,dc=com" Error: Invalid credentials
    (unknown)
    SID for domain LDAP is: S-1-5-21-2692471953-3316726557-1827536056

    What is the problem? Can you help me?

  3. Mr. Gopal Singh Bhandari

    I configured the Samba PDC with LDAP; after two months, when I log in through an SSH client, it shows the message:
    "You are required to change your LDAP password immediately." Please fix this issue.

    Regards,
    R.Lakshmaiah

  4. I cannot edit the server profile; I get the error "Cannot open config file! lam".
    And I cannot log in to LAM with the password I set before. I get the error "Cannot contact LDAP server".
    What is the problem? Can you help me fix it?
