Samba and LDAP Setup
This is a simple walkthrough on making a Linux server act as a Windows domain controller (a Samba 3, NT4-style primary domain controller, not Active Directory). With LDAP as the password backend the server scales to a few hundred users, rather than the 50 to 100 that the default local password database is comfortable with. This guide is very distro specific: CentOS 5 and RHEL 5. This is just a first draft of the guide and I will be improving it over time.
Please note that a line set on its own below is either a command to run (shown with the root prompt, #) or text that needs to be added to a configuration file.
First we need to install all the packages we need for the server.
yum install samba samba-client openldap openldap-servers openldap-clients
Then copy the Samba schema into the OpenLDAP schema directory. Adjust the path to match the Samba version you have installed:
#cp /usr/share/doc/samba-3.0.*/LDAP/samba.schema /etc/openldap/schema/samba.schema
Then we need to edit a few lines in the LDAP server configuration, /etc/openldap/slapd.conf. First add the following line next to the other includes at the top of the file:
include /etc/openldap/schema/samba.schema
Add the access rules to slapd.conf in the access-control section. The attribute-specific rule must come before the catch-all rule, because slapd applies the first access clause whose target matches, and a catch-all placed first would give everyone read access to the password hashes:
access to attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowLastChange
    by dn.children="ou=admin,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none
access to *
    by dn.children="ou=admin,dc=example,dc=com" write
    by * read
The second rule lets anonymous clients read every other attribute (uid, sambaSID, group membership and so on). That is tolerable while only Samba and the smbldap tools on 127.0.0.1 talk to slapd; if port 389 is reachable from the network, restrict it with a firewall or tighten the rule.
Then adjust suffix and rootdn in slapd.conf:
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
Use the slappasswd command to create a password hash for the rootdn and add it to slapd.conf as rootpw (replace the hash below with the one slappasswd printed for you; never put the cleartext password here):
rootpw {SSHA}QL9L55wK/tOnsHs9flW+jJlWmws7aR6d
Enable indexing on the attributes Samba looks accounts up by, to improve speed. If you add an index after the directory already holds data, stop slapd and run slapindex so the new index is built:
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
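The two access rules above, and the samba admin account that later binds through them, can be checked with the following script. It is an added example, not part of the original guide, and it assumes the guide's names: suffix dc=example,dc=com, rootdn cn=Manager, admin DN cn=samba,ou=admin,dc=example,dc=com and slapd on 127.0.0.1. The functions run offline on LDIF text; pass --live once slapd has been started and populated (later steps) to run slaptest and real ldapsearch/ldapwhoami checks against the server.

```shell
#!/bin/sh
# Added example, not code from the original guide: check the slapd.conf ACLs
# and the samba admin bind. Assumptions, as in the guide: suffix
# dc=example,dc=com, admin DN cn=samba,ou=admin,dc=example,dc=com and slapd
# on 127.0.0.1. "sh check-acl.sh --live" runs the live checks; without --live
# only the functions are defined.

SUFFIX="dc=example,dc=com"
ADMIN_DN="cn=samba,ou=admin,dc=example,dc=com"
LDAP_URI="ldap://127.0.0.1/"

# Attributes the first ACL clause protects. "by * none" must hide them from
# anonymous searches; "by anonymous auth" still lets clients bind with them.
SECRET_ATTRS="userPassword sambaLMPassword sambaNTPassword shadowLastChange"

# Read LDIF (ldapsearch -LLL output) on stdin and print every protected
# attribute that appears. Returns 0 if at least one is present, 1 if clean.
# Attribute names are case-insensitive in LDIF, hence grep -i; "^attr:" also
# matches base64 values written as "attr:: ...".
secret_attrs_present() {
    ldif=$(cat)
    present=1
    for attr in $SECRET_ATTRS; do
        if printf '%s\n' "$ldif" | grep -qi "^${attr}:"; then
            echo "$attr"
            present=0
        fi
    done
    return $present
}

# True if the DN is a strict descendant of ou=admin,$SUFFIX, which is what
# the ACL's dn.children="ou=admin,..." clause matches (the OU itself is not).
# DNs are compared case-insensitively with spaces after commas removed.
under_admin_ou() {
    dn=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g')
    sfx=$(printf '%s' "$SUFFIX" | tr 'A-Z' 'a-z' | sed 's/, */,/g')
    case "$dn" in
        ?*",ou=admin,$sfx") return 0 ;;
        *) return 1 ;;
    esac
}

live_check() {
    # 1. Syntax-check the configuration before (re)starting slapd.
    slaptest -u -f /etc/openldap/slapd.conf || return 1

    # 2. The admin DN must sit where the ACL grants it write access.
    under_admin_ou "$ADMIN_DN" || { echo "FAIL: $ADMIN_DN is not under ou=admin"; return 1; }

    # 3. An anonymous search of the user tree must not return any secret
    #    attribute. $SECRET_ATTRS is unquoted on purpose (one argument each).
    anon=$(ldapsearch -x -LLL -H "$LDAP_URI" -b "ou=People,$SUFFIX" \
               '(objectClass=sambaSamAccount)' $SECRET_ATTRS)
    printf '%s\n' "$anon" | grep -q '^dn:' \
        || echo "WARN: no sambaSamAccount entries yet; run smbldap-populate first"
    if printf '%s\n' "$anon" | secret_attrs_present; then
        echo "FAIL: anonymous search returns password attributes (check ACL order)"
        return 1
    fi
    echo "OK: anonymous search hides password attributes"

    # 4. The admin DN must be able to bind and read them (write implies read).
    ldapwhoami -x -H "$LDAP_URI" -D "$ADMIN_DN" -W || return 1
    if ! ldapsearch -x -LLL -H "$LDAP_URI" -D "$ADMIN_DN" -W -b "ou=People,$SUFFIX" \
            '(objectClass=sambaSamAccount)' sambaNTPassword | secret_attrs_present >/dev/null; then
        echo "FAIL: $ADMIN_DN cannot read sambaNTPassword (no accounts yet, or ACL wrong)"
        return 1
    fi
    echo "OK: $ADMIN_DN can read password attributes"
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run the live check twice: once as written, and once after deliberately swapping the two access rules in slapd.conf, to see the anonymous search start returning sambaNTPassword; that is the failure the rule order prevents.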
Next we need the smbldap-tools package from the RPMForge repository (see the RPMForge documentation for enabling the repository on CentOS/RHEL 5). After enabling RPMForge, install smbldap-tools so that accounts can be created in LDAP:
#yum install smbldap-tools
Now get the SID of the server. Set workgroup in /etc/samba/smb.conf to your domain name first, because the SID is generated for the workgroup name and renaming the workgroup later produces a different SID. Then run:
#net getlocalsid
Next edit /etc/smbldap-tools/smbldap.conf and add the SID exactly as printed, like this:
SID="S-1-5-21-2716683063-1859637689-668750523"
The same SID is written into the sambaDomain entry that smbldap-populate creates, so if Samba ever reports a different one, realign Samba with net setlocalsid rather than editing LDAP by hand.
Change suffix and sambaDomain to suit your domain name (sambaDomain must equal the workgroup), point masterLDAP and slaveLDAP at 127.0.0.1, and turn off TLS, since the directory runs on the same host:
ldapTLS="0"
With TLS off, the bind password and the sambaNTPassword hashes cross the wire in the clear, which is acceptable only over the loopback interface; if slapd ever moves to another host, leave ldapTLS="1" and set cafile to a CA you trust. The other options in the file are documented in place and are largely self-explanatory.
Now edit /etc/smbldap-tools/smbldap_bind.conf. Set masterDN and slaveDN to the DN the tools bind as (cn=Manager,dc=example,dc=com, since the samba admin account does not exist until after smbldap-populate has run) and masterPw and slavePw to that DN's password. The file holds a cleartext password, so keep it readable by root only (mode 0600).
Start LDAP
#/etc/init.d/ldap start
or
#service ldap start
Create the default LDAP containers, groups and accounts (ou=People, ou=Groups, ou=Computers, the well-known domain groups and the sambaDomain entry):
#smbldap-populate
Create the admin account that Samba will bind as. ldapadd reads LDIF from standard input: after entering your password the line stays blank, so start typing the dn: line there, and end each entry with an empty line (press return twice) so that ldapadd accepts it.
#ldapadd -cxW -D "cn=Manager,dc=example,dc=com"
Enter LDAP Password: securepassword
dn: ou=admin,dc=example,dc=com
objectclass: organizationalUnit
ou: admin

dn: cn=samba,ou=admin,dc=example,dc=com
objectclass: person
cn: samba
sn: Samba-Admin-User
userPassword: verysecure

Use ctrl+d (end of input) to exit ldapadd. Note that ldapadd stores userPassword exactly as given, so the value above stays in cleartext in the directory (the password-hash directive in slapd.conf only applies to the password modify operation); paste the {SSHA} hash that slappasswd prints for the password instead. Keep the cleartext password to hand, as Samba needs it for smbpasswd -w later.
Use authconfig to add LDAP as both the user and password source for the system (TLS is not enabled here because the server is on 127.0.0.1):
#authconfig --enableldap --enableldapauth --ldapserver=127.0.0.1 --ldapbasedn=dc=example,dc=com --update
Adjust the following options in the [global] section of /etc/samba/smb.conf (parameter names are case-insensitive; they are written here as the Samba documentation spells them):
workgroup = DOMAINNAME
ldap admin dn = cn=samba,ou=admin,dc=example,dc=com
ldap suffix = dc=example,dc=com
Add the following options to smb.conf:
passdb backend = ldapsam:ldap://127.0.0.1/
domain master = yes
domain logons = yes
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap passwd sync = yes
Edit the following (it is only used when unix password sync is on):
passwd program = /usr/sbin/smbldap-passwd %u
Comment out this line; with ldap passwd sync = yes Samba updates userPassword in LDAP itself, so the external program is not needed:
#unix password sync = yes
Store the LDAP admin password in Samba's secrets.tdb. This is the password of the ldap admin dn set above (cn=samba, created with userPassword verysecure), not the rootdn password; Samba uses it for every bind to the directory:
#smbpasswd -w verysecure
Start Samba. The smb init script starts both smbd and nmbd, and domain logons do not work unless nmbd is running, so check both with service smb status:
#/etc/init.d/smb start
or
#service smb start
Enable both services at boot with chkconfig ldap on and chkconfig smb on.
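The smb.conf steps above can be rendered and linted with the following script. It is an added example, not the original post's configuration, and it assumes the guide's names: domain EXAMPLE, ldap suffix dc=example,dc=com, ldap admin dn cn=samba,ou=admin,dc=example,dc=com and slapd on 127.0.0.1. Two settings go beyond what the guide lists and are marked as such in the code: security = user (a PDC must authenticate users itself) and add machine script, without which Samba cannot create a machine account in ou=Computers when a workstation joins. The lint catches the mistakes that most often break joins and password changes: a misspelled domain logons, an ldap admin dn outside the ldap suffix, both password-sync mechanisms switched on, and a missing add machine script. The bad configuration in the test is constructed.

```shell
#!/bin/sh
# Added example, not the original post's configuration: render the PDC
# [global] section and lint an smb.conf for common PDC mistakes.
# Assumptions: domain EXAMPLE, ldap suffix dc=example,dc=com,
# ldap admin dn cn=samba,ou=admin,dc=example,dc=com, slapd on 127.0.0.1.
# Usage: sh pdc-conf.sh --render                      print the [global] section
#        sh pdc-conf.sh --check [/etc/samba/smb.conf]  lint, then run testparm

render_global() {
    # $1 workgroup, $2 ldap suffix, $3 ldap admin dn
    cat <<EOF
[global]
    workgroup = $1
    ; added beyond the guide: a PDC must authenticate users itself
    security = user
    passdb backend = ldapsam:ldap://127.0.0.1/
    domain master = yes
    domain logons = yes
    ldap suffix = $2
    ldap admin dn = $3
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ; Samba rewrites userPassword itself, so no external passwd program is run
    ldap passwd sync = yes
    unix password sync = no
    passwd program = /usr/sbin/smbldap-passwd %u
    ; added beyond the guide: create the machine account at join time
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
EOF
}

# Print the value of parameter $1 from smb.conf text on stdin. Samba ignores
# case and whitespace in parameter names, so both are normalised before
# comparing; the value keeps everything after the first "=" (DNs contain "=").
conf_value() {
    awk -F= -v key="$1" '
        BEGIN { gsub(/[ \t]/, "", key); key = tolower(key) }
        /^[ \t]*[#;]/ { next }
        index($0, "=") == 0 { next }
        {
            k = tolower($1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# lowercase and strip spaces, for comparing DNs and yes/no values
norm() { printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' '; }
# helpers used by check_pdc_conf: look a parameter up in $CONF, record a problem
get() { printf '%s\n' "$CONF" | conf_value "$1"; }
bad() { echo "$1"; rc=1; }

# Lint smb.conf text on stdin: one line per problem, exit status 1 if any.
check_pdc_conf() {
    CONF=$(cat)
    rc=0
    case "$(norm "$(get 'passdb backend')")" in
        ldapsam:*) ;;
        *) bad "passdb backend is not ldapsam:ldap://..." ;;
    esac
    [ "$(norm "$(get 'domain master')")" = yes ] || bad "domain master must be yes on the PDC"
    [ "$(norm "$(get 'domain logons')")" = yes ] \
        || bad "domain logons must be yes (note the trailing s in the parameter name)"

    sfx=$(norm "$(get 'ldap suffix')")
    adn=$(norm "$(get 'ldap admin dn')")
    case "$adn" in
        ?*",$sfx") ;;
        *) bad "ldap admin dn '$adn' is not under ldap suffix '$sfx'" ;;
    esac

    if [ "$(norm "$(get 'ldap passwd sync')")" = yes ] \
       && [ "$(norm "$(get 'unix password sync')")" = yes ]; then
        bad "ldap passwd sync and unix password sync are both on; Samba already updates userPassword in LDAP"
    fi
    [ -n "$(get 'add machine script')" ] || bad "no add machine script: workstations cannot join automatically"
    return $rc
}

case "${1:-}" in
    --render) render_global EXAMPLE "dc=example,dc=com" "cn=samba,ou=admin,dc=example,dc=com" ;;
    --check)  f=${2:-/etc/samba/smb.conf}; check_pdc_conf < "$f" && testparm -s "$f" ;;
esac
```

After merging the rendered section into /etc/samba/smb.conf, run the --check mode: the lint reports configuration-level mistakes that testparm accepts silently (testparm only rejects unknown parameters, and an admin DN outside the suffix is not an error to it).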




Shyfur
Aug 11th 2011 @ 1:06 pm
Hey, thanks for your wonderful tutorial. I am getting an error while adding my XP client, and I need your help:
================================
Note: This information is intended for a network administrator. If you are not your network’s administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.
DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain isrtdu.com:
The query was for the SRV record for _ldap._tcp.dc._msdcs.isrtdu.com
The following domain controllers were identified by the query:
ldap.isrtdu.com
Common causes of this error include:
- Host (A) records that map the name of the domain controller to its IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.
For information about correcting this problem, click Help.
=========================
Please help me. Here I would like to mention that I can ping and the name can be resolved by nslookup.
Thanks and regards,
Shyfur
Shyfur
Sep 3rd 2011 @ 10:32 am
Solved ... :)
Josh
Sep 12th 2011 @ 11:19 am
How did you solve this? I am having the same problem.
Thanks.
Victor Z
Dec 8th 2011 @ 1:18 pm
Me too... How to fix? Thank you!
Shyfur
Dec 8th 2011 @ 1:32 pm
Configure the DNS well. Check your DNS SRV record. I am going to put my SRV records here.
_ldap._tcp.XXX.local. SRV 0 0 389 ds.XXX.local.
_ldap._tcp.dc._msdcs.XXX.local. SRV 0 0 389 ds.XXX.local.
Replace XXX with your domain name.
thanks.
//shyfur
Victor Zucarino
Jan 30th 2012 @ 12:16 pm
Hello all, in fact nmbd was stopped, so I added this to my /etc/init.d/smb:
echo -n $"Starting $KIND2 services: "
daemon nmbd $SMBDOPTIONS
Thanks!