Monday, 23 September 2013

Step by Step Installation & Configuration of LDAP+SAMBA on CentOS 5


I am defining here installation and configuration of LDAP server and integrate with SAMBA services. If you will work windows at client side, Samba integration is necessary with LDAP otherwise NT Password will not be accepted by LDAP server. Here we will go step by step to configure LDAP and samba server.

I am using Cent OS 5.5 64 bit Operating system with kernel 2.6.18-194.el5.


I will use LDAP domain example.com for installation procedure.

1.       My system IP address is 10.226.2.66 and hostname is ldapnoida.example.com. If you are not using name server, add hostname entry into /etc/hosts file.

# vim /etc/hosts

10.226.2.66     ldapnoida.example.com ldapnoida


2.  I will install all packages from yum repository so please configure yum before installation the packages on server. I am not covering yum in this document. Here I will install openldap on server.

# yum install *openldap*

This command will install following LDAP packages on your system.
 
nss_ldap.i386          
nss_ldap.x86_64        
openldap.i386          
openldap.x86_64        
openldap-clients.x86_64
openldap-servers.x86_64
Available Packages
nss_ldap.i386          
nss_ldap.x86_64        

3.  Create LDAP password using slappasswd command. It gave here password root123 and generate cypted password as per below screenshot.I will paste this encrypted password in /etc/openldap/slapd.conf file.


4 .       Open file /etc/openldap/slapd.conf and update the following fields on ldap server.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw      {SSHA}+VQndTOziGTtICTQXuY8ExicsLjVlVxd
 5. Open file /etc/openldap/ldap.conf and update the following fields on ldap server.
 BASE dc=example,dc=com
URI  ldap://ldapnoida.example.com/
6. Open file /etc/ldap.conf and add the following lines into this.
base dc=example,dc=com
URI ldap://ldapnoida.example.com/
And comment the line
#host 127.0.0.1
7.   Restart the LDAP service on server.
# /etc/init.d/ldap restart
8.     Copy the DB_CONFIG.example file for slapd DBS/HDB database into LDAP configuration file.
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
9.     Restart the Ldap service and make ldap service on system boot.
# service ldap restart
# chkconfig ldap on
 10.    Update migrate_common.ph file for LDAP directory structure creation.
[root@ldapnoida ~]# cd /usr/share/openldap/migration/
[root@ldapnoida migration]# vim migrate_common.ph
$DEFAULT_MAIL_DOMAIN ="example.com";
$DEFAULT_BASE ="dc=example,dc=com";
11.      LDAP imports the directory structure into LDIF format so we are creating base structure LDIF file to import into LDAP directory.
[root@ldapnoida migration]#./migrate_base.pl > base.ldif
[root@ldapnoida migration]#ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f  base.ldif
It will ask LDAP password. Type ldap password as defined above “root123” and it will generate basic LDAP directory structure.
12.     Create a system user so that we can export system user into LDAP server.
root@ldapnoida  migration]# useradd jitendrakumar
root@ldapnoida migration ]#  passwd jitendrakumar
13.Migrate system account having uid above 500 into LDPP server.
[root@ldapnoida migration]# grep "x:[5-9][0-9][0-9]" /etc/passwd >passwd
[root@ldapnoida migration]# grep "x:[5-9][0-9][0-9]" /etc/group > group
[root@ldapnoida migration]#./migrate_passwd.pl passwd > passwd.ldif
[root@ldapnoida migration]#./migrate_group.pl group > group.ldif
[root@ldapnoida migration]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f passwd.ldif
[root@ldapnoida migration]# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f group.ldif
14.  Installing SAMBA packages on server.
[root@ldapnoida migration]# yum install *samba*
15.   Copy the Samba schema into LDAP schema repository.
cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema /etc/openldap/schema/
16.  Edit the file /etc/openldap/slapd.conf and include samba.schema location into ldap configuration file.
[root@ldapnoida migration]# vim /etc/openldap/slapd.conf
include         /etc/openldap/schema/samba.schema
17.     Restart the LDAP Service on server.
[root@ldapnoida migration]# service ldap restart
Stopping slapd:                                            [  OK  ]
Starting slapd:                                            [  OK  ]
[root@ldapnoida migration]#
18.     Download EPEL RPM package and install it on server.
[root@ldapnoida migration]# wget http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
--2013-09-20 14:58:00--  http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
Resolving dl.fedoraproject.org...209.132.181.27, 209.132.181.23, 209.132.181.24, ...
Connecting to dl.fedoraproject.org|209.132.181.27|:80...connected.
HTTP request sent, awaiting response... 200 OK
Length: 12232 (12K) [application/x-rpm]
Saving to: `epel-release-5-4.noarch.rpm'
100%[==============================================================================================================>] 12,232      --.-K/s   in 0.02s
2013-09-20 14:58:01 (739 KB/s) - `epel-release-5-4.noarch.rpm' saved [12232/12232]
[root@ldapnoida migration]  rpm –Uvh epel-release-5-4.noarch.rpm
19.     Install smbldap-tools and phpldapadmin on server.
[root@ldapnoida migration]# yum –y install smbldap-tools
[root@ldapnoida migration]# yum –enablerepo=epel –y install phpldapadmin
20.     Configure Phpldapadmin on server to manage LDAP DIT through graphically.
[root@ldapnoida ~]# vi /etc/httpd/conf.d/phpldapadmin.conf
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin/usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
Order Deny,Allow 
Deny from all 
Allow from 127.0.0.1 10.226.0.0/16 # IP address you allow
</Directory>
[root@ldapnoida ~]#/etc/rc.d/init.d/httpd restart
To access phpldapadmin use URL “http://(yourhostname or IP address)/ldapadmin “
21. To access phpldapadmin console user following credentials.
User Name: cn=Manager,dc=example,dc=com
Password: root123
Password is LDAP rootdn password as defined above in document.
22.     Take the backup of smb.conf and create a new
smb.conf file from ldap enabled configuration file on ldap server.
mv /etc/samba/smb.conf  /etc/samba/smb.conf.backup
cp /usr/share/doc/smbldap-tools-0.9.6/smb.conf /etc/samba/smb.conf
23.    Change the /etc/samba/smb.conf configuration file for LDAP.
[root@ldapnoida migration]# vim /etc/samba/smb.conf
       workgroup = example
  netbios name = ldap
      unix password sync = yes
      ldap passwd sync = yes
       passwd program = /usr/sbin/smbldap-passwd -u "%u"
       passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
        Dos charset = CP932
      Unix charset = UTF-8
 passdb backend = ldapsam:ldap://10.226.2.66/
        ldap admin dn = cn=Manager,dc=example,dc=com
       ldap suffix = dc=example,dc=com
       ldap group suffix = ou=Group
       ldap user suffix = ou=People
       admin users = admin
24.    Create following directory and set their permissions.
[root@ldapnoida  ~]#mkdir /home/netlogon
[root@ldapnoida  ~]# mkdir /home/profiles
[root@ldapnoida  ~]# chmod 777 /home/profiles.
25.      Restarted samba service and make it permanent.
[root@ldapnoida  ~]# service smb restart
[root@ldapnoida  ~]# chkconfig smb on
26.    Set the SAMBA Password.
[root@ldapnoida  ~]# smbpasswd –W
27.      Change to following directory and set the permission of configure.pl script.
[root@ldapnoida migration]# cd /usr/share/doc/smbldap-tools-0.9.6/
[root@ldapnoida smbldap-tools-0.9.6]# chmod 755 configure.pl
[root@ldapnoida smbldap-tools-0.9.6]#./configure.pl
You can check SID with “net getlocalsid” command. If it is same press enter.
Enter domain name to append to mail address [ ] > example.com


28.     Open file /usr/share/doc/smbldap-tools-0.9.6/smbldap.conf and change the required parameters into this file.
[root@ldapnoida smbldap-tools-0.9.6]# pwd
/usr/share/doc/smbldap-tools-0.9.6
[root@ldapnoida smbldap-tools-0.9.6]# net getlocalsid
[2013/09/20 15:50:03, 0] param/loadparm.c:map_parameter(2794)
Unknown parameter encountered: "min passwd length"
[2013/09/20 15:50:03, 0] param/loadparm.c:lp_do_parameter(3541)
Ignoring unknown parameter "min passwd length"
SID for domain LDAP is: S-1-5-21-3088606343-1201082996-3680957859
[root@ldapnoida smbldap-tools-0.9.6]# vi smbldap.conf
SID="S-1-5-21-3088606343-1201082996-3680957859"
slaveLDAP="ldapnoida.example.com"
masterLDAP="ldapnoida.example.com"
suffix="dc=example,dc=com"
sambaUnixIdPooldn="sambaDomainName=$example,${suffix}"
userSmbHome="\\ldap\%U"
userProfile=\\ldap\profiles\%U
mailDomain="example.com"
29.     Open file /usr/share/doc/smbldap-tools-0.9.6/smbldap.conf and change the required parameters into this file.
[root@ldapnoida smbldap-tools-0.9.6]# vim smbldap_bind.conf
# $Id: smbldap_bind.conf 35 2011-02-23 09:07:36Z fumiyas $
#
############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=Manager,dc=example,dc=com"
slavePw="root123"
masterDN="cn=Manager,dc=example,dc=com"
masterPw="root123"
30.     Restart the samba service and populate the LDAP DIT  on server.
[root@ldapnoida smbldap-tools-0.9.6]# service smb restart
[root@ldapnoida smbldap-tools-0.9.6]#  smbldap-populate
31.     Now I will create admin account and group for domain administrative account.
root@ldapnoida smbldap-tools-0.9.6]#  smbldap-groupadd –a admin
root@ldapnoida smbldap-tools-0.9.6]#  smbldap-useradd –am –g admin admin
32.      We can reset password of admin user with following command.

root@ldapnoida smbldap-tools-0.9.6]#  smbldap-passwd admin

19 comments:

  1. Replies
    1. This is spoon feeding documentation for Linux Admins. Enjoy!!!

      Delete
  2. How to enable ldap logging on server... Please let us know

    ReplyDelete
  3. Waah ustaad waah .....is tareh to hum dimaag lagana hi bhool jaayenge !! :p

    ReplyDelete
  4. Open file /etc/phpldapadmin/config.php and comment out these lines.

    $servers->newServer('ldap_pla');
    $servers->setValue('server','name','Jitendra LDAP Server');
    $servers->setValue('server','host','127.0.0.1');
    $servers->setValue('server','port',389);

    And you can login on phpldapadmin portal.

    ReplyDelete
  5. You can enable LDAP login on server by adding following entry into /etc/syslog.conf and restart syslog service.

    vi /etc/syslog.conf

    # Ldap Server Logs

    local4.* /var/log/ldap.log

    ReplyDelete
  6. how can we add windows client to samba domain.

    ReplyDelete
    Replies
    1. I am getting error unkown object class while smbldap-populate in some the groups adding

      Delete
  7. MIn password age can be set for individual user????

    ReplyDelete
  8. This is working ONLY for windows XP clients. Kindly inform how to use it for Windows 7 clients. Any additional package needs to be installed?

    ReplyDelete
  9. Hello Jitendra, I am unable to connect to phpldapadmin using password and users I created. Can you please help.

    ReplyDelete
  10. Getting issue while running following command i configured dns and ldap .
    But still facing this issue plz help me out

    [root@samba samba]# smbldap-populate
    Populating LDAP directory for domain datametica.com (S-1-5-21-2203322374-4166617578-3146684263)
    (using builtin directory structure)

    entry dc=datametica,dc=com already exist.
    entry ou=People,dc=datametica,dc=com already exist.
    entry ou=Group,dc=datametica,dc=com already exist.
    adding new entry: ou=,dc=datametica,dc=com
    failed to add entry: invalid DN at /usr/sbin/smbldap-populate line 500, line 22.
    entry ou=Idmap,dc=datametica,dc=com already exist.
    entry uid=root,ou=People,dc=datametica,dc=com already exist.
    adding new entry: uid=nobody,ou=People,dc=datametica,dc=com
    failed to add entry: objectClass: value #4 invalid per syntax at /usr/sbin/smbldap-populate line 500, line 87.
    adding new entry: cn=Domain Admins,ou=Group,dc=datametica,dc=com
    failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 500, line 99.
    adding new entry: cn=Domain Users,ou=Group,dc=datametica,dc=com
    failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 500, line 110.
    adding new entry: cn=Domain Guests,ou=Group,dc=datametica,dc=com
    failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 500, line 121.
    adding new entry: cn=Domain Computers,ou=Group,dc=datametica,dc=com
    failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 500, line 132.
    adding new entry: cn=Administrators,ou=Group,dc=datametica,dc=com
    failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 500, line 177.
    adding new entry: cn=Account Operators,ou=Group,dc=datametica,dc=com
    failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 500, line 199.
    adding new entry: cn=Print Operators,ou=Group,dc=datametica,dc=com
    failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 500, line 210.
    adding new entry: cn=Backup Operators,ou=Group,dc=datametica,dc=com
    failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 500, line 221.
    adding new entry: cn=Replicators,ou=Group,dc=datametica,dc=com
    failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 500, line 232.
    adding new entry: sambaDomainName=datametica.com,dc=datametica,dc=com
    failed to add entry: invalid DN at /usr/sbin/smbldap-populate line 500, line 240.

    ReplyDelete
  11. what about if we have both I eman window 8 and ubantu ? then what should I do?

    ReplyDelete
  12. when I am running command "ldapadd -x -W -D cn=Manager,dc=domain,dc=com -f base.ldif
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)"

    error is "ldap_bind: Invalid credentials (49)"

    Why I am getting this error .

    My configure file olcRootPW: hash password
    one space between : and hash password.

    ReplyDelete
  13. Have you ever considered about adding a little bit more than just your articles? I mean, what you say is fundamental and everything. Nevertheless just imagine if you added some great graphics or videos to give your posts more, "pop"! Your content is excellent but with pics and videos, this website could certainly be one of the best in its niche. Terrific blog!

    ReplyDelete
  14. I know this if off topic but I'm looking into starting my own blog and was curious what all is needed to get setup? I'm assuming having a blog like yours would cost a pretty penny? I'm not very internet smart so I'm not 100% sure. Any recommendations or advice would be greatly appreciated. Many thanks

    ReplyDelete
  15. Respect and I have a tremendous give: How Much Is Home Renovation home improvements

    ReplyDelete