Samba will serve three main purposes:
- Act as a Primary Domain Controller for Windows clients
- Serve the network printers to Windows clients
- Serve files to Windows and Linux clients
To act as a primary domain controller, Samba needs to access LDAP as the central authentication database.
Install Samba
yum install samba nscd
Load the Samba schema file into LDAP on the LDAP server.
It is located at /usr/share/doc/samba-3.0.28/LDAP/samba.schema on the Samba server.
Configure LDAP for Samba
We need to create the default organisational units for Samba so while log into phpldapadmin (assumed already installed), expand the root node and then click on:
Create new entry here
Select Organisational Unit and click Proceed.
Enter the information:
Organisational Unit -> users
and click Proceed
- NOTE: If Proceed is still greyed out, hit the ‘Tab’ key.
Now select Create Object to finally create it.
Repeat these three steps to create another two organisational units called:
groups
and
machines
Configure Samba for LDAP
To tell Samba to use LDAP database back end:
Stop Samba:
service samba stop
Open up /etc/samba/smb.conf and search for:
passdb backend = tdbsam
Delete that line and replace with:
passdb backend = ldapsam:ldap://IP address of LDAP server
ldap suffix = dc=simonandkate,dc=lan
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap admin dn = cn=Manager,dc=simonandkate,dc=lan
ldap delete dn = no
Samba has now been told to use LDAP. Now we need to tell Samba to act as a primary domain controller.
Still in the /etc/samba/smb.conf file, ensure that the following are set:
wins support = yes
name resolve order = lmhosts host wins bcast
security = user
domain logons = yes
domain master = auto
Add the following items (you should check to make sure they are not already there):
ldap password sync = yes
enable privileges = yes
preferred master = auto
local master = yes
This tells Samba to act as the primary domain controller for the network.
Now we need to ensure other components of running a primary domain controller exist, such as the profiles shares and logon paths.
Ensure that the following are set (make sure the paths are exactly as specified):
logon path = \\%N\profiles
logon drive = H:
logon home = \\%N\%U\data
logon script = logon.bat
The value %N is the netbios name of the server, %U is the Windows username. This means the logon path will be set to the profiles share from the server. The profiles share from the server (as you will see shortly) is actually a directory under the user’s home location called the profiles (and thus unique for each user). Similarly, the H:\ will be automatically mapped to the data directory in the user’s home location. Later we will make sure that these folders exist on the server.
- NOTE: If you want to give users individual logon scripts you can do so by changing logon script to:
logon script = %S.bat
Next, make sure that the Samba shares are configured. Here, %S is the Unix account, so the home share is on the physical directory /home/[username]/data/ on the server (this is what the H:\ is mapped to above).
Edit the shares to look like this (once again, make sure the paths are exactly as specified):
[homes]
comment = Home Directories
browseable = no
path = /home/%S/data
valid users = %S
writable = yes
create mask = 0600
directory mask = 0700
[netlogon]
comment = Network Logon Service
path = /data/samba/netlogon
guest ok = yes
writable = no
share modes = no
write list = @admins
[profiles]
comment = Users profiles
path = /home/%U/profiles
guest ok = no
browseable = no
create mask = 0600
directory mask = 0700
writable = yes
We store each user’s profile and data under their home directory. All other group information and shares are stored under the /data/samba/ directory.
When you have finished, save and exit the file.
Samba should now be configured as a primary domain controller, set to use LDAP and has the required shares enabled.
Before we restart Samba, let’s check its configuration with
testparm
You should see output something like this
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
This (should) tell you there were no errors and that the server’s role is as primary domain controller.
Set Samba LDAP Admin Password
Very importantly, we need to tell Samba the password for our LDAP admin account so that it can do fancy stuff. It sets the password for the LDAP account specified above in the smb.conf (cn=Manager,dc=simonandkate,dc=lan), so make sure that’s all correct.
To set the password, simply run:
smbpasswd -w [ldap admin password]
http://blog.simonandkate.net/20091230/samba-openldap-on-centos
Have a fun... ;)
Security warning: The rpmforge-release package imports GPG keys into your RPM database. As long as you have verified the md5sum of the key injection package, and trust Dag, et al., then it should be as safe as your trust of them extends.