Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Gentoo 2008 Samba dc Ldap HowTo - (Français/English)
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
christophe_y2k
n00b
n00b


Joined: 07 Jan 2008
Posts: 28
Location: EUROPE-FRANCE-MANDELIEU

PostPosted: Thu Aug 07, 2008 2:05 pm    Post subject: Gentoo 2008 Samba dc Ldap HowTo - (Français/English) Reply with quote

Bonjour à tous,
Mon objectif est de proposer une méthode fonctionnelle et utilisable pour configurer un serveur Linux Gentoo 2008.0 en contrôleur de domaine(PDC) Samba avec une gestion centralisée des Users avec OpenLDAP.
Je poste ici mes fichiers de configuration au fur et à mesure.
Bien sur mes sources sont celles des howto Gentoo et Wiki sur le sujet j'en remercie tous les auteurs & contributeurs
L'objectif est de manager entre 100 et 200 PC sous Microsoft Windows XP PRO avec environ 500 utilisateurs.
Merci de votre aide


Hello , (Sorry fr my English ... but I'm French)
The objective of this topic is to purpose an valid method to configure an Gentoo 2008.0 Linux server in Samba PDC with centralized users management by OpenLDAP.
I send my script and method here day after days.
I use the informations available on the Gentoo and Wiki documentations about this subject and i profit to say thank you to authors and contributors.
The objective is to manage 100~200 Microsoft Windows XP PRO computers and about 500 users.
Thanks you for your help


Architecture matériel:
Server Hardware:
Mon pseudo serveur est un vieux PC i925X P4 Série 6xx 3.0Ghz EM64T 4x1024Mo DDR2 3xHDD SATA le tout installé a partir install-amd64-minimal-20090108 - de base et en RAID5 software(MDADM) et XFS et UTF8 unicode plus un compte dyndns.org fonctionnel (accès via gentoo.cannet.dyndns.org)
My computer is an older Intel i925X PC Pentium4 EM64T 6xx serie 3.0Ghz with 4x1024Mo DDR2 installed with Gentoo install-amd64-minimal-20090108 - Basic install with software RAID5 (MDADM) and XFS with UTF8 unicode with link by dyndns.org account (access by gentoo.cannet.dyndns.org)
Code:
# nano -w /etc/make.conf

#VERSION 0.3 du Dimanche 1 Février 2009 17h50

CFLAGS="-O2 -march=nocona -pipe"
CHOST="x86_64-pc-linux-gnu"
CXXFLAGS="${CFLAGS}"
MAKEOPTS="-j3"
USE="acl apache2 bcmath branding bzip2 cgi cli crypt ctype cups curl curlwrappers exif gd hash iconv imap innodb ipv6 jpeg jpeg2k kerberos ldap ldap-sasl libwww mmx mysql mysqli nas ncurses nls nntp oav openssl pam pcre pdf perl php png python quotas raw readline reflection samba sasl sendmail session simplexml spl sse sse2 ssl syslog tcpd tiff truetype unicode usb vhosts xfs xinetd xml xmlreader xmlrpc xmlwriter zip zlib"

LINGUAS="fr fr_FR"
Configuration du réseau
Network configuration
Code:
# nano -w /etc/conf.d/net

nis_domain_lo="HARDWORKERS"
config_eth0=( "192.168.1.2 netmask 255.255.255.0 brd 192.168.1.255" )
routes_eth0=( "default via 192.168.1.1" )
mtu_eth0="1500"
Pour démarrer l'interface réseau au boot
Start network device at boot
Code:
# rc-update add net.eth0 default
Code:
# nano -w /etc/hosts

# VERSION 0.3 du Lundi 11 Août 2008 15h47

127.0.0.1    gentoo.cannet.dyndns.org   gentoo     localhost
::1      localhost
Pour commencer installation des logiciels
For start install software pack
Code:
# emerge --sync
# emerge -av samba openldap nss_ldap pam_ldap smbldap-tools
# emerge webmin
# emerge --update --deep --newuse world
# emerge --depclean
# revdep-rebuild

J'utilise le programme WEBMIN il est pratique pour editer les fichiers de configurations, via une
interface web et son explorateur de fichiers
J'utilise aussi SSH pour me connecter depuis un pc Windows avec le client ssh PUTTY

I use the WEBMIN software because it's easy to edit configuration files by web interface and the
integrated files explorer
I use ssh for connecting to linux server via my windows computer with PUTTY a client SSH
Code:
# whereis webmin
webmin: /etc/webmin /usr/libexec/webmin
# /usr/libexec/webmin/changepass.pl /etc/webmin root "Passwordxxxx"
# rc-update add webmin default
# /etc/init.d/sshd start
Pour accéder à webmin:
For webmin access:
Code:
https://gentoo:10000
Login="root" Password="Passwordxxxx"

Puis paramétrage des fichiers de configuration .conf des différents services
Files server configuration
Code:
# nano -w /etc/openldap/slapd.conf

#VERSION 0.1 du Jeudi 7 Aout 2008 16h23

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

password-hash {SSHA}

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

modulepath /usr/lib64/openldap/openldap
moduleload back_hdb.so

# BDB database definitions #

database hdb
suffix "dc=cannet,dc=dyndns,dc=org"
checkpoint 32 30
rootdn "cn=Manager,dc=cannet,dc=dyndns,dc=org"
rootpw {SSHA}5CmpqN7EUPrHDPzRJDcSnLivfoOmA4CG
directory /var/lib/openldap-data

index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
NOTE:
Pour obtenir le mot de passe {SSHA}xxxxx sur la ligne: rootpw {SSHA}5CmpqN7EUPrHDPzRJDcSnLivfoOmA4CG
du fichier de configuration précédent il faut utiliser la commande suivante

To obtain the {SSHA]xxxxx password for the line rootpw {SSHA}5CmpqN7EUPrHDPzRJDcSnLivfoOmA4CG
of precedent configuration file use this command
Code:
# slappasswd
New password: mon_mot_de_passe
Re-enter new password: mon_mot_de_passe
{SSHA}5CmpqN7EUPrHDPzRJDcSnLivfoOmA4CG
Code:
# nano -w /etc/openldap/ldap.conf

#VERSION 0.2 du Lundi 11 Août 2008 16h55

BASE   dc=cannet,dc=dyndns,dc=org
HOST   127.0.0.1
Code:
# nano -w /etc/conf.d/sldapd

#VERSION 0.2 du Jeudi 7 Aout 2008 17h20

OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
Copier le fichier suivant en modifiant son nom puis preserver le USER=ldap et GROUP=ldap
Copy this file and change this name and preserve USER=ldap and GROUP =ldap
/var/lib/openldap-data/DB_CONFIG.exemple --> /var/lib/openldap-data/DB_CONFIG
Code:
# cp /var/lib/openldap-data/DB_CONFIG.example /var/lib/openldap-data/DB_CONFIG
# chown -R ldap:ldap /var/lib/openldap-*
Tester le fichier de configuration du serveur OpenLDAP
Test the OpenLDAP server file configuration
Code:
# slaptest -u
config file testing succeeded
Puis démarrer le serveur
Start the service
Code:
# /etc/init.d/slapd start
* Caching service dependencies ...[ ok ]
* Starting ldap-server ...[ ok ]
Maintenant le début de la strcture de la base de données LDAP est crée dans /var/lib/openldap-data
The Beggining Structure files of OpenLDAP database in /var/lib/openldap-data
Code:
# ls -l /var/lib/openldap-data
total 5320
-rw-r--r-- 1 ldap ldap      2048 fév  1 17:55 alock
-rw------- 1 ldap ldap     24576 fév  1 17:55 __db.001
-rw------- 1 ldap ldap   4276224 fév  1 17:55 __db.002
-rw------- 1 ldap ldap 335552512 fév  1 17:55 __db.003
-rw------- 1 ldap ldap   2359296 fév  1 17:55 __db.004
-rw------- 1 ldap ldap    557056 fév  1 17:55 __db.005
-rw------- 1 ldap ldap     24576 fév  1 17:55 __db.006
-rw------- 1 ldap ldap       921 fév  1 16:50 DB_CONFIG
-rw------- 2 ldap ldap       921 fév  1 16:50 DB_CONFIG.example
-rw------- 1 ldap ldap      8192 fév  1 17:55 dn2id.bdb
-rw------- 1 ldap ldap     32768 fév  1 17:55 id2entry.bdb
-rw------- 1 ldap ldap  10485760 fév  1 17:55 log.0000000001
Pour que le service LDAP se lance automatiquement au démarrage du serveur
For start the LDAP service at boot server
Code:
# rc-update add slapd default
* slapd added to runlevel default
Mise en place de la gestion de l'authentification du système par LDAP
Authentication of system by LDAP service
Code:
# nano -w /etc/pam.d/system-auth
# Version 0.3 Du Dimanche 8 Février 2009 11h50
auth      required   pam_env.so
auth      sufficient   pam_unix.so      likeauth nullok # required<--sufficient & remove try_first_pass
#----Add\
auth      sufficient   pam_ldap.so      use_first_pass
auth      required   pam_deny.so
#----End/

account   sufficient   pam_unix.so      # required<--sufficient
#----Add\
account   sufficient   pam_ldap.so      use_first_pass
account   required   pam_deny.so
#----End/

password   required   pam_cracklib.so   difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password   sufficient   pam_unix.so      try_first_pass use_authtok nullok md5 shadow   # required<--sufficient
#----Add\
password   sufficient   pam_ldap.so      use_authtok
password   required   pam_deny.so
#----End/

session   required   pam_limits.so
session   required   pam_env.so
session   required   pam_unix.so
#----Add\
session   optional   pam_ldap.so
#----End/
Code:
# nano -w /etc/nsswitch.conf

# VERSION 0.2 du Dimanche 1 Février 2009 18h30
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $

passwd:      compat ldap #<-- We add ldap here
shadow:      compat ldap #<-- We add ldap here
group:       compat ldap #<-- We add ldap here

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files
Code:
# nano -w /etc/ldap.conf

# @(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $

#VERSION 0.3 du Lundi 11 Août 2008 16h57

BASE   dc=cannet,dc=dyndns,dc=org
HOST   127.0.0.1
ldap_version 3
rootbinddn cn=Manager,dc=cannet,dc=dyndns,dc=org

scope sub
bind_policy soft
pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_check_host_attr no
pam_member_attribute memberUid
pam_password exop

nss_base_passwd ou=Computers,dc=cannet,dc=dyndns,dc=org?sub
nss_base_passwd ou=Users,dc=cannet,dc=dyndns,dc=org?sub
nss_base_shadow ou=Users,dc=cannet,dc=dyndns,dc=org?sub
nss_base_group ou=Group,dc=cannet,dc=dyndns,dc=org?one

# For Gentoo's distribution of nss_ldap, as of 250-r1, we use these values
# (The hardwired constants in the code are changed to them as well):
nss_reconnect_tries 4      # number of times to double the sleep time
nss_reconnect_sleeptime 1      # initial sleep value
nss_reconnect_maxsleeptime 16   # max sleep value to cap at
nss_reconnect_maxconntries 2   # how many tries before sleeping
Voici le fichier de configuration de SAMBA
This is the SAMBA configuration file
Code:
# nano -w /etc/samba/smb.conf
#
# Fichier /etc/samba/smb.conf
# VERSION 1.0 Du Dimanche 01 Février 2009 18h51
#
[global]
#
workgroup = HARDWORKERS
netbios name = GENTOO
server string = Serveur Linux Gentoo64
#
log file = /var/log/samba/log.%m
max log size = 1024
syslog = 0
#
security = user
encrypt passwords = yes
null passwords = no
guest account = nobody
#
# Support des Acls
#nt acl support = yes
# Gestion des profils pour 2000/XP
#profile acls = yes
#
# Corbeille
#vfs objects = recycle
#recycle:versions = true
#
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#
domain logons = yes
domain master = yes
preferred master = yes
os level = 66
local master = yes
#
#printing = cups
#printcap name = cups
#
name resolve order = wins lmhosts host bcast
wins support = yes
wins proxy = yes
dns proxy = no
#
display charset = ISO8859-15
unix charset = utf8
dos charset = 850
#
hide dot files = yes
hide unreadable = yes
time server = yes
#
# Respect des noms de fichiers et de leur casse
preserve case = yes
short preserve case = yes
#
logon script = startup.cmd %U %L
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\%L\%U
#
#option LDAP
#
winbind nested groups = no
passdb backend = ldapsam:ldap://127.0.0.1/
#
ldap suffix = dc=cannet,dc=dyndns,dc=org
ldap admin dn = cn=Manager,dc=cannet,dc=dyndns,dc=org
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
#ldap delete dn = yes
ldap passwd sync = yes
#
#SMBLDAP-TOOLS
#
add user script = /usr/sbin/smbldap-useradd -m "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user script = /usr/sbin/smbldap-userdel "%u"
delete group script = /usr/sbin/smbldap-groupdel "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
#passwd program = /usr/sbin/smbldap-passwd -u %u
#
[homes]
   comment = Repertoire personnel de %U
   path = /home/%U
   valid users = %U
   browseable = no
   hide dot files = yes
   guest ok = no
   create mask = 0600
   directory mask = 0700
   writable = yes
#NB: I use veto files directive for antivirus workaround (clamwin doesn't work)
   veto files = /autorun.inf/Boot.exe/Recycled/lost+found/.recycle/
   hide files = /desktop.ini/

[COMMUN]
   comment = Espace commun
   path = /home/COMMUN
   valid users = %U
   browseable = yes
   hide dot files = yes
   guest ok = no
   create mask = 0640
   directory mask = 1755
   writable = yes
   veto files = /autorun.inf/Boot.exe/Recycled/lost+found/.recycle/
   hide files = /desktop.ini/

[netlogon]
   comment = Service de Login du reseau
   path = /var/lib/samba/netlogon/
   browseable = no
   read only = yes
   public = no
   writable = no
   locking = no

[profiles]
   path = /var/lib/samba/profiles
   browseable = no
   write list = @smbusers @root
   create mask = 0600
   directory mask = 0700
   read only = no
   writable = yes
   csc policy = disable

#[printers]
#   comment = Network Printers
#   path = /home/spool/
#   guest ok = Yes
#   printable = Yes
#   browseable = No
#
#[print$]
#   path = /var/lib/samba/printers
#   valid users = "@Print Operators"
#   write list = "@Print Operators"
#   create mask = 0664
#   directory mask = 0775
Création du mot de passe administrateur pour SAMBA
Create root password for SAMBA
Code:
# smbpasswd -w mon_mot_de_passe
Setting stored password for "cn=Manager,dc=cannet,dc=dyndns,dc=org" in secrets.tdb
Pour tester le fichier de configuration de SAMBA
For test the SAMBA configuration file
Code:
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[COMMUN]"
Processing section "[netlogon]"
Processing section "[profiles]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
Ajouter le service SAMBA au démarrage
Add SAMBA service to bootstart
Code:
# rc-update add samba default
 * samba added to runlevel default
Lancement du service SAMBA
Starting SAMBA service
Code:
 # /etc/init.d/samba start
 * samba -> start: smbd ...[ ok ]
 * samba -> start: nmbd ...[ ok ]
Récupération du SID pour le domaine
For get the SID of the domain
Code:
# net getlocalsid
SID for domain GENTOO is: S-1-5-21-3186872377-437259626-3819519935
Code:
# nano -w /etc/smbldap-tools/smbldap.conf

# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
# Fichier /etcsmbldap-tools/smbldap.conf
# VERSION 0.5 du Dimanche 1 Février 2009 19h42

# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $

# General Configuration

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-3186872377-437259626-3819519935"

sambaDomain=""

# LDAP Configuration

masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
verify="none"

suffix="dc=cannet,dc=dyndns,dc=org"

usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
#sambaUnixIdPooldn="sambaDomainName=HARDWORKERS,${suffix}"
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

# Unix Accounts Configuration

userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"

defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="365"

# SAMBA Configuration

userSmbHome=""
userProfile=""
userHomeDrive=""

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript=""

mailDomain="cannet.dyndns.org"

# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)

with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
Code:
# nano -w /etc/smbldap-tools/smbldap_bind.conf

# VERSION 0.1 du Vendredi 8 Août 2008 15h44

# Credential Configuration #

masterDN="cn=Manager,dc=cannet,dc=dyndns,dc=org"
masterPw="mon_mot_de_passe"
Code:
# /etc/init.d/nscd start
 * Starting Name Service Cache Daemon ...
Code:
# rc-update add nscd default
 * nscd added to runlevel default
Code:
 # smbldap-populate
 Populating LDAP directory for domain HARDWORKERS (S-1-5-21-3186872377-437259626-3819519935)
(using builtin directory structure)

adding new entry: dc=cannet,dc=dyndns,dc=org
adding new entry: ou=Users,dc=cannet,dc=dyndns,dc=org
adding new entry: ou=Groups,dc=cannet,dc=dyndns,dc=org
adding new entry: ou=Computers,dc=cannet,dc=dyndns,dc=org
adding new entry: ou=Idmap,dc=cannet,dc=dyndns,dc=org
adding new entry: uid=root,ou=Users,dc=cannet,dc=dyndns,dc=org
adding new entry: uid=nobody,ou=Users,dc=cannet,dc=dyndns,dc=org
adding new entry: cn=Domain Admins,ou=Groups,dc=cannet,dc=dyndns,dc=org
adding new entry: cn=Domain Users,ou=Groups,dc=cannet,dc=dyndns,dc=org
adding new entry: cn=Domain Guests,ou=Groups,dc=cannet,dc=dyndns,dc=org
adding new entry: cn=Domain Computers,ou=Groups,dc=cannet,dc=dyndns,dc=org
adding new entry: cn=Administrators,ou=Groups,dc=cannet,dc=dyndns,dc=org
adding new entry: cn=Account Operators,ou=Groups,dc=cannet,dc=dyndns,dc=org
adding new entry: cn=Print Operators,ou=Groups,dc=cannet,dc=dyndns,dc=org
adding new entry: cn=Backup Operators,ou=Groups,dc=cannet,dc=dyndns,dc=org
adding new entry: cn=Replicators,ou=Groups,dc=cannet,dc=dyndns,dc=org
adding new entry: sambaDomainName=HARDWORKERS,dc=cannet,dc=dyndns,dc=org

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
Premier test de recherche dans l'annuaire LDAP
First test , try to search Manager user in LDAP
Code:
# ldapsearch -D "cn=Manager,dc=cannet,dc=dyndns,dc=org" -x -W
Enter LDAP Password:mon_mot_de_passe
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# cannet.dyndns.org
dn: dc=cannet,dc=dyndns,dc=org
objectClass: dcObject
objectClass: organization
o: cannet
dc: cannet

# Users, cannet.dyndns.org
dn: ou=Users,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Users

# Groups, cannet.dyndns.org
dn: ou=Groups,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Groups

# Computers, cannet.dyndns.org
dn: ou=Computers,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Computers

# Idmap, cannet.dyndns.org
dn: ou=Idmap,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Idmap

# root, Users, cannet.dyndns.org
dn: uid=root,ou=Users,dc=cannet,dc=dyndns,dc=org
cn: root
sn: root
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: root
uidNumber: 0
homeDirectory: /home/root
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPrimaryGroupSID: S-1-5-21-3186872377-437259626-3819519935-512
sambaSID: S-1-5-21-3186872377-437259626-3819519935-500
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: BC8DF733E8DA0A1F511A02B6CACB6D18
sambaAcctFlags: [U]
sambaNTPassword: 7459BFEF7DCB7C2A72CBFB01D6A8D4F8
sambaPwdLastSet: 1233514448
sambaPwdMustChange: 1265050448
userPassword:: e1NTSEF9dEhGNUlDUkR3aTJIUmxaQ2hUR0Nrc05KV3AxTUxtbDE=
shadowLastChange: 14276
shadowMax: 365

# nobody, Users, cannet.dyndns.org
dn: uid=nobody,ou=Users,dc=cannet,dc=dyndns,dc=org
cn: nobody
sn: nobody
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 514
uid: nobody
uidNumber: 999
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaPrimaryGroupSID: S-1-5-21-3186872377-437259626-3819519935-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NUD        ]
sambaSID: S-1-5-21-3186872377-437259626-3819519935-2998
loginShell: /bin/false

# Domain Admins, Groups, cannet.dyndns.org
dn: cn=Domain Admins,ou=Groups,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-3186872377-437259626-3819519935-512
sambaGroupType: 2
displayName: Domain Admins

# Domain Users, Groups, cannet.dyndns.org
dn: cn=Domain Users,ou=Groups,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-3186872377-437259626-3819519935-513
sambaGroupType: 2
displayName: Domain Users

# Domain Guests, Groups, cannet.dyndns.org
dn: cn=Domain Guests,ou=Groups,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-3186872377-437259626-3819519935-514
sambaGroupType: 2
displayName: Domain Guests

# Domain Computers, Groups, cannet.dyndns.org
dn: cn=Domain Computers,ou=Groups,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-3186872377-437259626-3819519935-515
sambaGroupType: 2
displayName: Domain Computers

# Administrators, Groups, cannet.dyndns.org
dn: cn=Administrators,ou=Groups,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDom
 ainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators

# Account Operators, Groups, cannet.dyndns.org
dn: cn=Account Operators,ou=Groups,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 5
displayName: Account Operators

# Print Operators, Groups, cannet.dyndns.org
dn: cn=Print Operators,ou=Groups,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators

# Backup Operators, Groups, cannet.dyndns.org
dn: cn=Backup Operators,ou=Groups,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators

# Replicators, Groups, cannet.dyndns.org
dn: cn=Replicators,ou=Groups,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators

# HARDWORKERS, cannet.dyndns.org
dn: sambaDomainName=HARDWORKERS,dc=cannet,dc=dyndns,dc=org
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: HARDWORKERS
sambaSID: S-1-5-21-3186872377-437259626-3819519935
uidNumber: 1000
gidNumber: 1000
sambaNextRid: 1000
sambaPwdHistoryLength: 0

# search result
search: 2
result: 0 Success

# numResponses: 18
# numEntries: 17
Modification des droits sur les répertoires:
Modify the owner and right of the folders:

/home: User=root Group=root Droits: User=[Read Write List] Group=[Read List] Other=[Read List]
/home/COMMUN: User=root Group=513 Droits:User=[Read Write List] Group=[Read Write List] Other=[Read List] [Sticky set]
/home/COMMUN/xxx: User=xxx Group=513 Droits:User=[Read Write List] Group=[Read List] Other=[Read List] [Sticky set]
/var/lib/samba/profiles: User=root Group=root Droits:User=[Read Write List] Group=[Read List] Other=[Read Write List] [Sticky set]
Code:
# chmod -R 1757 /var/lib/samba/profiles
# chmod -R 0755 /home
# chmod -R 1755 /home/COMMUN
# chmod 1775 /home/COMMUN
# chown -R root:513 /home/COMMUN

Pour ajouter un utilisateur (LINUX et SAMBA)
Attention le nom d'utilisateur doit être en minuscules et sans accents ni espaces

For add user (LINUX and SAMBA)
The username must be in lower case with no special char & accents
Code:
# smbldap-useradd -a -m -P dapremont.christophe
Changing password for dapremont.christophe
New password : xxxxxxxxxx
Retype new password : xxxxxxxxxx

Pour ajouter une liste d'utilisateurs via un script (LINUX et SAMBA)
For add many users with a script (LINUX and SAMBA)
Code:
# nano -w addusers.sh
echo -e "password1\npassword1\n" | smbldap-useradd -a -m -P lastname1.firstname1
echo -e "password2\npassword2\n" | smbldap-useradd -a -m -P lastname2.firstname2
echo -e "password3\npassword3\n" | smbldap-useradd -a -m -P lastname3.firstname3
echo -e "password4\npassword4\n" | smbldap-useradd -a -m -P lastname4.firstname4
Ne pas oublier de rendre executable le script
Do not forget to modify the executable switch on the script
Code:
# chmod +x addusers.sh

Pour afficher tous les utiisateurs
For list all users
Code:
# pdbedit -L
root:0:root
nobody:65534:nobody
dapremont.christophe:1000:dapremont.christophe
Pour afficher les informations d'un utilisateur particulier
For print informations of one user
Code:
# pdbedit -Lv dapremont.christophe
Unix username:        dapremont.christophe
NT username:          dapremont.christophe
Account Flags:        [U          ]
User SID:             S-1-5-21-3186872377-437259626-3819519935-3000
Primary Group SID:    S-1-5-21-3186872377-437259626-3819519935-513
Full Name:            dapremont.christophe
Home Directory:       \\gentoo\dapremont.christophe
HomeDir Drive:        H:
Logon Script:         startup.cmd dapremont.christophe gentoo
Profile Path:         \\gentoo\profiles\dapremont.christophe
Domain:               HARDWORKERS
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 04:14:07 CET
Kickoff time:         Tue, 19 Jan 2038 04:14:07 CET
Password last set:    Mon, 02 Feb 2009 13:23:19 CET
Password can change:  Mon, 02 Feb 2009 13:23:19 CET
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Pour vérifier que l'utilisateur est valide pour linux
For test the validity of linux user account
Code:
# ssh dapremont.christophe@gentoo
Password:xxxxxxxxxx
christophe@gentoo / $exit
Verifier que le répertoire est bien crée sous home
The folder of new user under /home is ok?
Code:
# ls -l /home
total 0
drwxrwxr-t 2 root                 513 26 fév  2 13:21 COMMUN
drwx------ 3 dapremont.christophe 513 70 fév  2 13:23 dapremont.christophe
Pour supprimer un utilisateur et son répertoire home/xxx et son profile
For delete an user with /home/xxx and profile folder
Code:
# smbldap-userdel -r dapremont.christophe
# rm -r /var/lib/samba/profiles/dapremont.christophe

Editer le fichier startup.cmd qui sera lancé par chaque utilisateur du domaine au démarrage
Edit the file: startup.cmd this file start at login by domain user
Code:
# nano -w /var/lib/samba/netlogon/startup.cmd
@ECHO OFF
TITLE STARTUP.CMD V0.5 du Samedi 16 Aout 2008 17h15
ECHO Variable envoyee par le serveur : Utilisateur= %1
ECHO Variable envoyee par le serveur : Nom du serveur= %2
ECHO .
ECHO Bonjour %USERNAME%
ECHO Vous etes connecte sur le serveur %2
ECHO controleur du domaine %USERDOMAIN%
ECHO Depuis le poste %COMPUTERNAME%
ECHO .
ECHO Connection au partage reseau COMMUN associe au lecteur X:
NET USE X: \\gentoo\COMMUN /PERSISTENT:NO
EXIT
Maintenant il faut connecter un PC windows dans le domaine
It's time to enter in our windows domain

Un clic droit sur l'icone "poste de travail" puis choisir "propriétés" puis aller dans "Nom de l'ordinateur"
puis cliquer sur "Modifier"
entrer le nom de domaine ici "HARDWORKERS" puis vous serez invité à entrer un nom d'utilisateur autorisé, ici c'est "root" avec le mot de passe "mon_mot_de_passe" quand vous aurez validé il fauda entrer dans le domaine avec l'utilisateur normal crée ici "christophe" ne pas oublier de choisir le domaine ne pas laisser le nom du pc qui est affiché par défault

Right Click on My Computer. Click on properties. Select the Network Identification tab. Click on Properties.
In the Member of field, select Domain and enter HARDWORKERS in the text field.
Click OK. A user name and password box will appear. Enter for login root and password mon_mot_de_passe
Click OK to close window, and reboot
After reboot you use your normal user login christophe and password xxxxxxxxxx you must select to the valid domain HARDWORKERS not the local name of your computer



Construction en cours...
Under construction ...


Last edited by christophe_y2k on Tue Jul 07, 2009 9:43 pm; edited 132 times in total
Back to top
View user's profile Send private message
alex.blackbit
Advocate
Advocate


Joined: 26 Jul 2005
Posts: 2395

PostPosted: Thu Aug 07, 2008 2:42 pm    Post subject: Reply with quote

that's nice, but the article would be more useful if it had been written in english.
Back to top
View user's profile Send private message
bunder
Bodhisattva
Bodhisattva


Joined: 10 Apr 2004
Posts: 5213

PostPosted: Sun Aug 17, 2008 8:02 am    Post subject: Reply with quote

Moved from Networking & Security to Documentation, Tips & Tricks.
_________________
goodbye fgo. it was nice knowing you.
Back to top
View user's profile Send private message
clauc
n00b
n00b


Joined: 23 Aug 2008
Posts: 1

PostPosted: Sat Aug 23, 2008 8:30 am    Post subject: Reply with quote

Hi Christophe,

I just created an account on this forum only to say THANK YOU for this excelent tutorial. Good work!

Claudiu
Back to top
View user's profile Send private message
christophe_y2k
n00b
n00b


Joined: 07 Jan 2008
Posts: 28
Location: EUROPE-FRANCE-MANDELIEU

PostPosted: Sat Aug 23, 2008 8:35 am    Post subject: no problemo ! Reply with quote

:wink:
Back to top
View user's profile Send private message
lelik
Tux's lil' helper
Tux's lil' helper


Joined: 26 May 2005
Posts: 81
Location: Treasure Island

PostPosted: Tue Sep 09, 2008 9:14 pm    Post subject: Reply with quote

Hi Christophe,

Excellent tutorial.

I have a few questions though. If you could answer them it will be very much appreciated.

1. When
Code:
smbldap-populate

I got
Code:
failed to add entry: attribute 'sambaNextRid' not allowed at /usr/sbin/smbldap-populate line 499, <GEN1> line 235.


I had to change smbldap-tools/smbldap.conf to get rid of the error

Old line:
Code:
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"

New line:
Code:
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"


Have the original sambaUnixIdPooldn worked for you?

2. I got really confused with your Linux and Windows domain names. My understanding that your Linux domain is cannet.dyndns.org and your Windows domain is HARDWORKERS. Is this correct? Before I realized that I made a few typing mistakes and had to wipe out all the entries I made and repopulate dbs.

Code:
kilall -INT slapd; \
rm -r /var/lib/openldap-data/*; \
/usr/lib/openldap/slapd


Would you suggest a more cleaner way of doing it? Have I cleaned all the entries? How to check?

3. The last, but not the least is the most important question I have.
I have a small network with W2K server as a PDC and a few WinXps desktops as clients.
PDC is technically is not the right name as it's referencing a NT server, but we all understand what it is. W2K AD domain controllers split up the master operations roles. Active Directory will manage which domain controller ( DC ) has which master operations role. There are five master controller roles. By default, they are on the first domain controller in the domain.
I installed a new Gentoo machine following your guide with the intention to use as a PDC (first domain controller and probably only one DC). Old W2K server is to be put off-line as soon as I synchronize the global catalog and replicate existing users profiles. How to do that? I try to google it, but all I got is ideas for the old NT domain.
Mostly, it was pretty straightforward though: put PDC off-line, hack registry entries making it BDC, put it back on-line. But for W2K? Nothing.
Any tips? I am sure quite a few chaps will use your guide to transit existing AD rather then creating new network from scratch.

Merci, Merci et encore Merci
Back to top
View user's profile Send private message
christophe_y2k
n00b
n00b


Joined: 07 Jan 2008
Posts: 28
Location: EUROPE-FRANCE-MANDELIEU

PostPosted: Tue Sep 09, 2008 9:48 pm    Post subject: sorry .... Reply with quote

sorry but i need to sync my config files...

look i sync /etc/smbldap-tools/smbldap.conf

that certainly correct smbldap-populate
i'm remenber , have the same prob than you ....

And yes have samba workgroup name different with linux

i precice this config work now (with another domain name .... cannet.dyndns.org is my home server but now offline i need to remplace my older hdd)
on the other working domain have 120 windows computer and 600 potential users (300 user connected for 1 or + time)
it's ok with this config files
a need to increase security (tls ssl .... i need time)

in next days (little time per day) i complete this topics

but i spent more time this three weeks for this and i'm so so tired

i try to help you in the next days now i need to go to sleep!!!
Back to top
View user's profile Send private message
lelik
Tux's lil' helper
Tux's lil' helper


Joined: 26 May 2005
Posts: 81
Location: Treasure Island

PostPosted: Wed Sep 10, 2008 5:37 pm    Post subject: Reply with quote

Will wait.
Prenez votre temps.
Merci et Bonne Chance.
Back to top
View user's profile Send private message
steveL
Advocate
Advocate


Joined: 13 Sep 2006
Posts: 2452
Location: The Peanut Gallery

PostPosted: Thu Sep 11, 2008 5:41 pm    Post subject: Reply with quote

This is an excellent post, and I've bookmarked and recommended it to others; it's now in our bot in #friendly-coders as !samba. Well done, Christophe and take as much time as you need to rest. You've done a great job :-)
Back to top
View user's profile Send private message
lelik
Tux's lil' helper
Tux's lil' helper


Joined: 26 May 2005
Posts: 81
Location: Treasure Island

PostPosted: Tue Sep 23, 2008 6:20 pm    Post subject: Reply with quote

Any tips on how to copy current user accounts /profiles from the existing AD and tell the W2K that is not a master anymore?

Thanks.
Back to top
View user's profile Send private message
christophe_y2k
n00b
n00b


Joined: 07 Jan 2008
Posts: 28
Location: EUROPE-FRANCE-MANDELIEU

PostPosted: Wed Jan 14, 2009 2:44 pm    Post subject: migration Reply with quote

hello

I see this official topic for migration

http://samba.org/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html#id2655715
Back to top
View user's profile Send private message
lelik
Tux's lil' helper
Tux's lil' helper


Joined: 26 May 2005
Posts: 81
Location: Treasure Island

PostPosted: Wed Jan 14, 2009 7:46 pm    Post subject: Reply with quote

Thanks. It answered first part of my question.
By still how to demote an existing W2K computer and promote a newly created Linux machine to be a master controller for the existing AD?

Thanks.
_________________
... and the only thing that scares me is Keyser Söze
Back to top
View user's profile Send private message
aiezue
n00b
n00b


Joined: 29 Dec 2008
Posts: 8

PostPosted: Tue Mar 10, 2009 10:04 am    Post subject: Reply with quote

merci beaucoup. nice post
Back to top
View user's profile Send private message
adrs0061
n00b
n00b


Joined: 08 Jun 2009
Posts: 15

PostPosted: Mon Jun 15, 2009 4:39 am    Post subject: Reply with quote

thanks a lot for your hard work :D
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum