Centos Directory Server and Samba

Install Centos Directory Server


1. Install the directory server and extras
centos 5: yum install centos-ds centos-idm-console
centos 6: yum install 389-ds 389-admin-console 389-console
centos 7: yum install  389-admin 389-admin-console 389-adminutil 389-ds 389-ds-console--enablerepo=epel-testing  [ epel-testing repo required as at August 2016]

2. Make sure DNS is set correctly to resolve the FQDN ldap hostname (forward AND reverse)

3. run /usr/sbin/setup-ds-admin.pl to setup both a new Directory Server instance AND Administration Server. Use /usr/sbin/setup-ds.pl to setup another LDAP instance.

4. Remember the Directory Manager (cn=Directory Manager by default) password.
N.B. When using this to access the LDAP server for full access it does NOT sit beneath the Base DN you specifiy. So don't include the Base DN in your LDAP client connection settings when you want to access the LDAP server using these credentials.

5. Configure PAM client and /etc/nsswitch.conf by running the following (changing the correct ldap server and ldap base dn details!):

authconfig --enableldap --enableldapauth --disablenis \
--ldapserver=host.example.com --ldapbasedn=dc=example,dc=com  \
--enablemkhomedir --enablelocauthorize
--updateall

Configure Samba Integration
1. yum install smbldap-tools

2. Include at least the following in /etc/samba/smb.conf:

security = user
passdb backend = ldapsam:ldap://example.co.nz
ldap admin dn = cn=Directory Manager
ldap suffix = dc=example,dc=com
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap ssl = off
add machine script = /usr/sbin/smbldap-useradd -w "%u"
admin users = administrator root other_admin_users_separated_by_spaces
wins support = yes
dns proxy = yes

Of course, change the ldap URI, LDAP suffix, and admin dn,  to reflect what  you set up when you installed the LDAP instance.

3. Edit the /etc/ldap.conf (centos6: /etc/pam_ldap.conffile to reflect the values for your install and setup of the Directory Server. I set the bind dn to the Directory Manager and also set the bindpw. Then I make sure to chmod 640 /etc/ldap.conf. Update: securing /etc/ldap.conf in this way can result in some daemons failing: Amavisd-New being one of them! Also set the nss_base_ settings for the Users, Computers, Groups, etc. N.B. It is possible to have many of one type of nss_base_ line. Also since Windows considers a machine to be a user login you will need to add the nss_base_passwd line that points to your Computers OU. eg:

 

nss_base_passwd ou=People,dc=example,dc=co,dc=nz?one

nss_base_shadow ou=People,dc=example,dc=co,dc=nz?one

nss_base_passwd ou=Computers,dc=example,dc=co,dc=nz?one

nss_base_shadow ou=Computers,dc=example,dc=co,dc=nz?one

nss_base_group ou=Groups,dc=example,dc=co,dc=nz?one

nss_base_hosts ou=Computers,dc=example,dc=co,dc=nz?one

4. Edit the /etc/smbldap-tools/smbldap_bind.conf with the correct master/slave DN and master/slave pw to allow the smbldap-tools to connect to the LDAP server. I make them both the same (master & slave).

5. Create a samba password for the ldap admin dn: smbpasswd -w <ldap-admin-dn-password> (as root)

6. Run net getlocalsid to retrieve the SID for your PDC

7. Edit the /etc/smbldap-tools/smbldap.conf with the correct:

a. SID

b. sambaDomain
(same as what you set for workgroup in /etc/samba/smb.conf). (I have found that this does need to be listed in this file even though the comments say it will pick it up from smb.conf - it doesn't!)

c. slaveLDAP and port

d. masterLDAP and port

e.ldapTLS="0"

f. usersdn, computersdn, groupsdn

g. Under Samba Config set the userSmbHome and userProfile to null (it will then use /etc/samba/smb.conf values)

 

8. Download this samba ldif schema file and place it in /etc/dirsrv/schema (that way any extra ldap servers you create will have it included by default) AND /etc/dirsrv/slapd-instance/schema: 61samba.ldif

9. Run smbldap-populate to fill the Directory Server with the correct entries required by Samba. And supply the root/administrator password at the end.

10. centos6 only: Centos uses SSSD as the security broker by default. And by default this daemon requires connection to the ldap server via SSL (ldaps). This will be a headache if you have a self-signed certificate. To stop using SSSD as the go-between broker (as in centos 5) change/add FORCELEGACY=yes in the /etc/sysconfig/authconfig and run authconfig --updateall. Also if you use legacy you will need to yum install pam_ldap nss-pam-ldapd.

 

N.B. Most problems I have had with implementation are the inconsistencies between what you specify for the dn of the Users, Computers, and Groups in the different configuration fles (/etc/ldap.conf, /etc/smbldap-tools/smbldap.conf, /etc/smbldap-tools/smbldap_bind.conf). Check, re-check, and re-check AGAIN!!! The OU's I normally use are ou=People, ou=Computers, ou=Groups. Something to watch also: plurality - eg: Group vs Groups!

N.B: If you want to use Windows 7 or Windows 2008 Server clients on your samba domain you will need to install the (later than stock Centos) 3rd-party samba3 packages from enterprisesamba.com (supplied by Sernet). Also some Client registry changes are required: See here for these.