Copy of a document found here:
(just exported as text in Acrobat & removed extra line breaks)


Also see this thread:


Other links that might be of interest:


And this project may be of interest to another
project - Openxchange on SME - see these links:


How to SAMBA+PDC+OpenLDAP
Author: Henry Gómez Noguera
Email: gomezhenry2302@yahoo.com.mx
Website: http://www.isfalpiz.com/
Release Tested: e-smith 5.6, SME 5.6
License: GPL
Last updated: March 17, 2005 03:54 PM



All the RPMs you will need are in ftp://ftp.redhat.com/pub/redhat/linux/updates/7.3/en/os/i386/

You can find more information at the following link:
http://hu.samba.org/samba/docs/man/Samba-Guide/index.html
In my opinion the best.

What you will need:
.. Read this whole paper and understand what you are going to do.
.. Don't do this on a production system.
.. You may need an Internet connection in order to install Perl modules.
.. Parameters when you are installing e-smith:
.. Domain (LDAP base): idealx.org
.. Name of server: PDC-SRV
.. Enable remote access (secure shell access).
.. Change the Windows workgroup from "mitel-networks" to "IDEALX-NT".
.. Set "Workgroup and Domain Controller" to yes.

.. Create a root SAMBA user:

smbadduser root:Administrador
pico /etc/smb.conf

Add the following lines at the end of the file:

[everything]
comment = Root File System
path = /
read only = No
guest ok = Yes

service smb restart

This share exposes the whole root file system over NetBIOS so that the root SAMBA
account just created can copy files onto the server. Note that, written like this, it is
also writable by anonymous (guest) clients from any host that can reach the server, so
treat it as a bootstrap share only: restrict it (for example "guest ok = No", "valid
users = root" and a "hosts allow" line with your workstation's address) and remove it
once the installation is finished. Since secure shell access is enabled, scp is a safer
way to move the files.

Copy http://www.isfalpiz.com/howtos/cpan.tar.gz into \\pdc-srv\everything\root\ and
unpack it there; it creates a folder named ".cpan" (the CPAN working directory). The
archive comes over plain HTTP and is unpacked into root's home, so look at its contents
before you unpack it.


RPMs and archives that you will need:
.. e-smith-service-control-1.1.0-06.noarch.rpm
.. sme-phpldapadmin-0.1-1MstSlp.noarch.rpm
.. cpan.tar.gz
.. glibc-kernheaders-2.4-7.14.i386.rpm
.. glibc-devel-2.2.5-34.i386.rpm
.. cpp-2.96-110.i386.rpm
.. gcc-2.96-110.i386.rpm
.. pam-0.75-46.7.3.i386.rpm
.. pam-devel-0.75-46.7.3.i386.rpm
.. pam_smb-1.1.6-9.7.i386.rpm
.. krb5-libs-1.2.4-11.i386.rpm
.. krb5-devel-1.2.4-11.i386.rpm
.. nscd-2.2.5-44.i386.rpm
.. nss_ldap-189-4.i386.rpm
.. openldap-2.0.27-2.7.3.i386.rpm
.. openldap-2.0.23-4es2 (already installed on SME; it gets removed in step 8)
.. openldap-devel-2.0.27-2.7.3.i386.rpm
.. openldap-clients-2.0.27-2.7.3.i386.rpm
.. openldap-servers-2.0.27-2.7.3.i386.rpm
.. samba-3.0.10.tar.gz




pico /etc/profile
Add the next line at the end of the file, below the last export ("export PATH USER LOGNAME....")
export PERLLIB=$PERLLIB:/usr/local/sbin

REASON: the file /usr/local/sbin/smbldap_conf.pm needs it to work properly.

Log out and log in again for the change to take effect.

1.- Install compilers

rpm -Uvh glibc-kernheaders-2.4-7.14.i386.rpm
rpm -Uvh glibc-devel-2.2.5-34.i386.rpm
rpm -Uvh cpp-2.96-110.i386.rpm
rpm -Uvh gcc-2.96-110.i386.rpm

2.- Install perl, CPAN bundles

cd /usr/local/
ln -s /usr/bin/openssl openssl
export PERL_READLINE_NOWARN=''

perl -MCPAN -e shell

> Let it run. Answer "no" when it asks about manual configuration.
> Once it stops you'll be at the cpan prompt. Type:

install Bundle::CPAN

> This installs many Perl modules for you. Answer "yes" to any dependency questions.
> When you get the question "Do you want to modify/update your configuration (y|n) ? [no]"
> the answer is "no". Once it is finished, hit "enter" to exit; it will run for a
> few seconds more and then bring you back to the cpan prompt. For good measure type:

reload cpan

install Net::SSLeay

> The install will fail; we continue and fix it next.

install Net::LDAP

> The install will fail; we continue and fix it next.
> When it asks "Auto-install the 1 optional module(s) from CPAN? [n]" answer "y",
> and answer "y" to any dependency questions.

> Type exit to quit the cpan prompt.

Now we fix Net::SSLeay and Net::LDAP by building the two failed modules by hand and copying the built libraries into the Perl library path:

cd /root/.cpan/build/Net_SSLeay.pm-1.25
perl Makefile.PL
make
make test
cd /root/.cpan/build/Net_SSLeay.pm-1.25/blib/lib
cp -r * /usr/lib/perl5/5.6.1

cd /root/.cpan/build/IO-Socket-SSL-0.96
perl Makefile.PL
make
make test
cd /root/.cpan/build/IO-Socket-SSL-0.96/blib/lib
cp -r * /usr/lib/perl5/5.6.1

Get into the CPAN shell again:

perl -MCPAN -e shell

install Net::SSLeay

install Net::LDAP

> Answer "y" to any dependency questions.

install Unicode::MapUTF8

> Answer "yes" to any dependency questions. This module will be necessary if you ever
> choose to use the idxldapaccounts webmin module.

install Crypt::SmbHash

install Convert::BER

exit

3.- Install service manager

rpm -Uvh e-smith-service-control-1.1.0-06.noarch.rpm

Refresh your server manager and uncheck the following services:

.. Macintosh file & print sharing
.. FTP server
.. Mail retrieval
.. Mail transport
.. Web proxy


4.- Install sme-phpldapadmin-0.1-1MstSlp.noarch.rpm

rpm -ivh sme-phpldapadmin-0.1-1MstSlp.noarch.rpm

It is installed in /opt/phpLdapAdmin
and you can reach it at https://pdc-srv/phpldapadmin/
Check it, please; you should see "dc=idealx,dc=org".

shutdown -r now

Test that LDAP access is OK:

ldapsearch -h localhost -p 389 -x

OUTPUT:
version: 2

#
# filter: (objectclass=*)
# requesting: ALL
#

# idealx, org
dn: dc=idealx,dc=org
objectClass: organization

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

service ldap restart

slapcat

OUTPUT:
dn: dc=idealx,dc=org
objectClass: organization

NOTE: slapcat reads the database files (/var/lib/ldap/id2entry.gdbm and friends)
directly, while the running slapd keeps them locked, so slapcat can fail right after
you have queried the server with ldapsearch. "slapcat -d -1" shows the reason; restarting
the LDAP service, as above, lets it run.

5.- Install pam-devel-0.75-46.7.3.i386.rpm

rpm -Uvh pam-0.75-46.7.3.i386.rpm
rpm -Uvh pam-devel-0.75-46.7.3.i386.rpm
mv /etc/pam_smb.conf /etc/pam_smb.conf.old
rpm -Uvh pam_smb-1.1.6-9.7.i386.rpm
pico /etc/pam_smb.conf

Delete the word WORKGROUP and put the following two lines in its place (domain, then PDC name):

IDEALX-NT
PDC-SRV

6.- Install krb5-devel

rpm -Uvh krb5-libs-1.2.4-11.i386.rpm
rpm -Uvh krb5-devel-1.2.4-11.i386.rpm

7.- Install the nscd rpms, in order to run "authconfig"

mv /etc/ldap.conf /etc/ldap.conf.old
rpm -Uvh nscd-2.2.5-44.i386.rpm
rpm -Uvh nss_ldap-189-4.i386.rpm

NOTE: The last rpm creates the file /etc/ldap.conf. This file is very important for
reaching our goal; if you get something wrong here you can lose access to your server.
Take care with it: keep a second root SSH session open while you work on NSS and PAM,
and do not log out of it until user lookups and logins have been verified.

Let's configure the /etc/ldap.conf file. On SME the file is generated from templates,
so the work is done on a custom copy of the template, not on /etc/ldap.conf itself:

mv /etc/ldap.conf /etc/ldap.conf.hgn
mkdir -p /etc/e-smith/templates-custom/etc/ldap.conf
cp /etc/ldap.conf.hgn /etc/e-smith/templates-custom/etc/ldap.conf/template-begin
cd /etc/e-smith/templates-custom/etc/ldap.conf

pico template-begin
.. Leave the line "#base dc=example,dc=com" commented out and write the next line below it:

base { esmith::util::ldapBase ($DomainName); }

.. Find the line with the comment "# nss_base_XXX {base?scope?filter}" (in my case it
was line 129) and delete the symbols { and }: e-smith templates treat anything between
braces as Perl code, so literal braces in a comment break the expansion.
.. In the "search scope" section, uncomment "#scope sub", i.e. delete the # sign.
.. Put a blank line under the line

#nss_base_passwd ou=People,dc=example,dc=com?one

and add the next 3 lines:

nss_base_passwd { esmith::util::ldapBase ($DomainName); }?sub
nss_base_shadow { esmith::util::ldapBase ($DomainName); }?sub
nss_base_group ou=Groups,{ esmith::util::ldapBase ($DomainName); }?one

If the next 2 lines don't exist in this file (template-begin), add them:

ssl no
pam_password md5

"ssl no" is acceptable only because the directory is on this same host (127.0.0.1);
never point this file at a remote LDAP server without TLS, or passwords and account
data cross the wire in the clear.

/sbin/e-smith/expand-template /etc/ldap.conf

8.- Update openldap rpms.

rpm -ivh --force openldap-2.0.27-2.7.3.i386.rpm
rpm -e --nodeps openldap-2.0.23-4es2
rpm -Uvh openldap-devel-2.0.27-2.7.3.i386.rpm
rpm -Uvh openldap-clients-2.0.27-2.7.3.i386.rpm
rpm -Uvh openldap-servers-2.0.27-2.7.3.i386.rpm

The last one creates the file /etc/openldap/slapd.conf.rpmnew; don't worry about it.

service ldap restart

ldapsearch -h localhost -p 389 -x

OUTPUT:
version: 2

#
# filter: (objectclass=*)
# requesting: ALL
#

# idealx, org
dn: dc=idealx,dc=org
objectClass: organization

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1



service ldap restart

slapcat


OUTPUT:
dn: dc=idealx,dc=org
objectClass: organization

and check your web LDAP browser ( https://pdc-srv/phpldapadmin/ ); if you can see the
entry there, everything is all right.


A very important moment: let's configure nscd:

authconfig

Match the following settings (when you check "Use LDAP" and "Use LDAP Authentication",
the Server and Base DN fields appear on the right; they must hold the values you put
into /etc/ldap.conf):

Cache Information
Use LDAP
    don't select "Use TLS"
    Server: 127.0.0.1
    Base DN: dc=idealx,dc=org
Use Shadow Passwords
Use MD5 Passwords
Use LDAP Authentication
    Server: 127.0.0.1
    Base DN: dc=idealx,dc=org

When you select Ok, it will start the "nscd" service.

chkconfig nscd on

Next is another very important moment.

9.- Update SAMBA to 3.0.10; we will build the rpm in order to update it.

Get samba-3.0.10.tar.gz and put it in \\pdc-srv\admin\samba (or wherever you like,
connecting to the share as user "admin"); then over ssh:

cd /home/e-smith/files/users/admin/home/samba/
gunzip samba-3.0.10.tar.gz
tar -xvf samba-3.0.10.tar
cd samba-3.0.10/packaging/RedHat
pico samba.spec

Add the next 5 lines to the configure options section, after --with-libsmbclient.
Don't forget the "\" at the end of the --with-libsmbclient line; the last added option
is the end of the list and takes none:

 --with-acl-support \
 --with-profile \
 --disable-static \
 --with-msdfs \
 --with-ldapsam

sh makerpms.sh

If everything is OK, let's update samba.

cd /usr/src/redhat/RPMS/i386/
rpm -Uvh samba-3.0.10-1.i386.rpm

This is the output:

[root@linux i386]# rpm -Uvh samba-3.0.10-1.i386.rpm
Preparing...                ########################################### [100%]
   1:samba                  warning: /etc/samba/smb.conf created as /etc/samba/smb.conf.rpmnew
                            ########################################### [100%]
Moving tdb files in /var/cache/samba/*.tdb to /var/lib/samba/*.tdb
Moving /var/cache/samba/brlock.tdb to /var/lib/samba/brlock.tdb
Moving /var/cache/samba/connections.tdb to /var/lib/samba/connections.tdb
Moving /var/cache/samba/locking.tdb to /var/lib/samba/locking.tdb
Moving /var/cache/samba/messages.tdb to /var/lib/samba/messages.tdb
Moving /var/cache/samba/ntdrivers.tdb to /var/lib/samba/ntdrivers.tdb
Moving /var/cache/samba/ntforms.tdb to /var/lib/samba/ntforms.tdb
Moving /var/cache/samba/ntprinters.tdb to /var/lib/samba/ntprinters.tdb
Moving /var/cache/samba/printing.tdb to /var/lib/samba/printing.tdb
Moving /var/cache/samba/sessionid.tdb to /var/lib/samba/sessionid.tdb
Moving /var/cache/samba/share_info.tdb to /var/lib/samba/share_info.tdb
Moving /var/cache/samba/unexpected.tdb to /var/lib/samba/unexpected.tdb
Installing stack version of /etc/pam.d/samba...
error: execution of %postun scriptlet from samba-2.2.5-10 failed, exit status 1
[root@linux i386]#

10.- Let's configure the OpenLDAP files:

.. /etc/openldap/ldap.conf:

cd /etc/e-smith/templates/etc/openldap/ldap.conf
mkdir -p /etc/e-smith/templates-custom/etc/openldap/ldap.conf
cp * /etc/e-smith/templates-custom/etc/openldap/ldap.conf
cd /etc/e-smith/templates-custom/etc/openldap/ldap.conf

In the future you can make any change here.

/sbin/e-smith/expand-template /etc/openldap/ldap.conf


.. /etc/openldap/slapd.conf:

cd /etc/e-smith/templates/etc/openldap/slapd.conf
mkdir -p /etc/e-smith/templates-custom/etc/openldap/slapd.conf
cp * /etc/e-smith/templates-custom/etc/openldap/slapd.conf
cd /etc/e-smith/templates-custom/etc/openldap/slapd.conf

pico 10schema
Add the following line below the line where nis.schema appears:
include /etc/openldap/schema/samba.schema

pico 90indexes
Comment out everything in this file and add the following lines:

# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index member eq
index default sub

NOTE: 91access is the most important file of all. It is the access control list that
decides who may read or write each attribute, so read up on it.

pico 91access
Add the following lines:
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
 by self write
 by anonymous auth
 by * none
access to *
 by * read

The first rule lets a user change only his own password hashes, lets anonymous clients
use them only to bind (they cannot read them) and denies everybody else. It must come
before the catch-all rule, because slapd applies the first rule that matches. The
catch-all makes everything else in the directory (names, uid/gid numbers, SIDs, home
paths) readable by anyone, which NSS needs here since nss_ldap binds anonymously. The
rootdn (cn=root) bypasses these ACLs entirely, which is why its password is the key to
the whole domain.

cp /usr/share/doc/samba-3.0.10/examples/LDAP/samba.schema /etc/openldap/schema/
/sbin/e-smith/expand-template /etc/openldap/slapd.conf
service ldap restart



Testing how it goes:

slapcat
OUTPUT:
dn: dc=idealx,dc=org
objectClass: organization

NOTE: The system is now using PAM with LDAP to authenticate users. If something is
wrong and you log off, you will not be able to log in again, so keep your existing
root session open until everything has been tested.

Check your page https://pdc-srv/phpldapadmin/
Still there? Yes? Then OK.

11.- Configure smbldap-tools

Copy the smbldap-tools.

Note that in /usr/local/sbin/ there is just one file: ipsec

cd /usr/share/doc/samba-3.0.10/examples/LDAP/smbldap-tools
cp *.p* /usr/local/sbin/
cd mkntpwd
make
make install
cd /usr/local/sbin/
ln -s /sbin/mkntpwd mkntpwd
chmod 750 *.pm
chmod 750 *.pl
chgrp 512 *.pm *.pl

NOTE: 512 = 0x200 = Domain Admins. Samba runs these scripts as root and
smbldap_conf.pm holds the LDAP bind password in cleartext, so nobody outside root and
Domain Admins should be able to read them and nobody but root should be able to write
them (mode 753 would leave them writable by everyone).

Let's configure smbldap-tools:

cd /usr/local/sbin
pico smbldap_conf.pm

Change each of the following values (left: as shipped; right: what to put):

$suffix = "dc=IDEALX,dc=COM";                 ->  $suffix = "dc=idealx,dc=org";
$usersou = q(_USERS_);                         ->  $usersou = q(Users);
$computersou = q(_COMPUTERS_);                 ->  $computersou = q(Computers);
$groupsou = q(_GROUPS_);                       ->  $groupsou = q(Groups);
$binddn = "cn=Manager,$suffix";                ->  $binddn = "cn=root,$suffix";
$_userLoginShell = q(_LOGINSHELL_);            ->  $_userLoginShell = q(/bin/bash);
$_userHomePrefix = q(_HOMEPREFIX_);            ->  $_userHomePrefix = q(/home/e-smith/files/users);
$_userSmbHome = q(\\\\_PDCNAME_\\homes);       ->  $_userSmbHome = q(\\\\pdc-srv\\%S);
$_userProfile = q(\\\\_PDCNAME_\\profiles\\);  ->  $_userProfile = q(\\\\pdc-srv\\profiles\\);
$_userHomeDrive = q(_HOMEDRIVE_);              ->  $_userHomeDrive = q(H);

The bind password for $binddn lives in the same file, in cleartext ($bindpasswd in this
release); its shipped default is "secret", which is what this howto later sets as the
slapd rootpw. If you choose a different rootpw (you should), change it here too.

NOTE: When you create an SMB user you must log in as that user and create a folder
named home inside his Linux home directory so that he can see it via NetBIOS.

12.- Let's configure the /etc/smb.conf file:
You can experiment on the file /etc/smb.conf; when you understand everything, modify
the template (anything written directly to /etc/smb.conf is lost at the next expansion).

cd /etc/e-smith/templates/etc/smb.conf
mkdir -p /etc/e-smith/templates-custom/etc/smb.conf
cp * /etc/e-smith/templates-custom/etc/smb.conf
cd /etc/e-smith/templates-custom/etc/smb.conf

pico 11addLDAP
Add the following lines:
; SAMBA-LDAP declarations
passdb backend = ldapsam:ldap://127.0.0.1/
# ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
#ldap admin dn = cn=root,dc=idealx,dc=org
ldap admin dn = cn=root,{ esmith::util::ldapBase ($DomainName); }
ldap suffix = dc=idealx,dc=org
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
#ldap ssl = start_tls
ldap ssl = No
ldap passwd sync = Yes
ldap delete dn = Yes
idmap backend = ldap:ldap://localhost
idmap uid = 10000-20000
idmap gid = 10000-20000
map acl inherit = Yes

As with /etc/ldap.conf, "ldap ssl = No" is only acceptable because slapd is reached over
127.0.0.1. "ldap admin dn" is the directory's rootdn, so smbd holds a credential that
bypasses every ACL; it is stored with smbpasswd -w further down.

pico 11addUserScript
Comment out the line
add user script = /sbin/e-smith/signal-event machine-account-create '%u'
and paste the following lines:

add user script = /usr/local/sbin/smbldap-useradd.pl -m "%u"
delete user script = /usr/local/sbin/smbldap-userdel.pl "%u"
add group script = /usr/local/sbin/smbldap-groupadd.pl -p "%g"
delete group script = /usr/local/sbin/smbldap-groupdel.pl "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod.pl -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod.pl -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod.pl -g "%g" "%u"
add machine script = /usr/local/sbin/smbldap-useradd.pl -w "%u"

pico 11unixPasswordSync
Comment out the line "unix password sync = Yes".
In /etc/smb.conf you will then see a line like:
#unix password sync = Yes

pico 11characterSet
Comment out the line "character set = $characterSet".
In /etc/smb.conf you will then see a line like:
#character set = ISO8859-1

pico 11clientCodePage
Comment out the line "client code page = $clientCodePage".
In /etc/smb.conf you will then see a line like:
#client code page = 850

("character set" and "client code page" are Samba 2.2 parameters; Samba 3 replaces
them with "unix charset" and "dos charset", which the next two templates set.)

pico 11DOScharacterSet
Add the next line to this file:
dos charset = 850

pico 11UNIXcharacterSet
Add the next line to this file:
unix charset = ISO8859-1

pico 11domainAdminGroup
Comment out the line "domain admin group = admin".

/sbin/e-smith/expand-template /etc/smb.conf

pico /etc/smb.conf
Add the next 5 lines at the end of the file. This is the same bootstrap share as at the
beginning; it disappears at the next template expansion, and you should remove it
yourself once the installation is finished:
[everything]
comment = Root File System
path = /
read only = No
guest ok = Yes

service smb restart
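The [everything] share added here and at the beginning of the howto exports the whole root file system, and as written anyone who can reach the server gets anonymous write access to it. The following shell script is an added check, not part of the original howto: it scans an smb.conf for shares that export / or that guests can write to, so you can confirm the bootstrap share is gone (or at least restricted) before the server goes into service. The smb.conf it tests is constructed inline and mirrors the share above plus a restricted variant; the 192.168.1.10 workstation address in it is a made-up example.

```sh
#!/bin/sh
# Added example, not part of the original howto: audit an smb.conf for shares that
# export the root file system or that anonymous (guest) clients can write to.

# audit_smbconf FILE
#   Prints "[share] reason ..." for every risky share; exit status 1 if any was found.
#   Handles the synonyms Samba accepts: "guest ok"/"public", "read only" and its
#   inverse "writable"/"writeable"/"write ok". Values are compared case-insensitively.
audit_smbconf() {
    awk '
        function flush() {
            if (share == "" || share == "global") return
            reason = ""
            if (path == "/") reason = reason " exports-root"
            if (guest ~ /^(yes|true|1)$/ && ro ~ /^(no|false|0)$/) reason = reason " guest-writable"
            if (reason != "") { print "[" share "]" reason; found = 1 }
        }
        /^[ \t]*\[/ {                         # new [section]: report the previous one
            flush()
            share = $0; sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
            path = ""; guest = "no"; ro = "yes"   # Samba defaults
            next
        }
        /^[ \t]*[;#]/ { next }                  # comment line
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, eq + 1));   gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "path") path = val
            else if (key == "guestok" || key == "public") guest = val
            else if (key == "readonly") ro = val
            else if (key == "writable" || key == "writeable" || key == "writeok") ro = (val ~ /^(yes|true|1)$/) ? "no" : "yes"
        }
        END { flush(); exit (found ? 1 : 0) }
    ' "$1"
}

# write_sample FILE: constructed smb.conf with the howto's bootstrap share and a
# restricted variant (192.168.1.10 stands for an assumed admin workstation).
write_sample() {
    cat > "$1" <<'EOF'
[global]
   workgroup = IDEALX-NT
   netbios name = PDC-SRV
   security = user

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[everything]
   comment = Root File System
   path = /
   read only = No
   guest ok = Yes

[bootstrap]
   comment = Root File System, admin only
   path = /
   read only = No
   guest ok = No
   valid users = root
   hosts allow = 127.0.0.1 192.168.1.10
EOF
}

# Demo run against the constructed file
f=$(mktemp)
write_sample "$f"
audit_smbconf "$f" || echo "-> risky shares found; restrict or remove them before the server goes live"
rm -f "$f"
```

Against the real server run audit_smbconf /etc/smb.conf; a non-zero exit means at least one share was flagged. The restricted [bootstrap] variant is still reported for exporting /, which is intended: a share of the root file system is never something to forget about, even when only root from one address can open it.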

cd /etc/e-smith/templates-custom/etc/openldap/slapd.conf
pico 80rootpw
Comment out the existing line (#rootpw SP0e..... or whatever it is) and put the new one just below it:
rootpw secret

"secret" is only the placeholder used throughout this howto (it is also what the
smbldap-tools configuration expects by default). On a real server pick a strong
password and prefer the hashed form that slappasswd generates; whoever knows this value
controls every account in the domain.

/sbin/e-smith/expand-template /etc/openldap/slapd.conf


service ldap restart
service nscd restart
service smb restart

NOTE: At this point you cannot reach the server via NetBIOS, because smbd is trying to
talk to LDAP and does not yet have the password to bind with. You can still access the
system via SSH.

smbpasswd -w secret

OUTPUT:
[root@pdc-srv smb.conf]# smbpasswd -w secret
Setting stored password for "cn=root,dc=idealx,dc=org" in secrets.tdb

Hey, if you are OK at this time, your smb is ready to talk with LDAP!!!!! Let's test it!!!!

Since we changed the password in /etc/openldap/slapd.conf to "secret",
https://pdc-srv/phpldapadmin/ doesn't work any more!!! We fix that in a while; let's continue...

Testing SAMBA:
smbclient -L localhost -U%
OUTPUT:
[root@pdc-srv openldap]# smbclient -L localhost -U%
Domain=[IDEALX-NT] OS=[Unix] Server=[Samba 3.0.10]



 Sharename Type Comment
 --------- ---- -------
 Primary Disk Primary site
 print$ Disk Printer drivers
 IPC$ IPC IPC Service (Mitel Networks SME Server)
 ADMIN$ IPC IPC Service (Mitel Networks SME Server)
Domain=[IDEALX-NT] OS=[Unix] Server=[Samba 3.0.10]

 Server Comment
 --------- -------
 PDC-SRV Mitel Networks SME Server

 Workgroup Master
 --------- -------
 IDEALX-NT PDC-SRV

Can you see something like that? Good, you are on the right track.

Let's fix https://pdc-srv/phpldapadmin/
cd /opt/phpLdapAdmin
cp config.php config.php.hgn
pico config.php

Change:
 $servers[$i]['login_pass'] = 'SP0euyhfVU..or whatever....';   ->  $servers[$i]['login_pass'] = 'secret';
 $servers[$i]['default_hash'] = 'crypt';                         ->  $servers[$i]['default_hash'] = '';

config.php (and the backup config.php.hgn, which holds the old rootpw) now contains the
directory's root password in cleartext; make sure only the web server user can read
these files.

Check https://pdc-srv/phpldapadmin/ again... it's working again.

Let's continue...

net getlocalsid
OUTPUT:
SID for domain PDC-SRV is: S-1-5-21-3359933246-2108200770-1561940351

This is the SID of my system; yours will be different. Copy your SID and paste it into
/usr/local/sbin/smbldap_conf.pm; there is a place for it ($SID = "...";). Every
sambaSID that smbldap-tools writes to the directory is derived from this value, so it
must be exactly the one Samba reports, or the accounts and group mappings will not
belong to your domain. (The sample outputs further down in this document were captured
on different installs, which is why their SID prefixes differ from this one.)

pico /usr/local/sbin/smbldap_conf.pm
paste the new SID

service ldap restart
service nscd restart
service smb restart

LDAP initialization and creation of user and group accounts:
smbldap-populate.pl
OUTPUT (the "Already exists" error for dc=idealx,dc=org is expected: e-smith had
already created the base entry, as the slapcat output earlier showed):
Using builtin directory structure


adding new entry: dc=idealx,dc=org
failed to add entry: Already exists at /usr/local/sbin/smbldap-populate.pl line 323, <GEN1> line 2.
adding new entry: ou=Users,dc=idealx,dc=org
adding new entry: ou=Groups,dc=idealx,dc=org
adding new entry: ou=Computers,dc=idealx,dc=org
adding new entry: uid=Administrator,ou=Users,dc=idealx,dc=org
adding new entry: uid=nobody,ou=Users,dc=idealx,dc=org
adding new entry: cn=Domain Admins,ou=Groups,dc=idealx,dc=org
adding new entry: cn=Domain Users,ou=Groups,dc=idealx,dc=org
adding new entry: cn=Domain Guests,ou=Groups,dc=idealx,dc=org
adding new entry: cn=Administrators,ou=Groups,dc=idealx,dc=org
adding new entry: cn=Users,ou=Groups,dc=idealx,dc=org
adding new entry: cn=Guests,ou=Groups,dc=idealx,dc=org
adding new entry: cn=Power Users,ou=Groups,dc=idealx,dc=org
adding new entry: cn=Account Operators,ou=Groups,dc=idealx,dc=org
adding new entry: cn=Server Operators,ou=Groups,dc=idealx,dc=org
adding new entry: cn=Print Operators,ou=Groups,dc=idealx,dc=org
adding new entry: cn=Backup Operators,ou=Groups,dc=idealx,dc=org
adding new entry: cn=Replicator,ou=Groups,dc=idealx,dc=org
adding new entry: cn=Domain Computers,ou=Groups,dc=idealx,dc=org

Testing:

Test 1: Verify group mapping

net groupmap list

OUTPUT:
Domain Admins (S-1-5-21-318969787-2811654421-2933099056-512) -> Domain Admins
Domain Users (S-1-5-21-318969787-2811654421-2933099056-513) -> Domain Users
Domain Guests (S-1-5-21-318969787-2811654421-2933099056-514) -> Domain Guests
Administrators (S-1-5-21-318969787-2811654421-2933099056-544) -> Administrators
users (S-1-5-21-318969787-2811654421-2933099056-545) -> Users
Guests (S-1-5-21-318969787-2811654421-2933099056-546) -> Guests
Power Users (S-1-5-21-318969787-2811654421-2933099056-547) -> Power Users
Account Operators (S-1-5-21-318969787-2811654421-2933099056-548) -> Account Operators
Server Operators (S-1-5-21-318969787-2811654421-2933099056-549) -> Server Operators
Print Operators (S-1-5-21-318969787-2811654421-2933099056-550) -> Print Operators
Backup Operators (S-1-5-21-318969787-2811654421-2933099056-551) -> Backup Operators
Replicator (S-1-5-21-318969787-2811654421-2933099056-552) -> Replicator
Domain Computers (S-1-5-21-318969787-2811654421-2933099056-553) -> Domain Computers

Test 2: Verify LDAP search

ldapsearch -h localhost -p 389 -x

slapcat

If "slapcat" cannot access the id2entry.gdbm file (the running slapd holds it), run
"service ldap restart" and try again. You should see something like this (the SID
prefix in your own dump must be the one "net getlocalsid" reported on your server; this
sample came from a different install):

dn: cn=Replicator,ou=Groups,dc=idealx,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicator
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-21-4274089402-4106609864-1284629750-552
sambaGroupType: 2
displayName: Replicator
creatorsName: cn=root,dc=idealx,dc=org


createTimestamp: 20050316203350Z
modifiersName: cn=root,dc=idealx,dc=org
modifyTimestamp: 20050316203350Z

dn: cn=Print Operators,ou=Groups,dc=idealx,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-21-4274089402-4106609864-1284629750-550
sambaGroupType: 2
displayName: Print Operators
creatorsName: cn=root,dc=idealx,dc=org
createTimestamp: 20050316203350Z
modifiersName: cn=root,dc=idealx,dc=org
modifyTimestamp: 20050316203350Z

dn: uid=Administrator,ou=Users,dc=idealx,dc=org
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
gidNumber: 512
uid: Administrator
uidNumber: 998
homeDirectory: /home/e-smith/files/users
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\pdc-srv\%S
sambaHomeDrive: H
sambaProfilePath: \\pdc-srv\profiles\
sambaPrimaryGroupSID: S-1-5-21-4274089402-4106609864-1284629750-512
sambaLMPassword: XXX
sambaNTPassword: XXX
sambaAcctFlags: [U ]
sambaSID: S-1-5-21-4274089402-4106609864-1284629750-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator
creatorsName: cn=root,dc=idealx,dc=org
createTimestamp: 20050316203348Z
modifiersName: cn=root,dc=idealx,dc=org
modifyTimestamp: 20050316203348Z
……..
……..
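Two things are worth checking mechanically at this point: that the SID pasted into smbldap_conf.pm is exactly the one net getlocalsid reported and that every sambaSID in the directory hangs under it, and that an anonymous ldapsearch -x really does not return the password attributes the 91access ACL is meant to hide. The script below is an added example, not part of the original howto, and goes a little beyond the text: it parses saved net getlocalsid output, rewrites the $SID line in smbldap_conf.pm without losing the file's mode and group, and audits an LDIF dump on both counts. All of its inputs are constructed inline; the SIDs in them are the ones that appear in this document's own sample outputs (which, as noted above, came from different installs), so the mismatch it reports is deliberate.

```sh
#!/bin/sh
# Added example, not part of the original howto: keep the domain SID consistent between
# "net getlocalsid", smbldap_conf.pm and the directory, and check what an anonymous
# client may read. All inputs below are constructed; the SIDs are the ones that appear in
# this document's own sample outputs.

# sid_ok SID -> exit 0 if SID is a Samba domain SID (S-1-5-21-x-y-z, no RID)
sid_ok() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$'
}

# parse_localsid FILE -> prints the SID from saved "net getlocalsid" output
parse_localsid() {
    sid=$(sed -n 's/^SID for domain .* is: \(S-[-0-9]*\)[[:space:]]*$/\1/p' "$1" | head -n 1)
    sid_ok "$sid" && printf '%s\n' "$sid"
}

# conf_sid CONF -> prints the value of $SID currently set in smbldap_conf.pm
conf_sid() {
    sed -n 's/^[[:space:]]*\$SID[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# set_conf_sid CONF SID -> rewrite the $SID = "..."; line. The file is overwritten in
# place (cat, not mv) so its restrictive mode and group survive: it holds the LDAP
# bind password.
set_conf_sid() {
    sid_ok "$2" || return 2
    awk -v sid="$2" '
        /^[ \t]*\$SID[ \t]*=/ { print "$SID = \"" sid "\";"; done = 1; next }
        { print }
        END { if (!done) exit 1 }
    ' "$1" > "$1.new" || { rm -f "$1.new"; return 1; }
    cat "$1.new" > "$1" && rm -f "$1.new"
}

# check_sid_prefix LDIF SID -> lists entries whose sambaSID is not under SID; exit 1 if any
check_sid_prefix() {
    awk -v sid="$2" '
        /^dn: /       { dn = substr($0, 5) }
        /^sambaSID: / { s = substr($0, 11); if (index(s, sid "-") != 1) { print dn " -> " s; bad = 1 } }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# check_no_secrets LDIF -> exit 0 if no password attribute appears. An anonymous
# "ldapsearch -x" dump must pass this under the 91access ACL; slapcat will not, since
# it reads the database directly.
check_no_secrets() {
    ! grep -Eiq '^(userPassword|sambaLMPassword|sambaNTPassword):' "$1"
}

# ---- constructed samples ----------------------------------------------------------
LOCALSID='S-1-5-21-3359933246-2108200770-1561940351'
write_samples() {   # $1 = scratch directory
    printf 'SID for domain PDC-SRV is: %s\n' "$LOCALSID" > "$1/getlocalsid.out"
    printf '%s\n' '# smbldap_conf.pm (excerpt)' \
        '$SID = "S-1-5-21-318969787-2811654421-2933099056";' \
        '$suffix = "dc=idealx,dc=org";' > "$1/smbldap_conf.pm"
    cat > "$1/slapcat.ldif" <<EOF
dn: cn=Domain Admins,ou=Groups,dc=idealx,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
sambaSID: $LOCALSID-512

dn: cn=Replicator,ou=Groups,dc=idealx,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
sambaSID: S-1-5-21-4274089402-4106609864-1284629750-552

dn: uid=Administrator,ou=Users,dc=idealx,dc=org
objectClass: sambaSamAccount
sambaSID: $LOCALSID-2996
sambaNTPassword: XXX
EOF
    grep -v 'Password:' "$1/slapcat.ldif" > "$1/anon.ldif"   # what ldapsearch -x should return
}

# Demo
d=$(mktemp -d)
write_samples "$d"
sid=$(parse_localsid "$d/getlocalsid.out")
set_conf_sid "$d/smbldap_conf.pm" "$sid" && echo "smbldap_conf.pm now carries $(conf_sid "$d/smbldap_conf.pm")"
check_sid_prefix "$d/slapcat.ldif" "$sid" || echo "-> the entries above carry another domain's SID and will not map to this PDC"
check_no_secrets "$d/slapcat.ldif" || echo "slapcat bypasses the ACL, so it shows password hashes"
check_no_secrets "$d/anon.ldif"    && echo "the anonymous view hides the password attributes"
rm -rf "$d"
```

On the real server feed it net getlocalsid > /tmp/sid.out, /usr/local/sbin/smbldap_conf.pm, and the output of slapcat and of an anonymous ldapsearch -x -h localhost -b dc=idealx,dc=org saved to files. If check_no_secrets fails on the anonymous dump, the 91access rules are in the wrong order or were not expanded; if check_sid_prefix lists entries, the SID was pasted wrong before smbldap-populate.pl ran and those entries have to be recreated.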

NOTE:
Check https://pdc-srv/phpldapadmin/; you should now see the tree of users and groups.
The users nobody and Administrator were created by the smbldap-populate.pl script; you
only need to set a password for Administrator in order to use it.

cd /usr/local/sbin

smbldap-passwd.pl Administrator
mkdir -p /home/e-smith/files/users/Administrator/home
chown -R Administrator:"Domain Admins" /home/e-smith/files/users/Administrator

In "cmd" use "net use * /delete" to drop any existing connections, then
try via NetBIOS \\pdc-srv using the "Administrator" user and the password you created above.

Test 3: Create a Unix (POSIX) user account

smbldap-useradd.pl -m testuser1
smbldap-passwd.pl testuser1
ssh testuser1@pdc-srv

Test 4: Create a Samba user account

smbldap-useradd.pl -a -m -c "John Doo" jdoo
smbldap-passwd.pl jdoo
ssh jdoo@pdc-srv
mkdir home

In "cmd" use "net use * /delete", then
try via NetBIOS \\pdc-srv using the "jdoo" user and the password you created above.




You must now make certain that the NSS resolver can also query LDAP. Run the
following commands:

getent passwd

OUTPUT: At the end you should see something similar to this:
Administrator:x:998:512:Netbios Domain Administrator:/home/e-smith/files/users:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
testuser1:x:1000:513:System User:/home/e-smith/files/users/testuser1:/bin/bash
jdoo:x:1001:513:John Doo:/home/e-smith/files/users/jdoo:/bin/bash

getent group | grep Domain

Domain Admins:x:512:Administrator
Domain Users:x:513:testuser1,jdoo
Domain Guests:x:514:
Domain Computers:x:553:

To join clients to the DOMAIN:

In the workgroup panel of https://pdc-srv/server-manager you can now enable "Roaming profiles".

chmod 1777 /home/e-smith/files/samba/profiles

The RequireSignOrSeal and RequireStrongKey registry keys (gathered from the Samba-TNG
lists) were needed for Windows 2000 and XP clients to join and log on to older Samba
domains:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogon\parameters
"requirestrongkey"=dword:00000000
"requiresignorseal"=dword:00000000

Both settings weaken the NETLOGON secure channel on the client. Samba 3.0 supports the
signed and sealed channel (its schannel support is on by default), so try the join first
without touching the registry and only change these values if the join actually fails.

Create a root user in LDAP:

This user will be the only one able to join Windows 2000 and XP workstation clients to
the domain. You can create other "Domain Admins" but I don't know.
To create this false user (false because the user root should be present in your system
files, not in LDAP), just issue the following commands. Its Samba password is independent
of the Unix root password and gives the same level of control over the domain, so choose
it accordingly:

smbldap-useradd.pl -a -m -g 512 root
smbldap-passwd.pl root
mkdir -p /home/e-smith/files/users/root/home
chown -R root:"Domain Admins" /home/e-smith/files/users/root

The same commands create a personal account in Domain Admins (hgomez is the author's
own; use your name):

smbldap-useradd.pl -a -m -g 512 hgomez
smbldap-passwd.pl hgomez
mkdir -p /home/e-smith/files/users/hgomez/home
chown -R hgomez:"Domain Admins" /home/e-smith/files/users/hgomez




Delete the test users:

smbldap-userdel.pl -r jdoo
smbldap-userdel.pl -r testuser1

Also remove the [everything] share from /etc/smb.conf (and restart smb) now that the
installation is finished; a domain controller that exports its root file system to
anonymous clients is not something you want left on the network.

I don't know what will happen if you delete the root user from the LDAP server!!!!! If
you want to try, do it and tell me...

FINAL NOTE:
I know it is possible for a POSIX user to access his home folder via NetBIOS; from a
certain point of view both are the same thing, but for now only SAMBA users will be
able to reach resources on the SAMBA server.

Enjoy....


Henry Gómez N.