... a single point of ...
© 2010, 2011, 2012 Dennis Leeuw dleeuw at made-it dot com
With a big Thanks! to Eric Toirkens for his help with the Windows section.
License: GPLv2 or later
This section will describe the setup of SAMBA as a PDC with the use of LDAP. The idea is that LDAP will be our single point of configuration, meaning everything related to SAMBA will be present in LDAP.
Another important note is that SAMBA needs a POSIX account for every SAMBA account. In this document we assume that an entry in LDAP will hold all details related to that entry, meaning that the POSIX and SAMBA account attributes are all located in the same object.
The basic accounts, groups and groupmappings as described in the Samba LDAP Accounts document should be present.
The idea is that the DAS tools and/or webinterface is used to create the basic account stuff, while SAMBA only maintains the user and machine passwords.
To be able to e.g. add machines to the domain we also need an account that is able to act as a domain administrator. We are using the admin account for that, which is a POSIX account which is part of the Domain Administrators group.
|Workstation||Connection Green||Samba Server||Connection Red||LDAP Server|
When a user signs in into a domain the user is first connected with its profile and additionally a netlogon script can be executed on the workstation. For this process to work there are several settings in SAMBA that need to be set.
The logon home entry in the smb.conf file is a definition for the Home-drive mapping, and the logon path is for the Profile-mapping. This can easy be viewed by using:
rpcclient -c "queryuser <User RID>" -U administrator%password pdc.example.comwhich outputs on my system, when I use my RID:
User Name : dleeuw Full Name : D Leeuw Home Drive : \\PDC\dleeuw Dir Drive : z: Profile Path: \\PDC\dleeuw\profile Logon Script: logon.bat Description : Workstations: Comment : Remote Dial : ...
The place where your Homes and your Profiles reside can be configured in the [global] sectin of your smb.conf file like this:
logon home = \\homesrv.example.com\%U logon path = \\profile.example.com\%U\%a
NOTE There is on exception to the above rule. If logon path is not set and logon home is, the Profile path is the home path plus \profile.
The logon home can be mapped to a drive letter by SAMBA. To make SAMBA tell the client which drive letter to use add logon drive to your smb.conf like this:
logon drive = z: logon home = \\%N\%U logon path = \\%N\%U\profilewhich is the configuration of our server.
The last part of the log in of a user is the connection to the [netlogon] share, which should be present on any PDC and BDC. After the connect a script is started that is defined in the logon script setting. To finish off our definition of the user log in in the [global] section add:
logon drive = z: logon home = \\%N\%U logon path = \\%N\%U\profile logon script = logon.batwhere logon.bat can of course be anything you want, as log as it is executable by Microsoft Windows.
[global] # Who are we workgroup = EXAMPLE server string = "Example PDC" netbios name = pdc netbios aliases = pdc.example.com os level = 65 # How do we find others name resolve order = lmhosts wins host bcast # WINS support: You have two options you can make # the server do WINS, or you can use another WINS server # If you are not the WINS server set: # wins support = no # wins server = ip.to.wins.server # If you want to be your own WINS server set: # wins support = yes # and remove the 'wins server' line. # DNS support dns proxy = no # What do we provide to whom smb ports = 445 139 hosts allow = 192.168. interfaces = lo, eth0 bind interfaces only = yes # Where do we write what we do log file = /var/log/samba/%m.log log level = 1 max log size = 500 syslog = 0 # What is our role local master = yes domain master = yes preferred master = yes domain logons = yes # How do we handle UIDs and GIDs map to guest = bad user # How must users login encrypt passwords = yes security = user password server = pdc.example.com # Tell our users where their stuff is logon drive = z: logon home = \\fs03.example.com\%U logon path = \\fs03.example.com\%U\profile logon script = logon.bat # Printing load printers = no # Some optimizations oplocks = no level2 oplocks = no socket options = TCP_NODELAY SO_RCVBUF=32768 SO_SNDBUF=32768 # dead time Default is 0 dead time = 15 getwd cache = yes # Backend setup passdb backend = ldapsam:ldap://ldap.example.com ldap ssl = off ldap admin dn = cn=manager,dc=example,dc=com ldap suffix = dc=example,dc=com ldap user suffix = ou=People ldap group suffix = ou=Groups ldap machine suffix = ou=Devices idmap backend = ldap:ldap://ldap.example.com ldap idmap suffix = ou=idmap ldap delete dn = no ldapsam:trusted = yes ldap passwd sync = yes [netlogon] # Each PDC and BDC must provide the netlogon share comment = Network Logon Service path = /data/netlogon browseable = no guest ok = yes read only = yes
Give SAMBA access to LDAP by providing the LDAP cn=manager password:
smbpasswd -w <password>
net sam list users net sam list workstations net sam list groups
Test the group mapping functionality
net groupmap listEsp. note the mappings for Domain Admins, Domain Users, Domain Guests and Domain Computers.