
© 2010, 2011, 2012 Dennis Leeuw dleeuw at made-it dot com
With a big Thanks! to Eric Toirkens for his help with the Windows section.
License: GPLv2 or later
This section describes the setup of SAMBA as a PDC with LDAP as the backend. The idea is that LDAP is our single point of configuration, meaning that everything related to SAMBA (users, groups, machines, group mappings and ID mappings) is stored in LDAP.
Another important note is that SAMBA needs a POSIX account for every SAMBA account. In this document we assume that one LDAP entry holds all details of an account, meaning that the POSIX and SAMBA attributes are located in the same object. This is also what the ldapsam:trusted setting used below relies on.
The basic accounts, groups and group mappings as described in the Samba LDAP Accounts document should already be present.
The idea is that the DAS tools and/or the web interface are used to create the basic account data, while SAMBA only maintains the user and machine passwords.
To be able to, for example, add machines to the domain we also need an account that can act as a domain administrator. We use the admin account for that: a POSIX account that is a member of the Domain Admins group.
| | Workstation | Connection Green | Samba Server | Connection Red | LDAP Server |
|---|---|---|---|---|---|
| Names | WS42 | | PDC | | ldap.example.com |
| Protocol | | SMB/CIFS | | LDAP | |
| Account | | admin | | cn=manager,dc=example,dc=com | |
When a user logs on to the domain, the workstation first connects the user's home drive and profile, and additionally a netlogon script can be executed on the workstation. For this to work several settings in SAMBA need to be set.
The logon home entry in smb.conf defines the home drive mapping and logon path defines the profile mapping. The values SAMBA hands out for a user can easily be viewed with rpcclient:
rpcclient -c "queryuser <User RID>" -U administrator%password pdc.example.com
Note that a password given as -U user%password is visible to every local user in the process list and ends up in the shell history; leave out the %password part to be prompted for it instead. On my system, with my RID, this outputs:
User Name   : dleeuw
Full Name   : D Leeuw
Home Drive  : \\PDC\dleeuw
Dir Drive   : z:
Profile Path: \\PDC\dleeuw\profile
Logon Script: logon.bat
Description :
Workstations:
Comment     :
Remote Dial :
...
The place where your homes and profiles reside is configured in the [global] section of smb.conf like this:
logon home = \\homesrv.example.com\%U
logon path = \\profile.example.com\%U\%a
NOTE There is one exception to the above rule. The built-in default for logon path is \\%N\%U\profile, so if logon path is not set the profile path equals the home path plus \profile only as long as logon home is also left at its default of \\%N\%U. With a logon home on another server, as above, an unset logon path still points at the PDC itself (%N).
The logon home can be mapped to a drive letter by SAMBA. To make SAMBA tell the client which drive letter to use, add logon drive to smb.conf like this:
logon drive = z:
logon home = \\%N\%U
logon path = \\%N\%U\profile
which is the configuration of our server.
The last part of a user's logon is the connection to the [netlogon] share, which must be present on every PDC and BDC. After the connect, the script defined in the logon script setting is executed; its name is relative to the root of the [netlogon] share. To finish off our definition of the user logon, add to the [global] section:
logon drive = z:
logon home = \\%N\%U
logon path = \\%N\%U\profile
logon script = logon.bat
where logon.bat can of course be anything you want, as long as it is executable by Microsoft Windows. Keep in mind that this script runs on every workstation with the rights of the user logging on, so the [netlogon] share must only be writable by administrators (the share defined below is read only).
[global]
# Who are we
workgroup = EXAMPLE
# no quotes: smb.conf takes values verbatim, so quotes would become part of the string
server string = Example PDC
netbios name = pdc
netbios aliases = pdc.example.com
os level = 65
# How do we find others
name resolve order = lmhosts wins host bcast
# WINS support: You have two options you can make
# the server do WINS, or you can use another WINS server
# If you are not the WINS server set:
# wins support = no
# wins server = ip.to.wins.server
# If you want to be your own WINS server set:
# wins support = yes
# and remove the 'wins server' line.
# DNS support
dns proxy = no
# What do we provide to whom
smb ports = 445 139
hosts allow = 192.168.
interfaces = lo, eth0
bind interfaces only = yes
# Where do we write what we do
log file = /var/log/samba/%m.log
log level = 1
max log size = 500
syslog = 0
# What is our role
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
# How do we handle UIDs and GIDs
map to guest = bad user
# How must users login
encrypt passwords = yes
security = user
# password server is only consulted with security = domain, ads or server;
# with security = user it is ignored and accounts come from the passdb backend
password server = pdc.example.com
# Tell our users where their stuff is
logon drive = z:
logon home = \\fs03.example.com\%U
logon path = \\fs03.example.com\%U\profile
logon script = logon.bat
# Printing
load printers = no
# Some optimizations
oplocks = no
level2 oplocks = no
socket options = TCP_NODELAY SO_RCVBUF=32768 SO_SNDBUF=32768
# dead time Default is 0
dead time = 15
getwd cache = yes
# Backend setup
passdb backend = ldapsam:ldap://ldap.example.com
# With ldap ssl = off the ldap admin dn password and the NT/LM hashes cross
# the red connection to ldap.example.com in clear. Unless the LDAP server runs
# on this host, set "ldap ssl = start tls" or use an ldaps:// URL in both
# passdb backend and idmap backend.
ldap ssl = off
ldap admin dn = cn=manager,dc=example,dc=com
ldap suffix = dc=example,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Devices
idmap backend = ldap:ldap://ldap.example.com
ldap idmap suffix = ou=idmap
ldap delete dn = no
# trust the LDAP objects to carry the POSIX attributes as well (see above),
# so no NSS lookups are needed for SAMBA users
ldapsam:trusted = yes
ldap passwd sync = yes
[netlogon]
# Each PDC and BDC must provide the netlogon share. It stays read only
# because whatever is in it gets executed on every workstation at logon.
comment = Network Logon Service
path = /data/netlogon
browseable = no
guest ok = yes
read only = yes
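The following is an added example and not part of the original page or of Samba: a POSIX shell audit that reads an smb.conf and reports the three weaknesses a PDC configuration like the one above can have: a security mode other than user, a passdb backend pointing at a remote LDAP server over plain ldap:// without ldap ssl = start tls, and a writable [netlogon] share. It parses the file with the same normalisation Samba applies to parameter names (case and whitespace are ignored) and runs against two constructed configs, a weak one and its hardened counterpart; the host names and paths in them are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page or of Samba: audit an smb.conf
# for the settings discussed above. Needs only POSIX sh and awk.

# normalise_conf [FILE]: read smb.conf (file or stdin) and print
# "section<TAB>key<TAB>value"; section and key lower-cased, whitespace removed
# from the key, the way Samba itself matches parameter names.
normalise_conf() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s)
                      section = tolower(s); next }
        { eq = index($0, "="); if (eq == 0) next
          k = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", k)
          v = substr($0, eq + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
          print section "\t" k "\t" v }' "$@"
}

# conf_get NORMALISED SECTION KEY: value of KEY in SECTION (empty if unset)
conf_get() {
    printf '%s\n' "$1" | awk -F '\t' -v s="$2" -v k="$3" '$1 == s && $2 == k { print $3 }'
}

# conf_has_section NORMALISED SECTION
conf_has_section() {
    printf '%s\n' "$1" | awk -F '\t' -v s="$2" '$1 == s { f = 1 } END { exit !f }'
}

lower() { tr 'A-Z' 'a-z'; }

# netlogon_writable NORMALISED: true if any of Samba's synonyms opens the share
netlogon_writable() {
    case "$(conf_get "$1" netlogon readonly | lower)" in no|false|0) return 0 ;; esac
    for key in writable writeable writeok; do
        case "$(conf_get "$1" netlogon "$key" | lower)" in yes|true|1) return 0 ;; esac
    done
    return 1
}

# audit_smb_conf [FILE]: print one WARN line per finding, exit status = count
audit_smb_conf() {
    norm=$(normalise_conf "$@")
    n=0
    sec=$(conf_get "$norm" global security | lower)
    # Samba 3 defaults to security = user when the parameter is absent
    case "${sec:-user}" in
        user) ;;
        *) echo "WARN: security = $sec; a PDC with ldapsam needs security = user"; n=$((n + 1)) ;;
    esac
    backend=$(conf_get "$norm" global passdbbackend)
    ssl=$(conf_get "$norm" global ldapssl | lower)
    case "$backend" in
        *ldapsam:ldap://localhost*|*ldapsam:ldap://127.0.0.1*|*ldapsam:ldapi:*|*ldapsam:ldaps:*) ;;
        *ldapsam:ldap://*)
            # plain ldap:// to another host carries the admin dn password and
            # the NT/LM hashes in clear unless STARTTLS is negotiated
            [ "$ssl" = "start tls" ] || {
                echo "WARN: $backend is remote and ldap ssl = ${ssl:-off}; use ldaps:// or ldap ssl = start tls"
                n=$((n + 1)); } ;;
    esac
    if [ "$(conf_get "$norm" global domainlogons | lower)" = yes ]; then
        if ! conf_has_section "$norm" netlogon; then
            echo "WARN: domain logons = yes but there is no [netlogon] share"; n=$((n + 1))
        elif netlogon_writable "$norm"; then
            echo "WARN: [netlogon] is writable; its scripts run on every workstation, set read only = yes"; n=$((n + 1))
        fi
    fi
    return $n
}

# finding_count [FILE]: number of WARN lines, always exits 0
finding_count() { audit_smb_conf "$@" | awk '/^WARN/ { c++ } END { print c + 0 }'; }

# Constructed sample configs for the demo (not a real site's files)
weak_conf() {
    cat <<'EOF'
[global]
   workgroup = EXAMPLE
   security = share
   domain logons = yes
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap ssl = off
   ldap admin dn = cn=manager,dc=example,dc=com
[netlogon]
   path = /data/netlogon
   guest ok = yes
   writable = yes
EOF
}
hardened_conf() {
    cat <<'EOF'
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap ssl = start tls
   ldap admin dn = cn=manager,dc=example,dc=com
[netlogon]
   path = /data/netlogon
   guest ok = yes
   read only = yes
EOF
}

echo "== weak smb.conf =="; weak_conf | audit_smb_conf || echo "$? finding(s)"
echo "== hardened smb.conf =="; hardened_conf | audit_smb_conf && echo "no findings"
```

Run it against a real file with audit_smb_conf /etc/samba/smb.conf; the exit status is the number of findings, so the check can gate a configuration rollout.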
Give SAMBA access to LDAP by providing the LDAP cn=manager password. smbpasswd stores it in secrets.tdb in SAMBA's private directory (typically /var/lib/samba/private/secrets.tdb), which must stay readable by root only:
smbpasswd -w <password>
Then check that SAMBA can read the accounts from LDAP:
net sam list users
net sam list workstations
net sam list groups
Test the group mapping functionality:
net groupmap list
Esp. note the mappings for Domain Admins, Domain Users, Domain Guests and Domain Computers.