This is a simple walkthrough on making a Linux server act as a Windows Domain Controller using openLDAP. By using LDAP, you can scale the server to support a larger number of users. This guide is specifically tailored for CentOS and RHEL distributions. Please note that this is a first draft of the guide, and it will be improved over time.
Please note that throughout this guide, a line set apart from the surrounding text is either a command to run or text that needs to be added to a configuration file.
First, we need to install all the required packages on the server.
yum install samba-* *openldap* -y
Next, we need to copy the schema for LDAP usage. Adjust the command to match the version you have installed.
cp /usr/share/doc/samba-4.9.1/LDAP/samba.schema /etc/openldap/schema/samba.schema
Now, let's edit a few lines in the LDAP configuration file. Add the following line to /etc/openldap/slapd.conf (or ldap.conf), along with the rest of the includes at the top of the file:
include /etc/openldap/schema/samba.schema
Add the access rights to slapd.conf in the appropriate section:
access to attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowLastChange
    by dn.children="ou=admin,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none
access to *
    by dn.children="ou=admin,dc=example,dc=com" write
    by * read
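The order of these two rules matters: slapd applies the first "access to" clause whose target matches, so the attrs= rule for the password hashes must appear before the catch-all "access to *", or the catch-all's "by * read" would let any bound client read sambaNTPassword. The following script, an added example that is not part of the guide, lints a slapd.conf fragment for exactly that ordering and for the closing "by * none". The two sample files it checks are constructed inline; point check_password_acl at your real /etc/openldap/slapd.conf to test it.

```shell
#!/bin/sh
# Added example, not from the guide: lint the ordering of the password ACL in
# a slapd.conf fragment. slapd uses the first "access to" clause whose target
# matches, so the attrs= rule for the password hashes has to come before the
# catch-all "access to *". Both sample files below are constructed.

check_password_acl() {
    conf="$1"
    # First line of the rule that covers the password attributes.
    pw_line=$(grep -n '^access to attrs=.*sambaNTPassword' "$conf" | head -n 1 | cut -d: -f1)
    # First line of the catch-all rule.
    all_line=$(grep -n '^access to \*' "$conf" | head -n 1 | cut -d: -f1)
    if [ -z "$pw_line" ]; then
        echo "FAIL: no ACL covers sambaNTPassword"; return 1
    fi
    if [ -z "$all_line" ]; then
        echo "FAIL: no catch-all 'access to *' rule"; return 1
    fi
    if [ "$pw_line" -ge "$all_line" ]; then
        echo "FAIL: password ACL (line $pw_line) comes after 'access to *' (line $all_line)"; return 1
    fi
    # The password rule must end in a default deny before the catch-all starts.
    if ! sed -n "${pw_line},${all_line}p" "$conf" | grep -q '^[[:space:]]*by \* none'; then
        echo "FAIL: password ACL has no 'by * none' clause"; return 1
    fi
    echo "OK: password attributes are denied by default and checked before 'access to *'"
    return 0
}

SAMPLE_DIR=$(mktemp -d)

# Constructed sample: the ordering the guide uses.
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
access to attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowLastChange
    by dn.children="ou=admin,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none
access to *
    by dn.children="ou=admin,dc=example,dc=com" write
    by * read
EOF

# Constructed sample: same clauses, but the catch-all comes first, so the
# password rule is never reached and every bound client can read the hashes.
cat > "$SAMPLE_DIR/bad.conf" <<'EOF'
access to *
    by dn.children="ou=admin,dc=example,dc=com" write
    by * read
access to attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowLastChange
    by * none
EOF

for f in good bad; do
    printf '%s.conf: ' "$f"
    check_password_acl "$SAMPLE_DIR/$f.conf" || :
done
```

The check is deliberately conservative: it only looks at the first attrs= rule naming sambaNTPassword and the first "access to *", which is the layout this guide produces.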
Adjust the suffix and rootdn in slapd.conf:
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
Use the slappasswd command to create a password hash and add it to the slapd.conf file:
rootpw {SSHA}QL9L55wK/tOnsHs9flW+jJlWmws7aR6d
Enable indexing to improve speed:
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
Next, install smbldap-tools from the EPEL (epel-release) repository. If the repository is not yet enabled, add it with the command below.
yum install epel-release -y
After installing the EPEL repository, install smbldap-tools, which is used to create accounts in LDAP.
yum install smbldap-tools
Retrieve the SID of the server by running the following command:
net getlocalsid
Now, edit /etc/smbldap-tools/smbldap.conf and add the SID to the config file:
SID="S-1-5-21-2716683063-1859637689-668750523"
Change the suffix, binddn, and LDAP TLS in the configuration file:
suffix "dc=example,dc=com"
binddn "cn=Manager,dc=example,dc=com"
ldapTLS="0"
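Copying the SID by hand from the net getlocalsid output is error-prone, and a mistyped SID silently breaks every account smbldap-tools creates. The script below, an added example rather than part of the guide, parses the SID out of that output, validates its S-1-5-21-n-n-n shape, and rewrites the SID= line in smbldap.conf. To run offline it uses a constructed output line and a constructed copy of the config file; on a real host replace SAMPLE_OUTPUT with "$(net getlocalsid)" and SMBLDAP_CONF with /etc/smbldap-tools/smbldap.conf. The "SID for domain HOST is: ..." output format is an assumption about what net prints.

```shell
#!/bin/sh
# Added example, not from the guide: take the SID printed by `net getlocalsid`,
# check that it has the S-1-5-21-<n>-<n>-<n> shape, and write it into
# smbldap.conf. The command output and the config file are constructed samples.

extract_sid() {
    # $1: output line, assumed to look like "SID for domain HOST is: S-1-5-21-a-b-c"
    sid=$(printf '%s\n' "$1" | sed -n 's/.*is:[[:space:]]*\(S-1-5-21-[0-9]\{1,\}-[0-9]\{1,\}-[0-9]\{1,\}\)[[:space:]]*$/\1/p')
    [ -n "$sid" ] || return 1
    printf '%s\n' "$sid"
}

set_smbldap_sid() {
    # $1: path to smbldap.conf, $2: SID. Replaces an existing SID= line or appends one.
    conf="$1"; sid="$2"
    if grep -q '^SID=' "$conf"; then
        sed "s|^SID=.*|SID=\"$sid\"|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'SID="%s"\n' "$sid" >> "$conf"
    fi
}

# Constructed sample of `net getlocalsid` output (replace with "$(net getlocalsid)").
SAMPLE_OUTPUT='SID for domain FILESERVER is: S-1-5-21-2716683063-1859637689-668750523'

# Constructed stand-in for /etc/smbldap-tools/smbldap.conf.
SMBLDAP_CONF=$(mktemp)
cat > "$SMBLDAP_CONF" <<'EOF'
SID="S-1-5-21-0-0-0"
sambaDomain="DOMAINNAME"
suffix="dc=example,dc=com"
EOF

if SID=$(extract_sid "$SAMPLE_OUTPUT"); then
    set_smbldap_sid "$SMBLDAP_CONF" "$SID"
    grep '^SID=' "$SMBLDAP_CONF"
else
    echo "could not parse a SID from: $SAMPLE_OUTPUT" >&2
fi
```

If extract_sid refuses the output, the script leaves the config untouched rather than writing a partial value, which is the failure mode you want for a field that every later smbldap-useradd call depends on.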
There are other options in this config file worth attention; each parameter is documented in the file's own comments, so read those before changing anything else.
Now, edit /etc/smbldap-tools/smbldap_bind.conf and change Master/SlaveDN to 127.0.0.1 and Master/SlavePW to your LDAP password.
Start LDAP:
systemctl start slapd
or
service slapd start
Create the LDAP groups and users:
smbldap-populate
Create the admin account. Run the ldapadd command below; after you enter your password the prompt goes blank, and you type the dn: entries on that line. Remember to hit return twice after each dn entry so that ldapadd will accept it.
ldapadd -cxW -D "cn=Manager,dc=example,dc=com"
Password: securepassword
dn: ou=admin,dc=example,dc=com
objectclass: organizationalUnit
ou: admin

dn: cn=samba,ou=admin,dc=example,dc=com
objectclass: person
cn: samba
sn: Samba-Admin-User
userPassword: verysecure
Use Ctrl+C to exit ldapadd.
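Typing the entries interactively is easy to get wrong: a missing blank line between the two entries makes ldapadd treat them as one, and a cleartext userPassword ends up stored as typed. The script below is an added example, not part of the guide; it writes the same two entries to an LDIF file, checks that every entry is separated by a blank line before you load it with ldapadd -f, and takes the password as a hash so you can supply slappasswd output instead of cleartext. The hash value in it is a labelled placeholder and the files are constructed.

```shell
#!/bin/sh
# Added example, not from the guide: write the two admin entries to an LDIF file
# and check it before loading, instead of typing them interactively into ldapadd.
# ldapadd separates entries by a blank line, so the check below confirms every
# "dn:" after the first is preceded by one. The hash is a placeholder; generate
# a real one with slappasswd. All files here are constructed.

# Print an LDIF for the admin OU and the samba admin user. $1: password hash.
make_admin_ldif() {
    cat <<EOF
dn: ou=admin,dc=example,dc=com
objectclass: organizationalUnit
ou: admin

dn: cn=samba,ou=admin,dc=example,dc=com
objectclass: person
cn: samba
sn: Samba-Admin-User
userPassword: $1
EOF
}

# Count entries in an LDIF file; fail if an entry is not separated from the
# previous one by a blank line (ldapadd would merge or reject it).
ldif_entry_count() {
    awk '
        /^dn: / { if (NR > 1 && prev != "") { print "entry at line " NR " not preceded by a blank line" > "/dev/stderr"; bad = 1 } n++ }
        { prev = $0 }
        END { if (bad) exit 1; print n + 0 }
    ' "$1"
}

ADMIN_LDIF=$(mktemp)
# Placeholder hash; the real value comes from: slappasswd -s 'your-password'
make_admin_ldif '{SSHA}REPLACE-WITH-slappasswd-OUTPUT' > "$ADMIN_LDIF"

# Constructed broken file: the blank line between entries is missing.
BAD_LDIF=$(mktemp)
grep -v '^$' "$ADMIN_LDIF" > "$BAD_LDIF"

if count=$(ldif_entry_count "$ADMIN_LDIF"); then
    echo "$ADMIN_LDIF holds $count entries; load with:"
    echo "  ldapadd -cxW -D \"cn=Manager,dc=example,dc=com\" -f $ADMIN_LDIF"
fi
ldif_entry_count "$BAD_LDIF" || echo "rejected $BAD_LDIF"
```

Because ldapadd is given -f, the same password prompt appears but nothing else is typed by hand, and the LDIF can be reviewed (and kept out of the shell history) before it touches the directory.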
Use authconfig to add LDAP as both the user and password source:
authconfig --enableldap --enableldapauth --ldapserver=127.0.0.1 --ldapbasedn=dc=example,dc=com --update
Adjust the following options in your smb.conf:
workgroup = domainname
ldap admin dn = cn=samba,ou=admin,dc=example,dc=com
ldap suffix = dc=example,dc=com
Add the following options to smb.conf:
passdb backend = ldapsam:ldap://127.0.0.1/
domain master = yes
domain logons = yes
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap passwd sync = yes
Edit the following line:
passwd program = /usr/sbin/smbldap-passwd %u
Comment out this line:
unix password sync = yes
Add the LDAP Admin password:
smbpasswd -w securepassword
Start Samba:
systemctl start smb
or
service smb start