Setting up Samba on openLDAP

This is a simple walkthrough on making a Linux server act as a Windows Domain Controller using openLDAP. By using LDAP, you can scale the server to support a larger number of users. This guide is specifically tailored for CentOS and RHEL distributions. Please note that this is a first draft of the guide, and it will be improved over time.

Please note that lines set apart on their own below are either commands to run or text that needs to be added to a configuration file.

First, we need to install all the required packages on the server. Quote the wildcards so the shell passes them to yum unexpanded rather than matching files in the current directory:

yum install 'samba-*' '*openldap*' -y

Next, we need to copy the schema for LDAP usage. Adjust the command to match the version you have installed.

cp /usr/share/doc/samba-4.9.1/LDAP/samba.schema /etc/openldap/schema/samba.schema

Now, let's edit a few lines in the LDAP configuration file. Add the following line to either /etc/openldap/slapd.conf or ldap.conf, next to the other include lines at the top of the file.

include /etc/openldap/schema/samba.schema

Add the following access rights to slapd.conf in the access-control section. The first rule keeps the password attributes away from anonymous and ordinary users: only the admin OU and the entry's owner may write them, and an anonymous bind may use them for authentication only. The second rule leaves everything else readable.

access to attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowLastChange
by dn.children="ou=admin,dc=example,dc=com" write
by self write
by anonymous auth
by * none

access to *
by dn.children="ou=admin,dc=example,dc=com" write
by * read
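Because slapd stops at the first access directive that covers an attribute, a missing or misordered attrs= rule silently lets the Samba hashes fall through to the catch-all `by * read`. The following Python script is an added example, not part of this guide or of OpenLDAP's own tooling; it models slapd's first-match evaluation for the named access levels only (not `=rscx`-style privilege sets) and runs it over the rules above and over a weakened copy that omits the attrs= directive.

```python
"""Offline check that slapd.conf 'access' directives keep password hashes away from outsiders."""
import re
# Attributes whose values are password-equivalent for Samba or PAM logins.
SENSITIVE = {"userpassword", "sambalmpassword", "sambantpassword"}
# slapd access levels, weakest first; "read" or above discloses the value.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# <who> selectors matching an outsider: an anonymous bind, or a bound user reading
# someone else's entry ("self" and the admin DN therefore never match here).
REQUESTERS = ({"anonymous", "*"}, {"users", "*"})
DEFAULT_RULE = (None, [("*", "read")])  # slapd's built-in rule when nothing else covers an attribute

def parse_access(conf):
    """Return [(attrs_or_None, [(who, level), ...])] in file order."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("access to "):
            m = re.match(r"attrs=([\w,]+)", line[len("access to "):])
            attrs = {a.lower() for a in m.group(1).split(",")} if m else None
            rules.append((attrs, []))
        elif line.startswith("by ") and rules:
            who, level = line[3:].rsplit(None, 1)
            rules[-1][1].append((who, level.lower()))
    return rules

def exposed_attrs(conf):
    """Return the sensitive attributes an outsider could read under these rules."""
    rules, exposed = parse_access(conf), set()
    for attr in SENSITIVE:
        # First 'access to' directive covering the attribute (attrs= list or catch-all '*') ...
        rule = next((r for r in rules if r[0] is None or attr in r[0]), DEFAULT_RULE)
        for selectors in REQUESTERS:
            # ... and within it the first 'by' clause matching the requester; no match means denied.
            for who, level in rule[1]:
                if who in selectors:
                    if level not in LEVELS or LEVELS.index(level) >= LEVELS.index("read"):
                        exposed.add(attr)
                    break
    return exposed

# Constructed samples: the rules from this guide, and a copy that forgot the attrs= directive.
GUIDE_ACL = """access to attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowLastChange
by dn.children="ou=admin,dc=example,dc=com" write
by self write
by anonymous auth
by * none
access to *
by dn.children="ou=admin,dc=example,dc=com" write
by * read"""
WEAK_ACL = GUIDE_ACL[GUIDE_ACL.index("access to *"):]
```

exposed_attrs(GUIDE_ACL) returns an empty set, while exposed_attrs(WEAK_ACL) reports all three hash attributes as readable by anyone.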

Adjust the suffix and rootdn in slapd.conf:

suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"

Use the slappasswd command to create a password hash and add it to the slapd.conf file:

rootpw {SSHA}QL9L55wK/tOnsHs9flW+jJlWmws7aR6d

Enable indexing to improve speed:

index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq

Next, install smbldap-tools from the EPEL repository. If EPEL is not yet enabled on the server, install the repository package first using the command below.

yum install epel-release -y

After installing the EPEL repository, install smbldap-tools, which will be used to create the accounts in LDAP.

yum install smbldap-tools

Retrieve the SID of the server by running the following command:

net getlocalsid

Now, edit /etc/smbldap-tools/smbldap.conf and add the SID to the config file:

SID="S-1-5-21-2716683063-1859637689-668750523"

Change the suffix, binddn, and LDAP TLS settings in the configuration file. Note that ldapTLS="0" sends the bind password in the clear; that is acceptable here only because smbldap-tools connects to slapd on 127.0.0.1:

suffix "dc=example,dc=com"
binddn "cn=Manager,dc=example,dc=com"
ldapTLS="0"

There are other options in the config file to pay attention to; each parameter is documented in the file itself and is self-explanatory.

Now, edit /etc/smbldap-tools/smbldap_bind.conf and change Master/SlaveDN and Master/SlavePW to 127.0.0.1 and your LDAP password, respectively.

Start LDAP:

systemctl start slapd

or

service slapd start

Create the LDAP groups and users:

smbldap-populate

Create the admin account. After you enter the Manager password, ldapadd waits on a blank line; type the entries below starting with dn: on that line. Press Enter twice after each entry, because the blank line is what tells ldapadd the entry is complete.

ldapadd -cxW -D "cn=Manager,dc=example,dc=com"

Password: securepassword
dn: ou=admin,dc=example,dc=com
objectclass: organizationalUnit
ou: admin

dn: cn=samba,ou=admin,dc=example,dc=com
objectclass: person
cn: samba
sn: Samba-Admin-User
userPassword: verysecure

Use Ctrl+C to exit ldapadd.

Use authconfig to add LDAP as both the user and password source:

authconfig --enableldap --enableldapauth --ldapserver=127.0.0.1 --ldapbasedn=dc=example,dc=com --update

Adjust your smb.conf options:

workgroup = domainname
ldap admin dn = cn=samba,ou=admin,dc=example,dc=com
ldap suffix = dc=example,dc=com

Add the following options to smb.conf:

passdb backend = ldapsam:ldap://127.0.0.1/
domain master = yes
domain logons = yes
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap password change = yes

Edit the following line:

passwd program = /usr/sbin/smbldap-passwd %u

Comment out this line:

unix password sync = yes

Add the LDAP Admin password:

smbpasswd -w securepassword

Start Samba:

systemctl start smb

or

service smb start

See Also