• Centos Directory Server and Samba

    Install Centos Directory Server

    1. Install the directory server and extras
    centos 5: yum install centos-ds centos-idm-console
    centos 6: yum install 389-ds 389-admin-console 389-console
    centos 7: yum install 389-admin 389-admin-console 389-adminutil 389-ds 389-ds-console --enablerepo=epel-testing  [epel-testing repo required as at August 2016]

    2. Make sure DNS is set correctly to resolve the FQDN ldap hostname (forward AND reverse)

    3. Run /usr/sbin/ to set up both a new Directory Server instance AND an Administration Server. Use /usr/sbin/ to set up another LDAP instance.

    4. Remember the Directory Manager (cn=Directory Manager by default) password.
    N.B. When you use this account for full access to the LDAP server, note that it does NOT sit beneath the Base DN you specify. So do not include the Base DN in your LDAP client connection settings when you connect with these credentials.

    5. Configure the PAM client and /etc/nsswitch.conf by running the following (substituting your own LDAP server and base DN):

    authconfig --enableldap --enableldapauth --disablenis \
        --ldapserver=ldap://ldap.example.com \
        --ldapbasedn=dc=example,dc=com \
        --enablemkhomedir --enablelocauthorize --update

    Configure Samba Integration
    1. yum install smbldap-tools

    2. Include at least the following in /etc/samba/smb.conf:

    security = user
    passdb backend = ldapsam:ldap://
    ldap admin dn = cn=Directory Manager
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups
    ldap ssl = off
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
    admin users = administrator root other_admin_users_separated_by_spaces
    wins support = yes
    dns proxy = yes

    Of course, change the ldap URI, LDAP suffix and admin dn to reflect what you set up when you installed the LDAP instance.

    3. Edit /etc/ldap.conf (centos6: /etc/pam_ldap.conf) to reflect the values for your install and setup of the Directory Server. I set the bind dn to the Directory Manager and also set the bindpw, then I make sure to chmod 640 /etc/ldap.conf. Update: securing /etc/ldap.conf in this way can result in some daemons failing, Amavisd-New being one of them! Also set the nss_base_ settings for the Users, Computers, Groups, etc. N.B. It is possible to have several nss_base_ lines of one type. Also, since Windows considers a machine account to be a user login, you will need to add an nss_base_passwd line that points to your Computers OU. eg:

    nss_base_passwd ou=People,dc=example,dc=co,dc=nz?one
    nss_base_shadow ou=People,dc=example,dc=co,dc=nz?one
    nss_base_passwd ou=Computers,dc=example,dc=co,dc=nz?one
    nss_base_shadow ou=Computers,dc=example,dc=co,dc=nz?one
    nss_base_group ou=Groups,dc=example,dc=co,dc=nz?one
    nss_base_hosts ou=Computers,dc=example,dc=co,dc=nz?one

    4. Edit /etc/smbldap-tools/smbldap_bind.conf with the correct master/slave DN and master/slave password so that the smbldap-tools can connect to the LDAP server. I make them both the same (master & slave).

    5. Create a samba password for the ldap admin dn (as root): smbpasswd -w <ldap-admin-dn-password>

    6. Run net getlocalsid to retrieve the SID for your PDC

    7. Edit the /etc/smbldap-tools/smbldap.conf with the correct:

    a. SID

    b. sambaDomain
    (the same as what you set for workgroup in /etc/samba/smb.conf). I have found that this does need to be listed in this file even though the comments say it will be picked up from smb.conf - it isn't!

    c. slaveLDAP and port

    d. masterLDAP and port

    f. usersdn, computersdn, groupsdn

    g. Under Samba Config set userSmbHome and userProfile to null (it will then use the /etc/samba/smb.conf values)

    8. Download this samba ldif schema file, 61samba.ldif, and place it in /etc/dirsrv/schema (so that any extra LDAP instances you create include it by default) AND in /etc/dirsrv/slapd-instance/schema.

    9. Run smbldap-populate to fill the Directory Server with the entries Samba requires, and supply the root/administrator password when prompted at the end.

    10. centos6 only: CentOS uses SSSD as the security broker by default, and by default this daemon requires the connection to the LDAP server to use SSL (ldaps). This will be a headache if you have a self-signed certificate. To stop using SSSD as the go-between broker (as in centos 5), change/add FORCELEGACY=yes in /etc/sysconfig/authconfig and run authconfig --updateall. If you use legacy mode you will also need to yum install pam_ldap nss-pam-ldapd.

    N.B. Most problems I have had with implementation are inconsistencies between what you specify for the DN of the Users, Computers and Groups in the different configuration files (/etc/ldap.conf, /etc/smbldap-tools/smbldap.conf, /etc/smbldap-tools/smbldap_bind.conf). Check, re-check, and re-check AGAIN!!! The OUs I normally use are ou=People, ou=Computers, ou=Groups. Something else to watch: plurality - eg: Group vs Groups!
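
    As an added check that is not part of the original notes, the script below cross-checks the DNs carried in smb.conf, /etc/ldap.conf, smbldap.conf and smbldap_bind.conf and reports every value that disagrees (including the Group vs Groups slip). The sample files it writes are constructed to mirror the settings in these notes; point it at the real paths on a server.

```shell
#!/bin/sh
# Added example (not from the original notes): cross-check the DNs that smb.conf,
# /etc/ldap.conf, smbldap.conf and smbldap_bind.conf each carry. A mismatch in any
# one file is the usual reason a join fails with "Access is Denied" or users
# vanish from getent. Sample files are constructed below so it runs offline.

# value of "key = value" (smb.conf / smbldap*.conf style), quotes stripped
kv() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'; }
# value of "key value" (pam_ldap / nss_ldap style), "?one" scope removed
kw() { sed -n "s/^$2[[:space:]]\{1,\}//p" "$1" | head -n 1 | sed 's/?.*$//'; }
# expand ${suffix} the way smbldap.conf itself does
expand() { printf '%s\n' "$1" | sed "s/\${suffix}/$2/"; }
# report every value that differs from the first one; sets rc=1 on mismatch
cmp_all() { lbl=$1; shift; first=$1
    for v in "$@"; do [ "$v" = "$first" ] || { echo "MISMATCH $lbl: '$first' vs '$v'"; rc=1; }; done; }

check_dn_consistency() {  # SMBCONF LDAPCONF SMBLDAPCONF BINDCONF -> 0 if all agree
    smb=$1 ldp=$2 sml=$3 bnd=$4 rc=0
    suffix=$(kv "$smb" 'ldap suffix')
    cmp_all 'base DN'   "$suffix" "$(kw "$ldp" base)" "$(kv "$sml" suffix)"
    cmp_all 'users DN'  "$(kv "$smb" 'ldap user suffix'),$suffix" \
        "$(expand "$(kv "$sml" usersdn)" "$suffix")" "$(kw "$ldp" nss_base_passwd)"
    cmp_all 'groups DN' "$(kv "$smb" 'ldap group suffix'),$suffix" \
        "$(expand "$(kv "$sml" groupsdn)" "$suffix")" "$(kw "$ldp" nss_base_group)"
    cmp_all 'machines DN' "$(kv "$smb" 'ldap machine suffix'),$suffix" \
        "$(expand "$(kv "$sml" computersdn)" "$suffix")"
    cmp_all 'admin DN'  "$(kv "$smb" 'ldap admin dn')" "$(kw "$ldp" binddn)" \
        "$(kv "$bnd" masterDN)" "$(kv "$bnd" slaveDN)"
    cmp_all 'domain'    "$(kv "$smb" workgroup)" "$(kv "$sml" sambaDomain)"
    return $rc
}

# constructed, mutually consistent sample files (not real server config)
make_samples() {  # make_samples DIR
    printf '%s\n' 'workgroup = EXAMPLE' 'ldap admin dn = cn=Directory Manager' \
        'ldap suffix = dc=example,dc=com' 'ldap user suffix = ou=People' \
        'ldap machine suffix = ou=Computers' 'ldap group suffix = ou=Groups' >"$1/smb.conf"
    printf '%s\n' 'base dc=example,dc=com' 'binddn cn=Directory Manager' \
        'nss_base_passwd ou=People,dc=example,dc=com?one' \
        'nss_base_passwd ou=Computers,dc=example,dc=com?one' \
        'nss_base_group ou=Groups,dc=example,dc=com?one' >"$1/ldap.conf"
    printf '%s\n' 'sambaDomain="EXAMPLE"' 'suffix="dc=example,dc=com"' \
        'usersdn="ou=People,${suffix}"' 'computersdn="ou=Computers,${suffix}"' \
        'groupsdn="ou=Groups,${suffix}"' >"$1/smbldap.conf"
    printf '%s\n' 'masterDN="cn=Directory Manager"' 'slaveDN="cn=Directory Manager"' >"$1/smbldap_bind.conf"
}

d=$(mktemp -d) && make_samples "$d" && \
check_dn_consistency "$d/smb.conf" "$d/ldap.conf" "$d/smbldap.conf" "$d/smbldap_bind.conf" && echo "all DNs agree"
```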

    N.B: If you want to use Windows 7 or Windows 2008 Server clients on your samba domain you will need to install the third-party samba3 packages supplied by Sernet (later than the stock CentOS ones). Some client registry changes are also required: see here for these.

  • Joining a Windows Server Std 2008 R2 (and Windows 7) system to a Samba (+LDAP) domain

    I needed to be able to join a virtual, KVM-hosted Windows Server Std 2008 R2 machine to a CentOS Samba domain with a Centos Directory Server password backend. It took me many hours to get this to work - unfortunately, assuming things and using OLD information can lead you 'up the garden path'! These are the steps I took:

    1. Install a later version of Samba than is available from the CentOS repos. The latest is 3.4.5 as at 19 January 2010. I downloaded and used this extra repo - download it to /etc/yum.repos.d. I also like to set enabled=0 in non-standard repo files just so that I use stock RPMs as much as possible.
    2. Then run yum --enablerepo=sernet-samba update samba

    3. Make sure net getlocalsid and net getdomainsid return the same result. See here for more info.

    4. By default samba attempts a secure connection to your LDAP server using StartTLS. If you don't have this set up already, turn it off with the ldap ssl = off setting in /etc/samba/smb.conf. If you don't, the join will not work - an 'Access is Denied' message will appear when you attempt to join. Once you have the join working, set up secure connections between Samba and LDAP if you haven't already.

    5. *** THIS IS IMPORTANT *** Check, re-check and re-check again the /etc/ldap.conf, /etc/smbldap-tools/smbldap_bind.conf and /etc/smbldap-tools/smbldap.conf config files. These make or break your samba/LDAP setup. Make sure the base dn is correct and that the directory manager binddn and its password are correct. Make sure the nss_base settings are correct. Make sure the three files are consistent with each other. Then go and check again!!!!

    6. In the Windows Registry set/add the following keys. The bottom two are set as shown by default, but some sources on the internet suggest turning them off - IF you do, the join will happen but you won't be able to log in with a domain user: an error about "The trust relationship between this workstation and the primary domain failed" will occur. DO NOT TURN THESE OFF:

    7. I also changed the Local Security Policy of the joining Windows workstation, under Security Options. I set "Network Security: LAN Manager authentication level" to "Send LM & NTLM - use NTLMv2 session security if negotiated".

    Helpful Sites
    Samba's Wiki Page re Windows 7:
    Checking SIDs are the same:

  • Samba4 Domain Password Policy (QNAP NAS)

    With Samba4 becoming more relevant every day as a drop-in replacement for AD, below are the basics of password management in Samba4 using samba-tool. The following commands deal with passwords and account expiration.
    #Disable password expiration for the Administrator account.
    samba-tool user setexpiry Administrator --noexpiry

    #Show domain level password options.
    samba-tool domain passwordsettings show

    #Disable password complexity at the domain level.
    samba-tool domain passwordsettings set --complexity=off

    #Disable password history at the domain level.
    samba-tool domain passwordsettings set --history-length=0

    #Disable password min-age at the domain level.
    samba-tool domain passwordsettings set --min-pwd-age=0

    #Disable password max-age at the domain level.
    samba-tool domain passwordsettings set --max-pwd-age=0

    #Disable minimum password length at the domain level.
    samba-tool domain passwordsettings set --min-pwd-length=0
    QNAP NAS: This also applies to a QNAP NAS running software version >= 4.3.x in Domain Controller mode, with Domain Controller users. On QNAP, samba-tool is located in /usr/local/samba/bin.
    eg: I normally do at least the following on a QNAP NAS:
    cd /usr/local/samba/bin
    ./samba-tool domain passwordsettings set --max-pwd-age=0
    ./samba-tool domain passwordsettings set --history-length=2
    ./samba-tool domain passwordsettings set --min-pwd-length=5
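
    As an added audit that is not part of the original notes, the script below parses the output of samba-tool domain passwordsettings show and flags each setting that the commands above relax, so the resulting policy can be reviewed rather than assumed. The sample output is constructed and the thresholds are assumptions for illustration, not samba-tool's defaults.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit what
# "samba-tool domain passwordsettings show" reports and flag the settings the
# commands above relax. Thresholds are assumptions; adjust to your own policy.
# On a DC run:  samba-tool domain passwordsettings show | audit_pwd_policy

audit_pwd_policy() {  # reads the "show" output on stdin; returns 1 if anything is weak
    awk -F': *' '
        function w(m) { print "WARN: " m; n++ }
        /^Password complexity/       && $2 != "on"  { w("complexity is " $2) }
        /^Store plaintext passwords/ && $2 != "off" { w("plaintext storage is " $2) }
        /^Password history length/   && $2+0 < 12   { w("history length " $2 " < 12") }
        /^Minimum password length/   && $2+0 < 8    { w("minimum length " $2 " < 8") }
        /^Maximum password age/      && $2+0 == 0   { w("passwords never expire") }
        /^Account lockout threshold/ && $2+0 == 0   { w("no lockout threshold") }
        END { exit n > 0 }'
}

# constructed output in the "Label: value" layout samba-tool prints; this is
# what a domain looks like after the relaxing commands above have been run
sample_relaxed_policy() {
    printf '%s\n' "Password information for domain 'DC=example,DC=com'" '' \
        'Password complexity: off' 'Store plaintext passwords: off' \
        'Password history length: 0' 'Minimum password length: 0' \
        'Minimum password age (days): 0' 'Maximum password age (days): 0' \
        'Account lockout duration (mins): 30' 'Account lockout threshold (attempts): 0' \
        'Reset account lockout after (mins): 30'
}
# constructed output for a domain that passes every check
sample_strict_policy() {
    printf '%s\n' 'Password complexity: on' 'Store plaintext passwords: off' \
        'Password history length: 24' 'Minimum password length: 12' \
        'Maximum password age (days): 90' 'Account lockout threshold (attempts): 5'
}

sample_relaxed_policy | audit_pwd_policy || echo "relaxed policy: review the warnings above"
```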