Samba Domain Controller with LDAP Backend
I have followed this guide "http://www.unixmen.com/setup-samba-domain-controller-with-openldap-backend-in-ubuntu-13-04/" to try and set up samba to use ldap as the authentication. I got through the entire guide without error until i try to log into the domain or connect to the share. When trying to connect to the domain from a windows 7 client i get "An Active Directory Domain Controller for the domain "NOETIC" could not be contacted." When trying to map the share I get the error "You might not have permission to use this network resource... A device attached to the system is not functioning. I tried remaking the user account and now I am getting "Access Denied" but that is not my main issue I don't think.
I have tried looking at the SID and making sure that they match where they are supposed to go. It is probably some simple error but I am rather new to Linux and networking.
Here is my smb.conf
One thing i noticed in here that confused me was the [NETLOGON] share path. I read that this path should lead to some scripts and also that this path is different for most people. This path I have in my file does not lead to a folder with scripts in it, just an empty folder. I am not sure what this is about.Code:#======================= Global Settings ======================= #============= Configuring samba with LDAP settings ============ [global] workgroup = NOETICFS netbios name = NOETIC deadtime = 10 log level = 1 log file = /var/log/samba/log.%m max log size = 5000 debug pid = yes debug uid = yes syslog = 0 utmp = yes security = user domain logons = yes domain master = yes os level = 64 logon path =\\%N\%U\profile logon home =\\%N\%U logon drive = H: logon script =logon.cmd passdb backend = ldapsam:"ldap://ldap.hsv1.noeticstrategies.com/" ldap ssl = off ldap admin dn = cn=admin,dc=hsv1,dc=noeticstrategies,dc=com ldap delete dn = no # Sync UNIX password with Samba password ## Method 1: ldap password sync = yes ## Method 2: ;ldap password sync = no ;unix password sync = yes ;passwd program = /usr/sbin/smbldap-passwd -u '%u' ;passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n" ldap suffix = dc=hsv1,dc=noeticstrategies,dc=com ldap user suffix = ou=Users ldap group suffix = ou=Groups ldap machine suffix = ou=Computers ldap idmap suffix = ou=Idmap add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1 rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold' delete user script = /usr/sbin/smbldap-userdel '%u' set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u' add group script = /usr/sbin/smbldap-groupadd -p '%g' delete group script = /usr/sbin/smbldap-groupdel '%g' add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g' delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g' add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1 ## Browsing/Identification ### # Change this to the workgroup/NT-domain name your Samba server will part of # workgroup = # server string is the equivalent of the NT Description field # server string = %h server (Samba, Ubuntu) # Windows Internet Name Serving Support Section: # WINS Support - Tells the NMBD component of Samba to enable its WINS Server wins support = no # name resolve order = wins lmhosts host bcast # WINS Server - Tells the NMBD components of Samba to be a WINS Client # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both ; wins server = w.x.y.z # This will prevent nmbd to search for NetBIOS names through DNS. # dns proxy = no #### Networking #### # The specific set of interfaces / networks to bind to # This can be either the interface name or an IP address/netmask; # interface names are normally preferred ; interfaces = 127.0.0.0/8 eth0 # Only bind to the named interfaces and/or networks; you must use the # 'interfaces' option above to use this. # It is recommended that you enable this feature if your Samba machine is # not protected by a firewall or is a firewall itself. However, this # option cannot handle dynamic or non-broadcast interfaces correctly. ; bind interfaces only = yes #### Debugging/Accounting #### # This tells Samba to use a separate log file for each machine # that connects # log file = /var/log/samba/log.%m # Cap the size of the individual log files (in KiB). # max log size = 1000 # If you want Samba to only log through syslog then set the following # parameter to 'yes'. # syslog only = no # We want Samba to log a minimum amount of information to syslog. Everything # should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log # through syslog you should set the following parameter to something higher. # syslog = 0 # Do something sensible when Samba crashes: mail the admin a backtrace panic action = /usr/share/samba/panic-action %d ####### Authentication ####### # Server role. Defines in which mode Samba will operate. Possible # values are "standalone server", "member server", "classic primary # domain controller", "classic backup domain controller", "active # directory domain controller". # Most people will want "standalone sever" or "member server". # Running as "active directory domain controller" will require first # running "samba-tool domain provision" to wipe databases and create a # new domain. server role = standalone server # If you are using encrypted passwords, Samba will need to know what # password database type you are using. # passdb backend = tdbsam obey pam restrictions = no # This boolean parameter controls whether Samba attempts to sync the Unix # password with the SMB password when the encrypted SMB password in the # passdb is changed. # unix password sync = yes # For Unix password sync to work on a Debian GNU/Linux system, the following # parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for # sending the correct chat script for the passwd program in Debian Sarge). # passwd program = /usr/bin/passwd %u # passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . # This boolean controls whether PAM will be used for password changes # when requested by an SMB client instead of the program listed in # 'passwd program'. The default is 'no'. pam password change = no # This option controls how unsuccessful authentication attempts are mapped # to anonymous connections map to guest = bad user ########## Domains ########### # # The following settings only takes effect if 'server role = primary # classic domain controller', 'server role = backup domain controller' # or 'domain logons' is set # # It specifies the location of the user's # profile directory from the client point of view) The following # required a [profiles] share to be setup on the samba server (see # below) ; logon path = \\%N\profiles\%U # Another common choice is storing the profile in the user's home directory # (this is Samba's default) # logon path = \\%N\%U\profile # The following setting only takes effect if 'domain logons' is set # It specifies the location of a user's home directory (from the client # point of view) ; logon drive = H: # logon home = \\%N\%U # The following setting only takes effect if 'domain logons' is set # It specifies the script to run during logon. The script must be stored # in the [netlogon] share # NOTE: Must be store in 'DOS' file format convention ; logon script = logon.cmd # This allows Unix users to be created on the domain controller via the SAMR # RPC pipe. The example command creates a user account with a disabled Unix # password; please adapt to your needs ; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u # This allows machine accounts to be created on the domain controller via the # SAMR RPC pipe. # The following assumes a "machines" group exists on the system ; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u # This allows Unix groups to be created on the domain controller via the SAMR # RPC pipe. ; add group script = /usr/sbin/addgroup --force-badname %g ############ Misc ############ # Using the following line enables you to customise your configuration # on a per machine basis. The %m gets replaced with the netbios name # of the machine that is connecting ; include = /home/samba/etc/smb.conf.%m # Some defaults for winbind (make sure you're not using the ranges # for something else.) ; idmap uid = 10000-20000 ; idmap gid = 10000-20000 ; template shell = /bin/bash # Setup usershare options to enable non-root users to share folders # with the net usershare command. # Maximum number of usershare. 0 (default) means that usershare is disabled. ; usershare max shares = 100 # Allow users who've been granted usershare privileges to create # public shares, not just authenticated ones usershare allow guests = no #======================= Share Definitions ======================= # Un-comment the following (and tweak the other settings below to suit) # to enable the default home directory shares. This will share each # user's home directory as \\server\username ;[homes] ; comment = Home Directories ; browseable = no # By default, the home directories are exported read-only. Change the # next parameter to 'no' if you want to be able to write to them. ; read only = yes # File creation mask is set to 0700 for security reasons. If you want to # create files with group=rw permissions, set next parameter to 0775. ; create mask = 0700 # Directory creation mask is set to 0700 for security reasons. If you want to # create dirs. with group=rw permissions, set next parameter to 0775. ; directory mask = 0700 # By default, \\server\username shares can be connected to by anyone # with access to the samba server. # Un-comment the following parameter to make sure that only "username" # can connect to \\server\username # This might need tweaking when using external authentication schemes ; valid users = %S #===================== moved copy pasta ================= [NETLOGON] path = /var/lib/samba/netlogon guest ok = yes read only = yes browseable = no #share modes = no [PROFILES] path = /var/lib/samba/profiles browseable = no writeable = yes create mask = 0611 directory mask = 0700 profile acls = yes csc policy = disable map system = yes map hidden = yes guest ok = no browseable = no #===================== moved copy pasta ================= # Un-comment the following and create the netlogon directory for Domain Logons # (you need to configure Samba to act as a domain controller too.) ;[netlogon] ; comment = Network Logon Service ; path = /home/samba/netlogon ; guest ok = yes ; read only = yes # Un-comment the following and create the profiles directory to store # users profiles (see the "logon path" option above) # (you need to configure Samba to act as a domain controller too.) # The path below should be writable by all users so that their # profile directory may be created the first time they log on ;[profiles] ; comment = Users profiles ; path = /home/samba/profiles ; guest ok = no ; browseable = no ; create mask = 0600 ; directory mask = 0700 #[printers] # comment = All Printers # browseable = no # path = /var/spool/samba # printable = yes # guest ok = no # read only = yes # create mask = 0700 # Windows clients look for this share name as a source of downloadable # printer drivers #[print$] # comment = Printer Drivers # path = /var/lib/samba/printers # browseable = yes # read only = yes # guest ok = no # Uncomment to allow remote administration of Windows print drivers. # You may need to replace 'lpadmin' with the name of the group your # admin users are members of. # Please note that you also need to set appropriate Unix permissions # to the drivers directory for these users to have write rights in it ; write list = root, @lpadmin #Share for all files [shares] comment = Shared Files path = /etc/shares browsable = yes guest ok = no read only = no create mask = 0755 valid users = "@Domain Users"
Here is my smbldap.conf
The SID is not actually all 1's. It is set to the return i get from net getlocalsid. I read other things and saw that some people had to set their domain SID to this SID using net setdomainsid "SID........". I did this so net getdomainsid returns both domain SID and local SID as this same one. I am not positive that this is correct either but it did not seem to create any new errors.Code:# $Id: smbldap.conf 139 2012-08-07 11:11:37Z fumiyas $ # # smbldap-tools.conf : Q & D configuration file for smbldap-tools # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # # Copyright (C) 2001-2002 IDEALX # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, # USA. # Purpose : # . be the configuration file for all smbldap-tools scripts ############################################################################## # # General Configuration # ############################################################################## # Put your own SID. To obtain this number do: "net getlocalsid". # If not defined, parameter is taking from "net getlocalsid" return SID="S-1-1-11-1111111111-1111111111-111111111" # Domain name the Samba server is in charged. # If not defined, parameter is taking from smb.conf configuration file # Ex: sambaDomain="IDEALX-NT" sambaDomain="NOETICFS" ############################################################################## # # LDAP Configuration # ############################################################################## # Notes: to use to dual ldap servers backend for Samba, you must patch # Samba with the dual-head patch from IDEALX. If not using this patch # just use the same server for slaveLDAP and masterLDAP. # Those two servers declarations can also be used when you have # . one master LDAP server where all writing operations must be done # . one slave LDAP server where all reading operations must be done # (typically a replication directory) # Slave LDAP server URI # Ex: slaveLDAP=ldap://slave.ldap.example.com/ # If not defined, parameter is set to "ldap://127.0.0.1/" #slaveLDAP="ldap://ldap.example.com/" # Master LDAP server URI: needed for write operations # Ex: masterLDAP=ldap://master.ldap.example.com/ # If not defined, parameter is set to "ldap://127.0.0.1/" masterLDAP="ldap://ldap.hsv1.noeticstrategies.com/" # Use TLS for LDAP # If set to 1, this option will use start_tls for connection # (you must also used the LDAP URI "ldap://...", not "ldaps://...") # If not defined, parameter is set to "0" ldapTLS="0" # How to verify the server's certificate (none, optional or require) # see "man Net::LDAP" in start_tls section for more details verify="none" # CA certificate # see "man Net::LDAP" in start_tls section for more details cafile="/etc/smbldap-tools/ca.pem" # certificate to use to connect to the ldap server # see "man Net::LDAP" in start_tls section for more details clientcert="/etc/smbldap-tools/smbldap-tools.hsv1.noeticstrategies.com.pem" # key certificate to use to connect to the ldap server # see "man Net::LDAP" in start_tls section for more details clientkey="/etc/smbldap-tools/smbldap-tools.hsv1.noeticstrategies.com.key" # LDAP Suffix # Ex: suffix=dc=IDEALX,dc=ORG suffix="dc=hsv1,dc=noeticstrategies,dc=com" # Where are stored Users # Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG" # Warning: if 'suffix' is not set here, you must set the full dn for usersdn usersdn="ou=Users,${suffix}" # Where are stored Computers # Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG" # Warning: if 'suffix' is not set here, you must set the full dn for computersdn computersdn="ou=Computers,${suffix}" # Where are stored Groups # Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG" # Warning: if 'suffix' is not set here, you must set the full dn for groupsdn groupsdn="ou=Groups,${suffix}" # Where are stored Idmap entries (used if samba is a domain member server) # Ex: idmapdn="ou=Idmap,dc=IDEALX,dc=ORG" # Warning: if 'suffix' is not set here, you must set the full dn for idmapdn idmapdn="ou=Idmap,${suffix}" # Where to store next uidNumber and gidNumber available for new users and groups # If not defined, entries are stored in sambaDomainName object. # Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}" # Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}" # Default scope Used scope="sub" # Unix password hash scheme (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT) # If set to "exop", use LDAPv3 Password Modify (RFC 3062) extended operation. password_hash="SSHA" # if password_hash is set to CRYPT, you may set a salt format. # default is "%s", but many systems will generate MD5 hashed # passwords if you use "$1$%.8s". This parameter is optional! password_crypt_salt_format="%s" ############################################################################## # # Unix Accounts Configuration # ############################################################################## # Login defs # Default Login Shell # Ex: userLoginShell="/bin/bash" userLoginShell="/bin/bash" # Home directory # Ex: userHome="/home/%U" userHome="/home/%U" # Default mode used for user homeDirectory userHomeDirectoryMode="700" # Gecos userGecos="System User" # Default User (POSIX and Samba) GID defaultUserGid="513" # Default Computer (Samba) GID defaultComputerGid="515" # Skel dir skeletonDir="/etc/skel" # Treat shadowAccount object or not shadowAccount="1" # Default password validation time (time in days) Comment the next line if # you don't want password to be enable for defaultMaxPasswordAge days (be # careful to the sambaPwdMustChange attribute's value) defaultMaxPasswordAge="45" ############################################################################## # # SAMBA Configuration # ############################################################################## # The UNC path to home drives location (%U username substitution) # Just set it to a null string if you want to use the smb.conf 'logon home' # directive and/or disable roaming profiles # Ex: userSmbHome="\\PDC-SMB3\%U" userSmbHome="\\192.168.1.62\%U" # The UNC path to profiles locations (%U username substitution) # Just set it to a null string if you want to use the smb.conf 'logon path' # directive and/or disable roaming profiles # Ex: userProfile="\\PDC-SMB3\profiles\%U" userProfile="\\192.168.1.62\profiles\%U" # The default Home Drive Letter mapping # (will be automatically mapped at logon time if home directory exist) # Ex: userHomeDrive="H:" userHomeDrive="H:" # The default user netlogon script name (%U username substitution) # if not used, will be automatically username.cmd # make sure script file is edited under dos # Ex: userScript="startup.cmd" # make sure script file is edited under dos userScript="logon.bat" # Domain appended to the users "mail"-attribute # when smbldap-useradd -M is used # Ex: mailDomain="idealx.com" mailDomain="noeticstrategies.com" ############################################################################## # # SMBLDAP-TOOLS Configuration (default are ok for a RedHat) # ############################################################################## # Allows not to use smbpasswd (if with_smbpasswd="0" in smbldap.conf) but # prefer Crypt::SmbHash library with_smbpasswd="0" smbpasswd="/usr/bin/smbpasswd" # Allows not to use slappasswd (if with_slappasswd="0" in smbldap.conf) # but prefer Crypt:: libraries with_slappasswd="0" slappasswd="/usr/sbin/slappasswd" # comment out the following line to get rid of the default banner # no_banner="1"
Any help is appreciated. Thank you.
Adv Reply
Bookmarks