LDAP/SAMBA Setup Integration:

We're getting closer. We have LDAP, NFS and SAMBA all running. All the major pieces are there. Now we just need to finish linking them together. So, back on the LDAP server:

  • LDAP Configuration
    • Download this file, rename it to samba.schema, and copy it to /etc/ldap/schema/

    • Edit /etc/ldap/slapd.conf to include the samba schema. At the top of the file is the objectClass definitions section. Add the last entry shown below, which includes samba.schema. You will have to restart LDAP (slapd) to reload these settings after adding this include.

      Code:

      # Schema and objectClass definitions
      include /etc/ldap/schema/core.schema
      include /etc/ldap/schema/cosine.schema
      include /etc/ldap/schema/nis.schema
      include /etc/ldap/schema/inetorgperson.schema
      include /etc/ldap/schema/samba.schema

    • Now, if you have not already done so, enable the admin account for samba by running the smbpasswd -w secret_password_here command. Warning: this command echoes your password in clear text on the screen, so make sure no one is watching, and clear your command history when done. This stores the password in plain text in your secrets.tdb file, which plays the same role as ldap.secret. Keep file permissions tight on it, or your whole server is compromised.

    • We need to create a directory in LDAP to store machine accounts, like we did before when we created the directory to store group accounts. Use this ldif file to create the machine accounts directory (One time only). Rename the file to MachineOU.ldif, and import it:

      Code:

      ldapadd -x -D 'cn=admin,dc=muppet,dc=cs,dc=dixie,dc=edu' -W -f MachineOU.ldif

    • Next create an account on the LDAP server for the Windows administrator user with a SAMBA account. The name of this user MUST be the one specified in your smb.conf file under the domain admin group section (do this one time only). Here is a sample ldif file with samba support that adds the samba admin user. You will have to rename the file to .ldif instead of .txt, change all the information for your servers and for the samba admin user, then import it into LDAP using ldapadd.

    • On the LDAP server we need to create a machine account for EVERY windows machine which will be used in the system (this is how SAMBA knows which machines are allowed to join the domain). Here is a sample ldif file for one machine account. Rename the file to machine_account.ldif, and edit for your system. Remember, you will have to edit the file (or duplicate) for every machine in your system, or create a script that will do this for you. Also, remember that when you set up your Windows 2000 client machines, the name you use in the domain setup MUST match the name you use here, for each machine, so keep track VERY carefully as to which machine is which. Also, another thing to point out is that the uid (short user name) MUST end with a $ for machine accounts, but can NOT end with a $ for normal user accounts.

      Code:

      ldapadd -x -D 'cn=admin,dc=muppet,dc=cs,dc=dixie,dc=edu' -W -f machine_account.ldif

    • Next we need to change the setup for the users to work with samba. We must add sambaAccount attributes to any existing users (hopefully you don't have any permanent users yet, so you don't have to change existing records). New users will need entries for posixAccount, shadowAccount, and sambaAccount.

    • This is a sample samba user ldif file. Rename it to samba_user.ldif, and you can use it as a template for adding your users into the system. You must change all the ldap and smb server information for your servers, then edit the user info for each user. Like the machine accounts, you must add EACH user as a separate file, or create a script to automate the process. Use the following command to import the user record into ldap:

      Code:

      ldapadd -x -D 'cn=admin,dc=muppet,dc=cs,dc=dixie,dc=edu' -W -f samba_user.ldif

    • When creating user ldif files, here is some information about the samba-specific fields in the ldif file.
      • displayName - Full name, in pretty format
      • acctFlags - U == User, W == Workstation, X == no password expiration, D == Disabled.
      • rid - User's Windows User ID
      • primaryGroupID - User's Windows Group ID

    • The following formula is used in converting uid numbers into rid and primaryGroupID numbers for SAMBA. This is a Samba specific convention which MUST be used. It is hardcoded into the samba sources.
      • rid = ( uidNumber *2) + 1000
      • primaryGroupID = ( uidNumber *2) + 1001

        So, for uidNumber 11201, the rid number would be 23402, and the primaryGroupID number would be 23403.

    Holy cow, I think that's about it. That's what you need to hook up LDAP, SAMBA, and NFS. Now, after doing some VERY complete testing to make sure that EVERYTHING works the way it should for all types of users (there will always be something wrong), you can start entering your user accounts. Let's continue on to the final LDAP page to look at some additional configuration and tips.