OS : CentOS 6.5
HOSTNAME : ldap.example.com
LDAP PASSWORD : jiit
root password : jiit
Edit The /etc/hosts file
[root@ldap ~]# gedit /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 ldap ldap.example.com
(1) INSTALL THE LDAP SERVER
Router# yum install openldap*
Steps to Configure ldap server
Enter the ldap paddwd
[root@ldap]r~# slappasswd
Enter the new password:
renter the password:
{SSHA}Fa2h91Po+wGEqObvg1rJmHf45d15RX3X
(encrypted password)
[root@ldap]~# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
#TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# enable on-the-fly configuration (cn=config)
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=example,dc=com" read
by * none
#######################################################################
# database definitions
#######################################################################
database bdb
suffix "dc=example,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}Fa2h91Po+wGEqObvg1rJmHf45d15RX3X
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
[root@ldap ~]# rm -rf /etc/openldap/slapd.d/*
[root@ldap ~]# rm -rf /var/lib/ldap/*
[root@ldap ~]# cp /usr/share/openldap-servers /DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldap ~]# slaptest -u
config file testing succeeded
[root@ldap ~]#echo "" | slapadd -f /etc/openldap/slapd.conf
[root@ldap ~]#slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded
[root@ldap ~]#chown -Rf ldap. /etc/openldap/slapd.d/
[root@ldap ~]# chown -Rf ldap. /var/lib/ldap/
[root@ldap ~]#chmod 700 /var/lib/ldap/
[root@ldap ~]#chmod 700 /etc/openldap/slapd.d/
[root@ldap ~]#service slapd start
Starting slapd: [ OK ]
[root@ldap ~]# chkconfig slapd on
Starting slapd: [ OK ]
[root@ldap ~]# chkconfig slapd on
Start the slapd process and service at system bootup
[root@ldap ~]# service slapd start
Starting slapd: [ OK ]
[root@ldap ~]# chkconfig slapd on
[root@ldap ~]# service slapd start
Starting slapd: [ OK ]
[root@ldap ~]# chkconfig slapd on
[root@ldap ~]# service slapd status
slapd (pid 2242) is running...
[root@ldap ~]# netstat -ntlup | grep slapd
[root@ldap ~]# netstat -ntlup | grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
EN 2242/slapd
tcp 0 0 :::389 :::* LISTEN
EN 2242/slapd
(If you the get the output as above it means, your slapd is running without any problem)
[root@ldap ~]#gedit /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=example,dc=com
URI ldap://127.0.0.1/
#HOST 127.0.0.1
#ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#TLS_CACERTDIR /etc/openldap/certs
TLS_CACERTDIR /etc/openldap/cacerts
[root@ldap ~]# service slapd start
Starting slapd: [ OK ]
(2) INSTALL THE SAMBA SERVER
[root@ldap ~]# yum install samba*
[root@ldap ~]# gedit /etc/samba/smb.conf
# Global parameters
[global]
workgroup = LINUX
netbios name = ldap
security = user
enable privileges = yes
#interfaces = 192.168.5.11
#username map = /etc/samba/smbusers
server string = Samba Server %v
#security = ads
encrypt passwords = Yes
#min passwd length = 3
#pam password change = no
#obey pam restrictions = No
ldap ssl = no
# method 1:
unix password sync = no
ldap passwd sync = yes
# method 2:
#unix password sync = yes
#ldap passwd sync = no
#passwd program = /usr/sbin/smbldap-passwd -u "%u"
#passwd chat = "Changing *\nNew password*" %n\n "*Retype newpassword*" %n\n"
log level = 0
syslog = 0
log file = /var/log/samba/log.%U
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
logon script = logon.bat
logon drive = H:
logon home =
logon path =
domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
wins support = yes
# passdb backend = ldapsam:"ldap://"
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=Manager,dc=example,dc=com
#ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
ldap suffix = dc=example,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
#add user script = /usr/sbin/useradd "%u" -n -g users
#add group script = /usr/sbin/groupadd "%g"
#add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
#delete user script = /usr/sbin/userdel "%u"
#delete user from group script = /usr/sbin/userdel "%u" "%g"
#delete group script = /usr/sbin/groupdel "%g"
# add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
ldap idmap suffix = ou=Idmap
add user script = /usr/sbin/smbldap-useradd -m "%u"
#ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
# printers configuration
#printer admin = @"Print Operators"
load printers = Yes
create mask = 0640
directory mask = 0750
#force create mode = 0640
#force directory mode = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile folders:
preserve case = yes
short preserve case = yes
case sensitive = no
[netlogon]
path = /home/netlogon/
browseable = No
read only = yes
[profiles]
path = /home/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles
#force user = %U
# next line allows administrator to access all profiles
#valid users = %U "Domain Admins"
[printers]
comment = Network Printers
#printer admin = @"Print Operators"
guest ok = yes
printable = yes
path = /home/spool/
browseable = No
read only = Yes
printable = Yes
print command = /usr/bin/lpr -P%p -r %s
lpq command = /usr/bin/lpq -P%p
lprm command = /usr/bin/lprm -P%p %j
# print command = /usr/bin/lpr -U%U@%M -P%p -r %s
# lpq command = /usr/bin/lpq -U%U@%M -P%p
# lprm command = /usr/bin/lprm -U%U@%M -P%p %j
# lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
# lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
# queuepause command = /usr/sbin/lpc -U%U@%M stop %p
# queueresume command = /usr/sbin/lpc -U%U@%M start %p
[print$]
path = /home/printers
guest ok = No
browseable = Yes
read only = Yes
valid users = @"Print Operators"
write list = @"Print Operators"
create mask = 0664
directory mask = 0775
[public]
path = /tmp
guest ok = yes
browseable = Yes
writable = yes
[root@ldap ~]smbpasswd -w jiit (password of ldap set in first step)
[root@ldap ~]# net getlocalsid
SID for domain LDAP is: S-1-5-21-1834966309-3405184030-1647912285
(“ this is imp step ouput should be without errors )
Now download the EPEL Repositiory from https://fedoraproject.org/wiki/EPEL and install the rpm
[root@ldap ~]#rpm -ivh “path to rpm file
[root@ldap ~]# yum install smbldap-tools
[root@ldap ~]# cd /usr/share/doc/smbldap-tools-0.9.6/
[root@ldap smbldap-tools-0.9.6]# ls
ChangeLog COPYING INSTALL slapd.conf smbldap.conf
configure.pl FILES migration_scripts smb.conf smbldap-tools.pdf
CONTRIBUTORS INFRA README smbldap_bind.conf TODO
[root@ldap smbldap-tools-0.9.6]# chmod 777 configure.pl
[root@ldap smbldap-tools-0.9.6]# ./configure.pl
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
smbldap-tools script configuration
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
. if your samba controller is up and running.
. if the domain SID is defined (you can get it with the 'net getlocalsid')
. you can leave the configuration using the Ctrl-c key combination
. empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files...
Samba Configuration File Path [/etc/samba/smb.conf] > ^C
Configure interactive file configuration, these configuration will reflect in /etc/smbldap-tools/
(1) smbladap.conf
(2) smbldap_bind.conf
Now populate the LDAP server to have windows like groups
[root@ldap smbldap-tools]# smbldap-populate
Populating LDAP directory for domain LINUX (S-1-5-21-1834966309-3405184030-1647912285)
(using builtin directory structure)
entry dc=example,dc=com
entry ou=Users,dc=example,dc=com .
entry ou=Groups,dc=example,dc=com
entry ou=Computers,dc=example,dc=com
entry ou=Idmap,dc=example,dc=com
entry uid=root,ou=Users,dc=example,dc=com
entry uid=nobody,ou=Users,dc=example,dc=com
entry cn=Domain Admins,ou=Groups,dc=example,dc=com
entry cn=Domain Users,ou=Groups,dc=example,dc=com
entry cn=Domain Guests,ou=Groups,dc=example,dc=com
entry cn=Domain Computers,ou=Groups,dc=example,dc=com .
entry cn=Administrators,ou=Groups,dc=example,dc=com
entry cn=Account Operators,ou=Groups,dc=example,dc=com
entry cn=Print Operators,ou=Groups,dc=example,dc=com
entry cn=Backup Operators,ou=Groups,dc=example,dc=com
entry cn=Replicators,ou=Groups,dc=example,dc=com
entry sambaDomainName=LINUX,dc=example,dc=com Updating it...
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
(set your root password for Domain Join )
Now Download the LAM from https://www.ldap-account-manager.org/lamcms/releases
install the lam rpm
[root@ldap ~]# rpm -ivh “path to rpm file”
Open your Browser to configure LAM
enter the url 127.0.0.1/lam or localhost/lam or your IP-ADDRESS/lam
On the Right hand Corner go to LAM Configuration the default password is lam
Edit the server setting with default password and in general setting set server address
localhost:389
Tree suffix = dc=example.dc=com
Security settings cn=Manager,dc=example,dc=com
then save.
Go to Account Tab set the these parameter
Users:
LDAP Suffix ou=Users,dc=example,dc=com
Groups:
LDAP Suffix ou=Groups,dc=example,dc=com
Hosts:
LDAP Suffix ou=Computers,dc=example,dc=com
Samba domains:
LDAP Suffix dc=example,dc=com
Save the setting and login to Lam with LDAP password which you set in first step, after the login
it will ask you to creates OU just click yes.
In User Tab you will see only too users nobody and root user (I have made some users these are reflecting in print screen)
In groups tabs you will see the Windows like Groups
samba domain you will see the Samba Domain with SID
Now comes the Important Topic to enable to LDAP logins ( took me 2 weeks to identify the issues)
[root@ldap ~]#yum install pam_ldap
[root@ldap ~]#yum install nss-pam-ldapd
[root@ldap ~]#gedit /etc/nslcd.conf
Use the same ldap root password which u set in first step
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.
# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
uri ldap://127.0.0.1/
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name of the search base.
base dc=example,dc=com
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=manager,dc=example,dc=com
# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
bindpw jiit
# The distinguished name to perform password modifications by root by.
#rootpwmoddn cn=admin,dc=example,dc=com
# The default search scope.
#scope sub
#scope one
#scope base
# Customize certain database lookups.
#base group ou=Groups,dc=example,dc=com
#base passwd ou=People,dc=example,dc=com
#base shadow ou=People,dc=example,dc=com
#scope group onelevel
#scope hosts sub
# Bind/connect timelimit.
#bind_timelimit 30
# Search timelimit.
#timelimit 30
# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600
# Use StartTLS without verifying the server certificate.
#ssl start_tls
#tls_reqcert never
# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# NDS mappings
#map group uniqueMember member
# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map passwd uid msSFU30Name
#map passwd userPassword msSFU30Password
#map passwd homeDirectory msSFU30HomeDirectory
#map passwd homeDirectory msSFUHomeDirectory
#filter shadow (objectClass=User)
#map shadow uid msSFU30Name
#map shadow userPassword msSFU30Password
#filter group (objectClass=Group)
#map group uniqueMember msSFU30PosixMember
# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map passwd uid msSFUName
#map passwd userPassword msSFUPassword
#map passwd homeDirectory msSFUHomeDirectory
#map passwd gecos msSFUName
#filter shadow (objectClass=User)
#map shadow uid msSFUName
#map shadow userPassword msSFUPassword
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=Group)
#map group uniqueMember posixMember
# Mappings for Active Directory
#pagesize 1000
#referrals off
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map passwd uid sAMAccountName
#map passwd homeDirectory unixHomeDirectory
#map passwd gecos displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map shadow uid sAMAccountName
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=group)
#map group uniqueMember member
# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map passwd uid userName
#map passwd userPassword passwordChar
#map passwd uidNumber uid
#map passwd gidNumber gid
#filter group (objectClass=aixAccessGroup)
#map group cn groupName
#map group uniqueMember member
#map group gidNumber gid
uid ldap
gid ldap
[root@ldap ~]#gedit /etc/pam_ldap.conf
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# The man page for this file is pam_ldap(5)
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 127.0.0.1
# The distinguished name of the search base.
base dc=example,dc=com
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=Manager,dc=example,dc=com
# The credentials to bind with.
# Optional: default is no credential.
bindpw jiit
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com
# The port.
# Optional: default is 389.
#port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind/connect timelimit
#bind_timelimit 30
# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
# Filter to AND with uid=%s
#pam_filter objectclass=account
# The user ID attribute (defaults to uid)
#pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes
#Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
# Group member attribute
#pam_member_attribute uniquemember
# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds
# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=example,dc=com?one
#nss_base_shadow ou=People,dc=example,dc=com?one
#nss_base_group ou=Group,dc=example,dc=com?one
#nss_base_hosts ou=Hosts,dc=example,dc=com?one
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member
# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad
# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad
# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword
# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
# Netscape SDK LDAPS
#ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
uri ldap://127.0.0.1/
ssl no
tls_cacertdir /etc/openldap/cacerts
[root@ldap ~]#gedit /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
#passwd: ldap files
#shadow: ldap files
#group: ldap files
passwd: files ldap
shadow: files ldap
group: files ldap
#hosts: db files nisplus nis dns
#hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
#bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
[root@ldap ~]#gedit /etc/sysconfig/authconfig
IPADOMAINJOINED=no
USEMKHOMEDIR=no
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USESSSD=no
PASSWDALGORITHM=md5
FORCELEGACY=no
USEFPRINTD=yes
USEHESIOD=no
FORCESMARTCARD=no
USELDAPAUTH=no
IPAV2NONTP=no
USELDAP=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
USELOCAUTHORIZE=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=no
USEDB=no
USEPASSWDQC=no
[root@ldap ~]#gedit /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_access.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so md5 use_authok
password required pam_deny.so
session optional pam_keyinit.so revoke
session optional pam_ldap.so
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
[root@ldap ~]#gedit /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
s
ession required pam_unix.so
ession required pam_unix.so
Now restart the Services
[root@ldap ~]# service nslcd start
Starting nslcd: [ OK ]
[root@ldap ~]# service slapd restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]
[root@ldap ~]# service smb restart
Shutting down SMB services: [ OK ]
Starting SMB services: [ OK ]
[root@ldap ~]# service nmb restart
Shutting down NMB services: [ OK ]
Starting NMB services: [ OK ]
[root@ldap ~]# service winbind restart
Shutting down Winbind services: [FAILED]
Starting Winbind services: [ OK ]
Create Windows like administrator in LDAP using LAM
(1) Login in LAM in firefox using localhost/lam and click on user tab
(2)Write last name as administrator
(3) Now click on Unix tab and set the primary group as Account operator and addition group as
administrator
(4) Click on shadow and shadow extension
(4) Click on shadow and shadow extension
(5) Click on Samba and add samba Extension
(6) Click on set password and set password
(7) Click on Save
(8)user is added Successfully
ocheck user are replicated as unix user
[root@ldap ~]# getent password
Unknown database: password
Try `getent --help' or `getent --usage' for more information.
…...........
.
.
.
root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
administrator:x:10000:548:administrator:/home/administrator:/bin/bash
you can check too
[root@ldap ~]# ssh administrator@ IP -ADDRESS OF YOUR System
administrator@IP -ADDRESS's password:
Could not chdir to home directory /home/administrator: No such file or directory
-bash-4.1$
For Windows 7 & System use the REGISTRY Editing
The following registry change work with any Samba version that isn't already discontinued:
Windows
Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000
Do the changes manually in regedit.exe or save the above in a plain text file with Notepad/Editor (not Word/Wordpad/OpenOffice/LibreOffice/...!) and name it sambafix.reg. Make sure, that the file has the ending .reg. Then you can import it directly to your registry by double-clicking, if you have the sufficient permissions. After the next reboot you can join the machine to your domain, but you may still encounter an error: Changing the Primary Domain DNS name of this computer to "" failed. The name will remain ".....".The error was:The specified domain either does not exist or could not be contacted .But this error can safely be ignored or, if you run Windows 7, silenced by a hotfix, that was published by Microsoft: KB2171571: You incorrectly receive an error message when you join a computer that is running Windows 7 or Windows Server 2008 R2 to a Samba 3-based domain.
Now Add the Windows 7 Machine to our domain
Go to my computer properties and click change setting,click on change
Use The User name As administrator and password You set for administrator user
Click Ok if error comes not to worry and restart the system
You can check the System name in Host lab in LAM
Create another User test to login into the system as steps describe above just using primary group as domain user and no additional group in unix tab of lam
Type Username and password to login into windows 7 system
roubleshooting :
Stopping slapd: [ OK ]
/var/lib/ldap/__db.004 is not owned by "ldap" [WARNING]
/var/lib/ldap/__db.006 is not owned by "ldap" [WARNING]
/var/lib/ldap/__db.005 is not owned by "ldap" [WARNING]
/var/lib/ldap/__db.002 is not owned by "ldap" [WARNING]
/var/lib/ldap/__db.001 is not owned by "ldap" [WARNING]
/var/lib/ldap/__db.003 is not owned by "ldap" [WARNING]
^CInterrupt (core dumped)
Session terminated, killing shell... ...killed.
Run the Command
[root@ldap ~]# chown -Rf ldap. /var/lib/ldap/
After The Installation my LAM stops working on localhost therefore I changed the localhost to 127.0.0.1
Reference and Thanks
Samba.org
For any Queries feel free to mail me at :
abhishek.verma7@gmail.com
No comments:
Post a Comment