Samba PDC Server dengan Backend OpenLDAP – Ubuntu 11.10

# Paket yg diperlukan:
– samba (di install di awal proses instalasi ubuntu)
– smbldap-tools
– slapd
– ldap-utils
– smbclient
– ldap-auth-client
– nslcd

# Persiapan: secara default user sistem pertama yg dibuat Ubuntu memiliki 'uid' dan 'gid' 1000, sementara pool id smbldap-tools juga mulai dari 1000 (lihat keluaran getent di akhir: user 'administrator' mendapat uid 1000). Supaya tidak bentrok, ubah uid/gid user lokal menjadi 999 (atau nilai lain di bawah 1000). Catatan keamanan: setelah diubah, semua file di luar home folder yg masih dimiliki uid/gid 1000 lama otomatis menjadi milik user LDAP pertama yg mendapat id 1000 (administrator) — cari dan perbaiki dengan `find / -xdev \( -uid 1000 -o -gid 1000 \)` setelah langkah ini.

sysadmin@vserver:~$ sudo su
root@vserver:/# nano /etc/passwd

# ganti angka 1000 dan path home folder (lebih aman memakai `vipw` daripada nano supaya file terkunci selama diedit; /etc/shadow tidak perlu disentuh karena dirujuk berdasarkan nama user, bukan uid):
sysadmin:x:1000:1000:sysadmin,,,/home/sysadmin:/bin/bash

# menjadi sbb:
sysadmin:x:999:999:sysadmin,,,/sysadmin:/bin/bash
root@vserver:/# nano /etc/group

# ganti juga angka 1000 menjadi 999 (untuk alasan yg sama gunakan `vigr`):
sysadmin:x:999:

# pindah home folder /home/sysadmin menjadi /sysadmin, lalu ambil alih kepemilikannya dengan uid/gid yg baru (chown dengan nama akan diterjemahkan ke 999 karena /etc/passwd dan /etc/group sudah diubah). Ingat chown ini hanya menjangkau home folder; file lain milik uid 1000 lama harus dicari sendiri (lihat catatan di bagian persiapan).
root@vserver:/# mv /home/sysadmin /
root@vserver:/# chown -R sysadmin:sysadmin /sysadmin

# Install slapd smbldap-tools ldap-utils

root@vserver:/# apt-get install slapd smbldap-tools ldap-utils -y

# copy samba.schema.gz ke /etc/ldap/schema

root@vserver:/# cd /etc/ldap/schema
root@vserver:/etc/ldap/schema# cp /usr/share/doc/samba/examples/LDAP/samba.schema.gz .
root@vserver:/etc/ldap/schema# gzip -d samba.schema.gz
root@vserver:/etc/ldap/schema# cd /

# buat file ldap_schema.conf

root@vserver:/# nano ~/ldap_schema.conf
## Berikut isi file ldap_schema.conf ##
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema

# lakukan konversi schema file ke ldif menggunakan slapcat. Angka {12} pada perintah di bawah adalah posisi samba.schema dalam daftar include di ldap_schema.conf dihitung dari 0 (13 include, samba yg terakhir); sesuaikan bila daftar include diubah.

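root@vserver:/# mkdir /tmp/ldif_output
# -F must point at the directory created on the line above: the original page
# created /tmp/ldif_output but then passed a different name (/tmp/ldif_schema)
# to slapcat. "{12}" is the 0-based position of samba.schema in
# ~/ldap_schema.conf (13 includes, samba last); adjust it if the list changes.
# NOTE(review): /tmp is world-writable and these names are predictable. Run as
# root this is only acceptable on a single-admin box; on a shared host use a
# private directory (e.g. `mktemp -d`) for both the -F dir and the output file.
root@vserver:/# slapcat -f ~/ldap_schema.conf -F /tmp/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > /tmp/cn\=samba.ldif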

# hapus nilai berikut {12} di baris 1 dan 3.

root@vserver:/# nano /tmp/cn\=samba.ldif
## Berikut isi file cn=samba.ldif ##
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba

# hapus baris-baris atribut operasional di bawah ini (letaknya di akhir file); ldapadd akan menolaknya karena atribut ini dikelola oleh server, bukan dikirim oleh klien.
structuralObjectClass: olcSchemaConfig
entryUUID: 8706fab4-423b-1031-9525-53716cb7b8a1
creatorsName: cn=config
createTimestamp: 20120604024836Z
entryCSN: 20120604024836.965686Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20120604024836Z


# masukan file /tmp/cn\=samba.ldif ke ldap. Autentikasi SASL EXTERNAL lewat socket ldapi:/// memakai uid/gid proses pemanggil (lihat 'SASL username' di bawah: uidNumber=0), jadi perintah ini harus dijalankan sebagai root dan tidak memerlukan password admin LDAP.

root@vserver:/# ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=samba.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=samba,cn=schema,cn=config"

# buat file samba_index.ldif (di direktori kerja saat ini, yaitu /, karena ldapmodify di bawah memanggilnya dengan path relatif). DN olcDatabase={1}hdb harus sesuai dengan database yg benar-benar ada di server; bila ragu cek dulu dengan `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "olcDatabase=*" dn`.

## Berikut isi file samba_index.ldif ##
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub

# Jalankan perintah ldapmodify

root@vserver:/# ldapmodify -Y EXTERNAL -H ldapi:/// -f samba_index.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1},cn=config"

# Restart service OpenLDAP.

root@vserver:/# service slapd restart
* Stopping OpenLDAP slapd    [OK]
* Starting OpenLDAP slapd    [OK]

# Lakukan perubahan pada konfigurasi default samba.

root@vserver:/# cd /etc/samba/
root@vserver:/etc/samba# mv smb.conf smb.conf.ori
root@vserver:/etc/samba# cp /usr/share/doc/smbldap-tools/examples/smb.conf .
root@vserver:/etc/samba# nano smb.conf

## lakukan perubahan dan penambahan parameter yg diperlukan spt di bawah; parameter lainnya biarkan sesuai file contoh dari smbldap-tools. Periksa juga bahwa 'passdb backend' di file contoh tersebut menunjuk ke LDAP lokal (ldapsam), karena bagian itu tidak ditampilkan di sini.

## Berikut isi file smb.conf ##
# Global parameters
# Only the parameters changed/added on top of the smbldap-tools example
# smb.conf are listed here; everything else (including passdb backend) comes
# from that example file and is not shown on this page.
[global]
workgroup = INTRANET
netbios name = PDCSRV

#min passwd length = 5
pam password change = yes

# method 2:
# Keep the LDAP userPassword in step when a user changes the SMB password.
ldap passwd sync = yes
# NOTE(review): CP932 is the Japanese (Shift-JIS) DOS code page, most likely
# inherited from the guide this was adapted from. Pick the code page your
# legacy DOS/Win9x clients actually use; NT-class clients are unaffected.
Dos charset = CP932
Unix charset = UTF-8
hide dot files = yes
logon path = \\PDCSRV\profiles\%U
# Samba binds to the directory as this DN. Its password is stored in
# secrets.tdb by "smbpasswd -W" later on this page, so secrets.tdb must stay
# readable by root only: whoever reads it owns the whole directory.
ldap admin dn = cn=admin,dc=virtual,dc=com
ldap suffix = dc=virtual,dc=com
delete group script = /usr/sbin/smbldap-groupdel "%g"
# Plaintext LDAP. Tolerable only because the directory runs on this same host
# (the smbldap-tools configuration later on the page points at 127.0.0.1 --
# confirm passdb backend in the example file does too). If the LDAP server
# ever moves to another machine, switch to "ldap ssl = start tls" first,
# otherwise the admin bind password crosses the network in clear.
ldap ssl = no
# NOTE(review): per man smb.conf, file operations by "admin users" are carried
# out as root on every share. Keep this list minimal and treat the
# administrator password as a root password.
admin users = administrator

# Private home shares: only the owner (%S = share/user name) may connect and
# new files/dirs are created private to them.
[homes]
valid users = %S
browseable = No
read only = No
create mask = 0700
directory mask = 0700

# Logon scripts run on every client at logon, so this share must never be
# writable by ordinary users; "read only = yes" is the security-relevant bit.
[netlogon]
path = /home/samba/netlogon
browseable = No
read only = yes

# Roaming profiles (see "logon path" above). Write access and masks for this
# share come from the example file, which is not shown here -- confirm users
# can write only to their own profile directory.
[profiles]
path = /home/samba/profiles
hide files = /desktop.ini/ntuser.ini/NTUSER.*/

# Buat direktori samba dan subdirektori users, netlogon dan profiles. Jika ada penambahan parameter share sesuaikan konfigurasi kalian.

root@vserver:/etc/samba# mkdir -p /home/samba/users
root@vserver:/etc/samba# mkdir -p /home/samba/netlogon
root@vserver:/etc/samba# mkdir -p /home/samba/profiles
root@vserver:/etc/samba# service smbd restart; service nmbd restart
smbd start/running, process 6156
nmbd start/running, process 6156
root@vserver:/etc/samba#

# masukkan LDAP admin password. Samba menyimpannya di secrets.tdb (lihat keluaran di bawah; lokasinya bisa dilihat dengan `smbd -b | grep PRIVATE_DIR`) dan password ini memberi hak tulis penuh ke direktori LDAP, jadi pastikan file tersebut hanya bisa dibaca root.

root@vserver:/etc/samba# smbpasswd -W
Setting stored password for "cn=admin,dc=virtual,dc=com" in secrets.tdb
New SMB password:    # Sesuaikan dengan password admin LDAP
Retype new SMB password:

# Sebelum melakukan konfigurasi menggunakan script configure.pl dari smbldap-tools, terlebih dahulu lakukan modifikasi pada file configure.pl; jika tidak, script tidak dapat dijalankan karena ada karakter yg tidak di-escape. Sebaiknya salin configure.pl.gz ke home root dan edit salinannya — file di /usr/share/doc milik paket dan akan ditimpa saat paket di-upgrade.

root@vserver:/# gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
root@vserver:/# nano /usr/share/doc/smbldap-tools/configure.pl

# di baris ke 314 dan 315, tambahkan tanda \ sebelum karakter $ yg terletak di kalimat terakhir.

# \$Source:/opt/cvs/samba/smbldap-tools/configure.pl,v \$
# \$Id:configure.pl, v 1.17 2005/07/05 09:05:16 jtournier Exp \$

# di baris ke 527 dan 532, tambahkan juga karakter \” sebelum dan sesudah angka 0.

# Allows not to use smbpasswd (if with_smbpasswd == \"0\" in smbldap_conf.pm)
# Allows not to use slappasswd (if with_slappasswd == \"0\" in smbldap_conf.pm)

# Setelah melakukan perubahan di atas, sekarang jalankan script configure.pl. Peringatan Perl mengenai `$#` di baris 314 yg masih muncul pada keluaran di bawah tidak fatal: kedua file konfigurasi tetap ditulis (lihat 'writing new configuration file' di akhir).

root@vserver:/# perl /usr/share/doc/smbldap-tools/configure.pl
$# is no longer supported at /usr/share/doc/smbldap-tools/configure.pl line 314.=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
smbldap-tools script configuration-=-=-=-=-=-=-=-=-=-=-=-
Before starting, check. if your samba controller is up and running.. if the domain SID is defined (you can get it with the 'net getlocalsid'). you can leave the configuration using the Crtl-c key combination. empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=.
Looking for configuration files...
Samba Configuration File Path [/etc/samba/smb.conf] > # Enter
The default directory in which the smbldap configuration files are stored is shown. If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools/] >   #Enter
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=.
Let's start configuring the smbldap-tools scripts ....
workgroup name: name of the domain Samba act as a PDC workgroup name [INTRANET] > # Enter
netbios name: netbios name of the samba controler netbios name [PDCSRV] > # Enter
logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:' logon drive [H:] > # Enter
logon home: home directory location (for Win95/98 or NT Workstation). (use %U as username) Ex:'\\PDCSRV\%U'. logon home (press the "." character if you don't want homeDirectory) [\\PDCSRV\%U] >    # Enter
logon path: directory where roaming profiles are stored. Ex:'\\PDCSRV\profiles\%U'.logon path (press the "." character if you don't want roaming profile) [\\PDCSRV\profiles\%U] >    # Enter
home directory prefix (use %U as username) [/home/samba/users/%U] > # Enter
default users' homeDirectory mode [700] > # Enter
default user netlogon script (use %U as username) [logon.bat] >   # Enter
default password validation time (time in days) [45] > # Enter
ldap suffix [dc=virtual,dc=com] > # Enter
ldap group suffix [ou=Groups] > # Enter
ldap user suffix [ou=Users] > # Enter
ldap machine suffix [ou=Computers] > # Enter
Idmap suffix [ou=Idmap] > # Enter
sambaUnixIdPooldn: object where you want to store the next uidNumber and gidNumber available for new users and Groups sambaUnixIdPooldn object (relative to ) [sambaDomainName=INTRANET] >   # Enter
ldap master server: IP adress or DNS name of the master (writable) ldap server ldap master server [127.0.0.1] > # Enter
ldap master port [389] > # Enter
ldap master bind dn [cn=admin,dc=virtual,dc=com] > # Enter
ldap master bind password [] > # LDAP admin password — disimpan dalam bentuk plaintext di /etc/smbldap-tools/smbldap_bind.conf (ditulis di akhir proses ini); pastikan file itu milik root dengan mode 0600.
ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
ldap slave server [127.0.0.1] > # isi IP LDAP slave (Enter saja bila tidak ada)
ldap slave port [389] > # Enter
ldap slave bind dn [cn=admin,dc=virtual,dc=com] > # Enter
ldap slave bind password [] > # isi bila ada; bila tidak, samakan dengan password master (juga disimpan plaintext di smbldap_bind.conf)
ldap tls support (1/0) [0] > # Enter — 0 hanya aman karena LDAP master di atas adalah 127.0.0.1; bila server LDAP (master atau slave) berada di mesin lain, pilih 1, karena bind password admin akan lewat jaringan tanpa enkripsi.
SID for domain INTRANET: SID of the domain (can be obtained with 'net getlocalsid PDCSRV') SID for domain INTRANET [S-1-5-21-1654173384-968447352-780039939] >   # Enter
unix password encryption: encryption used for unix passwords, unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > # Enter — pertahankan default SSHA (salted). Penulis semula memilih MD5, tetapi MD5 tanpa salt jauh lebih mudah dipecahkan bila isi userPassword di LDAP bocor.
default user gidNumber [513] > # Enter
default computer gidNumber [515] > # Enter
default login shell [/bin/bash] > # Enter
default skeleton directory [/etc/skel] > # Enter
default domain name to append to mail adress [] > # Enter
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Use of uninitialized value $# in concatenation (.) or string at /usr/share/doc/smbldap-tools/configure.pl line 314,  line 33.
backup old configuration files:
/etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old  /etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
/etc/smbldap-tools/smbldap.conf done.
/etc/smbldap-tools/smbldap_bind.conf done

# Jalankan perintah smbldap-populate. Perintah ini membuat entri uid=root dan uid=nobody serta group-group standar domain di LDAP; password 'domain root' yg diminta di akhir adalah password untuk akun root versi LDAP tersebut ('Changing UNIX and samba passwords for root'), yg setelah nslcd/pam aktif dapat setara dengan root lokal — gunakan password yg kuat dan berbeda. Pesan 'already exist' di bawah muncul karena transkrip ini diambil dari pemasangan yg diulang.

root@vserver:/# smbldap-populate
Populating LDAP directory for domain INTRANET (S-1-5-21-1654173384-968447352-780039939)
(using builtin directory structure)
entry dc=virtual,dc=com already exist.
entry ou=Users,dc=virtual,dc=com already exist.
entry ou=Groups,dc=virtual,dc=com already exist.
adding new entry: ou=Computers,dc=virtual,dc=com
adding new entry: ou=Idmap,dc=virtual,dc=com
adding new entry: uid=root,ou=Users,dc=virtual,dc=com
adding new entry: uid=nobody,ou=Users,dc=virtual,dc=com
adding new entry: cn=Domain Admins,ou=Groups,dc=virtual,dc=com
adding new entry: cn=Domain Users,ou=Groups,dc=virtual,dc=com
adding new entry: cn=Domain Guests,ou=Groups,dc=virtual,dc=com
adding new entry: cn=Domain Computers,ou=Groups,dc=virtual,dc=com
adding new entry: cn=Administrators,ou=Groups,dc=virtual,dc=com
adding new entry: cn=Account Operators,ou=Groups,dc=virtual,dc=com
adding new entry: cn=Print Operators,ou=Groups,dc=virtual,dc=com
adding new entry: cn=Backup Operators,ou=Groups,dc=virtual,dc=com
adding new entry: cn=Replicators,ou=Groups,dc=virtual,dc=com
entry sambaDomainName=INTRANET,dc=virtual,dc=com already exist. Updating it...
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password: # set samba root password
Retype new password:
root@vserver:/#

# buat user administrator (anggota group Administrators). Ingat di smb.conf ada 'admin users = administrator', sehingga operasi file user ini di share Samba dijalankan dengan hak root — perlakukan passwordnya seperti password root.

root@vserver:/# smbldap-useradd -am -g "Domain Users" -G Administrators -N Administrator  -c "Administrator"  -P administrator
New password:
Retype new password:
root@vserver:/#

# Install ldap-auth-client dan nslcd, dan masukkan informasi sesuai dengan konfigurasi ldap (URI ldap://127.0.0.1, base dc=virtual,dc=com). Bila wizard debconf meminta password admin LDAP, password itu juga ditulis ke file konfigurasi klien — pastikan file tersebut (mis. /etc/nslcd.conf) hanya bisa dibaca root.

root@vserver:/# apt-get install ldap-auth-client nslcd -y

# update file nsswitch.conf untuk menggunakan ldap.

root@vserver:/# auth-client-config -t nss -p lac_ldap

# jalankan perintah ini untuk mengupdate pam module dan pastikan semua terpilih. Yg perlu di-restart setelahnya sebenarnya nslcd (service yg melayani NSS/PAM ke LDAP), bukan slapd; restart slapd seperti di bawah tidak berbahaya tetapi tidak berpengaruh pada perubahan PAM/NSS.

root@vserver:/# pam-auth-update
root@vserver:/# service slapd restart
* Stopping OpenLDAP slapd    [OK]
* Starting OpenLDAP slapd    [OK]
root@vserver:/#

# ubah permissions pada /home/samba

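# Set ownership/permissions on the share roots WITHOUT recursing into the
# per-user homes. The original "chown -R root ... ; chmod -R 0700
# /home/samba/users/" re-owned the administrator home created above by
# "smbldap-useradd -m" to root and left /home/samba/users itself root-owned
# 0700, which denies directory traversal to every domain user. Each user's own
# home is already created mode 700 by smbldap-useradd, so only the parents
# need fixing here.
root@vserver:/# chown root:"Domain Users" /home/samba /home/samba/users /home/samba/netlogon /home/samba/profiles
# traverse-only for the group/others; users see and enter only their own home
root@vserver:/# chmod 0751 /home/samba /home/samba/users
# logon scripts: readable by Domain Users, writable by root only (the share is
# also "read only = yes" in smb.conf)
root@vserver:/# chmod 0750 /home/samba/netlogon
# roaming profiles: users create their own profile directory here; the sticky
# bit stops them from deleting or renaming each other's.
# NOTE(review): adjust if the [profiles] section of the example smb.conf
# (not shown on this page) already uses "force user"/"create mask".
root@vserver:/# chmod 1770 /home/samba/profiles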

# Buat group MIS dan user01 sebagai member dari group MIS dan Domain Users

root@vserver:/# smbldap-groupadd -at 2 MIS
root@vserver:/# smbldap-useradd -am -G "MIS,Domain Users" -N User -S Satu -c "User Satu" -P user01
New password: # Isi password user
Retype new password:
root@vserver:/#

# Lihat apakah user01 sudah berhasil dibuat. `getent` membaca lewat NSS, jadi bila user/group LDAP muncul berarti nslcd sudah bekerja. Perhatikan 'administrator' mendapat uid 1000 — uid lama sysadmin, itulah alasan langkah persiapan di awal. Entri user00, client01$ dan rbc$ berasal dari pemasangan sebelumnya.

root@vserver:/# getent passwd
............................
administrator:x:1000:544:System User:/home/samba/users/administrator:/bin/bash
client01$:*:1001:515:Computer:/dev/null:/bin/false
user00:x:1002:513:User Nol,,,,Email: user00@virtual.com:/home/samba/users/user00:/bin/bash
rbc$:*:1003:515:Computer:/dev/null:/bin/false
user01:x:1007:513:User Satu:/home/samba/users/user01:/bin/bash

root@vserver:/# getent group
...........................
Domain Admins:*:512:root,administrator
Domain Users:*:513:user01,user00
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:administrator
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
MIS:*:1001:user00,user01
root@vserver:/# reboot

### Tinggal melakukan join domain dari klien win XP ke Ubuntu Samba🙂, Insya Allah di post selanjutnya.

Referensi:

+======S-e-l-e-s-a-i======+
