Before you start
In this tutorial -- about how to install and configure Samba as a primary domain controller with a secure LDAP-based authentication mechanism -- I'll:
- Introduce LDAP, show how it integrates with Samba, and discuss security concerns
- Go through the steps of configuring LDAP, including installing OpenLDAP and the IDEALX LDAP Samba toolkit; configuring OpenLDAP necessities, the slapd.conf file, the /etc/ldap.conf file, and the Pluggable Authentication Modules (PAM); and explain how to start OpenLDAP
- Next, show you how to configure Samba, including installing and starting Samba and the Logon Profile Generator; creating the required directories and the shared drives; configuring the smb.conf file and setting the LDAP database-access password; populating the database; adding the PAM and other users and adding Windows workstations to the domain; and debugging the Samba installation in case it didn't work
- Finally, cover security issues and talk about how to enable security for this system, including enabling the Transport Layer Security for OpenLDAP, PAM, and Samba and how to test the security of your system
The completed system boasts a secure file- and print-sharing setup, in addition to a robust LDAP server that could be used for purposes beyond those required by Samba. Additionally, Microsoft Windows clients are able to log on to your Samba server, which acts as a primary domain controller, and have shared drives automatically mounted for them based on their group membership.
This tutorial is best suited for readers with moderate UNIX or Linux familiarity and experience with basic IP networking concepts. The author used Fedora Core 3 as the Linux distribution, but there is no reason why the setup described here would not work on other Linux distributions or UNIX variants such as AIX, Solaris, or HP-UX. All applications and utilities used in this tutorial are open source and are available from either your Linux vendor or the application vendor's homepage.
The software is free and can be obtained in a number of ways. I recommend that you get a precompiled version (such as an RPM) from your Linux vendor's FTP mirror.
Here is a list of software used in this tutorial. There is no need to get the list beforehand as the tutorial describes how to download and install them.
- Perl module Crypt::SmbHash.
- Perl module Digest::SHA1.
- Perl module IO::Socket::SSL.
- Perl module Net::SSLeay.
- IDEALX Samba LDAP tools.
Note: This tutorial identifies the specific versions of the various software components tested. You might have success with earlier versions of the software, but I cannot guarantee that they will work. In general, software that is newer than the versions described in this tutorial should work.
The network described in this tutorial is intended to be small so that you can easily duplicate the examples on a home or lab network. For this setup, I used a typical home broadband router with a built-in firewall. The following diagram depicts the physical network layout.
Figure 1. Tutorial network configuration
This Microsoft Windows network contains three classes of users -- marketing, engineering, and management. Engineering and marketing each have a shared drive where users from each group may place files for others in that same group to see; however, members from one group cannot see files on the other group's shared drive. For example, a marketing employee may not view a file on the engineering drive. Management also has a shared drive that is visible only to managers. In addition, we give managers special privileges so that they can see files from both engineering and marketing.
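The group-based visibility rules above map directly onto Samba share definitions. The following smb.conf fragment is an added example written for this overview, not configuration from the tutorial itself; the share paths and the Unix/LDAP group names (engineering, marketing, management) are assumptions chosen to match the three user classes described. It restricts each drive to its own group, gives managers read-only visibility into the engineering and marketing drives, and keeps the management drive private to managers.

```ini
# Added example (not from the original tutorial). Assumed paths and group
# names. The '@' prefix in valid users / write list means "members of the
# named Unix (here LDAP-backed) group". Access is enforced by smbd when a
# client connects to the share; the on-disk permissions should match
# (group-owned directories, mode 0770) so that local access is no wider.

[engineering]
   comment        = Engineering shared drive
   path           = /home/samba/shares/engineering
   ; only engineers and managers may connect at all
   valid users    = @engineering, @management
   ; default is read-only; only engineers may write
   read only      = yes
   write list     = @engineering
   ; new files/dirs are group-accessible, world-inaccessible
   force group    = engineering
   create mask    = 0660
   directory mask = 0770
   browseable     = yes

[marketing]
   comment        = Marketing shared drive
   path           = /home/samba/shares/marketing
   valid users    = @marketing, @management
   read only      = yes
   write list     = @marketing
   force group    = marketing
   create mask    = 0660
   directory mask = 0770
   browseable     = yes

[management]
   comment        = Management shared drive
   path           = /home/samba/shares/management
   ; managers only; engineers and marketing staff are refused at connect time
   valid users    = @management
   read only      = no
   force group    = management
   create mask    = 0660
   directory mask = 0770
   browseable     = yes
```

With this layout a marketing user who tries to connect to `\\server\engineering` is rejected before any file is listed, because `valid users` excludes the marketing group, while a manager can browse both drives but cannot modify them since managers are absent from `write list`. After editing smb.conf, run `testparm` to confirm the file parses and that each share shows the intended `valid users` and `write list` values.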