Samba-TNG
Setting up Samba-TNG with OpenLDAP
-----------------------------------------------------------------------

Table of Contents
-------------------

  2. Introduction
  3. OpenLDAP
  4. Samba-TNG
  5. Managing Users and Workstations
  6. Mini FAQ


2. Introduction:
------------------

A prerequisite for this documentation is a Samba-TNG package. Available
binary packages can be found at:

  http://sourceforge.net/projects/samba-tng

If you intend to set up LDAP with the object-class posixAccounts (based on
RFC-2307) in combination with Samba-TNG, refer to the related documents on
the Samba-TNG web-site:

  http://www.samba-tng.org

You find more information about an improved and more complex Samba-TNG setup
in combination with posixAccounts in the example directory
/usr/share/doc/packages/samba-tng/examples/hechenberger/, or similar,
depending on the $DOCROOT of your distribution.

In order not to exceed the scope of this document, we only discuss and
explain a simple basic setup of Samba-TNG with OpenLDAP.


3. OpenLDAP
-------------

Install the OpenLDAP server package shipped with your distribution or
compile it from source. OpenLDAP should be present in version 2.0.x or
higher.

As a quick-start, use the example configuration files slapd.conf.example and
ldap.conf.example included in this TNG package. Check these files
thoroughly! In general, it should not be necessary to change anything other
than the rootdn password in slapd.conf to get a basic Samba-TNG environment
up and running.

Some binary packages of OpenLDAP use a different database back-end than the
one configured in the default slapd.conf.example (bdb or ldbm); change this
according to your needs.

After that, start the OpenLDAP server slapd. For example:

  /etc/init.d/ldap start

Now set up a minimal directory structure for Samba-TNG. Use basic-users.ldif
and change it if needed. The following command adds the necessary objects
from the ldif file:

  ldapadd -D 'cn=root,dc=tng,dc=org' -x -W -f basic-users.ldif

You will be asked for the password which you set before in the slapd.conf
file.


4. Samba-TNG
--------------

Please use the example config file shipped with Samba-TNG! Check all the
options in the config file step-by-step. You will find important notes about
setting up TNG as a domain controller in it.

If you want Samba-TNG to act as a PDC you have to change some values. At
least the Samba-TNG LDAP back-end needs the URI of your LDAP server
('ldap uri'), the suffix ('ldap suffix') and the settings for a DN
('ldap bind as') with the corresponding password. This DN (or call it
"user") needs at least write permissions on the LDAP tree where we have set
up the basic directory structure for Samba-TNG. Just use the "rootdn" from
your slapd.conf.

The password is read from the file named by 'ldap passwd file' and must be
stored there in clear-text. Attention: This file should not be readable by
any other user than root!

Now start the Samba-TNG services; depending on your distribution the init
script may be installed in a different directory:

  /etc/init.d/samba-tng start

After setting a password for the user 'root' in the Samba-TNG domain or
workgroup, your Samba-TNG server should be up and running. If not, check the
log files!


5. User and Machine Administration
------------------------------------

If you intend to add users or machines to the Samba-TNG domain you also need
to add Unix/POSIX accounts on the host where TNG is running for the
users/workstations!

Important note: Workstations must be added with a trailing '$' on the
netbios name:

  useradd 'machine$' -s /bin/false

There are some script options in smb.conf ('add user script', 'add group
script', 'add group member script' and the 'del...' counterparts). With
these options Samba-TNG will be able to add or delete users and machines
on-the-fly.
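Two helpers for the points made above, as an added example that is not part of the Samba-TNG package or its hechenberger examples: secret_file_ok checks that the clear-text 'ldap passwd file' from section 4 is readable by root only, and machine_account_name/add_machine_account cover the workstation case of an smb.conf account script with the trailing '$' rule. It assumes GNU stat on Linux and that the script is called with the NetBIOS name as its only argument, with or without the '$'.

```shell
#!/bin/sh
# Added example, not from the Samba-TNG package or its hechenberger examples.
# secret_file_ok: check the file named by 'ldap passwd file' (section 4).
# machine_account_name/add_machine_account: the workstation case of a
# smb.conf account script (section 5). Assumed: GNU stat on Linux, and that
# the script is called with the NetBIOS name as its only argument, with or
# without the trailing '$'.

# secret_file_ok FILE [OWNER]: succeed only if FILE is a regular file owned
# by OWNER (default root) with no group/other permission bits at all.
secret_file_ok() {
    file=$1
    owner=${2:-root}
    [ -f "$file" ] || { echo "$file: not a regular file"; return 1; }
    # %U = owner name, %a = mode in octal (GNU stat)
    set -- $(stat -c '%U %a' "$file")
    [ "$1" = "$owner" ] || { echo "$file: owner is $1, expected $owner"; return 1; }
    # the last two octal digits are the group and other bits; both must be 0
    mode=000$2
    [ "${mode#"${mode%??}"}" = 00 ] ||
        { echo "$file: mode $2 lets other users read the password"; return 1; }
}

# machine_account_name NAME: print NAME with exactly one trailing '$', or
# fail if NAME is empty, longer than 15 characters (NetBIOS limit) or
# contains anything but letters, digits and '-'.
machine_account_name() {
    name=${1%\$}
    [ -n "$name" ] && [ ${#name} -le 15 ] || return 1
    case $name in
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
    printf '%s$\n' "$name"
}

# add_machine_account NAME: create the POSIX account with no shell and no
# home directory, so it cannot be used for an interactive login.
add_machine_account() {
    acct=$(machine_account_name "$1") || { echo "rejected name: $1"; return 1; }
    useradd -s /bin/false -d /dev/null -c 'Samba-TNG workstation' "$acct"
}

# With one argument act as the account script; with none only define helpers.
if [ $# -eq 1 ]; then
    add_machine_account "$1"
fi
```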
Examples for these script options can be found in examples/hechenberger/, as
mentioned above.

Samba-TNG comes with a very powerful administration utility called
"rpcclient". This tool allows you to control and manage all important
functions of your server (or use it to manage other workstations in your
network). Examples:

  1. If you are root on the host where Samba-TNG is running, you get a
     rpcclient console with:

       rpcclient -S .

  2. Adding a user:

       rpcclient -S . -c 'createuser -p '

  3. The following example connects rpcclient to another workstation. It is
     not necessary that the machine is a domain controller or a Samba
     server:

       rpcclient -S -U

For more details about rpcclient refer to the built-in help of rpcclient.

The following sets the password for the administrative account in the
domain, the so-called "Administrator". Important note: We named this account
'root', too (see basic-users.ldif).

  rpcclient -S . -c 'samuserset root -p '

This account is locked. Unlock it with the following command:

  rpcclient -S . -c 'samuserset2 root -c D'

Side note: Only the user with uid 0 has administrative privileges on the
Samba-TNG PDC. Users in the Windows group "Domain Admins" will have
Administrator privileges on the Windows workstations of this domain but no
root permissions on the PDC!

Congratulations! Your Samba-TNG server configuration is finished!


6. Mini FAQ
-------------

For the topics listed below you find more information on the Samba-TNG
web-site at http://www.samba-tng.org. Please check the status page
http://www.samba-tng.org/status.html, too!

- Adding a workstation into a domain

  o The same procedure as joining an M$ domain. Just add a Unix/POSIX
    account for the machine. Read more about this in chapter 5.

- Adding a user under MS Windows (usrmgr.exe)

  o Surely, you can use usrmgr.exe from a Windows client. Don't forget to
    add a Unix/POSIX account! You could use the 'add user script' option if
    you don't want to do this by hand. Read more about this in chapter 5.

- Inter Domain Trusts: MS PDC trusts TNG PDC

  o Domain trusts are working reliably. Add an account for the PDC and the
    domain and set up the trust as you would with any other PDC. A brief
    description can be found in the text by Dan Newcombe in the chapter
    "Part Five - Creating a trust" at
    http://mordor.clayton.edu/samba-tng/tng-pdc-trust.html

- Password synchronisation or Single-Source-of-Sign-On

  o You can set up a SSOSO with Samba-TNG, nss_ldap and pam_ldap. For this
    the object-class posixAccounts from OpenLDAP (nis.schema) may be very
    helpful. There is more than one way to get a "password synchronisation",
    or at least one password for different platforms.

- Printing Support

  o If you need printing support you are free to test the experimental
    printing support for CUPS. For this you need to configure and compile
    Samba-TNG from source with the configure option --with-cups.
    Note: The development of Samba-TNG is focused on the domain controller
    features. As of the 0.3 release there is no active development on
    printing support.

- ACL Support

  o Samba-TNG version 0.3 does not support file ACLs.

- File locking

  o File locking may be broken and is set to 'no' by default. It is
    therefore not supported in version 0.3.

- Windows XP, Windows 2000 and Windows NT

  o Samba-TNG can act as a PDC for the operating systems listed above. A
    more detailed status page can be found at the Samba-TNG web-site.

=======================================================================

If you have problems, or think you have found a bug, please email a full,
detailed report to:

  tng-users@samba-tng.org

Information on how to write an informative bug-report can be found at:

  http://www.sqatester.com/bugsfixes/index.htm

Regards,
The Samba-TNG Team.