Saturday, December 18, 2010

LDAP SAMBA to Primary Domain Controller - Part 1

LDAP SAMBA to Primary Domain Controller (PDC)

################################################################################################################
Step 1: DNS Service
a. Install
#cat /etc/hosts
    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    192.168.44.150  server.hbn.local        server
    127.0.0.1       localhost.localdomain   localhost
    ::1             localhost6.localdomain6 localhost6
#yum install -y bind-chroot
#chmod 755 -R /var/named/
#cp /usr/share/doc/bind-*/sample/var/named/named.local /var/named/chroot/var/named/
#cp /usr/share/doc/bind-*/sample/var/named/named.root /var/named/chroot/var/named/
#cp /usr/share/doc/bind-*/sample/var/named/localhost.zone /var/named/chroot/var/named/
#touch /var/named/chroot/etc/named.conf
#chkconfig --level 35 named on
#service named start

b. Configuration:
#vim /var/named/chroot/etc/named.conf
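options {
        directory "/var/named";

        // This server recurses to public/ISP forwarders on behalf of its
        // clients, so restrict who may ask it anything: only the box itself
        // and the 192.168.44.0/24 LAN it serves (see the reverse zone below).
        // Without these, any host able to reach port 53 gets an open resolver.
        allow-query     { localhost; 192.168.44.0/24; };
        allow-recursion { localhost; 192.168.44.0/24; };

        forwarders {203.162.0.181; 203.162.0.11; 210.245.0.11; 210.245.0.58; 208.67.222.222; 208.67.220.220; 8.8.8.8; 8.8.4.4;};
};

// Root hints, used when a forwarder is unavailable.
zone "." IN {
        type hint;
        file "named.root";
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
};

// Reverse zone for 192.168.44.0/24 (file created as 192.168.44.0.db below).
zone "44.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.44.0.db";
};

// Forward zone for the lab domain (file created as hbn.local below).
zone "hbn.local" {
        type master;
        file "hbn.local";
};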

save and quit

# cd /var/named/chroot/var/named/
#vim 192.168.44.0.db
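$TTL    86400
; SOA: primary name server (must have an A record in hbn.local) and the
; zone contact mailbox written with "." in place of "@".
@       IN      SOA     dns.hbn.local. root.hbn.local.  (
                                      2010121801 ; Serial (YYYYMMDDnn, increase on every edit)
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
; The NS target must resolve: dns.hbn.local has an A record in the forward
; zone, whereas ns1.hbn.local is defined nowhere.
        IN      NS      dns.hbn.local.
; Owner is the last octet of the address. dns.hbn.local is 192.168.44.150
; in the forward zone (and /etc/hosts), so its PTR lives at 150, not 100.
150     IN      PTR     dns.hbn.local.
250     IN      PTR     winxp.hbn.local.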

#vim hbn.local
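$TTL 14400
; SOA: the first field (MNAME) is the primary name server for the zone and
; needs an A record; the second (RNAME) is the contact mailbox with "." for
; "@" (hostmaster@hbn.local). root.hbn.local is not a host in this zone.
@       IN      SOA     dns.hbn.local.      hostmaster.hbn.local. (
                                                2010121801      ; Serial (YYYYMMDDnn, increase on every edit)
                                                14400           ; Refresh
                                                3600            ; Retry
                                                1209600         ; Expire
                                                86400 )         ; Minimum / negative-cache TTL

; Owner is inherited from "@" above. One NS record is enough (the original
; listed the same target twice); its target has an A record below.
        IN      NS      dns.hbn.local.

ftp             IN      A       192.168.44.150
hbn.local.      IN      A       192.168.44.150
localhost       IN      A       127.0.0.1
mail            IN      A       192.168.44.150
pop             IN      A       192.168.44.150
smtp            IN      A       192.168.44.150
www             IN      A       192.168.44.150
dns             IN      A       192.168.44.150
ldap            IN      A       192.168.44.150
winxp           IN      A       192.168.44.250
hbn.local.      IN      MX      10 mail

; SPF: only the A/MX hosts and 192.168.44.150 may send mail for hbn.local.
hbn.local.    14400   IN      TXT     "v=spf1 a mx ip4:192.168.44.150 ~all"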

# vim /etc/resolv.conf
search hbn.local
nameserver 192.168.44.150
nameserver 192.168.44.2
c. Test:
# nslookup
> hbn.local 
Server:         192.168.44.150
Address:        192.168.44.150#53

Name:   hbn.local
Address: 192.168.44.150
> dns.hbn.local
Server:         192.168.44.150
Address:        192.168.44.150#53

Name:   dns.hbn.local
Address: 192.168.44.150
> winxp.hbn.local
Server:         192.168.44.150
Address:        192.168.44.150#53

Name:   winxp.hbn.local
Address: 192.168.44.250
> ldap.hbn.local
Server:         192.168.44.150
Address:        192.168.44.150#53

Name:   ldap.hbn.local
Address: 192.168.44.150
> exit

################################################################################################################
Step 2: PDC with LDAP - Samba

a. Install
Add Dag repository
#wget http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
#rpm --import RPM-GPG-KEY.dag.txt
#rm -f RPM-GPG-KEY.dag.txt
#vim /etc/yum.repos.d/dag.repo
[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el5/en/$basearch/dag/
# gpgcheck=1 makes yum verify every package against the Dag key imported
# above with rpm --import. That key was fetched over plain http, so confirm
# its fingerprint out of band before trusting packages from this repo.
gpgcheck=1
# Disabled by default; only used when called with --enablerepo=dag, as in
# the install command below.
enabled=0

#yum --enablerepo=dag install -y openldap openldap-clients openldap-devel openldap-servers openldap-clients compat-openldap python-ldap ldapjdk php-ldap nss_ldap samba samba-common samba-client perl-Crypt-SmbHash perl-Digest-SHA1 perl-Jcode perl-Unicode-Map perl-Unicode-Map8 perl-Unicode-MapUTF8 perl-Unicode-String smbldap-tools


#cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema /etc/openldap/schema/
# cd /etc/openldap/
# vim slapd.conf

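include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

# LDAPv2 binds are off by default and none of the clients configured in
# this guide (nss_ldap, Samba, smbldap-tools) need them; re-enable only if a
# legacy client actually fails with a protocol-version error.
# allow bind_v2

# -1 logs every debug category and is meant for troubleshooting only;
# 256 ("stats") records connections, operations and results.
loglevel 256

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

#######################################################################
# bdb database definition
#######################################################################

database        bdb
suffix          "dc=hbn,dc=local"
rootdn          "cn=Manager,dc=hbn,dc=local"

# rootdn bypasses every ACL below, so its password must not sit here in
# clear text. Generate a salted hash with
#     slappasswd -h {SSHA}
# and paste the printed value in place of the placeholder (the file is
# also chmod 640 further down).
rootpw          {SSHA}<paste-the-output-of-slappasswd-here>
# rootpw                {crypt}ijFYNcSNctBYg

directory       /var/lib/ldap

# Indices to maintain for this database. "index" is a per-database
# directive, so it is placed after "database bdb" where it is guaranteed to
# apply to this backend.
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName     eq


#Access control List information
# slapd applies the FIRST "access to" clause whose target matches, so the
# password attributes get exactly one clause here: a preceding clause for
# the same attributes (as in the original, with a malformed "by selfwrite")
# would be matched first and hide the DSA write permissions below.
# Within a clause the first matching "by" wins; anything unmatched falls
# through to "by * none".
# users can authenticate and change their password
access to attrs="userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange"
        by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
        by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
        by dn="cn=nssldap,ou=DSA,dc=hbn,dc=local" write
        by dn="uid=root,ou=Users,dc=hbn,dc=local" write
        by anonymous auth
        by self write
        by * none

# Accounts live under ou=Users (usersdn in smbldap.conf); there is no
# ou=People in this layout, so the root entry is uid=root,ou=Users.
# The smbldap-tools DSA is cn=smbldap-tools,ou=DSA everywhere, matching
# the other clauses.
# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
        by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
        by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
        by dn="uid=root,ou=Users,dc=hbn,dc=local" write
        by * read

# some attributes can be writable by users themselves
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
        by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
        by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
        by dn="uid=root,ou=Users,dc=hbn,dc=local" write
        by self write
        by * read

# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
        by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
        by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
        by dn="uid=root,ou=Users,dc=hbn,dc=local" write
        by self read
        by * none

# samba need to be able to create the samba domain account
access to dn.base="dc=hbn,dc=local"
        by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
        by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
        by dn="uid=root,ou=Users,dc=hbn,dc=local" write
        by * none

# NOTE(review): a bare dn="..." is matched exactly on current OpenLDAP
# releases, so the three clauses below cover the OU entry itself (which is
# what adding child entries needs); attributes of the entries beneath are
# governed by the attrs clauses above or by the final "access to *".
# Use dn.subtree= if whole-subtree access is intended.
# samba need to be able to create new users account
access to dn="ou=Users,dc=hbn,dc=local"
        by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
        by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
        by dn="uid=root,ou=Users,dc=hbn,dc=local" write
        by * none

# samba need to be able to create new groups account
access to dn="ou=Groups,dc=hbn,dc=local"
        by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
        by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
        by dn="uid=root,ou=Users,dc=hbn,dc=local" write
        by * none

# samba need to be able to create new computers account
access to dn="ou=Computers,dc=hbn,dc=local"
        by dn="cn=samba,ou=DSA,dc=hbn,dc=local" write
        by dn="cn=smbldap-tools,ou=DSA,dc=hbn,dc=local" write
        by dn="uid=root,ou=Users,dc=hbn,dc=local" write
        by * none

# Everything not matched above: an entry may read itself, nobody else
# gets anything.
access to *
        by self read
        by * none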


save and quit
-----------------------------------------------------------------------------------
#chmod 640 slapd.conf
# vim ldap.conf
BASE    dc=hbn, dc=local
URI ldap://127.0.0.1/
TLS_CACERTDIR /etc/openldap/cacerts

#cp DB_CONFIG.example /var/lib/ldap/
#cd /var/lib/ldap/
#mv DB_CONFIG.example DB_CONFIG

# /etc/init.d/ldap start
Checking configuration files for slapd:  config file testing succeeded
[  OK  ]
Starting slapd: [  OK  ]
# /etc/init.d/nscd start
Starting nscd: [  OK  ]
# chkconfig --level 35 nscd on

# setup

run Authentication Configuration

select Cache Information
Use LDAP
Use MD5 Passwords
Use Shadow Passwords
Use LDAP Authentication

Press the Next button

do not select the Use TLS option
Server: ldap://127.0.0.1/
Base DN: dc=hbn,dc=local

Press OK and exit

# vim /etc/ldap.conf
# nss_ldap / pam_ldap client settings (PADL /etc/ldap.conf format).
host 127.0.0.1

base dc=hbn,dc=local

# DN that root binds as for lookups; its password is read from
# /etc/ldap.secret (created below, mode 600).
# NOTE(review): this is the directory rootdn from slapd.conf, which bypasses
# every ACL. slapd.conf already names cn=nssldap,ou=DSA,dc=hbn,dc=local for
# this role; binding as that DSA (with the read ACLs it needs) would keep the
# Manager password out of /etc/ldap.secret.
rootbinddn cn=manager,dc=hbn,dc=local

# Search time limit, in seconds.
timelimit 120

# Bind time limit, in seconds.
bind_timelimit 120

# Idle connection time limit, in seconds.
idle_timelimit 3600

# Local system accounts whose group lookups never go to LDAP; keeps boot-time
# services from blocking on the directory.
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

# Plain LDAP is acceptable only because the server is 127.0.0.1 (matching
# the "Use TLS" choice left unset in authconfig); tls_cacertdir is unused
# while ssl is off.
ssl no
tls_cacertdir /etc/openldap/cacerts
# NOTE(review): "md5" hashes the new password on the client; "exop" would let
# slapd apply its own hashing (smbldap.conf uses SSHA) -- confirm which the
# site wants before changing.
pam_password md5

#net getlocalsid
SID for domain SERVER is: S-1-5-21-3926925045-1584093657-3115473201

# vim /etc/ldap.secret
123456

# chmod 600 /etc/ldap.secret

##########################################################################################
smbldap-tools configuration

#cd /etc/smbldap-tools/

# vim smbldap_bind.conf
# Credentials smbldap-tools bind with. Both entries are the directory rootdn
# from slapd.conf, so this file holds the Manager password in clear text.
# NOTE(review): the guide does not chmod this file; it must be root-owned
# and mode 600, like /etc/ldap.secret.
slaveDN="cn=Manager,dc=hbn,dc=local"
slavePw="123456"
masterDN="cn=Manager,dc=hbn,dc=local"
masterPw="123456"

# vim smbldap.conf
##############################################################################
#
# General Configuration
#
##############################################################################

# Domain SID; must be exactly the value printed by "net getlocalsid" above.
SID="S-1-5-21-3926925045-1584093657-3115473201"

# NOTE(review): smbldap-tools expect this to equal the Samba workgroup name;
# confirm it matches "workgroup" in smb.conf when Samba is configured.
sambaDomain="hbn.local"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Slave LDAP server (read operations); the local slapd here.
slaveLDAP="127.0.0.1"

# Slave LDAP port
slavePort="389"

# Master LDAP server: needed for write operations
masterLDAP="127.0.0.1"

# Master LDAP port
masterPort="389"

# Directory layout; the OUs below are the ones the slapd.conf ACLs grant
# write access on.
suffix="dc=hbn,dc=local"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=hbn.local,${suffix}"
scope="sub"
# Salted SHA-1 for the userPassword values smbldap-tools write.
hash_encrypt="SSHA"
crypt_salt_format="%s"


# No TLS: acceptable only while both servers above are 127.0.0.1; a remote
# master or slave would carry the bind password in clear text.
ldapTLS="0"

and also set:

# UNC paths handed to Windows clients for the home share and roaming profile
# (%U expands to the user name).
# NOTE(review): PDC-SRV appears neither in /etc/hosts (the host is "server")
# nor in the hbn.local zone; confirm it is the NetBIOS name Samba will use,
# otherwise clients cannot resolve these paths.
userSmbHome="\\PDC-SRV\%U"


userProfile="\\PDC-SRV\profiles\%U"

Videos:





Or:


http://www.mediafire.com/?r6x11wv45mqxy5m


------------------------------------------------------------
Thanks for reading
--------------------------------------------------------------------------
All my Lab:
Linux Lab -- window and Cisco Lab
to be continued - I will update more.
