LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 02-14-2011, 01:41 AM   #1
IMAN7
LQ Newbie
 
Registered: Nov 2009
Posts: 11

Rep: Reputation: 0
w2k pdc to centos migration


Hello
I have a Windows 2k server running the AD PDC. 60 desktop users and 6 Windows servers use it as a single sign-on server to log in.
As I plan to install a CentOS 5.5 server with Samba for NAS and print sharing, is it possible to migrate the PDC services to the Linux server?
I want desktop users and windows servers to authenticate on the Linux server.
Is this possible?
I have never worked with LDAP services.
Worse, should I attempt this migration, it must be completed in a very short time frame.
Do you have any suggestions?
 
Old 02-14-2011, 01:55 AM   #2
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1297
Hello,

First of all, and in my opinion very important, don't do this under pressure. If you don't have the experience necessary and you try to do this under pressure of time, then better to postpone it until you either have the time, the knowledge or both. That being said, if you have the possibility you can begin setting up a domain controller with Linux alongside the Windows one. That way you can compare the functions you're setting up before migrating.
Before starting you need to realize that Active Directory is a Windows thing and does not exist in Linux, so you'll never have the exact same functionality.
You can use LDAP for authentication, in combination with Samba for file-sharing and printer sharing. You could also use CUPS for your printers.
Do a search on Google for manuals on how to set up Samba and LDAP on Linux to use as a domain controller; there are a lot of them out there. Read them, take notes and ask questions. Prepare yourself so you don't have to jump into a deep dark hole.

Kind regards,

Eric
 
Old 02-21-2011, 08:17 AM   #3
IMAN7
LQ Newbie
 
Registered: Nov 2009
Posts: 11

Original Poster
Rep: Reputation: 0
Hi again,
Currently I have the following setup in a test environment.
The host is CentOS 5.5 x64 with no iptables or SELinux configured.
I am also using Samba version 3.3.

What I am finally trying to achieve is to make a system where users will authenticate and access their home share Samba folders from their Windows PCs and issue print commands on print shares.
When I go into production some Windows servers may use this host for authentication.

Currently, however, I can't make Samba + OpenLDAP + TLS work.


Here are the configuration files:


[root@centos5 etc]# egrep -v "(^#|^$)" ldap.conf
base dc=corporation,dc=com
uri ldaps://127.0.0.1:636/ ldaps://10.69.28.219:636/
port 636
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
ssl start_tls
tls_cacert /etc/pki/tls/certs/slapd.pem
tls_cacertdir /etc/openldap/cacerts
pam_password md5

[root@centos5 etc]# egrep -v "(^#|^$)" /etc/openldap/ldap.conf
port 636
URI ldap://127.0.0.1/ ldap://10.69.28.219/
BASE dc=corporation,dc=com
ssl start_tls
ssl on
tls_cacert /etc/pki/tls/certs/slapd.pem
TLS_CACERTDIR /etc/openldap/cacerts
pam_password md5

[root@centos5 etc]# egrep -v "(^#|^$)" /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/openldap.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
database bdb
suffix dc=corporation,dc=com
rootdn cn=admin,dc=corporation,dc=com
rootpw {SSHA}8NRfzZTsaQHvhJIf4vvfUGVQSKJHKokB
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
[root@centos5 etc]#


[root@centos5 etc]# egrep -v "(^;|^#|^$|#)" /etc/samba/smb.conf
[global]
load printers = yes
add group script = /usr/sbin/groupadd "%g"
socket options = TCP_NODELAY
delete group script = /usr/sbin/groupdel "%g"
delete user from group script = /usr/sbin/userdel "%u" "%g"
interfaces = lo eth0 10.69.28.219 127.0.0.1
idmap backend = ldaps://10.69.28.219:636/
hosts allow = 127. 10.69.28.
realm = corporation
passdb backend = ldapsam:ldaps://10.69.28.219:636
cups options = raw
server string = Samba Server Version %v
password server = 10.69.28.219
workgroup = corporation
os level = 20
add user script = /usr/sbin/useradd "%u" -n -g users
security = domain
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
delete user script = /usr/sbin/userdel "%u"
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
valid users = MYDOMAIN\%S
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no
[public]
comment = Public Stuff
path = /home/samba
public = yes
writable = yes
printable = no
write list = +staff


I see the following error message in /var/log/messages:

Feb 21 17:36:39 centos5 smbd[22231]: [2011/02/21 17:36:39, 0] lib/smbldap.c:smb_ldap_start_tls(656)
Feb 21 17:36:39 centos5 smbd[22231]: Failed to issue the StartTLS instruction: Can't contact LDAP server

I also see error messages that nss_ldap can't access the LDAP server.

However, the LDAP server runs, and in netstat I see that it listens on ports 389 and 636.

Any help?
Thank you.
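The posted configuration mixes two TLS styles: ldaps:// URIs (TLS from the first byte on port 636) together with StartTLS (an upgrade of a plain ldap:// session on port 389), in both the nss_ldap ldap.conf and, via Samba 3's default of ldap ssl = start tls, in smb.conf. The following checker is an added example, not code from the thread or from the Samba or OpenLDAP projects; it parses the two files offline and flags that conflict plus the other Samba 3 requirements for an ldapsam-backed PDC (ldap suffix, ldap admin dn, security = user with domain logons = yes, the module:url form of idmap backend, and duplicated keys). The sample inputs are constructed, trimmed copies of the configs posted above, and the rules encode documented nss_ldap and Samba 3 behaviour as assumptions; certificate verification problems, which can produce the same "Can't contact LDAP server" message, cannot be seen by a static check.

```python
"""Offline consistency check for nss_ldap ldap.conf + Samba 3 smb.conf
that authenticate against OpenLDAP over TLS.  Added example; the rules
below encode documented nss_ldap / Samba 3 behaviour (assumption), and
the sample configs are constructed copies of the ones in this thread."""
import re


def parse_nss_ldap(text):
    """nss_ldap ldap.conf: 'key value' lines, keys case-insensitive.
    Returns {key: [values]} so repeated keys are preserved."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def parse_smb_conf(text):
    """smb.conf: '[section]' headers and 'key = value' lines.  Keys are
    normalised; repeated keys are kept because Samba applies only the last."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        conf[section].setdefault(re.sub(r"\s+", " ", key.lower()), []).append(value)
    return conf


def check_ldap_tls(nss_text, smb_text):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    findings = []
    nss = parse_nss_ldap(nss_text)
    uris = " ".join(nss.get("uri", []))
    ssl_mode = (nss.get("ssl") or ["off"])[-1].lower()
    if "ldaps://" in uris and ssl_mode == "start_tls":
        findings.append("ldap.conf: 'ssl start_tls' combined with an ldaps:// uri; StartTLS "
                        "upgrades a plain ldap:// session, so use ldap://host:389 with "
                        "start_tls, or keep ldaps:// and set 'ssl on'")

    g = parse_smb_conf(smb_text).get("global", {})

    def last(key, default=""):          # Samba honours the last value of a key
        return (g.get(key) or [default])[-1]

    passdb = last("passdb backend")
    ldap_ssl = last("ldap ssl", "start tls").lower()   # Samba 3 default: start tls
    if passdb.startswith("ldapsam:"):
        if "ldaps://" in passdb and ldap_ssl == "start tls":
            findings.append("smb.conf: passdb backend uses ldaps:// while 'ldap ssl' is "
                            "'start tls' (the default), so smbd issues StartTLS on a session "
                            "that is already TLS; set 'ldap ssl = off' for ldaps://, or use "
                            "ldap:// with 'ldap ssl = start tls'")
        for required in ("ldap suffix", "ldap admin dn"):
            if required not in g:
                findings.append(f"smb.conf: ldapsam backend needs '{required}'")
    if last("security").lower() == "domain" and last("domain logons", "no").lower() != "yes":
        findings.append("smb.conf: 'security = domain' makes this host a domain member; "
                        "a PDC needs 'security = user' and 'domain logons = yes'")
    if last("idmap backend").startswith(("ldap://", "ldaps://")):
        findings.append("smb.conf: 'idmap backend' takes 'module:url', e.g. "
                        "'ldap:ldaps://host', not a bare URL")
    for section, keys in parse_smb_conf(smb_text).items():
        for key, values in keys.items():
            if len(values) > 1:
                findings.append(f"smb.conf: [{section}] sets '{key}' {len(values)} times; "
                                f"only the last value ({values[-1]!r}) applies")
    return findings


# Constructed samples, trimmed from the configs posted in this thread.
POSTED_NSS_CONF = """\
base dc=corporation,dc=com
uri ldaps://127.0.0.1:636/ ldaps://10.69.28.219:636/
port 636
ssl start_tls
tls_cacert /etc/pki/tls/certs/slapd.pem
"""
POSTED_SMB_CONF = """\
[global]
workgroup = corporation
security = domain
password server = 10.69.28.219
passdb backend = ldapsam:ldaps://10.69.28.219:636
idmap backend = ldaps://10.69.28.219:636/
[homes]
comment = Home Directories
valid users = %S
valid users = MYDOMAIN\\%S
"""
# Constructed corrected pair: nss_ldap on ldap:// + StartTLS; Samba on ldaps://
# with StartTLS disabled, plus the directives an ldapsam PDC requires.
FIXED_NSS_CONF = """\
base dc=corporation,dc=com
uri ldap://10.69.28.219:389/
ssl start_tls
tls_cacert /etc/pki/tls/certs/slapd.pem
"""
FIXED_SMB_CONF = """\
[global]
workgroup = corporation
security = user
domain logons = yes
passdb backend = ldapsam:ldaps://10.69.28.219:636
ldap ssl = off
ldap suffix = dc=corporation,dc=com
ldap admin dn = cn=admin,dc=corporation,dc=com
idmap backend = ldap:ldaps://10.69.28.219:636
[homes]
comment = Home Directories
valid users = %S
"""

if __name__ == "__main__":
    for name, nss, smb in (("posted", POSTED_NSS_CONF, POSTED_SMB_CONF),
                           ("fixed", FIXED_NSS_CONF, FIXED_SMB_CONF)):
        print(f"== {name} ==")
        for finding in check_ldap_tls(nss, smb) or ["no findings"]:
            print(" -", finding)
```

Run it as-is to see the seven findings against the posted pair and none against the corrected pair; to run it against a real host, read /etc/ldap.conf and /etc/samba/smb.conf into the two strings. The static check only says whether the two files ask for the same TLS mode; whether the certificate in tls_cacert actually validates the server is a separate question, answered on the live system with ldapsearch -ZZ (or an ldaps:// -H URI) and testparm.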
 
Old 02-23-2011, 05:52 AM   #4
IMAN7
LQ Newbie
 
Registered: Nov 2009
Posts: 11

Original Poster
Rep: Reputation: 0
Hello
More than 150 views of my thread.
Can anybody please provide some assistance?
Some hints?
Some suggestions?
Thank you.
 
Old 02-25-2011, 02:42 PM   #5
Learnix
Member
 
Registered: Jan 2011
Location: Montreal,Qc,Canada
Distribution: Debian/GNU
Posts: 34

Rep: Reputation: 0
Samba domain member on a Win2000 Domain controller: HELP please!

Hi,
Just to say you are not the only one with this problem.
I am trying to bring a Debian Linux laptop in as a domain member on a Win2000 domain controller with Active Directory (LDAP)
and I get the same message: "Failed to issue the StartTLS instruction: Can't contact LDAP server."
I have spent a few days on this and I will definitely find a solution. The question is when?
I am running Samba version: 2.3.5.6 dfsg-3Squeeze1.
Winbind version: 2.3.5.6 dfsg-3Squeeze1.
Libpam-ldap 184-8.5
Libpam-mount 2.5-3
Libpam-modules 1.1.1-6.1
I really cannot say this is a no-brainer... I need a rest.

Any help would be appreciated

Cheers,
 
Old 04-11-2011, 08:23 AM   #6
Learnix
Member
 
Registered: Jan 2011
Location: Montreal,Qc,Canada
Distribution: Debian/GNU
Posts: 34

Rep: Reputation: 0
Configuring Linux client with a Win2k LDAP server

I don't know if I arrived too late with this post, but this link is the best thing I found. It is by far the best.
Read attentively every line before doing it and don't miss a step.
I succeeded on the second attempt. Be careful with the files contained in /etc/pam.d; those will also affect your local Linux authentication. Back up the whole folder before touching those. I had a lot of fun just bringing myself back to the starting point after I mislocated some statement. And yes, I learned that the order of the statements in those files is of major importance.
Here is the link; let us know how it went.

http://zeldor.biz/2010/12/debian-joi...ain/#more-1240

I have to apologize for being soooo late to post this. I have been involved in building a Postgres server and I forgot about coming back here.
 
  

