This document provides steps to implement DNS and LDAP in Tiguin for a Samba PDC. It involves: 1. Installing and configuring Bind9 to setup DNS for the "eclipse.com" domain. 2. Installing slapd and adding LDAP schemas to setup an LDAP server for the "eclipse.com" domain. 3. Installing Samba and configuring it to use the LDAP server for user/group authentication and authorization. This allows central management of users and groups.

1. Implementing DNS in Tiguin for Samba PDC
Login from the root user .Here in this documentation “enjay” is a hostname. “eclipse.com” is a
name of domain , and 192.168.1.242 is IP address of the Domain server. And “enjay123” is the
password of my DNS server. Create a DNS server for domain follow the steps given below :
1 . Install bind9 package
CMD apt­get install bind9 dnsutils bind9­doc
2. Basic bind Configuration
Make changes for the below lines :
CMD nano /etc/bind/named.conf.options
Change forwarders {
8.8.8.8;
8.8.4.4;
};
3. Create forward and reverse zone files. so that when we are using ping or nslookup command
, we can ping via IP address as well as via Domain Name . And mentioned file will be called.
Make changes for the below lines.
CMD nano /etc/bind/named.conf.local
Add zone "eclipse.com"{
type master;
file "/etc/bind/db.eclipse.com";
};
zone "1.168.192.in­addr.arpa"{
type master;
notify no;
file "/etc/bind/db.192";
};

2. 4. Building Your DNS Forward Zone
Now edit new forward zone file . Make the changes for the below lines.
CMD cp /etc/bind/db.local /etc/bind/db.eclipse.com
CMD nano /etc/bind/db.eclipse.com
Add/Edit @ IN SOA enjay.eclipse.com. root.localhost. (
@ IN NS enjay.eclipse.com.
enjay IN A 192.168.1.242
server01 IN CNAME enjay.eclipse.com.
5. Building Your Reverse Lookup and edit the reverse lookup file .
CMD cp /etc/bind/db.127 /etc/bind/db.192
CMD nano /etc/bind/db.192
Add/Edit @ IN SOA enjay.eclipse.com. root.localhost. (
@ IN NS enjay.eclipse.com.
242 IN PTR enjay.eclipse.com.
6. Starting your DNS Server.
CMD /etc/init.d/bind9 start
7. Testing your DNS Server
Make the changes in the Network Manager window. Select IPV4 tab.
DNS Server eclipse.com
Search Domain eclipse.com
8. Now that we have DNS setup we can use ping to test that everything is working. Both

3. nslookup and ping are great tools for troubleshooting and testing.
CMD Output
nslookup
192.168.1.242
Server: 192.168.1.242
Address: 192.168.1.242#53
242.1.168.192.in­addr.arpa name = enjay.eclipse.com.
CMD Output
nslookup
eclipse.com
Server: 192.168.1.242
Address: 192.168.1.242#53
Name: eclipse.com
Address: 127.0.0.1
Implementing ldap in Tiguin for Samba PDC
After the successful result from nslookup proceed further with the following steps.
1.
CMD apt­get install slapd ldap­utils
ldapadd ­Y EXTERNAL ­H ldapi:/// ­f /etc/ldap/schema/cosine.ldif
ldapadd ­Y EXTERNAL ­H ldapi:/// ­f /etc/ldap/schema/nis.ldif
ldapadd ­Y EXTERNAL ­H ldapi:/// ­f /etc/ldap/schema/inetorgperson.ldif
2. You will need to modify the following to include your password and domain name.
CMD nano /etc/ldap/schema/backend.ldif
Add / Edit dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap

4. olcModuleload: back_hdb
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=eclipse,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=eclipse,dc=com
olcRootPW: enjay123
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=eclipse,dc=com"
write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=eclipse,dc=com" write by * read
CMD ldapadd ­Y EXTERNAL ­H ldapi:/// ­f /etc/ldap/schema/backend.ldif
3. Install Samba
CMD apt­get install samba samba­doc libpam­smbpass smbclient
smbldap­tools
CMD nano /etc/samba/smb.conf
ADD/EDIT [global]
# Customize these entries as needed
# Replace with your domain name
workgroup = eclipse
# Replace with your server name
netbios name = enjay
# Replace "eclipse" with the workgroup name you're using
ldap suffix = dc=eclipse,dc=com
ldap admin dn = cn=admin,dc=eclipse,dc=com

5. # Roaming profiles enabled. Replace "enjay" to match your netbios name
logon path = enjayprofiles%U%a
# No roaming profiles, uncomment
; logon path =
# Server Information
server string = SMB Server
# Specify global admin user, will have root in all shares
; admin users =
# PW Backend
obey pam restrictions = Yes
unix password sync = no
ldap passwd sync = yes
passdb backend = ldapsam:ldap://localhost
pam password change = Yes
# SMBLDAP Scripts
add user to group script = /usr/sbin/smbldap­groupmod ­m '%u' '%g'
add user script = /usr/sbin/smbldap­useradd ­m '%u'
add machine script = /usr/sbin/smbldap­useradd ­w '%u'
add group script = /usr/sbin/smbldap­groupadd ­p '%g'
delete group script = /usr/sbin/smbldap­groupdel '%g'
delete user script = /usr/sbin/smbldap­userdel %u
delete user from group script = /usr/sbin/smbldap­groupmod ­x '%u' '%g'
set primary group script = /usr/sbin/smbldap­usermod ­g '%g' '%u'
# LDAP Configuration
ldap ssl = no
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
# Logon script located in netlogon share. Individual logon scripts
uncomment
;logon script = %U.bat
logon script = allusers.bat
# Logging
max log size = 1000
syslog = 0

6. log file = /var/log/samba/log.%m
# Printing
printing = cups
printcap name = cups
load printers = yes
# Domain Controller
domain master = Yes
domain logons = Yes
wins support = true
os level = 35
server signing = no
server schannel = Auto
panic action = /usr/share/samba/panic­action %d
dns proxy = No
; logon drive = H:
; logon home = %N%U
# Allow file permissions change to group members
acl group control = yes
# Inherit permissions from parent
; inherit acls = yes
; inherit owner = yes
; map acl inherit = yes
; inherit permissions = yes
# Do NOT inherit permissions from parent
inherit acls = no
inherit owner = no
map acl inherit = no
inherit permissions = no
# Do not show files that are unreadable
hide unreadable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# to allow user 'guest account' to print.
guest ok = yes

7. writable = no
printable = yes
create mode = 0700
[Home]
security mask = 0770
writeable = yes
path = /home/userhome
force security mode = 0
force directory security mode = 0
directory security mask = 0770
[netlogon]
comment = Network Logon Service
writeable = yes
public = yes
path = /home/netlogon
[profiles]
browseable = no
printable = no
writable = yes
path = /home/profiles
store dos attributes = no
guest ok = no
comment = Users Profiles
# fixes everyone having read
create mode = 0700
directory mode = 0700
CMD cp /etc/samba/smb.conf /etc/samba/smb.conf.original
CMD Everytime you edit your smb.conf you should run the below command.
testparm /etc/samba/smb.conf
If you see an rlimit_max: error you can ignore it.
CMD smbpasswd ­W
Enter the same password you’ve been using for “enjay123”
CMD service smbd restart
CMD smbclient ­L localhost
Hit enter, do not type in password. This should show your
server/workgroup information without error.
Output:
root@enjay:~# smbclient ­L localhost
Enter root's password:
Anonymous login successful

8. Domain=[ECLIPSE] OS=[Unix] Server=[Samba 3.6.3]
Sharename Type Comment
­­­­­­­­­ ­­­­ ­­­­­­­
Home Disk
netlogon Disk Network Logon Service
IPC$ IPC IPC Service (SMB Server)
Anonymous login successful
Domain=[ECLIPSE] OS=[Unix] Server=[Samba 3.6.3]
Server Comment
­­­­­­­­­ ­­­­­­­
Workgroup Master
­­­­­­­­­ ­­­­­­­
ENJAY.COM MRP
MSHOME MICROSOFTPC
TIGUIN ENJAY
WORKGROUP ENJAY
Create profiles and netlogon directory.
CMD mkdir ­v ­m 1777 /home/profiles
CMD mkdir ­v ­m 1777 /home/netlogon
CMD cp /usr/share/doc/samba­doc/examples/LDAP/samba.schema.gz
/etc/ldap/schema/
CMD gzip ­d /etc/ldap/schema/samba.schema.gz
CMD nano /etc/ldap/schema/schema_convert.conf
ADD include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema

9. include /etc/ldap/schema/samba.schema
then create directory in /tmp
mkdir /tmp/ldif_output
CMD slapcat ­f /etc/ldap/schema/schema_convert.conf ­F /tmp/ldif_output ­n0 ­s
"cn={12}samba,cn=schema,cn=config" > /tmp/schema_samba.ldif
nano /tmp/schema_samba.ldif
ADD/EDIT At the top, edit
dn: cn{12}=samba,cn=schema,cn=config
to show
dn: cn=samba,cn=schema,cn=config
Edit
cn: {12}samba
to show
cn: samba
Delete the following from the end:
structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca­083f­102d­9fff­2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z
CMD ldapadd ­Y EXTERNAL ­H ldapi:/// ­D cn=admin,cn=config ­W ­f
/tmp/schema_samba.ldif
Enter Password “enjay123”, or the same one you’ve been using.
CMD nano /tmp/samba_indexes.ldif
ADD dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq

10. olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
CMD ldapmodify ­Y EXTERNAL ­H ldapi:/// ­D cn=admin,cn=config ­W ­f
/tmp/samba_indexes.ldif
Enter Password “enjay123”, or the same one you’ve been using.
CMD The following should execute without error:
ldapsearch ­Y EXTERNAL ­H ldapi:/// ­D cn=admin,cn=config ­b cn=config
­W olcDatabase={1}hdb
Enter Password “enjay123”, or the same one you’ve been using.
Verify olcSuffix:, olcAccess:, olcAccess:, olcRootDN:, olcRootPW:.
CMD net getlocalsid
Should run without error and look similar to
SID for domain ENJAY is: S­1­5­21­625349716­4089457091­4047952833
To get configure.pl
Download Package: smbldap­tools 0.9.1.tgz and extract .
Reference Link: http://www.filewatcher.com/m/smbldap­tools­0.9.1.tgz.295169­0.html
then copy configure.pl file from the package files.
then copy the configure.pl file to the location specified in the below command.
CMD cp configure.pl /usr/share/doc/smbldap­tools/
CMD perl /usr/share/doc/smbldap­tools/configure.pl
Here hit Enter at all times except:
"Logon Home", put a “.” (period without quotes)
"Logon Path", put a "."
Default passwd validation time, I put 3650
When prompted for password, use your password or “enjay123”.
CMD smbldap­populate
Enter Password “enjay123”, or the same one you’ve been using.
It will shows following output with error.

11. O/P:
Use of qw(...) as parentheses is deprecated at
/usr/share/perl5/smbldap_tools.pm line 1423, <DATA> line 522.
Changing UNIX and samba passwords for root
New password:
Retype new password:
Solution:
Replace qw(...) with (qw(...)) in /usr/share/perl5/smbldap_tools.pm
Repeat the command
smbldap­populate
CMD mkdir ­v /home/userhome
CMD cp /etc/smbldap­tools/smbldap.conf /etc/smbldap­tools/smbldap.conf.original
CMD nano /etc/smbldap­tools/smbldap.conf
ADD/EDIT Locate and change to: userHome="/home/userhome/%U"
CMD /etc/init.d/slapd stop
CMD slapindex
CMD chown openldap:openldap /var/lib/ldap/*
CMD /etc/init.d/slapd start
CMD smbldap­groupmod ­m 'root' 'Administrators'
CMD apt­get ­­yes install ldap­auth­client
For LDAP server Uniform Resource Identifier, leave it as it is "ldapi:///"
For Distinguished name of the search base, put"dc=eclipse,dc=com"
for version 3
LDAP Database required YES
For LDAP account for root, put"cn=admin,dc=eclipse,dc=com"
Unpriviliged Database user,put"cn=admin,dc=eclipse,dc=com"
When it asks for LDAP password use "enjay123" or the pw you’ve been using.

12. CMD auth­client­config ­t nss ­p lac_ldap
CMD pam­auth­update ldap
CMD Make sure there’s an asterisk next to all listed.
getent group
O/P:
Should show similar to:
Domain Admins:*:512:root
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:root
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
CDM Reboot
Create a Domain user called test :­
CMD smbldap­useradd ­a ­m ­P test that lead to an error
ERROR root@enjay:~# smbldap­useradd ­a ­m ­P test
Failed to execute: /usr/sbin/smbldap­passwd.cmd: No such file or directory at
/usr/sbin/smbldap­useradd line 668.
Solution ln ­s /usr/sbin/smbldap­passwd /usr/sbin/smbldap­passwd.cmd
CMD smbldap­useradd ­a ­m ­P test
give password as “123”
CMD smbldap­groupmod ­m test 'Domain Admins'
Now Connect the user from windows XP.
Settings are as per below:
1. Enter Prefered DNS Server as 192.168.1.242
2 Open Advanced Options in the IP settings window.
3. Click on WINS tab. CLick on Add button and enter 192.168.1.242 as WINS Server.

13. 4. Enable NetBIOS over TCP/IP radio button in WINS Tab.
5. RIght click on My Computer ­> Properties.
6. Select Computer name Tab.Cicik on change button.
7. In domain Add the name of the Domain “eclipse”.
8. It will ask for username and password. enter Username “root” and password “enjay123”.
9. Reboot the system
10. Add username as “test” ,password as “123” and select “eclipse” as a domain.
1. Documentation ­ Implementing Smbldap­tools in Tiguin for Samba PDC
2. Documentation ­ Implementing ldap in Tiguin for Samba PDC
3. Documentation ­ Creating Users for Samba PDC Authentication in Tiguin