Spirit of Change » Server

User Account Integration between Samba PDC & Zimbra Mail Server on openSUSE/SLES Part 2 (Finish)

Masim "Vavai" Sugianto — Wed, 31 Mar 2010 10:08:47 +0000

This is part 2 of 2 article. Previous article : User Account Integration between Samba PDC & Zimbra Mail Server on openSUSE/SLES Part 1

MANAGING SAMBA DOMAIN WITH ZIMBRA ADMIN

Restart samba service with the following command :

service smb restart

Login to Zimbra Admin and see that these are 2 new entry on left panel menu : Posix Groups and Samba Domain. If you click on Samba Domain, there should be existing entry, your Samba domain (in my sample : vavai.co.id). Please restart your computer if you found nothing on the Samba Domain menu.
`

MANAGING LINUX AND SAMBA GROUPS USING ZIMBRA ADMIN

Login to Zimbra Admin
Choose Posix Groups
Click New. Fill in you new group, ie : Accounting. Move to Samba Group tab and choose your domain from combo box. Fill in 2 (default entry for group) on group type text box.
Click Save

Test the configuration whether Samba successfully read new added groups or no by using this command on konsole/terminal :

su
getent group

Samba should be response by display list of groups and your new group should be listed on the list.

Create new user account by using following procedure :

Open Zimbra Admin
Click Account
Click New
Fill in account profile and description. Account name, First Name, Last Name and Password are mandatory, mark with *. Scroll down to bottom of account wizard to change password.
Click Next until finish. These are should be 2 add-on tabs/wizard at the end of Account configuration: Posix Groups and Samba Domain. Add your new account as your new group member and Samba domain member
Click finish

Test the configuration whether Samba successfully read new added user account or no by using following command on konsole/terminal :

su
getent passwd

Samba should be response by display list of user account and your new user should be listed on the user list.

UPDATE PROFILE FOR EXISTING ACCOUNT

Run the following command to update profile of existing Zimbra user (user created before Samba-Zimbra joined). Replace Samba SID with your own (Look at Zimbra Admin | Samba Domain) :

zmprov ma admin@vavai.co.id +objectClass posixAccount uidNumber 10003 gidNumber 10001 homeDirectory /home/admin loginShell /bin/bash
zmprov ma admin@vavai.co.id +objectClass sambaSamAccount sambaDomainName vavai.co.id sambaSID S-1-5-21-3745602466-621825477-2613676135-21006 sambaAcctFlags [UX]

MAKING WINDOWS NT DOMAIN GROUP

We will use this group as Administrative user for join client as domain member :

Login to Zimbra Admin
Choose Posix Groups, click New
Fill ini group name : Domain Admins. Move to Samba tab, pick your domain name from combo box and then choose Special Windows group – Domain Admins
Click Save
Run the following command to give this group domain administrative permission :

net rpc rights grant "vavai.co.id\Domain Admins" SeAddUsersPrivilege SeMachineAccountPrivilege SePrintOperatorPrivilege

Create a new user with Zimbra domain and add it as “Domain Admins” group member

ADDING WINDOWS NT/2000/XP MACHINE TO SAMBA DOMAIN

Login to your Windows workstation with your Administrator user/permission
Right click on My Computer
Choose Properties
Move to Computer Name tab
Click Change
Fill in your computer name
Fill in vavai.co.id as member of domain (not workgroup. Replace vavai.co.id with your domain name)
Click OK
Windows will be asked about Administrator user name and password. Use Zimbra user and password who is joined as Domain Admin group member

Finish. You should be able to restart your computer and then login with Zimbra user name and password. You may also use LDAP client as user authentication on Linux client. Modify share permission, share folder, profile, etc to fit with your environment setting.

Related Entries

User Account Integration between Samba PDC & Zimbra Mail Server on openSUSE/SLES

Masim "Vavai" Sugianto — Wed, 31 Mar 2010 02:33:08 +0000

Note : This is part one of 2 article. I decided to split the tutorial to make it easier to read (and to write )

This tutorial describes how you can configure Zimbra Mail Server & Collaboration Suite and Samba to act as a primary domain controller (PDC) that uses Zimbra LDAP (Lightweight Directory Access Protocol) as a central password database for authenticating users on Linux and Windows desktops. The integration process will make it easier for administrators to manage Zimbra Mail Server and Samba PDC / Active Directory account because it use same LDAP database. If applied in corporate environments or institutions who have been using Windows Server, this guide can be used to set up Linux servers to replace the Windows Active Directory Server and Microsoft Exchange Server.

The setup described in this document is not the only possible way to make Samba and Zimbra use the same user database for authentication. You may also use Zimbra External Authentication with Samba PDC. External authentication are a little bit easy to be setting up, but we must manage the mailbox profile in Zimbra and it doesn’t seamlessly integrate Zimbra into Samba PDC+OpenLDAP. It is highly recommended to get familiar with Zimbra, Samba, LDAP and PAM, before you start the installation.

This tutorial are based on Zimbra wiki article : UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI 6.0 but has been tune up to works successfully on openSUSE/SLES environment. The original wiki using Ubuntu/RedHat environment which doesn’t automatically fit with openSUSE/SLES configuration.

I’m using Zimbra Mail Server 6.0.5 64 bit with the following configuration :

Domain & Hostname

Domain   : vavai.co.id
Hostname : zcspdc.vavai.co.id

IP Address

IP Address    : 192.168.10.1
Name Server 1 : 192.168.10.1
Name Server 2 : 8.8.8.8  (Google public DNS Server)
Name Server 3 : 208.67.222.222 (OpenDNS public DNS Server)
Router        : 192.168.10.254 (ADSL Modem)

File /etc/hosts

127.0.0.1       localhost
192.168.10.1    zcspdc.vavai.co.id zcspdc

ZIMBRA INSTALLATION

Please use following article to install Zimbra on SLES 11 : Installing Zimbra 6.0.5 64 bit on SUSE Linux Enterprise Server (SLES) 11 64 bit or use this tutorial : Installing Zimbra 6.0.4 on openSUSE 11.1 64 bit for Zimbra+openSUSE version.

ZIMBRA LDAP CONFIGURATION

The following script will automatically configure Zimbra LDAP as below :

Add Samba Schema into Zimbra LDAP
Add proper index into Zimbra LDAP Schema
Add 2 user (zmposix and zmposixroot) as Zimbra LDAP Administrative Account with default password : rahasia
Adjust Zimbra LDAP ACL to allow administrative task regarding Samba-Zimbra integration
Add Admin Extension Zimbra Posfix Account and Zimbra Samba Extension

Thanks to Peracchi and Lithorus on the following thread on Zimbra Forum for idea and a great script.

To run the automated script, run the following commandon console/terminal :

su
cd /srv
wget -c http://vavai.com/wp-content/uploads/zcs-samba.tar.gz
tar -zxvf zcs-samba.tar.gz
su - zimbra
cd /srv/zcs-samba
./zcs-samba.sh

NOTE : The script will automatically use ‘rahasia’ (Indonesian word means ‘secret’ ) as default password for zmposixroot and zmposix password. Please modify script to use your own password by change the following code on /srv/zcs-samba/zcs-samba.sh :

# set password for the posix ldap accounts
ZMPOSIX_LDAP_PASSWORD=`/opt/zimbra/openldap/sbin/slappasswd -s rahasia`
ZMPOSIXROOT_LDAP_PASSWORD=`/opt/zimbra/openldap/sbin/slappasswd -s rahasia`
echo "Domain : $DOMAIN"
echo "Hostname : $HOSTNAME"
echo "Zimbra LDAP Password : $ZIMBRA_LDAP_PASSWORD"
echo "LDAP Prefix : $LDAP_PREFIX"
echo "ZMPOSIX_LDAP_PASSWORD : rahasia"

Change ‘rahasia’ on the above line with your own password.

SAMBA INSTALLATION

Open YAST | Network Service | Samba Server. YAST will automatically added Samba package if you never install it.
On the first wizard, fill in the workgroup/domain name. I’m using vavai.co.id as my domain name as shown on top of the tutorial. Click Next.
On Samba Server Type, Choose Primary Domain Controller (PDC) and then click Next
On start-up, choose Service Start During Boot so Samba will automatically be activated during boot. Don’t forget to open your Firewall port
Move to LDAP Setting tab.
Click on Use LDAP Password Back-End option
Change LDAP Server URL from default entry ldap://127.0.0.1 to be ldap://192.168.10.1 (remember my IP address configuration above). Use same address to IdMap Back-End
Change Search Base DN to Zimbra LDAP DN, mine are dc=vavai,dc=co,dc=id
Fill in Administrator DN and the password: uid=zmposixroot,cn=appaccts,cn=zimbra). Click Test Connection to test the connection between Zimbra and Samba machine.
Click Advanced Setting | Expert LDAP Setting
Change user suffix to be ou=people
Change group suffix to be ou=groups
Change Machine suffix to be ou=machines
Click OK to close Expert LDAP Setting windows
Click OK to close Samba Server wizard. Fill in password for Samba root /Administrator password. To prevent any confused setting, I’m using same password between zmposixroot, zmposix and Samba root password

SAMBA CONFIGURATION

Open /etc/samba/smb.conf with your preferred text editor (vi, gedit, kate or kwrite)
Give it a # (comment mark) on the following line (if you do not use dhcp on your Samba configuration) :

include = /etc/samba/dhcp.conf

Save the configuration

LDAP CLIENT CONFIGURATION

Click YAST | Network Services | LDAP Client
Click Use LDAP on User Authentication
Change Address to use Zimbra IP (192.168.10.1)
Fill in LDAP Base DN (dc=vavai,dc=co,dc=id)
Leave others as is
Click Advanced Configuration
Change Password Change Protocol to MD5
Leave Group Member Attribute = Member setting
Click on Administration Setting tab
Fill in uid=zmposixroot,cn=appaccts,cn=zimbra on Administrator DN text box. Leave Append Base DN setting unchecked
Leave Create Default Configuration Objects setting unchecked
Click OK
Click OK

NSS-LDAP & PAM-LDAP CONFIGURATION

Open file /etc/ldap.conf with your preferred text editor and change the following line (remove # mark)

host 192.168.10.1
base dc=vavai,dc=co,dc=id
binddn uid=zmposix,cn=appaccts,cn=zimbra
bindpw rahasia
rootbinddn uid=zmposixroot,cn=appaccts,cn=zimbra
port 389
bind_policy soft
nss_reconnect_tries 2
uri ldap://192.168.10.1/
ssl start_tls
tls_cacertdir /opt/zimbra/conf/ca
tls_checkpeer no
pam_password md5
nss_base_passwd         ou=people,dc=vavai,dc=co,dc=id?one
nss_base_shadow         ou=people,dc=vavai,dc=co,dc=id?one
nss_base_group          ou=groups,dc=vavai,dc=co,dc=id?one
nss_base_hosts          ou=machines,dc=vavai,dc=co,dc=id?one

Save the configuration
Edit /etc/nsswitch.conf and change the following line :

passwd: compat
group: compat

with

passwd: files ldap
group: files ldap

Edit /etc/pam.d/common-account and change the configuration as below :

account sufficient pam_unix.so
account sufficient pam_ldap.so

Edit /etc/pam.d/common-auth and change the configuration as below :

auth sufficient pam_ldap.so
auth sufficient pam_unix.so

Edit /etc/pam.d/common-password and change the configuration as below :

password sufficient pam_unix.so
password sufficient pam_ldap.so

Edit /etc/pam.d/common-session and change the configuration as below :

session sufficient pam_unix.so
session sufficient pam_ldap.so

Tutorial will be continue to part 2 of User Account Integration between Samba PDC & Zimbra Mail Server on openSUSE / SLES.

Related Entries

How To : Samba PDC+OpenLDAP on openSUSE/SLES Part 2 (Finish)

Masim "Vavai" Sugianto — Tue, 30 Mar 2010 08:52:46 +0000

Previous tutorial : Samba PDC+OpenLDAP on openSUSE/SLES Part 1, Setting LDAP Server

SETTING LDAP CLIENT

Click YAST | Network Services | LDAP Client
Click Use LDAP pada User Authentication
Fill in Address with server IP or by using 127.0.0.1 as default address
Mark LDAP TLS/SSL option checked if you choose to use TLS/SSL on previous tutorial, or vice versa, leave it unchecked if you choose to not use TLS on previous tutorial
Fill in LDAP Base DN (dc=namadomain, dc=tld, ex : dc=vavai,dc=co,dc=id). You may also get the LDAP Base DN by clicking Fetch DN button
Leave others option as is
`
Click Advanced Configuration
Change Password Change Protocol to MD5
Leave option Group Member Attribute = Member unchanged
`
Click Administration Setting
Fill in cn=Administrator on Administrator DN. Don’t forget to give a check on Append Base DN option
Mark a check on Create Default Configuration Objects option
`
Click OK
Click OK

SETTING SAMBA SERVER PRIMARY DOMAIN CONTROLLER (PDC)

Open YAST | Network Services | Samba Server
Fill in workgroup/domain name on first wizard. I’m usingdomain vavai.co.id as my workgroup name. Click Next
`
On Samba Server Type option, choose Primary Domain Controller (PDC). Click Next
On start-up tab, choose Service Start During Boot option, so Samba will automatically started on boot. Don’t forget to click Open Port in Firewall if you use firewall on intranet zone
`
Move to LDAP Setting tab.
Click on Use LDAP Password Back-End
Fill in Administrator DN and password setting (cn=Administrator,dc=vavai,dc=co,dc=id, adjust it with your domain name). Click Test Connection to test LDAP server connection. If test result is failed, recheck your configuration setting.
`
Click OK and then fill in Samba root /Administrator password
`

SETTING USER NAME & PASSWORD

Click on YAST | Security and Users | User & Group Management
Click Expert Options | LDAP User & Group Configuration option on bottom-right-corner menu
Fill in LDAP Admin password (see whether your bind DN configuration has setup correctly)
Move to Configuration Module, and then choose userconfiguration
`
Change susemaxpasswordlength with your maximum password length
Change suseminpasswordlength with your minimum password length
Change susepasswordhash from SSHA to SMD5
Click OK
Click on Set Filter option on top-right-corner menu and choose LDAP Users. This will display all LDAP user list, currently are empty because we have create any user yet
Click Add
Fill in user profile and password
`
Click OK

Restart all service (or reboot your computer) to test all the service. f you wish to join Windows workstation into Samba PDC+LDAP domain, use the Samba root user name and password as Administrator user. Share folder, Profile, netlogon and custom setting could be modified within YAST | Network Services | Samba Server. Samba LDAP user could be added or modify with the above procedure using YAST | Security & Users | User & Group Management.

Related Entries

How To : Samba PDC+OpenLDAP on openSUSE/SLES Part 1

Masim "Vavai" Sugianto — Tue, 30 Mar 2010 03:40:49 +0000

I have written Samba PDC+OpenLDAP tutorial on openSUSE on previous article but the tutorial are based on manual configuration and need too many steps to make it usable. Now, I want to share how to make Samba PDC+OpenLDAP on openSUSE or SLES with automatic configuration using the YAST way . The tutorial should be easy to understand and and need a few step to make it ready for testing.

INSTALLING OPENSUSE

Install openSUSE 11.2 with or without GUI, choose which one suitable for your purpose. I’m using a GUI example because this tutorial intended for student . a Minimal server selection (text mode) maybe a better option for production server. Please refer to openSUSE 11.2 installation guide if you need an assistance regarding openSUSE installation.

Lucky for Indonesian , I’ve written a PDF tutorial with clear explanation regarding openSUSE installation for this purpose : Tutorial Instalasi openSUSE 11.2 Versi Server Berbasis GUI

INSTALLING LDAP SERVER

Follow these wizard to install and configure LDAP server :

Open YAST | Software | Software Management
`
Choose View | Pattern
Scroll to Server Function
Give a checked mark on File Server, DHCP and DNS Server, Directory Server (LDAP)
`
Click Accept
openSUSE should be automatically detect dependency package. Click Continue to install selected package
`
Close YAST and then open again. I take this step to make sure YAST refresh new package installation and add to it’s menu
Choose YAST | Network Service | LDAP Server
Click Yes on Start LDAP Server. Give it a check mark on Open Port in Firewall if you use firewall. Leave others as is and then click Next
`
Click Enable TLS and then create TLS Certificate by using Launch CA Management Module button and follow the wizard. Leave it unchecked if you wish to use LDAP without TLS connection.
`

On basic database setting fill in the default database setting :

Database Type : hdb
Base DN : dc=domainname, dc=tld
Example :
If my  domain = vavai.co.id, configuration will be like this : Base DN = dc=vavai, dc=co, dc=id
If my domain = vavai.com, configuration will be like this : Base DN = dc=vavai, dc=com
Administrator DN : cn= Administrator. Leave  Append Base DN option checked
Don't forget to fill your  LDAP Password

Also, leave a check mark on  "Use this database as the default for OpenLDAP"

Click Next if all setting has been completed.
`

Click Finish
`

ADD SAMBA SCHEMA

Open YAST | Network Services | LDAP Server
Click Schema Files on left pane menu
Click Add and add Samba3.Schema so we will have following LDAP Schema : schema, core, cosine, inetorgperson, rfc2307bis,yast and samba3
`
Click OK

Next Tutorial are LDAP Client Configuration

Related Entries

Zimbra Mail Server with External Authentication using Samba PDC+OpenLDAP

Masim "Vavai" Sugianto — Mon, 29 Mar 2010 20:57:09 +0000

Zimbra mail server using LDAP as default account database, but we may also use external LDAP/AD as Zimbra user authentication. This tutorial will cover how to use openSUSE/SLES PDC+OpenLDAP user as Zimbra user authentication.

SAMBA PDC CONFIGURATION

I’m using openSUSE 11.2 with Samba PDC+OpenLDAP but tutorial may also applied on another openSUSE version or on SLES. In this example, server hostname is host pdc.vavai.info (192.168.0.6), with bind DN cn=Administrator, dc=vavai, dc=info and using 2 LDAP ports : standard port 389 and SSL port 636. Don’t forget to add these ports as an allowed port on firewall.

ZIMBRA CONFIGURATION

Login to Zimbra Admin
Go to Domain on left pane menu
Choose domain to be configure. If we have multi domain schema on Zimbra, we must configuring external authentication for each domain, even if all domain using same LDAP server
Choose Configure Authentication menu.
On Authentication Mode choose External LDAP
Fill in the configuration of Samba LDAP. Take a look on the following picture for a configuration example
Adjust the configuration with your own setting and then click Next.
Next wizard are LDAP bind DN configuration. Bind DN is the configuration of admin user/manager used for accessing LDAP data. Click on Use DN/Password to bind to external server check box and then fill the bind DN text box. I’m using cn=Administrator,dc=vavai,dc=info as Samba PDC+openLDAP bind DN. Don’t forget to fill in the bind DN password (admin user/LDAP manager password)
On next wizard, use Samba PDC user account as user name and password and then click Test for testing Samba PDC+OpenLDAP connection. Zimbra will response with Authentication Test Result : Authentication test successful message if Samba PDC+OpenLDAP has connected successfully.
`

Please remember that the above configuration still need an inbox account on Zimbra mail server so you must create the appropriate account with no password on Zimbra to map user on Samba PDC with their mailbox. Zimbra account do not need password because password will be pass to LDAP account on Samba PDC.

If you wish to integrating Samba & Zimbra user as fully single user name, mailbox and password, please refer to UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI

Related Entries

Installing Zimbra 6.0.5 64 bit on SLES 11 64 bit

Masim "Vavai" Sugianto — Wed, 10 Feb 2010 08:34:06 +0000

Zimbra has published a new update for Zimbra Mail Server & Collaboration Suite, Zimbra 5.0.22 and Zimbra 6.0.5. This is the first update since VMWare acquired Zimbra. I would like to test it to see whether status & logger problem on Zimbra 6.0.4 has been officially solved or not.

I’m currently testing Zimbra 6.0.5 64 bit installation on SLES 11 64 bit, using Xen Hypervisor Guest (paravirtualization). The installation went smooth with only a few modification on SLES as describe below :

Install SLES on text or server mode to prevent any unused services
Edit your /etc/hosts so it will looks like below (change 127.0.0.2 with your Zimbra IP, mine is 192.168.0.31) :
```
127.0.0.1       localhost
192.168.0.31 hostname.domain.tld hostname
```
Add sysstat package using YAST | Software | Software Management or by using Zypper. Zimbra need another package such as cron, fetchmail etc, but the installation process has installed all of them by default.
```
zypper in sysstat
```
Set your DNS so A and MX records address will point to Zimbra. I’ve published an article regarding DNS Server configuration to meet with Zimbra Requirement.

Disable Postfix :

service postfix stop
chkconfig postfix off

Download Zimbra binary installer

cd /opt
wget -c http://h.yimg.com/lo/downloads/6.0.5_GA/zcs-6.0.5_GA_2213.SLES11_64.20100202233758.tgz

decompress, run the installation script and then follow the wizard

tar -zxvf zcs-6.0.5_GA_2213.SLES11_64.20100202233758.tgz
cd zcs-6.0.5_GA_2213.SLES11_64.20100202233758
sh install.sh

Related Entries

Need a Feedback : Zimbra Appliance on openSUSE

Masim "Vavai" Sugianto — Fri, 15 Jan 2010 09:28:53 +0000

I’m thinking about a project for a week end. Updating Zimbra Appliance to the latest version seems to be nice but I need a few feedback about the specification of appliance.

On previous version, I’m using Zimbra 5.0.18 on openSUSE 11.1 JeOS. It has minimum specification but it works pretty well (please let me know if you’ve failed on installing the Appliance). My colleagues in Indonesia sent me some feedback whether it’s possible or no to add the minimal GUI environment to manage the administration and give some testing.

Below are my plans for next appliance :

Build on openSUSE 11.1 32 bit with KDE3 basis with text editor and browser (FF or Chrome) installed by default. The previous version has no GUI installed and build on JeOS (Just Enough Operating System) basis.
Zimbra has installed by default with predefined domain, IP and DNS records but also give you a chance to change domain, IP and DNS. The previous version build with predefined install script to install Zimbra
Bundle with predefine setting on Zimbra anti spam improvement. The previous version didn’t have any anti spam improvement and built with standard setup
Use Zimbra version 5.0.21. The previous version using version 5.0.18. 5.0.21 is a stable and currently latest version. In other project, I’m also thinking about building Zimbra 6.0.4 64 bit on openSUSE 11.1.

So, which one you agree,

Minimal JeOS or minimal GUI
32 bit or 64 bit
Pre-installed Zimbra or an install script only
Predefined anti spam or leave it as is
Zimbra 5.0.21 or Zimbra 6.0.4
VMWare VMX format or VirtualBox VDI format (or maybe an ovf format)

Please give the feedback on my comment form. I’ll be starting to update the Zimbra appliance tomorrow and upload the appliance into my host server as soon as possible.

Related Entries

VMWare Acquired Zimbra

Masim "Vavai" Sugianto — Fri, 15 Jan 2010 02:14:06 +0000

Rumors that Yahoo will selling Zimbra has been discussed on mail server world for a month or two. The rumors caused some controversy regarding the issue that Yahoo will released Zimbra to Microsoft. The rumors has finally ended : Yahoo selling Zimbra but not for Microsoft, Yahoo sell it to VMWare instead.

As announced by VMWare and Zimbra, the acquisition will further VMware’s mission of taking complexity out of the datacenter, desktop, application development and core IT services, and delivering a fundamentally more efficient and new approach to IT. Steve Herrord has published his blog post regarding the reason why Zimbra decided to acquire Zimbra.

I’ve read a positive response to the acquisition. It may (and should be) better than lets Zimbra acquired by Microsoft. Microsoft has their own product : Microsoft Exchange Server. One of the stronger competitors for their product are Zimbra. The Dual License providing by Zimbra (Network Edition and Open Source Edition) mat not be really appropriate for Microsoft business model.

Beside the positive response, we must wait an update for VMWare strategy to expanding Zimbra popularity and market share. Hope VMWare has better attention for Zimbra than what Yahoo shows off for 2 years.

Related Entries

Tutorial : Samba PDC + OpenLDAP on openSUSE 11.1 – Part 4

Masim "Vavai" Sugianto — Sat, 09 Jan 2010 16:50:46 +0000

Previous Tutorial :

Setting Dynamic DHCP & DNS Server
Dynamic DHCP & DNS Server will be working together to register the client hostname and ip address, so every client could be interchange data using their netbios name. DNS setting will also passing the client-server authorization a lot easier because client identity has been registered on server.

Beware, I’ll be use manual setting on dynamic DHCP & DNS server in this tutorial. Do not mixed the process with automatic setting with YAST | Network Services | DNS Server. Combine both setting my broken your dynamic DHCP & DNS configuration.

Preparation

You should have DHCP & DNS pattern installed. Please refer to previous tutorial to check which package & pattern should be install
Dynamic DNS Server need a key. Use the following command to generate dynamic key :

cd /etc
genDDNSkey

Default result is /etc/named.key. Place it on etc folder. If you are using chroot jail mode, you should copy/move the file into appropriate folder, ie “/var/lib/named/etc” and “/var/lib/dhcp/etc”

Configuring Dynamic DHCP Server

Edit ”/etc/sysconfig/dhcpd” and change the following line DHCPD_INTERFACE=”" to looks like :
```
DHCPD_INTERFACE="eth0"
```
Note : Replace ”’eth0”’ with your running network card id.

Edit’/etc/dhcpd.conf” and change the content with the following configuration. Don’t forget to adjust your IP address and subnet

# File with key we shall use to securely update zone files
###########################################################
include "/etc/named.keys";

# Our server is authority
#########################################################
server-identifier server.vavai.net;
authoritative;

# Zone specification
###########################################
zone vavai.forward {
primary 192.168.1.254;
key DHCP_UPDATER;
}
zone vavai.reverse {
primary 192.168.1.254;
key DHCP_UPDATER;
}

# Various options
########################################
default-lease-time 86400;
max-lease-time 172800;

option domain-name "vavai.net";
option domain-name-servers 192.168.1.254;
option netbios-name-servers 192.168.1.254;

ignore client-updates;
ddns-domainname "vavai.net";
ddns-updates on;
ddns-update-style interim;

# Declaration of network properties ( range ... )
#################################################
subnet 192.168.1.0 netmask 255.255.255.0 {
range dynamic-bootp 192.168.1.10 192.168.1.254;
zone vavai.net { primary 127.0.0.1; key DHCP_UPDATER; }
zone 1.168.192.in-addr.arpa. { primary 127.0.0.1; key DHCP_UPDATER; }
option subnet-mask 255.255.255.0;
option routers 192.168.1.1;
one-lease-per-client on;
}

Confguring Dynamic DNS Server

Edit “/etc/named.conf” and change the content with following configuration. Don’t forget to replace appropriate part/setting with yours :

# Include file with key
#################################################
include "/etc/named.keys";

# Access Control Lists
#################################################
acl mynet {
192.168.1.0/24;
127.0.0.1;
};

# Various Options
#################################################
options {
directory "/var/lib/named";
allow-query { mynet; };
forwarders { 192.168.1.1; };
};

# Misc zone declarations
#################################################
zone "localhost" in {
type master;
file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.zone";
};

zone "." in {
type hint;
file "root.hint";
};

# Forward vavai.net zone declaration
#################################################
zone "vavai.net" {
type master;
file "dyn/vavai.forward";
allow-update { key DHCP_UPDATER; };
allow-transfer { mynet; };
check-names ignore;
};

# Active Directory Declarations
#############################################
zone "_tcp.vavai.net" IN {
type master;
file "master/_tcp.vavai.net.db";
allow-update { mynet; };
check-names ignore;
};

zone "_msdcs.vavai.net" IN {
type master;
file "master/_msdcs.vavai.net.db";
allow-update { mynet; };
check-names ignore;
};

zone "_sites.vavai.net" IN {
type master;
file "master/_sites.vavai.net.db";
check-names ignore;
allow-update { mynet; };
};

zone "_udp.vavai.net" IN {
type master;
file "master/_udp.vavai.net.db";
check-names ignore;
allow-update { mynet; };
};

# Reverse vavai.net zone declaration
#################################################
zone "1.168.192.in-addr.arpa" {
type master;
file "dyn/vavai.reverse";
allow-update { key DHCP_UPDATER; };
allow-transfer { mynet; };
};

Create a new folder ”/var/lib/named/dyn”. Folder will be used for zone location

Create a new file ”/var/lib/named/dyn/vavai.forward” (change vavai with your domain) with the following content :

$ORIGIN .
$TTL 5D
vavai.net               IN SOA  server.vavai.net. root.vavai.net. (
200524085  ; serial
3H         ; refresh
1H         ; retry
1W         ; expire
5D )       ; minimum

NS      server.vavai.net.
A       192.168.1.104

$ORIGIN vavai.net.
$TTL 5D
server                      A      192.168.1.104

Create a new file ”/var/lib/named/dyn/vavai.reverse” with the following content :

$TTL 5D
@                      IN SOA  server.vavai.net. root.vavai.net. (
200524086  ; serial
3H         ; refresh
1H         ; retry
1W         ; expire
5H )       ; minimum

@                        NS      server.vavai.net.

104                     PTR     server.vavai.net.

Create a new file ”/var/lib/named/dyn/_tcp.vavai.net.db” (this file will be use for active directory) with the following content :

$ORIGIN .
$TTL 432000     ; 5 days
_tcp.vavai.net               IN SOA  server.vavai.net. root.vavai.net. (
200524091  ; serial
10800      ; refresh (3 hours)
3600       ; retry (1 hour)
604800     ; expire (1 week)
432000     ; minimum (5 days)
)
IN      NS      server.vavai.net.
$ORIGIN _tcp.vavai.net.
$TTL 600        ; 10 mins
_ldap._tcp.vavai.net.        SRV     0 0 389 server.vavai.net.
_kerberos._tcp.vavai.net.    SRV     0 0 88 server.vavai.net.

Create a new file ”/var/lib/named/dyn/_udp.vavai.net.db” (this file will also be used for active directory) with the following content :

$ORIGIN .
$TTL 432000     ; 5 days
_udp.vavai.net               IN SOA  server.vavai.net. root.vavai.net. (
200524090  ; serial
10800      ; refresh (3 hours)
3600       ; retry (1 hour)
604800     ; expire (1 week)
432000     ; minimum (5 days)
)
IN      NS      server.vavai.net.
$ORIGIN _udp.vavai.net.
$TTL 600        ; 10 mins

Create a new file ”/var/lib/named/dyn/_sites.vavai.net.db” (this file will also be used for active directory) with the following content :

$ORIGIN .
$TTL 432000     ; 5 days
_sites.vavai.net               IN SOA  server.vavai.net. root.vavai.net. (
200524090  ; serial
10800      ; refresh (3 hours)
3600       ; retry (1 hour)
604800     ; expire (1 week)
432000     ; minimum (5 days)
)
IN      NS      server.vavai.net.
$ORIGIN _sites.vavai.net.
$TTL 600        ; 10 mins

Create a new file ”/var/lib/named/dyn/_msdcs.vavai.net.db” (this file will also be used for active directory) with the following content :

$ORIGIN .
$TTL 432000     ; 5 days
_msdcs.vavai.net             IN SOA  server.vavai.net. root.vavai.net. (
200524091  ; serial
10800      ; refresh (3 hours)
3600       ; retry (1 hour)
604800     ; expire (1 week)
432000     ; minimum (5 days)
)
IN      NS      server.vavai.net.
$ORIGIN _msdcs.vavai.net.
$TTL 600        ; 10 mins
_ldap._tcp.dc._msdcs.vavai.net.      SRV 0 0 389 server.vavai.net.
_kerberos._tcp.dc._msdcs.vavai.net.  SRV 0 0 88 server.vavai.net.

We will reach to the final setting on next 2 tutorial. I’ll be continue with next tutorial : Samba PDC + OpenLDAP on openSUSE 11.1 – Part 5, TESTING SAMBA, SERVICE LDAP & CONFIGURING CLIENT

Related Entries

Tutorial : Samba PDC + OpenLDAP on openSUSE 11.1 – Part 3

Masim "Vavai" Sugianto — Thu, 07 Jan 2010 08:51:34 +0000

Previous Tutorial :

CONFIGURING SMBLDAP-TOOLS

Smbldap-tools are a CLI (Command Line Interface) and used as a command tools for insert, update or delete a data on Samba and LDAP. Installing smbldap-tools on openSUSE only need a few step because the package already available on openSUSE Build Service. Let’s do it.

Goto openSUSE Build Service Package Search.
Install the updated smbldap-tools version with one-click-install

Edit /etc/smbldap-tools/smbldap.conf with the following content (don’t forget to replace the Samba SID and domain name, see previous tutorial):

SID="S-1-2-33-4444444444-555555555-6666666666"
sambaDomain="VAVAI.NET"
slaveLDAP=127.0.0.1
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
verify=""
cafile=""
clientcert=""
clientkey=""
suffix="dc=vavai,dc=net"
usersdn="ou=People,ou=Users,${suffix}"
computersdn="ou=Computers,ou=Users,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=VAVAI.NET,ou=Domains,${suffix}"
scope="sub"
hash_encrypt="MD5"
crypt_salt_format=""
userHome="/data/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome="\\server\%U"
userProfile="\\server\profiles\%U"
userHomeDrive="H:"
userScript="logon.bat"
mailDomain="vavai.net"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
# comment out the following line to get rid of the default banner
# no_banner="1"

Edit /etc/smbldap-tools/smbldap_bind.conf and copy-paste the following content :

slaveDN="cn=Manager,dc=vavai,dc=net"
slavePw="zezevavai26032006"
masterDN="cn=Manager,dc=vavai,dc=net"
masterPw="zezevavai26032006"

Starting Samba service

service smb restart
service nmb restart
service ldap restart
service winbind restart

Insert default password for Samba-LDAP

su
smbldap-useradd -m -a root
smbldap-passwd root
smbpasswd -a
smbldap-groupmod -m root Domain\ Admins

CONFIGURING LDAP ACCOUNT MANAGER (LAM)

LDAP account manager has similar function with smbldap-tools but provided a web interface to manage the LDAP data. You should have a running Apache server for host the LAM service. Click here if you need a tutorial to setting up Apache web server on openSUSE.

Goto Packman page for LDAP Account Manager and install the LAM package with one-click-install (or by using zypper using Packman Repository)

Backup & create the lam configuration

su
mv /srv/www/htdocs/lam/config/config.cfg_sample /srv/www/htdocs/lam/config/config.cfg
touch /srv/www/htdocs/lam/config/lam.conf
chown wwwrun:www /srv/www/htdocs/lam/config/lam.conf

Copy-paste the following content for LAM configuration : /srv/www/htdocs/lam/config/lam.conf

# LDAP Account Manager configuration
serverURL: ldap://localhost:389
admins: cn=Manager,dc=vavai,dc=net
# password to change these preferences via webfrontend (default: lam)
passwd: {SSHA}RjBruJcTxZEdcBjPQdRBkDaSQeY= iueleA==

treesuffix: dc=vavai,dc=net

# default language (a line from config/language)
defaultLanguage: en_GB.utf8:UTF-8:English (Great Britain)

# Path to external Script
scriptPath:

# Server of external Script
scriptServer:

# Access rights for home directories
scriptRights: 750

# Number of minutes LAM caches LDAP searches.
cachetimeout: 5

# Module settings

modules: posixAccount_minUID: 10000
modules: posixAccount_maxUID: 20000
modules: posixAccount_minMachine: 10000
modules: posixAccount_maxMachine: 20000
modules: posixGroup_minGID: 10000
modules: posixGroup_maxGID: 20000
modules: posixGroup_pwdHash: SSHA
modules: posixAccount_pwdHash: SSHA

# List of active account types.
activeTypes: user,group,host,smbDomain

types: suffix_user: ou=People,dc=vavai,dc=net
types: attr_user: #uid;#givenName;#sn;#uidNumber;#gidNumber
types: modules_user: inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount

types: suffix_group: ou=group,dc=vavai,dc=net
types: attr_group: #cn;#gidNumber;#memberUID;#description
types: modules_group: posixGroup,sambaGroupMapping

types: suffix_host: ou=machines,dc=vavai,dc=net
types: attr_host: #cn;#description;#uidNumber;#gidNumber
types: modules_host: account,posixAccount,sambaSamAccount

types: suffix_smbDomain: ou=domains,dc=vavai,dc=net
types: attr_smbDomain: sambaDomainName:Domain name;sambaSID:Domain SID
types: modules_smbDomain: sambaDomain

Restart Apache service
```
service apache2 restart
```
Access the LAM service from http://yourhostname/lam or http://your-server-ip/lam, ex : http://server.vavai.net/lam or http://192.168.1.254/lam

Next Tutorial : Samba PDC + OpenLDAP on openSUSE 11.1 – Part 4, Configuring Dynamic DHCP & DNS