20040804 samba and ldap - plembo/onemoretech GitHub Wiki

title: Samba and LDAP
link: https://onemoretech.wordpress.com/2004/08/04/samba-and-ldap/
author: lembobro
description:
post_id: 764
created: 2004/08/04 04:06:00
created_gmt: 2004/08/04 04:06:00
comment_status: open
post_name: samba-and-ldap
status: publish
post_type: post

Samba and LDAP

Someone with an eye for detail might have noticed that the smb.conf I had in an earlier post was configured to use the tdbsam instead of the ldapsam backend. While tdbsam is a good alternative to the older smbpasswd backend that mimics a Windows LSA (Local Security Authority) database, it is understandable that one would assume that eldapo would opt for the LDAP backend. Although I’ve tried this in previous installations of both Samba 2 and Samba 3 (while the latter was still in development), my goal this time around was to get the service up and running as quickly and cleanly as possible.

With a little time on my hands today, I in fact did take the next step and convert over to the ldapsam backend. After poring over the doc for a while I thought I understood what to do, which I did — pretty much.

First, I added the samba 3 schema file to my OpenLDAP instance’s schema subdirectory and made the necessary changes to my slapd.conf (including adding an access control and indexes to support the new objectclass and attributes needed by Samba). Then I edited my smb.conf to add the LDAP related directives. Finally, I moved the Samba account information for my existing users over from tdbsam to LDAP.

For slapd.conf, the following lines got added:

At the top of the file:

```
include /usr/local/etc/openldap/schema/samba.schema
```

Above the database settings section:

```
# Limited access to Samba account attributes
access to attr=sambalmpassword,sambantpassword,sambapwdlastset,\
sambaacctflags,sambalogontime,sambalogofftime,sambakickofftime,\
sambapwdcanchange,sambapwdmustchange,sambahomepath,sambahomedrive,\
sambaprofilepath,sambauserworkstations,sambaprimarygroupsid,\
sambadomainname,sambasid
    by group/groupofuniquenames/uniquemember="cn=Administrators,\
    dc=example,dc=com" write
    by self write
```

Note: The line continuation characters (`\`) in the above example are used here due to the limitations of page formatting; in the actual config file those lines ending with these characters would be continuous and unbroken.

At the end of the database settings section:

```
# Samba v3 schema attributes
index sambasid eq
index sambaprimarygroupsid eq
index sambadomainname eq
```

I ran the command `slapindex -f /usr/local/etc/openldap/slapd.conf` to create the new indexes on the directory.

Here are the additional lines in the global section of smb.conf:

```
passdb backend = ldapsam
ldap admin dn = "cn=manager,dc=example,dc=com"
ldap ssl = start tls
ldap delete dn = no
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Domains
ldap suffix = dc=example,dc=com
ldap filter = (uid=%u)
```

Pretty standard stuff. I did have to use smbpasswd as root to add the “cn=manager” root directory account’s password to the database before switching over. To migrate the existing tdbsam data to ldapsam I used the Samba pdbedit tool thusly:

```
pdbedit -i tdbsam -e ldapsam
```

For those users who did not have a previous account on tdbsam I used the smbpasswd utility to add them, which then wrote the requisite information into the user’s corresponding LDAP entry.

Note that for now at least I have not enabled “ldap sync” to maintain both Samba and LDAP passwords automatically. This is mostly due to initial caution on my part. I know this feature does in fact work.

What I’m really interested in is synching the Samba and UNIX passwords. Previously I was running FreeBSD 4.x, which does not support PAM (Pluggable Authentication Modules), a critical part of that feature.

Now that I’ve moved everything to FreeBSD 5.2, I’m going to be researching how to configure PAM for this purpose. For now, I’ll continue to maintain the 3 different passwords independently, using native tools (passwd for UNIX, ldappasswd for LDAP and smbpasswd).

Copyright 2004-2019 Phil Lembo