Samba, LDAP, do I need smbpasswd to create users?

yuri_d · 07-23-2007, 09:33 AM

I seem to have done a working setup of the subj.
I only use posixAccount class for creating users and thus avoiding all the mess with winbind, rid-uid mapping etc. Way to go.

I use phpldapadmin to manage ldap - very convenient
Still some minor problems...

Can anyone please advise, do I still need to "smbpasswd -a %u" new users? Or does phpldapadmin do everything required to add users/change passwords?

jschiwal · 07-24-2007, 06:16 PM

Look at your /etc/samba/smb.conf to determine what backend that samba uses for storing usernames and passwords.

What is the authentication source of the server itself.

Look in the /etc/nsswitch.conf file. What does the line starting with "passwd:" show?
Also look at the PAM config files and the files in /etc/security/. You could be using samba or ldap as the authentication source.

The samba or samba-doc package will supply 3 or 4 books, including "Samba 3 by Example" and the "Samba 3 Howto and Reference Guide". The first has some sample ldap based configurations. The latter will explain the various password backends in more detail. Your php scripts may be doing the same thing as the perl or python scripts in their examples. If you have a server that is a domain controller or a member of a domain, then there will be mapping between unix and windows IDs but the server may not be using smbpasswd or /etc/passwd for authenticating users. This is probably handled on the fly by your php scripts.

yuri_d · 07-25-2007, 07:46 AM

Thanks for hints, got it going somehow.

The main problem was in the original design. Samba schema needs sids and rids and posix only autentication does not work with Samba+LDAP with Ldap system authentication.

smbldap-installer gives a good starting config (with an error in ACL?) which can be corrected:

Quote:

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by dn="cn=admin,dc=nomis52,dc=net" write
by anonymous auth
by self write
by * none

smbpasswd is not required (it seems, not 100% sure).
Used with LDAP Admin for windows:
http://ldapadmin.sourceforge.net/
Home directories can be created with adding line to [homes] section in smb.conf:

root preexec = [ ! -e /home/%U ] && { /bin/cp -a /etc/skel /home/%U; /bin/chown -R %U."%G" /home/%U; }

Still a weird feature remains:
If i su to root i stop seeing ldap accounts with 'id $user' or 'getent passwd'. Initial login user can see them. It only affects subshells. It has no effect on functionality but is still bugging me.

Any ideas?