LinuxQuestions.org
Old 02-02-2004, 05:15 PM   #1
nielchiano
Member
 
Registered: Feb 2004
Location: 50N 3E
Distribution: Gentoo
Posts: 64

Rep: Reputation: 15
Set up LDAP and Samba PDC


Hi everyone,

I'm planning to set up a nice Samba domain and want to use LDAP for all account info (also for the Linux accounts). I currently have OpenLDAP (latest stable) and Samba 3.0.1 installed.

I use Gentoo's packaging system, but that shouldn't matter too much.

Can anyone give me some support on LDAP and LDAP-Samba integration? Because I'm a newbie at those things...

What program should I use to add/remove/view LDAP entries?
What properties must/should/may be set for the linux (posix) account, for the samba account?

I currently have a Samba (3.0) domain set up on another machine (acting as PDC) with the smbpasswd file as database. I'd like to transport all passwords (hashed) and SIDs to the new setup. Is that possible, and how?

Can I use a different organisational unit for machine accounts, or should they be in the same one as the users?

Should I use SSL for LDAP? Also allow non-encrypted? How do I set up nsswitch?

In short: can anyone guide me through that setup-stage?
 
Old 02-07-2004, 05:17 AM   #2
rohang
Member
 
Registered: Aug 2002
Location: Sydney, Australia
Distribution: Redhat, Open BSD, SuSe, Debian, CentOS
Posts: 177

Rep: Reputation: 31
Re: Set up LDAP and Samba PDC

Quote:
Originally posted by nielchiano
Hi everyone,


I currently have a Samba (3.0) domain set up on another machine (acting as PDC) with the smbpasswd file as database. I'd like to transport all passwords (hashed) and SIDs to the new setup. Is that possible, and how?


Would you be prepared to post your smb.conf? I'm trying to get Samba 3.0 working as a PDC, but can't quite get it.

Looking at a working smb.conf would be a great help.
 
Old 02-07-2004, 05:42 AM   #3
nielchiano
Member
 
Registered: Feb 2004
Location: 50N 3E
Distribution: Gentoo
Posts: 64

Original Poster
Rep: Reputation: 15
Sure (with some XXX's to mask things I don't like to share):
Code:
# Global parameters
[global]
        workgroup = NILIN
        netbios name = GENIE
        netbios aliases = PS, FS
        server string = Genie

        os level = 99
        preferred master = Yes
        wins support = Yes
        domain master = Yes

        domain logons = Yes

        logon script = logon.bat
        logon path = \\fs\%U\logon-path
        logon drive = x:
        logon home = \\fs\%U\logon-home

        hosts deny = ALL
        hosts allow = 10.XXX.1.XXX/255.255.255.0, 10.XXX.2.XXX/255.255.255.248, 127.0.0.1
        socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192

        ldap admin dn = "cn=admin,dc=nilin,dc=local"
        ldap ssl = on
        passdb backend = ldapsam:ldaps://auth.nilin.local
        ldap delete dn = No
        ldap passwd sync = Yes

        ldap suffix = dc=nilin,dc=local
        ldap user suffix = ou=People
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Computers

        ldap filter = (uid=%u)

        printing = cups
        printcap name = cups

        time server = Yes

        unix charset = ISO8859-1
        browseable = No
        hide unreadable = Yes

[homes]
        comment = Server disk
        path = /home/%U/
        read only = No
        create mask = 0700
        force create mode = 0600
        directory mask = 0700
        force directory mode = 0700
        volume = %U-home
        fstype = ext3

[printers]
        comment = All printers
        path = /var/spool/samba
        printer admin = @printadm
        printable = Yes
        browseable = Yes

[netlogon]
        comment = Logon scripts
        fstype = ext3
        path = /mnt/data/netlogon

[everyone]
        comment = Common storage
        path = /home/everyone
        read only = No
        create mask = 0770
        force create mode = 0660
        directory mask = 0770
        force directory mode = 0770
        browseable = Yes
        fstype = ext3

[mm]
        comment = Multimedia disk
        path = /mnt/data/mm
        read only = No
        create mask = 0750
        force create mode = 0640
        force directory mode = 0750
        browseable = Yes
        fstype = ext3

[install$]
        comment = Install files
        path = /mnt/data/install
        read only = No
        create mask = 0750
        force create mode = 0640
        force directory mode = 0750
        browseable = No
        fstype = ext3
 
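The smb.conf above is the part of this thread worth checking mechanically: whether the passdb backend talks to the directory over ldaps:// or plain ldap://, whether `ldap ssl` agrees with that URI, whether an `ldap admin dn` is set at all (without it the bind password in secrets.tdb is never used), and whether `hosts deny = ALL` is present so that `hosts allow` is really an allowlist. The following Python is an added example written for this thread, not code from the poster or from the Samba project; the sample config embedded in it is a constructed, trimmed variant of the posted file with placeholder addresses, and the valid values for `ldap ssl` (off, start tls, on) are taken from the Samba 3 manual page.

```python
"""Parse a Samba smb.conf and flag weak LDAP transport / bind settings.
Added example for the thread; the config below is constructed."""
import re

# Constructed sample, trimmed from the posted smb.conf, placeholder addresses
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
        workgroup = NILIN
        hosts deny = ALL
        hosts allow = 10.0.1.0/255.255.255.0, 127.0.0.1
        ldap admin dn = "cn=admin,dc=nilin,dc=local"
        ldap ssl = on
        passdb backend = ldapsam:ldaps://auth.nilin.local
        ldap suffix = dc=nilin,dc=local

[homes]
        path = /home/%U/
        read only = No
"""

# Same config with the transport weakened to plaintext LDAP, for comparison
WEAK_SMB_CONF = (SAMPLE_SMB_CONF
                 .replace("ldaps://", "ldap://")
                 .replace("ldap ssl = on", "ldap ssl = off"))

SECTION = re.compile(r"^\[(.+)\]$")


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased, comments and
    surrounding quotes dropped. Only the first '=' splits key from value,
    so values such as dc=nilin,dc=local survive intact."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip().strip('"')
    return sections


def check_ldap_settings(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    g = conf.get("global", {})
    findings = []
    m = re.match(r"ldapsam:(\w+)://", g.get("passdb backend", ""))
    if not m:
        findings.append("passdb backend is not ldapsam with an LDAP URI")
        return findings
    scheme = m.group(1)
    ssl = g.get("ldap ssl", "").lower().replace("_", " ")
    if scheme == "ldap" and ssl not in ("start tls", "on"):
        findings.append("plain ldap:// without StartTLS: the bind password "
                        "and password hashes cross the network unencrypted")
    if scheme == "ldaps" and ssl == "start tls":
        findings.append("ldaps:// combined with 'ldap ssl = start tls' is "
                        "contradictory; pick one transport")
    if not g.get("ldap admin dn"):
        findings.append("ldap admin dn not set: Samba cannot bind to the "
                        "directory, whatever is stored in secrets.tdb")
    if g.get("hosts deny", "").upper() != "ALL":
        findings.append("hosts deny is not ALL, so hosts allow is not an "
                        "allowlist")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", SAMPLE_SMB_CONF), ("weakened", WEAK_SMB_CONF)):
        print(name, check_ldap_settings(parse_smb_conf(text)) or ["ok"])
```

The parser is deliberately minimal (no `include =` handling, no `%` macro expansion), which is enough to audit the [global] LDAP block; run it against the real file with `parse_smb_conf(open("/etc/samba/smb.conf").read())`.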
Old 02-16-2004, 09:43 PM   #4
rohang
Member
 
Registered: Aug 2002
Location: Sydney, Australia
Distribution: Redhat, Open BSD, SuSe, Debian, CentOS
Posts: 177

Rep: Reputation: 31
Thanks for that. I can't seem to get the LDAP side of things happening though... I keep getting messages like:

[2004/02/17 12:05:03, 0] lib/smbldap.c:smbldap_search_suffix(1077)
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
[2004/02/17 13:06:36, 0] lib/smbldap.c:fetch_ldap_pw(256)
fetch_ldap_pw: neither ldap secret retrieved!
[2004/02/17 13:06:36, 0] lib/smbldap.c:smbldap_connect_system(741)
ldap_connect_system: Failed to retrieve password from secrets.tdb
[2004/02/17 13:06:36, 1] lib/smbldap.c:smbldap_retry_open(890)
Connection to LDAP Server failed for the 1 try!
[2004/02/17 13:07:42, 0] lib/smbldap.c:smbldap_search_suffix(1077)
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)


Any ideas?
 
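The log excerpt above carries two distinct problems that are easy to conflate: "Invalid credentials" means Samba did bind with a DN and password but the directory rejected them, while "neither ldap secret retrieved" / "Failed to retrieve password from secrets.tdb" means no bind password was stored at all. The following Python is an added example, not code from the thread or from the Samba project: it pairs each Samba log header line with the message line that follows it, classifies the smbldap messages, and counts them. The sample log is reconstructed from the lines quoted in the post above; the cause labels and the suggested checks are this example's own.

```python
"""Triage smbldap.c messages from a Samba log. Added example for the thread;
the log sample below is reconstructed from the post."""
import re
from collections import Counter

SAMPLE_LOG = """\
[2004/02/17 12:05:03, 0] lib/smbldap.c:smbldap_search_suffix(1077)
  smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
[2004/02/17 13:06:36, 0] lib/smbldap.c:fetch_ldap_pw(256)
  fetch_ldap_pw: neither ldap secret retrieved!
[2004/02/17 13:06:36, 0] lib/smbldap.c:smbldap_connect_system(741)
  ldap_connect_system: Failed to retrieve password from secrets.tdb
[2004/02/17 13:06:36, 1] lib/smbldap.c:smbldap_retry_open(890)
  Connection to LDAP Server failed for the 1 try!
[2004/02/17 13:07:42, 0] lib/smbldap.c:smbldap_search_suffix(1077)
  smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid credentials)
"""

# Samba header line: [YYYY/MM/DD HH:MM:SS, level] file.c:function(line)
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")

# (pattern on the message line, cause label, what a defender should check)
RULES = [
    (re.compile(r"Invalid credentials"), "bad_bind_credentials",
     "the 'ldap admin dn' in smb.conf and the password stored with "
     "'smbpasswd -w' do not match what the directory expects"),
    (re.compile(r"neither ldap secret retrieved|"
                r"Failed to retrieve password from secrets\.tdb"),
     "missing_bind_secret",
     "no bind password in secrets.tdb; store one with 'smbpasswd -w'"),
    (re.compile(r"Connection to LDAP Server failed"), "ldap_connect_failed",
     "follow-on of the two above or a network/TLS problem reaching the URI "
     "in 'passdb backend'"),
]


def parse_samba_log(text):
    """Yield one event per header/message pair as a dict."""
    events, header = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            header = {"time": m.group(1), "level": int(m.group(2)),
                      "origin": m.group(3)}
            continue
        if header is None or not line:
            continue
        events.append({**header, "message": line})
        header = None
    return events


def classify(event):
    """Map a parsed event to a cause label, or 'other'."""
    for rx, cause, _ in RULES:
        if rx.search(event["message"]):
            return cause
    return "other"


def triage(text):
    """Return {cause_label: count} for the smbldap messages in the log."""
    return dict(Counter(classify(e) for e in parse_samba_log(text)))


def advice(counts):
    """Return the check to perform for each cause that actually occurred."""
    return {cause: hint for _, cause, hint in RULES if counts.get(cause)}


if __name__ == "__main__":
    counts = triage(SAMPLE_LOG)
    print(counts)
    for cause, hint in advice(counts).items():
        print(f"{cause}: {hint}")
```

On a live system point `parse_samba_log` at the file named by `log file` in smb.conf (or at `log.smbd` under the Samba log directory); a run that shows only `missing_bind_secret` and `ldap_connect_failed` is the "forgot smbpasswd -w" case, while a run dominated by `bad_bind_credentials` means the stored password or admin DN is wrong rather than absent.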
Old 02-17-2004, 07:08 AM   #5
nielchiano
Member
 
Registered: Feb 2004
Location: 50N 3E
Distribution: Gentoo
Posts: 64

Original Poster
Rep: Reputation: 15
I'm not at home, so I can't check it...

I think you should tell Samba how it should bind. Tell it the DN of the account to bind as in the smb.conf,
and tell it the password with "smbpasswd -w secret".

Hope it helps
 
Old 02-17-2004, 08:22 AM   #6
jjohnston62
Member
 
Registered: Aug 2003
Location: Minnesota, USA
Distribution: RedHat, Suse
Posts: 106

Rep: Reputation: 15
I'm starting to sound like a shill for this book, but:

http://www.amazon.com/exec/obidos/tg...glance&s=books

In it, John Terpstra details how to configure samba in LDAP mode, with multiple LDAP sources as failovers, or using LDAP for multi-site configurations.

Available toward the end of March.

I agree with Nielchiano above, sounds like you're missing the bind information in secrets.tdb
 
Old 01-18-2007, 10:03 PM   #7
mosx86
LQ Newbie
 
Registered: Jan 2007
Posts: 4

Rep: Reputation: 0
Quote:
Originally Posted by jjohnston62
I'm starting to sound like a shill for this book, but:

URL removed because it won't let me post it...

In it, John Terpstra details how to configure samba in LDAP mode, with multiple LDAP sources as failovers, or using LDAP for multi-site configurations.

Available toward the end of March.

I agree with Nielchiano above, sounds like you're missing the bind information in secrets.tdb
I'm trying to troubleshoot an issue where new users aren't able to authenticate off of our SAMBA-based PDC. The PDC is bound to an openldap server. Initially I thought there may be something wrong with the accounts, but they're able to successfully authenticate off of fileservers bound to the openldap server.

Unfortunately, I'm not terribly familiar with the set up and logs I assume should be there (such as log.smbd and log.nmbd) aren't.

When used as a PDC, does Samba write to different log files (especially for authentication)?

Many thanks...
 
Old 01-23-2007, 02:00 PM   #8
mosx86
LQ Newbie
 
Registered: Jan 2007
Posts: 4

Rep: Reputation: 0
Any point in the right direction would be greatly appreciated...

The essential problem: some users are not able to log into their PCs bound to the PDC. I thought the proper logs to look at were smbd.log and nmbd.log but they don't seem to exist on this server (I inherited w/ little documentation).

I can ssh into the PDC and successfully su to any of the accounts that can't authenticate off their PCs. I don't suspect the PC set up because some users are able to log in successfully.

Ideas?
 
Old 02-17-2007, 10:03 AM   #9
paul_mat
Member
 
Registered: Nov 2004
Location: Townsville, Australia
Distribution: Fedora Core 5, CentOS 4, RHEL 4
Posts: 855

Rep: Reputation: 30
I have a how-to on my website http://www.opensourcehowto.org for setting up samba as a primary domain controller (PDC)

OpenLDAP LAM Samba as PDC
http://www.opensourcehowto.org/how-t...ba-as-pdc.html

and if you're feeling a little bit more adventurous later on you could try getting into the policies with Samba

Samba Primary Domain Controller with Group Policies
http://www.opensourcehowto.org/how-t...-policies.html
 