[Samba] Samba file server using ldap backend without AD or PDC?
Gaiseric Vandal
gaiseric.vandal at gmail.com
Fri Nov 30 09:15:46 MST 2012
On 11/30/12 09:42, Brian Gold wrote:
>
>
> On 2012-11-30 9:22 am, Gaiseric Vandal wrote:
>> Can you clarify one thing - why are you using the sambaNTPassword in
>> openldap if openldap is not currently used for samba authentication? I
>> would have thought that you would use the standard password field.
>
> We are using the standard userPassword field for most things, but for
> radius authentication via PEAP/MSCHAPv2, we needed to use
> sambaNTPassword instead.
That makes sense
>
>
>> I use Samba 3.x DCs with an ldap back end. I also use the ldap
>> backend for unix authentication as well as authentication to various
>> other systems that support LDAP authentication. If you are using
>> one or more BDCs you really do have to use an LDAP back end. But
>> there is no reason why member servers can use an LDAP backend.
>> If the underlying unix account for each samba account is in
>> /etc/passwd and not LDAP, you should consolidate it all into LDAP.
>
> We currently don't want to deploy a PDC or BDC if we don't need to.
> All we want to do is have a file server that can authenticate using
> the username/password stored in openldap.
>
Should be no problem.
>
>> Do the sambaNTPassword (and other samba attributes) in LDAP match
>> those in the tdb backend? You may find you want to blast away the
>> existing sambaNTPassword entries in LDAP before you migrate the TDB
>> data to LDAP.
>
> No, our current Samba file server has a totally separate set of
> passwords. When we transition over to this new Samba file server, we
> will be having all our users use their openldap password instead. We
> do not want to sync their existing tdb passwords over to LDAP.
No, you wouldn't sync passwords to TDB. Does your LDAP entry for
each user currently have a SambaSID value? Also, when you type "pdbedit
-Lv someuser" you should see the unix account for the user. The unix
account is either explicitly created (e.g. in /etc/passwd or ldap or
nis) or dynamically created by winbind.
# pdbedit -Lv someuser
Unix username: someuser
NT username: someuser
Account Flags: [U ]
User SID: S-1-5-21-xxxxx
Primary Group SID: S-1-5-21-xxx
Full Name: Some User
Home Directory: \\someserver\users\someuser
HomeDir Drive: X:
Logon Script: logon.bat
Profile Path:
Domain: SOMEDOMAIN
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: 0
Kickoff time: 0
Password last set: Fri, 30 Sep 2011 09:40:43 EDT
Password can change: Fri, 30 Sep 2011 09:40:43 EDT
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
#
Assuming you are not using winbind to allocate uid's and gid's for samba
users, your LDAP user entry will eventually look something like
dn: uid=someuser,ou=someou,ou=people,o=yourdomain.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: Some User
gidNumber: xx
homeDirectory: /home/someuser
sambaSID: S-1-5-21-xxxx
sn: UserLastName
uid: someuser
uidNumber: 123
displayName: Some User
gecos: Some User
givenName: Some User
loginShell: /bin/tcsh
sambaAcctFlags: [UX ]
sambaHomeDrive: X:
sambaHomePath: \\someserver\users\someuser
sambaLogonScript: logon.bat
sambaNTPassword: xxxxxxxxxxxxxxxxxxxx
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1291843237
st: xxxxxx
street: xxxxxxxxx
telephoneNumber: xxxxxxxxx
userPassword:: xxxxxxxxxxxx
Although the login script and network home directory are probably not
relevant in a non-DC setup.
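A pre-migration check of the kind the entry above invites, as an added Python example (not from the thread or from Samba): it parses an LDIF export of the user entries, folding wrapped values such as sambaPasswordHistory and decoding the base64 userPassword, then flags entries that lack the sambaSamAccount objectClass or a sambaSID under the server's domain SID, or that carry a sambaNTPassword which has not been set recently. The sample LDIF, SIDs and hashes are constructed placeholders.

```python
import base64

# Constructed sample export shaped like the entry above; SIDs and hashes are placeholders.
SAMPLE_LDIF = """dn: uid=someuser,ou=people,o=yourdomain.com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: someuser
sambaSID: S-1-5-21-1111-2222-3333-1001
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaPwdLastSet: 1291843237
userPassword:: e1NTSEF9eHh4eA==

dn: uid=olduser,ou=people,o=yourdomain.com
uid: olduser
sambaNTPassword: FEDCBA9876543210FEDCBA9876543210
sambaPasswordHistory: 000000000000000000000000000000000000
 000000000000
"""

def parse_ldif(text):
    """Return [{attribute: [values]}]; folds continuation lines and decodes '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation line: glue onto the previous value
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in filter(str.strip, lines):
        attr, _, val = line.partition(":")
        val = base64.b64decode(val[1:].strip()).decode() if val.startswith(":") else val.strip()
        if attr == "dn":                  # every dn starts a new entry
            cur = {}
            entries.append(cur)
        if cur is not None:
            cur.setdefault(attr, []).append(val)
    return entries

def audit_entry(e, domain_sid, now, max_age_days=365):
    """Findings to resolve before ldapsam is pointed at this entry."""
    findings = []
    if "sambaSamAccount" not in e.get("objectClass", []):
        findings.append("missing sambaSamAccount objectClass")
    if not e.get("sambaSID", [""])[0].startswith(domain_sid + "-"):
        findings.append("sambaSID missing or not under this server's domain SID")
    if "sambaNTPassword" in e:            # an NT hash nobody has reset recently is a stale credential
        last_set = int(e.get("sambaPwdLastSet", ["0"])[0])
        if now - last_set > max_age_days * 86400:
            findings.append("stale sambaNTPassword (see sambaPwdLastSet)")
    return findings
```

Run it over the output of `ldapsearch -LLL` (or `slapcat`) for the people subtree and pass the domain SID reported by `net getlocalsid`.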