[Samba] pam_ldap

rossp at ppc.ucsc.edu rossp at ppc.ucsc.edu
Mon May 5 20:53:35 GMT 2003

> pam.conf)? I already searched the whole internet for more information
> regarding this, but I could find anything similar which could help me.

hehe, yeah, you won't find enough, or at least I couldn't.  There are
a number of things to understand and get working.

First off, you will need Samba 2.2.8a, nothing old.

Second off, you will need to compile it yourself and be sure to give
"--with-pam --with-pam_smbpass --with-ldapsam" to the configure script
before making and installing.

Then, when your compiled version of samba is installed, make sure you
have the ldap options set in your smb.conf file.  There *is*
documentation on that much.

Also, do "smbpasswd -w" at your command prompt and give it the
password samba should use to access the protected password attributes
of the LDAP directory, this usually means your main LDAP admin

Now copy the samba.schema file from the "examples/LDAP" directory in
your samba source directory to some place sensical, probably next to
the rest of your LDAP schema files in "/etc/ldap/schema/".  Add a line
to your slapd.conf file:

"include         /etc/ldap/schema/samba.schema"

...or something like that.  You probably also want to add some access
control statements in your slapd.conf file to protect the samba
password attributes.  You can find samples of these statements out
there somewhere.

Restart your slapd and smbd and then you should be able to use the
appropriate "smbpasswd -a" command to add the samba password
attributes to an existing UNIX user's LDAP entry.  Then you should be
able to log into the samba server from a windows machine.  After you
successfully log in, manually check your test user's LDAP entry to
make sure it has the "lmPassword" and "ntPassword" attributes.  Then
check your smbpasswd file manually to make sure it has *no* entry for
the test user.  If so then you just successfully logged into your
samba server with an LDAP user.

Now getting the password attributes to all stay in sync no matter how
the password gets changed is a whole nother saga.  Be happy to write
that one up too, but get the log in working first.

Good luck.

Ross Patterson
rossp at ucsc.edu
1156 High St, Barn G, PP&C
Santa Cruz, CA 95064

On Mon, 5 May 2003, Schelstraete Bart wrote:

> Hello,
> I have a -maybe stupid question regarding pam_ldap and Samba, and I really
> hope that somebody can help me.
> I currently using pam_ldap so that users can login on the Unix machine
> with their LDAP userid/password.
> Now I want to configure Samba so that he also uses that pam_ldap for
> that authentication. But please note that I only want to authenticate
> tru the LDAP, so nothing else is stored in the LDAP server.
> Do somebody know if this is possible. If so , can somebody point me in
> the correct direction (what do I need to modify in smb.conf and
> pam.conf)? I already searched the whole internet for more information
> regarding this, but I could find anything similar which could help me.
> Tnx in advance,
>          Bart
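The manual checks at the end of the reply above (both hash attributes present on the LDAP entry, no entry left in the smbpasswd file), as an added shell example that is not part of the original message. The user names, DNs, file names and hash values are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: automates the manual post-login checks on constructed data.
# Real LDIF would come from a bind that may read the protected attributes, e.g.
#   ldapsearch -x -D "<admin DN>" -W -b "<base DN>" "(uid=USER)" lmPassword ntPassword

# True if the LDIF file carries ATTR, as plain ("attr: v") or base64 ("attr:: v").
ldif_has_attr() {   # args: ldif_file attr
    grep -Eiq "^$2::?[[:space:]]" "$1"
}

# True if the smbpasswd file has an entry whose first colon field is USER.
smbpasswd_has_user() {   # args: smbpasswd_file user
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# Returns 0 only when both hashes are in LDAP and the flat file has no entry.
check_ldapsam_user() {   # args: user ldif_file smbpasswd_file
    rc=0
    for attr in lmPassword ntPassword; do
        if ! ldif_has_attr "$2" "$attr"; then
            echo "FAIL: $1: no $attr in LDAP entry (or bind DN cannot read it)"
            rc=1
        fi
    done
    if smbpasswd_has_user "$3" "$1"; then
        echo "FAIL: $1: still has an smbpasswd entry, login may not have used LDAP"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $1: hashes in LDAP only"; fi
    return "$rc"
}

# Constructed sample data (hypothetical users, fake hash values).
write_samples() {   # args: dir
    cat > "$1/entry.ldif" <<'EOF'
dn: uid=testuser,ou=People,dc=example,dc=com
uid: testuser
lmPassword: 00000000000000000000000000000000
ntPassword:: MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA=
EOF
    cat > "$1/smbpasswd" <<'EOF'
olduser:1001:00000000000000000000000000000000:00000000000000000000000000000000:[U          ]:LCT-00000000:
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_ldapsam_user testuser "$demo_dir/entry.ldif" "$demo_dir/smbpasswd"
```

Once access control statements protect the password attributes, an anonymous search no longer returns them, so a missing attribute in the output can mean either "not set" or "bind DN not allowed to read it".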