[Samba] Problem w/ Samba 3 & LDAP

Ted Wisniewski ted at ness.plymouth.edu
Thu Apr 1 23:40:24 GMT 2004


(* > > Example LDIF (NOT WORKING)
(* > > dn: uid=notworking, ou=People, dc=plymouth,dc=edu
(* > > sambaPwdLastSet: 1080739453
(* > > sambaAcctFlags: [U          ]
(* > > displayName: Not Working
(* > > sambaPwdMustChange: 2147483647
(* > > objectClass: sambaSamAccount
(* > > objectClass: account
(* > > uid: notworking
(* > > sambaSID: S-1-5-21-204843054-3526713080-3458795326-3472
(* > > sambapwdCanChange: 1080739453
(* > > sambaNTPassword: 8F851644E0A37D3FB3476910A6A93303
(* > > sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1399
(* > > sambaLMPassword: F12E9CF522B3C3FBAAD3B435B51404EE

	Ldapsearch was being a pain, so I just grabbed the info from a "slapcat"
instead, which was simpler.   Anyway, I did paste the "SID" from the first
(working) entry into the "Non working" entry.   I was then able to log on as 
the non-working user.

(* ----
(* It appeared that you edited the info to the point of making it difficult
(* to trust what is actually being reported from the ldapsearch command.
(* 
(* It seems as though your smbuser in one case matches up to a unix user
(* and in the other case (where it doesn't work) doesn't match up but if it
(* works when you delete and then create the samba user, then both parts
(* are certainly done.
(* 
(* I have both posix and sambaSamAccount objectclass for all my users... a
(* typical user looks like:

	What I have is very similar.   Many of the attributes are not required.

(* NOTE:
(* sambaPrimaryGroupSID: ends in -513 ("Domain Users")
(* posix attributes not necessary with samba:
(* loginShell, givenName, sn, cn, gecos, homeDirectory, and objectclasses
(* posixAccount-inetOrgPerson-shadowAccount
(* 
(* LDAP for samba should have 1 and only 1 domain (windows variety) and 1
(* SID (obtainable with net getlocalSID command).


	So, now that I know what my "problem" is/was....  I am able
to move forward.  The only issue I have now is that I have 9000 users
that I want to be able to log onto multiple domains.  By having
to have the SID match the domain....  It presents a problem...

I only want one password database to maintain...  I guess I could get
clever with LDAP replication and have multiple LDAPs...   This is a less
than ideal solution.   At this time I have large smbpasswd files that I
would like to not use.   I guess my ideal solution would look like:

              /--- Domain A
             /
LDAP -------+
             \
              \--- Domain B


Since we use a web based password changer,  I could have a separate
LDAP per Domain.   I guess, in my ideal world I would have an LDAP
with multiple sambaSIDs, and each samba server would just pick the one
out of the LDAP that was appropriate to that Domain.   I realize
that the current schema does not allow for this and that samba is not set 
up to handle it either.   Any ideas on how to accomplish something similar
without that ability?

Ted

-- 
|   Ted Wisniewski    		     E-Mail:  ted at mail.plymouth.edu        |
|   Manager, Systems Group           WEB:     http://oz.plymouth.edu/~ted/ |
|   Information Technology Services                                        |
|   Plymouth State University        Phone:   (603) 535-2661               |
|   Plymouth NH, 03264               Fax:     (603) 535-2263               |
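The diagnosis in this thread comes down to one rule: the domain part of each user's sambaSID (everything before the final RID) must equal the SID that `net getlocalsid` reports for the domain the samba server belongs to. The following is an added example, not code from the thread or from the Samba project: a small script that reads slapcat/ldapsearch-style LDIF and flags sambaSamAccount entries whose sambaSID or sambaPrimaryGroupSID belongs to a different domain, or that have no sambaSID at all. The domain SID is assumed to be the prefix of the working entry quoted above; the mismatched SID in the second sample entry and the third entry are constructed, and the password-hash attributes are deliberately left out. The parser is a simplified one (no base64 `::` values).

```python
"""Audit sambaSamAccount LDIF entries against the domain SID."""
from typing import Dict, List

# Domain SID as `net getlocalsid` would report it (assumed here from the
# prefix of the working entry in the thread).
DOMAIN_SID = "S-1-5-21-204843054-3526713080-3458795326"

# Constructed sample slapcat output. Entry 1 matches the domain, entry 2
# carries a SID from another (constructed) domain, entry 3 has no sambaSID.
SAMPLE_LDIF = """\
dn: uid=working,ou=People,dc=plymouth,dc=edu
objectClass: sambaSamAccount
objectClass: account
uid: working
sambaSID: S-1-5-21-204843054-3526713080-3458795326-3472
sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-513
sambaAcctFlags: [U          ]

dn: uid=notworking,ou=People,dc=plymouth,dc=edu
objectClass: sambaSamAccount
objectClass: account
uid: notworking
sambaSID: S-1-5-21-111111111-222222222-333333333-3472
sambaPrimaryGroupSID: S-1-5-21-111111111-222222222-333333333-1399
sambaAcctFlags: [U          ]

dn: uid=nosid,ou=People,dc=plymouth,dc=edu
objectClass: sambaSamAccount
objectClass: account
uid: nosid
sambaAcctFlags: [U          ]
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: entries are separated by blank lines, each
    'attr: value' line is collected into a list per attribute (LDAP
    attribute names are case-insensitive, so keys are lower-cased), and a
    line starting with a space continues the previous value."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for line in text.splitlines():
        if line.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += line[1:]
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        last_attr = attr.strip().lower()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def sid_domain_part(sid: str) -> str:
    """Strip the trailing RID: S-1-5-21-a-b-c-3472 -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]


def check_entry(entry: Dict[str, List[str]], domain_sid: str) -> List[str]:
    """Return a list of problems for one entry (empty list means it should
    be usable by a samba server whose local SID is domain_sid)."""
    uid = entry.get("uid", ["?"])[0]
    problems: List[str] = []
    classes = [c.lower() for c in entry.get("objectclass", [])]
    if "sambasamaccount" not in classes:
        problems.append(f"{uid}: missing objectClass sambaSamAccount")
    sids = entry.get("sambasid", [])
    if not sids:
        problems.append(f"{uid}: no sambaSID")
    elif sid_domain_part(sids[0]) != domain_sid:
        problems.append(f"{uid}: sambaSID {sids[0]} is not in domain {domain_sid}")
    group = entry.get("sambaprimarygroupsid", [])
    if group and sid_domain_part(group[0]) != domain_sid:
        problems.append(f"{uid}: sambaPrimaryGroupSID {group[0]} is not in domain {domain_sid}")
    return problems


def audit(ldif_text: str, domain_sid: str) -> Dict[str, List[str]]:
    """Map each uid to its list of problems."""
    return {e.get("uid", ["?"])[0]: check_entry(e, domain_sid)
            for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for uid, problems in audit(SAMPLE_LDIF, DOMAIN_SID).items():
        print(uid, "OK" if not problems else "; ".join(problems))
```

Run against a real `slapcat` dump with the SID from `net getlocalsid` substituted for `DOMAIN_SID`, the script lists exactly the accounts that will fail to log on for the reason discussed in the thread, which is quicker than diffing working and non-working entries by hand.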