[Samba] Initial samba + ldap howto

Wim Bakker koreander at planet.nl
Mon Apr 12 15:28:35 GMT 2004

A couple of days ago I decided that I needed a samba and ldap
setup. After reading the samba mailing list , specifically the
thread "Re: [Samba] Samba and LDAP backend - howto docs problems?"
I decided to buy the Official Samba-3 HowTo and Reference guide",
(the Samba-3 By Example mentioned in that thread wasn't available
in my bookstore and they could't order it for me too) expecting
to find a workable example for a setup, as I made out more or less
from the remarks in that thread there would be, chapter 2 specifically.
That chapter has an example (page 26) but I wouldn't recommend to 
actually use it, it's very limited and inaccurate, lacks information
of what more is needed, which additional system packages etc. It says
in the beginning that a functioning os is assumed , but that's rather
vague on what implies a functioning os. From page 136 on there are
some more examples of ldap pwdbackend, but hardly sufficient.
 http://www.unav.es/cti/ldap-smb-howto.html contains some sketchy
info on how to get samba-3 and ldap working, but that document seems
to be incomplete and transitioning from samba-2 to samba-3.
One of the posters on the aforementioned thread remarked that an accurate,
complete into detail, config file is a great help for learning to grasp
what has to be done , and how things work together, I agree and following
are the steps I took to get a working samba-3 + ldap install. I hardly know
anything of linux or samba , let alone ldap , but from the mailling list
I understood that the following is neccessary:
A goal:
get samba + ldap  on slackware 9.1 with support for acl's in a usable
state working.
The means:

I made the following install and configs, I don't know
how correct or secure or unneccessary they were, in the end 
I had a complete and correct funcioning ldap + samba setup,
that was usable.It was especially frustrating to get tls connection
working, it kept failing with the following error:
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca 
samba and ldap run on the same server. Besides the documented config
for slapd: (etc/openldap/slapd.conf)
TLSCertificateFile      /etc/ssl/certs/smb.ahm.nl.pem
TLSCertificateKeyFile   /etc/ssl/keys/smb.ahm.nl.key
TLSCACertificateFile    /etc/ssl/certs/ca.pem
quite important it is allso that ldap knows how to verify:
(/etc/ldap.conf symlink to /etc/openldap/ldap.conf):
TLS_CACERT /etc/ssl/certs/ca.pem
Maybe the documentation that exists mentions it, but I couldn't
find it. 
http://www.idealx.org/prj/samba/smbldap-tools.en.html was eventually
fairly helpful to get things right, including the initial populating
of the ldap database. Their site mentions two config files in 
/etc/smbldap-tools, but I think that configuration is overruled by
the file /usr/lib/perl5/site_perl/5.8.3/smbldap_conf.pm, which contains
the same info as those config files.I moved the /etc/smbldap-tools away
and everything still worked correctly with the parameters from
Allso , I don't think pam_ldap is neccessary if you don't have linux users.
Anyways, if the following example would have been in the howto, I wouldn't 
wasted 4 days, figuring out what was wrong/incomplete with the current example
in the howto book, but could have spent that time figuring out what it all
means. Everything comes from various websites, but there is no site where
it is complete in one place.

-slackware 9.1 
standard installation without samba and ldap etc. only basic + compiler +cups.

./config --prefix=/usr --openssldir=/etc/ssl shared zlib ; make ; make install

built with prefix=/usr , defaults accepted.
perl -MCPAN -e 'shell'
install Bundle::CPAN
(chose follow for dependencies)
install Net::LDAP
install Net::SSLeay
install IO::Socket::SSL

Net::SSLeay failed because of ou of memory
during tcp tests (I built everything on a dual P233 MMX
with 104Mb of edo-ram), but manually it installed fine.

./configure --prefix=/ --includedir=/usr/include --mandir=/usr/share/man \ 
--libexecdir=/usr/libexec --datadir=/usr/share --sysconfdir=/etc \
--localstatedir=/var  --infodir=/usr/share/info 
make install.

/etc/pam.d/passwd :
password    required      pam_cracklib.so
password    sufficient    pam_ldap.so
password    sufficient    pam_unix.so
password    required      pam_deny.so
auth        required      pam_nologin.so
auth        sufficient    pam_ldap.so
auth        sufficient    pam_unix.so shadow use_first_pass
auth        required      pam_deny.so
account     sufficient    pam_unix.so
account     sufficient    pam_ldap.so
account     required      pam_deny.so

auth            required        /lib/security/pam_env.so
auth            sufficient      /lib/security/pam_unix.so likeauth nullok
auth            sufficient      /lib/security/pam_ldap.so use_first_pass
auth            required        /lib/security/pam_deny.so
account         required        /lib/security/pam_unix.so
account         sufficient      /lib/security/pam_ldap.so
password        required        /lib/security/pam_cracklib.so retry=3 type=
password        sufficient      /lib/security/pam_unix.so nullok use_authtok 
md5 shadow
password        sufficient      /lib/security/pam_ldap.so use_authtok
password        required        /lib/security/pam_deny.so
session         required        /lib/security/pam_limits.so
session         required        /lib/security/pam_unix.so
session         optional        /lib/security/pam_ldap.so

../dist/configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var 
--enable-compat185 --enable-cxx 
make and make install

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var 
--enable-passwd --enable-perl --enable-shell --enable-crypt  --enable-rewrite 
--enable-ldap --enable-slapd --enable-dnssrv --enable-monitor 
--enable-shared; make depend ; make ; make install 

-nss_ldap and pam_ldap
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var 
make install
passwd:         files ldap
shadow:         files ldap
group:          files ldap
uri ldap://smb.ahm.nl/
base dc=ahm,dc=nl
pam_password exop
TLS certs:
% cd /etc/ssl
% ./misc/CA.sh -newca 
CA certificate filename (or enter to create) <enter> 

Country Name (2 letter code) [AU]:NL 
State or Province Name (full name) [Some-State]:Noordholland
Locality Name (eg, city) []:Amsterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:AHM 
Organizational Unit Name (eg, section) []:Suckers from Hell 
Common Name (eg, YOUR name) []:smb.ahm.nl 
Email Address []:. 
This creates demoCA/cacert.pem and demoCA/private/cakey.pem (CA cert and 
private key). 

Make your server certificate signing request (CSR): 

Country Name (2 letter code) [AU]:NL 
State or Province Name (full name) [Some-State]:Noordholland
Locality Name (eg, city) []:Amsterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:AHM 
Organizational Unit Name (eg, section) []:Suckers from Hell 
Common Name (eg, YOUR name) []:smb.ahm.nl 
Email Address []:wastebin at office.desk

% openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem 

A challenge password []: <pass> 
An optional company name []:. 
% etc....

The result is newreq.pem. 

Have the CA sign the CSR: 

% ./misc/CA.sh -sign 
Using configuration from /etc/ssl/openssl.cnf 
Enter PEM pass phrase: <ca pass> 

Certificate is to be certified until Apr 10 18:58:58 2004 GMT (365 days) 
Sign the certificate? [y/n]:y 
1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated 
Signed certificate is in newcert.pem 

This creates newcert.pem (server certificate signed by CA) with private key, 
Now the certificates can be moved to the desired certificate repository and 

% cp demoCA/cacert.pem /etc/ssl/certs/ca.pem 
% mv newcert.pem /etc/ssl/certs/smb.ahm.nl.pem 
% mv newreq.pem /etc/ssl/keys/smb.ahm.nl.key 
% chmod 400 /etc/ssl/keys/smb.ahm.nl.key
slappasswd -v -s secret:

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/samba.schema
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args
TLSCertificateFile      /etc/ssl/certs/smb.ahm.nl.pem
TLSCertificateKeyFile   /etc/ssl/keys/smb.ahm.nl.key
TLSCACertificateFile    /etc/ssl/certs/ca.pem
TLSCipherSuite         EXPORT56
database        bdb
suffix          "dc=ahm,dc=nl"
rootdn          "cn=Manager,dc=ahm,dc=nl"
rootpw          {SSHA}O/K3UXbzgy6wmx+wx7hEuTn0MJTeOACw
directory       /var/openldap-data
cachesize       40000
index           cn,sn,uid,displayName           pres,sub,eq
index           uidNumber,gidNumber             eq
index           sambaSID                        eq
index           sambaPrimaryGroupSID            eq
index           sambaDomainName                 eq
index           default                         sub
index memberUid     eq
index   objectClass     eq
access  to dn=".*,dc=ahm,dc=nl"
         by self                         write
         by *                            read

# LDAP Defaults
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE            dc=ahm,dc=nl
#URI            ldap://smb.ahm.nl
nss_base_passwd dc=ahm,dc=nl?sub
nss_base_shadow dc=ahm,dc=nl?sub
nss_base_group  dc=ahm,dc=nl?one
ssl             no
pam_passwd      md5
TLS_CACERT /etc/ssl/certs/ca.pem

-acl-2.2.x and attr-2.4.x from sgi and kernel patches from bestbits.
Build kernel with acl support etc. and libraries. 
patched and rebuilt the coreutils after that allso.
mount filesystems with acl,user_xattr options to have it work (ext2,ext3).

./configure --with-automount --with-smbmount --with-acl-support 
--with-libsmbclient --with-configdir=/etc/samba 
--with-logfilebase=/var/log/samba --with-privatedir=/etc/samba/private 
--with-lockdir=/var/lock/samba --with-piddir=/var/run --enable-cups 
--with-ldap ; make install

        workgroup = AHM
        netbios name = LAVIE
        server string = Samba PDC running %v
        passdb backend = ldapsam:ldap://localhost
        username map = /etc/samba/smbusers
        encrypt passwords = Yes
        update encrypted = Yes
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 
        add user script = /usr/local/sbin/smbldap-useradd -m "%u"
        add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
        add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" 
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x 
"%u" "%g"
        set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" 
        logon script = logon.bat
        logon path = \\%L\profiles\%U
        logon drive = H:
        logon home = \\%L\%U\.profile
        domain logons = Yes
        os level = 255
        preferred master = Yes
        domain master = Yes
        local master = Yes
        wins support = Yes
        ldap suffix = dc=ahm,dc=nl
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=People
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=People
        ldap admin dn = "cn=Manager,dc=ahm,dc=nl"
        ldap ssl = start_tls
        ldap passwd sync = yes
        ldap delete dn = Yes
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        winbind separator = +

Still not sure what idmap uid and gid now exactly do, but the
entries don't seem to be harmfull as up till now.The reference
guide and howto explain it(page 151), but I don't understand 
that explanation or it's implication. It doesn't seem to influence
the UID_START GID_START parameters of the smbldap_tools or prevent
the correct working of the net command, so I suppose it's ok to have
them there.
extracted to /usr/local/sbin
moved smbldap_conf.pm  and smbldap_tools.pm
to /usr/lib/perl5/site_perl/5.8.3/
built mkntpwd and moved to /usr/local/sbin.
smbldap_conf.pm variables:
$UID_START = 1000;
$GID_START = 1000;
# to obtain this number do: "net getlocalsid"
$SID = "S-1-5-21-4269728302-1655870493-3894479995";
$slaveLDAP = "";
$slavePort = "389";

# Master LDAP : needed for write operations
# Ex: $masterLDAP = "";
$masterLDAP = "";
$masterPort = "389";

# Use SSL for LDAP
# If set to "1", this option will use start_tls for connection
# (you should also used the port 389)
$ldapSSL = "1";
$suffix = "dc=ahm,dc=nl";
$usersou = q(People);
$usersdn = "ou=People,$suffix";
$computersou = q(Computers);
$computersdn = "ou=Computers,$suffix";
$groupsou = q(Groups);
$groupsdn = "ou=Groups,$suffix";
$scope = "sub";
$hash_encrypt = "SSHA";
$binddn = "cn=Manager,$suffix";
$bindpasswd = "secret";
$slaveDN = $binddn;
$slavePw = $bindpasswd;
$masterDN = $binddn;
$masterPw = $bindpasswd;
$_userLoginShell = q(/bin/false);
$_userHomePrefix = q(/shares/home);
$_userGecos = q(System User);
$_defaultUserGid = 513;
$_defaultComputerGid = 553;
$_skeletonDir = q(/etc/skel);
$_defaultMaxPasswordAge = 45;

$_userSmbHome = q(\\\\LAVIE\\homes);
$_userProfile = q(\\\\LAVIE\\profiles\\);
$_userHomeDrive = q(H:);
$_userScript = q(startup.cmd); # make sure script file is edited under dos
$with_smbpasswd = 0;
$smbpasswd = "/usr/local/samba/bin/smbpasswd";
$mk_ntpasswd = "/usr/local/sbin/mkntpwd";
$slaveURI = "ldap://$slaveLDAP:$slavePort";
$masterURI = "ldap://$masterLDAP:$masterPort";

$ldap_path = "/usr/bin";

if ( $ldapSSL eq "0" ) {
        $ldap_opts = "-x";
} elsif ( $ldapSSL eq "1" ) {
        $ldap_opts = "-x -Z";
} else {
        die "ldapSSL option must be either 0 or 1.\n";
$ldapmodify = "$ldap_path/ldapmodify $ldap_opts -H $masterURI -D '$masterDN' 
-w '$masterPw'";


# - The End
#I think the  $_userSmbHome and the $_userProfile should be
#q(\\\\LAVIE\\$user) and q(\\\\LAVIE\\profiles\\$user) resp.
#with the lam webinterface that gets correct.

Now starting /usr/libexec/slapd and /usr/local/samba/sbin/nmbd and

%smbpasswd -w secret
%Setting stored password for "cn=Manager,dc=ahm,dc=nl" in secrets.tdb

running smbldap_populate.pl fills ldap with the first initial
dn: sambaDomainName=AHM,dc=ahm,dc=nl
sambaDomainName: AHM
sambaSID: S-1-5-21-4269728302-1655870493-3894479995
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 41000
sambaNextGroupRid: 41001
structuralObjectClass: sambaDomain
entryUUID: 02deaf3c-2013-1028-860e-bb5268b7f8fd
creatorsName: cn=Manager,dc=ahm,dc=nl
createTimestamp: 20040411144816Z
entryCSN: 2004041114:48:16Z#0x0001#0#0000
modifiersName: cn=Manager,dc=ahm,dc=nl
modifyTimestamp: 20040411144816Z

added to /etc/group:

net groupmap list:
Domain Admins (S-1-5-21-4269728302-1655870493-3894479995-512) -> wheel
Domain Users (S-1-5-21-4269728302-1655870493-3894479995-513) -> smbusers
Domain Guests (S-1-5-21-4269728302-1655870493-3894479995-514) -> smbguests
exact (S-1-5-21-4269728302-1655870493-3894479995-3001) -> exact

smbldap-groupshow.pl exact:
dn: cn=exact,ou=Groups,dc=ahm,dc=nl
objectClass: posixGroup,sambaGroupMapping
cn: exact
gidNumber: 1000
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-3001
sambaGroupType: 4
memberUid: gerrit,piet

net rpc group LIST global -U administrator
Domain Admins
Domain Users
Domain Guests
Power Users
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Computers

smbldap-useradd.pl -a -G 'Domain Admins' -d /shares/home/thadeus -s /bin/false 
-P -F '\\LAVIE\profiles\thadeus' -s 'Hermitage' -m -N "Thadeus Hermitage" 
-C'\\LAVIE\thadeus' thadeus :
adds thadeus to the domain admins and the domain users:
dn: uid=thadeus,ou=People,dc=ahm,dc=nl
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
cn: Thadeus Hermitage
sn: Hermitage
uid: thadeus
uidNumber: 1004
gidNumber: 513
homeDirectory: /shares/home/thadeus
loginShell: /bin/false
gecos: System User
description: System User
structuralObjectClass: inetOrgPerson
entryUUID: e3926754-20cb-1028-9934-bb74a2f96abc
creatorsName: cn=Manager,dc=ahm,dc=nl
createTimestamp: 20040412125141Z
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-3008
sambaPrimaryGroupSID: S-1-5-21-4269728302-1655870493-3894479995-513
sambaHomeDrive: H:
sambaLogonScript: startup.cmd
sambaProfilePath: \\LAVIE\profiles\thadeus
sambaHomePath: \\LAVIE\thadeus
sambaLMPassword: 4411488B6354F2B8AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 7E07C8CA84F5765D8B5DFCF7AC5CEE04
sambaPwdLastSet: 1081774312
sambaPwdMustChange: 1085662312
userPassword:: e1NTSEF9R1FkakxPN1Bhc09OaEJQOXF5ZkNFN0dkOTBtTy96YjM=
entryCSN: 2004041212:51:52Z#0x0002#0#0000
modifiersName: cn=Manager,dc=ahm,dc=nl
modifyTimestamp: 20040412125152Z

and :
dn: cn=Domain Admins,ou=Groups,dc=ahm,dc=nl
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: Administrator
memberUid: thadeus
description: Netbios Domain Administrators
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-512
sambaGroupType: 2
displayName: Domain Admins
structuralObjectClass: posixGroup
entryUUID: 72f46890-2011-1028-8600-bb5268b7f8fd
creatorsName: cn=Manager,dc=ahm,dc=nl
createTimestamp: 20040411143705Z
entryCSN: 2004041212:51:42Z#0x0001#0#0000
modifiersName: cn=Manager,dc=ahm,dc=nl
modifyTimestamp: 20040412125142Z

ls -l /shares/home:
drwx------+   2 gerrit   smbusers     4096 Apr 11 19:01 gerrit
drwx------+   2 hornie   smbusers     4096 Apr 12 16:40 hornie
drwx------+   2 krelis   smbusers     4096 Apr 11 20:58 krelis
drwx------+   2 thadeus  smbusers     4096 Apr 12 14:51 thadeus

The only necessity is still to add manually the groups
for groupmapping to /etc/group, otherwise the users can't access the
shares that are for groups accessible. I thought it would be 
enough to add the group smbusers to ldap with the same gid as
"Domain Users" and that the entry in nsswitch.con: group:  files ldap, 
would do the rest , is not the case, though it is for users. 
Don't understand why or how. 

smbldap-groupadd.pl has the option -t , which is the grouptype, apparently
this can take the following types, domain, local and builtin, which will
be the sambaGroupType's 2, 4 and 5 which refer to, I think , the windows
         SID_NAME_USE_NONE = 0,/* NOTUSED */
         SID_NAME_USER    = 1, /* user */
         SID_NAME_DOM_GRP = 2, /* domain group */
         SID_NAME_DOMAIN  = 3, /* domain: don't know what this is */
         SID_NAME_ALIAS   = 4, /* local group */
         SID_NAME_WKN_GRP = 5, /* well-known group */
         SID_NAME_DELETED = 6, /* deleted account: needed for c2 rating */
         SID_NAME_INVALID = 7, /* invalid account */
         SID_NAME_UNKNOWN = 8  /* oops. */
as found on one of the websites.
What one should choose when creating a group is not clear to me, I suppose
that type 2 is a windows domain group , visible with windows tools and
needs to be mapped to a unix group with the same gid to function. 
Type 4 is a local unixgroup and has no groupmapping but exists in the 
ldap database and in /etc/group with the same gid. Type 5 is a riddle.
Hope this helps getting samba + ldap up and running a little faster
than I did.


More information about the samba mailing list