[Samba] Samba / LDAP on OpenBSD

Savaş İREZ si at z-sistem.com
Thu Dec 9 09:02:06 GMT 2004


I have an Open 3.5 box

What i want to do is to have a box authenticating from LDAP for 
Samba is supposed to be a PDC authenticating from LDAP.

I installed openldap-server-2.1.27 , openldap-client-2.1.27 from openbsd 
Openldap has ldbm backend, and i have a directory which i can use for 
smtp and pop authentication.

Bind is installed and dns records for myhost.com is working correctly.

Installed samba-3.0.9 from source with --with-ldap and --with-ldapsam
- The configuration files are at the end of the email.

Ran the smbldap-populate.pl and created the necessary directories,

when i try to create an account using smbldap-useradd.pl, it creates the 
ldap entries successfuly but can not create the unix user (actually i'm 
not sure if this is really necessary, since i dont want to use real 
users on my system)
./smbldap-useradd.pl -a savas (smbldap-useradd savas    didnt work either)

When i invoke command

# ../bin/net groupmap list
Domain Admins (S-1-5-21-4276031234-832571036-2739979074-512) -> Domain 
Domain Users (S-1-5-21-4276031234-832571036-2739979074-513) -> Domain Users
Domain Guests (S-1-5-21-4276031234-832571036-2739979074-514) -> Domain 
Administrators (S-1-5-21-4276031234-832571036-2739979074-544) -> 
users (S-1-5-21-4276031234-832571036-2739979074-545) -> users
Guests (S-1-5-21-4276031234-832571036-2739979074-546) -> Guests
Power Users (S-1-5-21-4276031234-832571036-2739979074-547) -> Power Users
Account Operators (S-1-5-21-4276031234-832571036-2739979074-548) -> 
Account Operators
Server Operators (S-1-5-21-4276031234-832571036-2739979074-549) -> 
Server Operators
Print Operators (S-1-5-21-4276031234-832571036-2739979074-550) -> Print 
Backup Operators (S-1-5-21-4276031234-832571036-2739979074-551) -> 
Backup Operators
Replicator (S-1-5-21-4276031234-832571036-2739979074-552) -> Replicator
Domain Computers (S-1-5-21-4276031234-832571036-2739979074-553) -> 
Domain Computers

Everything seems to be fine, but when i try to join the domain using

# ../bin/net rpc join -U Administrator
Dec  9 10:44:07 ldap smbd[14294]: [2004/12/09 10:44:07, 0] 
Dec  9 10:44:07 ldap smbd[14294]: [2004/12/09 10:44:07, 0] 
Dec  9 10:44:07 ldap smbd[14294]:   get_md4pw: Workstation LDAP$: no 
account in domain
Dec  9 10:44:07 ldap smbd[14294]:   get_md4pw: Workstation LDAP$: no 
account in domain
Could not connect to server LDAP
The username or password was not correct.

I can use shares with users' passwords, but cant join the domain

I don't have pam nor nss, i've been trying and searching the net for a 
solution but failed.
Solutions were all with pam or nss, so maybe i'm missing something which 
should be done for openbsd spesifically.

Ps: If  any information is missing, please letme know.

Any help will be greatly appreciated.


These are my conf files i used.

----- slapd.conf
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/qmail.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/samba.schema

#TLSCipherSuite MEDIUM
TLSCertificateFile /etc/openldap/crt.pem
TLSCertificateKeyFile /etc/openldap/key.pem

database        ldbm
suffix          "dc=myhost,dc=com"
rootdn          "cn=admin,dc=myhost,dc=com"
rootpw          "XXX"            
<-------------------------------------------- hashed with SSHA

directory       /usr/local/var/openldap/myhost.com

cachesize       40000
dbcachesize     60000000
index           cn,sn,uid,displayName           pres,sub,eq
index           uidNumber,gidNumber             eq
index           sambaSID                        eq
index           sambaPrimaryGroupSID            eq
index           sambaDomainName                 eq
index           objectClass                     pres,eq
#               old 2.x samba attrs
index           rid,primaryGroupID              eq
index           default                         sub

access  to dn=".*dc=myhost,dc=com"
        by self                         write
        by *                            read

----- end of slapd.conf

----- ldap.conf
URI ldaps://ldap.myhost.com/
tls_checkpeer yes
tls_cacert /etc/ssl/private/cacert.pem
----- end of ldap.conf

----- smb.conf
        netbios name = ldap
        server string = Samba %v on %L
        workgroup = MYHOST
; SAMBA-LDAP declarations
passdb backend = ldapsam:ldap://ldap.myhost.com/
idmap backend = ldap:ldap://ldap.myhost.com/
# ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
ldap admin dn = cn=admin,dc=myhost,dc=com
ldap suffix = dc=myhost,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=People
ldap idmap suffix = ou=Idmap
ldap ssl = start tls

add machine script = /usr/local/samba/smbldap-tools/smbldap-useradd -w "%u"
add user script = /usr/local/samba/smbldap-tools/smbldap-useradd -m "%u"
ldap delete dn = Yes
#delete user script = /usr/local/samba/smbldap-tools/smbldap-userdel "%u"
add machine script = /usr/local/samba/smbldap-tools/smbldap-useradd -w "%u"
add group script = /usr/local/samba/smbldap-tools/smbldap-groupadd -p "%g"
#delete group script = /usr/local/samba/smbldap-tools/smbldap-groupdel "%g"
add user to group script = 
/usr/local/samba/smbldap-tools/smbldap-groupmod -m "% u" "%g"
delete user from group script = 
/usr/local/samba/smbldap-tools/smbldap-groupmod -x "%u" "%g"
set primary group script = 
/usr/local/samba/smbldap-tools/smbldap-usermod -g "%g" "%u"

        os level = 65
        prefered master = yes
        domain master = yes
        local master = yes
        domain logons = yes

        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 

        time server = yes

        security = user
        guest ok = no
        invalid users = bin deamon sys man postfix mail ftp
        admin users = @wheel

        encrypt passwords = yes

        logon path = \\%N\profiles\%u

        ; general logon script (in DOS format)
        logon script = logon.bat

        path = /usr/local/samba/netlogon
        guest ok = Yes
        Locking = Yes
        public = no
        writeable = no
        browsable = no

; share for storing user profiles
        path = /usr/local/samba/profiles
        writeable = yes
        create mask = 0700
        directory mask = 0700
        browsable = no
--- end of smb.conf

--- smbldap_conf.pm
$UID_START = 2000;
$GID_START = 2000;


$slaveLDAP = "";
$slavePort = "389";

$masterLDAP = "";
$masterPort = "389";

$ldapSSL = "1";

$suffix = "dc=myhost,dc=com";

$usersou = q(People);
$usersdn = "ou=$usersou,$suffix";

$computersou = q(People);
$computersdn = "ou=$computersou,$suffix";

$groupsou = q(Groups);
$groupsdn = "ou=$groupsou,$suffix";

$scope = "sub";


$binddn = "cn=admin,$suffix";

$bindpasswd = "XXXX";                 
<--------------------------------------------------- My LDAP admin password

$slaveDN = $binddn;
$slavePw = $bindpasswd;
$masterDN = $binddn;
$masterPw = $bindpasswd;

$_userLoginShell = q(/bin/sh);

$_userHomePrefix = q(/home/);

$_userGecos = q(System User);

$_defaultUserGid = 513;

$_defaultComputerGid = 553;

$_userSmbHome = q(\\\\LDAP\\homes);

$_userProfile = q(\\\\LDAP\\profiles\\);

$_userHomeDrive = q(U:);

$with_smbpasswd = 0;
$smbpasswd = "/usr/bin/smbpasswd";
$mk_ntpasswd = "/sbin/mkntpwd";

$slaveURI = "ldap://$slaveLDAP:$slavePort";
$masterURI = "ldap://$masterLDAP:$masterPort";

$ldap_path = "/usr/local/bin";

#$ldapsearch = "$ldap_path/ldapsearch $ldap_opts -H $slaveURI -D 
'$slaveDN' -w  '$slavePw'";
#$ldapsearchnobind = "$ldap_path/ldapsearch $ldap_opts -H $slaveURI";
$ldapmodify = "$ldap_path/ldapmodify $ldap_opts -H $masterURI -D 
'$masterDN' -w  '$masterPw'";
#$ldappasswd = "$ldap_path/ldappasswd $ldap_opts -H $masterURI -D 
'$masterDN' -w '$masterPw'";
#$ldapadd = "$ldap_path/ldapadd $ldap_opts -H $masterURI -D '$masterDN' 
-w '$masterPw'";
#$ldapdelete = "$ldap_path/ldapdelete $ldap_opts -H $masterURI -D 
'$masterDN' -w '$masterPw'";
#$ldapmodrdn = "$ldap_path/ldapmodrdn $ldap_opts -H $masterURI -D 
'$masterDN' -w '$masterPw'";

---- end of smbldap_conf.pm

More information about the samba mailing list