[Samba] LDAP + samba + unix authentication

Robert robert at toltech.nl
Sat Jan 3 15:28:14 GMT 2004


Hi,
After a lot of trial and error I managed to get ldap + samba 3 running. 
Samba now authenticates through ldap. But somehow the difference between 
a unix and a samba login still exists.

I use smbldap-useradd.pl to create an ldap entry. There are two options:
With the "-a" option the entry contains the objectClass 
"sambaSamAccount", and a lot of Windows related attributes.
Without the mentioned option, the program creates an entry with 
objectClass "posixAccount" and the normal nss attributes.

Through smb.conf I have defined smbpasswd to use smbldap-useradd.pl to 
update the passwd in the ldap directory.

So, now I still have to have two entries per user in the ldap directory 
because with the sambaSamAccount userPassword is {SHA} encrypted and with 
the posixAccount the userPassword is {CRYPT} encrypted. Though two entries 
in LDAP is much more maintainable than anything I have seen before, I 
still have the idea that things can be solved more gracefully, with one 
entry and an automated password sync between unix and samba.

Any suggestions?
Kind regards,
Robert

Extra:
For those interested here are my ldap related smb.conf entries:

        add user script = /sbin/smbldap-useradd.pl -a -m "%u"
        delete user script = /sbin/smbldap-userdel.pl -r "%u"
        add user to group script = /sbin/smbldap-groupmod.pl -m "%u" "%g"
        delete user from group script = /sbin/smbldap-groupmod.pl -x "%u" "%g"
        set primary group script = /sbin/smbldap-usermod.pl -g "%g" "%u"
        add group script = /sbin/smbldap-groupadd.pl -a -p "%g"
        # group deletion must call the group tool, not smbldap-userdel.pl
        delete group script = /sbin/smbldap-groupdel.pl "%g"
        add machine script = /sbin/smbldap-useradd.pl -w -d /dev/null -g nobody -c "Machine Account" -s /bin/false "%u"
        ldap suffix = dc=salsatechnologies,dc=com
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
        ldap idmap suffix = ou=Idmap
        ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
        ldap admin dn = cn=admin,dc=salsatechnologies,dc=com
        ldap ssl = no
        ldap passwd sync = Yes
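The single-entry layout the post is asking about, as an added example that is not part of the original message: sambaSamAccount is an auxiliary objectClass, so one LDAP object can carry both the posixAccount attributes (userPassword for Unix logins) and the Samba attributes (sambaNTPassword, sambaSID), and with "ldap passwd sync = Yes" a password change through Samba updates userPassword in that same object. The helper below is hypothetical and assumes the smbldap-tools RID convention (user RID = 2*uid + 1000, group RID = 2*gid + 1001); the base DN and domain SID are placeholders passed in by the caller.

```shell
#!/bin/sh
# Hypothetical helper (not from the post or from smbldap-tools): emit an LDIF
# for ONE user entry that is both posixAccount and sambaSamAccount, so the
# Unix and Samba credentials live in the same LDAP object.

# smbldap-tools mapping of POSIX ids to Samba RIDs (assumption, stated above)
rid_for_uid() { echo $(( 2 * $1 + 1000 )); }
rid_for_gid() { echo $(( 2 * $1 + 1001 )); }

# make_user_ldif <uid> <uidNumber> <gidNumber> <baseDN> <domainSID>
make_user_ldif() {
    uid=$1; uidn=$2; gidn=$3; base=$4; sid=$5
    rid=$(rid_for_uid "$uidn")
    grid=$(rid_for_gid "$gidn")
    # The entry matches the post's "ldap filter" because it carries
    # objectClass sambaSamAccount; nss_ldap sees it via posixAccount.
    cat <<EOF
dn: uid=$uid,ou=People,$base
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: $uid
sn: $uid
uid: $uid
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: /home/$uid
loginShell: /bin/bash
sambaSID: $sid-$rid
sambaPrimaryGroupSID: $sid-$grid
sambaAcctFlags: [U          ]
# no password attributes here: set them once with smbpasswd, and
# "ldap passwd sync = Yes" keeps userPassword aligned with the NT hash
EOF
}

# Example run with constructed values (placeholder base DN and domain SID):
# make_user_ldif robert 1001 513 "dc=example,dc=com" "S-1-5-21-1-2-3" | ldapadd -x -D "cn=admin,dc=example,dc=com" -W
```

The generated LDIF is piped to ldapadd once; afterwards both the Unix login and the Samba login resolve to the same DN, so there is no second entry to keep in sync by hand.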