[Samba] LDAP + samba + unix authentication

Robert robert at toltech.nl
Sat Jan 3 15:28:14 GMT 2004

After a lot of trial and error I managed to get ldap + samba 3 running. 
Samba now authenticates through ldap. But somehow the difference between 
a unix and a samba login still exists.

I use smbldap-useradd.pl to create an ldap entry. There are two options:
With the "-a" option the entry contains the objectClass 
"sambaSamAccount", and a lot of Windows related attributes.
Without the mentioned option, the program creates an entry with 
objectClass "posixAccount" and the normal nss attributes.

Through smb.conf I have defined smbpasswd to use smbldap-useradd.pl to 
update the passwd in the ldap directory.

So, now I still have to have two entries per user in the ldap directory 
because with the sambaSamAccount userPasswd is {SHA} encrypted and with 
the posixAccount the userPasswd is {CRYPT} encrypted. Though two entries 
in LDAP is much more maintainable than anything I have seen before, I 
still have the idea that things can be solved more gracefully, with one 
entry and an automated password sync between unix and samba.

Any suggestions?

Kind regards,

For those interested here are my ldap related smb.conf entries:

        add user script = /sbin/smbldap-useradd.pl -a -m "%u"
        delete user script = /sbin/smbldap-userdel.pl -r "%u"
        add user to group script = /sbin/smbldap-groupmod.pl -m "%u" "%g"
        delete user from group script = /sbin/smbldap-groupmod.pl -x "%u" "%g"
        set primary group script = /sbin/smbldap-usermod.pl -g "%g" "%u"
        add group script = /sbin/smbldap-groupadd.pl -a -p "%g"
        # groups are removed with smbldap-groupdel.pl, not smbldap-userdel.pl
        delete group script = /sbin/smbldap-groupdel.pl "%g"
        add machine script = /sbin/smbldap-useradd.pl -w -d /dev/null -g nobody -c "Machine Account" -s /bin/false "%u"
        ldap suffix = dc=salsatechnologies,dc=com
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
        ldap idmap suffix = ou=Idmap
        ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
        ldap admin dn = cn=admin,dc=salsatechnologies,dc=com
        ldap ssl = no
        ldap passwd sync = Yes

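As an added illustration (not from the poster or from smbldap-tools), the following Python builds the kind of single LDAP entry the message is aiming at: one object that is both a posixAccount (for nss/pam) and a sambaSamAccount (for Samba), with the unix-side userPassword stored as {SHA} so the same entry serves both logins. The domain SID, base DN and the rid = 2*uidNumber+1000 mapping are assumptions here (the last one follows the smbldap-tools convention; the real SID comes from `net getlocalsid`). The NT hash attribute is deliberately not generated: `smbpasswd -a` sets it, and with `ldap passwd sync = Yes` Samba rewrites userPassword at the same time, which is what makes one entry enough.

```python
import base64
import hashlib
import hmac

# Constructed placeholder values; replace with the real domain SID and
# the "ldap suffix" / "ldap user suffix" from smb.conf.
DOMAIN_SID = "S-1-5-21-1-2-3"      # placeholder, see `net getlocalsid`
BASE_DN = "dc=example,dc=com"      # placeholder for "ldap suffix"
USER_OU = "ou=People"              # matches "ldap user suffix"


def sha_userpassword(password: str) -> str:
    """Return an RFC 2307 style {SHA} userPassword value (base64 of raw SHA-1)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Compare a candidate password with a stored {SHA} value in constant time.

    This mirrors what the unix side does with userPassword; only the {SHA}
    scheme is handled in this example.
    """
    if not stored.startswith("{SHA}"):
        raise ValueError("only {SHA} values are handled here")
    return hmac.compare_digest(stored, sha_userpassword(candidate))


def samba_sid(uid_number: int) -> str:
    """Assumed smbldap-tools convention: rid = 2 * uidNumber + 1000."""
    return f"{DOMAIN_SID}-{2 * uid_number + 1000}"


def combined_entry(uid: str, uid_number: int, gid_number: int, password: str) -> str:
    """LDIF for ONE entry that is both a posixAccount and a sambaSamAccount.

    person/posixAccount MUST attributes: cn, sn, uid, uidNumber, gidNumber,
    homeDirectory.  sambaSamAccount MUST: sambaSID.  sambaNTPassword is left
    for `smbpasswd -a` to fill in.
    """
    lines = [
        f"dn: uid={uid},{USER_OU},{BASE_DN}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: posixAccount",
        "objectClass: sambaSamAccount",
        f"cn: {uid}",
        f"sn: {uid}",
        f"uid: {uid}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{uid}",
        "loginShell: /bin/bash",
        f"userPassword: {sha_userpassword(password)}",
        f"sambaSID: {samba_sid(uid_number)}",
        "sambaAcctFlags: [U          ]",
    ]
    return "\n".join(lines) + "\n"


def objectclasses(ldif: str) -> set:
    """Collect the objectClass values of a single-entry LDIF string."""
    return {
        line.split(":", 1)[1].strip()
        for line in ldif.splitlines()
        if line.startswith("objectClass:")
    }


if __name__ == "__main__":
    entry = combined_entry("robert", 1000, 100, "secret")
    print(entry)
    stored = entry.split("userPassword: ", 1)[1].splitlines()[0]
    print("unix check:", verify_userpassword(stored, "secret"))
```

Pipe the printed LDIF into `ldapadd -x -D "cn=admin,dc=example,dc=com" -W` (with the real admin dn from smb.conf), then run `smbpasswd -a robert`; with `ldap passwd sync = Yes` the Samba password change also rewrites userPassword, so the two sides stay in step without a second entry.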