[Samba] Re: Need help configuring Samba3/LDAP PDC

Aaron Ogden aogden at gxt.com
Mon Jun 14 20:44:52 GMT 2004

Craig White wrote:

>On Fri, 2004-06-11 at 13:16, rwallace at thewallacepack.net wrote:
>>Aaron Ogden wrote:
>>>On a related note, I've imported lots of NIS data into this LDAP 
>>>directory, so I have lots of valid Unix accounts.  These are working 
>>>properly on LDAP-enabled linux machines, but how do I 'convert' them 
>>>for use with Samba?  Ideally I would like to have one record for each 
>>>user that contains all of the samba data as well as the unix data.  Is 
>>>there an easy way to add the appropriate samba fields to 'normal' 
>>>posixAccounts?  Is there a FAQ that covers the procedure?  Any help 
>>>would be welcome.
>>That's a good question and I hope someone has an answer.  I tried to do 
>>the same a while back and didn't have any luck either.  You can't use 
>>the smbldap-useradd scripts or smbpasswd -a 'cause those will only tell 
>>you that the entry already exists.  Oooo... but it looks like you can 
>>use "smbldap-usermod -a" to add the necessary objectclass and whatnot.  
>>Play around with that and see what happens.
>I have not played with smbldap-usermod -a but that might very well work.
>What I did play with was webmin - www.webmin.com
>Properly configured, webmin's LDAP Users & Groups can add all of the
>samba properties desired to any user by editing the user and clicking
>the samba button. I found this to be a very valuable tool for less than
>versant office manager to add/delete accounts, edit passwords, etc. This
>is the best solution that I have found to date (though LAM looks pretty
Thanks Craig.  I discovered the joys of Webmin a few weeks ago and I
agree, it's a great tool for managing LDAP data, especially for people
who don't completely understand LDAP yet.  I found another tool called
LDAP Browser/Editor which has worked really well... it's java based so
it runs on anything and it allows one to easily edit or delete any
object in the LDAP tree.  I have used Webmin to add the Samba fields to
my account and it works great.  The problem is that I have lots of users
and I don't want to give myself carpal tunnel syndrome by clicking that
many times.  Another problem is that I want to preserve the old Samba
passwords instead of resetting them to some default value.  :-)  I
worked out a way to do this via shell script, I have used it to enable
samba access for 250 accounts.  Works like a charm.

# create_samba_accounts.sh 2004-06-14 AAO
USERLIST=`grep -v '^#' $SMBPASSWD | awk -F':' '{print $1}'`
LDAPADMIN="<LDAP admin dn>"
LDAPPASSWD="<LDAP admin password>"
PEOPLEOU="<LDAP ou for user accounts>"
   # grab password hashes from smbpasswd file
   USERID=`grep -v '^#' $SMBPASSWD | grep ^$USER: | awk -F':' '{print $2}'`
   LMPASSWD=`grep -v '^#' $SMBPASSWD | grep ^$USER: | awk -F':' '{print 
   NTPASSWD=`grep -v '^#' $SMBPASSWD | grep ^$USER: | awk -F':' '{print 
   # create LDIF file for modifications
   printf "dn: uid=$USER,$PEOPLEOU\nchangetype: modify\nreplace: 
sambaLMPassword\nsambaLMPassword: $LMPASSWD\n-\nreplace: 
sambaNTPassword\nsambaNTPassword: $NTPASSWD\n-\n" > $LDIF
   # print variables to stdout (sanity check)
   printf "username: $USER\nuser id : $USERID\nLM password: 
$LMPASSWD\nNT password: $NTPASSWD\n"
   # printf "contents of $LDIF:\n"
   # cat $LDIF
   # printf "\n"
   # check for existing account
   if /usr/bin/ldapsearch -x "uid=$USER" | grep uidNumber 2>&1 > /dev/null;
      printf "$USER: account exists in LDAP database\n" >> $LOGFILE
      printf "$USER: account not found, creating account now...\n" >> 
      ./smbldap-useradd.pl $USER
   # check for existing samba records
   if /usr/bin/ldapsearch -x "uid=$USER" | grep sambaSamAccount 2>&1 > 
      printf "$USER: already has samba records\n" >> $LOGFILE
      # add sambaSamAccount records to user account
      printf "$USER: samba records not found, adding them now...\n" >> 
      ./smbldap-usermod.pl -a $USER
   # enable user account and set initial password
   /usr/bin/smbpasswd -a -e $USER $USER
   # use ldapmodify to set password
   /usr/bin/ldapmodify -x -w $LDAPPASSWD -D "$LDAPADMIN" -f $LDIF
   # delete LDIF file
   rm $LDIF
   # check for null passwords
      # user has null password; log it and continue
      printf "$USER: sambaLMPassword is not set\n" >> $LOGFILE
      # user has null password; log it and continue
      printf "$USER: sambaNTPassword is not set\n" >> $LOGFILE


More information about the samba mailing list