[Samba] Winbind/LDAP Backend question

[Paul Gienger]

Nik Reiman wrote:

> Hello,
> Recently, I've spent the last few days trying to get some unix client 
> boxes to authenticate logins via winbind, so all of our unix system 
> accounts can be maintained from active directory.  So far, everything 
> is working, and users can authenticate into the system, but they are 
> assigned random uid/gid values, based on the smb.conf as well as the 
> internal winbind_idmap.tdb file.
> Anyways, since users' home directories are in NFS, the uid/gid need to 
> be uniform across the network, which is where ldap comes in.  So, we 
> added a set of schema to active directory in windows, and now every 
> user has two new fields, uidNumber and gidNumber.  The only thing I 
> need to do now is somehow get samba to get this information out of the 
> AD via LDAP, and use it rather than letting samba make its own uid table.
> I set up samba with all the relevant details of how to contact our AD 
> server with LDAP (I should note that I can browse the uidNumber and 
> gidNumber fields from a command line in unix with the ldapsearch 
> tool).  However, for whatever reason, samba can't seem to authenticate 
> this way, and no information gets dumped to the error logs.  Here's 
> the smb.conf I've been working with:
>
> [global]
>         workgroup = WORKGROUP
>         security = DOMAIN
>         log level = 10
>         log file = /var/adm/samba.log
>         local master = No
>         domain master = No
>         wins server = leviathan
>         ldap server = zurg
>         ldap suffix = dc=example,dc=com
>         ldap user suffix = ou=Employees
>         ldap group suffix = ou=Groups
>         ldap filter = (uidNumber=%u)
>         ldap admin dn = cn=Administrator,cn=Users,dc=example,dc=com
>         ldap ssl = no
>         idmap backend = ldap:ldap://zurg
>         idmap uid = 1000-2000
>         idmap gid = 600-1000
>         template primary group = employee
>         template homedir = /home/%U
>         template shell = /bin/bash
>         winbind use default domain = Yes
>
> Here, zurg is our AD server (running windows 2003 server).  The only 
> thing that I can think of that might be bad is that it won't allow 
> anonymous binds... yet I haven't seen any place to put in a bind 
> password for LDAP.  Does anyone know how I might be able to get this 
> up and running?

To do that part you issue a
smbpasswd -w <passwordstring>
on the command line of your samba box to set the bind password to 
associate with the ldap admin dn. 

Have you tried storing your winbind idmap on an openldap (or other ldap) 
server?  You could either manually pull the SIDs from the windows 
directory and then sync them with uids with a script, or you could 
change the uid stored in the idmap database to match the uid manually as 
the users connect.  I suppose you could store that in your AD server as 
well, no real reason you couldn't.  This wouldn't be reinventing the 
wheel quite as much and samba will work out of the box with that idmap data.

>
> Thanks,
> Nik
>
> -- 
> // Nik Reiman || nik at aboleo.net || http://www.aboleo.net \\
>

-- 
Paul Gienger                     Office:		701-281-1884
Applied Engineering Inc.         Cell:			701-306-6254
Information Systems Consultant   Fax:			701-281-1322
URL: www.ae-solutions.com        mailto:pgienger at ae-solutions.com