[Samba] Re: Authenticateing DC's on an ldap backend... nobody knows how?

Igor Belyi sambauser at katehok.ac93.org
Wed Sep 29 02:08:00 GMT 2004

Jim C. wrote:
> Folks have been telling me that it is best for one's Domain Controller 
> if it has it's own dn for accessing the ldap server rather than using 
> the ldap server's root dn. One of the issues is scalability. If you have 
> several balancing domain controllers, how do you know which one has made 
> changes to the database?  They will all show up in the logs as the root 
> dn unless you have it set up otherwise.
> What I've been hearing is that one does this by adding the 
> simpleSecurityObject to a host record so that it now has a password. 
> Then you include the dn of that host record as a member of the group 
> 'Domain Controllers' and set up the LDAP ACLs so that this group has 
> access.
> I can't get it to work to save my life.  For one thing, when I set it up 
> I frequently have problems with devfsd on startup.  Basically it simply 
> never completes so the startup process hangs.  If I comment out the line 
> below in /etc/devfsd.conf then devfsd will start but I don't know the 
> security implications so I would rather avoid it.

I still don't know what you have tried, and what it has to do with devfs 
(shouldn't you be moving away from it to udev?!) But here's what I would do:

# Create your hashed password:
% slappasswd
New password:
Re-enter new password:

# Create your Samba admin DN:
% ldapadd -W -D <rooddn>
Enter LDAP Password:
dn: cn=dadmin,dc=yourdomain,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: dadmin
userPassword: {SSHA}<hashed-password>

# Verify that you can login with it by looking at yourself:
% ldapsearch -W -D cn=dadmin,dc=yourdomain,dc=com -s base -b 
Enter LDAP Password:
dn: cn=dadmin,dc=yourdomain,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: dadmin
userPassword: <base64 of the {SSHA}<hashed-password>>

# Verfiy that you don't have access to password fields yet.
# Don't worry if you have - it's just a security breach.
# You'll fix it in the next steps.
% ldapsearch -W -D cn=dadmin,dc=yourdomain,dc=com -s base -b 
Enter LDAP Password:
dn: uid=user,ou=People,dc=yourdomain,dc=com"
uid: user
cn: Simple User
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
shadowLastChange: 11740
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/zsh
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/user
gecos: Simple User,,,
sambaSID: <your domain SID>-3000
sambaPrimaryGroupSID: <your domain SID>-3001
displayName: Simple User,,,
00000000000000000000000000000000000000000000000000000000 00000000
sambaAcctFlags: [U          ]
sambaKickoffTime: 0
sambaPwdCanChange: 1095895480
sambaPwdMustChange: 1097709880
sambaPwdLastSet: 1095895480

# Add the following lines for your 'backend' in your slapd.conf
# Those a special lines for LM and NT password and restricted
# write access to trees written in your smb.conf as ldap suffixes.
# If you already have records for those fields you'll just need
# to add 'by dn='cn=dadmin,dc=yourdomain,dc=com" write' to them.
# read man slapd.access for details

access to attrs=SambaLMPassword,SambaNTPassword
	by dn="cn=dadmin,dc=yourdomain,dc=com" write
	by self write
	by * none

access to dn.subtree="ou=People,dc=yourdomain,dc=com"
	by dn="cn=dadmin,dc=yourdomain,dc=com" write
	by * read

access to dn.subtree="ou=Group,dc=yourdomain,dc=com"
	by dn="cn=dadmin,dc=yourdomain,dc=com" write
	by * read

access to dn.subtree="ou=Computers,dc=yourdomain,dc=com"
	by dn="cn=dadmin,dc=yourdomain,dc=com" write
	by * read

# Restart slapd and see if your "cn=dadmin,dc=yourdomain,dc=com"
# can see now LM and NT password fields of
# "cn=user,ou=People,dc=yourdomain,dc=com" by repeating the last
# search

# You can also check that "cn=dadmin,dc=yourdomain,dc=com" has write
# access by changing something:
% ldapmodify -W -D "cn=dadmin,dc=yourdomain,dc=com"
Enter LDAP Password:
dn: cn=user,ou=People,dc=yourdomain,dc=com
changetype: modify
replace: gecos
gecos: Not that Simple User,,,,


# Now edit your smb.conf to change 'ldap admin dn':
ldap admin dn = cn=dadmin,dc=yourdomain,dc=com

# Update password Samba uses with this DN:
% smbpasswd -w <you cn=dadmin secret>

# Restart Samba and it will use this new none Root DN

# After that you can start playing with LDAP groups.
# By I'm not that familiar with them. I suspect that
# you will need to change your access line
# 'by dn='cn=dadmin,dc=yourdomain,dc=com" write'
# for all access statements to the following:
  by group="cn=Domain Controllers,dc=yourdomain,dc=com" write

# Then add this group to LDAP with your Admin DN in its member field:
% ldapadd -W -D <rootdn>
Enter LDAP Password:
dn: cn=Domain Controllers,dc=yourdomain,dc=com
objectClass: groupOfNames
cn: Domain Controllers
member: cn=dadmin,dc=yourdomain,dc=com

# Restart slapd and check that you still have access to
# LM and NT passwords and can change fields in records.
# By this time you should have accomplish what you wanted to do.

# It's that simple! ;o)

Hope it helps,

More information about the samba mailing list