[Samba] Samba as a PDC with LDAP and Kerberos

Ti Leggett leggett at ci.uchicago.edu
Fri Apr 22 21:06:01 GMT 2005

I've been searching and researching this and I can't seem to find the
answers I'm looking for. I'd like to setup a Samba PDC that Windows
clients will join. The PDC will use an LDAP backend to get authorization
information (username, home directory, etc). The authentication portion
is handled by an MIT Kerberos KDC. I think I'm  real close to having it
all together but I'm not sure. I have the Windows client setup to point
at my KDC so authentication *should* be coming from there once the
authorization portion is going.

So first question is, are sambaLMPassword and sambaNTPassword still
needed in LDAP for each user?

Here's the output from ksetup /dumpstate:

Machine is not configured to log on to an external KDC. Probably a
workgroup member
	kdc = <kdc1 server>
	kdc = <kdc2 server>
	kpasswd = <kpasswd server>
	Realm Flags = 0x0 none
No user mappings defined.

Second, here's what I have in LDAP so far:

dn: ou=Samba,dc=example,dc=com
objectClass: organizationalUnit
ou: Samba

dn: sambaDomainName=EXAMPLE.COM,ou=Samba,dc=example,dc=com
objectClass: top
objectClass: sambaDomain
sambaSID: S-1-5-21-2230234512-1629394365-1821015051
sambaDomainName: EXAMPLE.COM

dn: uid=samba_server,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: uidObject
sn: samba_server
cn: samba_server
userPassword: <hidden>
uid: samba_server

dn: cn=Domain Admins,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 1011
memberUid: leggett
sambaGroupType: 2
description: Windows Domain Administrators
sambaSIDList: S-1-5-21-2230234512-1629394365-1821015051-3002
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-512

dn: cn=Domain Users,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 1012
sambaGroupType: 2
description: Windows Domain Users
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-513

dn: cn=Domain Guests,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: Domain Guests
gidNumber: 1013
sambaGroupType: 2
description: Windows Domain Guests
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-514

dn: uid=leggett,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
cn: Ti Leggett
givenName: Ti
sn: Leggett
mail: leggett at example.com
uid: leggett
uidNumber: 1001
homeDirectory: /home/leggett
loginShell: /bin/bash
gidNumber: 1000
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-3002
sambaLMPassword: <hidden>
sambaNTPassword: <hidden>
sambaAcctFlags: [U         ]
sambaPrimaryGroupSID: S-1-5-21-2230234512-1629394365-1821015051-512

I've done a smbpasswd -w <hidden samba_server password>

I can do a net getlocalsid and it will get the correct SID out of LDAP.

However, when I try to join my Windows client to the EXAMPLE.COM domain,
I can see the ldap queries happening, but the Windows client reports an
invalid username.

Not sure if these are related questions or not, but what are the
sambaAcctFlags values and meanings? And, is it necessary to have an ldap
entry of uid=WINDOWSCLIENT$,ou=people,dc=example,dc=com?

And lastly, here's relevant sections from my smb.conf:

        workgroup = EXAMPLE.COM
        realm = EXAMPLE.COM
        password server = <kpasswd server>
        netbios name = CI-PDC
        server string = Example Primary Domain Controller
        passdb backend = ldapsam:ldap://<ldap server>
        domain logons = Yes
        os level = 33
        preferred master = Yes
        domain master = Yes
        ldap admin dn = uid=samba_server,ou=people,dc=example,dc=com
        ldap group suffix = ou=group
        ldap machine suffix = ou=hosts
        ldap suffix = dc=example,dc=com
        ldap ssl = start tls
        ldap user suffix = ou=people
        admin users = leggett

I can send logs from LDAP server if they might be helpful. Thanks a head
of time!

More information about the samba mailing list