[Samba] Samba as a PDC with LDAP and Kerberos

Ti Leggett leggett at ci.uchicago.edu
Fri Apr 22 21:06:01 GMT 2005


I've been searching and researching this and I can't seem to find the
answers I'm looking for. I'd like to set up a Samba PDC that Windows
clients will join. The PDC will use an LDAP backend to get authorization
information (username, home directory, etc). The authentication portion
is handled by an MIT Kerberos KDC. I think I'm real close to having it
all together but I'm not sure. I have the Windows client set up to point
at my KDC so authentication *should* be coming from there once the
authorization portion is going.

So first question is, are sambaLMPassword and sambaNTPassword still
needed in LDAP for each user?

Here's the output from ksetup /dumpstate:

Machine is not configured to log on to an external KDC. Probably a
workgroup member
EXAMPLE.COM:
	kdc = <kdc1 server>
	kdc = <kdc2 server>
	kpasswd = <kpasswd server>
	Realm Flags = 0x0 none
No user mappings defined.

Second, here's what I have in LDAP so far:

dn: ou=Samba,dc=example,dc=com
objectClass: organizationalUnit
ou: Samba

dn: sambaDomainName=EXAMPLE.COM,ou=Samba,dc=example,dc=com
objectClass: top
objectClass: sambaDomain
sambaSID: S-1-5-21-2230234512-1629394365-1821015051
sambaDomainName: EXAMPLE.COM

dn: uid=samba_server,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: uidObject
sn: samba_server
cn: samba_server
userPassword: <hidden>
uid: samba_server

dn: cn=Domain Admins,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 1011
memberUid: leggett
sambaGroupType: 2
description: Windows Domain Administrators
sambaSIDList: S-1-5-21-2230234512-1629394365-1821015051-3002
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-512

dn: cn=Domain Users,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 1012
sambaGroupType: 2
description: Windows Domain Users
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-513

dn: cn=Domain Guests,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: Domain Guests
gidNumber: 1013
sambaGroupType: 2
description: Windows Domain Guests
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-514

dn: uid=leggett,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
cn: Ti Leggett
givenName: Ti
sn: Leggett
mail: leggett at example.com
uid: leggett
uidNumber: 1001
homeDirectory: /home/leggett
loginShell: /bin/bash
gidNumber: 1000
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-3002
sambaLMPassword: <hidden>
sambaNTPassword: <hidden>
sambaAcctFlags: [U         ]
sambaPrimaryGroupSID: S-1-5-21-2230234512-1629394365-1821015051-512

I've done a smbpasswd -w <hidden samba_server password>

I can do a net getlocalsid and it will get the correct SID out of LDAP.

However, when I try to join my Windows client to the EXAMPLE.COM domain,
I can see the ldap queries happening, but the Windows client reports an
invalid username.

Not sure if these are related questions or not, but what are the
sambaAcctFlags values and meanings? And, is it necessary to have an ldap
entry of uid=WINDOWSCLIENT$,ou=people,dc=example,dc=com?

And lastly, here are the relevant sections from my smb.conf:

[global]
        workgroup = EXAMPLE.COM
        realm = EXAMPLE.COM
        password server = <kpasswd server>
        netbios name = CI-PDC
        server string = Example Primary Domain Controller
        passdb backend = ldapsam:ldap://<ldap server>
        domain logons = Yes
        os level = 33
        preferred master = Yes
        domain master = Yes
        ldap admin dn = uid=samba_server,ou=people,dc=example,dc=com
        ldap group suffix = ou=group
        ldap machine suffix = ou=hosts
        ldap suffix = dc=example,dc=com
        ldap ssl = start tls
        ldap user suffix = ou=people
        admin users = leggett

I can send logs from the LDAP server if they might be helpful. Thanks ahead
of time!
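As an added example (not part of the original post or of Samba itself): a small Python check run over an LDIF excerpt constructed from the entries above. It decodes the letters Samba's passdb writes into sambaAcctFlags and cross-checks each sambaSamAccount's SID prefix and sambaPrimaryGroupSID against the sambaDomain and sambaGroupMapping entries; the rule that a user's gidNumber should match its primary group's gidNumber is the example's own consistency assumption.

```python
from collections import defaultdict

# Constructed LDIF excerpt modelled on the post's entries (not copied verbatim).
LDIF = """dn: sambaDomainName=EXAMPLE.COM,ou=Samba,dc=example,dc=com
objectClass: sambaDomain
sambaSID: S-1-5-21-2230234512-1629394365-1821015051

dn: cn=Domain Admins,ou=group,dc=example,dc=com
objectClass: sambaGroupMapping
gidNumber: 1011
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-512

dn: uid=leggett,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
gidNumber: 1000
sambaSID: S-1-5-21-2230234512-1629394365-1821015051-3002
sambaAcctFlags: [U         ]
sambaPrimaryGroupSID: S-1-5-21-2230234512-1629394365-1821015051-512"""

# Letters Samba's passdb writes into the bracketed, space-padded sambaAcctFlags field.
ACCT_FLAGS = {"U": "normal user", "W": "workstation trust", "S": "server trust", "I": "interdomain trust",
              "D": "disabled", "N": "no password required", "X": "password never expires", "L": "auto-locked"}

def decode_acct_flags(value):
    return [ACCT_FLAGS.get(c, "unknown(%s)" % c) for c in value.strip("[]").replace(" ", "")]

def parse_ldif(text):  # minimal reader: one attribute -> [values] dict per blank-line separated entry
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs[key].append(value)
        entries.append(attrs)
    return entries

def check_sam(entries):
    """Cross-check each sambaSamAccount against the sambaDomain and sambaGroupMapping entries."""
    problems = []
    dom_sid = next(e for e in entries if "sambaDomain" in e["objectClass"])["sambaSID"][0]
    groups = {e["sambaSID"][0]: e for e in entries if "sambaGroupMapping" in e["objectClass"]}
    for e in (x for x in entries if "sambaSamAccount" in x["objectClass"]):
        dn, sid, pg = e["dn"][0], e["sambaSID"][0], e["sambaPrimaryGroupSID"][0]
        if not sid.startswith(dom_sid + "-"):
            problems.append(f"{dn}: sambaSID {sid} is not under domain SID {dom_sid}")
        if (grp := groups.get(pg)) is None:
            problems.append(f"{dn}: sambaPrimaryGroupSID {pg} has no sambaGroupMapping entry")
        elif grp["gidNumber"] != e["gidNumber"]:  # example's own rule: posix gid should match primary group
            problems.append(f"{dn}: gidNumber {e['gidNumber'][0]} differs from primary group gid {grp['gidNumber'][0]}")
    return problems
```

On the constructed excerpt the only finding is the gidNumber 1000 vs 1011 mismatch for uid=leggett; the SID prefix and group-mapping lookups pass.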


