[Samba] SMB/LDAP: Confused...

Sensei senseiwa at tin.it
Tue Sep 27 16:01:04 GMT 2005


I have an existing departmental network based on AFS, Kerberos 5 and
LDAP. All Unixes work nicely, logging in remotely. So, Samba will act
as a PDC with OpenLDAP. Now I'd like to interoperate with all Windows
workstations. I chose the LDAP way, since it's the most flexible and
secure way... or at least, it seems to me more flexible than using a
single /etc/passwd file in a distributed environment.

LDAP contains a root dc=dept and we already have
groups and persons just working, and experimental hosts:

# group example
dn: cn=deptafs,ou=info,dc=dept
objectClass: top
objectClass: posixGroup
# the naming attribute must carry the RDN value (slapd rejects cn=deptafs with cn: diaafs)
cn: deptafs
gidNumber: 10000
description: general afs group

# user example
dn: uid=doe,ou=info,dc=dept
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: John
# uid is the RDN value; keep it identical to the dn (uid=doe)
uid: doe
uidNumber: 10000
gidNumber: 10000
description: info will be here
title: Mr.
sn: Doe
o: MyUniversity
ou: Dept
st: State
l: City
mail: doe at dept.org
gecos: ,,,
givenName: John
displayName: John Doe
homeDirectory: /afs/my.dept.org/users/d/doe
loginShell: /bin/bash

# host example
dn: cn=host.dept.org,ou=host,dc=dept
objectClass: locality
objectClass: ipHost
objectClass: ieee802Device
objectClass: bootableDevice
cn: host.dept.org
# ipHost requires ipHostNumber; 192.0.2.10 is a documentation-range placeholder
ipHostNumber: 192.0.2.10
macAddress: 00:00:00:00:00:00

My LDAP admin is cn=sysadmin and there's just a rootdn entry in
slapd.conf; the password is provided by Kerberos via GSSAPI/SASL.

I've got many questions, but one important thing is not to mess with
the LDAP database too much... I don't want to rewrite the db from scratch.
Now my concerns :)

The smbldap-tools are probably of no use to us, since all the docs
I've read start with smbldap-populate... but I have a db that is already
working. So, I need to add the minimum required entries into LDAP and
modify the existing names in order to make all users use the remote

My UIDs are LDAP-only. I generate them from AFS, so they are
unmodifiable. Of course, this shouldn't be an issue... I hope.

As far as I understand, I must add a dn for the domain. I have no
idea how to generate a SID, and I have no idea how RidBase works with
Samba if we do not use smbldap-tools. This is my example:

# TESTING, dia
dn: sambaDomainName=TESTING,dc=dept
sambaDomainName: TESTING
# identifier authority is 5 (NT authority), so a domain SID is S-1-5-21-...;
# every user and group SID in the domain must start with exactly this prefix
sambaSID: S-1-5-21-4231626423-2410014848-2360679739
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain

All users must be modified using the Samba schema. Again. What can I do
with SIDs (user and group)? I mean, can I use *any* SID I want derived
from the UID I have, or must I use some kind of trick? What about the LM
password and NT password? If I understand correctly, I will use the
userPassword field, not the other two. The profile can be put
wherever I want, if I understand correctly... so I'd like to store them under
/afs/../username/windows, i.e. username-dependent... this is difficult
for me to understand: how to specify a UNC path for user profiles,
given this unix pattern /afs/my.dept.org/users/d/doe, and putting
profiles under windows/ in each home directory. That's my guess,
wrong for sure:

dn: uid=doe,ou=info,dc=dept
# the auxiliary class sambaSamAccount must be present before any samba* attribute
# can be stored (cn, sn and the other existing attributes are unchanged and omitted here)
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: sambaSamAccount
uid: doe
uidNumber: 10000
gidNumber: 10000
homeDirectory: /afs/my.dept.org/users/d/doe
loginShell: /bin/bash
gecos: ,,,
description: info will be here
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: John Doe
# with ldapsam the stored RID is used as-is; only the domain prefix must match the sambaDomain entry
sambaSID: S-1-5-21-4231626423-2410014848-2360679739-3000
sambaPrimaryGroupSID: S-1-5-21-4231626423-2410014848-2360679739-513
sambaLogonScript: common.bat
sambaProfilePath: \\TESTINGPDC\users\d\doe\windows
sambaHomePath: \\TESTINGPDC\users\d\doe
sambaHomeDrive: Z:
# LM hash: DES-based and weak; it is optional and may be omitted
sambaLMPassword: 7584248B8D2C9F9EAAD3B435B51404EE
sambaAcctFlags: [U]
# NT hash = MD4(UTF-16LE password); this is what NTLM logons are verified against
sambaNTPassword: 186CB09181E2C2ECAAC768C47C729904
sambaPwdLastSet: 1081281346
sambaPwdMustChange: 1085169346
userPassword: {SSHA}jg1v0WaeBkymhWasjeiprxzHxdmTAHd+

[global]
netbios name = TESTINGPDC
enable privileges = yes
server string = Samba-LDAP
ldap passwd sync = yes
passdb backend = ldapsam:ldap://ldap.dept.org/
ldap admin dn = cn=sysadmin,dc=dept
ldap suffix = dc=dept
# the user/group/machine suffixes are partial DNs: Samba prepends them to
# "ldap suffix", so "ou=info,dc=dept" here would search ou=info,dc=dept,dc=dept
ldap group suffix = ou=info
ldap user suffix = ou=info
ldap machine suffix = ou=host
# "ldap ssl = no" sends the ldap admin dn bind and the NT/LM hashes in clear
# text; use "ldap ssl = start tls" or an ldaps:// URL in passdb backend
ldap ssl = no
# relative to the [netlogon] share, which must also be defined
logon script = scripts\logon.bat
domain logons = yes
os level = 64
preferred master = yes
domain master = yes

# share-level options; they belong in a [profiles] or [homes] section, not in [global]
#read only = no
#create mask = 0600
#directory mask = 0700
#guest ok = yes
#profile acls = yes
#csc policy = disable
#force user = %U

read only = yes

Sensei <senseiwa at tin.it>

The difference between stupidity and genius is that genius has its  
limits. (A. Einstein)
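The mechanics asked about above (how a domain SID looks, how sambaAlgorithmicRidBase turns a UID or GID into a RID, what sambaNTPassword actually contains, and how to derive a per-user UNC path from an AFS home that has a first-letter subdirectory no smb.conf %-macro can produce) as an added example, in Python, that is not code from the original post or from Samba. It generates an LDIF "changetype: modify" for an existing posixAccount and its primary group instead of repopulating the directory. Everything it assumes is labelled: DOMAIN_SID is a placeholder (read the real one with `net getlocalsid` once Samba has started), RIDs follow Samba 3's algorithmic mapping, and the PDC is assumed to export /afs/my.dept.org/users as the share "users".

```python
#!/usr/bin/env python3
r"""Generate the LDIF that turns an existing posixAccount into a sambaSamAccount.

Added example, not code from the original post or from Samba. Assumptions:
DOMAIN_SID is a placeholder, RIDs follow Samba 3's algorithmic mapping
(user rid = 2*uid + base, group rid = 2*gid + base + 1), and the PDC exports
/afs/my.dept.org/users as share "users", so \\TESTINGPDC\users\d\doe is
/afs/my.dept.org/users/d/doe.
"""
import secrets
import struct
import time

DOMAIN_SID = "S-1-5-21-4231626423-2410014848-2360679739"  # placeholder (assumed)
RID_BASE = 1000       # must equal sambaAlgorithmicRidBase in the sambaDomain entry
PDC = "TESTINGPDC"
SHARE_ROOT = "/afs/my.dept.org"   # assumed: \\PDC\<share> maps to SHARE_ROOT/<share>


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing under OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, ks, ss, const in rounds:
            for i, k in enumerate(ks):
                a = _lrot((a + f(b, c, d) + X[k] + const) & 0xFFFFFFFF, ss[i % 4])
                a, b, c, d = d, a, b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password):
    """sambaNTPassword is MD4 over the UTF-16LE password, stored as uppercase hex.
    The {SSHA} userPassword cannot be used for NTLM, so this attribute is mandatory."""
    return md4(password.encode("utf-16-le")).hex().upper()


def new_domain_sid():
    """Shape of a fresh domain SID: S-1-5-21- plus three random 32-bit sub-authorities."""
    return "S-1-5-21-" + "-".join(str(secrets.randbits(32)) for _ in range(3))


def uid_to_rid(uid, base=RID_BASE):
    return 2 * uid + base


def gid_to_rid(gid, base=RID_BASE):
    return 2 * gid + base + 1


def unc_paths(home_directory, pdc=PDC, share_root=SHARE_ROOT):
    """Derive (sambaHomePath, sambaProfilePath) from the AFS home directory."""
    if not home_directory.startswith(share_root + "/"):
        raise ValueError("home directory is outside the exported tree: " + home_directory)
    home = "\\\\" + pdc + "\\" + home_directory[len(share_root) + 1:].replace("/", "\\")
    return home, home + "\\windows"


def _add(attr, value):
    return ["add: " + attr, attr + ": " + str(value), "-"]


def samba_modify_ldif(dn, uid_number, gid_number, home_directory, password,
                      domain_sid=DOMAIN_SID, now=None):
    """LDIF 'changetype: modify' adding the Samba attributes; the posix data is untouched."""
    home, profile = unc_paths(home_directory)
    lines = ["dn: " + dn, "changetype: modify"]
    lines += _add("objectClass", "sambaSamAccount")
    lines += _add("sambaSID", "%s-%d" % (domain_sid, uid_to_rid(uid_number)))
    lines += _add("sambaPrimaryGroupSID", "%s-%d" % (domain_sid, gid_to_rid(gid_number)))
    lines += _add("sambaNTPassword", nt_hash(password))  # no LM hash: DES-based, left out
    lines += _add("sambaPwdLastSet", int(now if now is not None else time.time()))
    lines += _add("sambaAcctFlags", "[U          ]")
    lines += _add("sambaHomePath", home)
    lines += _add("sambaHomeDrive", "Z:")
    lines += _add("sambaProfilePath", profile)
    return "\n".join(lines) + "\n"


def group_mapping_ldif(dn, gid_number, domain_sid=DOMAIN_SID):
    """The primary group referenced above must exist as a Samba domain group (type 2)."""
    lines = ["dn: " + dn, "changetype: modify"]
    lines += _add("objectClass", "sambaGroupMapping")
    lines += _add("sambaSID", "%s-%d" % (domain_sid, gid_to_rid(gid_number)))
    lines += _add("sambaGroupType", 2)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(group_mapping_ldif("cn=deptafs,ou=info,dc=dept", 10000))
    print(samba_modify_ldif("uid=doe,ou=info,dc=dept", 10000, 10000,
                            "/afs/my.dept.org/users/d/doe", "change-me"))
```

Feed the output to `ldapmodify -Y GSSAPI -f out.ldif` (or any other bind that may write the entries). The existing posix attributes and userPassword are untouched; only the auxiliary class and the samba* attributes are added, which is why no smbldap-populate is needed. Note that the group entry gets the same domain prefix and a RID derived from its gidNumber, so the user's sambaPrimaryGroupSID resolves to it; using 513 instead would require a mapping for Domain Users.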
