[Samba] doubt in samba-ldap configuration

balijepalli srikrishnamohan bskmohan at yahoo.com
Fri Apr 21 14:02:20 GMT 2006

Hello group,

    I am trying to configure an LDAP backend for Samba.
My Samba and LDAP servers are on different machines.
I am using Samba 3.0.22 and OpenLDAP 2.3.11.
I got two smb.conf files. 
One in /etc/samba/smb.conf and another in

Now the problem is that when I am using the 2nd smb.conf,
smbclient shows the share info for any user; I mean
if we give no username and a wrong password it still
shows the shares.
But when I use the 1st smb.conf file, smbclient gives an
NT_STATUS_FAILED error for all LDAP users.

I am giving the two files' contents here.
Please tell me the reason why it is behaving like that.
Also, I was able to add Samba users into the LDAP server.
Please let me know whether the existing LDAP users and the users I
added under objectclass sambaSamAccount are different
or the same. If different, please let me know how to give the
username and password in the LDIF file.

Contents of /etc/samba/smb.conf
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
# Any line which starts with a ; (semi-colon) or a #
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic
#======================= Global Settings
# ([global], [homes] and [printers] headers below restored from context;
#  the posted copy lost its bracketed section lines)
[global]

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = MYGROUP

# server string is the equivalent of the NT Description field
   server string = Samba Server

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
;   hosts allow =

# if you want to automatically load your printer list
# than setting them up individually then you'll need
   printcap name = /etc/printcap
   load printers = yes

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
;   printing = bsd

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;  guest account = pcguest

# this tells Samba to use a separate log file for each
# that connects
   # log file = /var/log/samba/%m.log
# all log information in one file
   log file = /var/log/samba/log.smbd

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = user
# Use password server option only with security =
;   password server = <NT-Server-Name>

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
;  password level = 8
;  username level = 8

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba
# Do not enable this option unless you have read those
  encrypt passwords = yes
;  smb passwd file = /etc/samba/smbpasswd

# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
#        the encrypted SMB passwords. They allow the Unix password
#        to be kept in sync with the SMB password.
;  unix password sync = Yes
;  passwd program = /usr/bin/passwd %u
;  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n

# Unix users can map to different SMB User names
;  username map = /etc/samba/smbusers

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /etc/samba/smb.conf.%m

# Most people will find that this option gives better
# See speed.txt and the manual pages for details
   socket options = TCP_NODELAY SO_RCVBUF=8192

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
   ;interfaces = 

# Configure remote browse list synchronisation here
#  request announcement to, or browse list sync from:
#	a specific host or from / to a whole subnet (see
;   remote browse sync =
# Cause this host to announce itself to local subnets
;   remote announce =

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
;   local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
;   os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
;   domain master = yes 

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the
;   preferred master = yes

# Enable this if you want Samba to be a domain logon server for 
# Windows95 workstations. 
;   domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation
;   logon script = %m.bat
# run a specific logon batch file per username
;   logon script = %U.bat

# Where to store roving profiles (only for Win95 and
#        %L substitutes for this servers netbios name, %U is username
#        You must uncomment the [Profiles] share below
;   logon path = \\%L\Profiles\%U

# All NetBIOS names must be resolved to IP Addresses
# 'Name Resolve Order' allows the named resolution mechanism to be specified
# the default order is "host lmhosts wins bcast". "host" means use the unix
# system gethostbyname() function call that will use either /etc/hosts OR
# DNS or NIS depending on the settings of /etc/host.config, /etc/nsswitch.conf
# and the /etc/resolv.conf file. "host" therefore is system configuration
# dependant. This parameter is most often of use to prevent DNS lookups
# in order to resolve NetBIOS names to IP Addresses. Use with care!
# The example below excludes use of name resolution for machines that are NOT
# on the local network segment
# - OR - are not deliberately to be known via lmhosts or via WINS.
; name resolve order = wins lmhosts bcast

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
;   wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#	Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one	WINS Server on the network. The default is NO.
;   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = no 

# Case Preservation can be handy - system default is
# NOTE: These can be set on a per share basis
;  preserve case = no
;  short preserve case = no
# Default case is normally upper case for all DOS
;  default case = lower
# Be very careful with case sensitivity - it can break
;  case sensitive = no

;netbios name = machine
;domain logons = yes
;domain master = yes
passdb backend = ldapsam:ldap://
ldap admin dn = cn=Manager,dc=example,dc=com
;ldap ssl = start tls
ldap suffix = dc=example, dc=com
;ldap password = "secret"
;samba:mysql host = localhost
;samba:mysql user = root
;samba:mysql password = root
;samba:mysql database = samba_auth
;lanman pass column = lm_pw
;nt pass column = nt_pw
;plain pass column = NULL
#============================ Share Definitions
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
;   comment = Network Logon Service
;   path = /home/netlogon
;   guest ok = yes
;   writable = no
;   share modes = no

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;    path = /home/profiles
;    browseable = no
;    guest ok = yes

# NOTE: If you have a BSD-style print system there is no need to 
# specifically define each individual printer
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to
   guest ok = no
   writable = no
   printable = yes

# This one is useful for people to share files
;   comment = Temporary file space
;   path = /tmp
;   read only = no
;   public = yes

# A publicly accessible directory, but read only, except for people in
# the "staff" group
;   comment = Public Stuff
;   path = /home/samba
;   public = yes
;   read only = yes
;   write list = @staff

# Other examples. 
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;   comment = Fred's Printer
;   valid users = fred
;   path = /homes/fred
;   printer = freds_printer
;   public = no
;   writable = no
;   printable = yes

# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;   comment = Fred's Service
;   path = /usr/somewhere/private
;   valid users = fred
;   public = no
;   writable = yes
;   printable = no

# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %u option to tailor it by user name.
# The %m gets replaced with the machine name that is
;  comment = PC Directories
;  path = /usr/pc/%m
;  public = no
;  writable = yes

# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;   path = /usr/somewhere/else/public
;   public = yes
;   only guest = yes
;   writable = yes
;   printable = no

# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;   comment = Mary's and Fred's stuff
;   path = /usr/somewhere/shared
;   valid users = mary fred
;   public = no
;   writable = yes
;   printable = no
;   create mask = 0765
Contents of
# Global parameters
# ([global], [netlogon], [profiles], [printers] and [print$] headers below
#  restored from context; the posted copy lost its bracketed section lines)
[global]
	workgroup = IDEALX-NT
	netbios name = PDC-SRV
	security = user
	enable privileges = yes
	#interfaces =
	#username map = /etc/samba/smbusers
	server string = Samba Server %v
	#security = ads
	encrypt passwords = Yes
	min passwd length = 3
	#pam password change = no
	#obey pam restrictions = No
	#ldap passwd sync = Yes
;	unix password sync = Yes
;	passwd program = /opt/IDEALX/sbin/smbldap-passwd -u
;	passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
	#passwd chat debug = Yes
	log level = 0
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 100000
	time server = Yes
	socket options = TCP_NODELAY SO_RCVBUF=8192
	mangling method = hash2
	Dos charset = 850
	Unix charset = ISO8859-1

	logon script = logon.bat
	logon drive = H:
	logon home = 
	logon path = 

	domain logons = Yes
	domain master = Yes
	os level = 65
	preferred master = Yes
	wins support = yes
	passdb backend = ldapsam:ldap://
	ldap admin dn = cn=Manager,dc=example,dc=com
	#ldap admin dn = cn=samba,ou=DSA,dc=idealx,dc=org
	;ldap suffix = dc=idealx,dc=org
	;ldap group suffix = ou=Groups
	;ldap user suffix = ou=Users
	;ldap machine suffix = ou=Computers
	#ldap idmap suffix = ou=Idmap
	;add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
	#ldap delete dn = Yes
	;delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
	;add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 0 -w "%u"
	;add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
	#delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
	;add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
	;delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
	;set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'

	# printers configuration
	printer admin = @"Print Operators"
	load printers = Yes
	create mask = 0640
	directory mask = 0750
	#force create mode = 0640
	#force directory mode = 0750
	nt acl support = No
	printing = cups
	printcap name = cups
	deadtime = 10
	guest account = nobody
	map to guest = Bad User
	dont descend =
	show add printer wizard = yes
	; to maintain capital letters in shortcuts in any of the profile folders:
	preserve case = yes
	short preserve case = yes
	case sensitive = no

[netlogon]
	path = /home/netlogon/
	browseable = No
	read only = yes

[profiles]
	path = /home/profiles
	read only = no
	create mask = 0600
	directory mask = 0700
	browseable = No
	guest ok = Yes
	profile acls = yes
	csc policy = disable
	# next line is a great way to secure the profiles 
	#force user = %U 
	# next line allows administrator to access all
	#valid users = %U "Domain Admins"

[printers]
	comment = Network Printers
	printer admin = @"Print Operators"
	guest ok = yes
	printable = yes
	path = /home/spool/
	browseable = No
	read only  = Yes
	printable = Yes
	print command = /usr/bin/lpr -P%p -r %s
	lpq command = /usr/bin/lpq -P%p
	lprm command = /usr/bin/lprm -P%p %j
	# print command = /usr/bin/lpr -U%U@%M -P%p -r
	# lpq command = /usr/bin/lpq -U%U@%M -P%p
	# lprm command = /usr/bin/lprm -U%U@%M -P%p %j
	# lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
	# lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
	# queuepause command = /usr/sbin/lpc -U%U@%M stop %p
	# queueresume command = /usr/sbin/lpc -U%U@%M start %p

[print$]
	path = /home/printers
	guest ok = No
	browseable = Yes
	read only = Yes
	valid users = @"Print Operators"
	write list = @"Print Operators"
	create mask = 0664
	directory mask = 0775
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam
protection around 
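The "wrong password still shows the shares" behaviour of the second file comes from one global line, `map to guest = Bad User`, combined with `guest ok = yes` on the `[profiles]` and `[printers]` shares. Per smb.conf(5), `Bad User` turns a logon with a username the passdb does not know into a guest session (`Bad Password` does so for any failed logon, even a real user's typo; `Never`, the default, rejects). smbclient run without `-U` sends the caller's Unix login name, which is not in the LDAP passdb, so the bad password becomes a guest session under `guest account = nobody` and the share list plus every `guest ok` share is visible. The following is an added audit script for this thread, not Samba's own code or anything from the poster: it parses an smb.conf the way Samba reads parameter names (case and whitespace insensitive, `public` as a synonym of `guest ok`) and reports what a failed logon ends up with. The three config fragments inside it are constructed, trimmed copies of the two posted files plus a hardened variant.

```python
"""Audit an smb.conf for what a failed SMB logon can reach.

Added example for this thread, not Samba's own code. It understands only
the smb.conf syntax it needs: [section] headers, `key = value` lines and
comments starting with # or ;.
"""
import re

_SECTION = re.compile(r'^\[(?P<name>[^\]]+)\]$')
_SPACES = re.compile(r'\s+')


def parse_smbconf(text):
    """Return {section: {normalised_param: value}}.

    Samba ignores case and internal whitespace in parameter names, so
    `Guest Ok`, `guest ok` and `guestok` are the same key here too.
    """
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue                      # blank or comment
        m = _SECTION.match(line)
        if m:
            current = m.group('name').strip().lower()
            conf.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue                      # testparm would warn: badly formed line
        key, _, value = line.partition('=')
        conf[current][_SPACES.sub('', key).lower()] = value.strip()
    return conf


def _yes(value):
    return value.strip().lower() in ('yes', 'true', '1')


def audit(text):
    """Summarise the guest exposure of a parsed smb.conf.

    `map to guest` (global, default Never) decides what a failed logon
    becomes: Never rejects it, Bad User demotes it to guest when the
    username is unknown to the passdb, Bad Password demotes any failure.
    A guest session then sees every share with `guest ok = yes`
    (`public` is the same parameter under another name).
    """
    conf = parse_smbconf(text)
    g = conf.get('global', {})
    mode = g.get('maptoguest', 'Never').strip()
    guest_ok = sorted(
        name for name, p in conf.items()
        if name != 'global' and _yes(p.get('guestok', p.get('public', 'no')))
    )
    return {
        'map to guest': mode,
        'guest account': g.get('guestaccount', 'nobody'),   # usual Samba default
        'failed logon becomes guest': mode.lower() in ('bad user', 'bad password'),
        'guest ok shares': guest_ok,
    }


# Constructed fragments mirroring the two files in the thread, trimmed to
# the parameters that matter for this question.
PDC_CONF = """\
[global]
	security = user
	guest account = nobody
	map to guest = Bad User
[netlogon]
	path = /home/netlogon/
	read only = yes
[profiles]
	path = /home/profiles
	guest ok = Yes
[printers]
	guest ok = yes
	printable = yes
[print$]
	guest ok = No
	valid users = @"Print Operators"
"""

PLAIN_CONF = """\
[global]
   security = user
   encrypt passwords = yes
[homes]
   browseable = no
[printers]
   guest ok = no
   printable = yes
"""

# The PDC layout with the demotion switched off and the profile share
# closed: a wrong password is a failed logon again.
HARDENED_CONF = (PDC_CONF
                 .replace('map to guest = Bad User', 'map to guest = Never')
                 .replace('guest ok = Yes\n', 'guest ok = no\n'))

if __name__ == '__main__':
    for label, conf in (('PDC', PDC_CONF), ('plain', PLAIN_CONF), ('hardened', HARDENED_CONF)):
        print(label, audit(conf))
```

To confirm the same thing against a live server, compare `testparm -s` output for `map to guest` and the per-share `guest ok` values with what `smbclient -L server -U nosuchuser%wrongpassword` lists; a `Never` setting should turn that listing into a logon failure. Note that the hardened variant still leaves `[printers]` public on purpose, since print queues are commonly meant to be, and that `Bad Password` is the more dangerous value of the two because it silently demotes real users who mistype.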

