[Samba] samba + openldap + kerberos + pam
Karen R McArthur
kmcarthu at bates.edu
Wed Aug 23 15:30:31 GMT 2006
RedHat enterprise v4
openldap 2.2.13-4
cyrus-sasl 2.1.19-5.EL4
samba 3.0.10-1.4E.9
krb-libs 1.3.4-27
server1: openldap and kerberos server
server2: samba server
We have openldap working as posix source for all of our *nix logins -
with passwords stored in kerberos accessed via sasl.
We have an existing samba server running on redhat for macintosh/windows
user access to network storage. Our passwords are stored in smbpasswd.
Access works fine in this configuration.
We would like to centralize this authentication and have samba read its
passwords from ldap/kerberos.
I have created a new samba server - with pam enabled and no smbpasswd file.
I have created a domain record in ldap - dn:
"sambaDomainName=SERVER2,ou=services,ou=samba,dc=bates,dc=edu",
sambaSID: S-1-0-0
I have a testuser account in ldap with all posixAccount information and
objectClass: sambaSamAccount and sambaSID: S-1-0-0-{uid*2 + 1000}
# net getlocalsid
SID for domain SERVER2 is: S-1-0-0
#
smb.conf is at the end of this email.
I can access my samba share via smbclient \\server2\testuser
I cannot access my samba share via either windows or macintosh.
From Windows, I receive the error "\\server2\testuser is not
accessible. You might not have permissions to use this network
resource. Contact the administrator of this server to see if you have
access permissions. The account is not authorized to log in from this
station."
From Macintosh, I am given the login prompt, I type my username and
password, then get the error "Could not connect to the server because
the name or password is not correct."
I assume the errors are because I do not have sambaLMPassword or
sambaNTPassword stored in my ldap database. I do not want to do this.
How do I set up samba to read all access from pam (as in the smbclient)
and not require storage of passwords in ldap?
Any help would be appreciated. I have spent hours on Google and am
getting nowhere.
Thanks,
Karen McArthur
Bates College, Lewiston, Maine
kmcarthu at bates.edu
*******
smb.conf
*******
workgroup = BCIS
server string = Samba Server %v
hosts allow = 134.181. 127.
log file = /var/log/samba/%m.log
max log size = 50
security = user
encrypt passwords = no
obey pam restrictions = yes
ldap admin dn = "cn=smbadmin,dc=bates,dc=edu"
;ldap ssl = start tls
passdb backend = ldapsam:ldap://ldap.bates.edu:714
ldap delete dn = no
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=Hosts
ldap suffix = dc=bates,dc=edu
local master = no
name resolve order = host lmhosts wins bcast
wins server = x.y.z.a, x.y.z.b
dns proxy = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
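A config check added here (not part of Karen's mail or of Samba itself): it parses an smb.conf and flags the settings in the post that bear on password handling. The sample config embedded in it is constructed to mirror the relevant lines above, and the SID it checks is the one shown by net getlocalsid; it assumes the standard smb.conf syntax and nothing site-specific.

```python
import re
from typing import Dict, List

# Constructed sample mirroring the relevant lines of the posted smb.conf;
# it is not the poster's actual file.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = BCIS
   security = user
   encrypt passwords = no
   obey pam restrictions = yes
   ;ldap ssl = start tls
   passdb backend = ldapsam:ldap://ldap.bates.edu:714
[homes]
   comment = Home Directories
   writable = yes
"""

# A Samba-generated domain SID has the form S-1-5-21-<a>-<b>-<c>; S-1-0-0 is the Null SID.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {param: value}}. Parameter names are
    normalised the way Samba does it: case-insensitive, internal whitespace dropped."""
    sections: Dict[str, Dict[str, str]] = {"global": {}}
    current = "global"  # parameters before the first [section] belong to [global]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank line or comment (';' or '#')
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def audit_auth_settings(conf: Dict[str, Dict[str, str]], domain_sid: str) -> List[str]:
    """Return the findings a reviewer would raise about how passwords are handled."""
    g = conf.get("global", {})
    findings: List[str] = []
    if g.get("encryptpasswords", "yes").lower() in ("no", "false", "0"):
        # With 'encrypt passwords = no' Samba negotiates cleartext passwords. Windows
        # and Mac clients refuse that by default (Windows reports "The account is not
        # authorized to log in from this station"), so only smbclient gets through, and
        # any client that does comply sends the password across the network in the clear.
        # PAM can only verify a cleartext password; NTLM challenge-response needs the
        # stored NT hash (sambaNTPassword), which is why ldapsam wants it.
        findings.append("cleartext password authentication: 'encrypt passwords = no'")
    backend = g.get("passdbbackend", "")
    if backend.startswith("ldapsam") and "ldapssl" not in g:
        findings.append("ldapsam with no explicit 'ldap ssl': LDAP transport protection left to the default")
    if not DOMAIN_SID_RE.match(domain_sid):
        findings.append(f"domain SID {domain_sid} is not a well-formed S-1-5-21-* SID")
    return findings
```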