[Samba] understanding the ldap backend

Adam Williams awilliam at mdah.state.ms.us
Wed Feb 20 07:33:53 GMT 2008

ml at bortal.de wrote:
> Hello List,
> i am trying to understand the LDAP-backend i just set up. Maybe 
> someone can help me a little understanding the whole magic.
> In smb.conf i have my smbldap-tools scripts:
>  # use the smbldap-tools scripts
>  add user script = /usr/sbin//smbldap-useradd -m "%u"
>  delete user script = /usr/sbin//smbldap-userdel "%u"
>  add machine script = /usr/sbin//smbldap-useradd -w "%u"
>  add group script = /usr/sbin//smbldap-groupadd -p "%g"
>  delete group script = /usr/sbin//smbldap-groupdel "%g"
>  add user to group script = /usr/sbin//smbldap-groupmod -m "%u" "%g"
>  delete user from group script = /usr/sbin//smbldap-groupmod -x "%u" "%g"
>  set primary group script = /usr/sbin//smbldap-usermod -g "%g" "%u"
> and some ldap specific stuff:
>  passdb backend = ldapsam:ldap://
>  ldap admin dn = cn=Manager,dc=example,dc=net
>  ldap suffix = dc=example,dc=net
>  ldap group suffix = ou=Groups
>  ldap user suffix = ou=Users
>  ldap machine suffix = ou=Computers
>  ldap idmap suffix = ou=Users
>  idmap backend = ldap://
>  #ldap ssl = start tls
>  ldap delete dn = Yes
> 1.) Now how does the authentification excatly work? Does samba talk 
> directly to the ldap database and verifies user/password?
> 2.) I guess changing/deleting passwords/users is beeing made by the 
> smblda-tools.
> 3.) How does samba get the user ids? By contacting the ldap database 
> directl again?
> 4.) How does samba get he user/group of files and folders? By nss?
> 5.) Has samba got anything to do with nss/libnss-ldap?
> Thanks, Mario

1) yes
2) you can use smbldap-passwd to change a user's password if you want to 
set the passwd chat, unix password sync, etc.  or you can just set ldap 
passwd sync = yes and let samba handle the password changing directly
4) yes
5) i think so, i have nss_ldap working because my users need shell 
access for database/html work.  i've never tried getting samba going 
without using nss_ldap for user auth.  i don't know if samba can look up 
the users directly or if it gets their user, group, machine accounts via 
nss_ldap.  but nss_ldap is trivial to get working.

More information about the samba mailing list