[Samba] understanding the ldap backend

Lionel Pinkhard pinkhardlionel at yahoo.com
Wed Feb 20 17:28:43 GMT 2008


Can someone confirm if it's necessary to have nss? I don't have nss in my configuration (I'm running OpenBSD, so it's a little different) and it's not working. I've also tried adding LDAP users to my /etc/passwd for my samba users as an experiment, but I couldn't get them to authenticate with LDAP through a shell, nor did it help Samba in any way, so I removed them again. According to the logs, login_ldap (the bsd_auth module for ldap authentication) is attempting to communicate with openldap with ldapv2, which openldap doesn't support, so it appears this technique is impossible as far as I could figure out. However, it is strange that login_ldap and openldap ship together in the same version of the bsd packages collection, yet they communicate with different versions. Anyways, I need LDAP authentication for users with shell access, but luckily not on this server; they will only need to authenticate against this server, not log in to the server itself via SSH or shell, only log in to the shell on Linux workstations (which can easily be configured to authenticate with my OpenBSD openldap server using ldapv3). Anyways, this is a bit off-topic I think, but does this in any way relate to Samba? If I don't have users in my /etc/passwd file, can't they log in to Samba?

Btw, I don't think that should break my configuration, considering that I should still be able to log in as root, since root has an account in both LDAP and /etc/passwd. The problem I'm experiencing with my configuration is that I don't even get an opportunity to log in; it just bluntly throws "The specified network name is no longer available" at me (in most cases, though during this stage I cannot see anything being logged in Samba - maybe Windows caches the first attempt and then doesn't give "Access is denied" until you reboot? Usually when I reboot I get "Access is denied" again), though the first time it shows "Access is denied". The same happens with NET VIEW, yet I'm not given a single opportunity to log in. On (attempting) joining a domain it throws the same messages at me; dcdiag.txt also isn't much help. I have also tried setting my Windows username and password to match a Samba username and password (although I don't think this should be required).

Another thing: is it possible to hide a certain folder in every user's home directory from them when viewing with Samba? I've got a Maildir in each user's home directory to keep mail, but it's owned by vmail anyway (I know I should probably use virtual aliases and domains for this, but this seems to fit my scenario better), so the user can't access it; I would just like them to not see it, if it's in any way possible. (Though this is not serious, since currently my users can't even connect!)



----- Original Message ----
From: Adam Williams <awilliam at mdah.state.ms.us>
To: "ml at bortal.de" <ml at bortal.de>
Cc: samba at lists.samba.org
Sent: Wednesday, 20 February 2008 9:33:53
Subject: Re: [Samba] understanding the ldap backend

ml at bortal.de wrote:
> Hello List,
> I am trying to understand the LDAP backend I just set up. Maybe 
> someone can help me a little in understanding the whole magic.
> In smb.conf i have my smbldap-tools scripts:
>  # use the smbldap-tools scripts
>  add user script = /usr/sbin//smbldap-useradd -m "%u"
>  delete user script = /usr/sbin//smbldap-userdel "%u"
>  add machine script = /usr/sbin//smbldap-useradd -w "%u"
>  add group script = /usr/sbin//smbldap-groupadd -p "%g"
>  delete group script = /usr/sbin//smbldap-groupdel "%g"
>  add user to group script = /usr/sbin//smbldap-groupmod -m "%u" "%g"
>  delete user from group script = /usr/sbin//smbldap-groupmod -x "%u" "%g"
>  set primary group script = /usr/sbin//smbldap-usermod -g "%g" "%u"
> and some ldap specific stuff:
>  passdb backend = ldapsam:ldap://
>  ldap admin dn = cn=Manager,dc=example,dc=net
>  ldap suffix = dc=example,dc=net
>  ldap group suffix = ou=Groups
>  ldap user suffix = ou=Users
>  ldap machine suffix = ou=Computers
>  ldap idmap suffix = ou=Users
>  idmap backend = ldap://
>  #ldap ssl = start tls
>  ldap delete dn = Yes
> 1.) Now how does the authentication exactly work? Does samba talk 
> directly to the ldap database and verify user/password?
> 2.) I guess changing/deleting passwords/users is being done by the 
> smbldap-tools.
> 3.) How does samba get the user ids? By contacting the ldap database 
> directly again?
> 4.) How does samba get the user/group of files and folders? By nss?
> 5.) Has samba got anything to do with nss/libnss-ldap?
> Thanks, Mario

1) yes
2) you can use smbldap-passwd to change a user's password if you want to 
set the passwd chat, unix password sync, etc.  Or you can just set ldap 
passwd sync = yes and let samba handle the password changing directly
4) yes
5) I think so, I have nss_ldap working because my users need shell 
access for database/html work.  I've never tried getting samba going 
without using nss_ldap for user auth.  I don't know if samba can look up 
the users directly or if it gets their user, group, machine accounts via 
nss_ldap.  But nss_ldap is trivial to get working.

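Added example, not code from the thread or from the Samba project. Mario's questions 1, 3, 4 and 5 and Lionel's "if I don't have users in /etc/passwd" come down to one split: with passdb backend = ldapsam, smbd binds as the ldap admin dn (its password is stored in secrets.tdb with smbpasswd -w) and reads the sambaSamAccount attributes of the entry itself, but the POSIX side of the same entry (uidNumber, gidNumber, homeDirectory) is still resolved through getpwnam(), i.e. through NSS, which is why nss_ldap or a matching /etc/passwd line is needed. The script below builds one entry of the shape smbldap-useradd -m creates under the ldap user suffix, shows which attributes each side reads, and checks a password against sambaNTPassword. The domain SID, the user, the password and the dictionary standing in for an LDAP entry are constructed test data; the RID mapping is Samba's algorithmic one (rid = 2*uid + 1000), and ldapsam_check_password models a plaintext check against the NT hash, whereas a real smbd compares that hash against the client's NTLM challenge response.

```python
"""Model of what Samba's ldapsam backend and NSS each read from one LDAP entry.
Added example; the SID, user and password below are constructed test data."""
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib's md4 is often missing (OpenSSL legacy)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (hh, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for func, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _rotl(a + func(b, c, d) + x[idx] + k, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: MD4 over the UTF-16LE password, 32 uppercase hex digits."""
    return md4(password.encode("utf-16-le")).hex().upper()


DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"  # constructed, not a real domain
RID_BASE = 1000  # Samba's algorithmic rid base (also what smbldap-tools uses)


def user_rid(uid: int) -> int:
    return 2 * uid + RID_BASE


def group_rid(gid: int) -> int:
    return 2 * gid + RID_BASE + 1


def make_user_entry(name, uid, gid, password, suffix="dc=example,dc=net"):
    """One entry carrying both posixAccount and sambaSamAccount, as smbldap-useradd -m makes."""
    return {
        "dn": f"uid={name},ou=Users,{suffix}",
        "objectClass": ["top", "person", "posixAccount", "sambaSamAccount"],
        "uid": name,
        "uidNumber": uid,                       # read by NSS (getpwnam), not by ldapsam
        "gidNumber": gid,                       # read by NSS
        "homeDirectory": f"/home/{name}",       # read by NSS
        "loginShell": "/bin/sh",                # read by NSS
        "sambaSID": f"{DOMAIN_SID}-{user_rid(uid)}",             # read by ldapsam
        "sambaPrimaryGroupSID": f"{DOMAIN_SID}-{group_rid(gid)}",  # read by ldapsam
        "sambaNTPassword": nt_hash(password),   # read by ldapsam
        "sambaAcctFlags": "[U          ]",      # read by ldapsam; 'D' means disabled
    }


def ldapsam_check_password(entry, password):
    """smbd's side: attributes it fetched itself over LDAP, nothing from /etc/passwd."""
    if "D" in entry["sambaAcctFlags"]:
        return False, "account disabled"
    if not hmac.compare_digest(entry["sambaNTPassword"], nt_hash(password)):
        return False, "bad password"
    return True, "ok"


def nss_getpwnam(entry):
    """nss_ldap's side: the passwd tuple smbd still needs, or None if the POSIX half is missing."""
    if "posixAccount" not in entry["objectClass"]:
        return None
    return (entry["uid"], "x", entry["uidNumber"], entry["gidNumber"],
            entry["homeDirectory"], entry["loginShell"])


def to_ldif(entry):
    lines = [f"dn: {entry['dn']}"]
    for attr, value in entry.items():
        if attr != "dn":
            for v in (value if isinstance(value, list) else [value]):
                lines.append(f"{attr}: {v}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    e = make_user_entry("mario", 1001, 1001, "password")
    print(to_ldif(e))
    print(ldapsam_check_password(e, "password"), ldapsam_check_password(e, "wrong"))
    print(nss_getpwnam(e))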