[Samba] Convert existing Samba DB to LDAP

Eric Bouliane eboulian at cbnco.com
Sat Jan 12 15:45:26 GMT 2008

The setup is as follows. We have an LDAP server which we use only for 
*nix authentication. The Windows authentication is held on everyone's 
local PC. We have samba shares located on Server1. Server1 currently has 
all samba passwords located locally. We've since integrated LDAP to 
Server1 for ssh auth and what not, but would like to do the same for Samba.

So the problem is this. Our current LDAP directory did not have the 
samba.schema file attached/included. Now we must activate the plugin and 
a user must resync their password when we do so. I'm trying to 
circumvent this, and I think a previous reply to run "pdbedit 
--export=ldapsam:ldap://ldapserver " may work I will try that out. What 
I want to do is sync the local samba accounts on Server1 to my LDAP. We 
have several servers and only 1 or 2 that use samba shares, so we want 
to limit access, but don't want 100+ people needing to resync their 
passwords at our desks when we activate the samba plugin.

adrian sender wrote:
> I thought I would just add my two cents here; I am not sure I completely understand your problem; logs are useful to help . You mentioned you are having issues with users changing passwords, I am not sure if your clients are windows or not, or a yast issue - but common problem if users cannot change passwords from windows is openldap acl's
> I have not used yast before, but what tools are you using to manage samba/openldap accounts with - ie smbldap-tools (maybe they need to be checked to)
> So you would have something like this in smb.conf ldap admin "dn = cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" substitute "sambaadmin" or "syncuser" below with 'Manager" (depends on openldap version as well)
> Samba Openldap acl's 
> access to attrs=userPassword
>         by self write
>         by dn="cn=sambaadmin,dc=samba,dc=org" write
>         by dn="cn=syncuser,dc=samba,dc=org" read
>         by * auth
> access to attrs=sambaLMPassword,sambaNTPassword
>         by dn="cn=sambaadmin,dc=samba,dc=org" write
>         by dn="cn=syncuser,dc=samba,dc=org" read
> access to *
>         by dn="cn=sambaadmin,dc=samba,dc=org" write
>         by dn="cn=syncuser,dc=samba,dc=org" read
>         by * read
> It would be best to explain your setup a little more clear and some samba / openldap logs may give us some more info if this or the below reply do not help. As mentioned Samba 3 by Example should answer most of your questions / queries 
> Regards,
> Adrian Sender 
> Subject: Re: [Samba] Convert existing Samba DB to LDAP
> CC: samba at lists.samba.org
> Date: Fri, 11 Jan 2008 18:23:35 -0600
> To: eboulian at cbnco.com
> you'll need to config samba to use your LDAP backend.  in smb.conf 
> you'll need:
>   passdb backend = ldapsam:ldap://gomer.mdah.state.ms.us
>   ldap suffix = dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
>   ldap machine suffix = ou=People
>   ldap user suffix = ou=People
>   ldap group suffix = ou=Group
>   ldap idmap suffix = ou=Idmap
>   ldap admin dn = cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
>   idmap backend = ldap:ldap://gomer.mdah.state.ms.us
>   ldap passwd sync = yes
>    idmap uid = 10000-20000
>    idmap gid = 10000-20000
>    winbind separator = +
>    template homedir = /home/winnt/%D/%U
>    template shell = /bin/bash
>    winbind use default domain = false
>    winbind offline logon = false
> winbind enum users = yes
> winbind enum groups = yes
> and you can load your smbpasswd/tdbsam users with:
> pdbedit --import=smbpasswd:/etc/samba/smbpasswd 
> --export=ldapsam:ldap://gomer.mdah.state.ms.us
> and because the ldap passwd sync = yes, when your users do ctrl alt del 
> and click on change password, it should change it in LDAP for their unix 
> shell acct and their samba password that is in their LDAP dn.
> read chapter 5 of the Samba-3 By Example PDF, it kind of explains 
> everything.
> Eric Bouliane wrote:
>> We currently have an OpenLDAP server with many nodes authenticating to 
>> it for various things. We have an existing server that is now using 
>> LDAP to authenticate, but would like to have Samba in turn 
>> authenticate to it. We've configured the smb.conf file accordingly and 
>> can get this working.
>> Our dilemma is in adding the "Manage samba account parameters" plug-in 
>> via the Yast User/Group modification. When doing this and attempting 
>> to finish editing existing users, it errors out with "Change the 
>> passwordto create the Samba account". We would like to prevent having 
>> all of our LDAP users come to our desks to change the password 
>> individually, is there a way to globally set this and use either 
>> existing passwords within the samba/secrets.tdb file or those set 
>> within LDAP already?
>> Cheers.
> _________________________________________________________________
> New music from the Rogue Traders - listen now!
> http://ninemsn.com.au/share/redir/adTrack.asp?mode=click&clientID=832&referral=hotmailtaglineOct07&URL=http://music.ninemsn.com.au/roguetraders-- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list