[Samba] Samba + LDAP integration

John H Terpstra jht at samba.org
Sat Jul 26 15:24:51 GMT 2008


On Saturday 26 July 2008 09:36:25 Mugo Martin wrote:
> Hi people,
>
> Been doing a server installation with Samba as a primary PDC that uses an
> LDAP backend on CentOS 5.
> The thing is that I am not able to get Samba and LDAP to talk as they
> should, and now I'm really stuck.

You sure are stuck.  So let's see if we can pull you out of the hole you are 
in.

> Below are my dumps for /etc/samba/smb.conf, ldap.conf (copied its contents
> to /etc/openldap/ldap.conf too), and smbldap.conf.
> Excuse my long post; trying to be as elaborate as possible.
>
> smb.conf
> **********
> [global]
>         workgroup = MYDOMAIN
>         netbios name = MYDOMAIN

What makes you believe that it is possible to operate with the domain name 
(workgroup) and the server name (netbios name) the same?  The Samba3-HOWTO 
makes it rather plain that this is a no-go - they must differ.

Suggest you set them as:
	workgroup = MYDOMAIN
	netbios name = MYSERVER

>         server string = mydomain_office
>         passdb backend = ldapsam:ldap://server.example.org

The "passwd program" and "passwd chat" parameters are not needed with the LDAP 
backend. Please delete them.
>         passwd program = /usr/local/sbin/smbldap-passwd %u
>         passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> *all*authentication*tokens*updated*

>         username map = /etc/samba/smbusers
>         log file = /var/log/samba/%m.log
>         max log size = 100

>         add user script = /usr/local/sbin/smbldap-useradd "%u" -n -g users
change to:
	add user script =  /usr/local/sbin/smbldap-useradd -m "%u"

>         delete user script = /usr/local/sbin/smbldap-userdel "%u"
>         add group script = /usr/local/sbin/smbldap-groupadd "%g"
change to:
	add group script = /usr/local/sbin/smbldap-groupadd -p "%g"

>         delete group script = /usr/local/sbin/smbldap-groupdel "%g"
>         add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u"
> "%g"
>         delete user from group script = /usr/local/sbin/smbldap-userdel
> "%u" "%g"
change to:
	delete user from group script = /usr/local/sbin/smbldap-userdel -x "%u" "%g"

>         set primary group script = /usr/local/sbin/smbldap-usermod -g "%g"
> "%u"
>         add machine script = /usr/local/sbin/smbldap-useradd -n -c
> "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
change to:
	add machine script =  /usr/local/sbin/smbldap-useradd -w -g Workstations "%u"

>         logon script = %m.bat
>         logon path = \\server.example.org\%U\profile
change to:
	logon path = \\MYSERVER\profiles\%U

>         domain logons = Yes
>         os level = 33
>         preferred master = Yes
>         domain master = Yes
>         wins support = Yes

>         ldap admin dn = cn=config
change this to the same as the value of "rootdn" 
from /etc/openldap/slapd.conf, eg:
	ldap admin dn = cn=Manager,dc=example,dc=org

>         ldap delete dn = Yes
>         ldap group suffix = ou=groups
>         ldap machine suffix = ou=machines
>         ldap passwd sync = Yes
>         ldap suffix = dc=example,dc=org
>         ldap user suffix = ou=people
>         idmap uid = 1000-19999
>         idmap gid = 1000-19999
> [homes]
>         comment = Home Directories
>         valid users = DOMAIN\%S
>         read only = No
>         browseable = No
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         printable = Yes
>         browseable = No
> [netlogon]
>         comment = Network Logon Service
>         path = /var/lib/samba/netlogon
>         guest ok = Yes
>         share modes = No
Add:
 [profiles]
	comment = Profiles Folder
	path = /var/lib/samba/profiles
	read only = no
	profile acls = yes


Now do:
root# > mkdir -p /var/lib/samba/profiles
root# > chown root:users /var/lib/samba/profiles
root# > chmod 2775 /var/lib/samba/profiles

> smbldap.conf
> ************
> sambaDomain="MYDOMAIN"
> slaveLDAP="127.0.0.1"
> slavePort="389"
> masterLDAP="127.0.0.1"
> masterPort="389"
> ldapTLS="0"
> suffix="dc=example,dc=org"
> usersdn="ou=people,${suffix}"
> computersdn="ou=machines,${suffix}"
> groupsdn="ou=groups,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
> scope="one"
> hash_encrypt="SSHA"
> crypt_salt_format="%s"
> userLoginShell="/bin/bash"
> userHome="/home/%U"
> userHomeDirectoryMode="700"
> userGecos="System User"
> defaultUserGid="513"
> defaultComputerGid="515"
> skeletonDir="/etc/skel"
> defaultMaxPasswordAge="45"
> userSmbHome=""
> userProfile=""
> userScript="logon.bat"
> mailDomain="example.org"
> with_smbpasswd="0"
> with_slappasswd="0"
>
> /etc/ldap.conf
> **********************
> host server.example.org
> base dc=example,dc=org
> binddn cn=config
> bindpw 1w2345FJ
> rootbinddn cn=zimbra,dc=example,dc=org
>
> timelimit 120
> bind_timelimit 120
> bind_policy soft
> idle_timelimit 3600
>
> nss_base_passwd         ou=people,dc=example,dc=org?one
> nss_base_shadow         ou=people,dc=example,dc=org?one
Add:
   nss_base_passwd	ou=machines,dc=example,dc=org?one
   nss_base_shadow	ou=machines,dc=example,dc=org?one

>
> nss_base_group          ou=groups,dc=example,dc=org?one

Not this one! That will not work! Remove it.
> nss_base_hosts          ou=machines,dc=example,dc=org?one
>
> nss_initgroups_ignoreusers
> root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
>
> uri ldap://server.example.org
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5


You are repeating yourself here; it is already shown above.
> smbldap.conf
> ************
> sambaDomain="MYDOMAIN"
> slaveLDAP="127.0.0.1"
> slavePort="389"
> masterLDAP="127.0.0.1"
> masterPort="389"
> ldapTLS="0"
> suffix="dc=example,dc=org"
> usersdn="ou=people,${suffix}"
> computersdn="ou=machines,${suffix}"
> groupsdn="ou=groups,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
> scope="one"
> hash_encrypt="SSHA"
> crypt_salt_format="%s"
> userLoginShell="/bin/bash"
> userHome="/home/%U"
> userHomeDirectoryMode="700"
> userGecos="System User"
> defaultUserGid="513"
> defaultComputerGid="515"
> skeletonDir="/etc/skel"
> defaultMaxPasswordAge="45"
> userSmbHome=""
> userProfile=""
> userScript="logon.bat"
> mailDomain="example.org"
> with_smbpasswd="0"
> with_slappasswd="0"
>
> smbldap_bind.conf
> *****************

These DNs need to point to the same value as the "rootdn" from slapd.conf.
> slaveDN="cn=config,dc=example,dc=org"
> slavePw="1w2345FJ"
> masterDN="cn=config,dc=example,dc=org"
> masterPw="1w2345FJ"
>
> The strange thing is that I can join a computer to the Domain, but only
> using the Samba+samba_root_passwd. I can even see the computer entry in the
> LDAP database when I run ldapsearch.
> However, I cannot log in to the domain with credentials in LDAP. Also I
> cannot add machines to domain using privileged accounts stored in LDAP.
> Strangely though, Samba commands
> getent group
> and
> getent passwd
> work just fine (obtain info in ldap) when I'm user zimbra, but not as root
> (yes user root); running these as root returns only system records in
> /etc/passwd & /smbpasswd.
> I think that I have done everything correctly including running the command
> smbpasswd -w 1w2345FJ
> for samba to connect to LDAP and putting the same password in
> smbldap_bind.conf defined for "cn=config"
> My diagnosis so far is that there is something not working in smbldap-tools
>
> Please advise; I will appreciate it.

Please follow the documentation in Samba3-ByExample, chapter 5.
http://www.samba.org/samba/docs/Samba3-ByExample.pdf

Let me know of anything that does not work.

Cheers,
John T.
-- 
John H Terpstra
Samba-Team Member
Phone: +1 (512) 970-0256

Author:
The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
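Added example, not code from the mail above or from the Samba project: a small POSIX shell lint that checks an smb.conf for the specific points raised in the reply (workgroup equal to netbios name, "passwd program"/"passwd chat" left in with an ldapsam backend, "ldap admin dn" differing from the slapd.conf rootdn, and no [profiles] share). The smb.conf and slapd.conf fragments it reads are constructed in temporary files so it runs offline; the helper names (`smb_param`, `slapd_rootdn`, `lint_smb_conf`, `finding_count`) are this example's own, and `smb_param` deliberately only reads the [global] section.

```shell
#!/bin/sh
# Added example (not code from the original mail or from the Samba project):
# a lint for the smb.conf points raised in the reply. Both config files are
# constructed here in temp files so the script runs stand-alone.

SMB_BAD=$(mktemp); SMB_FIXED=$(mktemp); SLAPD_CONF=$(mktemp)
trap 'rm -f "$SMB_BAD" "$SMB_FIXED" "$SLAPD_CONF"' EXIT

# Constructed smb.conf reproducing the problems discussed in the mail.
cat > "$SMB_BAD" <<'EOF'
[global]
        workgroup = MYDOMAIN
        netbios name = MYDOMAIN
        passdb backend = ldapsam:ldap://server.example.org
        passwd program = /usr/local/sbin/smbldap-passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n
        ldap admin dn = cn=config
[homes]
        comment = Home Directories
EOF

# The same config with the corrections from the reply applied.
cat > "$SMB_FIXED" <<'EOF'
[global]
        workgroup = MYDOMAIN
        netbios name = MYSERVER
        passdb backend = ldapsam:ldap://server.example.org
        ldap admin dn = cn=Manager,dc=example,dc=org
[homes]
        comment = Home Directories
[profiles]
        comment = Profiles Folder
        path = /var/lib/samba/profiles
        read only = no
        profile acls = yes
EOF

# Constructed slapd.conf fragment holding the rootdn that "ldap admin dn"
# has to match.
cat > "$SLAPD_CONF" <<'EOF'
suffix          "dc=example,dc=org"
rootdn          "cn=Manager,dc=example,dc=org"
EOF

# smb_param FILE KEY: print the value of KEY from FILE's [global] section
# (empty if unset). Whitespace around key and value is trimmed.
smb_param() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_global = ($0 ~ /^[ \t]*\[global\][ \t]*$/); next }
        in_global && index($0, "=") {
            eq = index($0, "=")
            k = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# slapd_rootdn FILE: print the rootdn from a slapd.conf, quotes stripped.
slapd_rootdn() {
    sed -n 's/^rootdn[ \t]*"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1"
}

# lint_smb_conf SMB_CONF SLAPD_CONF: print one line per finding, nothing
# when the config is clean. Always returns 0 so it is safe under set -e.
lint_smb_conf() {
    conf="$1"; slapd="$2"
    wg=$(smb_param "$conf" "workgroup"); nb=$(smb_param "$conf" "netbios name")
    [ "$wg" = "$nb" ] && echo "workgroup and netbios name are both '$wg'; they must differ"
    case "$(smb_param "$conf" "passdb backend")" in
        ldapsam*)
            for p in "passwd program" "passwd chat"; do
                [ -n "$(smb_param "$conf" "$p")" ] && echo "'$p' is set but not needed with ldapsam"
            done ;;
    esac
    rootdn=$(slapd_rootdn "$slapd"); admindn=$(smb_param "$conf" "ldap admin dn")
    [ -n "$rootdn" ] && [ "$admindn" != "$rootdn" ] && echo "ldap admin dn '$admindn' does not match slapd rootdn '$rootdn'"
    grep -q '^[ \t]*\[profiles\]' "$conf" || echo "no [profiles] share defined for roaming profiles"
    return 0
}

# finding_count SMB_CONF SLAPD_CONF: number of lines lint_smb_conf prints.
finding_count() {
    lint_smb_conf "$1" "$2" | wc -l | tr -d ' '
}

echo "== findings for the config as posted"; lint_smb_conf "$SMB_BAD" "$SLAPD_CONF"
echo "== findings for the corrected config"; lint_smb_conf "$SMB_FIXED" "$SLAPD_CONF"
```

Run against a real installation by pointing `lint_smb_conf` at /etc/samba/smb.conf and /etc/openldap/slapd.conf instead of the constructed files; the rootdn check only fires when a rootdn is actually found, so an OLC-style (cn=config) setup without slapd.conf simply skips it.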
