[Samba] Some questions about Samba and LDAP

Olivier Nicole on at cs.ait.ac.th
Fri Apr 10 11:09:47 GMT 2009


Hello,

I have been using Samba for years (logging in to the PC, file and
printer sharing) and recently I have had an LDAP server running and
serving authentication to a few Unix systems (mail, web, Zope, ssh,
etc.)

Now that I have set up a new server to use with Samba, I would like to
integrate Samba into the existing LDAP.

All the documentation I could find so far is about creating an LDAP
service from scratch, which is not my case.

My questions are:

- In the slapd configuration, what is the minimum access (ACL) that
  should be granted to the various attributes of the samba schema? By
  default my LDAP server is quite protected and allows no access to
  any attribute, unless specified otherwise.

  I could find:

  ## allow the "ldap admin dn" access, but deny everyone else
  access to attrs=SambaLMPassword,SambaNTPassword
     by dn="cn=Samba Admin,ou=People,dc=quenya,dc=org" write
     by * none

  But what about the other attributes?

- I have my users database existing in LDAP, how can I add Samba
  support? I understand that I should modify the objectClass of each
  user to include sambaSamAccount, but then each user must also have
  an attribute sambaSID. How can I generate that attribute?

- Is there a way to implement a filter on the list of users? Nss_ldap
  and pam_ldap, for example, allow configuring an optional filter, so
  only the users with the correct attribute will have access to a
  specific service (I separate the users that can log in to their Unix
  account on the machine from the users that can use a specific service
  on that machine). Is there a similar filter with Samba or should I
  differentiate by using or not using objectClass sambaSamAccount?

- Everything I have read so far mentions updating the sambaLMPassword
  and sambaNTPassword with the command smbpasswd. I already have a set
  of tools that I use to manage the user accounts (and that synchronize
  account/password on many systems (database, radius, etc.)). What can
  I use to manage sambaLM/NTPassword within my local tools?

Best regards,

Olivier

