[Samba] Re: Some questions about Samba and LDAP

jamrock news_jamrock at yahoo.com
Sat Apr 11 14:02:27 GMT 2009

"Olivier Nicole" <on at cs.ait.ac.th> wrote in message
news:200904101109.n3AB9lAi026084 at banyan.cs.ait.ac.th...
> - in slapd configuration, what are the minimum accesses (ACL) that
>   should be granted to the various attributes of samba schema? By
>   default my LDAP server is quite protected and allows no access to
>   any attribute, unless specified otherwise.
>   I could find:
>   ## allow the "ldap admin dn" access, but deny everyone else
>   access to attrs=SambaLMPassword,SambaNTPassword
>      by dn="cn=Samba Admin,ou=People,dc=quenya,dc=org" write
>      by * none

You may want to add the following:

by self write
by * auth

This should allow the user to change his password and authenticate against
his password.

>   But what about the other attributes?

From what I have seen the users do not need access to the other attributes.
Samba checks them but not the user.

> - I have my users database existing in LDAP, how can I add Samba
>   support?

I don't know of any easy way.  I would do it the other way around.  I would
create a new Samba ldap directory using the standard approach.  I would then
add the Samba accounts.  I would dump out the existing ldap directory to an
ldif file and then use ldapmodify to add the other attributes to the samba

I have never tested this but this is the approach I would try.

>   I understand that I should modify the objectClass of each
>   user to include sambaSamAccount, but then each user must also have
>   an attribute sambaSID. How can I generate that attribute?

The smb-ldap tools are the best way to create the initial ldap entries for
Samba.  They create the standard Windows groups such as domain
administrators, guests, domain users, etc.  In addition, they allow you to
manage the addition and deletion of Samba accounts via ldap.

The SID is created the first time you start Samba.  The scripts add the
SID to each ldap account.

See chapter 5 "Making Happy Users" of Samba by Example.  The book is
available on www.samba.org.

> - Is there a way to implement a filter on the list of users? Nss_ldap and
>   pam_ldap, for example, allow one to configure an optional filter, so only
>   the users with the correct attribute will have access to a specific
>   service (I separate the users that can log in to their Unix account
>   on the machine from the users that can use a specific service on
>   that machine). Is there a similar filter with Samba, or should I
>   differentiate with the use/non-use of objectClass sambaSamAccount?

AFAIK, accounts that do not have the Samba specific attributes will not be
recognized by Samba.

> - All what I read so far mention updating the sambaLMPassword and
>   sambaNTPassword with the command smbpasswd. I already have a set of
>   tools that I use to manage the users account (and that synchronize
>   account/password on many systems (database, radius, etc)), what can
>   I use to manage sambaLM/NTPassword within my local tools?

I use the Windows NT tools User Manager for Domains and Server Manager.
They should be located on a Samba share and accessed from a Windows

I manage user passwords differently from you.  I put the following line in
my smb.conf file:

ldap passwd sync = yes

When a user changes his Windows password, it changes the standard passwd
value in ldap.

> Best regards,
> Olivier
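The ACL fragments from the quoted question and the reply, assembled into one ordered slapd.conf access block. This is an added example, not the poster's or Samba's own configuration; the admin DN and suffix are taken from the quoted message and the catch-all rule is an assumption to adapt to the local policy.

```conf
# Added example: slapd.conf ACLs for a Samba (ldapsam) directory.
# OpenLDAP evaluates "access to" clauses in order and uses the first one
# whose target matches; within a clause the first matching "by" line wins.
# So the password rule must come before any "access to *" catch-all, and
# "by self write" must come before "by * auth", or users would only get auth.

# Password hashes: the Samba admin DN writes them, a user may change his
# own, everyone else may only bind against them. The "auth" level lets the
# bind succeed but never returns the value in a search result.
# userPassword is included because "ldap passwd sync = yes" makes Samba
# (binding as the admin DN) rewrite it when a Windows password changes.
access to attrs=sambaLMPassword,sambaNTPassword,userPassword
    by dn="cn=Samba Admin,ou=People,dc=quenya,dc=org" write
    by self write
    by * auth

# Other Samba attributes: only Samba itself (as the admin DN) reads and
# writes them; ordinary users need no access, as the reply notes.
# (These four attribute names come from the standard samba.schema.)
access to attrs=sambaSID,sambaPrimaryGroupSID,sambaAcctFlags,sambaPwdLastSet
    by dn="cn=Samba Admin,ou=People,dc=quenya,dc=org" write
    by * none

# Catch-all for the remaining (posixAccount etc.) attributes; assumed here,
# replace with the site's existing default policy.
access to *
    by dn="cn=Samba Admin,ou=People,dc=quenya,dc=org" write
    by users read
    by * none
```

Because Samba performs all directory writes as the "ldap admin dn", the "by self write" line only matters when users change the hash with their own credentials (for instance through the smbldap tools); Windows-initiated changes go through the admin DN.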
