[Samba] Adding existing ldap users as Samba users

Jason Voorhees jvoorhees1 at gmail.com
Thu Mar 5 21:59:30 GMT 2009


On Thu, Mar 5, 2009 at 4:35 PM, John H Terpstra - Samba Team
<jht at samba.org> wrote:
> Jason Voorhees wrote:
>> Hi people:
>> I have a LDAP server running OpenLDAP that serves authentication
>> purposes to services like ftp, imap, openvpn, etc. Now I implemented a
>> Samba PDC based on LDAP.
>> I did the configuration with Samba 3.2.5 on Debian Etch and
>> smbldap-tools. I was able to join a WinXP workstation to my domain
>> without problems but I can't login with any existing user in my LDAP
>> directory.
>> Then I added my user to the Samba database with "smbpasswd -a myuser"
>> with the same current password of myuser. Now, I need to enable all
>> LDAP users as Samba users but I don't want to run "smbpasswd" for
>> every user because I don't know their passwords.
> Have these users previously used Samba to connect to this server?  Do
> you have an smbpasswd file or a tdbsam file?
No, they never used Samba to connect to the server nor login to the
domain. My current PDC is a Windows NT Server 4.0.
I'm using ldapsam as "passdb backend" pointing to my LDAP server that
is in my network.

> If so, there is an easy way to migrate the SambaSAM account information
> so long as the uid and gid for each user has not changed. You can then
> execute:
> pdbedit -i smbpasswd -e ldapsam
> or
> pdbedit -i tdbsam -e ldapsam
> Those actions should copy the NT passwords into a SambaSAM account
> extenstion in your LDAP directory.
This would not be applicable to my case, right? Any idea?

>> What could be the solution to convert all my ldap users as samba
>> users?
> The UNIX password hashes can not be converted into NT password hashes.
>> Simply adding the corresponding objectClass and samba
>> attributes to the users ldap entries would be enough? If this is true,
>> what value should I use for sambaNTPassword, sambaPasswordHistory,
>> sambaSID, among other samba attributes?
>> I hope some can help me a bit :(
>> Thanks :)
> Cheers,
> John T.

More information about the samba mailing list