[Samba] Samba 3.0.28a and LDAP on ubuntu 8.04

Marcello Lupo mlist at itspecialist.it
Wed Aug 25 09:12:43 MDT 2010 

Hi to all,
i'm facing some problem of integration with LDAP on the release in object.
In my scenario i want to use Samba +  LDAP to have all servers on the network to have all same UID and GID for all the shares on all Linux servers (included the shares on the main PDC server).
Clients are mixed Windows and Linux.
Samba + LDAP on the ubuntu server is acting as PDC for the domain (no windows servers on the domain) and all the other linux server should take the UID and GID form the PDC using samba+winbind using idmap backend on LDAP.
What is happening is that i'm not able to have the PDC to join in the domain itself. Not even the wbinfo -u and wbinfo -t are working. Only the wbinfo -g is returning :

BUILTIN/users
BUILTIN/administrators

I was able to let the PDC join the domain (net rpc join) only after an upgrade of the samba packages through an apt-get install of samba packages itself.
I saw during the process that the system performed something like an initialization of the passdb.tdb and secrets.tdb putting all the system and ldap users (recovered form the ldap DB) in it.
After this join i tried to change some UID in the LDAP DB nut the OS was still taking the UID in  the passdb.tdb and no the new one i updated in the LDAP.
I'm wondering if this is correct and eventually how to reproduce this kind of initialization if it is correct. I'm trying every time to start form scratch and understand the way it works deleting all the content of the samba files (/var/lib/samba and var/run/samba) .
As i know samba + LDAP should rely only on LDAP DB except for the LDAP Admin DN password that should be saved in the secrets.tdb with smbpasswd -w command. I understood that no use of passdb.tdb is made in LDAP config. Correct me if i'm wrong please.

I used smbldap tools to populate the LDAP.
I need that the PDC use winbind and idmap itself to get UID and GID of domain users so to have all aligned.
If i put the ldap parameter in /etc/nsswitch.conf the resolution of UID and GID work perfectly (getent passwd and group) . If i put winbind it is not working.

This is my config :

[global]
   log level = 100
   workgroup = DOMAIN
   server string = %h New Samba server
   wins support = yes
   dns proxy = no
   interfaces = eth0
   bind interfaces only = true
   log file = /var/log/samba/log.%m
   max log size = 10000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = user
   encrypt passwords = true
   passdb backend = ldapsam:ldap://localhost:389
   ldap suffix	  = dc=domain,dc=locale
   ldap delete dn = yes
   ldap admin dn = cn=admin,dc=domain,dc=locale
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   ldap passwd sync = Yes
   ldapsam:trusted=yes
   ldapsam:editposix=yes
  idmap alloc backend = ldap
  idmap alloc config:ldap_url	= ldap://localhost:389/
  idmap alloc config:ldap_base_dn = ou=Idmap,dc=domain,dc=locale
  idmap backend = ldap:ldap://localhost:389
  idmap uid = 10000-20000
  idmap gid = 500-20000
  idmap domains = BUILTIN DOMAIN
  idmap config DOMAIN:backend = ldap
  idmap config DOMAIN:readonly = no
  idmap config DOMAIN:default = yes
  idmap config BUILTIN:backend = ldap
  idmap config BUILTIN:readonly = no
  idmap config BUILTIN:default = no
  template shell = /bin/bash
  template homedir = /home/users/%U
   obey pam restrictions = no
   guest account = nobody
   add user script = /usr/sbin/smbldap-useradd -m "%u"
   delete user script = /usr/sbin/smbldap-userdel "%u"
   add machine script = /usr/sbin/smbldap-useradd -w "%u"
   add group script = /usr/sbin/smbldap-groupadd -p "%g"
   delete group script = /usr/sbin/smbldap-groupdel "%g"
   add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
   set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
   lanman auth = no
   unix password sync = no
   pam password change = no
map to guest = bad user
   domain logons = yes
   logon path = \\%L\profiles\%U\.win-profile\%a
   logon drive = H:
   logon home = \\%L\profiles\%U\.win-profile\%a
   logon script = %m.bat
   socket options = TCP_NODELAY
   domain master = yes
   preferred master =yes 
   winbind enum groups = yes
   winbind enum users = yes
   winbind use default domain = no
   winbind separator = /
   usershare allow guests = yes

Any hint?
Thank you all.
Bye,
Marcello

More information about the samba mailing list