[Samba] Samba - OpenLDAP User Mapping

fuzzy_4711 fuzzy_4711 at gmx.de
Fri Aug 26 04:39:02 MDT 2011

Hi Daniel

-------- Original - Text --------

I have to say I run on OpenSUSE 11.4 and I hate it for doing things not
transparent to the user like shown in the config file below.

> Did you getent passwd and getent group.
> And all ldap users and groups are shown up?
I can confirm this.
> Did you do at least install an ldap-client and ldapauth on your linux box?
Yes for the ldap-client and no for ldapauth - haven't even heard of it
so far. I am able to log in using a ldap user which is not locally
defined at the samba box, if this answers the background of your question.
> Do you talk to ldap with winbind, ldapsam:editposix?

It is ldapsam, here is an extract of my smb.conf:

passdb backend = ldapsam:ldap://ldap.mytld.de
set primary group script = ldapsmb -m -u "%u" -gid "%g"
add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$
logon path = \\%L\profiles\.msprofile
logon drive = P:
logon home = \\%L\%U\.9xprofile
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
ldap admin dn = cn=Manager,dc=mytld,dc=de
ldap group suffix = ou=Group
ldap machine suffix = ou=Computers
ldap passwd sync = yes
ldap suffix = dc=mytld,dc=de
ldap ssl = no #testing only
ldap user suffix = ou=People

Your answer opened my eyes and I started wondering about the "add
machine script" and the "set primary group script" entries in my config.
I even do not have the ldapsmb rpm installed on the file server, but it
is installed (automatically by YaST) at the ldap box. I never used it,
it must have been installed and configured by YaST automatically.

Also it is not clear to me, why one need the add machine scpript. I
digged into the code and saw that it will read my smb.conf, get the
password from secret.tdb, do a connection to my ldap server, add a user
and a machine below Computers in the DIT.

map<string,any> config_map = $[
        "bind_pw"               : passwd,
        "bind_dn"               : bind_dn,
        "user_base"             : ldap_machine_suffix+","+ldap_suffix,
        "type"                  : "ldap",
        "plugins": [ "UsersPluginLDAPAll", "UsersPluginSamba" ],
map<string,any> data_map = $[
        "uid" : value,
        "givenName" : "Machine",
        "cn" : value,
        "sn" : "Machine",
        "userPassword"  : "*",
        "loginShell" : "/bin/false",
        "homeDirectory" : "/var/lib/nobody",
        "create_home" : false,

// add the user
y2milestone (YaPI::USERS::UserAdd (config_map, data_map) );


Please tell me what is going on in the background so that I am able to
understand what to do. As said before, connecting the ldap server and
gathering information from there seems to work since I am able to see it
in the smb logs.

Is there a maybe a sequence diagramm available about what is going on
when a share wants to be opened? I saw something for winbind with unix
UID to samba SID but I got confused. It is not clear to me,  when using
winbind. Also your Question
"Do you talk to ldap with winbind, ldapsam:editposix? " in this context
is not clear to me. Does it mean either winbind or ldapsam should be
used or are they used together?

I guess I go and find me a serious job...


More information about the samba mailing list