[Samba] Adding LDAP Backend to Samba

John H Terpstra jht at samba.org
Sat Feb 12 07:15:54 MST 2011

On 02/12/2011 02:16 AM, J. Echter wrote:
> On 05.02.2011 10:33, J. Echter wrote:

> Can nobody tell me where the accounts have to be? Is it correct that
> idmap is empty?

Manageability, performance and readability are the key reasons for
putting group accounts into an ou=groups, for having user accounts
under ou=users, and machine accounts under another ou.

It is quite possible to store all the accounts directly off the root of
the LDAP directory - it will work if everything else is configured
correctly.  This is certainly NOT a recommended configuration, but it
can work.

You need to make sure that the "everything else" of your configuration
is correct.  If you do not understand how the pieces all fit together
life gets a bit challenging.

The following need to be configured:

You need to install and configure an NSS LDAP library.  If you use
nss_ldap (from http://www.padl.com), the configuration file (ldap.conf)
must be correctly configured.  This file is often located (compile time
option) in /etc.

When this has been correctly configured you will see all LDAP user
accounts when you execute:

	getent passwd

You should also see all LDAP group accounts when you execute:

	getent group

If these two commands do not work - you need to fix that.  Samba relies
on being able to resolve POSIX user and group information by simple
calls to the getpwent() family of system calls.

Next, it is necessary to install and configure the toolset you want to
use to maintain and manage accounts in the LDAP directory.  Many people
make use of the smbldap-tools package.  After installation and
configuration, use the appropriate tool to validate account information.
For example:

	smbldap-usershow jackb

#> smbldap-usershow tfarmer

dn: uid=tfarmer,ou=People,ou=Users,dc=world,dc=org
cn: tfarmer
sn: tfarmer
givenName: tfarmer
uid: tfarmer
uidNumber: 1021
gidNumber: 513
homeDirectory: /users/tfarmer
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: tfarmer
sambaSID: S-1-5-21-726309263-4128913645-1188186429-3042
sambaPrimaryGroupSID: S-1-5-21-726309263-4128913645-1188186429-513
sambaLogonScript: scripts\logon.bat
sambaProfilePath: \\%L\profiles\tfarmer
sambaHomePath: \\SWEVWE\tfarmer
sambaHomeDrive: H:
sambaAcctFlags: [U]
sambaNTPassword: 4A9F7B6CEFB63E5733F4C44E3DD93362
sambaPwdLastSet: 1264562105
sambaPwdMustChange: 1268450105
userPassword: {SSHA}XrAzItbFAgDFa6BhdffC6s+L6QEyYbBL
shadowLastChange: 14636
shadowMax: 45

#> smbldap-groupshow engineers
dn: cn=Engineers,ou=Groups,dc=world,dc=org
objectClass: posixGroup,sambaGroupMapping
cn: Engineers
gidNumber: 1009
sambaSID: S-1-5-21-726309263-4128913645-1188186429-401050
sambaGroupType: 2
displayName: Engineers
description: Finely Trained Technicians
memberUid: tfarmer,dlop,jb

It is also necessary to correctly configure Samba.  Please refer to
chapter 5 of the book "Samba4-ByExample" available from your local
bookstore or on-line from:


Chapter 5 systematically steps through the process of installation and
configuration of a complete Novell SLES (OpenSUSE)-based Samba/LDAP

The example is based on SLES, but it applies for the most part also for
RHEL and Fedora.

John T.
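The post's advice boils down to two checks: NSS must resolve the LDAP accounts (getent), and the entries themselves must be internally consistent so that Samba can map them. The script below is an added example, not part of John's reply or of smbldap-tools. It embeds the tfarmer and Engineers entries from the post as sample data, adds a constructed "Domain Users" group entry (gidNumber 513, RID 513, the smbldap-populate default) so that the user's primary group can be resolved, and applies consistency rules that are my own choice: both SIDs share the domain SID, the gidNumber maps to a group whose sambaSID equals sambaPrimaryGroupSID, the account carries the U flag and no D flag, and the password timestamps are ordered. It also shows a deliberately broken copy where the primary group SID belongs to a different domain, the kind of mismatch left behind when the local SID changes after a reinstall.

```shell
#!/bin/sh
# Added example (not from the original post or smbldap-tools): consistency
# checks for a Samba/LDAP user entry as printed by smbldap-usershow, plus the
# getent check described in the post. Sample data is embedded so it runs offline.

# Sample user: the tfarmer entry from the post, reduced to the attributes checked.
SAMPLE_USER='dn: uid=tfarmer,ou=People,ou=Users,dc=world,dc=org
uid: tfarmer
uidNumber: 1021
gidNumber: 513
sambaSID: S-1-5-21-726309263-4128913645-1188186429-3042
sambaPrimaryGroupSID: S-1-5-21-726309263-4128913645-1188186429-513
sambaAcctFlags: [U]
sambaPwdLastSet: 1264562105
sambaPwdMustChange: 1268450105'

# Sample groups: "Domain Users" is constructed for this example (smbldap-populate
# default gid 513 / RID 513); "Engineers" is the entry shown in the post.
SAMPLE_GROUPS='dn: cn=Domain Users,ou=Groups,dc=world,dc=org
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-726309263-4128913645-1188186429-513
sambaGroupType: 2

dn: cn=Engineers,ou=Groups,dc=world,dc=org
cn: Engineers
gidNumber: 1009
sambaSID: S-1-5-21-726309263-4128913645-1188186429-401050
sambaGroupType: 2
memberUid: tfarmer,dlop,jb'

# ldif_attr ATTR: print the first value of ATTR from a single LDIF entry on stdin.
ldif_attr() {
    awk -v a="$1:" '$1 == a { sub(/^[^:]*:[ ]*/, ""); print; exit }'
}

# sid_domain SID / sid_rid SID: split "S-1-5-21-...-RID" into domain part and RID.
sid_domain() { printf '%s\n' "${1%-*}"; }
sid_rid()    { printf '%s\n' "${1##*-}"; }

# group_sid_for_gid GID: read blank-line-separated group entries on stdin and
# print the sambaSID of the group whose gidNumber is GID (empty if none).
group_sid_for_gid() {
    awk -v gid="$1" 'BEGIN { RS = "" }
        {
            hit = 0; sid = ""
            for (i = 1; i < NF; i++) {
                if ($i == "gidNumber:" && $(i+1) == gid) hit = 1
                if ($i == "sambaSID:") sid = $(i+1)
            }
            if (hit) { print sid; exit }
        }'
}

# check_nss USER GROUP: the getent test from the post. To be run on the server
# itself; if this fails, Samba cannot resolve the account either.
check_nss() {
    getent passwd "$1" >/dev/null 2>&1 && getent group "$2" >/dev/null 2>&1
}

# check_user_entry USER_LDIF GROUPS_LDIF: return 0 if the entry is consistent,
# otherwise print one FAIL line per problem and return 1.
check_user_entry() {
    user=$1; grp_ldif=$2; rc=0
    uid=$(printf '%s\n' "$user" | ldif_attr uid)
    uidn=$(printf '%s\n' "$user" | ldif_attr uidNumber)
    gidn=$(printf '%s\n' "$user" | ldif_attr gidNumber)
    sid=$(printf '%s\n' "$user" | ldif_attr sambaSID)
    pgsid=$(printf '%s\n' "$user" | ldif_attr sambaPrimaryGroupSID)
    flags=$(printf '%s\n' "$user" | ldif_attr sambaAcctFlags)
    lastset=$(printf '%s\n' "$user" | ldif_attr sambaPwdLastSet)
    mustchange=$(printf '%s\n' "$user" | ldif_attr sambaPwdMustChange)

    # POSIX side: getpwnam() needs numeric uidNumber and gidNumber.
    for v in "$uidn" "$gidn"; do
        case "$v" in ""|*[!0-9]*) echo "FAIL $uid: uidNumber/gidNumber missing or non-numeric"; rc=1;; esac
    done
    # Both SIDs must carry the same domain SID (the one "net getlocalsid" prints).
    [ -n "$sid" ] && [ "$(sid_domain "$sid")" = "$(sid_domain "$pgsid")" ] \
        || { echo "FAIL $uid: sambaSID and sambaPrimaryGroupSID are in different domains"; rc=1; }
    # The POSIX primary group must have a sambaGroupMapping whose SID is the primary group SID.
    gsid=$(printf '%s\n' "$grp_ldif" | group_sid_for_gid "$gidn")
    [ "$gsid" = "$pgsid" ] \
        || { echo "FAIL $uid: gidNumber $gidn maps to '${gsid:-no group}', not $pgsid"; rc=1; }
    # Must be a user account (U) that is not disabled (D).
    case "$flags" in *U*) ;; *) echo "FAIL $uid: sambaAcctFlags lacks U"; rc=1;; esac
    case "$flags" in *D*) echo "FAIL $uid: account is disabled (D flag)"; rc=1;; esac
    # Password-change timestamps must be ordered.
    [ "${mustchange:-0}" -ge "${lastset:-0}" ] \
        || { echo "FAIL $uid: sambaPwdMustChange precedes sambaPwdLastSet"; rc=1; }
    return $rc
}

# Constructed failure case: primary group SID from a different domain SID.
BROKEN_USER=$(printf '%s\n' "$SAMPLE_USER" \
    | sed 's/^sambaPrimaryGroupSID: .*/sambaPrimaryGroupSID: S-1-5-21-1-2-3-513/')

check_user_entry "$SAMPLE_USER" "$SAMPLE_GROUPS" && echo "tfarmer: OK"
check_user_entry "$BROKEN_USER" "$SAMPLE_GROUPS" || echo "broken copy rejected as expected"
```

On a live server, pipe the real output in instead of the embedded strings, for example `check_user_entry "$(smbldap-usershow tfarmer)" "$(ldapsearch -x -LLL -b ou=Groups,dc=world,dc=org objectClass=sambaGroupMapping)"`, and run `check_nss tfarmer 'Domain Users'` first; the two tests together cover the "everything else" the post says must be right before the placement of the ou's matters.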
