[Samba] need recipe for samba to do user authentication against a centos 5.5 openldap server (NO IDMAPS! NO PDC!)

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Jun 8 07:48:01 MDT 2011

In most cases, your users will have separate unix and windows 
passwords.  Assuming you have password sync working (various ways to do 
this) this will still appear to be a single password to the users.

Use something like Apache Directory Studio to verify that you can login 
to LDAP with the credentials specified to samba.

My smb.conf includes


[global]
         workgroup = MYDOMAIN
         server string = myserver
         netbios name = MYSERVER

         # ldapsam backend; the bind password for "ldap admin dn" is stored with smbpasswd -w
         passdb backend = ldapsam:ldap://myldapserver.mydomain.com
         domain logons = yes
         preferred master = yes
         domain master = yes
         local master = yes
         dns proxy = No
         wins support = yes

         # "ldap user suffix" and "ldap machine suffix" are relative to "ldap suffix"
         ldap suffix = o=mydomain.com
         ldap user suffix = ou=people
         ldap machine suffix = ou=people
         ldap admin dn = "cn=Directory Manager"
         ldap ssl = no
         ldap passwd sync = no

         # unix password sync hands the new password to an external script that updates LDAP
         passwd program = /etc/samba/smbldappasswd.sh %u
         passwd chat = *New* %n\n *changed*
         unix password sync = yes

[netlogon]
         comment = Network Logon Service
         path = /export/samba/netlogon
         read only = no
         guest ok = Yes
         share modes = No
         write list = @Administrators


The ldap admin is the built-in default LDAP admin on my server.

You may need to explicitly create unix groups and group mappings for 
well-known Windows groups:

net groupmap add ntgroup="Domain Admins" unixgroup=100512 rid=512
net groupmap add ntgroup="Domain Users" unixgroup=100513 rid=513
net groupmap add ntgroup="Domain Guests" unixgroup=100514 rid=514
net groupmap add ntgroup="Domain Computers" unixgroup=100515 rid=515
net groupmap add ntgroup="Domain Controllers" unixgroup=100516 rid=516

You also need to create a unix account for the Administrator.

You will need unix and samba accounts for each machine, including the PDC:

# smbpasswd -a -m MACHINENAME

And I think you need to join the domain

  net rpc join -S MYSERVER -W MYDOMAIN -U Administrator

My PDC is a Solaris server.  I think on Linux machines you may NOT want 
to include the quotes in the ldap admin account name.

I couldn't get ldap password sync to work, so I use standard unix password 
sync, which calls an external script to handle setting the LDAP passwords.

On 06/03/2011 10:46 PM, Clayton Hill wrote:
> Hi all,
> Please help, I've been wasting days at this...
> I am not trying to create a PDC, I am not joining an active directory, I am
> not needing samba schema in my openldap (or do I?), I am not trying to use
> winbind and idmaps for translations from SID to UID/GID, I just want my
> samba server which shares linux home directories to authenticate
> user+password against my existing linux based openldap server.
> These are already POSIX accounts on the openldap server, so the UID and GID
> need no translation AFAIK
> All I want to do is have users log into the samba share with their openldap
> Linux accounts.
> Unfortunately this is not working... at all.
> Samba ver:
> samba3x-3.3.8-0.52.el5_5.2
> openldap ver:
> 2.3   (shouldn't matter)
> my smb.conf :
> -----------------------------------------------------------------------------------
> [global]
>          server string = %h server
>          passdb backend = ldapsam:ldap://ldap.domain.com
> # looks like this syntax is deprecated. What's the correct syntax? smb.conf
> manpage is not making sense to me....
>          security = user
>          ldap passwd sync = yes
> # is this needed?
>          ldap ssl = no
>          ldap admin dn = cn=superadmin,dc=domain,dc=com
>          ldap suffix = dc=domain,dc=com
>          ldap user suffix = ou=People
>          ldap group suffix = ou=Group
> [Shared]
>          comment = Shared Directories
>          path = /shared
>          read only = No
>          create mask = 0600
>          directory mask = 0700
> --------------------------------------------------------------------------------------------------------------
> I then did
> smbpasswd -w myadmindnpasswd
> I'm super confused as to why the above syntax isn't sufficient, and the howtos
> out there are all not very helpful and use deprecated syntax....
> log level 2 snippet:
> -------------------------------------------------------------------------------------------------------------------------------------------
> [2011/06/03 19:25:00,  2] lib/smbldap_util.c:smbldap_search_domain_info(277)
>    smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=SV3))]
> [2011/06/03 19:25:00,  2] lib/smbldap.c:smbldap_open_connection(796)
>    smbldap_open_connection: connection opened
> [2011/06/03 19:25:00,  1] lib/smbldap_util.c:add_new_domain_info(233)
>    add_new_domain_info: failed to add domain dn=
> sambaDomainName=SV3,dc=domain,dc=com with: Invalid DN syntax
>          invalid DN
> [2011/06/03 19:25:00,  0] lib/smbldap_util.c:smbldap_search_domain_info(310)
>    smbldap_search_domain_info: Adding domain info for SV3 failed with
> [2011/06/03 19:25:00,  2] passdb/pdb_ldap.c:pdb_init_ldapsam(6259)
>    pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the
> domain
>    pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new
> users/groups, and will risk BDCs having inconsistant SIDs
> -------------------------------------------------------------------------------------------------------------------------------------------
> this doesn't look good at all...  btw the samba server's hostname is SV3, why
> is it using the syntax "domain dn= sambaDomainName=SV3,dc=domain,dc=com"?
> This seems not to jibe with what is in the smb.conf file, and I have no such
> entry for the hostname of this samba server "SV3" or the string "dn=
> sambaDomainName" specified anywhere in the configuration... I could of
> course be interpreting this log incorrectly..
> please help! :-)
> Cheers,
> -Clayton
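Editor's note, with an added example that is not code from either poster. Two things in this thread are worth pinning down. First, the ldapsam backend does require the Samba schema (samba.schema: objectClasses sambaDomain, sambaSamAccount, sambaGroupMapping) to be loaded on the OpenLDAP server: the "Invalid DN syntax" in the log above is what slapd returns when the attribute type in an RDN (sambaDomainName) is not defined in its schema. Second, the SV3 in that DN is not an error: on a server without "domain logons = yes" Samba's SAM name is its NetBIOS name, which defaults to the unqualified hostname, and the domain entry it searches for and tries to create is sambaDomainName=<SAM name>,<ldap suffix>. The script below shows both: it parses an smb.conf fragment the way Samba interprets it, derives the DNs ldapsam will use, checks a cn=Subschema dump for the samba.schema attribute types, and emits the LDIF equivalent of the "net groupmap add" lines in the reply. The helper names are hypothetical, the smb.conf input is the [global] section from the original post, and the subschema excerpts (including their OIDs) are constructed for illustration.

```python
"""Derive what Samba's ldapsam backend expects to find in OpenLDAP.
Added example, not code from this thread; helper names are hypothetical."""
import re

# Attribute types that only samba.schema defines; a stock OpenLDAP lacks them.
SAMBA_ATTRS = ("sambaDomainName", "sambaSID", "sambaNTPassword")

WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   514: "Domain Guests", 515: "Domain Computers",
                   516: "Domain Controllers"}

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {param: value}}, keys lower-cased."""
    conf, section = {}, "global"  # parameters before any [section] are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        head = re.match(r"\[(.+)\]$", line)
        if head:
            section = head.group(1).lower()
            continue
        if "=" in line:
            key, val = line.split("=", 1)
            conf.setdefault(section, {})[" ".join(key.split()).lower()] = val.strip()
    return conf

def sam_name(glob, hostname):
    """Name ldapsam looks up in sambaDomainName: the workgroup on a DC (domain
    logons = yes), else the NetBIOS name, which defaults to the short hostname."""
    if glob.get("domain logons", "no").lower() in ("yes", "true", "1"):
        return glob.get("workgroup", "WORKGROUP").upper()
    return glob.get("netbios name", hostname.split(".")[0]).upper()

def ldapsam_dns(glob, hostname):
    """DNs ldapsam derives; 'ldap * suffix' values are relative to 'ldap suffix'."""
    suffix = glob["ldap suffix"]

    def under(key):
        rel = glob.get(key)
        return f"{rel},{suffix}" if rel else suffix

    return {"domain": f"sambaDomainName={sam_name(glob, hostname)},{suffix}",
            "users": under("ldap user suffix"),
            "machines": under("ldap machine suffix"),
            "groups": under("ldap group suffix"),
            "admin": glob["ldap admin dn"].strip('"')}

def missing_samba_attrs(subschema_ldif):
    """samba.schema attribute types absent from a cn=Subschema attributeTypes
    dump. If sambaDomainName is unknown to the server, an add of
    sambaDomainName=...,<suffix> fails as an invalid DN (unresolvable RDN type)."""
    present = set()
    for clause in re.findall(r"NAME\s+(\([^)]*\)|'[^']*')", subschema_ldif):
        present.update(re.findall(r"'([^']+)'", clause))
    return [a for a in SAMBA_ATTRS if a not in present]

def groupmap_ldif(domain_sid, groups_dn, gid_by_rid):
    """LDIF equivalent of 'net groupmap add ntgroup=... unixgroup=<gid> rid=<rid>'
    for the well-known groups (sambaGroupType 2 = domain group)."""
    entries = []
    for rid, name in WELL_KNOWN_RIDS.items():
        entries.append("\n".join([f"dn: cn={name},{groups_dn}",
                                  "objectClass: posixGroup",
                                  "objectClass: sambaGroupMapping",
                                  f"cn: {name}",
                                  f"gidNumber: {gid_by_rid[rid]}",
                                  f"sambaSID: {domain_sid}-{rid}",
                                  "sambaGroupType: 2"]))
    return "\n\n".join(entries) + "\n"

# Constructed input: the [global] section from the original post.
SMB_CONF = """[global]
        server string = %h server
        passdb backend = ldapsam:ldap://ldap.domain.com
        security = user
        ldap admin dn = cn=superadmin,dc=domain,dc=com
        ldap suffix = dc=domain,dc=com
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
"""

# Constructed cn=Subschema excerpts (OIDs illustrative): stock, then with samba.schema.
SUBSCHEMA_STOCK = """attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
attributeTypes: ( 1.3.6.1.1.1.1.1 NAME 'gidNumber' EQUALITY integerMatch )
"""
SUBSCHEMA_SAMBA = SUBSCHEMA_STOCK + """attributeTypes: ( 1.3.6.1.4.1.7165.2.1.14 NAME 'sambaDomainName' )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' )
"""

if __name__ == "__main__":
    g = parse_smb_conf(SMB_CONF)["global"]
    for k, v in ldapsam_dns(g, "SV3.domain.com").items():
        print(f"{k:9}{v}")
    print("missing on stock server:", missing_samba_attrs(SUBSCHEMA_STOCK))
    print(groupmap_ldif("S-1-5-21-1-2-3", "ou=Group,dc=domain,dc=com",
                        {r: 100000 + r for r in WELL_KNOWN_RIDS}))
```

Against a live server the subschema text comes from something like ldapsearch -x -b cn=Subschema -s base attributeTypes; an empty result from missing_samba_attrs means the schema is loaded and the domain entry Samba tries to add will be accepted. The groupmap LDIF assumes the posixGroup entries already exist (or are created by it) under the groups DN and that domain_sid is the SID net getlocalsid reports for the server.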
