[Samba] How to use another attribute than the uid ?

raphael gommeaux raphael.gommeaux at gmail.com
Thu Mar 3 00:41:07 MST 2011


Hi,

I use Samba 3.5.4 as a PDC with an LDAP backend on a SLES10 server with SMP kernel
2.6.16.60-0.21.

On the LDAP server, the uid attribute can't be used for reasons beyond my control.
So I must use another attribute for the authentication (uidAuth).

In order to achieve this, I edited 3 files:
=> ldap.conf
=> smb.conf
=> nsswitch.conf

============================================================================
I have added these parameters to my ldap.conf:

pam_login_attribute uidAuth
pam_template_login_attribute uidAuth
pam_password exop

nss_base_passwd	ou=users,ou=ent,ou=box,c=fr?one?objectClass=posixAccount
nss_base_shadow ou=users,ou=ent,ou=box,c=fr?one?objectClass=shadowAccount
nss_base_group	ou=groups,ou=ent,ou=box,c=fr
nss_map_attribute uid uidAuth

=========================================================
smb.conf:

[global]
	admin users = @admins, root
	dns proxy = No
	domain logons = Yes
	domain master = Yes
	dos filetime resolution = Yes
	ldap admin dn = cn=admin,ou=adms,ou=box,c=fr
	ldap ssl = No
	ldap suffix = ou=ent,ou=box,c=fr
	ldap timeout = 25
	ldap user suffix = ou=users
	ldap machine suffix = ou=computers
	ldap group suffix = ou=groups
	obey pam restrictions = yes
	log file = /var/log/samba/%m.log
	log level = 10
	logon drive = I:
	logon path =
	logon script = %U.bat
	max log size = 5000
	name resolve order = wins host bcast lmhosts
	os level = 255
	passdb backend = ldapsam:ldap://192.168.1.50
	preferred master = Yes
	socket options = SO_KEEPALIVE TCP_NODELAY IPTOS_LOWDELAY
	time server = Yes
	update encrypted = Yes
	username map = /etc/samba/smbusers
	wins proxy = Yes
	wins support = Yes
	workgroup = DOMTEST

===================================================================
nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap

==========================================================

Results:

1) getent OK:
When I tested it with getent, I got the correct answer from the LDAP server.

2) I can't log in with Samba:
When I try to log in with Samba, the log indicates that Samba does not use
these parameters. It searches on the uid.
In the Samba log of the station I have found
"filter=>[(&(uid=john.doe)(objectClass=sambaSamAccount))]" and "couldn't
find user 'john.doe' in passdb".

--------------
Question:
Does anybody know how to force Samba to use an attribute other than the uid?
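Added example (not from the original post, and not Samba or nss_ldap code): a small Python script that builds the two lookups discussed above, the nss_ldap passwd filter after `nss_map_attribute uid uidAuth` and the ldapsam filter quoted from the Samba log, and evaluates both against a constructed directory entry with a minimal LDAP filter matcher. It shows why getent resolves the user while Samba's passdb lookup does not: the NSS attribute map only rewrites the filter that nss_ldap sends, whereas the ldapsam filter in the log uses the literal `uid` attribute. The sample entry, the attribute map and the simplified form of the nss_ldap filter are assumptions made for the example.

```python
"""Added example, not from the original post and not Samba or nss_ldap code.

Evaluates the two lookups from the thread against a constructed LDAP entry:
  - the nss_ldap passwd lookup, with `uid` remapped to `uidAuth`
  - the ldapsam lookup exactly as quoted from the Samba log
"""

# Constructed sample entry (assumption): the login name lives in uidAuth,
# while uid holds a value the site cannot change for the login name.
SAMPLE_ENTRY = {
    "objectClass": ["posixAccount", "shadowAccount", "sambaSamAccount"],
    "uid": ["jdoe-internal-id"],
    "uidAuth": ["john.doe"],
    "cn": ["John Doe"],
}

# Equivalent of `nss_map_attribute uid uidAuth` from ldap.conf (assumption:
# represented here as a simple dict used by nss_filter only).
NSS_ATTR_MAP = {"uid": "uidAuth"}


def parse_filter(text):
    """Parse a minimal RFC 4515 filter: '(attr=value)' or '(&(f1)(f2)...)'.

    Returns ('eq', attr, value) or ('and', [subfilters]). Only the two
    filter shapes that appear in the thread are supported on purpose.
    """
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at %d in %r" % (i, text))
        if text[i + 1] == "&":
            subs = []
            i += 2
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                subs.append(node)
            if i >= len(text) or text[i] != ")":
                raise ValueError("unterminated '&' in %r" % text)
            return ("and", subs), i + 1
        end = text.index(")", i)
        attr, sep, value = text[i + 1:end].partition("=")
        if not sep:
            raise ValueError("only equality filters are supported: %r" % text)
        return ("eq", attr, value), end + 1

    node, pos = parse(0)
    if pos != len(text):
        raise ValueError("trailing data in %r" % text)
    return node


def matches(entry, node):
    """Evaluate a parsed filter against an entry (attribute names and the
    values compared here are treated case-insensitively, as LDAP does for
    the attribute types in play)."""
    if node[0] == "and":
        return all(matches(entry, sub) for sub in node[1])
    _, attr, value = node
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return any(v.lower() == value.lower() for v in values)
    return False


def nss_filter(login, attr_map):
    """Simplified nss_ldap passwd filter (assumption): the attribute named
    `uid` is rewritten through nss_map_attribute before the search is sent,
    and nss_base_passwd contributes the objectClass=posixAccount clause."""
    attr = attr_map.get("uid", "uid")
    return "(&(%s=%s)(objectClass=posixAccount))" % (attr, login)


def samba_filter(login):
    """The ldapsam filter as quoted from the Samba log in the thread; it
    names the `uid` attribute directly and is not affected by ldap.conf."""
    return "(&(uid=%s)(objectClass=sambaSamAccount))" % login


def diagnose(login, entry=SAMPLE_ENTRY, attr_map=NSS_ATTR_MAP):
    """Return which of the two lookups would find `login` in `entry`."""
    return {
        "getent": matches(entry, parse_filter(nss_filter(login, attr_map))),
        "samba": matches(entry, parse_filter(samba_filter(login))),
    }


if __name__ == "__main__":
    for lookup, found in diagnose("john.doe").items():
        print("%-6s -> %s" % (lookup, "found" if found else "not found"))
```

Running the script reproduces the symptom from the post: the NSS lookup finds the entry through `uidAuth`, and the Samba lookup does not, because its filter still asks for `uid=john.doe`. The same matcher can be pointed at an exported entry from the real directory to confirm which attribute each client is actually querying.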
