[Samba] SMB+LDAP

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Aug 7 16:43:48 MDT 2012


I have a Sun (Oracle) Directory Server directory server backend.  I also
use it for unix level authentication.


Are you configuring samba as a domain controller or standalone server?

I have uid and uidNumber attributes - you want to make sure that the
samba account maps to a unix account somehow.  "pdbedit -Lv username"
will verify this.

I think with an LDAP backend it will expect "ldap admin dn" entry. This
is not usually a regular user in your company LDAP branch but is
instead an administrator.  Samba will need to write to LDAP if you add
or remove a samba user using smbpasswd or pdbedit, or if you change a
user's samba password with samba command line tools or from windows, or
if you join or remove a Windows PC to the domain, and if you join the samba
server to the domain.  (This will create domain objects.)


You can of course use LDAP tools to create the user's samba attributes.
I don't know how you would easily set the user's samba password.  You
could probably have a dummy samba machine with a local backend, set a
password, then use "smbpasswd -e" to extract the hashed value.  Maybe
there are additional tools for creating an NT password hash.


Machines will also have accounts with passwords.  The passwords may
automatically change.




On 08/07/12 17:37, Frans Lanting - IT Admin wrote:
> Hi Folks,
>
> A couple of questions about making SMB (3 or 4) authenticate to an
> external (anonymous) LDAP server:
>
> 1) A typical LDAP user record is below. Is there anything lacking in
> this record that would prevent Samba from authenticating against our
> LDAP server? Note the sambaSID is as is, gobbledygook info:
>
>
> dsAttrTypeNative:eduPersonAffiliation: Employee Member
> dsAttrTypeNative:givenName: David
> dsAttrTypeNative:homeDirectory: /afs/cats.csux.edu/users/t/dsixpack
> dsAttrTypeNative:mail: dsixpack at csux.edu
> dsAttrTypeNative:objectClass: posixAccount organizationalPerson
> csuxPerson top sambaSamAccount person inetOrgPerson csuxMain eduPerson
> dsAttrTypeNative:sambaSID: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
> dsAttrTypeNative:sn: Sixpack
> dsAttrTypeNative:csuxPersonGuID: G000242316
> AppleMetaNodeLocation: /LDAPv3/ldap-99.soe.csux.edu
> AppleMetaRecordName: uid=dsixpack,ou=People,dc=crm,dc=csux,dc=edu
> NFSHomeDirectory: /Users/dsixpack
> Password: ********
> PrimaryGroupID: 100002
> RealName:
>  David Sixpack
> RecordName: dsixpack
> RecordType: dsRecTypeStandard:Users
> UniqueID: 9239
> UserShell: /bin/bash
>
> 2) Regarding the "sudo smbpasswd -w secret" step, does this smb user
> need to exist in our LDAP or that local to the machine running the SMB
> daemon? I wasn't clear on how this step in the process is supposed to
> work.
>
> 3) Is the "ldap admin dn =" also required?
>
> Note we have read-only access to our LDAP server, though a record
> could be created for us if absolutely needed.
>
> Any help or ideas MUCH appreciated! Thanks!
>
> David
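As an added example (not from this thread or from the Samba project): a small Python check that reads an LDIF entry and reports what an ldapsam backend would be missing, including whether sambaSID is a full user SID (domain SID plus RID) under the domain SID you get from `net getlocalsid`. The sample entry and the domain SID below are constructed, modelled on the record in the question.

```python
import re
from typing import Dict, List

# What ldapsam needs on a user entry: uid/uidNumber/gidNumber tie the Samba
# account to a POSIX account (the mapping "pdbedit -Lv" shows), sambaSID is
# the identity Windows sees, sambaNTPassword is the NT hash Samba verifies
# NTLM logons against when LDAP is the password store.
REQUIRED = ("uid", "uidNumber", "gidNumber", "sambaSID", "sambaNTPassword")
REQUIRED_CLASSES = ("posixAccount", "sambaSamAccount")
USER_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")  # domain SID + RID

def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Minimal LDIF reader: 'attr: value' lines, leading-space folding.
    Base64 ('::') values are not decoded; presence checks still work."""
    attrs: Dict[str, List[str]] = {}
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]               # unfold continuation line
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def check_samba_user(attrs: Dict[str, List[str]], domain_sid: str) -> List[str]:
    """Return the problems found; an empty list means the entry looks usable."""
    problems: List[str] = []
    classes = attrs.get("objectClass", [])
    problems += [f"missing objectClass {oc}" for oc in REQUIRED_CLASSES if oc not in classes]
    problems += [f"missing attribute {a}" for a in REQUIRED if a not in attrs]
    for name in ("uidNumber", "gidNumber"):
        if name in attrs and not attrs[name][0].isdigit():
            problems.append(f"{name} is not numeric")
    sid = attrs.get("sambaSID", [""])[0]
    if sid and not USER_SID_RE.match(sid):
        problems.append("sambaSID is not a well-formed user SID (domain SID plus RID)")
    elif sid and not sid.startswith(domain_sid + "-"):
        problems.append("sambaSID does not belong to this domain SID")
    return problems

# Constructed sample entry (not real data); the SID is the placeholder from the question.
SAMPLE_LDIF = """\
dn: uid=dsixpack,ou=People,dc=example,dc=edu
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: dsixpack
uidNumber: 9239
gidNumber: 100002
sambaSID: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
"""
```

Running `check_samba_user(parse_ldif(SAMPLE_LDIF), "S-1-5-21-1-2-3")` on the sample reports the missing sambaNTPassword and the malformed sambaSID; a placeholder or three-part SID will not pass even before the domain comparison.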



