[Samba] LDAP issues

Alex Moen alexm at ndtel.com
Thu Jan 26 10:59:24 MST 2012


On Jan 26, 2012, at 10:55 AM, Jürgen Echter wrote:

> Am 26.01.2012 17:51, schrieb Alex Moen:
>> Forgot to add... If I create a Unix account, and add it to the  
>> local smbpasswd subsystem, it works fine.  I can log in using the  
>> credentials that I create.  So, samba is working, and linux/ldap is  
>> working, but samba/ldap has issues...
>>
>> On Jan 26, 2012, at 9:54 AM, Alex Moen wrote:
>>
>>> Centos 6
>>> Samba 3
>>> smbldap-tools installed.
>>>
>>> LDAP directory not on local host.
>>>
>>> Example user LDIF:
>>>
>>> dn: uid=testuser at mydomain.com,ou=mydomain,o=ndtc
>>> mailHost: mailserver.mydomain.com
>>> loginShell: /bin/bash
>>> gidNumber: 500
>>> uidNumber: 53112
>>> uid: testuser at mydomain.com
>>> sn: user
>>> cn: test user
>>> mail: testuser at mydomain.com
>>> homeDirectory: /cust/mydomain/users/testuser
>>> gecos: test user,,662-6123
>>> objectClass: mirapointmailuser
>>> objectClass: inetorgperson
>>> objectClass: posixAccount
>>> objectClass: shadowAccount
>>> objectClass: sambaSAMAccount
>>> sambaLogonTime: 0
>>> sambaLogoffTime: 2147483647
>>> sambaKickoffTime: 2147483647
>>> sambaPwdCanChange: 0
>>> sambaSID: S-1-5-21-3311107553-3899660464-2674327009-107224
>>> sambaAcctFlags: [UX]
>>> sambaHomeDrive: F:
>>> sambaHomePath: \\ndtc-fs\cust\mydomain\users
>>> sambaPwdLastSet: 1327615956
>>> sambaPwdMustChange: 2147483647
>>>
>>> getent passwd shows:
>>>
>>> testuser at mydomain.com:x:53112:500:test user,,662-6123:/cust/mydomain/users/testuser:/bin/bash
>>>
>>> I can ssh to the server with this account.  So, the linux/ldap  
>>> stuff seems to work properly.
>>>
>>> However, I cannot connect with the smb proto.  Continue to get a  
>>> username/password prompt.
>>>
>>> My suspicion is the "@" in the uid, which as I understand it, in  
>>> the windoze world signifies a group... I think I am confusing  
>>> something in the process.
>>>
>>> My question is: can Samba be configured to append the  
>>> "@mydomain.com" to the username, then authenticate the user?  So  
>>> the user could use the testuser login via the windoze login and  
>>> drive mapping processes, but Samba would actually use testuser at mydomain.com to actually authenticate?
>>>
>>> All these accounts are already in use in the LDAP directory, and  
>>> so the uid cannot be changed.
>>>
>>> lmk if there's anything else needed here... I'm willing to share  
>>> configs, command outputs, etc. to get this solved.
>>>
>>> TIA!
>>>
>>
> sounds as if samba isn't using LDAP properly.
>
> would you mind showing us your config?
>
> greets
>
> juergen

Sure!  Here it is:

[global]
	
	workgroup = A36561
	server string = My File Server
	netbios name = NDTC-FS
	interfaces = lo eth1
	log file = /var/log/samba/log.%m
	max log size = 50
	ldap debug level = 1
	ldap debug threshold = 5
	log level = 3 all:5
	security = user
	passdb backend = ldapsam:ldap://66.163.128.204
	ldap suffix = ou=mydomain,o=ndtc
	ldap machine suffix = ou=People
	ldap usersuffix = ou=People
	ldap group suffix = ou=Groups
	ldap idmap suffix = ou=Idmap
	ldap admin dn = cn=admin,o=ndtc
	ldap ssl = off
	domain master = yes
	domain logons = yes
	wins support = yes
	load printers = yes
	cups options = raw
	
[homes]
	comment = Home Directories
	browseable = no
	writable = yes

[groups]
	comment = Group Directories
	path = /cust/mydomain/groups
	guest ok = no
	writable = yes

[share]
	comment = Share space
	path = /cust/mydomain/share
	public = yes
	writeable = yes
	read only = no
	printable = no
	write list = +users
	force create mode = 660
	force directory mode = 770
	force user = nobody
	force group = nobody

[printers]
	comment = All Printers
	path = /var/spool/samba
	browseable = no
	guest ok = no
	writable = no
	printable = yes
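The "append @mydomain.com before authenticating" behaviour Alex asks about is what Samba's `username map` parameter provides: a file of `unixname = windowsname` lines that, with `security = user`, is applied before the passdb lookup. The script below is an added example, not code from the thread or from the Samba project: it derives such a map from LDIF as `ldapsearch -LLL` prints it and refuses short names claimed by more than one uid, since the map is first-match and an ambiguous short name would log one tenant in as another. The sample LDIF is constructed (it mirrors the posted entry), and the `/etc/samba/smbusers` path is an assumption.

```python
"""Build a Samba 'username map' from LDIF entries whose uid is user@domain,
so a client logging in with the short name is mapped to the full uid before
the ldapsam lookup.  SAMPLE_LDIF is constructed and mirrors the posted entry."""

SAMPLE_LDIF = """\
dn: uid=testuser@mydomain.com,ou=mydomain,o=ndtc
uid: testuser@mydomain.com
objectClass: posixAccount
objectClass: sambaSAMAccount

dn: uid=otheruser@mydomain.com,ou=mydomain,o=ndtc
uid: otheruser@mydomain.com
objectClass: posixAccount
objectClass: sambaSamAccount

dn: uid=testuser@example.net,ou=example,o=ndtc
uid: testuser@example.net
objectClass: posixAccount
objectClass: sambaSamAccount
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                key, _, value = line.partition(":")
                entry.setdefault(key.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def build_username_map(entries):
    """Return (map_lines, collisions).  Only sambaSamAccount entries are mapped
    (objectClass names are case-insensitive); a short name claimed by several
    uids is reported instead of mapped, because 'username map' is first-match."""
    by_short = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", [])}
        uid = e.get("uid", [""])[0]
        if "sambasamaccount" in classes and "@" in uid:
            by_short.setdefault(uid.split("@", 1)[0], []).append(uid)
    lines, collisions = [], {}
    for short, uids in sorted(by_short.items()):
        if len(uids) == 1:
            lines.append(f"{uids[0]} = {short}")  # smbusers line: unixname = winname
        else:
            collisions[short] = uids
    return lines, collisions
```

Write the generated lines to `/etc/samba/smbusers` (assumed path), set `username map = /etc/samba/smbusers` in `[global]`, and check in the Samba log (the posted `log level = 3` is enough) that the mapped name reaches the ldapsam lookup unchanged; whether the rest of the authentication path re-splits a name on "@" is not settled in this thread.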
