[Samba] Samba file server using ldap backend without AD or PDC?

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri Nov 30 09:15:46 MST 2012

On 11/30/12 09:42, Brian Gold wrote:
> On 2012-11-30 9:22 am, Gaiseric Vandal wrote:
>> Can you clarify one thing - why are you using the sambaNTPassword in
>> openldap if openldap is not currently used for samba authentication? I
>> would have thought that you would use the standard password field.
> We are using the standard userPassword field for most things, but for 
> radius authentication via PEAP/MSCHAPv2, we needed to use 
> sambaNTPassword instead.

That makes sense
>> I use Samba 3.x DCs with an ldap back end. I also use the ldap
>> backend for unix authentication as well as authentication to various
>> other systems that support LDAP authentication. If you are using
>> one or more BDCs you really do have to use an LDAP back end. But
>> there is no reason why member servers can use an LDAP backend.
>> If the underlying unix account for each samba account is in
>> /etc/passwd and not LDAP, you should consolidate it all into LDAP.
> We currently don't want to deploy a PDC or BDC if we don't need to. 
> All we want to do is have a file server that can authenticate using 
> the username/password stored in openldap.

Should be no problem.
>> Do the sambaNTPassword (and other samba attributes)  in LDAP match
>> those in the tdb backend?    You may find you want to blast away the
>> existing sambaNTPassword entries in LDAP before  you migrate the TDB
>> data to LDAP.
> No, our current Samba file server has a totally separate set of 
> passwords. When we transition over to this new Samba file server, we 
> will be having all our users use their openldap password instead. We 
> do not want to sync their existing tdb passwords over to LDAP.

No, you wouldn't sync passwords to TDB. Does your LDAP entry for 
each user currently have a SambaSID value? Also, when you type "pdbedit 
-Lv someuser" you should see the unix account for the user. The unix 
account is either explicitly created (e.g. in /etc/passwd or ldap or 
nis) or dynamically created by winbind.

# pdbedit -Lv someuser

Unix username:        someuser
NT username:          someuser
Account Flags:        [U          ]
User SID:             S-1-5-21-xxxxx
Primary Group SID:    S-1-5-21-xxx
Full Name:            Some User
Home Directory:       \\someserver\users\someuser
HomeDir Drive:        X:
Logon Script:         logon.bat
Profile Path:
Domain:               SOMEDOMAIN
Account desc:
Munged dial:
Logon time:           0
Logoff time:          0
Kickoff time:         0
Password last set:    Fri, 30 Sep 2011 09:40:43 EDT
Password can change:  Fri, 30 Sep 2011 09:40:43 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0

Assuming you are not using winbind to allocate uid's and gid's for samba 
users, your LDAP  user entry will eventually look something like

dn: uid=someuser,ou=someou,ou=people,o=yourdomain.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: Some User
gidNumber: xx
homeDirectory: /home/someuser
sambaSID: S-1-5-21-xxxx
sn: UserLastName
uid: someuser
uidNumber: 123
displayName: Some User
gecos: Some User
givenName: Some User
loginShell: /bin/tcsh
sambaAcctFlags: [UX         ]
sambaHomeDrive: X:
sambaHomePath: \\someserver\users\someuser
sambaLogonScript: logon.bat
sambaNTPassword: xxxxxxxxxxxxxxxxxxxx
sambaPasswordHistory: 000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1291843237
st: xxxxxx
street: xxxxxxxxx
telephoneNumber: xxxxxxxxx
userPassword:: xxxxxxxxxxxx

Although the login script and network home directory are probably not 
relevant in a non-DC setup.


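An added example, not from this thread and not Samba's own code: a small POSIX shell check that takes a user entry exported as LDIF and reports whether it carries what the ldapsam passdb backend needs on a standalone or member file server, i.e. the posixAccount and sambaSamAccount classes, the unix identity attributes, a sambaSID under this server's own SID (what `net getlocalsid` prints on the file server), a sambaNTPassword that is a 32-hex-digit NT hash, and account flags that are not disabled. The file names, the local SID and both sample entries are constructed for the example; the NT hash in the good entry is a placeholder, not a real hash.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: check that an LDAP user
# entry (exported as LDIF) carries what Samba's ldapsam passdb backend needs on
# a standalone or member file server. The file names, the local SID and both
# sample entries below are constructed for this example.

# objectClasses and attributes ldapsam needs to find the account and map it
# to a unix identity.
REQUIRED_CLASSES="posixAccount sambaSamAccount"
REQUIRED_ATTRS="uid uidNumber gidNumber homeDirectory sambaSID sambaAcctFlags"

# check_samba_entry FILE LOCALSID
# Prints one line per problem found; returns 0 if the entry is usable, 1 if not.
check_samba_entry() {
    ldif=$1
    localsid=$2
    rc=0

    for cls in $REQUIRED_CLASSES; do
        grep -qi "^objectClass: $cls\$" "$ldif" ||
            { echo "missing objectClass $cls"; rc=1; }
    done
    for attr in $REQUIRED_ATTRS; do
        grep -qi "^$attr:" "$ldif" ||
            { echo "missing attribute $attr"; rc=1; }
    done

    # The user SID must be LOCALSID-RID: ldapsam only serves accounts whose
    # SID lies in this server's own SID domain (`net getlocalsid`).
    sid=$(sed -n 's/^sambaSID: //p' "$ldif")
    case $sid in
        "$localsid"-[0-9]*) ;;
        *) echo "sambaSID '$sid' is not under local SID $localsid"; rc=1 ;;
    esac

    # sambaNTPassword is the 32-hex-digit NT hash used for NTLM. Without it
    # the user has no Samba password yet; userPassword cannot stand in for it.
    grep -qiE '^sambaNTPassword: [0-9a-f]{32}$' "$ldif" ||
        { echo "sambaNTPassword missing or not a 32-hex-digit NT hash"; rc=1; }

    # A 'D' in sambaAcctFlags marks the account disabled.
    flags=$(sed -n 's/^sambaAcctFlags: //p' "$ldif")
    case $flags in
        *D*) echo "account is disabled (sambaAcctFlags $flags)"; rc=1 ;;
    esac
    return $rc
}

LOCAL_SID=S-1-5-21-1111111111-2222222222-3333333333   # constructed local SID
WORKDIR=$(mktemp -d)
GOOD_LDIF=$WORKDIR/someuser.ldif
BAD_LDIF=$WORKDIR/otheruser.ldif

# Constructed entry that is ready for ldapsam (the NT hash is a placeholder).
cat > "$GOOD_LDIF" <<EOF
dn: uid=someuser,ou=people,o=example.com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: someuser
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/someuser
sambaSID: $LOCAL_SID-3002
sambaAcctFlags: [U          ]
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaPwdLastSet: 1291843237
EOF

# Constructed entry copied from the old tdb-backed server: its SID still
# belongs to that server's SID domain, and no NT hash has been set in LDAP.
cat > "$BAD_LDIF" <<EOF
dn: uid=otheruser,ou=people,o=example.com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: otheruser
uidNumber: 1002
gidNumber: 100
homeDirectory: /home/otheruser
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-1004
sambaAcctFlags: [U          ]
EOF

for f in "$GOOD_LDIF" "$BAD_LDIF"; do
    if check_samba_entry "$f" "$LOCAL_SID"; then
        echo "$f: ok"
    else
        echo "$f: not usable by ldapsam"
    fi
done
```

Two practitioner caveats the check encodes: an entry with a userPassword but no sambaNTPassword will not authenticate over SMB, because Samba does NTLM against the NT hash and cannot derive it from a crypt or SSHA userPassword, so when the tdb hashes are deliberately not carried over, each user has to set a Samba password (smbpasswd, or a password change with "ldap passwd sync" set) before the entry becomes usable; and sambaNTPassword is an unsalted hash that is equivalent to the password for NTLM, so the directory ACL should let only the Samba admin DN (and, if wanted, the user) read or write it, never anonymous or ordinary binds.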