[Samba] Samba file server using ldap backend without AD or PDC?

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri Nov 30 14:01:33 MST 2012


So when you run pdbedit -Lv for a user, is the "Unix user" name an 
account in LDAP?   If that is the case, then you probably just want to 
have a script that runs through a list of user names and then runs 
ldapmodify to add the appropriate Samba attributes.    In theory 
you can use pdbedit to export the data, then change the backend, then 
import it back. I found that didn't quite work.


I had originally used the NIS backend for Unix accounts and the TDB backend for 
Samba.   I moved from NIS to LDAP for Unix accounts. Then when I added a 
BDC I moved the Samba data into LDAP.    I had used smbpasswd to dump 
the data to a text file, then wrote a Perl script to parse the file into 
user name,  Samba SID, and Samba password, and then rewrite it into an 
ldapmodify LDIF file.  I used this file to update the existing LDAP 
accounts.

You may be able to use smbpasswd or pdbedit to create the Samba accounts in 
LDAP, but I suspect that either it won't preserve the existing password 
or it may refuse to create the account.

On 11/30/12 12:38, Brian Gold wrote:
>
>
> On 2012-11-30 11:15 am, Gaiseric Vandal wrote:
>> No, you wouldn't sync passwords to TDB.      Does your LDAP entry for
>> each user currently have a SambaSID value?  Also, when you type
>> "pdbedit -Lv someuser" you should see the unix account for the user.
>> The unix account is either explicitly created (e.g. in /etc/passwd or
>> ldap or nis) or dynamically created by winbind.
>>
>
> No, currently our users do not have SambaSID values in ldap.
>
>>
>> # pdbedit -Lv someuser
>>
>> Unix username:        someuser
>> NT username:          someuser
>> Account Flags:        [U          ]
>> User SID:             S-1-5-21-xxxxx
>> Primary Group SID:    S-1-5-21-xxx
>> Full Name:            Some User
>> Home Directory:       \\someserver\users\someuser
>> HomeDir Drive:        X:
>> Logon Script:         logon.bat
>> Profile Path:
>> Domain:               SOMEDOMAIN
>> Account desc:
>> Workstations:
>> Munged dial:
>> Logon time:           0
>> Logoff time:          0
>> Kickoff time:         0
>> Password last set:    Fri, 30 Sep 2011 09:40:43 EDT
>> Password can change:  Fri, 30 Sep 2011 09:40:43 EDT
>> Password must change: never
>> Last bad password   : 0
>> Bad password count  : 0
>> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>> #
>>
>> Assuming you are not using winbind to allocate uids and gids for
>> Samba users, your LDAP user entry will eventually look something like
>>
>> dn: uid=someuser,ou=someou,ou=people,o=yourdomain.com
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: inetorgperson
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> objectClass: sambaSamAccount
>> cn: Some User
>> gidNumber: xx
>> homeDirectory: /home/someuser
>> sambaSID: S-1-5-21-xxxx
>> sn: UserLastName
>> uid: someuser
>> uidNumber: 123
>> displayName: Some User
>> gecos: Some User
>> givenName: Some User
>> loginShell: /bin/tcsh
>> sambaAcctFlags: [UX         ]
>> sambaHomeDrive: X:
>> sambaHomePath: \\someserver\users\someuser
>> sambaLogonScript: logon.bat
>> sambaNTPassword: xxxxxxxxxxxxxxxxxxxx
>> sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
>> sambaPwdLastSet: 1291843237
>> st: xxxxxx
>> street: xxxxxxxxx
>> telephoneNumber: xxxxxxxxx
>> userPassword:: xxxxxxxxxxxx
>>
>>
>> Although the login script and network home directory are probably not
>> relevant in a non-DC setup.
>
> We are not using winbind at all currently.
>
> Here is a sample user's ldap data:
>
> dn: uid=tstaff,ou=people,dc=simons-rock,dc=edu
> uid: tstaff
> sn: Staff
> uinSR: tstaff-false
> givenName: Test
> genderSR: m
> loginShell: /bin/false
> cn: Test Staff
> gecos: Test Staff
> mailSR: testaff@simons-rock.edu
> homeDirectory: /home/testaff
> objectClass: person
> objectClass: top
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: personSR
> objectClass: extensibleObject
> objectClass: posixAccount
> objectClass: shadowAccount
> shadowLastChange: 11551
> shadowWarning: 7
> gidNumber: 100
> shadowMax: 99999
> uidNumber: 7391
> mail: testaff@simons-rock.edu
> groupSR: staff
> groupSR: hidden
> employeeNumber: 991991991
> sambaNTPassword: REDACTED
> sambaPwdLastSet: 1354296936
> userPassword:: REDACTED
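The migration Gaiseric describes above (dump the TDB/smbpasswd data, pull out user name, SID and NT hash, and write an ldapmodify LDIF that adds the sambaSamAccount attributes to the existing posixAccount entries) in script form. This is an added example, not the Perl script from the thread and not Samba project code. The domain SID, the DN pattern and the algorithmic RID mapping (user RID = 2*uid + 1000, Samba 3's default when winbind/idmap does not allocate SIDs) are constructed placeholders marked as such in the code, and the sample dump is made up. The input is the smbpasswd-file format that `pdbedit -Lw` prints.

```python
"""smbpasswd dump -> ldapmodify LDIF adding sambaSamAccount attributes.
Added example, not the thread's Perl script. Values under CONSTRUCTED are
placeholders to be replaced with your own site's values."""
import re
import sys

# --- CONSTRUCTED placeholders ------------------------------------------
DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"  # from `net getlocalsid`
USER_BASE_DN = "ou=people,dc=example,dc=com"            # where posixAccounts live
ALGORITHMIC_RID_BASE = 1000  # smb.conf 'algorithmic rid base' default

# One record of `pdbedit -Lw` / smbpasswd output:
#   name:uid:LMHASH:NTHASH:[flags]:LCT-<hex epoch>:
SMBPASSWD_RE = re.compile(
    r"^(?P<name>[^:]+):(?P<uid>\d+):(?P<lm>[^:]{32}):(?P<nt>[^:]{32}):"
    r"\[(?P<flags>[^\]]*)\]:LCT-(?P<lct>[0-9A-Fa-f]{8}):"
)

def user_sid(uid, domain_sid=DOMAIN_SID, rid_base=ALGORITHMIC_RID_BASE):
    """Samba 3 algorithmic mapping, used when no idmap backend hands out
    SIDs: user RID = 2*uid + rid base (groups get 2*gid + rid base + 1)."""
    return f"{domain_sid}-{2 * uid + rid_base}"

def rdn_escape(value):
    """Escape an attribute value for use in a DN (RFC 4514)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def parse_smbpasswd_line(line):
    """Return a record dict, or None for blank and comment lines.
    rec['nt'] is None when the account has no usable NT hash (the all-X
    'no hash' marker or the NO PASSWORD marker)."""
    line = line.rstrip("\n")
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    m = SMBPASSWD_RE.match(line)
    if not m:
        raise ValueError(f"unparseable smbpasswd record: {line!r}")
    nt = m.group("nt").upper()
    usable = not (nt.startswith("NO PASSWORD") or set(nt) == {"X"})
    if usable and not re.fullmatch(r"[0-9A-F]{32}", nt):
        raise ValueError(f"malformed NT hash for {m.group('name')}")
    return {
        "name": m.group("name"),
        "uid": int(m.group("uid")),
        "nt": nt if usable else None,
        "flags": m.group("flags"),                # keep padding as-is
        "pwd_last_set": int(m.group("lct"), 16),  # LCT is hex epoch seconds
    }

def to_ldif(rec, base_dn=USER_BASE_DN):
    """changetype: modify block that turns an existing posixAccount entry
    into a sambaSamAccount. The LM hash is deliberately not carried over:
    it is weak and NTLM-capable clients do not need it."""
    attrs = [
        ("objectClass", "sambaSamAccount"),
        ("sambaSID", user_sid(rec["uid"])),
        ("sambaNTPassword", rec["nt"]),
        ("sambaAcctFlags", f"[{rec['flags']}]"),
        ("sambaPwdLastSet", str(rec["pwd_last_set"])),
    ]
    lines = [f"dn: uid={rdn_escape(rec['name'])},{base_dn}", "changetype: modify"]
    for attr, value in attrs:
        lines += [f"add: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"

def convert(dump_text):
    """Return (ldif_text, skipped_names) for a whole dump; accounts without
    a usable NT hash are skipped rather than given an empty one."""
    blocks, skipped = [], []
    for raw in dump_text.splitlines():
        rec = parse_smbpasswd_line(raw)
        if rec is None:
            continue
        if rec["nt"] is None:
            skipped.append(rec["name"])
            continue
        blocks.append(to_ldif(rec))
    return "\n".join(blocks), skipped

# CONSTRUCTED sample dump (not real accounts); alice's hash is the
# well-known NT hash of the string "password".
NO_LM = "X" * 32
NO_PW = "NO PASSWORD" + "X" * 21
SAMPLE_DUMP = "\n".join([
    "# constructed `pdbedit -Lw` output",
    f"alice:1001:{NO_LM}:8846F7EAEE8FB117AD06BDD830B7586C:[U          ]:LCT-4E85C6DB:",
    f"bob:1002:{NO_LM}:{NO_LM}:[DU         ]:LCT-4E85C6DB:",
    f"guest:1003:{NO_PW}:{NO_PW}:[NU         ]:LCT-00000000:",
]) + "\n"

if __name__ == "__main__":
    text = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    ldif, skipped = convert(text)
    sys.stdout.write(ldif)
    for name in skipped:
        print(f"# skipped {name}: no usable NT hash", file=sys.stderr)
```

Typical use is `pdbedit -Lw | umask 077 python3 smbpasswd2ldif.py > samba.ldif` followed by `ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -f samba.ldif` (the DN is a placeholder). The LDIF holds NT hashes, which are password-equivalent for NTLM authentication, so create it with a restrictive umask, send it over ldapi or TLS only, and delete it once applied; the directory ACLs should also deny read of sambaNTPassword (and sambaLMPassword) to everyone except the DN Samba binds with. Accounts skipped for lack of a usable hash are reported on stderr so those users can be given a Samba password with smbpasswd after the move.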


