[Samba] Samba file server using ldap backend without AD or PDC?

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri Nov 30 16:09:53 MST 2012

On 11/30/12 16:11, Brian Gold wrote:
> On 2012-11-30 4:01 pm, Gaiseric Vandal wrote:
>> So when you run pdbedit -Lv for a user, is the "Unix user" name an
>> account in ldap? If that is the case, then you probably just want to
>> have a script that runs through a list of user names and then
>> runs ldapmodify to add the appropriate samba attributes. In theory
>> you can use pdbedit to export the data, then change the backend, then
>> import it back. I found that didn't quite work.
>> I had originally used nis backend for unix accounts and TDB backend
>> for samba. I moved from NIS to LDAP for unix accounts. Then when I
>> added a BDC I moved the samba data into ldap. I had used smbpasswd
>> to dump the data to a text file, then wrote a perl script to parse the
>> file into user name, samba SID, and samba password and then rewrite
>> it into an ldapmodify ldif file.  I used this file to update the
>> existing LDAP accounts.
>> You MAYBE can use smbpasswd or pdbedit to create the samba accounts
>> in LDAP but I suspect that either it won't preserve the existing
>> password OR it may refuse to create the account.
> Here is the output for that same user when I do a pdbedit. The "unix 
> username" is being pulled from ldap.
> pdbedit -Lv testaff
> Unix username:        testaff
> NT username:
> Account Flags:        [U          ]
> User SID: S-1-5-21-2531268310-2106678637-3833209162-15782
> Primary Group SID: S-1-5-21-2531268310-2106678637-3833209162-513
> Full Name:            Test Staff
> Home Directory:       \\elephant\testaff
> HomeDir Drive:
> Logon Script:
> Profile Path:         \\elephant\testaff\profile
> Domain:               ELEPHANT
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          never
> Kickoff time:         never
> Password last set:    Fri, 27 Jun 2008 16:50:45 EDT
> Password can change:  Fri, 27 Jun 2008 16:50:45 EDT
> Password must change: never
> Last bad password   : 0
> Bad password count  : 0
> Worth a try I guess.
> As it is, I'm planning on totally scrapping this existing samba file 
> server when we move to using ldap passwords. The only things that need 
> to carry over are the files on the file server itself. I'm totally 
> fine with not using any of the data that is in tdb currently.
> Is there a way to autogenerate the samba SID (since I don't 
> necessarily need the one that is being used in my current samba file 
> server) and whatever other samba fields might be needed for all of my 
> existing ldap accounts?

If you write a script you could probably increment the SID for each
entry. The pdbedit and smbpasswd commands will create all the
necessary fields, including automatically creating a unique SID. But I
just don't know if it will complain the account already exists. I think it
won't complain the account exists (since not all the necessary fields
are there) BUT it will probably complain that the account could not be
created. I don't think you will know til you test it.
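
The script approach discussed in this thread (walk a list of user names, hand out an incrementing SID, write an ldapmodify LDIF), sketched as an added example that is not part of the original post. The domain SID, base DN and starting RID are constructed placeholders, and creating the accounts disabled with no password hash is this example's own choice.

```python
import re

# Assumptions for this example (none of these values come from the thread):
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # placeholder; see `net getlocalsid`
PEOPLE_BASE = "ou=People,dc=example,dc=com"               # hypothetical base DN
FIRST_RID = 3000                                          # hypothetical starting RID
ACCT_FLAGS = "[DU         ]"  # normal user, disabled until a password is set

SAFE_UID = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")


def samba_ldif(usernames, domain_sid=DOMAIN_SID, first_rid=FIRST_RID):
    """Return (ldif_text, {uid: sid}) adding Samba attributes to existing entries."""
    if not re.fullmatch(r"S-1-5-21(-\d+){3}", domain_sid):
        raise ValueError("not a domain SID: %r" % domain_sid)
    assigned, records = {}, []
    rid = first_rid
    for uid in usernames:
        uid = uid.strip()
        if not uid or uid in assigned:
            continue  # skip blanks and duplicates so no RID is wasted or reused
        if not SAFE_UID.fullmatch(uid):
            # Refuse names that could break the DN or inject extra LDIF lines.
            raise ValueError("unsafe username: %r" % uid)
        sid = "%s-%d" % (domain_sid, rid)
        assigned[uid] = sid
        records.append("\n".join([
            "dn: uid=%s,%s" % (uid, PEOPLE_BASE),
            "changetype: modify",
            "add: objectClass",
            "objectClass: sambaSamAccount",
            "-",
            "add: sambaSID",
            "sambaSID: " + sid,
            "-",
            "add: sambaAcctFlags",
            "sambaAcctFlags: " + ACCT_FLAGS,
            "-",
            "",
        ]))
        rid += 1
    return "\n".join(records), assigned


if __name__ == "__main__":
    # Constructed sample list; in practice read the uids from the LDAP directory.
    ldif, _ = samba_ldif(["testaff", "jdoe", "testaff"])
    print(ldif)
```

Review the generated LDIF before passing it to ldapmodify. Because no password hashes are written, each account still needs a password set and the account enabled (for example with smbpasswd) before it can be used.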
