[Samba] Samba standalone + openldap

Rowland Penny rpenny at samba.org
Fri Feb 3 15:27:45 UTC 2017


On Fri, 3 Feb 2017 15:15:43 +0100
Michael JOIGNY via samba <samba at lists.samba.org> wrote:

> Hi everybody,
> 
> I'm new to this mailing list, I need help with a Samba / OpenLDAP
> configuration.
> 
> I have a samba server with shared folders, where users authenticate
> with a determined login/password.
> 
> I would like to use my directory (openldap) to authenticate my users
> to access the shared folders.
> 
> I do not want to use samba as a domain controller, just to
> authenticate the users with their login/password stored in my
> directory.
> 
> I cannot find the right configuration, here is my configuration:
> 
> I integrated the Samba schema into the directory via this .ldif
> file: /usr/share/doc/samba/examples/LDAP/samba.ldif.gz
> 
> I can see the following attributes via slapcat:
> 
> # samba_server_name, my_domain.com
>     dn: sambaDomainName=samba_server_name,dc=my_domain,dc=com
>     sambaDomainName: samba_server_name
>     sambaSID: S-1-5-21-1471793353-708426617-xxxxxyyyyzzzz
>     sambaAlgorithmicRidBase: 1000
>     objectClass: sambaDomain
>     sambaNextUserRid: 1000
>     sambaMinPwdLength: 5
>     sambaPwdHistoryLength: 0
>     sambaLogonToChgPwd: 0
>     sambaMaxPwdAge: -1
>     sambaMinPwdAge: 0
>     sambaLockoutDuration: 30
>     sambaLockoutObservationWindow: 30
>     sambaLockoutThreshold: 0
>     sambaForceLogoff: -1
>     sambaRefuseMachinePwdChange: 0
> 
> # Samba's attributes (objectClasses)
> 
>     sambaSamAccount, sambaConfig, sambaGroupMapping, sambaIdmapEntry,
>     etc.
> 
> 
> # openldap directory tree
> 
>   * dc=my_domain, dc=com
> 
>       o ou=Groups
> 
>           + groupe a (user1, user2, etc ..)
>           + groupe b (user3, user4, etc ..)
>           + groupe c (user5, user6, etc ..)
>           + etc ...
> 
>       o ou=Users
>           + user1
>           + user2
>           + etc ..
> 
>       o ou=other_branch
>           + user4
>           + user5
>           + etc ...
> 
> # smb.conf
> 
>          passdb backend = ldapsam:ldap://my_url:port
>          ldap suffix = dc=my_domain,dc=com
>          ldap user suffix = ou=Users
>          ldap group suffix = ou=Groups
>          #ldap machine suffix = ou=Computers
>          #ldap idmap suffix = ou=Idmap
>          ldap admin dn = cn=superuser,dc=my_domain,dc=com
>          ldap ssl = off
> 
> 
> # /etc/nsswitch.conf
> 
>   * passwd:         compat ldap
>     group:            compat ldap
>     shadow:         compat ldap
> 
> # /etc/libnss-ldap.conf and /etc/pam_ldap.conf
> 
>      base dc=mon_domaine,dc=com
>      uri ldap://mon_url
>      ldap_version 3
>      binddn cn=reader,dc=mon_domaine,dc=com
>      bindpw xxxyyyzzz
>      rootbinddn cn=superuser,dc=mon_domaine,dc=com
>      port xxx
> 
> "getent passwd" gives me information, but only from the
> "other_branch" (don't know why), while I would like to get
> information only from the "Users" branch.
> 
> So, I need help on:
> 
>   * getting information (login/password) from the Users branch (ou)
> 
>   * knowing the minimum attributes from the Samba schema for a user
>     (sambaSamAccount, gidNumber, sambaGroupType, etc.) and the
>     associated values that I need for my configuration (Samba
>     standalone + OpenLDAP)
> 
>   * managing users' access to the shared folders
> 
> Kind regards,
> 
> Michael
> 

No, sorry I cannot agree with you, you will probably be better off
setting up a Samba AD DC.

Rowland
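The question above asks which attributes a directory user needs before a standalone Samba with `passdb backend = ldapsam` will see it. As an added example (not code from this thread or from the Samba project), the script below audits a slapcat-style LDIF dump for the attribute set the sambaSamAccount/posixAccount schema requires and for SIDs outside the server's own sambaDomain SID. The LDIF, SIDs and hashes are constructed; the attribute names are the real schema names.

```python
# Audit a slapcat-style LDIF dump for what Samba's ldapsam backend needs on
# each user. Added example; the LDIF, SIDs and hashes below are constructed.

# ldapsam needs these to find, map (NSS uid/gid) and authenticate a user.
REQUIRED = ("uid", "uidNumber", "gidNumber", "sambaSID",
            "sambaNTPassword", "sambaAcctFlags")
SAMPLE_LDIF = """\
dn: sambaDomainName=SAMBASRV,dc=example,dc=com
objectClass: sambaDomain
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: uid=user1,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: user1
uidNumber: 10001
gidNumber: 10000
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-21002
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaAcctFlags: [U          ]

dn: uid=user2,ou=Users,dc=example,dc=com
uid: user2
uidNumber: 10002
gidNumber: 10000
sambaSID: S-1-5-21-9999999999-8888888888-7777777777-21004
"""

def parse_ldif(text):
    """Return entries as {attr: [values]}; unfolds LDIF continuation lines."""
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            entry.setdefault(key, []).append(val.lstrip(": "))
        entries.append(entry)
    return entries

def check_user(entry, dom_sid):
    """List what would stop ldapsam from using this entry as a Samba user."""
    problems = [f"missing {a}" for a in REQUIRED if a not in entry]
    if "sambaSamAccount" not in entry.get("objectClass", []):
        problems.append("missing objectClass sambaSamAccount")
    # A user SID must sit under the sambaDomain entry's SID to be local.
    if "sambaSID" in entry and not entry["sambaSID"][0].startswith(dom_sid + "-"):
        problems.append("sambaSID is not in this server's domain")
    return problems

def audit(text):
    """Map uid -> problems for every user entry in the dump."""
    entries = parse_ldif(text)
    dom_sid = next(e["sambaSID"][0] for e in entries
                   if "sambaDomain" in e.get("objectClass", []))
    return {e["uid"][0]: check_user(e, dom_sid) for e in entries if "uid" in e}
```

Running `audit` over a real `slapcat` dump lists, per uid, what is missing for ldapsam; an empty list means the entry carries everything the backend looks for.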


