[Samba] Samba with OpenLDAP (not a DC)

Rowland Penny rpenny at samba.org
Fri Nov 9 17:31:01 UTC 2018


On Fri, 9 Nov 2018 11:04:49 -0600
dee heffem via samba <samba at lists.samba.org> wrote:

> Hi,
> I'm trying to setup a samba server on Ubuntu 16.04 following the
> docs[1] on the samba wiki.
> 
> I have my users in OpenLDAP, along with their Posix attributes.
> They can ssh/sftp to the Linux server and have valid *nix GIDs/UIDs.
> 
> I've added the 'passdb backend' and 'ldap suffix' lines into my
> smb.conf[2] however I'm getting errors[3] in smb.log that the ldap
> server "did not correctly init"
> 
> Googling that error message has not turned up anything helpful yet.
> I do not need the samba server to be a domain controller, nor do
> I wish to join my samba server to an AD domain. I just want to
> authenticate users from OpenLDAP as if they were local users so
> they can mount a file share. Is this possible to do?
> 
> Thanks
> 
> 
> [1] docs I'm using
> https://wiki.samba.org/index.php/Samba_%26_LDAP#Setting_up_PAM_and_NSS_to_use_LDAP
> 
> 
> 
> [2]
> [global]
>    workgroup = WORKGROUP
>    server string = %h server (Samba, Ubuntu)
>    dns proxy = no
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
>    server role = standalone server
>    passdb backend = tdbsam
>    obey pam restrictions = yes
>    unix password sync = yes
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>    pam password change = yes
>    map to guest = bad user
>    usershare allow guests = yes
> 
>    passdb backend = ldapsam:ldap://ldap1.my.org
>    ldap suffix = dc=my,dc=org
> 
> [printers]
>    comment = All Printers
>    browseable = no
>    path = /var/spool/samba
>    printable = yes
>    guest ok = no
>    read only = yes
>    create mask = 0700
> [print$]
>    comment = Printer Drivers
>    path = /var/lib/samba/printers
>    browseable = yes
>    read only = yes
>    guest ok = no
> 
> [Finance]
>    comment     = Files for Finance
>    path        = /mnt/finance/files
>    browseable  = yes
>    read only   = yes
>    guest ok    = no
> 
> 
> 
> [3]
>   pdb backend ldapsam:ldap://ldap1.my.org did not correctly init (error was NT_STATUS_NO_MEMORY)
> [2018/11/09 10:49:31.794461,  0] ../source3/passdb/secrets.c:365(fetch_ldap_pw)
>   fetch_ldap_pw: neither ldap secret retrieved!
> [2018/11/09 10:49:31.794526,  0] ../source3/passdb/pdb_ldap.c:6433(pdb_init_ldapsam_common)
>   pdb_init_ldapsam_common: Failed to retrieve LDAP password from secrets.tdb
> [2018/11/09 10:49:31.794546,  0] ../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
>   pdb backend ldapsam:ldap://ldap1.my.org did not correctly init (error was NT_STATUS_NO_MEMORY)

Did you run smbpasswd -w <ldap-password> ?

You also need more ldap lines in smb.conf and have you added the
samba.schema to ldap ?

You could try reading this:

https://wiki.samba.org/index.php/Ldapsam_Editposix

Having said that, there isn't that much difference between
your standalone server with ldap and an NT4-style PDC and I wouldn't
set up a new one of either. There are numerous problems against the use
of either, coupled with the fact that it is just easier to set up a new
Samba AD DC.

Rowland
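
An added example, not from either poster, to make the reply concrete. The log above comes from fetch_ldap_pw(): smbd looks up the bind password in secrets.tdb under a key derived from the value of "ldap admin dn", so with no "ldap admin dn" in smb.conf (and no "smbpasswd -w" run after setting it) the lookup finds nothing and ldapsam refuses to init. The config posted above also sets "passdb backend" twice; Samba takes the last value, so the tdbsam line is dead and should go. The script below audits an smb.conf for those points using only sh and awk, so it runs offline. The two smb.conf files it writes are constructed for the example (modelled on the posted one, trimmed to the [global] lines that matter); the admin DN cn=admin,dc=my,dc=org and the ou=People/ou=Groups suffixes are assumptions, not values from the thread. It cannot check that samba.schema is loaded in slapd or that secrets.tdb holds the password; it prints the command for the latter.

```shell
#!/bin/sh
# Added example (not part of the original thread): audit an smb.conf for the
# settings a standalone-server ldapsam backend needs before smbd will init it.
# All parameter names are real smb.conf parameters; the file contents and the
# DN/OU values below are constructed for this example.

# smb_param FILE 'parameter name' -> prints every [global] value set for it,
# one per line (empty output if unset). Case- and whitespace-tolerant.
smb_param() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); sect = "" }
        /^[ \t]*[;#]/ { next }                                  # comment line
        /^[ \t]*\[/  { sect = tolower($0); sub(/^[ \t]*\[/, "", sect)
                       sub(/\].*$/, "", sect); next }           # section header
        sect == "global" && index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (tolower(key) == want) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                print val
            }
        }' "$1"
}

# ldapsam_audit FILE -> prints one problem per line, returns 0 if clean, 1 if not.
ldapsam_audit() {
    conf=$1; rc=0
    backends=$(smb_param "$conf" 'passdb backend')
    count=$(printf '%s\n' "$backends" | grep -c .)
    if [ "$count" -gt 1 ]; then
        echo "passdb backend is set $count times; only the last one counts, delete the others"
        rc=1
    fi
    last=$(printf '%s\n' "$backends" | tail -n 1)
    case $last in
        ldapsam:*) ;;
        *) echo "passdb backend is '$last', not ldapsam: nothing else to check"; return 1 ;;
    esac
    # Without 'ldap admin dn' fetch_ldap_pw() has no key to look up in secrets.tdb,
    # which is exactly the "neither ldap secret retrieved!" failure.
    for p in 'ldap admin dn' 'ldap suffix'; do
        [ -n "$(smb_param "$conf" "$p")" ] || { echo "missing: $p"; rc=1; }
    done
    for p in 'ldap user suffix' 'ldap group suffix'; do
        [ -n "$(smb_param "$conf" "$p")" ] || echo "note: $p unset, searches start at ldap suffix"
    done
    # Plain ldap:// with TLS switched off sends the admin bind password in clear.
    ssl=$(smb_param "$conf" 'ldap ssl' | tr 'A-Z' 'a-z')
    case "$last/$ssl" in
        ldapsam:ldap://*/off|ldapsam:ldap://*/no)
            echo "ldap ssl is off over plain ldap://: admin bind password crosses the wire in clear"; rc=1 ;;
    esac
    return $rc
}

write_broken_conf() {   # constructed: the shape of the config as posted
    cat >"$1" <<'EOF'
[global]
   workgroup = WORKGROUP
   server role = standalone server
   passdb backend = tdbsam
   passdb backend = ldapsam:ldap://ldap1.my.org
   ldap suffix = dc=my,dc=org
[Finance]
   path = /mnt/finance/files
EOF
}

write_fixed_conf() {    # constructed: same config with the ldap lines the reply asks for
    cat >"$1" <<'EOF'
[global]
   workgroup = WORKGROUP
   server role = standalone server
   passdb backend = ldapsam:ldap://ldap1.my.org
   ldap suffix = dc=my,dc=org
   ldap admin dn = cn=admin,dc=my,dc=org
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap ssl = start tls
   ldapsam:trusted = yes
EOF
}

tmpdir=$(mktemp -d); trap 'rm -rf "$tmpdir"' EXIT
BROKEN_CONF=$tmpdir/smb.conf.broken; FIXED_CONF=$tmpdir/smb.conf.fixed
write_broken_conf "$BROKEN_CONF"; write_fixed_conf "$FIXED_CONF"

echo "== as posted =="
ldapsam_audit "$BROKEN_CONF" || echo "(smbd will not init ldapsam)"
echo "== corrected =="
ldapsam_audit "$FIXED_CONF" && echo "config OK; now store the bind password: smbpasswd -w '<ldap admin password>'"
```

Run "smbpasswd -w" only after "ldap admin dn" is in smb.conf, because the secret is stored under that DN; change the DN later and you have to store it again. Then "testparm -s" to confirm smbd reads the file you think it does, and "pdbedit -L" to confirm the bind works and the sambaSamAccount objects are visible (which also fails if samba.schema is not loaded in slapd).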