HELP Ubuntu 12.04 LTS server, SAMBA and ldap

Charles Sampson csampson at hisolutions.net
Thu Jul 18 08:25:23 MDT 2013


I apologize profusely for this, but I am in dire need of help. I'm not a 
Linux/LDAP/Samba guru by any stretch of the imagination and have to get 
a server back going ASAP. I had a SUSE 9.2 server crash over the weekend 
(5 days ago) which was serving the company's files and authenticating 
the XP machines. I only had two pieces of information with which to 
rebuild the server. I have the original USER FILES (not system files, 
still on a RAID array in the machine and on an rsync'd backup drive) and 
I have a backup of the LDAP DATABASE from the old machine. I installed 
Ubuntu 12.04 LTS server (using the same name and the same IP address), I 
installed LDAP and Samba back to back. I found two LDAP configuration 
web pages that allowed me to get LDAP up, authenticate to itself, 
create the structure necessary to support the Samba elements in the 
backup file and then import/load the backup LDAP file (yes, I stripped 
out the elements that could not be imported). I still have no clue what 
it all means, but if I issue ldapsearch -x -LLL -b 
dc=hisolutions,dc=net 'uid=csampson' cn gid the result is dn: 
uid=csampson,ou=People,dc=hisolutions,dc=net cn: csampson. I then 
started with the configuration of Samba. I found a tutorial that told me 
how to edit the smb.conf to authenticate with LDAP and how to share 
the files on my hard drive. At one point I could actually mount the 
shares samba and public, but I couldn't access any folders below them 
because I set them to public. But I've been trying other setups, so now 
I can't even do that. Currently, if I issue the command "smbclient -L 
//bert" on my server, it asks for my root password and then prints 
"Connection to bert failed (Error NT_STATUS_CONNECTION_REFUSED)".

This is what I did and my configuration files.

sudo apt-get install slapd ldap-utils
sudo apt-get install samba

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

I created a file named backend.mycompany.net.ldif that is very similar to 
this:

********************************************************************
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb.la

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=comtech,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=comtech,dc=com
olcRootPW: secret
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=comtech,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=comtech,dc=com" write by * read

******************************************************************************************************
Then I issued the command sudo ldapadd -Y EXTERNAL -H ldapi:/// -f 
backend.mycompany.net.ldif

Then I followed the instructions on the web page 
https://help.ubuntu.com/lts/serverguide/samba-ldap.html. But I skipped 
the "Adding Samba LDAP objects" because the smbldap-tools folder didn't 
have the configure.pl.gz file (maybe this is a problem?). And I didn't 
set the password or add users because I thought this was taken care of 
in the old ldap database import.

Then I stripped out the entries of the old ldap database that would not 
import into the new database with:
egrep -v "^(structuralObjectClass|entryUUID|creatorsName|modifiersName|createTimestamp|modifyTimestamp|entryCSN):" ldap.ldif > ldap-stripped.ldif

If you really want to see that file I can email it to you but it's way 
too long to post here.

I imported the old LDAP database with the command:

sudo ldapadd -x -D cn=admin,dc=mycompany,dc=net -W -f ldap-stripped.ldif

And finally I have been editing the smb.conf. Below is the version 
without all the comments, to save space.

************************************************************************************************
[global]

workgroup = HIS

server string = %h server (Samba, Bert)

; name resolve order = lmhosts host wins bcast

; interfaces = 10.0.0.4/16 eth0
; bind interfaces only = yes



#### Debugging/Accounting ####

log file = /var/log/samba/log.%m

max log size = 1000

syslog = 0

panic action = /usr/share/samba/panic-action %d


#authentication
# LDAP SETTINGS
# should this be passdb backend = tdbsam ?
passdb backend = ldapsam:ldap://bert.hisolutions.net
ldap suffix = dc=hisolutions,dc=net
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=hisolutions,dc=net
ldap ssl = start tls
ldap passwd sync = yes
add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"
security = user

encrypt passwords = true

obey pam restrictions = yes
unix password sync = yes

passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

pam password change = yes

map to guest = bad user

########## Domains ###########

; domain logons = yes
; logon path = \\%N\profiles\%U
; logon drive = P:

; logon script = logon.cmd

; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

; add group script = /usr/sbin/addgroup --force-badname %g


# MISC
; include = /home/samba/etc/smb.conf.%m

; idmap uid = 10000-20000
; idmap gid = 10000-20000
; template shell = /bin/bash

; winbind enum groups = yes
; winbind enum users = yes

; usershare max shares = 100

usershare allow guests = yes

#======================= Share Definitions =======================

;[homes]
; comment = Home Directories
; browseable = no
; read only = no
; create mask = 0700
; directory mask = 0700
; valid users = %S

[profiles]
comment = Users profiles
path = /var/raid/samba/profiles
guest ok = no
browseable = no
create mask = 0600
directory mask = 0700


[homes]
comment = home Directories
browseable = yes
read only = no
public = no
[samba]
comment = samba directory share
path = /var/raid/samba
read only = no
public = yes
writable = yes
create mask = 0765
directory mask = 0755
[public]
comment = public directory
path = /var/raid/samba/public
read only = no
public = yes
writable = yes
create mask = 0765
directory mask = 0755
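As an added example (my code, not from the post or from the Samba project), here is a small Python audit of share definitions like the ones above: it parses a constructed smb.conf excerpt modelled on the post's shares, lists the shares that can be written without credentials (Samba treats "public" as a synonym of "guest ok", and "writable" as the inverse of "read only"), and flags restricted shares whose directory lies under a guest-writable share's path, where the enclosing share exposes them anyway.

```python
# Constructed smb.conf excerpt modelled on the shares in the post, not the real file.
SMB_CONF = """
[global]
; interfaces = 10.0.0.4/16 eth0
[profiles]
path = /var/raid/samba/profiles
guest ok = no
[samba]
path = /var/raid/samba
read only = no
public = yes
writable = yes
[public]
path = /var/raid/samba/public
public = yes
writable = yes
"""

TRUTHY = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {key: value}}; ';' and '#' start comments, keys are
    lower-cased with whitespace collapsed, as Samba normalises them."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in ";#":
            continue
        if line[0] == "[":
            section = conf.setdefault(line.strip("[]").lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def guest_writable(share):
    """'public' is a synonym of 'guest ok'; 'writable'/'writeable' override 'read only' (default yes)."""
    guest = share.get("guest ok", share.get("public", "no")).lower() in TRUTHY
    w = share.get("writable", share.get("writeable"))
    writable = w.lower() in TRUTHY if w else share.get("read only", "yes").lower() not in TRUTHY
    return guest and writable

def audit(conf):
    """Return (guest-writable share names, [(restricted share, guest share whose
    path contains it)]); the second list marks restrictions a guest bypasses."""
    shares = {n: s for n, s in conf.items() if n != "global"}
    open_shares = sorted(n for n, s in shares.items() if guest_writable(s))
    exposed = [(n, g) for n, s in shares.items() if n not in open_shares and "path" in s
               for g in open_shares if "path" in shares[g]
               and s["path"].startswith(shares[g]["path"].rstrip("/") + "/")]
    return open_shares, sorted(exposed)
```

Running audit(parse_smb_conf(SMB_CONF)) reports [public] and [samba] as guest-writable and [profiles] as exposed through [samba], since /var/raid/samba/profiles sits inside the guest share's path.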


