Use LDAP Directory to store Samba user accounts

Requirement

Install smbldap-tools:

yum install smbldap-tools

tip - For ease, start from a blank LDAP tree.

LDAP configuration

Put the samba.schema into /etc/openldap/schema/:

cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema /etc/openldap/schema/

Include the samba schema in slapd.conf:

include         /etc/openldap/schema/samba.schema

Add these index directives to slapd.conf so that lookups on the Samba attributes are fast:

index      sambaSID               eq
index      sambaPrimaryGroupSID   eq
index      sambaDomainName        eq

important - The index directive of slapd.conf is only effective on initial load of the directory. If indexes are subsequently changed the directory needs to be re-indexed using the slapindex command.

Required directory structure and objects

dc=example,dc=com
 |
 `--- sambaDomainName : to store domain information
 |
 `--- ou=Users     : to store user accounts for Unix and Windows systems
 |
 `--- ou=Computers : to store computer accounts for Windows systems
 |
 `--- ou=Groups    : to store system groups for Unix and Windows 
 |                   systems, or for any other LDAP-aware systems
 |
 `--- ou=DSA       : to store special accounts (simpleSecurityObject),
                     or for any other LDAP-aware systems

Samba configuration

Sample global section of smb.conf:

[global]
        workgroup = EXAMPLE
        netbios name = SANDBOX
        server string = Samba Server Version %v
        security = DOMAIN
        passdb backend = ldapsam:ldap://127.0.0.1/
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
        domain logons = Yes
        domain master = Yes
        ldap admin dn = cn=admin,dc=example,dc=com
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Computers
        ldap passwd sync = Yes
        ldap suffix = dc=example,dc=com
        ldap user suffix = ou=Users
        cups options = raw

Store the ldap admin password:

smbpasswd -w "<secret password>"

smbldap-tools configuration

Edit /etc/smbldap-tools/smbldap_bind.conf and make sure these are correct:

masterDN="cn=admin,dc=example,dc=com"
masterPw="<plain text password>"

Edit /etc/smbldap-tools/smbldap.conf and set these important entries:

SID="<paste result of 'net getlocalsid' here>"
sambaDomain="EXAMPLE"
suffix="dc=example,dc=com"

usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

defaultUserGid="513"   <=== should be gid of "Domain Users"
defaultComputerGid="515"   <=== should be gid of "Domain Computers"

Check defaultUserGid and defaultComputerGid against the gidNumber of the "Domain Users" and "Domain Computers" objects once they have been created in the directory.

The default values are defined in /usr/sbin/smbldap-populate.

Create directory objects

Create the directory objects automatically by running:

smbldap-populate
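A consistency check for this step, added here as example code that is not part of the original page or of smbldap-tools: it parses the key="value" lines of smbldap.conf and the LDIF that ldapsearch returns for the populated groups and a user, then verifies that defaultUserGid and defaultComputerGid match the gidNumber of "Domain Users" and "Domain Computers", that every sambaSID sits under the configured SID, and that a user's RID follows the smbldap-tools rule RID = 2*uidNumber + 1000 (the johndoe entry further down bears it out: uidnumber 1004 gives RID 3008). The config and LDIF below are constructed samples, not captured from a live directory.

```python
import re
# Constructed samples: smbldap.conf keys from above, and LDIF as `ldapsearch -x -LLL` prints it after populate.
SMBLDAP_CONF = '''SID="S-1-5-21-1706974622-1559483349-437752269"
defaultUserGid="513"
defaultComputerGid="515"
'''
LDIF = '''dn: cn=Domain Users,ou=Groups,dc=example,dc=com
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-1706974622-1559483349-437752269-513

dn: cn=Domain Computers,ou=Groups,dc=example,dc=com
cn: Domain Computers
gidNumber: 515
sambaSID: S-1-5-21-1706974622-1559483349-437752269-515

dn: uid=johndoe,ou=Users,dc=example,dc=com
uidNumber: 1004
sambaSID: S-1-5-21-1706974622-1559483349-437752269-3008
'''
def parse_ldif(text):
    """Entries as dicts of lower-cased attr -> [values]; base64 (::) values are not decoded."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def parse_conf(text):
    """key="value" lines of smbldap.conf; comment lines are ignored."""
    pairs = re.findall(r'^\s*(\w+)\s*=\s*"?([^"\n#]*)', text, re.M)
    return {k: v.strip() for k, v in pairs}

def check(conf, entries):
    """Return a list of problems; an empty list means the setup is consistent."""
    sid, problems = conf.get("SID", ""), []
    want = {"Domain Users": conf.get("defaultUserGid"), "Domain Computers": conf.get("defaultComputerGid")}
    for e in entries:
        dn, cn, esid = e["dn"][0], e.get("cn", [""])[0], e.get("sambasid", [""])[0]
        if esid and not esid.startswith(sid + "-"):
            problems.append(f"{dn}: sambaSID is not under domain SID {sid}")
        if cn in want and e["gidnumber"][0] != want[cn]:
            problems.append(f"{cn}: gidNumber {e['gidnumber'][0]} != smbldap.conf {want[cn]}")
        # smbldap-tools derives user RIDs as 2*uidNumber + 1000 (1004 -> 3008 in the entry below)
        if "uidnumber" in e and esid and int(esid.rsplit("-", 1)[1]) != 2 * int(e["uidnumber"][0]) + 1000:
            problems.append(f"{dn}: RID does not match 2*uidNumber+1000")
    return problems
```

Feed it the real output of ldapsearch over ou=Groups and ou=Users and the real smbldap.conf; any line it prints is a mismatch that smbldap-useradd would carry into every new account.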

Create Users

Command:

smbldap-useradd -a -m -A 1 -B 0 -P -N John -S Doe johndoe

Entry created:

dn: uid=johndoe,ou=Users,dc=example,dc=com
cn: John Doe
displayname: John Doe
gecos: System User
gidnumber: 513
givenname: John
homedirectory: /home/johndoe
loginshell: /bin/bash
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: shadowAccount
objectclass: sambaSamAccount
sambaacctflags: [U]
sambahomedrive: H:
sambahomepath: \\EL5\johndoe
sambakickofftime: 2147483647
sambalmpassword: 2EAF888B5B66A27B93E28745B8BF4BA6
sambalogofftime: 2147483647
sambalogontime: 0
sambantpassword: 52ACDD30AF674A2C31CE973A207455E8
sambaprimarygroupsid: S-1-5-21-1706974622-1559483349-437752269-513
sambapwdcanchange: 0
sambapwdlastset: 1272082949
sambapwdmustchange: 1275970949
sambasid: S-1-5-21-1706974622-1559483349-437752269-3008
shadowlastchange: 14723
shadowmax: 45
sn: Doe
uid: johndoe
uidnumber: 1004
userpassword: {SSHA}gfku1uzOxzmi8e2w/PCvTL8k5ypNR25Q
ldap/use_ldap_directory_to_store_samba_user_accounts.txt · Last modified: 2011-05-13 10:27 by admin