Debian Samba LDAP Integration


  1. Install samba

    • aptitude install samba

  2. Install smbldap-tools

    • aptitude install smbldap-tools

  3. Read the smbldap-tools documentation

    • gunzip /usr/share/doc/smbldap-tools/README.Debian.gz

    • less /usr/share/doc/smbldap-tools/README.Debian

I. LDAP Server Configuration

  1. Copy the 'samba.schema' to be used in your LDAP server (you can find it in '/usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz' after installing the samba-doc package):

    • zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema

  2. Modify the file '/etc/ldap/slapd.conf' to include the samba schema:

    • include /etc/ldap/schema/samba.schema

  3. Optionally add indexes to optimize SAMBA access:

    • index uid,uidNumber,gidNumber,memberUid eq

    • index cn,mail,surname,givenname eq,subinitial

    • index sambaSID eq

    • index sambaPrimaryGroupSID eq

    • index sambaDomainName eq

  4. Allow users to change their NT and LM passwords by changing the ACL line that currently reads:

    • access to attribute=userPassword

    so that it covers the Samba hash attributes as well (the 'by ...' clauses of the rule stay as they are):

    • access to attrs=userPassword,sambaNTPassword,sambaLMPassword

  5. Restart the LDAP server.

    • /etc/init.d/slapd restart

II. Samba Server Configuration

  1. Edit '/etc/samba/smb.conf' and change the 'passdb backend' from its original value to:

    • passdb backend = ldapsam:ldap://localhost

  2. Add configuration directives for the passdb system:

    • obey pam restrictions = no

    • ldap admin dn = cn=admin,dc=neuroimaging,dc=org,dc=au

    • ldap delete dn = no

    • ldap suffix = dc=neuroimaging,dc=org,dc=au

    • ldap machine suffix = ou=Computers

    • ldap user suffix = ou=Users

    • ldap idmap suffix = ou=Users

    • ldap group suffix = ou=Groups

  3. Add the following so that password changes go through the smbldap-tools:

    • ; Do ldap passwd sync

    • ldap passwd sync = Yes

    • passwd program = /usr/sbin/smbldap-passwd %u

    • passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*

  4. And if you want to administer users and groups from Windows, add:

    • add user script = /usr/sbin/smbldap-useradd -m "%u"

    • ldap delete dn = Yes

    • delete user script = /usr/sbin/smbldap-userdel "%u"

    • add machine script = /usr/sbin/smbldap-useradd -w "%u"

    • add group script = /usr/sbin/smbldap-groupadd -p "%g"

    • delete group script = /usr/sbin/smbldap-groupdel "%g"

    • add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"

    • delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"

    • set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

  5. Restart Samba and store the LDAP admin password so that Samba can bind with it:

    • /etc/init.d/samba restart

    • smbpasswd -w LDAP_ADMIN_PASSWORD

smbldap-tools Configuration

  1. Start by copying the files 'smbldap.conf' and 'smbldap_bind.conf' from '/usr/share/doc/smbldap-tools/examples/' to '/etc/smbldap-tools/':

    • zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf

    • cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/smbldap_bind.conf

  2. Edit the 'smbldap.conf' file; the main parameters to watch out for are the 'SID', the LDAP server addresses, the TLS settings and the LDAP suffix.

    • NOTE: To obtain the SID, execute the following command with your Samba server running:

      • net getlocalsid

  3. Edit the 'smbldap_bind.conf' file and put the SMBLDAP administrator's DN and password there.

  4. Fix file permissions:

    • chmod 0644 /etc/smbldap-tools/smbldap.conf

    • chmod 0600 /etc/smbldap-tools/smbldap_bind.conf

  5. To initialize the LDAP database, invoke the command:

    • smbldap-populate

    • NOTE: This makes the tool start allocating uids and gids from 1000 (the hardcoded default). If you want to start from different numbers, pass "-g <firstgid>" or "-u <firstuid>" as options to smbldap-populate.
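Added here as a post-install check and not part of the original page: a small POSIX shell audit of the files configured in the steps above (slapd.conf schema include and ACL, smb.conf backend, smbldap-tools file permissions). The system paths are the page's own; the sample files written by make_samples, including the 'by self write / by anonymous auth / by * none' ACL tail, the masterDN/masterPw bind file with a placeholder password and the deliberately bad 'slapd-bad.conf', are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: sanity checks for the Samba/LDAP
# settings described above. System paths are the page's own; the sample
# files written by make_samples are constructed for this demonstration.

# 0 if FILE has exactly the octal mode MODE (e.g. 600), 1 otherwise.
check_mode() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2" ]
}

# 0 if slapd.conf includes the samba schema and the userPassword ACL also
# covers sambaNTPassword and sambaLMPassword (so users can change them).
check_slapd_conf() {
    grep -Eq '^[[:space:]]*include[[:space:]]+/etc/ldap/schema/samba\.schema' "$1" &&
    grep -Eq '^[[:space:]]*access to attrs=.*sambaNTPassword' "$1" &&
    grep -Eq '^[[:space:]]*access to attrs=.*sambaLMPassword' "$1"
}

# 0 unless the ACL block covering sambaNTPassword grants "by * read" or
# "by * write": NT/LM hashes are password-equivalent, so arbitrary binds must not read them.
check_hash_acl() {
    awk 'BEGIN { bad = 0 }
         /^[ \t]*access to / { inblk = ($0 ~ /sambaNTPassword/) }
         inblk && /by[ \t]+\*[ \t]+(read|write)/ { bad = 1 }
         END { exit bad }' "$1"
}

# 0 if smb.conf uses the ldapsam backend and names an LDAP admin DN.
check_smb_conf() {
    grep -Eq '^[[:space:]]*passdb backend[[:space:]]*=[[:space:]]*ldapsam:' "$1" &&
    grep -Eq '^[[:space:]]*ldap admin dn[[:space:]]*=' "$1"
}

# Write constructed sample configs into DIR: a good slapd.conf/smb.conf pair
# matching the page, a bad slapd.conf that exposes the hashes, and the two
# smbldap-tools files with the permissions from the page (placeholder password).
make_samples() {
    mkdir -p "$1"
    printf '%s\n' 'include /etc/ldap/schema/samba.schema' \
        'access to attrs=userPassword,sambaNTPassword,sambaLMPassword' \
        '    by self write' '    by anonymous auth' '    by * none' > "$1/slapd.conf"
    sed 's/by \* none/by * read/' "$1/slapd.conf" > "$1/slapd-bad.conf"
    printf '%s\n' '[global]' 'passdb backend = ldapsam:ldap://localhost' \
        'ldap admin dn = cn=admin,dc=neuroimaging,dc=org,dc=au' > "$1/smb.conf"
    printf 'masterDN="cn=admin,dc=neuroimaging,dc=org,dc=au"\nmasterPw="PLACEHOLDER"\n' \
        > "$1/smbldap_bind.conf"
    : > "$1/smbldap.conf"
    chmod 0644 "$1/smbldap.conf"; chmod 0600 "$1/smbldap_bind.conf"
}
```

On a real host, source the file and run the checks against the live paths, e.g. check_mode /etc/smbldap-tools/smbldap_bind.conf 600 && check_hash_acl /etc/ldap/slapd.conf.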
