Debian Samba LDAP Integration


  1. install samba
    • aptitude install samba
  2. install smbldap-tools
    • aptitude install smbldap-tools
  3. read smbldap-tools documentation
    • gunzip /usr/share/doc/smbldap-tools/README.Debian.gz
    • less /usr/share/doc/smbldap-tools/README.Debian
I. LDAP Server Configuration
  1. Copy the 'samba.schema' to be used in your LDAP server (you can find it in '/usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz' after installing the samba-doc package):
    • zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema
  2. Modify the file '/etc/ldap/slapd.conf' to include the samba schema:
    • include /etc/ldap/schema/samba.schema
  3. Optionally add indexes to optimize SAMBA access:
    • index uid,uidNumber,gidNumber,memberUid eq
    • index cn,mail,surname,givenname eq,subinitial
    • index sambaSID eq
    • index sambaPrimaryGroupSID eq
    • index sambaDomainName eq
  4. Allow users to change their NT and LM password hashes by changing the ACL line 'access to attribute=userPassword' to:
    • access to attrs=userPassword,sambaNTPassword,sambaLMPassword
  5. Restart the LDAP server.
    • /etc/init.d/slapd restart
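The ACL in step 4 is the one slapd.conf setting worth verifying before the restart: sambaNTPassword and sambaLMPassword are password-equivalent hashes, and without that change they fall under whatever catch-all rule follows (typically 'by * read'). The script below is an added example, not part of the original post or of the smbldap-tools package. It reads a slapd.conf on stdin, isolates the 'access to attrs=' stanza that names all three attributes, and fails if the stanza is missing or if any 'by' clause grants more than 'auth' to '*', 'anonymous' or 'users'. The three sample configurations are constructed; the admin DN cn=admin,dc=example,dc=org is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): validate the slapd.conf ACL that
# protects the Samba password hashes. Reads the configuration on stdin.

# check_samba_pw_acl < slapd.conf
# Exit 0 when an "access to attrs=..." stanza names userPassword,
# sambaNTPassword and sambaLMPassword and none of its "by" clauses grants
# more than "auth" to *, anonymous or users. Exit 1 otherwise.
check_samba_pw_acl() {
    # Keep only the stanza that starts at the matching "access to attrs="
    # line and ends just before the next "access to" line.
    stanza=$(awk '
        /^[ \t]*access to / {
            inblock = ($0 ~ /attrs=/ && $0 ~ /userPassword/ && $0 ~ /sambaNTPassword/ && $0 ~ /sambaLMPassword/)
        }
        inblock { print }
    ')
    if [ -z "$stanza" ]; then
        echo "FAIL: no ACL covers userPassword, sambaNTPassword and sambaLMPassword together"
        return 1
    fi
    # Hashes readable by everyone (or by any bound user) can be cracked offline;
    # "compare" would still give a yes/no oracle, so only "auth" and "none" are
    # acceptable for the catch-all principals.
    if printf '%s\n' "$stanza" | grep -Eq 'by[[:space:]]+(\*|anonymous|users)[[:space:]]+(read|write|search|compare)'; then
        echo "FAIL: password-hash ACL grants read/write/search/compare to a catch-all principal"
        return 1
    fi
    echo "OK: password-hash ACL restricts access to self and the admin DN"
    return 0
}

# Constructed sample: the ACL after step 4, restricted to self and the admin DN.
sample_good_conf() {
    cat <<'EOF'
include /etc/ldap/schema/samba.schema
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=org" write
        by anonymous auth
        by self write
        by * none
access to *
        by dn="cn=admin,dc=example,dc=org" write
        by * read
EOF
}

# Constructed sample: the ACL before step 4. Only userPassword is protected, so
# the Samba hashes fall through to the catch-all "access to * ... by * read".
sample_before_step4_conf() {
    cat <<'EOF'
access to attribute=userPassword
        by dn="cn=admin,dc=example,dc=org" write
        by anonymous auth
        by self write
        by * none
access to *
        by dn="cn=admin,dc=example,dc=org" write
        by * read
EOF
}

# Constructed sample: the attrs line was updated, but "by * read" leaks the hashes.
sample_leaky_conf() {
    cat <<'EOF'
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=org" write
        by self write
        by * read
EOF
}

# Run the check over the three samples (expected: OK, FAIL, FAIL).
sample_good_conf | check_samba_pw_acl
sample_before_step4_conf | check_samba_pw_acl
sample_leaky_conf | check_samba_pw_acl
```

On a real server run 'check_samba_pw_acl < /etc/ldap/slapd.conf'. The check deliberately ignores 'by self write' and explicit 'by dn=...' clauses; it only rejects the catch-all principals, because those are the ones that expose the hashes to every LDAP client.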
II. Samba Server Configuration
  1. Edit the '/etc/samba/smb.conf' to change the passdb backend from the original to:
    • passdb backend = ldapsam:ldap://localhost
  2. Add configuration directives for the passdb system:
    • obey pam restrictions = no
    • ldap admin dn = cn=admin,dc=neuroimaging,dc=org,dc=au
    • ldap delete dn = no
    • ldap suffix = dc=neuroimaging,dc=org,dc=au
    • ldap machine suffix = ou=Computers
    • ldap user suffix = ou=Users
    • ldap idmap suffix = ou=Users
    • ldap group suffix = ou=Groups
  3. Add the following so that password changes go through the smbldap-tools:
    • ; Do ldap passwd sync
    • ldap passwd sync = Yes
    • passwd program = /usr/sbin/smbldap-passwd %u
    • passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
  4. If you also want to administer users and groups from Windows, add:
    • add user script = /usr/sbin/smbldap-useradd -m "%u"
    • ldap delete dn = Yes
    • delete user script = /usr/sbin/smbldap-userdel "%u"
    • add machine script = /usr/sbin/smbldap-useradd -w "%u"
    • add group script = /usr/sbin/smbldap-groupadd -p "%g"
    • delete group script = /usr/sbin/smbldap-groupdel "%g"
    • add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    • delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    • set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
  5. Restart samba and add the smbldap admin password to let SAMBA use it:
    • /etc/init.d/samba restart
    • smbpasswd -w LDAP_ADMIN_PASSWORD
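Samba reads these directives only at restart, and a typo in them tends to surface as a failed admin bind rather than a clear error. The script below is an added example, not part of the original post or of Samba itself. It parses the [global] section of an smb.conf read on stdin and fails if the passdb backend is not ldapsam, if 'ldap admin dn' or 'ldap suffix' is missing, if the admin bind would go over plain ldap:// to a remote host without 'ldap ssl = start tls', or if any of the script hooks leaves a %u/%g macro unquoted (the post quotes all of them). The two sample configurations are constructed and use dc=example,dc=org and ldap.example.org as placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the ldapsam settings
# in smb.conf before restarting Samba. Reads the configuration on stdin.

# check_smb_ldap_conf < smb.conf
# Exit 0 when [global] selects the ldapsam backend, names an admin DN and a
# suffix, does not send the admin bind over plain ldap:// to a remote host,
# and quotes every %u/%g macro in the script hooks. Exit 1 otherwise.
check_smb_ldap_conf() {
    awk '
    /^[ \t]*[;#]/ { next }                                  # comment lines
    /^[ \t]*\[/ { sect = tolower($0); gsub(/\[|\]|[ \t]/, "", sect); next }
    sect == "global" && index($0, "=") {
        # Split on the first "=", trim, lower-case the key; a later duplicate
        # overrides an earlier one, as Samba itself does.
        key = substr($0, 1, index($0, "=") - 1)
        val = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        conf[tolower(key)] = val
    }
    END {
        rc = 0
        backend = conf["passdb backend"]
        if (backend !~ /^ldapsam:/) { print "FAIL: passdb backend is not ldapsam"; rc = 1 }
        url = backend; sub(/^ldapsam:/, "", url)
        # Samba binds as "ldap admin dn" with the password stored by smbpasswd -w.
        # Over plain ldap:// to another host that bind crosses the network in
        # clear unless "ldap ssl = start tls" upgrades the connection.
        if (url ~ /^ldap:\/\// && url !~ /^ldap:\/\/(localhost|127\.0\.0\.1)(:|\/|$)/ &&
            tolower(conf["ldap ssl"]) != "start tls") {
            print "FAIL: remote ldap:// URL without ldap ssl = start tls"; rc = 1
        }
        if (conf["ldap admin dn"] == "") { print "FAIL: ldap admin dn not set"; rc = 1 }
        if (conf["ldap suffix"] == "")   { print "FAIL: ldap suffix not set"; rc = 1 }
        if (tolower(conf["ldap passwd sync"]) !~ /^(yes|only)$/)
            print "NOTE: ldap passwd sync is off; userPassword will not follow Samba password changes"
        # The post quotes every %u and %g in the script hooks; flag any bare one.
        for (k in conf) if (k ~ / script$/ && conf[k] ~ /(^|[^"])%[ug]([^"]|$)/) {
            print "FAIL: unquoted %u/%g macro in \"" k "\""; rc = 1
        }
        if (rc == 0) print "OK: ldapsam configuration looks consistent"
        exit rc
    }'
}

# Constructed sample mirroring the post's directives; DN and suffix are placeholders.
sample_smb_conf() {
    cat <<'EOF'
[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldap://localhost
   obey pam restrictions = no
   ldap admin dn = cn=admin,dc=example,dc=org
   ldap delete dn = no
   ldap suffix = dc=example,dc=org
   ldap machine suffix = ou=Computers
   ldap user suffix = ou=Users
   ldap idmap suffix = ou=Users
   ldap group suffix = ou=Groups
   ; Do ldap passwd sync
   ldap passwd sync = Yes
   passwd program = /usr/sbin/smbldap-passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
   add user script = /usr/sbin/smbldap-useradd -m "%u"
   add machine script = /usr/sbin/smbldap-useradd -w "%u"
   add group script = /usr/sbin/smbldap-groupadd -p "%g"
   add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
[homes]
   browseable = no
EOF
}

# Constructed sample with two mistakes: the admin bind goes to a remote host
# over plain ldap:// without STARTTLS, and one script hook leaves %u unquoted.
sample_bad_smb_conf() {
    cat <<'EOF'
[global]
   passdb backend = ldapsam:ldap://ldap.example.org
   ldap admin dn = cn=admin,dc=example,dc=org
   ldap suffix = dc=example,dc=org
   ldap passwd sync = Yes
   add user script = /usr/sbin/smbldap-useradd -m %u
EOF
}

# Expected: OK for the first sample, two FAIL lines for the second.
sample_smb_conf | check_smb_ldap_conf
sample_bad_smb_conf | check_smb_ldap_conf
```

On a real server run 'check_smb_ldap_conf < /etc/samba/smb.conf' before the restart. The parser is intentionally minimal (no 'include =' or '%' substitution in values), which is enough for the directives this post adds.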
III. smbldap-tools Configuration
  1. Start by copying the files 'smbldap.conf' and 'smbldap_bind.conf' from '/usr/share/doc/smbldap-tools/examples/' to '/etc/smbldap-tools/':
    • zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf
    • cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/smbldap_bind.conf
  2. Edit the 'smbldap.conf' file; the main parameters to check are the 'SID', the LDAP server addresses, the TLS settings and the LDAP suffix.
    • NOTE: To obtain the SID, run the following command with your Samba server running:
      • net getlocalsid
  3. Edit the 'smbldap_bind.conf' file and enter the LDAP administrator's DN and password there.
  4. Fix file permissions:
    • chmod 0644 /etc/smbldap-tools/smbldap.conf
    • chmod 0600 /etc/smbldap-tools/smbldap_bind.conf
  5. To initialize the LDAP database, invoke the command:
    • smbldap-populate
    • NOTE: This makes the tool start adding uids and gids from 1000 (the hard-coded default); if you want to start from different numbers, pass "-g <firstgid>" or "-u <firstuid>" as options to smbldap-populate.
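Two things in this section go wrong silently: a 'SID' in smbldap.conf that does not match 'net getlocalsid' produces accounts Samba will not recognise as belonging to its domain, and smbldap_bind.conf left at the package example's mode exposes the LDAP admin password to every local user. The script below is an added example, not part of the original post or of the smbldap-tools package. It compares the SID from smbldap.conf with the one in captured 'net getlocalsid' output and checks that smbldap_bind.conf is readable by its owner only. The demo files it writes are constructed: the SID values, the domain name EXAMPLE and the DN cn=admin,dc=example,dc=org are placeholders, and the 'net getlocalsid' output line is assumed to have the form 'SID for domain NAME is: S-1-5-21-...'.

```shell
#!/bin/sh
# Added example (not from the original post): verify the two smbldap-tools
# configuration files before running smbldap-populate.

# sid_from_getlocalsid < output-of-"net getlocalsid"
# Prints the SID from a line such as "SID for domain HOST is: S-1-5-21-...".
sid_from_getlocalsid() {
    sed -n 's/^SID for domain .* is: *\(S-1-5-21-[0-9-]*\).*$/\1/p' | head -n 1
}

# sid_from_smbldap_conf FILE
# Prints the value of the SID="..." line in smbldap.conf.
sid_from_smbldap_conf() {
    sed -n 's/^SID="\([^"]*\)".*$/\1/p' "$1" | head -n 1
}

# bind_conf_is_private FILE
# Exit 0 when FILE is accessible by its owner only (mode 0600 as in step 4, or 0400).
bind_conf_is_private() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# check_smbldap_setup SMBLDAP_CONF SMBLDAP_BIND_CONF GETLOCALSID_OUTPUT_FILE
# Exit 0 when the configured SID matches the server's and the bind file is private.
check_smbldap_setup() {
    rc=0
    conf_sid=$(sid_from_smbldap_conf "$1")
    local_sid=$(sid_from_getlocalsid < "$3")
    if [ -z "$conf_sid" ] || [ "$conf_sid" != "$local_sid" ]; then
        echo "FAIL: SID in $1 ($conf_sid) differs from net getlocalsid ($local_sid)"
        rc=1
    fi
    if ! bind_conf_is_private "$2"; then
        echo "FAIL: $2 holds the LDAP admin password and is not mode 0600"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: SID matches and the bind file is private"
    return "$rc"
}

# make_demo_files DIR
# Writes a constructed, consistent set of files into DIR (placeholder values only).
make_demo_files() {
    cat > "$1/smbldap.conf" <<'EOF'
SID="S-1-5-21-1111111111-2222222222-3333333333"
sambaDomain="EXAMPLE"
EOF
    cat > "$1/smbldap_bind.conf" <<'EOF'
masterDN="cn=admin,dc=example,dc=org"
masterPw="PLACEHOLDER_PASSWORD"
EOF
    chmod 0600 "$1/smbldap_bind.conf"
    printf 'SID for domain EXAMPLE is: S-1-5-21-1111111111-2222222222-3333333333\n' > "$1/getlocalsid.txt"
}

# Demo: the consistent set passes; then simulate a rebuilt server (new SID) and
# the bind file left at the package example's mode, which both fail.
demo=$(mktemp -d)
make_demo_files "$demo"
check_smbldap_setup "$demo/smbldap.conf" "$demo/smbldap_bind.conf" "$demo/getlocalsid.txt"
printf 'SID for domain EXAMPLE is: S-1-5-21-9999999999-2222222222-3333333333\n' > "$demo/getlocalsid.txt"
chmod 0644 "$demo/smbldap_bind.conf"
check_smbldap_setup "$demo/smbldap.conf" "$demo/smbldap_bind.conf" "$demo/getlocalsid.txt"
rm -rf "$demo"
```

On a real server capture the SID once with 'net getlocalsid > /tmp/sid.txt' and run 'check_smbldap_setup /etc/smbldap-tools/smbldap.conf /etc/smbldap-tools/smbldap_bind.conf /tmp/sid.txt'; re-run it whenever the Samba server is reinstalled, since a fresh install generates a new local SID.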