# How-To LDAP Samba PDC Support

## xarses

I've been writing a HowTo on successfully setting up a Samba Primary Domain Controller that uses an LDAP backend over on gentoo-wiki.com; it can be found here: http://gentoo-wiki.com/HOWTO_LDAP_SAMBA_PDC

It is my intention that this HowTo will help guide Gentoo admins in setting up their own Primary Domain Controller (PDC) using Samba and OpenLDAP. Setting up, configuring and understanding the array of options and their implications can be quite a daunting task.

This thread is intended to be used for support, corrections, gripes and complaints regarding my HowTo. Currently Sections 1-4 are complete and I'm still working on the rest.

----------

## !equilibrium

I have read the howto very quickly, and I have found that you suggest using '-J3'.

It's wrong: on an old single CPU without HT it can create broken binaries, mainly on AMD CPUs.

So it is better to remove it, or put in the right suggestions.

however, thanks a lot for the HOWTO  :Smile: 

----------

## daeghrefn

One suggestion I thought of... for the use flags, it might be better to have people put the use flags in /etc/portage/package.use rather than in /etc/make.conf, that way they don't mess up their system if they prefer to not have their other packages changed.

----------

## georgemj

I've been working on a similar document at our company (I guess I won't have to send it up to the gentoo site, now...  :Smile: ) and I ran into a snag recently that I thought you might want to be aware of.  Perhaps you can give me some guidance, too, as I don't know all that much about Samba PDC's.

Rather than making just the changes to nsswitch.conf that you suggest, we were putting nsswitch.ldap from nss_ldap into place and then cut services: and protocols: just down to "files".

This worked fine until a system update about 3-4 weeks ago.  At that time the system could no longer boot right because udev was not able to load the devices correctly and /dev/sdaX were not available (among other problems I'm sure we would have run into).

It turned out that the problem was the hosts entry:

hosts: files dns ldap

If we drop the " ldap" all is fine.  If we have it in there udev is broken. (The PDC is the LDAP server, so presumably udev is referencing it, though there is no networking or LDAP running, I don't know how it possibly could.)

In your docs, you only suggest changing passwd: group: and shadow:.  Is that all that's necessary?  (Remember, I don't know much about PDC's...)  If so, I can just change our internal docs to direct those changes and not replace nsswitch.conf with nsswitch.ldap.

----------

## xarses

georgemj

 *Quote:*   

>  hosts: files dns ldap

 

Hmm, that might be why my udev gagged a while back, as I've had that line in there.

Essentially nsswitch is used for telling the OS where to look when trying to find various pieces of information. In this case you are telling your system that hosts (host names) can be translated first by files (usually /etc/hosts), then by dns (first the DNS cache, then a query), and if those two don't return a result, ldap is then queried. So if you don't want to use ldap to help resolve name translations (usually DNS services are more effective) then you can reasonably leave the line set to

```
hosts: files dns
```

In my docs only passwd, group, and shadow are changed to include ldap because they are the only information parts critical to user authentication. Again, these settings are used for local system authentication; don't get me wrong though, passwd, group, and shadow resolves must work or samba won't be able to save files on the server's system. As far as I'm aware all of the other settings are not critical to the purpose of an LDAP Samba PDC.

Sorry, I do ramble. In short the answer is YES:

```
 hosts: files dns
```

should not affect PDC functionality (you're probably not storing hosts information anyway, or have /etc/ldap.conf configured to be able to find hosts information).

If you have some docs that got you to a working point, I would like to examine them and perhaps discuss them with you so that the HowTo may be improved upon.

----------

## Po0ky

http://gentoo-wiki.com/Talk:HOWTO_LDAP_SAMBA_PDC_Performance_Tuning

http://gentoo-wiki.com/Talk:HOWTO_LDAP_SAMBA_PDC_Basic_Setup

Some feedback needed... Stuck on myself

----------

## georgemj

That would be fine with me (discuss our common findings).  I am still putting the final touches on our system and we have to thoroughly test it (it goes into a customer's site, and we *really* don't want it dorked) before I'm confident that it's finalized.

I updated the OS on it (gentoo, and I stepped it through the gcc-3.4 update) and my phpldapadmin is being problematic on it, but prior to the rebuild I did some remedial testing with ssh and Win98 logging in and it seemed to work.

I have my docs in a mediawiki installation.  Would you like a PDF of what I have so far, or the mediawiki input for it?

----------

## xarses

georgemj: either would work fine with me; PDF is more portable. I'll send you a PM with my email address.

po0ky: awesome. When I get a chance and stop working two jobs (end of the week) I'll check it out and get through it.

----------

## Dr.Dran

@xarses & @Po0ky: very, very nice Howto. Now I am studying the integration of Linux in an Active Directory domain; I hope to obtain the *.schema file that merges the classical inetorgperson.schema with the Active Directory schema, the Novell Directory service and so on...

As a case study I suggest you look at this howto... it is interesting:

http://enterprise.linux.com/enterprise/04/12/09/2318244.shtml?tid=102&tid=101&tid=100

If anyone has experience with it please tell me something.

Best regards   :Very Happy: 

----------

## xarses

Ya, that's my larger goal, get all three to work   :Rolling Eyes: 

----------

## Po0ky

HOWTO_LDAP_SAMBA_PDC_Security_Upgrade Req4Feedback

There you go... done some more  :Smile: 

----------

## Dr.Dran

So cool, we are on the right version... but I hope that in future I will grab the LDAP schema of Active Directory for the real integration   :Wink: 

Thanx and cool

 :Very Happy:   :Very Happy:   :Very Happy: 

----------

## Po0ky

Bump!

Is there still some action going on here?  :Smile: 

----------

## lkarayan

It's well organized, however I don't know how many people I share this preference with, but a single HTML page would be nicer IMO.

----------

## bruor

I recently followed this howto and have come across an issue.

I got to the end of setup and it seems like everything is working except being able to join the domain.

I get an error that the DNS SRV record was not returned when searching etc.

What I have read so far seems to point to the fact that the domain I am using resembles a DNS-resolvable name in smb.conf, such as

```
workgroup = test.example.org
```

It says that changing it to something like

```
workgroup = test
```

will keep Windows from thinking the PDC is actually AD, and will keep it from looking for SRV records in DNS, making it resort to WINS.

Can anyone confirm that this will keep it from searching DNS for SRV records?

----------

## locovaca

I'm not able to get PAM/NSS set up... my files:

```
caprice pam.d # cat system-auth
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so
account    required     pam_unix.so
account    sufficient   pam_ldap.so
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_ldap.so use_authtok
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_ldap.so
```

```
caprice etc # cat nsswitch.conf
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/nsswitch.conf,v 1.1 2005/05/17 00:52:41 vapier Exp $
passwd:      files ldap
shadow:      files ldap
group:       files ldap
# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis
hosts:       files dns
networks:    files dns
services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files
automount:   files
aliases:     files
```

```
caprice openldap # cat ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE    dc=burke,dc=local
HOST    127.0.0.1
nss_base_passwd ou=Computers,dc=burke,dc=local
nss_base_passwd ou=Users,dc=burke,dc=local
nss_base_shadow ou=Users,dc=burke,dc=local
nss_base_group ou=Groups,dc=burke,dc=local
pam_password exop
debug 256
logdir /var/log/nss_ldap
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
```

This results in...

```
caprice etc # getent passwd | grep 0:0
root:x:0:0:root:/root:/bin/bash
```

```
caprice openldap # ldapsearch -b "ou=Users,dc=burke,dc=local"
...
# root, Users, burke.local
dn: uid=root,ou=Users,dc=burke,dc=local
cn: root
sn: root
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: root
uidNumber: 0
homeDirectory: /home/root
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\Caprice\root
sambaHomeDrive: H:
sambaProfilePath: \\Caprice\profiles\root
sambaPrimaryGroupSID: S-1-5-21-1253800008-2809828810-751333459-512
sambaSID: S-1-5-21-1253800008-2809828810-751333459-500
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: hash
sambaAcctFlags: [U]
sambaNTPassword: hash
sambaPwdLastSet: 1138331557
sambaPwdMustChange: 1142219557
userPassword:: hash
...
# search result
search: 2
result: 0 Success
# numResponses: 7
# numEntries: 6
```

Any thoughts?  There's nothing in /var/log/nss_ldap, either...

----------

## locovaca

NM, figured it out, /etc/ldap.conf isn't the same as /etc/openldap/ldap.conf   :Embarassed: 

----------

## thedd

I'm having trouble with the samba+ldap after following this HowTo.

Please look at https://forums.gentoo.org/viewtopic-t-427457.html

----------

## butchie3980

Is there a way to compile the smbk5pwd for use with MIT Kerberos?  No success so far, but I'm hopeful.

Thanks

----------

## flipy

I've followed this how-to and it works great!

However, could someone explain how to add support for a MTA and IMAP?

Thanks

----------

## DiezelMax

ldap.conf

```
nss_base_passwd ou=People,dc=example,dc=net?sub
nss_base_shadow ou=People,dc=example,dc=net?sub
```

----------

## h0mer`-

I followed this tutorial but I get an error when running "smbldap-populate":

```
Populating LDAP directory for domain test (S-1-5-21-4205727931-4131263253-1851132061)
(using builtin directory structure)
adding new entry: dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 2.
adding new entry: ou=Users,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 3.
adding new entry: ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 4.
adding new entry: ou=Computers,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 5.
adding new entry: ou=Idmap,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 6.
adding new entry: uid=root,ou=Users,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 7.
adding new entry: uid=nobody,ou=Users,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 8.
adding new entry: cn=Domain Admins,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 9.
adding new entry: cn=Domain Users,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 10.
adding new entry: cn=Domain Guests,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 11.
adding new entry: cn=Domain Computers,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 12.
adding new entry: cn=Administrators,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 16.
adding new entry: cn=Account Operators,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 18.
adding new entry: cn=Print Operators,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 19.
adding new entry: cn=Backup Operators,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 20.
adding new entry: cn=Replicators,ou=Groups,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 21.
adding new entry: sambaDomainName=test,dc=test,dc=lan
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 471, <GEN1> line 21.
Please provide a password for the domain root:
No such object at /usr/sbin//smbldap_tools.pm line 341.
```

This is my "smbldap_bind.conf"

(I removed my plaintext pw)

```
#slaveDN="cn=Manager,dc=test,dc=lan"
#slavePw="secret"
#masterDN="cn=Manager,dc=test,dc=lan"
#masterPw="secret"
rootdn="cn=Manager,dc=test,dc=lan"
rootpw=""
```

... and the "smbldap.conf"

```
# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
#  This code was developped by IDEALX (http://IDEALX.org/) and
#  contributors (their names can be found in the CONTRIBUTORS file).
#
#                 Copyright (C) 2001-2002 IDEALX
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.
#  Purpose :
#       . be the configuration file for all smbldap-tools scripts
##############################################################################
#
# General Configuration
#
##############################################################################
# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-4205727931-4131263253-1851132061"
# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="test"
##############################################################################
#
# LDAP Configuration
#
##############################################################################
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)
# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="127.0.0.1"
# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"
# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"
# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"
# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="none"
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"
# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"
# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=test,dc=lan"
# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=Users,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"
# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"
# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=test,${suffix}"
# Default scope Used
scope="sub"
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="MD5"
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"
# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
# Default mode used for user homeDirectory
userHomeDirectoryMode="700"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome=""
# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile=""
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="S:"
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="test.lan"
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
# comment out the following line to get rid of the default banner
no_banner="1"
```

----------

## whitetux

I get the same as above...I tried for a few days trying to get it to work. Eventually have given up trying to use smbldap-tools.

----------

## GoVirtual

I am just running through the HOW TO without a lot of Gentoo knowledge.

As I was following the instructions step by step I ran into a "warning" when doing the emerge after doing the keyword command.

A module was masked and it did not even start the emerge.

It took me a quick question to a Gentoo guru to get the situation explained and shown how I could get that module added and then get the emerge on the go.

An enhancement of the HOW TO could have a helper on how to take care of such an instance as I just ran into.

Thanks.  :Smile: 

----------

## RAPHEAD

Hi,

I've basically a similar setup to the one described in this nice howto, but I have encountered two problems, of which one is not quite resolved:

1.) If you use the nsswitch.conf settings as described in the howto, you will encounter the problem described here: https://bugs.gentoo.org/show_bug.cgi?id=99564

This can be resolved by using a ~x86 udev version -- currently I'm using 087.

2.) A chicken egg problem when starting slapd in the default runlevel.

If slapd starts on system boot, it hangs for quite a while and will never even start if you have not defined timeouts in /etc/ldap.conf.

In /var/log/messages the corresponding logs read:

```
Oct 30 02:01:06 slapd[5585]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Oct 30 02:01:06 slapd[5585]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Oct 30 02:01:06 slapd[5585]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Oct 30 02:01:10 slapd[5585]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
...
```

I guess Linux tries to find out something about the user "ldap" but it can't, because the LDAP backend is just starting.

However, the user ldap IS defined in /etc/shadow and my /etc/nsswitch.conf is:

```
passwd:      files ldap
shadow:      files ldap
group:       files ldap
...
```

I think it should not be necessary to ask the LDAP backend about the user ldap, as it can be found in the "files" backend, but obviously this is not the way Linux interprets this file.

The same problem is discussed here:

http://lists.freebsd.org/pipermail/freebsd-stable/2006-July/026916.html

Any ideas how this can be fixed? I think switching nsswitch.conf while booting is not a nice solution.
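A checker for the two nsswitch pitfalls raised in this thread (xarses' explanation of lookup order earlier, and the slapd start-up hang described here), added as an example; it is not code from the thread or from the HOWTO. The /etc/ldap.conf keys it looks for (`bind_policy`, `bind_timelimit`, `nss_initgroups_ignoreusers`) are PADL nss_ldap options; the sample files below are constructed.

```python
from typing import Dict, List

# The databases that must resolve for logins and for Samba to write files as a user.
AUTH_DBS = ("passwd", "group", "shadow")


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each nsswitch database to its ordered list of sources ('#' comments ignored)."""
    dbs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        # glibc action tokens such as [NOTFOUND=return] are not sources; skip them here.
        dbs[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return dbs


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse the 'key value' lines of nss_ldap's /etc/ldap.conf (keys lower-cased)."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf


def check_boot_safety(nsswitch_text: str, ldap_conf_text: str) -> List[str]:
    """Return findings describing ways this host can block on LDAP during boot."""
    dbs = parse_nsswitch(nsswitch_text)
    conf = parse_ldap_conf(ldap_conf_text)
    findings: List[str] = []

    # Pitfall 1 (georgemj/xarses): udev resolves host names in early boot, before
    # networking or slapd exist, so a 'hosts:' line that ends in ldap stalls it.
    if "ldap" in dbs.get("hosts", []):
        findings.append("hosts: lists ldap; udev will wait on LDAP before the network is up")

    ldap_dbs = []
    for db in AUTH_DBS:
        sources = dbs.get(db, [])
        if "ldap" not in sources:
            continue
        ldap_dbs.append(db)
        # Local accounts (root, the 'ldap' user slapd runs as) must resolve offline.
        if "files" not in sources or sources.index("files") > sources.index("ldap"):
            findings.append(f"{db}: put 'files' before 'ldap' so local accounts resolve without the directory")

    if ldap_dbs:
        # Pitfall 2 (RAPHEAD): glibc's initgroups() queries *every* group: source to collect
        # supplementary groups, so even a user found in /etc/passwd triggers an LDAP query
        # while slapd itself is starting.  nss_ldap's default bind_policy 'hard' retries
        # that connection indefinitely, which is the hang seen in /var/log/messages.
        if conf.get("bind_policy", "hard").lower() != "soft":
            findings.append("ldap.conf: bind_policy defaults to hard; set 'bind_policy soft' so lookups fail fast while slapd is down")
        if "bind_timelimit" not in conf:
            findings.append("ldap.conf: no bind_timelimit; set one (seconds) to bound each connection attempt")
        ignored = [u.strip() for u in conf.get("nss_initgroups_ignoreusers", "").split(",")]
        if "ldap" not in ignored:
            findings.append("ldap.conf: add 'nss_initgroups_ignoreusers root,ldap' so slapd's own user never needs the directory")
    return findings


# Constructed sample input modelled on the files posted in this thread (not a real host).
SAMPLE_NSSWITCH = """\
passwd:      files ldap
shadow:      files ldap
group:       files ldap
hosts:       files dns ldap
networks:    files dns
"""
FIXED_NSSWITCH = SAMPLE_NSSWITCH.replace("hosts:       files dns ldap", "hosts:       files dns")

SAMPLE_LDAP_CONF = """\
BASE    dc=test,dc=lan
HOST    127.0.0.1
nss_base_passwd ou=Users,dc=test,dc=lan
pam_password exop
"""
HARDENED_LDAP_CONF = SAMPLE_LDAP_CONF + """\
bind_policy soft
bind_timelimit 5
nss_initgroups_ignoreusers root,ldap
"""

if __name__ == "__main__":
    for label, nss, ldap in (("as posted", SAMPLE_NSSWITCH, SAMPLE_LDAP_CONF),
                             ("hardened", FIXED_NSSWITCH, HARDENED_LDAP_CONF)):
        print(f"--- {label} ---")
        for finding in check_boot_safety(nss, ldap) or ["no boot-time LDAP dependency found"]:
            print(" ", finding)
```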

----------

## flipy

After setting up this PDC, I was thinking of a way to manage DHCP queries thru LDAP, but it's quite complicated.

My specific problem is that I need to manage wireless clients that connect thru an AP and authenticate them using LDAP.

But, since I'm still a newbie on this matter, I've not found any practical solution (I've heard something about DHCP+LDAP patch, but don't know)

Has anyone got this same problem and configured it successfully?

Thanks

----------

## korda

 *flipy wrote:*   

> After setting up this PDC, I was thinking of a way to manage DHCP queries thru LDAP, but it's quite complicated.
> 
> My specific problem is that I need to manage wireless clients that connect thru an AP and authenticate them using LDAP.
> 
> But, since I'm still a newbie on this matter, I've not found any practical solution (I've heard something about DHCP+LDAP patch, but don't know)
> ...

 

FreeRADIUS might help you out there, I use it for wireless clients on our PDC as the wireless AP we use (some dlink thing, it's 150km away from me atm) can talk to a RADIUS server for authentication.

Also in the new year I'll attempt to use Po0ky's HOWTO to convert our current samba+gentoo PDC to use ldap for authentication, right now we use samba for wired workstation logins and unix passwords for personal laptop logins via freeradius and SSH shell access. We use unix/samba password synchronisation to reconcile the two.

It's quite bad, openldap seemed too hard to set up at the time but I think this howto will help out immensely in standardising shell, freeradius wireless users and samba workstation users.

----------

## Jeremy_Z

Hi, nice guide  :Smile: 

One stupid thing happened to me: samba would not start after configuring it according to the guide.

I had to skip that and run the populate, after that it could start fine.

----------

## dwalexuk

I compiled smbk5pwd following the instructions on the talk page, and it's loaded OK, but it doesn't synchronise passwords (when you change the password using passwd).

Is there any way to debug this? I use loglevel 2304 in slapd.conf but I still don't have any clues.

----------

## nianderson

I have a working samba + ldap PDC that I inherited. I am wanting to add a standalone file server to the mix. I want the file server to just auth against my LDAP server. I'm having problems figuring out what I actually need to configure.

Do I only need to do the Samba section and not the nsswitch etc.? And in the Samba section, leave out Netlogon shares, Profiles, and Adding machine accounts?

----------

## GD

hello....

thanks for the how-to... it seems to be working apart from a few points:

NOTE: I used the 5/05/2007 notes about not editing any pam.d files... I just added ldap to /etc/nsswitch.conf

NOTE2: I'm running gentoo-hardened although I have not configured grsec and stuff so far... (kernel support is enabled though...)

when doing a getent passwd | grep 0:0 this is what I get:

```
gaea log # getent passwd | grep 0:0
request done: ld 0x523f30 msgid 1
request done: ld 0x523f30 msgid 2
request done: ld 0x523f30 msgid 3
root:x:0:0:root:/root:/bin/bash
root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
```

Is this OK?

But the most important thing is that the testuser test doesn't work... I've successfully added the user with smbldap-tools, but for some reason authentication fails. Here's the output in /var/log/auth.log:

```
May  6 01:03:16 gaea sshd[2650]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gaea.gaza.net  user=testuser
May  6 01:03:19 gaea sshd[2645]: error: PAM: Authentication failure for testuser from gaea.gaza.net
May  6 01:04:25 gaea sshd[2651]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gaea.gaza.net  user=testuser
May  6 01:04:27 gaea sshd[2645]: error: PAM: Authentication failure for testuser from gaea.gaza.net
May  6 01:04:31 gaea sshd[2665]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gaea.gaza.net  user=testuser
May  6 01:04:32 gaea sshd[2660]: error: PAM: Authentication failure for testuser from gaea.gaza.net
```

it seems the ldap server can't be contacted for some reason... however all the other tests described in the how-to seem to work fine... here's my /etc/ldap.conf:

 *Quote:*   

> # @(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $
> 
> #
> 
> # This is the configuration file for the LDAP nameservice
> ...

 

I've also created a /etc/ldap.secret file which contains the Manager password in cleartext... Any ideas on what might be wrong here? Any ways to do further debugging to find out where the problem is lying?

Thanks in advance...

george

----------

## GD

solved... I edited the /etc/pam.d/system.auth file anyway... any idea why this comment about skipping that section is present in the wiki?

----------

## KingOfSka

I got SSH login of LDAP users and share browsing fully working, but when I try to join the domain from a Windows XP client, I get a "A system device is disconnected" error and can't log in.

On my gentoo box, in the log file of samba, I see

```
[2007/07/15 04:45:56, 1] rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(1004)
  _net_sam_logon: user TEST_DOMAIN\testusera has user sid S-1-5-21-4205727931-4131263253-1851132061-3002
   but group sid S-1-5-21-1474600641-904944587-3008827518-513.
  The conflicting domain portions are not supported for NETLOGON calls
```

Also in /var/log/samba/log.smbd I found

```
[2007/07/15 04:24:00, 1] passdb/pdb_interface.c:pdb_default_uid_to_rid(1233)
  Could not peek rid out of sid S-1-5-21-4205727931-4131263253-1851132061-500
```

I installed phpldapadmin to try to manage these records but don't know what to do. I googled around and found advice about removing the groups and recreating them, but I've already done that and didn't get any results.

----------

## Falador

KingOfSka, I'm 99.9% sure your SIDs should match, apart from the last set of numbers.

```
[2007/07/15 04:45:56, 1] rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(1004)
  _net_sam_logon: user TEST_DOMAIN\testusera has user sid S-1-5-21-4205727931-4131263253-1851132061-3002
   but group sid S-1-5-21-1474600641-904944587-3008827518-513.
  The conflicting domain portions are not supported for NETLOGON calls
```

Looking at this, 'testusera' has a RID of 3002 and is a member of the group with RID 513 (the last set of SID digits). The rest should match; yours doesn't.
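A check for the point Falador makes, added as an example and not code from the thread: it reads ldapsearch/LDIF output, splits every sambaSID and sambaPrimaryGroupSID into domain portion and RID, and reports any whose domain portion is not the PDC's own SID (the "conflicting domain portions" NETLOGON rejects). The sample LDIF below is constructed; only the two SIDs in it are taken from this thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# An NT domain SID is S-1-5-21-<a>-<b>-<c>-<rid>: the first four components are the
# domain portion, the trailing RID identifies the account or group inside that domain.
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid: str) -> Optional[Tuple[str, int]]:
    """Return (domain_portion, rid) for a domain SID, or None for anything else (e.g. BUILTIN S-1-5-32-*)."""
    match = DOMAIN_SID_RE.match(sid.strip())
    if match is None:
        return None
    return match.group(1), int(match.group(2))


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader for ldapsearch output: a blank line ends an entry, '#' lines are
    comments, a leading space folds a value onto the previous line, and '::' (base64)
    values are kept as-is, since SID attributes are never base64-encoded."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.lstrip(": ").strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def check_sid_consistency(ldif_text: str, domain_sid: str) -> List[str]:
    """Report every Samba account or group mapping whose SIDs do not live in domain_sid."""
    findings: List[str] = []
    for entry in parse_ldif(ldif_text):
        classes = entry.get("objectClass", [])
        if "sambaSamAccount" not in classes and "sambaGroupMapping" not in classes:
            continue
        dn = entry.get("dn", ["<no dn>"])[0]
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            for value in entry.get(attr, []):
                parsed = split_sid(value)
                if parsed is None:
                    findings.append(f"{dn}: {attr}={value} is not a domain SID")
                elif parsed[0] != domain_sid:
                    findings.append(
                        f"{dn}: {attr} RID {parsed[1]} belongs to {parsed[0]}, not {domain_sid}"
                    )
    return findings


# Constructed sample: the domain SID and the conflicting group SID are the ones quoted in
# this thread; the entries themselves are made up for the example.
DOMAIN_SID = "S-1-5-21-4205727931-4131263253-1851132061"
SAMPLE_LDIF = """\
# root, Users, test.lan
dn: uid=root,ou=Users,dc=test,dc=lan
objectClass: posixAccount
objectClass: sambaSamAccount
uid: root
sambaSID: S-1-5-21-4205727931-4131263253-1851132061-500
sambaPrimaryGroupSID: S-1-5-21-4205727931-4131263253-1851132061-512

# testusera, Users, test.lan
dn: uid=testusera,ou=Users,dc=test,dc=lan
objectClass: posixAccount
objectClass: sambaSamAccount
uid: testusera
sambaSID: S-1-5-21-4205727931-4131263253-1851132061-3002
sambaPrimaryGroupSID: S-1-5-21-1474600641-904944587-3008827518-513

# Domain Users, Groups, test.lan
dn: cn=Domain Users,ou=Groups,dc=test,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-1474600641-904944587-3008827518-513
"""

if __name__ == "__main__":
    # Compare against the SID from smbldap.conf or "net getlocalsid" on the PDC.
    for finding in check_sid_consistency(SAMPLE_LDIF, DOMAIN_SID) or ["all SIDs consistent"]:
        print(finding)
```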

----------

## KingOfSka

So I should try to change the LDAP SID entry for my testuser and see if it works? I'm taking a new look at the config files and will do some tests during the day.

edit: solved all problems; don't know how, because due to some problem I had to reinstall all the stuff and now it's fully working  :Very Happy: 

----------

