# Which How-To for SAMBA+LDAP PDC?

## petrjanda

I've tried using at least three how-tos, but I just can't get it working, either because they're outdated or because the how-to wasn't done on Gentoo and things are different here. So which how-to did you use? What modifications did you have to make to get it working on your system?

----------

## AppleMasher

http://samba.idealx.org/smbldap-howto.fr.html and http://www.gentoo.org/doc/en/ldap-howto.xml

Take it slow one step at a time.

Good luck.

----------

## petrjanda

Using the idealx guide, these lines in slapd.conf don't work:

```
# some attributes need to be readable so that 'id user' can answer correctly
access to attrs=@posixAccount,@posixGroup,@inetOrgPerson
        by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
        by dn="cn=nssldap,ou=DSA,dc=idealx,dc=org" read
        by self read

# some attributes need to be writable for samba
access to attrs=@sambaSamAccount,@sambaGroupMapping,@sambaTrustPassword,@sambaDomain,@sambaShare,@sambaConfigOption,@sambaPrivilege
        by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
        by self read
```

slapd wouldn't start; it complains about the attrs not existing.

----------

## AppleMasher

Just because I'm such a nice guy :)

The first issue is that the @ symbols aren't supposed to be there; secondly, smbldap-tools is missing unless you're using the samba user for both; and thirdly, we need to allow the samba and smbldap-tools users to write to objectClass,entry.

I'm sure it's still not perfect, but it should be a lot closer.

```
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
        by dn="cn=nssldap,ou=DSA,dc=idealx,dc=org" write
        by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
        by self write
        by anonymous auth

# some attributes need to be readable by everyone
access to attrs=uidNumber,gidNumber,gecos,homeDirectory,uid,cn,memberUid,objectClass,entry
        by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
        by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
        by self read

# the objectClass needed for everyone
access to attrs=objectClass,entry
        by dn="cn=samba,ou=DSA,dc=idealx,dc=org" read
        by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" read
        by dn="cn=nssldap,ou=DSA,dc=idealx,dc=org" read
        by dn="cn=postfix-auth,ou=DSA,dc=idealx,dc=org" read
        by self read

# some attributes can be writable by users themselves
access to attrs=description,telephoneNumber
        by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
        by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
        by self write
        by users read

# some attributes need to be readable so that 'id user' can answer correctly
access to attrs=posixAccount,posixGroup,inetOrgPerson
        by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
        by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
        by dn="cn=nssldap,ou=DSA,dc=idealx,dc=org" read
        by self read

# some attributes need to be writable for samba
access to attrs=sambaSamAccount,sambaGroupMapping,sambaTrustPassword,sambaDomain,sambaShare,sambaConfigOption,sambaPrivilege,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
        by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
        by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
        by self read

# samba need to be able to create the samba domain account
access to dn.base="dc=idealx,dc=org"
        by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
        by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write

# samba need to be able to create the sambaDomain account and NextFreeUnixId
access to dn="dc=idealx,dc=org" attrs=children
        by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
        by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write

access to dn="cn=NextFreeUnixId,dc=idealx,dc=org"
        by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write

access to dn.one="dc=idealx,dc=org" filter="(objectClass=sambaDomain)"
        by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write

# samba need to be able to create new users account
access to dn="ou=People,dc=idealx,dc=org"
        by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
        by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write

# samba need to be able to create new groups account
access to dn="ou=Groups,dc=idealx,dc=org"
        by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
        by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write

# samba need to be able to create new computers account
access to dn="ou=Computers,dc=idealx,dc=org"
        by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
        by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write

# samba need to be able to create new idmap entries
access to dn="ou=Idmap,dc=idealx,dc=org"
        by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
        by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write

# Default access rights
access to *
        by self read
```
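Added example (not from the thread or from OpenLDAP): a toy evaluator of slapd's ACL rules, the first matching `access to` directive wins and then its first matching `by` clause decides, run over a constructed excerpt of the ACLs above. It shows why an attribute such as `sambaNTPassword` is governed only by the first directive that names it, why a DSA account that no `by` clause mentions gets nothing (the implicit `by * none`), and why binding as the rootdn makes every permission check pass; treating a bare `dn="..."` selector as the historical regex shortcut and `by dn=` as an exact match are assumptions of this model.

```python
"""Toy slapd ACL evaluator: first matching 'access to' wins, then its first matching 'by' clause.
Added example for this thread, not OpenLDAP code; it handles only the ACL subset the posts use."""
import re, shlex

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # weakest to strongest

def parse_acls(text):
    """Return [(what_dict, [(who, level), ...]), ...] in file order."""
    acls = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("access to"):
            toks = shlex.split(line)[2:]  # shlex removes the quotes around DNs
            acls.append((dict(t.partition("=")[::2] for t in toks if t != "*"), []))
        elif line.startswith("by "):
            acls[-1][1].append(tuple(shlex.split(line)[1:3]))
    return acls
def what_matches(what, dn, attr):
    """Does the <what> part select attribute `attr` of entry `dn`?"""
    attrs = what.get("attrs") or what.get("attr")
    if attrs and attr.lower() not in attrs.lower().split(","):
        return False
    if "dn.base" in what and dn.lower() != what["dn.base"].lower():
        return False
    # a bare dn="..." was the old dn.regex shortcut: unanchored match (assumption)
    return "dn" not in what or bool(re.search(what["dn"], dn, re.I))
def who_matches(who, bind_dn, dn):
    """Does the <who> selector describe the bound identity?"""
    special = {"*": True, "anonymous": not bind_dn, "users": bool(bind_dn),
               "self": bind_dn.lower() == dn.lower()}
    return special.get(who, who.lower() == "dn=" + bind_dn.lower())
def access_allowed(acls, bind_dn, dn, attr, requested, rootdn):
    """Apply slapd's first-match rules; the rootdn bypasses ACLs entirely."""
    if bind_dn.lower() == rootdn.lower():
        return True
    for what, bys in acls:
        if what_matches(what, dn, attr):
            for who, level in bys:
                if who_matches(who, bind_dn, dn):
                    return LEVELS.index(level) >= LEVELS.index(requested)
            return False  # implicit trailing "by * none"
    return False  # no directive matched: nothing is granted

# Constructed excerpt of the ACLs posted above (idealx layout).
SAMPLE_ACLS = parse_acls("""
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
        by self write
        by anonymous auth
access to attrs=uidNumber,gidNumber,uid,cn,memberUid,objectClass,entry
        by self read
access to attrs=sambaSID,sambaNTPassword,sambaAcctFlags
        by self read
""")
ROOTDN = "cn=Manager,dc=idealx,dc=org"
```

Compare the result for `cn=nssldap` reading `uidNumber` with what `getent passwd` needs from an nss_ldap bind: if the DSA account is not named in the matching directive, the lookup silently returns nothing.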

----------

## petrjanda

Thanks a lot!

I will post more later if I have problems.

----------

## petrjanda

Well, I've got another problem: when I run smbldap-populate, everything works fine, but I never see an entry like this one:

```
adding new entry: sambaDomainName=A216NETWORK.EDU,dc=a216network,dc=edu
```

When I tried to add a user

```
smbldap-useradd -m -a testuser
```

getent passwd displays testuser

```
testuser1:x:1500:513:System User:/home/testuser1:/bin/bash
```

but id testuser says there's no such user.

```
id: testuser1: No such user
```

----------

## AppleMasher

Hmm, smbldap-populate takes the value for sambaDomainName from the workgroup parameter in smb.conf. I suppose it could be possible that this part

```
# samba need to be able to create the samba domain account
access to dn.base="dc=idealx,dc=org"
        by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
        by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
```

is not actually giving the required permission to smbldap-tools. I'm not sure; I imported the initial accounts with Manager and then switched to the restricted account. You may want to try executing the script with Manager and see if it fixes it. As for the testuser, are there no errors at all? Do you have ou=Users,dc=idealx,dc=lan? This is used to store the Windows accounts.

----------

## petrjanda

*AppleMasher wrote:*

> Hmm, smbldap-populate takes the value for sambaDomainName from the workgroup parameter in smb.conf. I suppose it could be possible that this part
> 
> ```
> # samba need to be able to create the samba domain account
> 
> ...

What Ive done so far:

For some reason, I can actually join computers to the domain using the "Administrator" account (but only after I actually added the "root" account to the LDAP database). I can ALSO log in with testuser1, log out, and everything seems to work. My current slapd ACLs are (I found these to be the simplest):

```
access to dn.base=""
        by self write
        by * auth

access to attr=userPassword
        by self write
        by * auth

access to attr=shadowLastChange
        by self write
        by * read

access to *
        by * read
        by anonymous auth
```

When I logged in with testuser1, I had the "Password has expired" popup coming up, so I attempted to change the password, but it told me I don't have permissions for this until I removed these lines from smb.conf:

```
unix password sync = yes
pam password change = yes
```

Then I indeed could change the password, but in the future I'd like the unix password sync to work. Any ideas how to do that?

I should also say that I'm using the RootDN (Manager) account (not the samba account) in smb.conf so that Samba can access the LDAP backend.

I have ou=People,dc=idealx,dc=lan (not ou=Users).

I'm also using the People container to store computer accounts because I have been told that there's a bug in Samba that prevents it from searching the Computers container.

----------

## petrjanda

Actually, I still can't change passwords... I don't know what I did.

When I run smbldap-populate using the Manager account, it still doesn't print out anything like

```
adding new entry: sambaDomainName=A216NETWORK.EDU,dc=a216network,dc=edu
```

----------

## petrjanda

OK, something really weird is happening: when I add a user, who then tries to log in and change his password, it complains about him not having permission to do so, but when I actually restart the whole server he can change his password. I think it's time to have a look at the logs:

smb.conf

```
# Global parameters
[global]
        workgroup = A216NETWORK.EDU
        netbios name = PDC-SRV
        server string = PDC-SRV
        interfaces = eth2, lo
#        bind interfaces only = Yes
        passdb backend = ldapsam:ldap://localhost
#        passwd program = /bin/passwd %u
#        passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *\n*
        username map = /etc/samba/smbusers
#        unix password sync = Yes
        ldap passwd sync = yes
        pam password change = yes
        log level = 99
        log file = /var/log/samba/log.%m
        max log size = 50
        name resolve order = wins bcast hosts
        add user script = /usr/local/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/local/sbin/smbldap-userdel "%u"
        add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/local/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
        logon script = logon.bat
        logon drive = Q:
        domain logons = Yes
        os level = 50
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=Manager,dc=a216network,dc=edu
        ldap delete dn = Yes
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=People
        ldap suffix = dc=a216network,dc=edu
        ldap user suffix = ou=People
        idmap backend = ldap:ldap://localhost
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        printer admin = root
        map acl inherit = Yes
        fstype = RS3.6

[homes]
        comment = Home Directories
        valid users = %U
        read only = No
        create mask = 0664
        directory mask = 0775
        browseable = No

[profiles]
        path = /home/samba/profiles
        valid users = %U, "@Domain Admins"
        force user = %U
        read only = No
        create mask = 0600
        directory mask = 0700
        guest ok = Yes
        profile acls = Yes
        browseable = No
        csc policy = disable

[netlogon]
        path = /home/samba/netlogon/
        browseable = No
```

slapd.conf

```
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

access to dn.base=""
                by self write
                by * auth

access to attr=userPassword,sambaNTPassword,sambaLMPassword
                by self write
                by * auth

access to attr=shadowLastChange
                by self write
                by * read

access to *
                by * read
                by anonymous auth

#loglevel       256
schemacheck     on
idletimeout     30

backend         bdb
database        bdb
checkpoint      1024 5
cachesize       10000
suffix          "dc=a216network,dc=edu"
rootdn          "cn=Manager,dc=a216network,dc=edu"
# rootpw = not24get
rootpw       {SSHA}hdzrlk+a4NW4VXe5VZXCnyyed6J4Wqb8
directory       /var/lib/openldap-data

# Indices to maintain
index objectClass           eq
index cn                    pres,sub,eq
index sn                    pres,sub,eq
index uid                   pres,sub,eq
index displayName           pres,sub,eq
index uidNumber             eq
index gidNumber             eq
index memberUID             eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub
```

/etc/ldap.conf

```
# @(#)$Id: ldap.conf,v 2.37 2004/09/09 06:31:07 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host 127.0.0.1

# The distinguished name of the search base.
base dc=a216network,dc=edu

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=Manager,dc=a216network,dc=edu

# The credentials to bind with.
# Optional: default is no credential.
bindpw asterix132

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=nssldap,ou=DSA,dc=a216network,dc=edu

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
timelimit 50

# Bind/connect timelimit
bind_timelimit 50

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
bind_policy hard

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=posixaccount

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
pam_member_attribute memberuid

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# If you are using XAD, you can set pam_password
# to racf, ad, or exop. Make sure that you have
# SSL enabled.

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password md5

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=People,dc=a216network,dc=edu?one
nss_base_shadow ou=People,dc=a216network,dc=edu?one
nss_base_group  ou=Groups,dc=a216network,dc=edu?one
```

----------

## gambi

Hi, does it work now?

Because I'll have to do the same next week. If not, I'll give it a try and report later on what I managed to get working.

----------

