# LDAP Question

## xinman

Anybody got a working LDAP + Samba configuration that windows clients authenticate against?

Then this question is for you...

I've pretty much got it working, my PCs can authenticate, now just ironing out wrinkles!

Should the OU for the unix/linux groups and the OU for the windows domain groups be different, or should all those groups be in the same OU?

As of now I have the unix/linux groups in ou=Group and the windows domain groups in ou=Groups, but I'm not sure that is correct and I really don't want to get too far in my journey just to find I am wrong.

So if there is a guru or two out there please enlighten me!

Thanks so much,

Dan

----------

## Petyr

1) OU for linux/unix group == OU for windows groups?? Yes. At least in my config, they're both in the same OU and this works fine.

Nice thing about having them in the same OU: now, if you want, you can go for the Holy Grail and make your Linux boxes auth against LDAP, hence your Linux logins and your Windows logins are the same! This is a godsend, trust me. Once you've got that, you can set up shares, and people who are in the correct windows group will have access to those files on the Linux end as well, and the group name stays the same.

Sorry, I'm rambling now... The thing was a beast to setup, that's all I remember at this point ^_~

hth,

Petyr

----------

## xinman

Thanks for your help, that should do it. Now to just work out a couple more wrinkles and it should be good, then I will work on getting my linux boxes to authenticate against it also. Thanks again.

----------

## xinman

Another question...

OK, I changed something, not really sure what, and now the time between me typing the username and it asking for the password is like 20 secs, using ssh or console. What would cause this?

Also, what is the best value for `pam_password`? I'm currently using crypt, but I keep seeing something called exop, what is this?

Thanks again,

Dan

----------

## newbie_aato

hi there...

Did you fix your Samba3 + LDAP configuration? I am also having trouble with mine..

Could you kindly guide me? I am new to linux systems...

----------

## xinman

Still working on it, but if you're really that new to linux you should probably learn more about linux before attempting such a major project.  I've been working on samba+ldap for a couple months now (on and off) and it seems to be one of the more difficult tasks I've found myself doing in linux.  Really, it wasn't this hard to install Gentoo, so it amazes me that something this useful is really this hard, but in the end hopefully it will be well worth it for me and then I will know how to do it next time.

Dan

----------

## newbie_aato

Yep... you're right there... hope you could help me out if you have configured your samba server.

I really need it... and I am still studying its configurations...

thanks

----------

## xinman

For samba configs check out the samba website www.samba.org; there are books on there. I had bought The Official Samba 3 Howto and Reference, but another good example is Samba by Example. You can view these on there for free, so take advantage of that. Very extensive information. Does that mean you have the ldap portion of the server working correctly? I think the main thing I'm working on now is administering and cleaning up the configs, and some tweaks to my server. What troubles are you having? If I can help you I will, but I'm by no means an expert! What is it you are trying to accomplish?

Regards,

Dan

----------

## Petyr

Sorry about the huge delay in posting back.

I'm not currently at the machine that has the ldap auth on it, but if I remember correctly I normally use md5 for pam_password. The exop stuff I believe is short for extended operation, where the ldap server does some kind of hand waving and the password is magically encrypted. I don't use it so I'm not exactly sure how it works ^_~

As for the difficulty of this particular project, believe me I know. I've set this kind of server up three times now and every time has been an uphill struggle. Rule of thumb on this one is if you've got less than 5 computers, it's not worth doing. Ya hit 5 and suddenly it becomes worth the effort. Now if only samba could get more of the features of AD going in it. As far as I know all that's just based on ldap anyways *shrug*

Couple tips on order for getting this setup and running:

1) Get ldap up and running first. You should be able, first from the local computer then from a remote station, to do an ldap_search and get back a list of stuff from the ldap server.

2) Get linux ldap auth up and running (this is about the same level of difficulty as getting samba auth for windows clients going). This tends to involve a bit of fiddling with the pam.d files, so do be careful with this.

3) Get basic samba shares up and running. No auth, no passwords, nothing. Just make sure you can even see things.

4) Get phpldapadmin up and running (trust me, this makes it a LOT easier to see wtf ldap is doing in the long run).

5) Get the smbldap-tools configured. Pay particular attention to the SID values that phpldapadmin and smbldap are using as this is a common pitfall for people.

6) Add a computer to the domain, create a user account.

7) Verify the account can log in from windows AND linux. This setup should service both people.

8) Get login scripts setup and running for the user, with their windows profile in their home directory on the server (assuming you want roaming profiles).

hth,

Petyr Rahl

----------

## xinman

Well I got...

1) ldap up and running

2) got linux auth done, everything but local console goes through ldap, linux console as backup with two accounts for emergency uses.

3) got a couple basic shares up and a couple of protected shares up, basic shares work fine, password shares have some bugs, but I'll get to those.

4) got phpldapadmin, seems useful but I'm also using Jxplorer

5) got the smbldap-tools configured and working

6) added a computer to the domain, created a machine account (auto), logged in with a user that I had created

(as that user I can access my profile share, but I cannot access my linux home folder, any thoughts on this?)

7) yes it does work for both accounts (in linux I can access both the win profile and the linux home for my user)

8) working on login scripts, I've been looking at various scripting types (do you recommend any?), also looking into roaming profiles and folder redirecting (for smaller profiles, less overhead).

Main problem I'm working on right now is giving someone access to easily add a user without giving access to deleting, I assume I should just use acls in the slapd.conf, but I need to look into it more. The other major problem is mapping root to an 'Administrator' account name. I would rather be able to use Administrator or a different name to do my work on machines.

Any help on these would be great!

Thanks,

Dan

----------

## Petyr

*xinman wrote:*

> Well I got...
> 
> Main problem I'm working on right now is giving someone access to easily add a user without giving access to deleting, I assume I should just use acls in the slapd.conf, but I need to look into it more. The other major problem is mapping root to an 'Administrator' account name. I would rather be able to use Administrator or a different name to do my work on machines.

Mapping the admin account has to do with the SID. Search around on google for that, I think it might even be somewhere buried in the smbldap-tools scripts. I think the trailing number is like -512 or something like that. SID blahblahblah-512 is kinda like saying someone's UID = 0 on Linux.

As for giving someone the ability to add an account, ACLs are a good way to go. Make sure to do a good amount of testing with phpldapadmin (or whatever other tool you're going to give them access to) for adding accounts. I've found that smbldap-tools are the best at adding the accounts, but kinda crappy for modifying them. Phpldapadmin is great for modifying things, but kinda crappy at adding a new account.

hth,

Petyr
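
An added example (my code, not from the thread and not part of smbldap-tools) for the SID pitfall Petyr flags in step 5 of his list and the -512 remark above: it reads a constructed ldapsearch-style dump, takes the domain SID from the sambaDomain entry, and reports accounts whose sambaSID carries a different domain SID (the classic smbldap.conf vs. `net getlocalsid` mismatch) or whose RID disagrees with Samba's algorithmic mapping (rid = 2*uid + 1000 for users, 2*gid + 1001 for groups). The domain SID, DNs and account values are constructed; the well-known RID table (500 Administrator, 512 Domain Admins, 513 Domain Users) is standard NT domain fact.

```python
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}
RID_BASE = 1000  # Samba's default 'algorithmic rid base'

# Constructed sample dump in ldapsearch/slapcat shape; the domain SID is a placeholder.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=com
sambaDomainName: EXAMPLE
sambaSID: S-1-5-21-111111111-222222222-333333333

dn: uid=root,ou=People,dc=example,dc=com
uidNumber: 0
sambaSID: S-1-5-21-111111111-222222222-333333333-500

dn: uid=dan,ou=People,dc=example,dc=com
uidNumber: 1001
sambaSID: S-1-5-21-111111111-222222222-333333333-3002

dn: uid=bob,ou=People,dc=example,dc=com
uidNumber: 1002
sambaSID: S-1-5-21-999999999-888888888-777777777-3004
"""

def parse_ldif(text):
    """Parse a blank-line-separated LDIF dump into {attr: value} dicts (last value wins)."""
    return [dict(line.split(": ", 1) for line in block.splitlines())
            for block in text.split("\n\n") if block.strip()]

def expected_rid(entry):
    """Samba's algorithmic mapping: users 2*uid + base, groups 2*gid + base + 1."""
    if "uidNumber" in entry: return 2 * int(entry["uidNumber"]) + RID_BASE
    return 2 * int(entry["gidNumber"]) + RID_BASE + 1

def check_sids(entries):
    """Map each user/group dn to a verdict about its sambaSID."""
    domain_sid = next(e["sambaSID"] for e in entries if "sambaDomainName" in e)
    verdicts = {}
    for e in (e for e in entries if "sambaSID" in e and "sambaDomainName" not in e):
        prefix, _, rid = e["sambaSID"].rpartition("-")
        if prefix != domain_sid or not rid.isdigit():   # created under another domain SID
            verdicts[e["dn"]] = f"NOT IN DOMAIN: {e['sambaSID']}"
        elif int(rid) in WELL_KNOWN_RIDS:               # explicitly mapped built-in account
            verdicts[e["dn"]] = f"well-known RID {rid} ({WELL_KNOWN_RIDS[int(rid)]})"
        elif int(rid) != expected_rid(e):               # uid <-> SID round trip would break
            verdicts[e["dn"]] = f"RID MISMATCH: {rid}, algorithmic would be {expected_rid(e)}"
        else:
            verdicts[e["dn"]] = "ok"
    return verdicts

if __name__ == "__main__":
    print(*(f"{v:50} {dn}" for dn, v in check_sids(parse_ldif(SAMPLE_LDIF)).items()), sep="\n")
```

Run it against `ldapsearch -x -LLL ... sambaSID uidNumber gidNumber sambaDomainName` output instead of the sample to audit a live directory; entries created by different tools with different smbldap.conf SID values show up as NOT IN DOMAIN.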

----------

## newbie_aato

hi there,

I would like to set up my Samba server running samba3 using my configurations from my samba config running samba2... but the SIDs are different and because of that I may not be able to map the user's files running on roaming accounts.

help?

----------

## Petyr

*newbie_aato wrote:*

> hi there,
> 
> I would like to set up my Samba server running samba3 using my configurations from my samba config running samba2... but the SIDs are different and because of that I may not be able to
> ...

Uhmm, this is probably better posted in a separate thread, since it's basically a separate question. Lemme see if I've got this straight though...

You have a samba3 server that you'd like to set up. Currently everyone is on a samba2 server and this is managing an NT4 style domain with roaming profiles. You'd basically like to upgrade to the Samba3 server, but not have to change anyone's account settings.

So the smbldap-tools stuff should have a few scripts to migrate things into ldap for you. There are a couple of excellent resources that you should consider. First and foremost TOSHARG (just google for it, trust me). Short for The Official Samba Howto And Resource Guide (or something like that), it's the single best free resource for all things samba on the web. Second, Samba-3 By Example by John H. Terpstra (ISBN 0-13-147221-6). Both of those should be more than enough to walk you through doing a migration from samba's db files into ldap.

Once you've got all the info in ldap, then you can just take down the old smb2 server and name the smb3 server the same thing and start it up. That *should* just work, but I'm no expert so I can't say for sure.

hth,

Petyr Rahl

----------

## xinman

Petyr,

I would like to thank you for all the help you have given me. I'm slightly tied up with a couple of other things right now, but as soon as I get done with them, and in my spare time, I will read about that. I actually bought the TOSHARG in September of last year and am slowly working my way through it. I hate reading so I use books more for reference, but it does have info in there about the mapping.

Newbie_aato, 

Those books that Petyr mentioned are awesome, you should really check them out. You can get them pretty cheap over at bookpool.com, but as they are open source as well you can check them out at samba.org. Sometimes it's nice to support the developers and have a nice big thick book to carry with you. Good luck.

Thanks,

Dan

PS. I will post a note with my thoughts and problems when I'm all done.

----------

