siddou.tk

Install Samba+OpenLDAP on Debian 7 Wheezy

Samba provides file and print services for multiple operating systems.
OpenLDAP provides a flexible directory that we will use to manage Samba groups and users.

In this note I'll show you how to install OpenLDAP and use it with Samba, how to configure a basic Samba for OpenLDAP and finally how to create users and groups.
For each step I'll give you useful testing commands.

OpenLDAP install:

dpkg-reconfigure debconf

dialog -> medium

apt-get install slapd ldap-utils

Omit OpenLDAP server configuration? No
DNS domain name: siddou.com
Organization name: siddou
Administrator password: ldap_password
Confirm password: ldap_password
Allow LDAPv2 protocol? No

Manage OpenLDAP:

I use Apache Directory, but phpldapadmin is pretty popular:

apt-get install phpldapadmin

LDAP server host address: ldap_srv_name
Enable support for ldaps protocol? No
Distinguished name of the search base: dc=siddou,dc=com
Type of authentication: session
Login dn for the LDAP server: cn=admin,dc=siddou,dc=com
Web server(s) which will be reconfigured automatically: apache2
Should your webserver(s) be restarted? Yes

Connect to phpldapadmin:

go to http://ldap_srv_name/phpldapadmin/
Login DN: cn=admin,dc=siddou,dc=com
Password: ldap_password

Extend OpenLDAP schema for Samba:

apt-get install samba-doc
cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
gunzip /etc/ldap/schema/samba.schema.gz

Create a new file named ldap.conf in the current directory (not /etc/ldap/ldap.conf) that includes the Samba schema, then convert it into the slapd.d configuration:

nano ldap.conf

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

slaptest -f ldap.conf -F /etc/ldap/slapd.d/
chown -R openldap:openldap /etc/ldap/schema/
chown -R openldap:openldap /etc/ldap/slapd.d/
service slapd restart

Check that samba.ldif is present:

# ls -l /etc/ldap/slapd.d/cn\=config/cn\=schema
-rw------- 1 openldap openldap 15545 May 16 16:40 cn={0}core.ldif
-rw------- 1 openldap openldap 11379 May 16 16:40 cn={1}cosine.ldif
-rw------- 1 openldap openldap  6509 May 16 16:40 cn={2}nis.ldif
-rw------- 1 openldap openldap  2873 May 16 16:40 cn={3}inetorgperson.ldif
-rw------- 1 openldap openldap 14752 May 16 16:50 cn={4}samba.ldif

Samba install:

Main package and its dependencies:

apt-get install samba

smbldap-tools install:

Smbldap-tools is a set of Perl scripts designed to manage user and group accounts stored in an LDAP directory.

apt-get install smbldap-tools

I got Perl script errors with the wheezy package 0.9.7.
The jessie package (0.9.9) works fine, but I'll install from source:

apt-get install make perl libnet-ldap-perl libcrypt-smbhash-perl
wget http://download.gna.org/smbldap-tools/sources/latest/smbldap-tools-0.9.10.tar.gz
tar xvf smbldap-tools-0.9.10.tar.gz
cd smbldap-tools-0.9.10
./configure
make
make install
cp ~/smbldap-tools-0.9.10/doc/smb.conf.example /etc/samba/smb.conf

smb.conf:

nano /etc/samba/smb.conf
[global]
workgroup = SMBTEST
server string = PDC
netbios name = samba_servername
domain master = yes
local master = yes
domain logons = yes
client lanman auth = yes
client ntlmv2 auth = yes
lanman auth = yes
ntlm auth = yes
security = user
os level = 40
ldap ssl = off
ldap passwd sync = yes
passdb backend = ldapsam:"ldap://ldap_srv_name"
ldap admin dn = cn=admin,dc=siddou,dc=com
ldap suffix = dc=siddou,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Machines
ldap delete dn = yes
add user script = /usr/local/sbin/smbldap-useradd -m '%u' -t 1
rename user script = /usr/local/sbin/smbldap-usermod -r '%unew' '%uold'
delete user script = /usr/local/sbin/smbldap-userdel '%u'
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/local/sbin/smbldap-groupdel '%g'
add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
add machine script = /usr/local/sbin/smbldap-useradd -w '%u' -t 1
logon path = \\%L\profiles\%U
logon drive = P:
logon home = \\%L\%U
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
case sensitive = No
default case = lower
preserve case = yes
short preserve case = Yes
dns proxy = No
wins support = Yes
winbind use default domain = Yes
nt acl support = Yes
msdfs root = Yes
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
unix charset = iso-8859-15
display charset = iso-8859-15
dos charset = 850
[netlogon]
path = /siddou/netlogon
writable = No
browseable = No
write list = Administrator
[profiles]
path = /siddou/profiles
browseable = No
writeable = Yes
profile acls = yes
create mask = 0700
directory mask = 0700
[homes]
comment = Home directory
browseable = No
writeable = Yes
[share]
comment = Commun Directory
browseable = Yes
writeable = Yes
public = No
path = /siddou/share
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
[group1]
comment = group1 share
path = /siddou/group1
valid users = @group1
force group = group1
read only = No
create mask = 0660
force create mode = 0660
directory mask = 0770
force directory mode = 0770

Create directories:

mkdir /siddou
mkdir /siddou/group1
chmod 770 /siddou/group1
mkdir /siddou/group2
chmod 770 /siddou/group2
mkdir /siddou/homes
mkdir /siddou/netlogon
mkdir /siddou/profiles
chmod 777 /siddou/profiles
mkdir /siddou/share
chmod 770 /siddou/share

Test configuration:

testparm
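testparm validates syntax only; it does not point out that this [global] section keeps LanMan and NTLMv1 authentication enabled and binds to OpenLDAP without TLS (ldap ssl = off), which is acceptable in a lab but weak on a shared network. As an added example that is not part of the original note, the POSIX shell function below scans an smb.conf for exactly those four settings and prints the hardened value beside each; the embedded smb.conf sample is constructed from the [global] lines above, and switching to ldap ssl = start tls also assumes TLS is configured on slapd and ldapTLS="1" in smbldap.conf.

```shell
#!/bin/sh
# Added example (not from the original note): report the weak authentication
# settings of the lab smb.conf and the hardened value for each.
# Needs only POSIX sh and awk.

# Constructed sample: the [global] lines from the note that this check cares
# about, plus one other section to show that only [global] is inspected.
SAMPLE_SMB_CONF='[global]
workgroup = SMBTEST
client lanman auth = yes
client ntlmv2 auth = yes
lanman auth = yes
ntlm auth = yes
security = user
ldap ssl = off
passdb backend = ldapsam:"ldap://ldap_srv_name"
[homes]
browseable = No
'

# audit_smb_conf: reads smb.conf text on stdin and prints one line per weak
# [global] setting found, as "<parameter> = <current> -> <recommended>".
# Exit status 0 when nothing weak was found, 1 otherwise.
audit_smb_conf() {
    awk '
        BEGIN {
            # parameter -> value that counts as weak
            weak["lanman auth"]        = "yes"
            weak["client lanman auth"] = "yes"
            weak["ntlm auth"]          = "yes"
            weak["ldap ssl"]           = "off"
            # parameter -> hardened value to recommend
            fix["lanman auth"]         = "no"
            fix["client lanman auth"]  = "no"
            fix["ntlm auth"]           = "no"
            fix["ldap ssl"]            = "start tls"
            section = ""; findings = 0
        }
        # section header: remember its lower-cased name
        /^[ \t]*\[/ { gsub(/^[ \t]*\[/, ""); gsub(/\].*$/, ""); section = tolower($0); next }
        # skip comments and blank lines
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        section == "global" && index($0, "=") > 0 {
            p = index($0, "=")
            key = substr($0, 1, p - 1); val = substr($0, p + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            key = tolower(key); val = tolower(val)
            if ((key in weak) && val == weak[key]) {
                printf "%s = %s -> %s\n", key, val, fix[key]
                findings++
            }
        }
        END { exit (findings > 0) ? 1 : 0 }
    '
}

# count_weak_settings: number of findings in the constructed sample (expected 4).
count_weak_settings() {
    printf '%s' "$SAMPLE_SMB_CONF" | audit_smb_conf | wc -l | tr -d ' '
}

# Run against the constructed sample; exit status 1 signals findings.
printf '%s' "$SAMPLE_SMB_CONF" | audit_smb_conf
```

Because the function reads stdin, it can be pointed at the real file with `audit_smb_conf < /etc/samba/smb.conf` and used as a gate in a deployment script.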

Restart Samba:

service samba restart

Give the OpenLDAP admin password to Samba:

# smbpasswd -W
Setting stored password for "cn=admin,dc=siddou,dc=com" in secrets.tdb
New SMB password:
Retype new SMB password:

Get the local SID:

# net getlocalsid
SID for domain SAMBATEST is: S-1-5-21-3015975622-2278597513-1543651915

Populate OpenLDAP:

mkdir -p /usr/local/etc/smbldap-tools
nano /usr/local/etc/smbldap-tools/smbldap.conf
SID="S-1-5-21-3015975622-2278597513-1543651915" # put SID here
masterLDAP="ldap_srv_name"
masterPort="389"
slaveLDAP="ldap_srv_name"
slavePort="389"
ldapTLS="0"
verify="require"
suffix="dc=siddou,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Machines,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/siddou/homes/%U"
userHomeDirectoryMode="700"
userGecos="User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="3650"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

nano /usr/local/etc/smbldap-tools/smbldap_bind.conf
masterDN="cn=admin,dc=siddou,dc=com"
masterPw="ldap_password"
slaveDN="cn=admin,dc=siddou,dc=com"
slavePw="ldap_password"

chmod 600 /usr/local/etc/smbldap-tools/smbldap_bind.conf

smbldap-populate
Populating LDAP directory for domain DOMSMB (S-1-5-21-3015975622-2278597513-1543651915)
(using builtin directory structure)
...
Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:

Provide ldap_password when prompted.
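smbldap-populate fails with opaque errors when the SID, the bind DN or the bind file permissions are off. As an added example that is not part of the original note, this POSIX shell pre-flight checks that the SID in smbldap.conf equals the one printed by net getlocalsid, that smbldap_bind.conf is not group- or world-readable, and that masterDN matches smb.conf's ldap admin dn; it runs on constructed copies of the note's files in a temporary directory and takes the net getlocalsid output as text, so it needs neither Samba nor OpenLDAP to be installed.

```shell
#!/bin/sh
# Added example, not part of the original note: pre-flight checks to run before
# smbldap-populate. They cover three settings that populate depends on:
#  - the SID in smbldap.conf must equal the one printed by "net getlocalsid"
#  - smbldap_bind.conf holds the LDAP admin password, so group/other must have
#    no permission bits (the note's "chmod 600")
#  - masterDN in smbldap_bind.conf must equal "ldap admin dn" in smb.conf
# The "net getlocalsid" output is passed in as text so the checks run offline.

# Print the SID="..." value from an smbldap.conf (empty if absent).
sid_from_smbldap_conf() {
    sed -n 's/^[[:space:]]*SID="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the SID from a "SID for domain X is: S-..." line (empty if absent).
sid_from_getlocalsid() {
    printf '%s\n' "$1" | sed -n 's/^SID for domain .* is: \(S-[0-9-]*\).*/\1/p' | head -n 1
}

# check_sid SMBLDAP_CONF GETLOCALSID_TEXT: 0 when both SIDs are present and equal.
check_sid() {
    conf_sid=$(sid_from_smbldap_conf "$1")
    local_sid=$(sid_from_getlocalsid "$2")
    [ -n "$conf_sid" ] && [ "$conf_sid" = "$local_sid" ]
}

# check_bind_conf_private FILE: 0 when the group and other mode bits are all clear.
check_bind_conf_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# check_admin_dn SMB_CONF SMBLDAP_BIND_CONF: 0 when "ldap admin dn" equals masterDN.
check_admin_dn() {
    smb_dn=$(sed -n 's/^[[:space:]]*ldap admin dn[[:space:]]*=[[:space:]]*//p' "$1" \
             | sed 's/[[:space:]]*$//' | head -n 1)
    bind_dn=$(sed -n 's/^[[:space:]]*masterDN="\([^"]*\)".*/\1/p' "$2" | head -n 1)
    [ -n "$smb_dn" ] && [ "$smb_dn" = "$bind_dn" ]
}

# Constructed copies of the note's three files (the note's placeholder values,
# not a real deployment) so the checks can be exercised anywhere.
DEMO_DIR=$(mktemp -d)
printf '%s\n' 'SID="S-1-5-21-3015975622-2278597513-1543651915"' \
    'masterLDAP="ldap_srv_name"' 'suffix="dc=siddou,dc=com"' > "$DEMO_DIR/smbldap.conf"
printf '%s\n' 'masterDN="cn=admin,dc=siddou,dc=com"' 'masterPw="ldap_password"' \
    > "$DEMO_DIR/smbldap_bind.conf"
chmod 600 "$DEMO_DIR/smbldap_bind.conf"
printf '%s\n' '[global]' 'ldap admin dn = cn=admin,dc=siddou,dc=com' \
    'ldap suffix = dc=siddou,dc=com' > "$DEMO_DIR/smb.conf"
DEMO_GETLOCALSID='SID for domain SAMBATEST is: S-1-5-21-3015975622-2278597513-1543651915'

# run_preflight SMBLDAP_CONF BIND_CONF SMB_CONF GETLOCALSID_TEXT:
# prints one OK/FAIL line per check and returns the number of failures.
run_preflight() {
    fails=0
    if check_sid "$1" "$4"; then echo "OK   SID in smbldap.conf matches net getlocalsid"
    else echo "FAIL SID in smbldap.conf differs from net getlocalsid"; fails=$((fails + 1)); fi
    if check_bind_conf_private "$2"; then echo "OK   smbldap_bind.conf is private (mode 600)"
    else echo "FAIL smbldap_bind.conf is readable by group or others"; fails=$((fails + 1)); fi
    if check_admin_dn "$3" "$2"; then echo "OK   masterDN matches ldap admin dn"
    else echo "FAIL masterDN and ldap admin dn differ"; fails=$((fails + 1)); fi
    return "$fails"
}

run_preflight "$DEMO_DIR/smbldap.conf" "$DEMO_DIR/smbldap_bind.conf" \
    "$DEMO_DIR/smb.conf" "$DEMO_GETLOCALSID"
```

On a real host, call run_preflight with the paths from this note and `"$(net getlocalsid)"` as the fourth argument; a non-zero return means populate should not be run yet.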

Enable unix auth to OpenLDAP:

apt-get install libnss-ldap libpam-ldap

(Questions may vary depending on dialog level, packages already installed…)
LDAP server Uniform Resource Identifier: ldap://ldap_srv_name:389/
Distinguished name of the search base: dc=siddou,dc=com
LDAP version to use: 3
Does the LDAP database require login? No
Special LDAP privileges for root? Yes
Make the configuration file readable/writeable by its owner only? Yes
LDAP account for root: cn=admin,dc=siddou,dc=com
LDAP root account password: ldap_password
Allow LDAP admin account to behave like local root? Yes
Does the LDAP database require login? No
LDAP administrative account: cn=admin,dc=siddou,dc=com
LDAP administrative password: ldap_password
Local encryption algorithm to use for passwords: crypt

Check the config:

# sed -e '/^[ ]*#/d' -e '/^$/d' /etc/libnss-ldap.conf
base dc=siddou,dc=com
uri ldap://ldap_srv_name:389/
ldap_version 3
rootbinddn cn=admin,dc=siddou,dc=com

# sed -e '/^[ ]*#/d' -e '/^$/d' /etc/pam_ldap.conf
base dc=siddou,dc=com
uri ldap://ldap_srv_name:389/
ldap_version 3
rootbinddn cn=admin,dc=siddou,dc=com
pam_password crypt

Modify nsswitch.conf:

nano /etc/nsswitch.conf
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

Reboot:

shutdown -r now

Create user:

smbldap-useradd -a -c "Paul Lascar" -m -P plasc -M [email protected]

Check if the user was created in OpenLDAP:

apt-get install ldap-utils
ldapsearch -h ldap_srv_name -b dc=siddou,dc=com -x uid=plasc

Should display:

# plasc, Users, siddou.com
dn: uid=plasc,ou=Users,dc=siddou,dc=com
...

Check unix auth to OpenLDAP:

# pdbedit -Lv -d 3 plasc
Unix username:        plasc
NT username:          plasc
Account Flags:        [U          ]
User SID:             S-1-5-21-3015975622-2278597513-1543651915-3000
Primary Group SID:    S-1-5-21-3015975622-2278597513-1543651915-513
...
# id plasc
uid=1000(plasc) gid=513(Domain Users) groups=513(Domain Users)

Check the user's home directory:

# ls -ltr /siddou/homes
drwx------ 2 plasc Domain Users 4096 Jun  5 15:10 plasc

Create group and assign users:

smbldap-groupadd -a group1
smbldap-groupmod -m plasc group1

Verify:

# smbldap-groupshow group1
...
displayName: group1
memberUid: plasc

Assign group1 to its directory:

chown :group1 /siddou/group1

Assign the Domain Users group (gid 513) to the common share:

chown :513 /siddou/share

Manage users:

Add user:

smbldap-useradd -a -c "Paul Lascar" -m -P plasc -M [email protected]

Remove user (-r also removes the user's home directory):

smbldap-userdel -r plasc

Change user password:

smbldap-passwd -a plasc

Manage groups:

Add group:

smbldap-groupadd -a group1

Add users to a group:

smbldap-groupmod -m plasc,toto group1

Remove group:

smbldap-groupdel group1

Remove user from a group:

smbldap-groupmod -x plasc group1

Test Samba shares:

On a Linux client:

apt-get install smbclient

List share names:

# smbclient -U nobody -L samba_servername
Enter nobody's password: (leave blank)
Anonymous login successful
Domain=[SMBTEST] OS=[Unix] Server=[Samba 3.6.6]

	Sharename       Type      Comment
	---------       ----      -------

Connect to home dir:

# smbclient -U plasc //samba_servername/plasc
Enter plasc's password:
Domain=[SMBTEST] OS=[Unix] Server=[Samba 3.6.6]
smb: \> ls

39 thoughts on "Install Samba+OpenLDAP on Debian 7 Wheezy"

  1. kira

    You really did a nice job! I really appreciate it… It was clear and very easy to follow. But I have a question: does it work if I follow those steps for Ubuntu 12.04?
    Good job again.

  2. javier

    Hi and sorry for my poor English… I'm from Spain…

    your how-to works like a charm in Debian 6 and 7… but only one question… how can I create a two-way relationship with another domain in AD (Windows 2008 R2)?

    Thx for all

  3. Alejandro Alfonzo

    Help, when I run the command net getlocalsid I get the following error: failed to bind to server ldap://10.2.201.19 with dn="cn=admin,dc=mppp,dc=gob,dc=ve" Error: Invalid credentials
    (unknown)
    SID for domain SAMBA_LDAP is: S-1-5-21-330697291-1822191222-2225364642

  4. Alejandro Alfonzo

    Help, when I run net getlocalsid it returned the following error: failed to bind to server ldap://127.0.0.1 with dn="cn=admin,dc=mppp,dc=gob,dc=ve" Error: Invalid credentials
    (unknown)
    SID for domain MPPP.GOB.VE is: S-1-5-21-330697291-1822191222-2225364642

    Please could you help

    1. Siddou (post author)

      first check if the connection to ldap from the samba server is ok:
      apt-get install ldap-utils
      ldapsearch -h ldap_srv_name -x -b "dc=siddou,dc=com" (if anonymous)
      ldapsearch -h ldap_srv_name -xW -D cn=admin,dc=siddou,dc=com -b "dc=siddou,dc=com" (with admin credentials)

      then re-check ldap parameters in /etc/samba/smb.conf:
      ldap ssl = off
      ldap passwd sync = yes
      passdb backend = ldapsam:"ldap://ldap_srv_name"
      ldap admin dn = cn=admin,dc=siddou,dc=com
      ldap suffix = dc=siddou,dc=com
      ldap group suffix = ou=Groups
      ldap user suffix = ou=Users
      ldap machine suffix = ou=Machines
      ldap delete dn = yes

      Restart samba then retry smbpasswd -W
      If "smbpasswd -W" succeeds then try "net getlocalsid" again.

  5. Alejandro ALfonzo

    hello, I solved the previous problem, but now when I run smbldap-populate it gives me the following error:
    Populating LDAP directory for domain mppp.gob.ve (S-1-5-21-2979091469-816342444-3817128703)
    (using builtin directory structure)

    entry dc=mppp,dc=gob,dc=ve already exist.
    entry ou=Users,dc=mppp,dc=gob,dc=ve already exist.
    entry ou=Groups,dc=mppp,dc=gob,dc=ve already exist.
    adding new entry: ou=Machines,dc=mppp,dc=gob,dc=ve
    failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500.
    adding new entry: ou=Idmap,dc=mppp,dc=gob,dc=ve
    failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500.
    entry sambaDomainName=mppp.gob.ve,dc=mppp,dc=gob,dc=ve already exist. Updating it…
    failed to modify entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 493.
    adding new entry: uid=root,ou=Users,dc=mppp,dc=gob,dc=ve
    failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500.
    adding new entry: uid=nobody,ou=Users,dc=mppp,dc=gob,dc=ve
    failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500.
    adding new entry: cn=Domain Admins,ou=Groups,dc=mppp,dc=gob,dc=ve
    failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500.
    adding new entry: cn=Domain Users,ou=Groups,dc=mppp,dc=gob,dc=ve
    failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500.
    adding new entry: cn=Domain Guests,ou=Groups,dc=mppp,dc=gob,dc=ve
    failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500.
    adding new entry: cn=Domain Computers,ou=Groups,dc=mppp,dc=gob,dc=ve
    failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500.
    adding new entry: cn=Administrators,ou=Groups,dc=mppp,dc=gob,dc=ve
    failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500.
    adding new entry: cn=Account Operators,ou=Groups,dc=mppp,dc=gob,dc=ve
    failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500.
    adding new entry: cn=Print Operators,ou=Groups,dc=mppp,dc=gob,dc=ve
    failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500.
    adding new entry: cn=Backup Operators,ou=Groups,dc=mppp,dc=gob,dc=ve
    failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500.
    adding new entry: cn=Replicators,ou=Groups,dc=mppp,dc=gob,dc=ve
    failed to add entry: modifications require authentication at /usr/local/sbin/smbldap-populate line 500.

    Please provide a password for the domain root:
    /usr/local/sbin/smbldap-passwd: user root doesn’t exist

    Do you know why this error may be happening? Greetings and thank you very much in advance

  6. Chris van de Wouw

    Hi Siddou,

    Thank you for your well explained guidance towards an actually working LDAP/Samba configuration!

    For some time I tried to centralize LDAP for my private network needs (home network + some external services), but never got any further than the Openfiler built-in ldap service with a Drupal site connected to it.

    Now, with this guidance as starting point I managed to let LDAP be the backend of most authentications and authorizations, DHCP and local DNS.

    For DHCP I used ISCDHCP following this guide: http://wiki.herzbube.ch/index.php/ISCDHCP

    For DNS I used DnsMasq. Although DnsMasq doesn’t support LDAP as backend and doesn’t follow nsswitch.conf, it was fairly easy to let DnsMasq know about the hosts that are registered in LDAP.
    * Make sure the host entries with fixed addresses from the DHCP guide have the objectClass ipHost
    * ‘getent hosts’ will show these
    * in /etc/dnsmasq, configure option ‘addn-hosts=/etc/hosts.ldap’, which will add a second source next to /etc/hosts
    * now: getent hosts | grep -v “127.0.0.1” > /etc/hosts.ldap
    * service dnsmasq restart
    This provides some kind of ldap integration for dnsmasq

    For ldap management I use the apache directory studio, which provides in all my needs. Though I’m thinking of setting up some scripts to ease management for maintaining users, groups, converting leases to static addresses, etc.

    Again, thank you for putting me on the right track!

    Chris

  7. Arnoud Roeland

    Hello Siddou,

    Thank you for your guide. I am trying to follow along but unfortunately I get stuck. When I give the command

    slaptest -f ldap.conf -F /etc/ldap/slapd.d/

    I get the following error message:

    5329b746 ldap.conf: line 14: unknown directive outside backend info and database definitions.
    slaptest: bad configuration directory!

    What can I do about this?

    All the best,
    Arnoud Roeland

    1. Siddou (post author)

      just did it on a clean wheezy install, no problem:
      apt-get install slapd ldap-utils
      apt-get install samba-doc
      cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
      gunzip /etc/ldap/schema/samba.schema.gz
      ls /etc/ldap/schema/
      nano ldap.conf
      slaptest -f ldap.conf -F /etc/ldap/slapd.d/
      "config file testing succeeded"
      chown -R openldap:openldap /etc/ldap/schema/
      chown -R openldap:openldap /etc/ldap/slapd.d/
      service slapd restart
      ls -l /etc/ldap/slapd.d/cn\=config/cn\=schema

      your ldap.conf shouldn't have 14 lines, only those 5:
      include /etc/ldap/schema/core.schema
      include /etc/ldap/schema/cosine.schema
      include /etc/ldap/schema/nis.schema
      include /etc/ldap/schema/inetorgperson.schema
      include /etc/ldap/schema/samba.schema

      careful: /etc/ldap/ldap.conf isn't the file to edit (I realize that it could be quite confusing)

  8. ciska

    Hi !
    Thank you for this tutorial, great help !

    I had no major problem following it, but I got an issue just at the end.
    These commands work well:
    – ldapsearch -h ldap_srv_name -b dc=siddou,dc=com -x uid=plasc
    – pdbedit -Lv -d 3 plasc

    But the command # id returns id: plasc: No such user
    Also my user doesn't seem to have a primary Group SID when I launch the pdbedit command, could it be the problem?
    I use webmin to manage my services, but when I try to set up the ldap client it says "connection failed: Failed to connect to LDAP server 10.1.17.18 port 389". I didn't notice any errors in my files libnss-ldap.conf or pam_ldap.conf. I replaced srv_name by the IP, is this a possible trouble?

    What should I try?
    Thanks 🙂

    1. Siddou (post author)

      Hello, thanks a lot. If you don't have a primary Group SID there must be a problem with unix auth to ldap. Check again libnss-ldap, pam_ldap and nsswitch maybe.

  9. ciska

    Hello,

    thanks for your reply.
    I resolved my issue, there was effectively a mistake in my configuration files 🙂
    All is ok now !

    I was wondering about configuring TLS with my OpenLDAP, have you already set this up? I tried to follow some tutorials but encountered so many errors @[email protected] If you could have some tips for me, it would be perfect, ty 🙂

  10. Ricardo Mejias

    Hi bro, I hope you can help me with this issue… I followed your instructions but when I try to add any user or add any PC to the domain it says that it can't find the user name… I hope you can help me with this problem of authentication or connection, thanks

    [email protected]:~# smbclient -U plasc //pdc-debian/plasc
    Enter plasc’s password:
    session setup failed: NT_STATUS_LOGON_FAILURE

    1. Siddou (post author)

      Hey Ricardo,
      any luck with the anonymous account, can you see samba shares?
      smbclient -U nobody -L samba_servername

      are you adding the user to ldap with this command?
      smbldap-useradd -a plasc

      is the password set?
      smbldap-passwd -a plasc

      check those commands also
      pdbedit -Lv -d 3 plasc and id plasc

  11. Moimeme

    Hello,
    sorry to bother you, but I have a problem I can't solve. I tried to follow the tutorial (thanks, by the way), but I get the following issue even though I checked everything carefully.

    Populating LDAP directory for domain SMBTEST (S-1-5-21-985362780-1335621644-3976829342)
    (using builtin directory structure)

    entry dc=test,dc=lan already exist.
    entry ou=Users,dc=test,dc=lan already exist.
    entry ou=Groups,dc=test,dc=lan already exist.
    entry ou=Machines,dc=test,dc=lan already exist.
    entry ou=Idmap,dc=test,dc=lan already exist.
    failed to search entry: invalid DN at /usr/local/sbin/smbldap-populate line 480.

    Thanks for your help,
    Regards.

    1. Moimeme

      Sorry for the trouble; in fact I hadn't entered the right domain name.
      I have a DD-WRT router, so I already had a domain name, and after entering the right one everything works so far.

  12. Moimeme

    Hello, sorry for the trouble.
    After following the tutorial I managed to add my test users.
    I still have a small problem.
    When I want to add a Windows machine I get an error.

    smbldap-useradd -w nuc$
    Use of uninitialized value $group in concatenation (.) or string at /usr/share/perl5/smbldap_tools.pm line 985.
    Can't call method "get_value" on an undefined value at /usr/local/sbin/smbldap-useradd line 271.

    I did quite a lot of searching, without success.
    Thanks for your help

  13. Samuel

    Hi,

    That's a very good tuto. I tried it and everything worked fine =D
    However I have one question. Is it possible to do the same with standalone samba and openldap servers?

    Thanks for your answer

      1. Samuel

        Great =D

        I've tried to do it myself, but I can't find out which command I should run on each server. Could you help me?

        1. Siddou (post author)

          OpenLDAP install part on your openldap server

          Samba install on your samba server
          replace ldap_srv_name with your openldap server in config files

          1. Samuel

            My problem comes after the installation,

            from which server should I populate OpenLDAP and enable unix auth?

          2. Siddou (post author)

            populate openLDAP and enable unix auth are in the samba section, so on the samba server.

  14. Samuel

    I've tried it, but it seems that smbldap-useradd -a -c "Paul Lascar" -m -P plasc -M [email protected] does not create a local user since id plasc returns id: plasc: No such user.

    Any idea where I could have messed up?

  15. Samuel

    Found it!
    My samba server was trying to communicate with the ldapi protocol, which it cannot understand. I've set it up to use the ldap protocol.

    Thanks a lot for your help 😀

  16. Chris

    Hello,

    Many thanks for this great tutorial, it works great on Debian 7/8. Windows and Linux machines are able to log on to the domain without issues. The only thing I think that it’d be nice to add is the idmap settings in /etc/samba/smb.conf :

    idmap uid = 10000
    idmap gid = 10000

    And then run smbldap-populate again. The values can be any of your choice as long as they do not conflict with local uids.

    Without those two lines, I noticed my local user accounts had their uid overwritten and some conflicts appeared in the displayed names.

    As for the Linux client configuration I found a great tutorial here, it also works great with this server configuration. The link to the Linux client config is http://www.unixmen.com/configure-linux-clients-authenticate-using-openldap/

    Thanks a lot again!

    Regards,
    Chris

    1. Siddou (post author)

      Correct, in the future I will make a new note for Debian 8 with this issue solved:
      to avoid Samba uids overlapping local uids:
      nano /usr/local/sbin/smbldap-populate
      my $firstuidNumber=$Options{'u'};
      if (!defined($firstuidNumber)) {
      $firstuidNumber=10000;
      }

      my $firstgidNumber=$Options{'g'};
      if (!defined($firstgidNumber)) {
      $firstgidNumber=10000;
      }

      my $firstridNumber=$Options{'r'};
      if (!defined($firstridNumber)) {
      $firstridNumber=10000;
      }

      smbldap-populate -g 10000 -u 10000 -r 10000

      For clients I'll use SSSD to handle NSS and PAM.

  17. Chris

    Thanks for that information about the smbldap-populate script, indeed I will also modify it on my machine as it seems that defining the uid/gid idmap in the smb.conf file is rather deprecated.
    I’ll also have a look at the sssd service to have the clients connect to the server.

    Many thanks for your excellent article and response 🙂

  18. Chris

    Addition:
    Well, the uid/gid start range could never have been in smb.conf anyway. I didn’t think about that at first but I now remember I launched smbldap-populate with the -u / -g options to define the uid/gid start range. Right before I had defined the idmap uid/gid in smb.conf, which is useless. I was a bit confused, sorry about that…

  19. Eliot

    Hi, many thanks for this tutorial, it works fine =D

    Although, I've a question. I tried to set up a second samba server to use samba as back end. I've followed the samba part on a second server but it seems it is not working.

    I've already tried to set the domain master line to 'no' but it has no effect.

    Any idea what I've missed?

    Thank you.
