Brian Gold
2012-Nov-30 13:28 UTC
[Samba] Samba file server using ldap backend without AD or PDC?
Hi all, I've been using samba for a few years now on a couple of file servers with a tdbsam backend for our user accounts. We use openldap for the vast majority of our identity management, so I would love to be able to tie into this. We recently started using sambaNTPassword in openldap for radius authentication, so this is populated for most of our users now.>From reading through some of the documentation though, I'm a bit confused asto how this would be implemented. We don't currently have Active Directory and don't have any samba PDC/BDCs set up. Would it be necessary for us to have a PDC/BDC in order to use openldap as our backend? Thanks, Brian
Gaiseric Vandal
2012-Nov-30 14:22 UTC
[Samba] Samba file server using ldap backend without AD or PDC?
Can you clarify one thing - why are you using the sambaNTPassword in openldap if openldap is not currently used samba authentication? I would have thought that you would use the standard password field. I use Samba 3.x DC's with an ldap back end. I also use the ldap backend for unix authentication as well as authentication to various other systems that support LDAP authentication. If you are using one or more BDC's you really do have to use an LDAP back end. But there is no reason why member server's can use an LDAP backend. If the underlying unix account for each samba account is in /etc/passwd and not LDAP, you should consolidate it all into LDAP. Do the sambaNTPassword (and other samba attributes) in LDAP match those in the tdb backend? You may find you want to blast away the existing sambaNTPassword entries in LDAP before you migrate the TDB data to LDAP. On 11/30/12 08:28, Brian Gold wrote:> Hi all, > > > > I've been using samba for a few years now on a couple of file servers with a > tdbsam backend for our user accounts. We use openldap for the vast majority > of our identity management, so I would love to be able to tie into this. We > recently started using sambaNTPassword in openldap for radius > authentication, so this is populated for most of our users now. > > > > From reading through some of the documentation though, I'm a bit confused as > to how this would be implemented. We don't currently have Active Directory > and don't have any samba PDC/BDCs set up. Would it be necessary for us to > have a PDC/BDC in order to use openldap as our backend? > > > > Thanks, > > Brian >
Brian Gold
2012-Nov-30 14:42 UTC
[Samba] Samba file server using ldap backend without AD or PDC?
On 2012-11-30 9:22 am, Gaiseric Vandal wrote:> Can you clarify one thing - why are you using the sambaNTPassword in > openldap if openldap is not currently used samba authentication? I > would have thought that you would use the standard password field.We are using the standard userPassword field for most things, but for radius authentication via PEAP/MSCHAPv2, we needed to use sambaNTPassword instead.> I use Samba 3.x DC's with an ldap back end. I also use the ldap > backend for unix authentication as well as authentication to various > other systems that support LDAP authentication. If you are > using > one or more BDC's you really do have to use an LDAP back end. But > there is no reason why member server's can use an LDAP backend. > If the underlying unix account for each samba account is in > /etc/passwd and not LDAP, you should consolidate it all into LDAP.We currently don't want to deploy a PDC or BDC if we don't need to. All we want to do is have a file server that can authenticate using the username/password stored in openldap.> Do the sambaNTPassword (and other samba attributes) in LDAP match > those in the tdb backend? You may find you want to blast away the > existing sambaNTPassword entries in LDAP before you migrate the TDB > data to LDAP.No, our current Samba file server has a totally separate set of passwords. When we transition over to this new Samba file server, we will be having all our users use their openldap password instead. We do not want to sync their existing tdb passwords over to LDAP.
Brian Gold
2012-Nov-30 17:38 UTC
[Samba] Samba file server using ldap backend without AD or PDC?
On 2012-11-30 11:15 am, Gaiseric Vandal wrote:> No, you wouldn't sync passwords to TDB. Does your LDAP entry for > each user currently have a SambaSID value? Also, when you type > "pdbedit -Lv someuser" you should see the unix account for the user. > The unix account is either explicitly created (e.g. in /etc/passwd or > ldap or nis) or dynamically created by winbind. >No, currently our users do not have SambaSID values in ldap.> > # pdbedit -Lv someuser > > Unix username: someuser > NT username: someuser > Account Flags: [U ] > User SID: S-1-5-21-xxxxx > Primary Group SID: S-1-5-21-xxx > Full Name: Some User > Home Directory: \\someserver\users\someuser > HomeDir Drive: X: > Logon Script: logon.bat > Profile Path: > Domain: SOMEDOMAIN > Account desc: > Workstations: > Munged dial: > Logon time: 0 > Logoff time: 0 > Kickoff time: 0 > Password last set: Fri, 30 Sep 2011 09:40:43 EDT > Password can change: Fri, 30 Sep 2011 09:40:43 EDT > Password must change: never > Last bad password : 0 > Bad password count : 0 > Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF > # > > Assuming you are not using winbind to allocate uid's and gid's for > samba users, your LDAP user entry will eventually look something > like > > dn: uid=someuser,ou=someou,ou=people,o=yourdomain.com > objectClass: top > objectClass: person > objectClass: organizationalPerson > objectClass: inetorgperson > objectClass: posixAccount > objectClass: shadowAccount > objectClass: sambaSamAccount > cn: Some User > gidNumber: xx > homeDirectory: /home/someuser > sambaSID: S-1-5-21-xxxx > sn: UserLastName > uid: someuser > uidNumber: 123 > displayName: Some User > gecos: Some User > givenName: Some User > loginShell: /bin/tcsh > sambaAcctFlags: [UX ] > sambaHomeDrive: X: > sambaHomePath: \\someserver\users\someuser > sambaLogonScript: logon.bat > sambaNTPassword: xxxxxxxxxxxxxxxxxxxx > sambaPasswordHistory: > 000000000000000000000000000000000000000000000000000000 > 0000000000 > sambaPwdLastSet: 1291843237 > st: xxxxxx > street: xxxxxxxxx > telephoneNumber: xxxxxxxxx > userPassword:: xxxxxxxxxxxx > > > Although the login script and network home directory probably not > relevant in a non-DC setup.We are not using winbind at all currently. Here is a sample user's ldap data: dn: uid=tstaff,ou=people,dc=simons-rock,dc=edu uid: tstaff sn: Staff uinSR: tstaff-false givenName: Test genderSR: m loginShell: /bin/false cn: Test Staff gecos: Test Staff mailSR: testaff at simons-rock.edu homeDirectory: /home/testaff objectClass: person objectClass: top objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: personSR objectClass: extensibleObject objectClass: posixAccount objectClass: shadowAccount shadowLastChange: 11551 shadowWarning: 7 gidNumber: 100 shadowMax: 99999 uidNumber: 7391 mail: testaff at simons-rock.edu groupSR: staff groupSR: hidden employeeNumber: 991991991 sambaNTPassword: REDACTED sambaPwdLastSet: 1354296936 userPassword:: REDACTED
Brian Gold
2012-Nov-30 21:11 UTC
[Samba] Samba file server using ldap backend without AD or PDC?
On 2012-11-30 4:01 pm, Gaiseric Vandal wrote:> So when you run pdbedit -Lv for a user, is the "Unix user" name is an > account in ldap? If that is the case, then you probably just want > to > have a script that runs that runs thru a list of user names and they > runs ldapmodify to add the appropriate samba attributes. In theory > you can use pdbedit to export the data, then change the backend, then > import it back. I found that didn't quite work. > > > I had originally used nis backend for unix accounts and TBD backend > for samba. I moved from NIS to LDAP for unix accounts. Then when I > added a BDC I moved the samba data into ldap. I had used smbpasswd > to dump the data to a text file, then wrote a perl script to parse > the > file into user name, samba SID, and samba password and then rewrite > it into an ldapmodify ldif file. I used this file to update the > existing LDAP accounts. > > You MAYBE can use smbpasswd or pdbedit to create the samba accounts > in LDAP but I suspect that either it won't preserve the existing > password OR it may refuse to create the account. >Here is the output for that same user when I do a pdbedit. The "unix username" is being pulled from ldap. pdbedit -Lv testaff Unix username: testaff NT username: Account Flags: [U ] User SID: S-1-5-21-2531268310-2106678637-3833209162-15782 Primary Group SID: S-1-5-21-2531268310-2106678637-3833209162-513 Full Name: Test Staff Home Directory: \\elephant\testaff HomeDir Drive: Logon Script: Profile Path: \\elephant\testaff\profile Domain: ELEPHANT Account desc: Workstations: Munged dial: Logon time: 0 Logoff time: never Kickoff time: never Password last set: Fri, 27 Jun 2008 16:50:45 EDT Password can change: Fri, 27 Jun 2008 16:50:45 EDT Password must change: never Last bad password : 0 Bad password count : 0 Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF Worth a try I guess. As it is, I'm planning on totally scrapping this existing samba file server when we move to using ldap passwords. The only things that need to carry over are the files on the file server itself. I'm totally fine with not using any of the data that is in tbd currently. Is there a way to autogenerate the samba SID (since I don't necessarily need the one that is being used in my current samba file server) and whatever other samba fields might be needed for all of my existing ldap accounts?
Andrew Bartlett
2012-Dec-03 11:49 UTC
[Samba] Samba file server using ldap backend without AD or PDC?
On Fri, 2012-11-30 at 08:28 -0500, Brian Gold wrote:> Hi all, > > > > I've been using samba for a few years now on a couple of file servers with a > tdbsam backend for our user accounts. We use openldap for the vast majority > of our identity management, so I would love to be able to tie into this. We > recently started using sambaNTPassword in openldap for radius > authentication, so this is populated for most of our users now. > > > > >From reading through some of the documentation though, I'm a bit confused as > to how this would be implemented. We don't currently have Active Directory > and don't have any samba PDC/BDCs set up. Would it be necessary for us to > have a PDC/BDC in order to use openldap as our backend?Yes, if you have multiple servers that you wish to use this for. Essentially you make your file servers DCs, even if you don't ever join clients to the domain. That way, they have the same SID, which is stored in LDAP (normally the domain SID is per-machine). Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org
Reasonably Related Threads
- Issue providing seamless migrtion (3.0.24 to 3.5.6) - sambaNTPassword mystery
- Problem authenticating users from openldap + samba
- Segmentation Fault when trying to set root samba password, IPA as a backend
- After migrating users to ldap, passwords still stored in passdb.tdb
- pdbedit dosen't send the sambaSID to the ldap