Hello,

I have been using Samba for years (login onto the PC, file and printer sharing) and since recently I have an LDAP server running and serving authentication to a few Unix systems (mail, web, Zope, ssh, etc.). Now that I have set up a new server to use with Samba, I would like to integrate Samba into the existing LDAP. All the doc I could find so far is about creating an LDAP service from scratch, which is not my case.

My questions are:

- In slapd configuration, what are the minimum accesses (ACL) that should be granted to the various attributes of the samba schema? By default my LDAP server is quite protected and allows no access to any attribute, unless specified otherwise. I could find:

      ## allow the "ldap admin dn" access, but deny everyone else
      access to attrs=SambaLMPassword,SambaNTPassword
          by dn="cn=Samba Admin,ou=People,dc=quenya,dc=org" write
          by * none

  But what about the other attributes?

- I have my users database existing in LDAP; how can I add Samba support? I understand that I should modify the objectClass of each user to include sambaSamAccount, but then each user must also have an attribute sambaSID. How can I generate that attribute?

- Is there a way to implement a filter on the list of users? nss_ldap and pam_ldap, for example, allow configuring an optional filter, so only the users with the correct attribute will have access to a specific service (I separate the users that can log in to their Unix account on the machine from the users that can use a specific service on that machine). Is there a similar filter with Samba, or should I differentiate with the use/non-use of objectClass sambaSamAccount?

- All that I read so far mentions updating the sambaLMPassword and sambaNTPassword with the command smbpasswd. I already have a set of tools that I use to manage the user accounts (and that synchronize account/password on many systems (database, radius, etc.)); what can I use to manage sambaLM/NTPassword within my local tools?

Best regards,

Olivier
"Olivier Nicole" <on@cs.ait.ac.th> wrote in message news:200904101109.n3AB9lAi026084@banyan.cs.ait.ac.th...

> - In slapd configuration, what are the minimum accesses (ACL) that
> should be granted to the various attributes of the samba schema? By
> default my LDAP server is quite protected and allows no access to
> any attribute, unless specified otherwise.
>
> I could find:
>
>     ## allow the "ldap admin dn" access, but deny everyone else
>     access to attrs=SambaLMPassword,SambaNTPassword
>         by dn="cn=Samba Admin,ou=People,dc=quenya,dc=org" write
>         by * none

You may want to add the following:

    by self write
    by * auth

This should allow the user to change his password and authenticate against his password.

> But what about the other attributes?

From what I have seen, the users do not need access to the other attributes. Samba checks them, but not the user.

> - I have my users database existing in LDAP; how can I add Samba
> support?

I don't know of any easy way. I would do it the other way around. I would create a new Samba LDAP directory using the standard approach. I would then add the Samba accounts. I would dump out the existing LDAP directory to an LDIF file and then use ldapmodify to add the other attributes to the Samba accounts. I have never tested this, but this is the approach I would try.

> I understand that I should modify the objectClass of each
> user to include sambaSamAccount, but then each user must also have
> an attribute sambaSID. How can I generate that attribute?

The smbldap-tools are the best way to create the initial LDAP entries for Samba. They create the standard Windows groups such as domain administrators, guests, domain users, etc. In addition, they allow you to manage the addition and deletion of Samba accounts via LDAP. The SID is created the first time you start Samba. The scripts add the SID to each LDAP account. See chapter 5 "Making Happy Users" of Samba by Example. The book is available on www.samba.org.

> - Is there a way to implement a filter on the list of users? nss_ldap
> and pam_ldap, for example, allow configuring an optional filter, so only
> the users with the correct attribute will have access to a specific
> service (I separate the users that can log in to their Unix account
> on the machine from the users that can use a specific service on
> that machine). Is there a similar filter with Samba, or should I
> differentiate with the use/non-use of objectClass sambaSamAccount?

AFAIK, accounts that do not have the Samba-specific attributes will not be recognized by Samba.

> - All that I read so far mentions updating the sambaLMPassword and
> sambaNTPassword with the command smbpasswd. I already have a set of
> tools that I use to manage the user accounts (and that synchronize
> account/password on many systems (database, radius, etc.)); what can
> I use to manage sambaLM/NTPassword within my local tools?

I use the Windows NT tools User Manager for Domains and Server Manager. They should be located on a Samba share and accessed from a Windows workstation.

I manage user passwords differently from you. I put the following line in my smb.conf file:

    ldap passwd sync = yes

When a user changes his Windows password, it changes the standard passwd value in LDAP.
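Olivier's second and fourth questions (turning existing posixAccount entries into sambaSamAccount entries, and setting sambaNTPassword from local tooling instead of smbpasswd) combined with the ldapmodify/LDIF route suggested in the reply above, as an added example. This is not code from the thread, from Samba or from smbldap-tools. It assumes the domain SID has already been read with `net getlocalsid` (a placeholder stands in for it), the smbldap-tools RID convention of 2 * uidNumber + 1000, and a constructed example entry under dc=quenya,dc=org. The NT hash is MD4 over the UTF-16LE encoding of the password; MD4 is written out inline because hashlib on OpenSSL 3 builds usually has it only in the legacy provider. No sambaLMPassword is generated: the LM hash is weak, Samba does not need it, and leaving it unset is the safer choice.

```python
"""Generate the ldapmodify(1) change record that adds Samba attributes to an
existing LDAP user.  Added example; not code from the thread, Samba or
smbldap-tools."""
import struct
import time

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), since hashlib often cannot provide it."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # (step function, X[] index order, shift table, additive constant)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), tuple(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                t = _rotl((a + fn(b, c, d) + X[idx] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, t, b, c  # rotate roles: next step updates old d
        A, B, C, D = (A + a) & _MASK, (B + b) & _MASK, (C + c) & _MASK, (D + d) & _MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: MD4 of the UTF-16LE password, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def samba_sid(domain_sid: str, uid_number: int) -> str:
    """smbldap-tools convention (assumed here): user RID = 2 * uidNumber + 1000."""
    return f"{domain_sid}-{2 * uid_number + 1000}"


def samba_modify_ldif(dn, uid_number, password, domain_sid, pwd_last_set=None):
    """Build one LDIF change record that ldapmodify can apply to an existing
    posixAccount entry.  Deliberately writes no sambaLMPassword."""
    if pwd_last_set is None:
        pwd_last_set = int(time.time())
    changes = [
        ("objectClass", "sambaSamAccount"),
        ("sambaSID", samba_sid(domain_sid, uid_number)),
        ("sambaNTPassword", nt_hash(password)),
        ("sambaPwdLastSet", str(pwd_last_set)),
        ("sambaAcctFlags", "[U          ]"),  # ordinary, enabled user account
    ]
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in changes:
        lines += [f"add: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed example; replace DOMAIN_SID with the output of `net getlocalsid`.
    DOMAIN_SID = "S-1-5-21-0000000000-0000000000-0000000000"  # placeholder
    print(samba_modify_ldif("uid=olivier,ou=People,dc=quenya,dc=org", 1000,
                            "password", DOMAIN_SID, pwd_last_set=1239361869))
```

The generated record is fed to `ldapmodify -x -W -D "cn=Samba Admin,ou=People,dc=quenya,dc=org" -f user.ldif`, i.e. bound as the DN that the ACL quoted above grants write access to; any other bind DN will be refused on the password attributes, which is exactly the check that ACL exists to enforce. The same `nt_hash` function is what a local provisioning tool needs in order to keep sambaNTPassword in step with the other password stores Olivier mentions.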
> - I have my users database existing in LDAP; how can I add Samba
> support? I understand that I should modify the objectClass of each
> user to include sambaSamAccount, but then each user must also have
> an attribute sambaSID. How can I generate that attribute?

You can try LAM, LDAP Account Manager, a web interface to LDAP directories. It has a Samba-specific section that lets you create and administer Samba accounts. It resides here: http://lam.sourceforge.net/