Hi,
After a lot of trial and error I managed to get ldap + samba 3 running.
Samba now authenticates through ldap. But somehow the difference between
a unix and a samba login still exists.
I use smbldap-useradd.pl to create an ldap entry. There are two options:
With the "-a" option the entry contains the objectClass
"sambaSamAccount", and a lot of Windows related attributes.
Without the mentioned option, the program creates an entry with
objectClass "posixAccount" and the normal nss attributes.
Through smb.conf I have defined smbpasswd to use smbldap-useradd.pl to
update the passwd in the ldap directory.
So, now I still have to have two entries per user in the ldap directory
because with the sambaSamAccount userPassword is {SHA} encrypted and with
the posixAccount the userPassword is {CRYPT} encrypted. Though two entries
in LDAP are much more maintainable than anything I have seen before, I
still have the idea that things can be solved more gracefully, with one
entry and an automated password sync between unix and samba.
Any suggestions?
kind regards,
Robert
Extra:
For those interested here are my ldap related smb.conf entries:
# user / group provisioning handed to the smbldap-tools scripts
add user script = /sbin/smbldap-useradd.pl -a -m "%u"
delete user script = /sbin/smbldap-userdel.pl -r "%u"
add user to group script = /sbin/smbldap-groupmod.pl -m "%u" "%g"
delete user from group script = /sbin/smbldap-groupmod.pl -x "%u" "%g"
set primary group script = /sbin/smbldap-usermod.pl -g "%g" "%u"
add group script = /sbin/smbldap-groupadd.pl -a -p "%g"
# groups are removed with smbldap-groupdel.pl, not smbldap-userdel.pl
delete group script = /sbin/smbldap-groupdel.pl "%g"
add machine script = /sbin/smbldap-useradd.pl -w -d /dev/null -g nobody -c "Machine Account" -s /bin/false "%u"
# where Samba looks for users, machines, groups and idmap entries
ldap suffix = dc=salsatechnologies,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
ldap admin dn = cn=admin,dc=salsatechnologies,dc=com
ldap ssl = no
# rewrite userPassword whenever the Samba (NT/LM) password changes
ldap passwd sync = Yes