Hi Folks,

A couple of questions about making SMB (3 or 4) authenticate to an external (anonymous) LDAP server:

1) A typical LDAP user record is below. Is there anything lacking in this record that would prevent Samba from authenticating against our LDAP server? Note the sambaSID is as is, gobbledygook info:

dsAttrTypeNative:eduPersonAffiliation: Employee Member
dsAttrTypeNative:givenName: David
dsAttrTypeNative:homeDirectory: /afs/cats.csux.edu/users/t/dsixpack
dsAttrTypeNative:mail: dsixpack at csux.edu
dsAttrTypeNative:objectClass: posixAccount organizationalPerson csuxPerson top sambaSamAccount person inetOrgPerson csuxMain eduPerson
dsAttrTypeNative:sambaSID: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
dsAttrTypeNative:sn: Sixpack
dsAttrTypeNative:csuxPersonGuID: G000242316
AppleMetaNodeLocation: /LDAPv3/ldap-99.soe.csux.edu
AppleMetaRecordName: uid=dsixpack,ou=People,dc=crm,dc=csux,dc=edu
NFSHomeDirectory: /Users/dsixpack
Password: ********
PrimaryGroupID: 100002
RealName: David Sixpack
RecordName: dsixpack
RecordType: dsRecTypeStandard:Users
UniqueID: 9239
UserShell: /bin/bash

2) Regarding the "sudo smbpasswd -w secret" step, does this smb user need to exist in our LDAP or be local to the machine running the SMB daemon? I wasn't clear on how this step in the process is supposed to work.

3) Is the "ldap admin dn =" also required?

Note we have read-only access to our LDAP server, though a record could be created for us if absolutely needed.

Any help or ideas MUCH appreciated! Thanks!

David
I have a Sun (Oracle) Directory Server backend. I also use it for unix level authentication. Are you configuring samba as a domain controller or standalone server?

I have uid and uidNumber attributes; you want to make sure that the samba account maps to a unix account somehow. "pdbedit -Lv username" will verify this.

I think with an LDAP backend it will expect an "ldap admin dn" entry. This is not usually a regular user in your company LDAP branch but is instead an administrator. Samba will need to write to LDAP if you add or remove a samba user using smbpasswd or pdbedit, or if you change a user's samba password with samba command line tools or from windows, or if you join or remove a Windows PC to the domain, and if you join the samba server to the domain. (This will create domain objects.)

You can of course use LDAP tools to create the user's samba attributes. I don't know how you would easily set the user's samba password. You could probably have a dummy samba machine with a local backend, set a password, then use "smbpasswd -e" to extract the hashed value. Maybe there are additional tools for creating an NT password hash.

Machines will also have accounts with passwords. The passwords may automatically change.

On 08/07/12 17:37, Frans Lanting - IT Admin wrote:
> Hi Folks,
>
> A couple of questions about making SMB (3 or 4) authenticate to an
> external (anonymous) LDAP server:
>
> 1) A typical LDAP user record is below. Is there anything lacking in
> this record that would prevent Samba from authenticating against our
> LDAP server? Note the sambaSID is as is, gobbledygook info:
>
> dsAttrTypeNative:eduPersonAffiliation: Employee Member
> dsAttrTypeNative:givenName: David
> dsAttrTypeNative:homeDirectory: /afs/cats.csux.edu/users/t/dsixpack
> dsAttrTypeNative:mail: dsixpack at csux.edu
> dsAttrTypeNative:objectClass: posixAccount organizationalPerson
> csuxPerson top sambaSamAccount person inetOrgPerson csuxMain eduPerson
> dsAttrTypeNative:sambaSID: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
> dsAttrTypeNative:sn: Sixpack
> dsAttrTypeNative:csuxPersonGuID: G000242316
> AppleMetaNodeLocation: /LDAPv3/ldap-99.soe.csux.edu
> AppleMetaRecordName: uid=dsixpack,ou=People,dc=crm,dc=csux,dc=edu
> NFSHomeDirectory: /Users/dsixpack
> Password: ********
> PrimaryGroupID: 100002
> RealName: David Sixpack
> RecordName: dsixpack
> RecordType: dsRecTypeStandard:Users
> UniqueID: 9239
> UserShell: /bin/bash
>
> 2) Regarding the "sudo smbpasswd -w secret" step, does this smb user
> need to exist in our LDAP or be local to the machine running the SMB
> daemon? I wasn't clear on how this step in the process is supposed to
> work.
>
> 3) Is the "ldap admin dn =" also required?
>
> Note we have read-only access to our LDAP server, though a record
> could be created for us if absolutely needed.
>
> Any help or ideas MUCH appreciated! Thanks!
>
> David
You also need sambaAccountFlags: [UX ] for user accounts and sambaAccountFlags: [W ] for machine accounts.

On 08/07/12 17:37, Frans Lanting - IT Admin wrote:
> Hi Folks,
>
> A couple of questions about making SMB (3 or 4) authenticate to an
> external (anonymous) LDAP server:
>
> 1) A typical LDAP user record is below. Is there anything lacking in
> this record that would prevent Samba from authenticating against our
> LDAP server? Note the sambaSID is as is, gobbledygook info:
>
> [...]
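As an added check written for this thread (not code from the thread or from Samba), the script below parses a dscl-style record like the one quoted and reports which object classes and attributes Samba's ldapsam backend would still need, covering the uid/uidNumber mapping and account-flags points raised in the two replies above. Both sample records and the dscl-to-LDAP name mappings are assumptions constructed here.

```python
"""Readiness check of a directory record against what Samba's ldapsam passdb
backend reads.  Added example for this thread, not Samba code; input mirrors the
dscl 'attr: value' output quoted above (some keys carry a dsAttrTypeNative: prefix)."""
from typing import Dict, List

# Constructed sample modelled on the record in the thread (SID masked as posted).
POSTED_RECORD = """\
dsAttrTypeNative:objectClass: posixAccount top sambaSamAccount person inetOrgPerson
dsAttrTypeNative:sambaSID: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
RecordName: dsixpack
UniqueID: 9239
PrimaryGroupID: 100002
"""
# Constructed record carrying what the replies ask for; the NT hash is a dummy
# value and only helps if the DN Samba binds with is allowed to read it.
COMPLETE_RECORD = """\
objectClass: posixAccount sambaSamAccount
uid: dsixpack
uidNumber: 9239
gidNumber: 100002
sambaSID: S-1-5-21-1000000001-1000000002-1000000003-19478
sambaAcctFlags: [U          ]
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
"""
# Assumed default macOS LDAPv3 mappings from dscl standard names to LDAP names.
DSCL_TO_LDAP = {"RecordName": "uid", "UniqueID": "uidNumber", "PrimaryGroupID": "gidNumber"}
REQUIRED_CLASSES = ("posixAccount", "sambaSamAccount")
REQUIRED_ATTRS = ("uid", "uidNumber", "gidNumber", "sambaSID", "sambaAcctFlags", "sambaNTPassword")

def parse_record(text: str) -> Dict[str, List[str]]:
    """Parse 'attr: value' lines into a dict, normalising dscl names to LDAP names."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key == "dsAttrTypeNative":  # strip dscl's native-attribute prefix
            key, _, value = value.partition(":")
        key = DSCL_TO_LDAP.get(key.strip(), key.strip())
        values = value.split() if key == "objectClass" else [value.strip()]
        attrs.setdefault(key, []).extend(values)
    return attrs

def missing_for_samba(attrs: Dict[str, List[str]]) -> List[str]:
    """List the object classes and attributes ldapsam needs that the record lacks."""
    problems = [f"objectClass {oc}" for oc in REQUIRED_CLASSES if oc not in attrs.get("objectClass", [])]
    problems += [a for a in REQUIRED_ATTRS if a not in attrs]
    sid = attrs.get("sambaSID", [""])[0].split("-")
    # A user SID is S-1-5-21-<d>-<d>-<d>-<rid>: eight fields, numeric after 'S'.
    if sid[0] and (len(sid) != 8 or not all(f.isdigit() for f in sid[1:])):
        problems.append("sambaSID is not a well-formed user SID")
    return problems
```

Run against the posted record it reports the missing account flags, the unreadable NT hash and the placeholder SID; the complete record comes back clean.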
On Tue, 2012-08-07 at 14:37 -0700, Frans Lanting - IT Admin wrote:
> Hi Folks,
>
> A couple of questions about making SMB (3 or 4) authenticate to an
> external (anonymous) LDAP server:

> Note we have read-only access to our LDAP server, though a record
> could be created for us if absolutely needed.

If you are only able to get anonymous read-only access, then you won't be able to read any password hash values that you did somehow manage to get stored into the directory. In short, it isn't possible to make Samba use this LDAP server directly.

Is there some Windows domain that is synchronised against this directory that your (presumably) Windows clients already use? This would be what you would join Samba to.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org