Configuring LDAP Authentication for Debian
SAMBA Server Setup
Mostly, you need to do
# apt-get install samba
And then to edit the files slapd.conf and smb.conf. In slapd.conf add the line :
And further, add :
access to attr=["sambaLMPassword"],["sambaNTPassword"] by dn="cn=samba_admin,dc=bastille,dc=camden,dc=palace" write by self write by anonymous auth by * none # bug : should be more restrictive access to * by dn="cn=samba_admin,dc=bastille,dc=camden,dc=palace" write by * read
You still have to add manually your samba_admin in the LDAP directory. You can for instance create it from a copy your admin user. And in /etc/samba/smb.conf
security = user ldap server = yourldapserver # # the secure port default 636 ;ldap port = 9003 # # ldap suffix = "dc=your,dc=ldapdn" ldap admin dn = "cn=samba_admin,dc=bastille,dc=camden,dc=palace" # ;ldap ssl = yes encrypt passwords = true ;passdb backend = tdbsam guest passdb backend = ldapsam guest
Then you will want to add your samba_admin user in the local samba passwd database (a bit like your ldap.secret).
smbpasswd -a samba_admin -D 256 -w ag0000dpaasswd
The debug p-D level option let you track down problems. Once you got this working, you should be able to add users with:
smbpasswd -a existingldapuser -w sambaonlypass
QUESTION: I thought that the standard samba package did not include the LDAP backend - that you have to recompile samba yourself?
Samba 3 Includes LDAP support, but not the samba 2 LDAP compability (--with-ldapsam) that is required for most of the howtos out there. (ldap server = and such) Any information on how the new ldap support works would be appreciated.
QUESTION: This uses an extra "samba_admin" user. Many other online documents just use the normal ldap admin user. I don't believe adding yet another user with authority to change everyone's passwords is any more secure. This also means that samba cannot synchronise unix passwords using the "ldap passwd sync" option (the samba_admin user cannot change the unix passwords).
Remarks: libpam-samba is responsible to sync at each startup the unix password of each account with the smb db password so you have to uninstall it. If you want to separate completely both db, you have to say no to the unix password sync, change the passwd in selected program to change the passwd, everything in smb.conf