Configuring LDAP Authentication for Debian

SAMBA Server Setup

Mostly, you need to do:

 # apt-get install samba

Note: on woody, the stock samba package does not come with LDAP support, so you either need to compile it yourself or use the backport provided by the samba team, via this /etc/apt/sources.list line:

  deb http://de.samba.org/samba/ftp/Binary_Packages/Debian/samba3/ stable main

Then edit the files slapd.conf and smb.conf. In slapd.conf, add the line:

  include /etc/ldap/schema/samba.schema

Further down, add the access rules (the rule for the password hash attributes must come before the catch-all rule, since slapd uses the first matching "access to" clause):

  access to attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=samba_admin,dc=bastille,dc=camden,dc=palace" write
    by self write
    by anonymous auth
    by * none

  # bug : should be more restrictive
  access to *
    by dn="cn=samba_admin,dc=bastille,dc=camden,dc=palace" write
    by * read

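To check what these two rules actually grant before putting them on a live server, here is an added example (not from this page, and not OpenLDAP code) that evaluates slapd.conf "access to" rules the way slapd does: the first "access to" clause whose target covers the attribute is selected, then the first matching "by" clause decides, and anything left over is denied. The samba_admin DN is the page's own; the alice and bob DNs are constructed, and only the subset of syntax used on this page (`*`, `attrs=`, `self`, `anonymous`, `users`, `dn="..."`) is supported.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# slapd access levels, weakest to strongest
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The ACL from the slapd.conf fragment above (samba_admin DN is the page's own)
SLAPD_ACCESS = """
access to attrs=sambaLMPassword,sambaNTPassword
  by dn="cn=samba_admin,dc=bastille,dc=camden,dc=palace" write
  by self write
  by anonymous auth
  by * none

# bug : should be more restrictive
access to *
  by dn="cn=samba_admin,dc=bastille,dc=camden,dc=palace" write
  by * read
"""

# Constructed variant with the two rules swapped, to show why order matters
MISORDERED = """
access to *
  by dn="cn=samba_admin,dc=bastille,dc=camden,dc=palace" write
  by * read
access to attrs=sambaLMPassword,sambaNTPassword
  by dn="cn=samba_admin,dc=bastille,dc=camden,dc=palace" write
  by self write
  by anonymous auth
  by * none
"""

SAMBA_ADMIN = "cn=samba_admin,dc=bastille,dc=camden,dc=palace"  # from the page
ALICE = "uid=alice,ou=People,dc=bastille,dc=camden,dc=palace"   # constructed entry
BOB = "uid=bob,ou=People,dc=bastille,dc=camden,dc=palace"       # constructed entry
ANONYMOUS = None                                                 # unauthenticated bind


@dataclass
class Rule:
    attrs: Optional[Set[str]]                                   # None means 'access to *'
    by: List[Tuple[str, str]] = field(default_factory=list)     # (who, level) in file order


BY_RE = re.compile(r'by\s+(\*|self|anonymous|users|dn="[^"]+")\s+([a-z]+)')


def parse_access(text: str) -> List[Rule]:
    """Parse 'access to ...' / 'by ...' lines (comments and blank lines ignored)."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to "):
            what = line[len("access to "):].strip()
            if what == "*":
                rules.append(Rule(attrs=None))
            elif what.startswith("attrs="):
                names = what[len("attrs="):].split(",")
                rules.append(Rule(attrs={n.strip().lower() for n in names}))
            else:
                raise ValueError("unsupported 'what' clause: " + what)
        elif line.startswith("by "):
            m = BY_RE.fullmatch(line)
            if not rules or not m or m.group(2) not in LEVELS:
                raise ValueError("unsupported 'by' clause: " + line)
            rules[-1].by.append((m.group(1), m.group(2)))
        else:
            raise ValueError("unexpected line: " + line)
    return rules


def who_matches(who: str, requester: Optional[str], target_dn: str) -> bool:
    """Does this 'by' subject describe the bound DN (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    return requester is not None and requester.lower() == who[4:-1].lower()  # dn="..."


def granted(rules: List[Rule], requester: Optional[str], target_dn: str, attr: str) -> str:
    """Level slapd grants: first 'access to' covering attr, then first matching 'by'."""
    for rule in rules:
        if rule.attrs is not None and attr.lower() not in rule.attrs:
            continue
        for who, level in rule.by:
            if who_matches(who, requester, target_dn):
                return level
        return "none"        # rule matched but no 'by' did: implicit 'by * none'
    return "none"            # no rule covers the attribute: denied by default


def allows(rules: List[Rule], requester: Optional[str], target_dn: str, attr: str, needed: str) -> bool:
    """True if the granted level is at least 'needed' (e.g. 'auth', 'read', 'write')."""
    return LEVELS.index(granted(rules, requester, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    rules = parse_access(SLAPD_ACCESS)
    for label, req in (("anonymous", ANONYMOUS), ("alice (self)", ALICE), ("bob", BOB), ("samba_admin", SAMBA_ADMIN)):
        print(f"{label:13s} sambaNTPassword -> {granted(rules, req, ALICE, 'sambaNTPassword'):6s}"
              f" uid -> {granted(rules, req, ALICE, 'uid')}")
    print("misordered: anonymous can read hashes ->",
          allows(parse_access(MISORDERED), ANONYMOUS, ALICE, "sambaNTPassword", "read"))
```

With the rules in the order shown on the page, anonymous binds get only `auth` on the hash attributes (enough for a bind, not enough to read them), bob gets nothing on alice's hashes, and alice and samba_admin can write them; with the rules swapped, the catch-all `by * read` is selected first and every anonymous client can read the NT and LM hashes. The "should be more restrictive" remark concerns the second rule: every other attribute is world-readable, so a tightening such as `by users read` is worth testing with the evaluator before deploying, because nss_ldap clients that bind anonymously rely on reading uid and uidNumber.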
You still have to add your samba_admin entry to the LDAP directory manually; you can, for instance, create it from a copy of your admin user. Then, in /etc/samba/smb.conf, set:

  security = user
  ldap server = yourldapserver
  # ldap port defaults to 389, or 636 when ldap ssl = yes; uncomment to override
  ;ldap port = 9003
  # suffix and admin dn must share the same base DN
  ldap suffix = "dc=your,dc=ldapdn"
  ldap admin dn = "cn=samba_admin,dc=bastille,dc=camden,dc=palace"
  # enable to avoid sending the admin bind password and hashes in the clear
  ;ldap ssl = yes
  encrypt passwords = true
  ;passdb backend = tdbsam guest
  passdb backend = ldapsam guest

Then store the samba_admin bind password in Samba's local secrets database (it plays the same role as your ldap.secret):

  smbpasswd -a samba_admin -D 256 -w ag0000dpaasswd

The -D debug-level option lets you track down problems. Once you have this working, you should be able to add users with the command below; smbpasswd prompts for the user's Samba password (do not pass -w here, as that option sets the ldap admin dn password in secrets.tdb, not the user's password):

  smbpasswd -a existingldapuser

QUESTION: I thought that the standard samba package did not include the LDAP backend - that you have to recompile samba yourself?

Samba 3 includes LDAP support, but not the samba 2 LDAP compatibility (--with-ldapsam) that is required for most of the howtos out there (ldap server = and such). Any information on how the new ldap support works would be appreciated.

QUESTION: This uses an extra "samba_admin" user. Many other online documents just use the normal ldap admin user. I don't believe adding yet another user with authority to change everyone's passwords is any more secure. This also means that samba cannot synchronise unix passwords using the "ldap passwd sync" option (the samba_admin user cannot change the unix passwords).