
This page is outdated

slapd no longer uses the slapd.conf configuration file: starting with version 2.3, the configuration of OpenLDAP servers is kept in a special DIT, typically rooted at an entry called cn=config. See LDAP/OpenLDAPSetup

Configuring LDAP Authentication for Debian

SAMBA Server Setup

Mostly, you need to run:

 # apt-get install samba

Then edit the files slapd.conf and smb.conf. In slapd.conf, add the line:

  include /etc/ldap/schema/samba.schema

Further down, add:

  access to attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=samba_admin,dc=bastille,dc=camden,dc=palace" write
    by self write
    by anonymous auth
    by * none
  # bug: should be more restrictive
  access to *
    by dn="cn=samba_admin,dc=bastille,dc=camden,dc=palace" write
    by * read
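The ACL above is only worth anything if it actually hides the hashes, so it pays to verify it from the client side. The script below is an added example, not part of this wiki page: it runs an anonymous ldapsearch (and optionally one bound as some unrelated user) and scans the returned LDIF for sambaLMPassword or sambaNTPassword lines. BASE, URI and BIND_DN are placeholders to replace with your own suffix, server and a test user; the LDIF samples at the bottom are constructed so the filter can be exercised without a live server.

```shell
#!/bin/sh
# Added example (not from the wiki page): check that the slapd ACL keeps
# Samba password hashes away from anonymous and unrelated bound users.
# Assumes ldapsearch from ldap-utils; BASE/URI/BIND_DN are placeholders.

BASE="${BASE:-dc=your,dc=ldapdn}"      # placeholder suffix
URI="${URI:-ldap://localhost}"         # placeholder server
BIND_DN="${BIND_DN:-uid=testuser,ou=people,dc=your,dc=ldapdn}"  # placeholder

# leaked_password_attrs: read LDIF on stdin and print every line that carries
# a Samba hash attribute. Exit status 0 if something leaked (grep convention),
# 1 if nothing did.
leaked_password_attrs() {
    grep -iE '^(sambaLMPassword|sambaNTPassword):'
}

# search_hashes [extra ldapsearch args]: ask for the two hash attributes of
# every sambaSamAccount entry under BASE.
search_hashes() {
    ldapsearch -x -LLL -H "$URI" -b "$BASE" "$@" \
        '(objectClass=sambaSamAccount)' sambaLMPassword sambaNTPassword 2>&1
}

# report LABEL: read LDIF on stdin; return 1 and print FAIL when a hash is
# visible, otherwise print OK and return 0.
report() {
    if leaked_password_attrs >/dev/null; then
        echo "FAIL ($1): Samba password hashes are readable; ACL too permissive"
        return 1
    fi
    echo "OK ($1): no sambaLMPassword/sambaNTPassword returned"
}

# anonymous_hash_check: "by anonymous auth" must not allow reading.
anonymous_hash_check() {
    search_hashes | report "anonymous bind"
}

# other_user_hash_check: "by * none" must stop another user reading them
# (prompts for BIND_DN's password).
other_user_hash_check() {
    search_hashes -D "$BIND_DN" -W | report "bound as $BIND_DN"
}

# Constructed LDIF samples for offline use: what a too-permissive
# "access to * by * read" would return, and a clean result.
SAMPLE_LEAK='dn: uid=alice,ou=people,dc=your,dc=ldapdn
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
'
SAMPLE_OK='dn: uid=alice,ou=people,dc=your,dc=ldapdn
'

# Run the live checks only on request, so the file is safe to source.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    anonymous_hash_check
    other_user_hash_check
fi
```

Run it with RUN_LIVE=1 BASE=... URI=... against the real server once the schema and ACL are loaded; both checks should print OK, and the bound-user check should still print OK after you pick a BIND_DN that is neither samba_admin nor the account being searched.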

You still have to add your samba_admin entry to the LDAP directory manually; you can, for instance, create it as a copy of your admin user. Then, in /etc/samba/smb.conf:

  security = user
  ldap server = yourldapserver
  # the secure (LDAPS) port is 636 by default
  ;ldap port = 9003
  ldap suffix = "dc=your,dc=ldapdn"
  ldap admin dn = "cn=samba_admin,dc=bastille,dc=camden,dc=palace"
  ;ldap ssl = yes
  encrypt passwords = true
  ;passdb backend = tdbsam guest
  passdb backend = ldapsam guest
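Note that in the fragment above both `ldap port` and `ldap ssl = yes` are commented out with `;`, so Samba binds as the `ldap admin dn` over plain LDAP and the admin password stored with `smbpasswd -w` crosses the network unencrypted. The script below is an added example, not part of this page, that reads the effective (uncommented) value of `ldap ssl` from an smb.conf and flags the clear-text case; the two sample configurations it builds are constructed from the fragment above, one as-is and one with TLS enabled, and the `[global]` header is assumed.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit the LDAP transport setting
# of an smb.conf. Samba treats lines starting with ";" or "#" as comments,
# so a commented-out "ldap ssl = yes" has no effect.

# effective_value FILE KEY: print the value of the last uncommented
# "KEY = value" line (later occurrences override earlier ones).
effective_value() {
    file=$1; key=$2
    grep -iE "^[[:space:]]*${key}[[:space:]]*=" "$file" \
      | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | tail -n 1
}

# ldap_transport_ok FILE: return 0 when "ldap ssl" is set to anything but
# off/no, 1 when it is absent (Samba's default is off) or disabled.
ldap_transport_ok() {
    case "$(effective_value "$1" 'ldap ssl' | tr 'A-Z' 'a-z')" in
        ''|off|no|false) return 1 ;;
        *) return 0 ;;
    esac
}

# audit_smbconf FILE: human-readable verdict, exit status like ldap_transport_ok.
audit_smbconf() {
    if ldap_transport_ok "$1"; then
        echo "OK: $1 binds to LDAP with TLS (ldap ssl = $(effective_value "$1" 'ldap ssl'))"
    else
        echo "WARN: $1 binds to LDAP in clear text; enable 'ldap ssl' and the matching 'ldap port'"
        return 1
    fi
}

# Constructed sample configurations: the page's fragment as written (weak)
# and the same with the two lines uncommented (fixed).
WEAK=$(mktemp); FIXED=$(mktemp)
trap 'rm -f "$WEAK" "$FIXED"' EXIT
cat > "$WEAK" <<'EOF'
[global]
  security = user
  ldap server = yourldapserver
  ;ldap port = 9003
  ldap suffix = "dc=your,dc=ldapdn"
  ldap admin dn = "cn=samba_admin,dc=bastille,dc=camden,dc=palace"
  ;ldap ssl = yes
  encrypt passwords = true
  passdb backend = ldapsam guest
EOF
cat > "$FIXED" <<'EOF'
[global]
  security = user
  ldap server = yourldapserver
  ldap port = 636
  ldap suffix = "dc=your,dc=ldapdn"
  ldap admin dn = "cn=samba_admin,dc=bastille,dc=camden,dc=palace"
  ldap ssl = yes
  encrypt passwords = true
  passdb backend = ldapsam guest
EOF

for f in "$WEAK" "$FIXED"; do
    audit_smbconf "$f" || :
done
```

Point `audit_smbconf` at /etc/samba/smb.conf on the server itself; it only reads the file, so it can run as an unprivileged user that has read access to the configuration.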

Then you will want to store the samba_admin password in the local Samba secrets database (much like your ldap.secret), and add the samba_admin user at the same time:

  smbpasswd -a samba_admin -D 256 -w ag0000dpaasswd

The -D debug level option lets you track down problems. Once you have this working, you should be able to add users with:

  smbpasswd -a existingldapuser

smbpasswd then prompts for the Samba-only password of that user (-w is reserved for the LDAP admin DN password and must not be reused here).

See Also:

QUESTION: I thought that the standard samba package did not include the LDAP backend - that you have to recompile samba yourself?

Samba 3 includes LDAP support, but not the Samba 2 LDAP compatibility (--with-ldapsam) that is required for most of the howtos out there (ldap server = and such). Any information on how the new LDAP support works would be appreciated.

QUESTION: This uses an extra "samba_admin" user. Many other online documents just use the normal ldap admin user. I don't believe adding yet another user with authority to change everyone's passwords is any more secure. This also means that samba cannot synchronise unix passwords using the "ldap passwd sync" option (the samba_admin user cannot change the unix passwords).

Remarks: libpam-samba is responsible for syncing, at each startup, the Unix password of each account with the smb db password, so you have to uninstall it. If you want to separate both databases completely, you have to say no to the Unix password sync and change the password in the selected program to change the password; everything is in smb.conf.
