
Samba - TDBSAM to LDAP Migration

It's often desirable to have your Samba system authenticate against an OpenLDAP or similar LDAP server. Because OpenLDAP offers replication, you can seamlessly fail over should the need arise.

Migrating from tdbsam to ldapsam

Often the Samba server is initially configured with tdbsam; when moving to LDAP those accounts need to be imported. It's advisable to collect the local SID information before starting, so the same domain SID can be carried over to LDAP.

Collect the existing information using some command line tools.

net getlocalsid
net getdomainsid
net usersidlist
pdbedit -Lv

Now update /etc/samba/smb.conf to point to LDAP.

cp smb.conf smb.conf.tdbsam
nano smb.conf

Make changes like these (sample diff)

--- smb.conf.tdbsam
+++ smb.conf
@@ -31,7 +31,8 @@
   os level = 65
-  passdb backend = tdbsam
+  passdb backend = ldapsam:ldap://ldap.edoceo.com/
   preferred master = yes
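Review bot: the new "passdb backend = ldapsam:ldap://ldap.edoceo.com/" line binds over plaintext LDAP, and the only TLS setting in this diff ("ldap ssl = start_tls" in the next hunk) is commented out, so the ldap admin dn password and the password hashes Samba reads and writes cross the network unencrypted. Suggest "ldapsam:ldaps://ldap.edoceo.com/" or un-commenting "ldap ssl = start_tls", unless the LDAP server is on the same host.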
@@ -55,6 +56,18 @@
   load printers = no
-  # Placeholder for LDAP Stuffs
+  # LDAP Stuffs
+  idmap backend = ldap://ldap.edoceo.com/
+  ldap admin dn = cn=root,dc=edoceo,dc=com
+  ldap delete dn = no
+  ldap group suffix = ou=Groups
+  ldap idmap suffix = ou=Idmap
+  ldap machine suffix = ou=Hosts
+  ldap passwd sync = yes
+  #ldap ssl = start_tls
+  ldap suffix = dc=edoceo,dc=com
+  ldap user suffix = ou=Users
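Review bot: "ldap admin dn = cn=root,dc=edoceo,dc=com" makes Samba bind as the directory's root DN (the credential that "smbpasswd -w" stores), so a compromise of the Samba host gives full write access to the entire directory; a dedicated bind DN whose OpenLDAP ACLs cover only ou=Users, ou=Groups, ou=Hosts and ou=Idmap under dc=edoceo,dc=com would follow least privilege. Also, the hunk header "@@ -55,6 +56,18 @@" promises 18 new lines but only 12 appear, so the sample diff is truncated and should be labelled as illustrative.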

Tell Samba what password to use when binding with the ldap admin dn.

smbpasswd -w 'secret'

Using a tool like phpLDAPadmin, create a sambaDomainName entry that looks similar to the one below, or load it from a file with ldapadd -D $binddn -W -f FILE (FILE being an LDIF containing the entry).

dn: sambaDomainName=carbon,dc=edoceo,dc=com
objectClass: sambaDomain
objectClass: top
sambaDomainName: carbon
sambaNextUserRid: 6504
sambaPwdHistoryLength: 0
sambaLockoutThreshold: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaSID: S-1-5-21-177675109-1247036630-3246284137
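The following script is an added example, not code from the original page. It ties the SID-collection step (net getlocalsid, pdbedit -Lv) to the sambaDomain entry above: it parses the SID out of net getlocalsid output, derives sambaNextUserRid from the highest user RID pdbedit reports, emits the LDIF, and checks that the sambaSID in a given LDIF matches the tdbsam SID, which is the check that prevents a migration from silently changing the domain SID. The command output it works on is constructed, and the password-policy values it copies from the entry above are assumptions to adjust for your domain.

```shell
#!/bin/sh
# Added example (not from the original page): carry the tdbsam domain SID
# into the LDAP sambaDomain entry and verify the two agree. Changing the SID
# during migration would orphan every existing user SID and file ACL.

# SID from `net getlocalsid` output, e.g.
#   SID for domain CARBON is: S-1-5-21-177675109-1247036630-3246284137
sid_from_net() {
    sed -n 's/^SID for domain .* is: *\(S-[0-9-]*\) *$/\1/p' | head -n 1
}

# sambaSID attribute from LDIF text (an exported entry or ldapsearch output)
sid_from_ldif() {
    sed -n 's/^sambaSID: *\(S-[0-9-]*\) *$/\1/p' | head -n 1
}

# Highest user RID in `pdbedit -Lv` output ("User SID: S-...-1000" lines),
# so sambaNextUserRid starts above every RID already handed out.
max_user_rid() {
    sed -n 's/^User SID: *S-[0-9-]*-\([0-9][0-9]*\) *$/\1/p' | sort -n | tail -n 1
}

# Emit a sambaDomain entry for NAME under SUFFIX with SID and next user RID.
# Password-policy values mirror the entry on this page (assumed defaults).
make_domain_ldif() {
    name="$1"; suffix="$2"; sid="$3"; nextrid="$4"
    printf 'dn: sambaDomainName=%s,%s\n' "$name" "$suffix"
    printf 'objectClass: sambaDomain\nobjectClass: top\n'
    printf 'sambaDomainName: %s\nsambaSID: %s\n' "$name" "$sid"
    printf 'sambaNextUserRid: %s\n' "$nextrid"
    printf 'sambaPwdHistoryLength: 0\nsambaLockoutThreshold: 0\n'
    printf 'sambaMaxPwdAge: -1\nsambaMinPwdAge: 0\n'
}

# Returns 0 if the SID in net output ($1) equals the sambaSID in LDIF ($2),
# 1 on mismatch, 2 if either value could not be parsed.
compare_sids() {
    local_sid=$(printf '%s\n' "$1" | sid_from_net)
    ldap_sid=$(printf '%s\n' "$2" | sid_from_ldif)
    if [ -z "$local_sid" ] || [ -z "$ldap_sid" ]; then
        echo "could not parse both SIDs (tdbsam='$local_sid' ldap='$ldap_sid')" >&2
        return 2
    fi
    if [ "$local_sid" = "$ldap_sid" ]; then
        echo "OK: domain SID $local_sid matches LDAP"
        return 0
    fi
    echo "MISMATCH: tdbsam $local_sid vs LDAP sambaSID $ldap_sid" >&2
    return 1
}

# Constructed samples of `net getlocalsid` and `pdbedit -Lv` output
# (not captured from a real host).
SAMPLE_NET='SID for domain CARBON is: S-1-5-21-177675109-1247036630-3246284137'
SAMPLE_PDB='Unix username:        alice
User SID:             S-1-5-21-177675109-1247036630-3246284137-1000
Primary Group SID:    S-1-5-21-177675109-1247036630-3246284137-513
Unix username:        bob
User SID:             S-1-5-21-177675109-1247036630-3246284137-6503
Primary Group SID:    S-1-5-21-177675109-1247036630-3246284137-513'

# Build the entry from the collected values, then confirm it round-trips.
# Real use: compare_sids "$(net getlocalsid)" \
#           "$(ldapsearch -x -LLL '(objectClass=sambaDomain)' sambaSID)"
DOMAIN_SID=$(printf '%s\n' "$SAMPLE_NET" | sid_from_net)
NEXT_RID=$(( $(printf '%s\n' "$SAMPLE_PDB" | max_user_rid) + 1 ))
DOMAIN_LDIF=$(make_domain_ldif carbon 'dc=edoceo,dc=com' "$DOMAIN_SID" "$NEXT_RID")
printf '%s\n' "$DOMAIN_LDIF"
compare_sids "$SAMPLE_NET" "$DOMAIN_LDIF"
```

Run compare_sids again after the entry has been loaded, feeding it the live ldapsearch output; a MISMATCH or a parse failure (exit 2) means the backend switch should not proceed until the entry is corrected.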

Migrating Users from Samba tdbsam to OpenLDAP ldapsam

Debugging Samba and LDAP Backend

Increasing the verbosity of the Samba tools with the -d4 option will show the LDAP queries they issue. ldapsearch can then be used to reproduce the same query by hand. As an example, here's a domain lookup.

# pdbedit -Lv
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CARBON))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CARBON))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server

And the same query from ldapsearch.

# ldapsearch -x '(&(objectClass=sambaDomain)(sambaDomainName=CARBON))'
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (&(objectClass=sambaDomain)(sambaDomainName=CARBON))
# requesting: ALL
#

# carbon, edoceo.com
dn: sambaDomainName=carbon,dc=edoceo,dc=com
objectClass: sambaDomain
objectClass: top
sambaSID: S-1-5-21-177675109-1247036630-3246284137
sambaNextUserRid: 6504
sambaNextRid: 6504
sambaNextGroupRid: 6504
sambaDomainName: carbon
sambaPwdHistoryLength: 0
sambaLockoutThreshold: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Migration Final Steps

After migrating, the file /var/lib/samba/private/passdb.tdb can be removed. Verify it's no longer in use first with lsof passdb.tdb.
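An added example, not the page's own script, for this final step: it compares a pdbedit -L listing taken while tdbsam was the backend with one taken after the switch to ldapsam, reporting any account that did not make it across, and moves passdb.tdb aside (rather than deleting it) only when lsof or fuser shows no process holding it open. The two listings below are constructed; the default file path is the one the text gives.

```shell
#!/bin/sh
# Added example (not from the original page): before retiring passdb.tdb,
# confirm every tdbsam account is now served by ldapsam, and move the old
# file aside only when no process has it open.

# Usernames from `pdbedit -L` output (lines of the form user:uid:Full Name),
# one per line, de-duplicated and sorted.
users_from_pdbedit() {
    sed -n 's/^\([^:][^:]*\):[0-9]*:.*$/\1/p' | sort -u
}

# Print accounts in the tdbsam listing ($1) that are absent from the ldapsam
# listing ($2). Returns 0 when nothing is missing, 1 otherwise.
# Whole lines are compared, so usernames containing spaces are handled.
missing_users() {
    old=$(printf '%s\n' "$1" | users_from_pdbedit)
    new=$(printf '%s\n' "$2" | users_from_pdbedit)
    missing=$(printf '%s\n' "$old" | while IFS= read -r u; do
        [ -n "$u" ] || continue
        printf '%s\n' "$new" | grep -qxF -- "$u" || printf '%s\n' "$u"
    done)
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' "$missing"
    return 1
}

# Move passdb.tdb aside (never rm it outright) once nothing holds it open.
# Returns 0 on success, 1 if the file is in use, 2 if it cannot be checked.
retire_passdb() {
    f="${1:-/var/lib/samba/private/passdb.tdb}"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    busy=0
    if command -v lsof >/dev/null 2>&1; then
        lsof "$f" >/dev/null 2>&1 && busy=1
    elif command -v fuser >/dev/null 2>&1; then
        fuser "$f" >/dev/null 2>&1 && busy=1
    else
        echo "neither lsof nor fuser found; leaving $f untouched" >&2; return 2
    fi
    if [ "$busy" -eq 1 ]; then
        echo "$f is still open; stop smbd/nmbd/winbindd first" >&2; return 1
    fi
    bak="$f.tdbsam-$(date +%Y%m%d%H%M%S)"
    mv -- "$f" "$bak" && chmod 600 "$bak" && echo "moved $f to $bak"
}

# Constructed `pdbedit -L` listings: before (tdbsam) and after (ldapsam).
# Real use: save `pdbedit -L` output before changing passdb backend, then
# run `pdbedit -L` again once smb.conf points at ldapsam and compare.
SAMPLE_OLD='alice:1001:Alice Example
bob:1002:Bob Example
carol:1003:'
SAMPLE_NEW='alice:1001:Alice Example
carol:1003:'

if missing_users "$SAMPLE_OLD" "$SAMPLE_NEW"; then
    echo "all accounts present in ldapsam; safe to run retire_passdb"
else
    echo "accounts above are missing from ldapsam; keep passdb.tdb for now"
fi
```

The retired copy still contains password hashes, hence the chmod 600; delete it once the LDAP backend has been in service long enough that rolling back is no longer a possibility.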

See Also

ChangeLog

  • 09 May 2009 - Created /djb
