It's often desirable to have your Samba system authenticate to an OpenLDAP or similar type of LDAP server. Because OpenLDAP offers replication, you can seamlessly fail over, should the need arise.
Migrating from tdbsam to ldapsam
Often the Samba server is initially configured with tdbsam; when moving to LDAP, those accounts need to be imported. It's advisable to collect the local SID information before starting.
Collect the existing information using some command line tools:
net getlocalsid
net getdomainsid
net usersidlist
pdbedit -Lv
Now update /etc/samba/smb.conf to point to LDAP.
cp smb.conf smb.conf.tdbsam
nano smb.conf
Make changes like these (sample diff)
--- smb.conf.tdbsam +++ smb.conf @@ -31,7 +31,8 @@ os level = 65 - passdb backend = tdbsam + passdb backend = ldapsam:ldap://ldap.edoceo.com/ preferred master = yes @@ -55,6 +56,18 @@ load printers = no - # Placeholder for LDAP Stuffs + # LDAP Stuffs + idmap backend = ldap://ldap.edoceo.com/ + ldap admin dn = cn=root,dc=edoceo,dc=com + ldap delete dn = no + ldap group suffix = ou=Groups + ldap idmap suffix = ou=Idmap + ldap machine suffix = ou=Hosts + ldap passwd sync = yes + #ldap ssl = start_tls + ldap suffix = dc=edoceo,dc=com + ldap user suffix = ou=Users
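Review bot: the new passdb backend value in the first hunk, ldapsam:ldap://ldap.edoceo.com/, binds over plain ldap://, and the second hunk leaves "ldap ssl = start_tls" commented out, so the ldap admin dn password stored by smbpasswd -w and every password written by "ldap passwd sync = yes" cross the network unencrypted; uncomment "ldap ssl = start_tls" (or use an ldaps:// URL) before switching the backend.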
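Review bot: in the second hunk, "ldap admin dn = cn=root,dc=edoceo,dc=com" makes Samba bind as the directory's root DN, so a compromise of the Samba host (or of secrets.tdb, where smbpasswd -w keeps that password) hands out write access to the whole directory; a dedicated bind DN whose OpenLDAP ACLs are limited to the ou=Users, ou=Groups, ou=Hosts and ou=Idmap subtrees is the safer choice. Also check the "idmap backend = ldap://ldap.edoceo.com/" line: the documented Samba 3 form is "idmap backend = ldap:ldap://ldap.edoceo.com", with the ldap: module prefix in front of the URL.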
Tell Samba what password to use when binding with the ldap admin dn.
smbpasswd -w 'secret'
Using a tool like phpLDAPadmin, create a sambaDomainName entry that looks similar to this one, or add it from a file with ldapadd -f -D $binddn -W.
dn: sambaDomainName=carbon,dc=edoceo,dc=com
objectClass: sambaDomain
objectClass: top
sambaDomainName: carbon
sambaNextUserRid: 6504
sambaPwdHistoryLength: 0
sambaLockoutThreshold: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaSID: S-1-5-21-177675109-1247036630-3246284137
Migrating Users from Samba tdbsam to OpenLDAP ldapsam
Debugging Samba and LDAP Backend
Increasing the verbosity of the Samba tools with the -d4 option will show the LDAP queries. Tools like ldapsearch provide a way to run the same queries directly against the directory as a test.
As an example, here's a domain lookup.
# pdbedit -Lv
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CARBON))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CARBON))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
And the same query from ldapsearch.
# ldapsearch -x '(&(objectClass=sambaDomain)(sambaDomainName=CARBON))'
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (&(objectClass=sambaDomain)(sambaDomainName=CARBON))
# requesting: ALL
#

# carbon, edoceo.com
dn: sambaDomainName=carbon,dc=edoceo,dc=com
objectClass: sambaDomain
objectClass: top
sambaSID: S-1-5-21-177675109-1247036630-3246284137
sambaNextUserRid: 6504
sambaNextRid: 6504
sambaNextGroupRid: 6504
sambaDomainName: carbon
sambaPwdHistoryLength: 0
sambaLockoutThreshold: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
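The two steps above (writing the sambaDomain entry from the SID collected with net getlocalsid, then reading it back with ldapsearch) are worth checking by script before the old tdbsam file is dropped: if the sambaSID in LDAP differs from the local SID, every migrated account ends up with a different identity. The following is an added example, not code from the page or from the Samba project; the ldapsearch output is a constructed sample built from the page's values, and parse_ldif, sambadomain_ldif and check_domain_entry are hypothetical helper names.

```python
import base64
import re

# Constructed sample: the ldapsearch output for the domain entry shown above,
# embedded so the checks run offline (values copied from the page's example).
SAMPLE_LDAPSEARCH = """\
# extended LDIF
# filter: (&(objectClass=sambaDomain)(sambaDomainName=CARBON))
#

# carbon, edoceo.com
dn: sambaDomainName=carbon,dc=edoceo,dc=com
objectClass: sambaDomain
objectClass: top
sambaSID: S-1-5-21-177675109-1247036630-3246284137
sambaNextUserRid: 6504
sambaNextRid: 6504
sambaNextGroupRid: 6504
sambaDomainName: carbon
sambaPwdHistoryLength: 0
sambaLockoutThreshold: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

# A domain SID as printed by "net getlocalsid": S-1-5-21-<three sub-authorities>.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")


def parse_ldif(text):
    """Parse LDIF as printed by ldapsearch into a list of {attr: [values]} dicts.

    Comment lines are dropped, a line starting with one space continues the
    previous attribute, '::' values are base64, and only records with a dn are
    kept (so the trailing 'search:/result:' block is ignored).
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # folded continuation line
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:  # sentinel blank line closes the last record
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def sambadomain_ldif(domain, sid, suffix, next_user_rid=1000):
    """Build the sambaDomain LDIF from the SID collected with 'net getlocalsid'.
    Hypothetical helper; the attribute set mirrors the page's example entry."""
    if not SID_RE.match(sid):
        raise ValueError("not a domain SID: %r" % sid)
    return "\n".join([
        "dn: sambaDomainName=%s,%s" % (domain, suffix),
        "objectClass: sambaDomain",
        "objectClass: top",
        "sambaDomainName: %s" % domain,
        "sambaNextUserRid: %d" % next_user_rid,
        "sambaPwdHistoryLength: 0",
        "sambaLockoutThreshold: 0",
        "sambaMaxPwdAge: -1",
        "sambaMinPwdAge: 0",
        "sambaSID: %s" % sid,
    ]) + "\n"


def check_domain_entry(ldif_text, expected_domain, expected_sid):
    """Compare the LDAP sambaDomain entry with the name and SID the tdbsam server had.
    Returns a list of problems; an empty list means the entry is consistent."""
    problems = []
    domains = [e for e in parse_ldif(ldif_text) if "sambaDomain" in e.get("objectClass", [])]
    if len(domains) != 1:
        return ["expected exactly one sambaDomain entry, found %d" % len(domains)]
    entry = domains[0]
    name = entry.get("sambaDomainName", [""])[0]
    if name.lower() != expected_domain.lower():  # Samba matches the name case-insensitively
        problems.append("sambaDomainName %r does not match %r" % (name, expected_domain))
    sid = entry.get("sambaSID", [""])[0]
    if not SID_RE.match(sid):
        problems.append("sambaSID %r is not a well-formed domain SID" % sid)
    elif sid != expected_sid:
        problems.append("sambaSID %r differs from the local SID %r" % (sid, expected_sid))
    # RIDs below 1000 overlap the well-known range (500 Administrator, 512 Domain Admins, ...).
    for attr in ("sambaNextUserRid", "sambaNextGroupRid", "sambaNextRid"):
        for value in entry.get(attr, []):
            if not value.isdigit() or int(value) < 1000:
                problems.append("%s=%s is inside the well-known RID range" % (attr, value))
    return problems


if __name__ == "__main__":
    local_sid = "S-1-5-21-177675109-1247036630-3246284137"  # what 'net getlocalsid' printed
    print(sambadomain_ldif("carbon", local_sid, "dc=edoceo,dc=com", 6504))
    print(check_domain_entry(SAMPLE_LDAPSEARCH, "CARBON", local_sid) or "domain entry OK")
```

In practice you would feed check_domain_entry the real output of ldapsearch and the SID from net getlocalsid; it also flags next-RID values that would collide with the well-known RIDs Windows reserves below 1000.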
Migration Final Steps
After migrating, the file /var/lib/samba/private/passdb.tdb can be removed. Verify first that it's not in use with lsof passdb.tdb.
See Also
- Samba 3.0 and LDAP
- A guide from Ubuntu on Samba and LDAP
- Migrating from NT4 to LDAP backend
- University of Navarra documentation on account creation with smbpasswd
ChangeLog
- 09 May 2009 - Created /djb