[OpenIndiana-discuss] Could not setup LDAP for SAMBA

IVO GELOV (CRM) ivo at crm.walltopia.com
Tue Mar 6 12:55:37 UTC 2012


On Tue, 06 Mar 2012 12:01:21 +0200, Jonathan Adams <t12nslookup at gmail.com> wrote:

I am including the "samba.schema" in slapd.conf - and I also have this in LDAP:

# Entry 1: ou=users,dc=domain,dc=com
dn: ou=users,dc=domain,dc=com
objectclass: organizationalUnit
objectclass: top
ou: users

# Entry 2: uid=administration,ou=users,dc=domain,dc=com
dn: uid=administration,ou=users,dc=domain,dc=com
cn: administration
gidnumber: 101
homedirectory: /tmp
objectclass: top
objectclass: account
objectclass: posixAccount
objectclass: sambaSamAccount
sambaacctflags: [UX         ]
sambalmpassword: C4B274309D14EC00AAD3B435B51404EE
sambantpassword: 02ECCB1802088A4C42E17664D55819E5
sambasid: S-1-5-21-1-10208
uid: administration
uidnumber: 104
userpassword:

I am still not familiar enough with Solaris, so zones are still a dark place for me :)
Maybe I am not understanding things very well. I assume that LDAP replaces
/etc/passwd - i.e. instead of polluting /etc/passwd I will populate LDAP. Of the two,
the latter is more convenient for me. The exact thing I want is to have only 2 UIDs
and about 50 SAMBA user accounts which should map to one or the other of my 2 UIDs.
These UIDs are 104 and 105 and already exist.
The problem is that SAMBA - or most probably Solaris itself - cannot do this
mapping.
Issuing "getent passwd administration" gives me no output, and I do not know how
to debug "getent" in order to see what is wrong.

So this is the issue which I need some help for :(

PS: we do not have a Windows domain currently (please do not laugh), so I only need
a workgroup mode for SAMBA.

> OK, well that's relatively straightforward ...
>
> You might want to do this in a zone on Solaris, if you're worried
> about polluting the passwd file, because each Samba user _does_ need a
> user on the system. If you do it in a zone then the zone can be an
> LDAP client and you can disable all ssh, telnet and ftp access so that
> people can only access their user partitions using Samba.
>
> After you have the zone as an LDAP client, you need to configure the
> LDAP for Samba and the smb.conf file.
>
> If you are brave and know your way around LDAP you can do this
> manually by getting the Samba LDAP schema from the Samba source tar
> file ( https://www.samba.org/samba/download/ ) and loading it into the
> LDAP server.
>
> The users you want to have access to the domain will need to have the
> classes "posixAccount" and "sambaSamAccount" ... and you will need to
> know your sambaSID ...
>
> Otherwise you can look at getting smbldap-tools, written in Perl (
> http://gna.org/projects/smbldap-tools ), essential if you are planning
> on having domain logons, or even look at other tools from
> https://wiki.samba.org/index.php/Samba_&_LDAP
>
> I'm a scripter, so we have in-house tools.
>
> Logging in to the first share for the first time is the hardest bit
> ... after that it is just setting up groups and access levels.
>
> Jon
>
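The empty "getent passwd administration" output is where the thread stalls, so here is an added example (the editor's, not code from either poster) that checks an LDIF entry offline against what the Solaris LDAP name service needs before it can turn the entry into a passwd line: the posixAccount MUST attributes (uid, uidNumber, gidNumber, homeDirectory) and the container the entry lives in, since ldapclient's default search base for the passwd service is ou=people under the client's base DN while the posted entry sits under ou=users. The LDIF strings are constructed copies of the posted entry (password hashes dropped) plus a deliberately incomplete sibling; the attribute names and the ou=people default are the assumptions the check rests on.

```shell
#!/bin/sh
# Added example (not from the original thread): offline check of an LDIF
# entry against what Solaris nss_ldap needs before "getent passwd <name>"
# can return it. Sample entries are constructed to mirror the posted one;
# attribute names match, values are placeholders.

# Constructed sample: the posted entry without the password hashes.
SAMPLE_LDIF='dn: uid=administration,ou=users,dc=domain,dc=com
cn: administration
gidnumber: 101
homedirectory: /tmp
objectclass: top
objectclass: account
objectclass: posixAccount
objectclass: sambaSamAccount
sambaacctflags: [UX         ]
sambasid: S-1-5-21-1-10208
uid: administration
uidnumber: 104'

# Constructed sample: same shape, but posixAccount and uidNumber left out
# so the check has something to reject.
BROKEN_LDIF='dn: uid=broken,ou=users,dc=domain,dc=com
cn: broken
gidnumber: 101
homedirectory: /tmp
objectclass: top
objectclass: account
uid: broken'

# Solaris ldapclient(1M) searches ou=people,<baseDN> for the passwd service
# unless a serviceSearchDescriptor says otherwise (assumption: stock client).
DEFAULT_PASSWD_OU="ou=people"

# has_attr LDIF ATTR [VALUE]: succeed if ATTR is present (LDAP attribute
# names are case-insensitive), optionally with exactly VALUE.
has_attr() {
    printf '%s\n' "$1" | awk -v want="$2" -v val="$3" '
        { key = tolower($1); sub(/:$/, "", key) }
        key == tolower(want) && (val == "" || $2 == val) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# passwd_container LDIF: print the parent DN of the entry, i.e. the
# container nss_ldap must be pointed at for passwd lookups.
passwd_container() {
    printf '%s\n' "$1" | awk 'tolower($1) == "dn:" {
        sub(/^[^:]*:[ \t]*[^,]*,[ \t]*/, ""); print; exit }'
}

# check_posix_entry LDIF: report what is missing for a passwd mapping.
# Exit 0 when the entry can become a passwd line, 1 otherwise.
check_posix_entry() {
    entry="$1"
    missing=""
    has_attr "$entry" objectClass posixAccount || missing="$missing objectClass=posixAccount"
    for attr in uid uidNumber gidNumber homeDirectory; do
        has_attr "$entry" "$attr" || missing="$missing $attr"
    done
    # loginShell is MAY in the posixAccount schema; Samba does not need it.
    if [ -n "$missing" ]; then
        echo "cannot become a passwd line, missing:$missing"
        return 1
    fi
    container=$(passwd_container "$entry")
    case "$container" in
        "$DEFAULT_PASSWD_OU",*)
            echo "OK: posixAccount complete, in default passwd container $container" ;;
        *)
            echo "OK: posixAccount complete, but $container is not $DEFAULT_PASSWD_OU,<baseDN>;"
            echo "    the client needs serviceSearchDescriptor=passwd:$container" ;;
    esac
    return 0
}

check_posix_entry "$SAMPLE_LDIF"
check_posix_entry "$BROKEN_LDIF" || :
```

On the Solaris client itself the equivalent live checks are "ldapclient list" (shows the configured search descriptors), "passwd: files ldap" in /etc/nsswitch.conf, and "truss getent passwd administration" to see whether the lookup reaches the LDAP client at all; a descriptor such as serviceSearchDescriptor=passwd:ou=users,dc=domain,dc=com is set with "ldapclient mod -a ...". Two caveats a practitioner would add: mapping 50 Samba accounts onto UID 104 or 105 is exactly what a shared uidNumber in LDAP gives you, but it also makes those users indistinguishable in file ownership and audit trails; and the sambalmpassword value in the posted entry is an LM hash, which is trivially crackable and which current Samba releases no longer store or accept by default.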


