How to get Samba 3 working nicely with a LDAP backend.

Samba 3 allows samba accounts to not have corresponding unix accounts. This is the first time a Samba has allowed this. However, I've not set it up so I won't go into that.

So this will - discuss setting up Samba 3 + LDAP in an environment where you already have LDAP handling your unix accounts. See LDAPNotes for information on that.

LDAP Schema

Get the samba.schema file from your samba distribution, and put this in /etc/ldap/schema, or wherever your distribution puts the LDAP schema files. Edit /etc/ldap/slapd.conf and add in a schema line pointing at this file.

Note: The debian package seems to have a samba.schema file which is old and out of date, and a samba.schema.gz file which is actually the correct one. ungzip this and put it in /etc/ldap/schema.

You'll also want to check that you have the newest schema every time you upgrade samba. The schema can change quite a bit, and some features won't work if you don't have the right schema installed.

smb.conf modifications

There are a few ldap-specific smb.conf options you can set. I'd recommend reading the smb.conf manpage for the details on the options. As a quick start, here are the options I have set:

   ldap suffix=dc=your,dc=domain,dc=com
   ldap user suffix=ou=SMBUsers
   ldap machine suffix=ou=SMBMachines
   ldap admin dn="cn=admin,ou=People,dc=your,dc=domain,dc=com"
   ldap ssl = no

   ldap passwd sync = yes

The user and machine suffixes are entirely up to you. Just make sure you remember this, and update any other Samba / LDAP scripts you might have to use these suffixes too (such as the idealx scripts mentioned below)

If you change the ldap admin dn (or set it for the first time) you need to run smbpasswd and provide it with the ldap bind password:

smbpasswd -w LDAPBINDPW

The 'ldap passwd sync' parameter here is fairly important. Assuming your accounts are all stored in LDAP, this will let you easily change passwords via the windows change passwords mechanism (which is actually via samba). More on this later.

LDAP Password Sync

The default setting for this is 'no', which means 'Update the NT and LM passwords in LDAP, and update the last set time'. This will cause a lot of grief if you are trying to use another mechanism to set the password, such as a custom script. It can also be set to 'only' which means it will only update the LDAP password (which is the userPassword field, ie the password that unix services will use via pam_ldap). Setting it to 'yes' means it will attempt to update all three passwords and update the last set time. This is almost definitely what you want.

unix passwd sync

This is a slightly misleading name for this directive. It should really be 'external passwd sync'. The 'passwd program' and 'passwd sync' directives are only called if this parameter is set to yes.

It is probably ok to set 'unix passwd sync = no' and 'ldap password sync = yes', and be fairly happy that your passwords are being updated correctly. However, I have found that this sets passwords that zimbra, for example, cannot deal with. If this is the case, or you want to do something special with your password update such as set other values as well, do the following:

   ldap password sync = No
   unix passwd sync = Yes
   passwd program = /path/to/program %u
   passwd chat = *chat*script*

Additionally, you may need to tweak your slapd.conf acls to support password sync. The DSA needs access to the root DSE in order to determine the server's capabilities. If you are using the Idealx scripts, this should do the trick:

  access to *
      by dn="cn=samba,ou=dsa,dc=example,dc=com" read
      by dn="cn=smbldap-tools,ou=dsa,dc=example,dc=com" read
      by * none

Obviously, the passwd program and passwd chat parameters need to be tailored to your script. I use the smbldap-passwd program from IdealX, and have it set to only update the 'userPassword' attribute in LDAP, not the NT/LM hashes (as samba will do this anyway):

   ldap passwd sync = No
   unix password sync = Yes
   passwd program = /usr/sbin/smbldap-passwd -u %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n

IdealX Samba Administration Scripts

The IdealX smbldap-tools are, in my opinion, essential for running an LDAP-aware Samba server.

The smbldap-populate script will add in the "basic" builtin users and groups you need for decent windows interop.

The other scripts can be specified in smb.conf for things like adding users, adding machines (essential for joining a Windows client to a Samba domain run from LDAP), and so on.

There is a migrate script as well, which will take an existing smbpasswd file and move the accounts into LDAP for you.

Debian users: has Woody packages for Samba 3; you can get it out of testing/unstable otherwise.

The Samba 3 packages have a set of smbldap-tools - you really should set these up.

Now go and read the excellent LDAP-SMB-2.2/HEAD HOWTO.

There is a great howto for Samba 2.2.x and LDAP under Debian Woody at Much of the content will migrate to other systems or to Samba 3 as well, so it's worth a read

For SuSE or OpenSUSE users checkout the Samba PDC/OpenLDAP howto as this takes advantage of the Yast administration tool to do a fair bit of the manual work for you.