Differences between version 8 and predecessor to the previous major change of Samba3LDAP.

Newer page: version 8 Last edited on Sunday, October 31, 2004 5:04:25 pm by DanielLawson
Older page: version 7 Last edited on Tuesday, October 26, 2004 6:59:29 am by AristotlePagaltzis
@@ -1,10 +1,41 @@
-!How to get [Samba] 3 working nicely with a [LDAP] backend. 
+! !How to get [Samba] 3 working nicely with a [LDAP] backend. 
  
 Samba 3 allows samba accounts to not have corresponding unix accounts. This is the first time a Samba has allowed this. However, I've not set it up so I won't go into that. 
  
-So this will - at first anyway - discuss setting up Samba 3 + LDAP in an environment where you already have LDAP handling your unix accounts. See [LDAPNotes] for information on that. 
+So this will - discuss setting up Samba 3 + LDAP in an environment where you already have LDAP handling your unix accounts. See [LDAPNotes] for information on that. 
  
+! smb.conf modifications  
+  
+There are a few ldap-specific smb.conf options you can set. I'd recommend reading the smb.conf manpage for the details on the options. As a quick start, here are the options I have set:  
+  
+<verbatim>  
+ ldap suffix=dc=your,dc=domain,dc=com  
+ ldap user suffix=ou=SMBUsers  
+ ldap machine suffix=ou=SMBMachines  
+ ldap admin dn="cn=admin,ou=People,dc=your,dc=domain,dc=com"  
+ ldap ssl = no  
+  
+ ldap passwd sync = yes  
+</verbatim>  
+  
+The user and machine suffixes are entirely up to you. Just make sure you remember this, and update any other Samba / LDAP scripts you might have to use these suffixes too (such as the idealx scripts mentioned below)  
+  
+If you change the ldap admin dn (or set it for the first time) you need to run smbpasswd and provide it with the ldap bind password:  
+  
+<verbatim>  
+smbpasswd -w LDAPBINDPW  
+</verbatim>  
+  
+The 'ldap passwd sync' parameter here is fairly important. Assuming your accounts are all stored in LDAP, this will let you easily change passwords via the windows change passwords mechanism (which is actually via samba). More on this later.  
+  
+  
+! LDAP Password Sync  
+  
+The default setting for this is 'no', which means 'Update the NT and LM passwords in LDAP, and update the last set time'. This *will* cause a lot of grief if you are trying to use another mechanism to set the password, such as a custom script. It can also be set to 'only' which means it will only update the LDAP password (which is the userPassword field, ie the password that unix services will use via pam_ldap). Setting it to 'yes' means it will attempt to update all three passwords and update the last set time. This is almost definitely what you want.  
+  
+  
+! Notes  
 [Debian] users: Samba.org has [Woody] packages for Samba 3; you can get it out of testing/unstable otherwise. 
  
 The Samba 3 packages have a set of smbldap-tools - you really should set these up. 
  
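Review bot: 'ldap ssl = no' in the smb.conf quick start, combined with 'ldap admin dn' and 'ldap passwd sync = yes', means the admin bind password and every synced password change travel to the LDAP server in cleartext; suggest 'ldap ssl = start tls' here, or state explicitly that 'no' is only acceptable when the directory runs on the same host. In the same section, 'smbpasswd -w LDAPBINDPW' puts the bind password on the command line, so a sentence noting that it lands in shell history and is then stored by Samba in secrets.tdb (which must stay readable by root only) would help. Two markup nits: the title line now begins with '! !', and 'So this will - discuss' keeps a stray dash after the edit.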
@@ -13,12 +44,7 @@
  
 As I don't have much time atm, I'll leave it here. I know this page contains nearly 0 content, but I'll pad it out when I get more time. 
  
 ---- 
-  
-Samba 3 has been released now. It has much better ActiveDirectory support, and also boasts a completely rewritten ldap schema, just to annoy those early adopters who played with the alpha series. They *do* provide a script to convert the two however :)  
-  
------  
-  
 Just stumbled upon this link: http://homex.subnet.at/~max/ldap/ for Samba and LDAP. http://samba.idealx.org/ has a good howto and some smbldap-tools scripts for user administration. 
  
 http://www.idealx.org/prj/samba/smbldap-howto.en.html
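Review bot: Readers upgrading from the Samba 3 alpha series lose the only pointer to the rewritten LDAP schema and its conversion script with the deletion of the 'Samba 3 has been released now' paragraph; consider keeping that one fact as a line under the new Notes heading instead of dropping it. The unchanged line 'I know this page contains nearly 0 content' is also stale now that this revision adds the smb.conf and password sync sections, and could go in the same edit.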