Samba-LDAP on Debian

From DWIKI

Revision as of 16:30, 13 September 2008

Software to install

samba-common

samba-doc

slapd

apt-get install slapd

choose admin password

dpkg-reconfigure slapd

Go with the defaults

libpam-ldap

apt-get install libpam-ldap

Go with the defaults, except for the dc= values. For the Root login account, use cn=admin instead of cn=manager.

libnss-ldap

apt-get install libnss-ldap

Go with the defaults, except for the dc= values. For the Root login account, use cn=admin instead of cn=manager. Fix the base dc= line in /etc/libnss_ldap.conf.

Update /etc/nsswitch.conf

passwd: compat ldap
group: compat ldap

smbldap-tools

apt-get install smbldap-tools

Run net getlocalsid and save the output. Read /usr/share/doc/smbldap-tools/README.Debian. In /etc/smbldap-tools/smbldap.conf configure:

  • SID
  • sambaDomain
  • suffix
  • sambaUnixIdPooldn
  • userSmbHome
  • userProfile
  • userHomeDrive
  • mailDomain

/etc/pam.d/common-account

account sufficient pam_ldap.so debug
account required pam_unix.so debug

/etc/pam.d/common-auth

auth [success=1 default=ignore] pam_unix.so try_first_pass debug
auth required pam_ldap.so use_first_pass debug
auth required pam_permit.so

/etc/pam.d/common-password

password required pam_unix.so nullok obscure min=4 max=8 md5
password sufficient pam_ldap.so try_first_pass debug

/etc/pam_ldap.conf

host 127.0.0.1
base dc=example,dc=com
ldap_version 3
rootbinddn cn=admin,dc=example,dc=com
pam_password crypt


BUGS

  • libpam-ldap
    • debconf should be able to provide/suggest already used dc values like slapd debconf does
    • Root login account should be cn=admin?
  • libnss-ldap
    • debconf should be able to provide/suggest already used dc values like slapd debconf does
    • in fact it should use same config as libpam-ldap or at least look at it
    • debconf sets base dc=padl,dc=com
  • smbldap-tools
    • README.Debian lists "3. Optionally add indexes to optimize SAMBA access". This is not optional: leaving it out causes smbldap-populate to fail miserably.
    • README.Debian tells you to run net getlocalsid after changing the samba config. This is wrong, since at that point the command will fail until everything is configured and working. This should be a job for debconf anyway.
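
The libpam-ldap, libnss-ldap and nsswitch.conf steps above are easy to get subtly wrong, and the BUGS list shows why (debconf leaves base dc=padl,dc=com in place, and cn=manager never matches the cn=admin that slapd created). The following added check script is not from this wiki page or the Debian packages; it assumes copies of libnss_ldap.conf, pam_ldap.conf and nsswitch.conf in one directory, and it builds its own constructed sample files to run offline:

```shell
#!/bin/sh
# Added example (not from the wiki page): sanity-check the hand-edited
# libnss-ldap / libpam-ldap / nsswitch settings before testing logins.
# check_ldap_conf DIR: DIR holds copies of libnss_ldap.conf, pam_ldap.conf
# and nsswitch.conf. Prints each problem found; returns 0 only when clean.
check_ldap_conf() {
    dir=$1; rc=0
    for f in libnss_ldap.conf pam_ldap.conf; do
        # debconf leaves the dc=padl,dc=com placeholder suffix (see BUGS)
        if grep -Eq '^base[[:space:]]+dc=padl,dc=com' "$dir/$f"; then
            echo "$f: base is still dc=padl,dc=com, fix the dc= values"; rc=1
        fi
        # Debian's slapd creates cn=admin, so cn=manager can never bind
        if grep -Eq '^rootbinddn[[:space:]]+cn=manager,' "$dir/$f"; then
            echo "$f: rootbinddn uses cn=manager, slapd's admin is cn=admin"; rc=1
        fi
    done
    # libnss-ldap and libpam-ldap must agree on the suffix
    b1=$(sed -n 's/^base[[:space:]]\{1,\}//p' "$dir/libnss_ldap.conf")
    b2=$(sed -n 's/^base[[:space:]]\{1,\}//p' "$dir/pam_ldap.conf")
    if [ "$b1" != "$b2" ]; then
        echo "base differs: libnss_ldap.conf='$b1' pam_ldap.conf='$b2'"; rc=1
    fi
    # without ldap in nsswitch, LDAP users never resolve to uids/gids
    for db in passwd group; do
        grep -Eq "^$db:.*[[:space:]]ldap([[:space:]]|$)" "$dir/nsswitch.conf" \
            || { echo "nsswitch.conf: $db does not list ldap"; rc=1; }
    done
    return $rc
}

# Constructed sample configs: one correct set, one with debconf defaults left in.
# mk_sample DIR BASE ADMIN_CN
mk_sample() {
    mkdir -p "$1"
    printf 'host 127.0.0.1\nbase %s\nldap_version 3\nrootbinddn %s,%s\npam_password crypt\n' \
        "$2" "$3" "$2" > "$1/pam_ldap.conf"
    cp "$1/pam_ldap.conf" "$1/libnss_ldap.conf"
    printf 'passwd: compat ldap\ngroup: compat ldap\n' > "$1/nsswitch.conf"
}
GOOD=$(mktemp -d); BAD=$(mktemp -d)
mk_sample "$GOOD" dc=example,dc=com cn=admin
mk_sample "$BAD" dc=padl,dc=com cn=manager
printf 'passwd: compat\ngroup: compat\n' > "$BAD/nsswitch.conf"
if check_ldap_conf "$GOOD"; then GOOD_RC=0; else GOOD_RC=1; fi
if check_ldap_conf "$BAD"; then BAD_RC=0; else BAD_RC=1; fi
rm -rf "$GOOD" "$BAD"
```

On a real host, point check_ldap_conf at a directory holding copies of the three files from /etc (the page's /etc/libnss_ldap.conf, /etc/pam_ldap.conf and /etc/nsswitch.conf).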

FAQ

failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 499

rootpw and rootdn in slapd.conf are mandatory, and they must match the credentials in smbldap_bind.conf.

Links