Samba-LDAP on Debian

From DWIKI
Revision as of 18:30, 5 April 2008 by Tony (talk | contribs)

Software to install

samba-common

samba-doc

slapd

apt-get install slapd

Choose an admin password.

dpkg-reconfigure slapd

Go with the defaults

libpam-ldap

apt-get install libpam-ldap

Go with defaults, except for dc values. For Root login account use cn=admin instead of cn=manager.

libnss-ldap

apt-get install libnss-ldap

Go with defaults, except for dc values. For Root login account use cn=admin instead of cn=manager. Fix the base dc= line in /etc/libnss_ldap.conf.

Update /etc/nsswitch.conf

passwd: compat ldap
group: compat ldap

smbldap-tools

apt-get install smbldap-tools

Run net getlocalsid and save the output. Read /usr/share/doc/smbldap-tools/README.Debian. In /etc/smbldap-tools/smbldap.conf configure:

  • SID
  • sambaDomain
  • suffix
  • sambaUnixIdPooldn
  • userSmbHome
  • userProfile
  • userHomeDrive
  • mailDomain
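A quick way to confirm the settings listed above before running smbldap-populate. This is an added example, not part of smbldap-tools or the original page. The function names, the sample values and the S-1-5-21-<n>-<n>-<n> shape check on SID are assumptions of this sketch.

```sh
# Added example (not from smbldap-tools): check that the settings listed above
# are present in smbldap.conf and that SID holds only the SID itself.
REQUIRED_KEYS="SID sambaDomain suffix sambaUnixIdPooldn userSmbHome userProfile userHomeDrive mailDomain"

# Print the quoted value of key $2 in file $1; commented-out lines are ignored.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\\(.*\\)\"[[:space:]]*\$/\\1/p" "$1" | tail -n 1
}

# Print space-separated findings (key:missing, key:empty, SID:malformed);
# return 0 only when there are none.
check_smbldap_conf() {
    conf=$1; problems=""
    for key in $REQUIRED_KEYS; do
        if ! grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$conf"; then
            problems="$problems $key:missing"
        elif [ -z "$(conf_value "$conf" "$key")" ]; then
            problems="$problems $key:empty"
        fi
    done
    sid=$(conf_value "$conf" SID)
    # A domain SID has the form S-1-5-21-<n>-<n>-<n>; pasting the whole
    # "SID for domain ... is: ..." line from net getlocalsid fails this test.
    if [ -n "$sid" ] && ! printf '%s\n' "$sid" | grep -Eq '^S-1-5-21(-[0-9]+){3}$'; then
        problems="$problems SID:malformed"
    fi
    printf '%s\n' "${problems# }"
    [ -z "$problems" ]
}

# Constructed sample (all values are placeholders): SID holds the full command
# output, mailDomain is empty, userProfile is only present as a comment.
write_sample() {
    cat > "$1" <<'EOF'
SID="SID for domain EXAMPLE is: S-1-5-21-1111111111-2222222222-3333333333"
sambaDomain="EXAMPLE"
suffix="dc=example,dc=org"
sambaUnixIdPooldn="sambaDomainName=EXAMPLE,${suffix}"
userSmbHome="\\PDC-SRV\%U"
# userProfile="\\PDC-SRV\profiles\%U"
userHomeDrive="H:"
mailDomain=""
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_smbldap_conf "$sample" || true   # userProfile:missing mailDomain:empty SID:malformed
rm -f "$sample"
```

On a real system, call check_smbldap_conf /etc/smbldap-tools/smbldap.conf; an empty line of output and exit status 0 mean all eight settings are filled in.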

/etc/pam.d/common-account

account sufficient pam_ldap.so debug
account required pam_unix.so debug

/etc/pam.d/common-auth

auth [success=1 default=ignore] pam_unix.so try_first_pass debug
auth required pam_ldap.so use_first_pass debug
auth required pam_permit.so

/etc/pam.d/common-password

password   required   pam_unix.so nullok obscure min=4 max=8 md5
password sufficient pam_ldap.so try_first_pass debug

BUGS

  • libpam-ldap
    • debconf should be able to provide/suggest already used dc values like slapd debconf does
    • Root login account should be cn=admin?
  • libnss-ldap
    • debconf should be able to provide/suggest already used dc values like slapd debconf does
    • in fact it should use same config as libpam-ldap or at least look at it
    • debconf sets base dc=padl,dc=com
  • smbldap-tools
    • README.Debian mentions "3. Optionally add indexes to optimize SAMBA access." This is not optional; leaving it out causes smbldap-populate to fail miserably.
    • README.Debian says to run net getlocalsid after changing the samba config. This is wrong, since at that point the command will fail until everything is configured and working. This should be a job for debconf anyway.

FAQ

failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 499

?? rootpw and rootdn in slapd.conf are mandatory, and must match

Links