Samba-LDAP on Debian
From DWIKI
Software to install
samba-common
samba-doc
slapd
apt-get install slapd
Choose an admin password
dpkg-reconfigure slapd
Go with the defaults
libpam-ldap
apt-get install libpam-ldap
Go with defaults, except for dc values. For Root login account use cn=admin instead of cn=manager.
libnss-ldap
apt-get install libnss-ldap
Go with defaults, except for dc values. For Root login account use cn=admin instead of cn=manager. Fix the base dc= line in /etc/libnss_ldap.conf.
Update /etc/nsswitch.conf
passwd: compat ldap
group: compat ldap
smbldap-tools
apt-get install smbldap-tools
Run net getlocalsid and save the output. Read /usr/share/doc/smbldap-tools/README.Debian. In /etc/smbldap-tools/smbldap.conf configure:
- SID
- sambaDomain
- suffix
- sambaUnixIdPooldn
- userSmbHome
- userProfile
- userHomeDrive
- mailDomain
/etc/pam.d/common-account
account sufficient pam_ldap.so debug
account required pam_unix.so debug
/etc/pam.d/common-auth
auth [success=1 default=ignore] pam_unix.so try_first_pass debug
auth required pam_ldap.so use_first_pass debug
auth required pam_permit.so
/etc/pam.d/common-password
password required pam_unix.so nullok obscure min=4 max=8 md5
password sufficient pam_ldap.so try_first_pass debug
BUGS
- libpam-ldap
- debconf should be able to provide/suggest already used dc values like slapd debconf does
- Root login account should be cn=admin?
- libnss-ldap
- debconf should be able to provide/suggest already used dc values like slapd debconf does
- in fact it should use same config as libpam-ldap or at least look at it
- debconf sets base dc=padl,dc=com
- smbldap-tools
- README.Debian mentions "3. Optionally add indexes to optimize SAMBA access." This is not optional; leaving it out causes smbldap-populate to fail miserably.
- README.Debian says to run net getlocalsid after changing the samba config. This is wrong, since at that point the command will fail until everything is configured and working. This should be a job for debconf anyway.
FAQ
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 499
rootpw and rootdn in slapd.conf are mandatory, and must match smbldap_bind.conf.
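The FAQ requirement above as a check, added here as an example (not part of the original page or of smbldap-tools): it compares rootdn/rootpw from slapd.conf with the bind DN and password from smbldap_bind.conf. It assumes the keys there are named masterDN and masterPw and that rootpw is cleartext, {SHA} or {SSHA}; the sample file contents are constructed.

```python
import base64
import hashlib
import hmac
import re

def parse_slapd(text):
    """Return the rootdn/rootpw directives found in slapd.conf text."""
    pairs = re.findall(r'^(rootdn|rootpw)\s+(\S.*?)\s*$', text, re.M | re.I)
    return {k.lower(): v.strip('"') for k, v in pairs}

def parse_bind(text):
    """Return key="value" pairs from smbldap_bind.conf text (assumed format)."""
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', text, re.M))

def norm_dn(dn):
    """Lower-case and strip spaces around commas (enough for simple DNs)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def password_matches(rootpw, clear):
    """Check a cleartext password against a cleartext, {SHA} or {SSHA} rootpw."""
    m = re.match(r'\{S?SHA\}(.+)$', rootpw, re.I)
    if m:
        raw = base64.b64decode(m.group(1))
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest, then salt (none for {SHA})
        return hmac.compare_digest(hashlib.sha1(clear.encode() + salt).digest(), digest)
    if rootpw.startswith("{"):
        # Another hash scheme: refuse rather than compare it as cleartext.
        raise ValueError("unsupported rootpw scheme " + rootpw.split("}")[0] + "}")
    return hmac.compare_digest(rootpw.encode(), clear.encode())

def check(slapd_text, bind_text):
    """Return a list of problems; an empty list means the two files agree."""
    s, b = parse_slapd(slapd_text), parse_bind(bind_text)
    need = (("rootdn", s), ("rootpw", s), ("masterDN", b), ("masterPw", b))
    problems = ["missing " + k for k, d in need if k not in d]
    if problems:
        return problems
    if norm_dn(s["rootdn"]) != norm_dn(b["masterDN"]):
        problems.append("rootdn does not match masterDN")
    if not password_matches(s["rootpw"], b["masterPw"]):
        problems.append("rootpw does not match masterPw")
    return problems

# Constructed sample input, not taken from a real system.
SSHA = "{SSHA}" + base64.b64encode(hashlib.sha1(b"s3cretsalt").digest() + b"salt").decode()
SLAPD = 'rootdn "cn=admin,dc=example,dc=org"\nrootpw ' + SSHA + "\n"
BIND = 'masterDN="cn=admin, dc=example, dc=org"\nmasterPw="s3cret"\n'
```

Call check() with the contents of the two files; smbldap_bind.conf holds the bind password in cleartext, so read it as root and keep it readable by root only.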