Ignacio Coupeau
CTI, University of Navarra
This howto is derived from the howto for the HEAD pre-2.1 (1999/10/15) stable version.
The new SAMBA-TNG is in a development state, so occasionally some functionality may be broken.
Samba-TNG with an LDAP-backed PDC allows two different approaches:
--with-ldap: include LDAP support for the old schema (not the AD schema).
    schema for LDAP v2: available here, but no longer supported.
    schema for LDAP v3 (OpenLDAP 2.x): you must upgrade the v2 schema to the v3 schema; I am fixing (010627-010706) this document to use the v3 schema.
--with-nt5ldap: include NT5 LDAP support, under construction, see: AD schema.
Please take care about changes in the LDAP schemas: keep in mind that they may change if the development requires it.
Step #1:
Before running the configure script you need to copy the LDAP includes and libraries to the default places (for example, on Linux /usr/include/ and /usr/lib):
cp -p /usr/local/etc/openldap/include/* /usr/include/
cp -p /usr/local/etc/openldap/lib/* /usr/lib
or from wherever the libs/includes are, as decided in the OpenLDAP configure step:
<openldap_source>/configure --prefix=/usr/local/etc/openldap
(Copying into /usr/include and /usr/lib can shadow the system's own LDAP headers and libraries; pointing CPPFLAGS and LDFLAGS at the OpenLDAP prefix when running configure is the less intrusive alternative.)
Step #2:
./configure --prefix=/usr/local/etc/samba_tng --with-ldap
make
make install
Please read source/README carefully: you need to start several daemons, perhaps these (but before that, you need to configure/build the LDAP stuff):
/usr/local/etc/samba_tng/sbin/smbd -d 3
/usr/local/etc/samba_tng/sbin/nmbd -d 3
/usr/local/etc/samba_tng/sbin/srvsvcd
/usr/local/etc/samba_tng/sbin/wkssvcd
/usr/local/etc/samba_tng/sbin/lsarpcd
/usr/local/etc/samba_tng/sbin/samrd
/usr/local/etc/samba_tng/sbin/netlogond
/usr/local/etc/samba_tng/sbin/winregd
/usr/local/etc/samba_tng/sbin/browserd
/usr/local/etc/samba_tng/sbin/spoolssd
/usr/local/etc/samba_tng/sbin/svcctld
Also, with samba-TNG versions prior to 2.1, perhaps you need an account in
the domain for the PDC itself.
The tree used in this example:

dc=es (Spain)
|
dc=unav, dc=es (University of Navarra, unav)
|
o=smb, dc=unav, dc=es (samba objects @ University of Navarra)

So you need to define your own organization/domain objects, like these for the University of Navarra samba tree:

dn: dc=unav, dc=es
dc: unav
objectClass: dcObject
objectClass: organization
o: Universidad de Navarra

dn: o=smb, dc=unav, dc=es
o: smb
objectClass: organization

The slapd.conf example below is a bit complex because we are using two databases: one for samba and the other for unav.es. The rootdn comes from unav.es. The certificates section (TLS) is required only for ldaps purposes:
------ snip ------
[root@arcos openldap]# more slapd.conf
# This file should NOT be world readable.
#
include /usr/local/etc2/openldap_2/etc/openldap/schema/core.schema
include /usr/local/etc2/openldap_2/etc/openldap/schema/cosine.schema
include /usr/local/etc2/openldap_2/etc/openldap/schema/nis.schema
include /usr/local/etc2/openldap_2/etc/openldap/schema/samba-tng.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
referral ldap://bilbo.cti.unav.es
pidfile /usr/local/etc2/openldap_2/var/slapd.pid
argsfile /usr/local/etc2/openldap_2/var/slapd.args
# The <hash> to use for userPassword generation. One of {SSHA}, {SHA},
# {SMD5}, {MD5}, {CRYPT}, {KERBEROS}, {SASL}, and {UNIX}. The default is {SSHA}.
password-hash {CRYPT}
# Certificates
TLSCertificateFile /usr/local/etc2/openldap_2/etc/openldap/ssl/arcos-cert.pem
TLSCertificateKeyFile /usr/local/etc2/openldap_2/etc/openldap/ssl/arcos-key.pem
TLSCACertificateFile /usr/local/etc2/openldap_2/etc/openldap/ssl/CAcerts
#TLSCipherSuite EXPORT56
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=unav, dc=es"
rootdn "cn=root, dc=unav, dc=es"
rootpw <other_secret>
directory /usr/local/etc2/openldap_2/unav-slapd
#cachesize 1000
#dbcachesize 100000
#
#
index default pres,eq
index objectClass
index cn,sn,mail pres,sub,eq
index mailacceptinggeneralid,maildrop eq
#
#
defaultaccess read
#######################################################################
----
Caveat about the ACLs: the comment above announces global ACLs that disable default read access, but none are defined and defaultaccess read is in effect, so every client that can reach slapd (anonymous binds included) can read lmPassword and ntPassword. Those attributes are the LM and NT hashes, which NTLM accepts directly as the credential, so they must be treated exactly like userPassword: add an access to attrs=lmPassword,ntPassword,userPassword directive that gives the Samba bind DN and the entry itself what they need and everybody else none, and put it before any broader rule, because slapd applies the first access directive whose target matches. With the smb.conf shown later the Samba bind DN is the rootdn, which bypasses the ACLs anyway.
Add the schema to the slapd.conf schema list.
# sambatng.schema - Version 0.0.1 - 2001/04/17 - herbert
#
# Copyrights:
# Ignacio Coupeau <icoupeau@unav.es> (original author)
# Joe Little <jlittle@cis.Stanford.EDU> (improvements)
# Armin Herbert <herbert@ph-freiburg.de> (merging)
#
# Samba TNG - LDAPv3 schema
#
# Requires:
# core.schema
# cosine.schema
# nis.schema (uidnumber and gidnumber)
#
# Provides:
# 1.3.6.1.4.1.9183.2 = NT4DOM specs for use with --with-ldap

attributetype ( 1.3.6.1.4.1.9183.2.1.1 NAME 'sambaMember'
    DESC 'samba member'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

attributetype ( 1.3.6.1.4.1.9183.2.1.3 NAME 'ntuid'
    DESC 'NT user ID'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9183.2.1.4 NAME 'rid'
    DESC 'NT hex RID'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9183.2.1.6 NAME 'grouprid'
    DESC 'NT group RID'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9183.2.1.7 NAME 'sid'
    DESC 'NT SID'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9183.2.1.8 NAME 'lmPassword'
    DESC 'LanManager Passwd'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )

attributetype ( 1.3.6.1.4.1.9183.2.1.9 NAME 'ntPassword'
    DESC 'nt Passwd'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )

attributetype ( 1.3.6.1.4.1.9183.2.1.10 NAME 'pwdLastSet'
    DESC 'NT pwdLastSet'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} )

attributetype ( 1.3.6.1.4.1.9183.2.1.11 NAME 'pwdCanChange'
    DESC 'NT pwdCanChange'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} )

attributetype ( 1.3.6.1.4.1.9183.2.1.12 NAME 'pwdMustChange'
    DESC 'NT pwdMustChange'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} )

attributetype ( 1.3.6.1.4.1.9183.2.1.13 NAME 'smbHome'
    DESC 'smbHome'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

attributetype ( 1.3.6.1.4.1.9183.2.1.14 NAME 'homeDrive'
    DESC 'homeDrive'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} )

attributetype ( 1.3.6.1.4.1.9183.2.1.15 NAME 'script'
    DESC 'script'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

attributetype ( 1.3.6.1.4.1.9183.2.1.16 NAME 'profile'
    DESC 'profile'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

attributetype ( 1.3.6.1.4.1.9183.2.1.17 NAME 'acctFlags'
    DESC 'acctFlags'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} )

attributetype ( 1.3.6.1.4.1.9183.2.1.18 NAME 'nextrid'
    DESC 'nextrid'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9183.2.1.19 NAME 'id'
    DESC 'ldap admin user ID'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9183.2.1.20 NAME 'logonTime'
    DESC 'logonTime'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9183.2.1.21 NAME 'logoffTime'
    DESC 'logoffTime'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.9183.2.1.22 NAME 'kickoffTime'
    DESC 'kickoffTime'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.9183.2.2.1 NAME 'sambaAccount'
    DESC 'Provisional sambaAccount'
    SUP top STRUCTURAL
    MUST ( ObjectClass $ uid $ uidNumber $ ntuid $ rid )
    MAY ( gidNumber $ grouprid $ ou $ cn $ description $
          lmPassword $ ntPassword $
          pwdLastSet $ pwdCanChange $ pwdMustChange $
          logonTime $ logoffTime $ kickoffTime $
          smbHome $ homeDrive $ script $ profile $ acctFlags ) )

objectclass ( 1.3.6.1.4.1.9183.2.2.2 NAME 'sambaGroup'
    DESC 'Provisional sambaGroup'
    SUP top STRUCTURAL
    MUST ( ObjectClass $ cn $ rid )
    MAY ( ntuid $ sambaMember $ description ) )

objectclass ( 1.3.6.1.4.1.9183.2.2.3 NAME 'sambaBuiltin'
    DESC 'Provisional sambaBuiltin'
    SUP top STRUCTURAL
    MUST ( ObjectClass $ cn )
    MAY ( sid $ rid $ sambaMember $ ntuid $ description ) )

objectclass ( 1.3.6.1.4.1.9183.2.2.4 NAME 'sambaConfig'
    DESC 'Provisional sambaConfig'
    SUP top STRUCTURAL
    MUST ( ObjectClass $ id $ nextrid ) )

objectclass ( 1.3.6.1.4.1.9183.2.2.5 NAME 'sambaAlias'
    DESC 'Provisional sambaAlias'
    SUP top STRUCTURAL
    MUST ( ObjectClass $ cn )
    MAY ( sid $ rid $ sambaMember $ ntuid $ description ) )
--------- snip -------------
dn: o=smb, dc=unav, dc=es
o: smb
objectclass: organization

dn: id=root, o=smb, dc=unav, dc=es
id: root
objectclass: sambaConfig
nextrid: 3e9

dn: uid=Administrator, o=smb, dc=unav, dc=es
objectclass: sambaAccount
uid: Administrator
lmpassword: 19331995431739EDF9393D97E7A1873C
ntpassword: CE9F79F52D5AEEDB398A8E07C82CA20F
pwdlastset: 3982F885
grouprid: 200
pwdmustchange: ffffffff
ntuid: Administrator
acctflags: [U ]
gidnumber: 0
uidnumber: 522
rid: 1f4

dn: uid=nobody, o=smb, dc=unav, dc=es
objectclass: sambaAccount
uid: nobody
uidnumber: 99
ntuid: guest
rid: 1f5
pwdlastset: 39856D06
acctflags: [NU ]
lmpassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
ntpassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
---------- eof -----------------
Note:
Keep in mind that an account that logs in needs the equivalent /etc/passwd entry.
When you add a user account with bin/smbpasswd, the /etc/passwd entry is tested, the rid is incremented (+1) and assigned; but the administrative accounts (i.e. well-known RIDs) are inserted manually, so you must check that the rid is right AND that the /etc/passwd entry exists with the same uid as the uidnumber attribute (522 above); for example:
Administrator:*:522:0:Linux samba Administrator:/home/administrador:/dev/null
A2) SIDs and RIDs
-----------------
SIDs and RIDs are well documented elsewhere.
A SID is an NT Security ID (see the DOM_SID structure). They are of the form:
S-revision-NN-SubAuth1-SubAuth2-SubAuth3...
S-revision-0xNNNNNNNNNNNN-SubAuth1-SubAuth2-SubAuth3...
Currently, the SID revision is 1. The Sub-Authorities are known as Relative IDs (RIDs).

A2.1) Well-known SIDs
---------------------
A2.1.1) Universal well-known SIDs
---------------------------------
Null SID                 S-1-0-0
World                    S-1-1-0
Local                    S-1-2-0
Creator Owner ID         S-1-3-0
Creator Group ID         S-1-3-1
Creator Owner Server ID  S-1-3-2
Creator Group Server ID  S-1-3-3
(Non-unique IDs)         S-1-4

A2.1.2) NT well-known SIDs
--------------------------
NT Authority             S-1-5
Dialup                   S-1-5-1
Network                  S-1-5-2
Batch                    S-1-5-3
Interactive              S-1-5-4
Service                  S-1-5-6
AnonymousLogon           S-1-5-7 (aka null logon session)
Proxy                    S-1-5-8
ServerLogon              S-1-5-9 (aka domain controller account)
(Logon IDs)              S-1-5-5-X-Y
(NT non-unique IDs)      S-1-5-0x15-... (S-1-5-21-...)
(Built-in domain)        S-1-5-0x20 (S-1-5-32)

A2.2) Well-known RIDs
---------------------
A RID is a sub-authority value, as part of either a SID, or in the case of Group RIDs, part of the DOM_GID structure, in the USER_INFO_1 structure, in the LSA SAM Logon response.

A2.2.1) Well-known RID users
----------------------------
DOMAIN_USER_RID_ADMIN          0x0000 01F4
DOMAIN_USER_RID_GUEST          0x0000 01F5

A2.2.2) Well-known RID groups
-----------------------------
DOMAIN_GROUP_RID_ADMINS        0x0000 0200
DOMAIN_GROUP_RID_USERS         0x0000 0201
DOMAIN_GROUP_RID_GUESTS        0x0000 0202

A2.2.3) Well-known RID aliases
------------------------------
DOMAIN_ALIAS_RID_ADMINS        0x0000 0220
DOMAIN_ALIAS_RID_USERS         0x0000 0221
DOMAIN_ALIAS_RID_GUESTS        0x0000 0222
DOMAIN_ALIAS_RID_POWER_USERS   0x0000 0223
DOMAIN_ALIAS_RID_ACCOUNT_OPS   0x0000 0224
DOMAIN_ALIAS_RID_SYSTEM_OPS    0x0000 0225
DOMAIN_ALIAS_RID_PRINT_OPS     0x0000 0226
DOMAIN_ALIAS_RID_BACKUP_OPS    0x0000 0227
DOMAIN_ALIAS_RID_REPLICATOR    0x0000 0228
So, you can import several internal records. Look at the sambaBuiltin and sambaAlias entries below. Group membership is written as name,rid,type in the sambaMember attribute of the v3 schema above (the old v2 schema called it member). Note also that OpenLDAP releases after 2.0 enforce a single STRUCTURAL object class chain and reject entries that are both sambaBuiltin and sambaAlias; with those releases one of the two classes has to become AUXILIARY in the schema.
---- snip ----
dn: cn=Domain Admins, o=smb, dc=unav, dc=es
sambaMember: Administrator,1f4,1
objectclass: sambaGroup
ntuid: Domain Admins
rid: 200
cn: Domain Admins

dn: cn=Domain Users, o=smb, dc=unav, dc=es
objectclass: sambaGroup
ntuid: Domain Users
rid: 201
cn: Domain Users

dn: cn=Domain Guests, o=smb, dc=unav, dc=es
objectclass: sambaGroup
ntuid: Domain Guests
rid: 202
cn: Domain Guests

dn: cn=Administrators, o=smb, dc=unav, dc=es
description: Members can fully administer the computer/domain
sid: S-1-5-32-544
objectclass: sambaBuiltin
objectclass: sambaAlias
ntuid: Administrators
rid: 220
cn: Administrators
gidnumber: 0

dn: cn=Users, o=smb, dc=unav, dc=es
sid: S-1-5-32-545
objectclass: sambaBuiltin
objectclass: sambaAlias
ntuid: Users
rid: 221
cn: Users
gidnumber: 200

dn: cn=Guests, o=smb, dc=unav, dc=es
sid: S-1-5-32-546
objectclass: sambaBuiltin
objectclass: sambaAlias
ntuid: Guests
rid: 222
cn: Guests
gidnumber: 99
sambaMember: nobody,1f5,1

dn: cn=Account Operators, o=smb, dc=unav, dc=es
sid: S-1-5-32-548
objectclass: sambaBuiltin
objectclass: sambaAlias
ntuid: Account Operators
rid: 224
cn: Account Operators

dn: cn=Server Operators, o=smb, dc=unav, dc=es
sid: S-1-5-32-549
objectclass: sambaBuiltin
objectclass: sambaAlias
ntuid: Server Operators
rid: 225
cn: Server Operators

dn: cn=Print Operators, o=smb, dc=unav, dc=es
sid: S-1-5-32-550
objectclass: sambaBuiltin
objectclass: sambaAlias
ntuid: Print Operators
rid: 226
cn: Print Operators

dn: cn=Backup Operators, o=smb, dc=unav, dc=es
sid: S-1-5-32-551
objectclass: sambaBuiltin
objectclass: sambaAlias
ntuid: Backup Operators
rid: 227
cn: Backup Operators

dn: cn=Replicator, o=smb, dc=unav, dc=es
sid: S-1-5-32-552
objectclass: sambaBuiltin
objectclass: sambaAlias
ntuid: Replicator
rid: 228
cn: Replicator
--------- eof ------------
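An added Python example (not the HOWTO's code) for the SID/RID material above: the directory stores rid as bare hex ("rid: 1f4"), the sid attribute of the sambaBuiltin entries is decimal ("S-1-5-32-544"), and the well-known tables are written as 0x0000 01F4, so comparing them as strings goes wrong. The block parses SIDs into domain part and RID, maps RIDs to the well-known names from the tables, and checks a constructed copy of the sambaBuiltin entries for a rid that disagrees with the RID embedded in its sid; the constant names and the 0x3e9 start of allocated RIDs come from the page, everything else is this example's own.

```python
"""Added example: SID/RID arithmetic for the Samba-TNG LDAP entries."""
import re

SID_RE = re.compile(r"^[Ss]-(\d+)-(\d+|0x[0-9A-Fa-f]+)((?:-(?:\d+|0x[0-9A-Fa-f]+))*)$")

BUILTIN_DOMAIN = "S-1-5-32"      # the "built-in domain" S-1-5-0x20 of the table above
FIRST_ALLOCATED_RID = 0x3E9      # nextrid in the sambaConfig entry

WELL_KNOWN_RIDS = {
    0x1F4: "DOMAIN_USER_RID_ADMIN", 0x1F5: "DOMAIN_USER_RID_GUEST",
    0x200: "DOMAIN_GROUP_RID_ADMINS", 0x201: "DOMAIN_GROUP_RID_USERS",
    0x202: "DOMAIN_GROUP_RID_GUESTS",
    0x220: "DOMAIN_ALIAS_RID_ADMINS", 0x221: "DOMAIN_ALIAS_RID_USERS",
    0x222: "DOMAIN_ALIAS_RID_GUESTS", 0x223: "DOMAIN_ALIAS_RID_POWER_USERS",
    0x224: "DOMAIN_ALIAS_RID_ACCOUNT_OPS", 0x225: "DOMAIN_ALIAS_RID_SYSTEM_OPS",
    0x226: "DOMAIN_ALIAS_RID_PRINT_OPS", 0x227: "DOMAIN_ALIAS_RID_BACKUP_OPS",
    0x228: "DOMAIN_ALIAS_RID_REPLICATOR",
}


def parse_sid(sid: str):
    """S-revision-authority-sub1-...-subN -> (revision, authority, [subs]).
    Sub-authorities may be decimal or 0x-prefixed hex, as in the tables above."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError("not a SID: %r" % sid)
    subs = [int(s, 0) for s in m.group(3).split("-") if s]
    return int(m.group(1)), int(m.group(2), 0), subs


def split_sid(sid: str):
    """(domain SID, RID): the RID is the last sub-authority."""
    rev, auth, subs = parse_sid(sid)
    if not subs:
        raise ValueError("SID has no RID: %r" % sid)
    domain = "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs[:-1])
    return domain, subs[-1]


def rid_from_ldap(value: str) -> int:
    """The rid/grouprid attributes are hex without a 0x prefix."""
    return int(value.strip(), 16)


def describe_rid(rid: int) -> str:
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= FIRST_ALLOCATED_RID:
        return "allocated by smbpasswd/samedit"
    return "reserved, not in the HOWTO's table"


def check_builtin_entries(ldif_text: str) -> list:
    """Problems in sambaBuiltin entries: a hex rid that disagrees with the RID
    inside the sid, or a sid outside the built-in domain."""
    problems = []
    for entry in ldif_text.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            key, _, val = line.partition(":")
            attrs.setdefault(key.strip().lower(), val.strip())
        if "sid" not in attrs or "rid" not in attrs:
            continue
        domain, rid_in_sid = split_sid(attrs["sid"])
        rid = rid_from_ldap(attrs["rid"])
        if domain != BUILTIN_DOMAIN:
            problems.append("%s: sid %s is not in %s" % (attrs["cn"], attrs["sid"], BUILTIN_DOMAIN))
        if rid != rid_in_sid:
            problems.append("%s: rid %x != sid RID %d" % (attrs["cn"], rid, rid_in_sid))
    return problems


# Constructed from the sambaBuiltin entries above.
SAMPLE_LDIF = """\
dn: cn=Administrators, o=smb, dc=unav, dc=es
sid: S-1-5-32-544
objectclass: sambaBuiltin
rid: 220
cn: Administrators

dn: cn=Users, o=smb, dc=unav, dc=es
sid: S-1-5-32-545
objectclass: sambaBuiltin
rid: 221
cn: Users

dn: cn=Replicator, o=smb, dc=unav, dc=es
sid: S-1-5-32-552
objectclass: sambaBuiltin
rid: 228
cn: Replicator
"""

# Constructed, deliberately wrong: the Guests alias carrying the Users rid.
BROKEN_ENTRY = """\
dn: cn=Guests, o=smb, dc=unav, dc=es
sid: S-1-5-32-546
objectclass: sambaBuiltin
rid: 221
cn: Guests
"""

if __name__ == "__main__":
    dom, rid = split_sid("S-1-5-21-3723612833-20774843-2650202883-500")
    print(dom, hex(rid), describe_rid(rid))
    print("consistent:", check_builtin_entries(SAMPLE_LDIF))
    print("broken:", check_builtin_entries(BROKEN_ENTRY))
```

The same split explains the samedit output later on this page: the SIDs it adds to the alias end in -1001 (0x3e9, icoupeau), -500 (0x1f4, Administrator) and -512 (0x200, Domain Admins, hence member type 2).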
Modify the smb.conf file:
------ snip ------
#
#
# CTI, Universidad de Navarra
# Ignacio Coupeau 000813; printers
# Ignacio Coupeau 010626; v3 stuff
#
[global]
ldap suffix = "o=smb, dc=unav, dc=es"
ldap bind as = "cn=root, dc=unav, dc=es"
ldap passwd file = /usr/local/etc/samba_tng/private/ldappasswd
#ldap server = LDAP-SMB1 LDAP-SMB2
ldap server = arcos.cti.unav.es
ldap port = 389
workgroup = CTI-SMB-TNG
netbios name = bilbo
comment = Linux RedHat Samba Server
security = user
null passwords = Yes
encrypt passwords = yes
logon drive = U:
domain master = yes
domain logons = yes
preferred master = yes
os level = 255
wins support = yes
wins proxy = yes
time offset = 60
time server = True
log file = /usr/local/etc/samba_tng/logs
public = No
browseable = No
writable = No
#[homes]
#comment = Private directories
#path = /usr/local/etc/samba_tng/usr/%u
#read only = no
#create mode = 0700
#comment = Home Directories
#browseable = yes
[netlogon]
path = /usr/local/etc/samba_tng/netlogon
locking = no
writeable = yes
guest ok = no
browseable = yes
[profiles]
path = /usr/local/etc/samba_tng/profiles
#writeable = no; yes: only for profile modifs
writeable = no
guest ok = yes
browseable = yes
create mode = 0777
--------- eof -----------
Notes about the LDAP parameters in smb.conf:
Note about the LDAP root password: the slapd.conf file contains a line like:
rootpw <a_secret_word>
and the smb.conf file contains a line like:
ldap passwd file = /usr/local/etc/samba_tng/private/ldappasswd
... this is the file that contains the password <a_secret_word>. It is the rootdn password, which bypasses every slapd ACL, so keep the file owned by root with mode 0600.
Note about the shares: [netlogon] is writeable = yes, so, subject to the Unix permissions of the directory, any domain user can edit the logon scripts that other users' workstations execute at logon; set it writeable = no and edit the scripts as root on the server. [profiles] is guest ok = yes with create mode = 0777, which lets any user (the guest account included) read every roaming profile and, while writeable = yes is switched on for profile changes, overwrite them. null passwords = Yes allows clients to log in to accounts whose password is empty; that is what the root login without a password in the samedit examples below relies on.
/etc/passwd and /etc/group must contain the accounts and groups... also the Administrator and nobody samba internal accounts.
The fast (batch) commands:
First log in as root with samedit:
bin/samedit -S . -U root
The entire negotiation yields something like:
[root@bilbo samba_tng]# bin/samedit -S . -U root
added interface ip=159.237.12.42 bcast=159.237.12.255 nmask=255.255.255.0
Enter Password: <null passwd>
Second, add the users or machines (machine accounts are <name>$; both need an entry in /etc/passwd):
[root@.]$ createuser <account>
example:
[root@.]$ createuser PORTABLE$
createuser PORTABLE$
SAM Create Domain User
Domain: CTI-SMB-TNG Name: PORTABLE$ ACB: [W ]
Resetting Trust Account to insecure, initial, well-known value: "PORTABLE"
PORTABLE can now be joined to the domain, which should
be done on a private, secure network as soon as possible
getpwnam(root) called
Create Domain User: OK
For add/replace users, from samedit:
[root@.]$ createuser <a_userid> -p <a_user_passwd>
example:
[root@.]$ createuser icoupeau -p XYZ
createuser icoupeau -p XYZ
SAM Create Domain User
Domain: CTI-SMB-TNG Name: icoupeau ACB: [U ]
getpwnam(root) called
Create Domain User: OK
also, with shell/scripts:
bin/samedit -U root -S . -N -c "createuser $NEWUSER -p $PASSWORD"
(The password is then visible in the process list and in the shell history, and because -c executes semicolon-separated commands, a $PASSWORD containing ";" or whitespace is split into extra commands or arguments; validate it before building the string.)
For delete users/workstations: deluser doesn't work for me at this moment (010416):
[root@.]$ deluser icb$
deluser icb$
SAM Delete Domain User
msrpc_receive: failed
Broken pipe
Instead try the ldapdelete command for now.
For password replacements: try it from an NT workstation; also, this may work: log in to the domain with the user/password you want to change:
[root@bilbo samba_tng]# bin/samedit -S . -U icoupeau
added interface ip=159.237.12.42 bcast=159.237.12.255 nmask=255.255.255.0
Enter Password: <your_actual_passwd>
Once logged in, type ntpass; that's all:
[icoupeau@.]$ ntpass
ntpass
SAM NT Password Change
User: icoupeau Domain:
New Password:
retype:
getpwnam(root) called
NT Password changed OK
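The batch procedure above, as an added Python example (not the HOWTO's script): it checks the /etc/passwd prerequisite the text states, refuses account names and passwords that the samedit -c command string cannot carry (";" separates commands, whitespace separates createuser arguments), gives machine accounts no -p because samedit resets them to the well-known initial trust password itself, and builds the argv for a non-interactive run. The samedit path and the passwd excerpt are constructed; that createuser splits its arguments on whitespace is inferred from the usage shown above.

```python
"""Added example: building samedit batch commands safely."""
import subprocess

SAMEDIT = "/usr/local/etc/samba_tng/bin/samedit"   # assumed install prefix
NETBIOS_NAME_MAX = 15                                # machine accounts are NAME$ with NAME <= 15 chars

# Constructed /etc/passwd excerpt (the HOWTO's Administrator line plus three more).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
Administrator:*:522:0:Linux samba Administrator:/home/administrador:/dev/null
icoupeau:x:1001:201:Ignacio:/home/icoupeau:/bin/bash
PORTABLE$:*:1050:201:machine account:/dev/null:/dev/null
"""


def passwd_names(passwd_text: str) -> set:
    return {line.split(":", 1)[0] for line in passwd_text.splitlines()
            if line and not line.startswith("#")}


def validate_account(name: str) -> None:
    if not name or name != name.strip():
        raise ValueError("empty or padded account name")
    if any(ch in name for ch in ";\r\n\t \"'\\"):
        raise ValueError("account name would break the samedit command string: %r" % name)
    if name.endswith("$") and len(name) - 1 > NETBIOS_NAME_MAX:
        raise ValueError("machine name longer than %d characters: %r" % (NETBIOS_NAME_MAX, name))


def validate_password(password: str) -> None:
    # -c splits on ';' and createuser on whitespace; neither can be escaped here.
    if not password or any(ch.isspace() or ch == ";" for ch in password):
        raise ValueError("password is empty or contains whitespace or ';'")


def createuser_command(name: str, password: str = None) -> str:
    """The command samedit runs for one account.  Machine accounts (NAME$)
    get no -p: samedit resets them to the well-known initial value itself."""
    validate_account(name)
    if name.endswith("$"):
        if password is not None:
            raise ValueError("machine accounts take no password")
        return "createuser %s" % name
    if password is None:
        raise ValueError("user accounts need a password")
    validate_password(password)
    return "createuser %s -p %s" % (name, password)


def samedit_argv(commands: list, admin: str = "root") -> list:
    """argv for a non-interactive run on the PDC itself (-S .).  The passwords
    still appear in `ps` output, exactly as with the shell one-liner."""
    return [SAMEDIT, "-S", ".", "-U", admin, "-N", "-c", ";".join(commands)]


def provision(accounts: list, passwd_text: str, run: bool = False) -> list:
    """accounts: [(name, password_or_None), ...].  Every name must already have
    a Unix account; nothing is sent to the SAM otherwise.  Returns the argv."""
    known = passwd_names(passwd_text)
    missing = [n for n, _ in accounts if n not in known]
    if missing:
        raise LookupError("no /etc/passwd entry for: %s" % ", ".join(missing))
    argv = samedit_argv([createuser_command(n, p) for n, p in accounts])
    if run:
        subprocess.run(argv, check=True)
    return argv


if __name__ == "__main__":
    print(provision([("PORTABLE$", None), ("icoupeau", "XYZ")], PASSWD_SAMPLE))
```

Join PORTABLE to the domain immediately after running this: as the samedit output above says, until then the trust account password is the well-known lowercase machine name.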
With ldapmodify, you can add/replace some attributes such as "homeDrive", "script" and "profile"...
You need only specify the relative "logon script" name (in this example 037148.bat); this script will be searched for in the [netlogon] share.
For our classrooms I found "pwdMustChange: FFFFFFFF" very useful, because it overrides the dialog box for password replacement.
------- snip-----------
dn: uid=037148, o=smb, dc=unav, dc=es
changetype: modify
replace: profile
profile: \\bilbo\profiles\prn1
-
replace: script
script: 037148.bat
-
replace: homeDrive
homeDrive: U:
-
replace: gidnumber
gidnumber: 201
-
replace: grouprid
grouprid: 202
-
replace: pwdCanChange
pwdCanChange: 00000000
-
replace: pwdMustChange
pwdMustChange: FFFFFFFF
-
------EOF------
Note:
The syntax:
profile: \\bilbo\profiles\prn1
works, and now:
profile: \\%L\profiles\%U
works also: fixed.
This section follows http://us1.samba.org/listproc/samba-technical/2536.html (M. Chapman):
# The smb.conf map files are overridden by the internals/groups/builtin entries in the LDAP database instead.
#domain group map = /usr/local/etc/samba_tng/lib/domain_group.map
#domain user map = /usr/local/etc/samba_tng/lib/domain_user.map
#local group map = /usr/local/etc/samba_tng/lib/local_group.map
For example, assume now that you need to grant administrative privileges to an existing user called "admin". To do this, you need to complete two steps:
Step #1
To get the "rid" you can perform a search like:
./ldapsearch -L -b "o=smb, dc=unav, dc=es" "uid=*" rid -h bilbo
The output is something like:
dn: uid=icoupeau, o=smb, dc=unav, dc=es
rid: 3e9

dn: uid=www, o=smb, dc=unav, dc=es
rid: 3eb

dn: uid=nobody, o=smb, dc=unav, dc=es
rid: 3ec
...
dn: uid=admin, o=smb, dc=unav, dc=es
rid: 3f5

So, to add the member "admin" to the group "Domain Admins", run the command ./ldapmodify -f <file> ... where <file> contains the following (the type "1" says that the group member is a "user"; the attribute is sambaMember in the v3 schema above, member in the old v2 schema):
------ snip ------
dn: cn=Domain Admins, o=smb, dc=unav, dc=es
changetype: modify
add: sambaMember
sambaMember: admin,3f5,1
-
------EOF------
Step #2
You need to add the grouprid of "Domain Admins" and the unix gidnumber (0, root) to the user admin. For this, run the command ./ldapmodify -f <file> ... where <file> contains:
------ snip ------
dn: uid=admin, o=smb, dc=unav, dc=es
changetype: modify
replace: gidnumber
gidnumber: 0
-
replace: grouprid
grouprid: 200
-
------EOF------
RPC samedit
(under construction)
First log in as root (or as a user with administrative privileges in the domain where you want to log in).
[root@bilbo bin]# ./samedit
Usage: /usr/local/etc/samba_tng/bin/samedit [\server] [password] [-U user] -[W domain] [-l log]
Version TNG-alpha
-d debuglevel           set the debuglevel
-S <\>server            Server to connect to (\. or . for localhost)
-l log basename.        Basename for log/debug files
-n netbios name.        Use this name as my netbios name
-N                      don't ask for a password
-m max protocol         set the max protocol level
-I dest IP              use this IP to connect to
-E                      write messages to stderr instead of stdout
-U username             set the network username
-U username%pass        set the network username and password
-W domain               set the domain name
-c 'command string'     execute semicolon separated commands
-t terminal code        terminal i/o code {sjis|euc|jis7|jis8|junet|hex}
So, if you are on the samba server (i.e. "-S .") logged in as root, you can connect as any user (I think so). In this example I logged in as administrator (an account with administrative privileges). The -U user%password form puts the password on the command line, where other local users can read it from the process list; the interactive prompt (no %) avoids that.
[root@bilbo bin]# ./samedit -S . -U administrator%<a_passwd>
?
[list commands]
ntlogin domlist domtrust samsync lookupdomain
samlookuprids samlookupnames enumusers addgroupmem addaliasmem
delgroupmem delaliasmem creategroup createalias createuser
deluser delgroup delalias ntpass samquerysec
samuserset2 samuserset samuser samgroup samalias
samaliasmem samgroupmem samtest enumaliases enumdomains
enumgroups dominfo dispinfo set use
quit q exit bye help ?
[administrator@.]$ enumgroups
[list groups]
enumgroups
SAM Enumerate Groups
Group RID: 200 Group Name: Domain Admins
Group RID: 201 Group Name: Domain Users
Group RID: 202 Group Name: Domain Guests
[administrator@.]$ addaliasmem
[add members to an alias]
addaliasmem
addaliasmem <alias name> [member name1] [member name2] ...
[root@.]$ addaliasmem cti icoupeau administrator
addaliasmem cti icoupeau administrator
SAM Domain Alias Member
SID added to Alias 0x3ed: S-1-5-21-3723612833-20774843-2650202883-1001
SID added to Alias 0x3ed: S-1-5-21-3723612833-20774843-2650202883-500
Add Domain Alias Member: OK
[I think there is a bug here, because:
[root@bilbo openldap]# sh samba-search "cn=cti"]
dn: cn=cti, o=smb, dc=unav, dc=es
objectclass: sambaAlias
cn: cti
rid: 3ed
member: ,S-1-5-21-3723612833-20774843-2650202883-1001,1
member: ,S-1-5-21-3723612833-20774843-2650202883-500,1
member: ,S-1-5-21-3723612833-20774843-2650202883-512,2
---
as you can see, before the SIDs, the name was lost ???
[administrator@.]$ enumaliases
[list aliases]
enumaliases
SAM Enumerate Aliases
Alias RID: 220 Alias Name: Administrators
Alias RID: 221 Alias Name: Users
Alias RID: 222 Alias Name: Guests
Alias RID: 224 Alias Name: Account Operators
Alias RID: 225 Alias Name: Server Operators
Alias RID: 226 Alias Name: Print Operators
Alias RID: 227 Alias Name: Backup Operators
Alias RID: 228 Alias Name: Replicator
Alias RID: 3ed Alias Name: cti
[administrator@.]$ enumusers
[list users]
enumusers
SAM Enumerate Users
User RID: 1f4 User Name: Administrator
User RID: 1f5 User Name: nobody
User RID: 3e9 User Name: icoupeau
User RID: 3ea User Name: cti-portatil$
User RID: 3eb User Name: pharos02$
User RID: 3ec User Name: icb$
[administrator@.]$ samaliasmem
samaliasmem
samaliasmem [DOMAIN\]<name>
[administrator@.]$ samaliasmem cti
samaliasmem cti
SAM Query Alias: cti
From: BILBO To: \\. Domain: CTI-SMB-DEV SID: S-1-5-21-3723612833-20774843-2650202883
Alias Members:
-------------
Member Name: CTI-SMB-DEV\icoupeau Type: User
Member Name: CTI-SMB-DEV\Administrator Type: User
to be continued...
I just wanted to post this to let everyone know that I got the following working:
1) Samba-TNG-2.6 as a PDC for Win2K, WinNT and Win98 clients
2) Password sync with Samba using OpenLDAP
3) Linux clients authenticating off of OpenLDAP using pam_ldap and nss_ldap.
4) pam_ldap/nss_ldap encrypted with the use of stunnel
Here is the following configuration information:
smb.conf file:
ldap suffix = "<LDAP Suffix>"
ldap bind as = "<LDAP Bind Info>"
ldap port = 389
.
.
.
unix password sync = yes
passwd program = /usr/local/samba/bin/ldapsync %u
passwd chat = *New*Password* %n\n *modifying*
My ldap sync perl script called ldapsync %u:
#!/usr/bin/perl -w
# Run by smbd through "passwd program = ldapsync %u"; the new password
# arrives on stdin, driven by the "passwd chat" line above.
$user=$ARGV[0];
print "New Password: ";
$pass=<STDIN>;
chomp $pass;
# two-character salt for the traditional crypt(3) hash
$salt=join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64];
$pass=crypt($pass,$salt);
# the bind password is passed on the command line, so it shows up in ps
$FILE="|ldapmodify -D '<LDAP Bind>' -w <LDAP Password>";
open FILE or die;
print FILE <<EOF;
dn: uid=$user, ...ldap suffix...
changetype: modify
replace: userPassword
userPassword: {crypt}$pass
EOF
close FILE;
exit 0;
The best reference material to go by is the following URL for samba as a PDC and ldap:
http://www.unav.es/cti/ldap-smb-howto.html
--
Jody Haynes
This example assumes that you have several PDCs, several shares distributed on several Samba servers, and two (or more) synchronized LDAP servers.
A user entry:
dn: uid=037183, o=smb, dc=unav, dc=es
objectclass: sambaAccount
uid: 037183
uidnumber: 19233
ntuid: 037183
rid: 43dd
acctflags: [U ]
profile: \\%L\profiles\prn1
homedrive: U:
smbhome: \\saco1\bag1\037183
pwdcanchange: 00000000
pwdmustchange: FFFFFFFF
lmpassword: 2D8ACB8EA60FF445AAD3B435B51404EE
ntpassword: A48AB840D44FF7C6F6B4AC4165B585B1
pwdlastset: 361BAF8E
gidnumber: 201
grouprid: 20

PDC of the CTI-SMB-D1 domain:
[global]
ldap suffix = "o=smb, dc=unav, dc=es"
ldap bind as = "uid=root, o=SMB-Universidad de Navarra, c=ES"
ldap passwd file = /usr/local/etc/samba_tng/private/ldappasswd
ldap server = LDAP-SMB1 LDAP-SMB2
ldap port = 389
workgroup = CTI-SMB-D1
logon drive = U:
preferred master = yes
log file = /usr/local/etc/samba_tng/logs
[netlogon]
[profiles]

PDC of the CTI-SMB-C1 domain:
[global]
ldap suffix = "o=smb, dc=unav, dc=es"
ldap bind as = "uid=root, o=SMB-Universidad de Navarra, c=ES"
ldap passwd file = /usr/local/etc/samba_tng/private/ldappasswd
ldap server = LDAP-SMB1 LDAP-SMB2
ldap port = 389
workgroup = CTI-SMB-C1
logon drive = U:
preferred master = yes
log file = /usr/local/etc/samba_tng/logs
[netlogon]
[profiles]

So, at last, very tired, I found the key for replication is (I hope) these access lines:
access to dn="uid=.*,o=smb,dc=unav,dc=es"
access to dn="id=.*,o=smb,dc=unav,dc=es"
access to dn="cn=.*,o=smb,dc=unav,dc=es"
access to dn="o=smb,dc=unav,dc=es"
Look at these lines in the master and slave slapd.conf:
# master LDAP configuration file
# CTI, Universidad de Navarra
# Ignacio Coupeau 990830
#
include /usr/local/etc/openldap/etc/openldap/slapd.at.conf
include /usr/local/etc/openldap/etc/openldap/slapd.oc.conf
schemacheck on
#------------------------------------------------------

# slave LDAP configuration file
# CTI, Universidad de Navarra
# Ignacio Coupeau 990830
include /usr/local/etc/openldap/etc/openldap/slapd.at.conf
#------------------------------------------------------

smb.conf of the first file server:
#
# CTI, Universidad de Navarra
# Ignacio Coupeau 990825, ldap= LDAP-SMB1 LDAP-SMB2
#
[global]
comment = Linux RedHat Samba Server Saco1
null passwords = Yes
log file = /usr/local/etc/samba_tng/logs
[bag1]

smb.conf of the second file server:
#
# CTI, Universidad de Navarra
# Ignacio Coupeau 990825, ldap= LDAP-SMB1 LDAP-SMB2
#
[global]
comment = Linux RedHat Samba Server Saco2
null passwords = Yes
log file = /usr/local/etc/samba_tng/logs
[bag2]

Note: I strongly recommend that you test the replication. With Linux RH 5.2 kernel 2.2.10 I needed to run slurpd in one-shot mode every 1-2 hours; as a daemon it did not run well at all.
#!/usr/bin/perl
#
# Ignacio Coupeau, 000803.01
# Ignacio Coupeau, 000811.01 network... added
# Ignacio Coupeau, 000814.01 fixed nobody/guest/[NU ]
# Ignacio Coupeau, 010626.01 changed base
#
# Populates an ldap-samba database from scratch
# - you need an ldap database created, with a_password, a slapd.conf well defined and so on.
#
#
$ldapPasswd = "a_secret";
$ldapRDN = "cn=root, dc=unav, dc=es";
$ldap_base = "o=smb, dc=unav, dc=es";
$ldap_organization = "smb";
$ldap_host = "localhost";
# -w puts the rootdn password on the command line (visible in ps while ldapadd runs)
$ldapmodify_cmd = "/usr/local/etc2/openldap_2/bin/ldapadd -c -r -D \"$ldapRDN\" -w $ldapPasswd -h $ldap_host ";
#
#
#
# NB: this echoes the command, rootdn password included, to the terminal
print "$ldapmodify_cmd \n";
create_ldif_basic();
create_ldif_builtin();
create_ldif_adds();
system ("$ldapmodify_cmd -f basic_ldif");
system ("$ldapmodify_cmd -f builtin_ldif");
system ("$ldapmodify_cmd -f adds_ldif");
exit(0);
sub create_ldif_basic {
open (LDIF, ">basic_ldif");
print LDIF <<pagina;
dn: $ldap_base
o: $ldap_organization
objectclass: organization

dn: id=root, $ldap_base
objectClass: sambaConfig
id: root
nextrid: 3e9

dn: uid=Administrator, $ldap_base
objectclass: sambaAccount
uid: Administrator
lmpassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
ntpassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
pwdlastset: 3982F885
grouprid: 200
pwdmustchange: ffffffff
ntuid: Administrator
acctflags: [U ]
gidnumber: 0
uidnumber: 506
rid: 1f4

dn: uid=nobody, $ldap_base
objectclass: sambaAccount
uid: nobody
uidnumber: 99
ntuid: nobody
rid: 1f5
pwdlastset: 39856D06
acctflags: [NU ]
lmpassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
ntpassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
pagina
close (LDIF);
}
sub create_ldif_builtin() {
open (LDIF, ">builtin_ldif");
print LDIF <<pagina;
dn: cn=Domain Admins, $ldap_base
objectclass: sambaGroup
ntuid: Domain Admins
rid: 200
cn: Domain Admins
sambaMember: Administrator,1f4,1

dn: cn=Domain Users, $ldap_base
objectclass: sambaGroup
ntuid: Domain Users
rid: 201
cn: Domain Users

dn: cn=Domain Guests, $ldap_base
objectclass: sambaGroup
ntuid: Domain Guests
rid: 202
cn: Domain Guests
sambaMember: nobody,1f5,1

dn: cn=Administrators, $ldap_base
description: Members can fully administer the computer/domain
sid: S-1-5-32-544
objectclass: sambaBuiltin
objectclass: sambaAlias
ntuid: Administrators
rid: 220
cn: Administrators

dn: cn=Users, $ldap_base
sid: S-1-5-32-545
objectclass: sambaBuiltin
objectclass: sambaAlias
ntuid: Users
rid: 221
cn: Users

dn: cn=Guests, $ldap_base
sid: S-1-5-32-546
objectclass: sambaBuiltin
objectclass: sambaAlias
ntuid: Guests
rid: 222
cn: Guests

dn: cn=Power Users, $ldap_base
description: Members can share directories and printers
sid: S-1-5-32-547
objectclass: sambaBuiltin
ntuid: Power Users
rid: 223
cn: Power Users

dn: cn=Account Operators, $ldap_base
sid: S-1-5-32-548
objectclass: sambaBuiltin
objectclass: sambaAlias
ntuid: Account Operators
rid: 224
cn: Account Operators

dn: cn=Server Operators, $ldap_base
sid: S-1-5-32-549
objectclass: sambaBuiltin
objectclass: sambaAlias
ntuid: Server Operators
rid: 225
cn: Server Operators

dn: cn=Print Operators, $ldap_base
sid: S-1-5-32-550
objectclass: sambaBuiltin
objectclass: sambaAlias
ntuid: Print Operators
rid: 226
cn: Print Operators

dn: cn=Backup Operators, $ldap_base
sid: S-1-5-32-551
objectclass: sambaBuiltin
objectclass: sambaAlias
ntuid: Backup Operators
rid: 227
cn: Backup Operators

dn: cn=Replicator, $ldap_base
sid: S-1-5-32-552
objectclass: sambaBuiltin
objectclass: sambaAlias
ntuid: Replicator
rid: 228
cn: Replicator
pagina
close (LDIF);
}
# Are these useful???
sub create_ldif_adds {
open (LDIF, ">adds_ldif");
print LDIF <<pagina;
dn: cn=Everyone, $ldap_base
sid: S-1-1-0
objectclass: sambaBuiltin
ntuid: Everyone
cn: Everyone

dn: cn=Local, $ldap_base
sid: S-1-2-0
objectclass: sambaBuiltin
ntuid: Local
cn: Local

dn: cn=Network, $ldap_base
sid: S-1-5-2
objectclass: sambaBuiltin
ntuid: Network
cn: Network

dn: cn=Interactive, $ldap_base
sid: S-1-5-4
objectclass: sambaBuiltin
ntuid: Interactive
cn: Interactive

dn: cn=Authenticated Users, $ldap_base
sid: S-1-5-11
objectclass: sambaBuiltin
ntuid: Authenticated Users
cn: Authenticated Users
pagina
close (LDIF);
}