Archive for the ‘ldap’ Category

Installing smbldap-tools

March 29, 2007

If you haven’t installed LDAP yet, do so now. This will be a rather short article, where we just get smbldap-tools working. This is a collection of programs to handle Samba users (and groups) stored in an LDAP database. We will use them later when configuring Samba.

First, copy the configuration examples for smbldap-tools to your /etc directory:

zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > ~/smbldap.conf
sudo cp ~/smbldap.conf /etc/smbldap-tools/
sudo cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
sudo chmod 0644 /etc/smbldap-tools/smbldap.conf
sudo chmod 0600 /etc/smbldap-tools/smbldap_bind.conf

Now you should edit your new smbldap.conf to match your environment, but first we need to find the SID of the Samba server. Do this with:

sudo /etc/init.d/samba start
sudo net getlocalsid

Save it to your clipboard for now (or write it down, if you like). Then edit smbldap.conf, changing all the relevant lines. These were my changes:

SID="S-1-5-21-9999999999-587502800-999999999"
sambaDomain="GODTJOD-NT"
ldapTLS="0"
suffix="dc=godtjod,dc=net"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
defaultMaxPasswordAge="365"
mailDomain="godtjod.net"
no_banner="1"

(Note: in nano you can search for the attributes you want to change by pressing Ctrl+W ("Where Is").)

Edit /etc/smbldap-tools/smbldap_bind.conf, which defines how to bind (authenticate) to the LDAP server, and add lines like the following. The file holds the admin password in clear text, which is why it was set to mode 0600 above:

slaveDN="cn=admin,dc=godtjod,dc=net"
slavePw="pa$$w0rd"
masterDN="cn=admin,dc=godtjod,dc=net"
masterPw="pa$$w0rd"

The default superuser common name (cn) for a Debian install of OpenLDAP is "admin", not "manager" (which you might have expected from other LDAP servers).

Now, pray that everything is ok and start populating the LDAP database with entries for Samba:

sudo smbldap-populate

You will be asked for a root password, so provide a good one here. Then check that everything went in:

ldapsearch -x
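The configuration steps above (copying the example files, reading the SID from net getlocalsid, rewriting the keys in smbldap.conf and writing the bind file) can be scripted. The script below is an added example, not part of the original post or of smbldap-tools: it uses the post's domain, suffix and SID values, "CHANGE-ME" stands in for the real bind password, and it works on a constructed copy of the files in a temporary directory. The same functions apply to /etc/smbldap-tools when run as root; smbldap-populate is still run by hand afterwards.

```shell
#!/bin/sh
# Added example (not from the original post): script the smbldap-tools setup.
# Runs against constructed files in a temp directory; point the paths at
# /etc/smbldap-tools (as root) to apply the same edits for real.
set -eu

# Extract the SID from the output of `net getlocalsid`, which has the form
# "SID for domain HOST is: S-1-5-21-...". Reads stdin, prints the SID.
parse_local_sid() {
    sed -n 's/^SID for domain .* is: *\(S-1-5-21-[0-9-]*\).*$/\1/p' | head -n 1
}

# set_conf FILE KEY VALUE: write KEY="VALUE" into a smbldap.conf-style file,
# replacing an existing (possibly commented-out) assignment or appending a
# new one. Values must not contain '|' or '&' (sed replacement syntax).
set_conf() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^#\{0,1\} *${key}=" "$file"; then
        sed "s|^#\{0,1\} *${key}=.*|${key}=\"${value}\"|" "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# The bind file carries the LDAP admin password in clear text, which is why
# the post chmods it to 0600. Return 0 only if the mode is exactly 0600.
check_bind_perms() {
    [ -n "$(find "$1" -prune -perm 600)" ]
}

# --- demonstration on constructed files ---
WORK=$(mktemp -d)
CONF="$WORK/smbldap.conf"
# Constructed stand-in for the example smbldap.conf shipped with the package.
printf '%s\n' '#SID="S-1-5-21-1-2-3"' 'sambaDomain="DOMSMB"' 'ldapTLS="1"' \
    'suffix="dc=example,dc=com"' > "$CONF"

# Constructed sample of what `sudo net getlocalsid` prints on the server.
SID=$(printf 'SID for domain SLUG is: S-1-5-21-9999999999-587502800-999999999\n' | parse_local_sid)

set_conf "$CONF" SID "$SID"
set_conf "$CONF" sambaDomain "GODTJOD-NT"
set_conf "$CONF" ldapTLS "0"
set_conf "$CONF" suffix "dc=godtjod,dc=net"
set_conf "$CONF" sambaUnixIdPooldn 'sambaDomainName=${sambaDomain},${suffix}'
set_conf "$CONF" defaultMaxPasswordAge "365"
set_conf "$CONF" mailDomain "godtjod.net"
set_conf "$CONF" no_banner "1"

# Create the bind file under umask 077 so it is never world-readable, not
# even between creation and chmod. "CHANGE-ME" is a placeholder password.
BIND="$WORK/smbldap_bind.conf"
( umask 077
  printf 'slaveDN="%s"\nslavePw="%s"\nmasterDN="%s"\nmasterPw="%s"\n' \
      "cn=admin,dc=godtjod,dc=net" "CHANGE-ME" \
      "cn=admin,dc=godtjod,dc=net" "CHANGE-ME" > "$BIND" )

if check_bind_perms "$BIND"; then
    echo "smbldap.conf written to $CONF; bind file mode is 0600"
else
    echo "WARNING: $BIND is readable by others" >&2
fi
```

set_conf matches a key whether or not the example file has it commented out, so it is safe to run twice. check_bind_perms is the check to keep around: a bind file that drifts to 0644 exposes the directory admin password to every local account.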

That’s it for now. Soon we will be starting Samba itself, so stay tuned.

(If you follow the original guide, he talks about the Administrator (uid=Administrator) account, but in my installation it was called root, and we already changed the password for that, so there's no need to change it again, huh?)

Installing LDAP

March 29, 2007

At first I was going to hold off on installing LDAP on the slug, because it isn't really needed at this point, and I just wanted to get the file serving up and running. But then I found this great guide to LDAP/Samba installation and I thought I'd try it out. So these instructions should follow Edd Dumbill's quite closely, but with some extra details about how I did things.

First I installed the things I needed from the apt archives:

sudo apt-get install slapd ldap-utils libnss-ldap libpam-ldap samba smbldap-tools smbclient samba-doc

I followed the advice from the guide and didn't configure the packages at this time. Instead I configured them one at a time with dpkg-reconfigure, like so:

sudo dpkg-reconfigure -plow slapd

This will start the configuration for LDAP. It asks some questions, most of which should be really obvious. Some tips though: you should create a database backup, even if it will just contain rubbish, because, as the prompt says, the old data could break your installation. If you don't plan on using any services that need LDAPv2 (I don't), you should disable it.

Also clean out the backup (as I said, it is just rubbish):

sudo rm -R /var/backups/unknown-2.3.30-5.ldapdb

Edit your configuration for the LDAP tools with:

sudo nano -wL /etc/ldap/ldap.conf

(ldap.conf is for the client, slapd.conf is for the server) and add the following lines:

BASE dc=godtjod,dc=net
URI ldap://127.0.0.1

Now check your database with:

sudo ldapsearch -x

If it returns two entries (your domain and your superuser) then you are ready to continue with setting up a Samba database in your LDAP service. First we copy the schema (a model for a database) for Samba:

zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > ~/samba.schema
sudo cp ~/samba.schema /etc/ldap/schema/

and configure slapd to include this schema by adding the following lines to slapd.conf (right after the existing includes):

include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/misc.schema

In the same file, tell slapd to use some indexes (the slug isn't terribly fast and so could use the speed-up). In the database section, add these lines after the existing index line:

index uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq

Also in slapd.conf, change the access rules to allow your users to change their own passwords, including the Samba password hashes. Do this by changing the line

access to attrs=userPassword,shadowLastChange

to

access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword

Then restart your LDAP server to load the changes and again check that everything works:

sudo /etc/init.d/slapd restart
sudo ldapsearch -x
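The slapd.conf edits above (two include lines after the existing includes, the index lines after the existing index line, and the widened access line), together with the "two entries" check on ldapsearch -x output, as an added example that is not part of the original post or of OpenLDAP. It works on constructed copies of slapd.conf and of ldapsearch output in a temporary directory; set CONF to /etc/ldap/slapd.conf (as root) to apply the same edits for real, then restart slapd as the post does. It assumes ldapsearch ends its output with a "# numEntries: N" trailer, which OpenLDAP's client prints.

```shell
#!/bin/sh
# Added example, not from the original post: apply the slapd.conf edits
# with a script and check the ldapsearch result the post expects.
set -eu

# insert_after_last FILE REGEX LINE...
# Append each LINE after the last line of FILE matching REGEX, skipping a
# LINE that is already present verbatim, so re-running is harmless.
insert_after_last() {
    file="$1"; re="$2"; shift 2
    for line in "$@"; do
        if grep -qxF -- "$line" "$file"; then continue; fi
        last=$(grep -n -- "$re" "$file" | tail -n 1 | cut -d: -f1)
        if [ -z "$last" ]; then
            echo "no line matching '$re' in $file; refusing to guess a position" >&2
            return 1
        fi
        awk -v n="$last" -v l="$line" '{ print } NR == n { print l }' "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    done
}

# Widen the one ACL line exactly as the post does; the anchored pattern
# means a second run leaves an already-widened line alone.
extend_password_acl() {
    sed 's/^\(access to attrs=userPassword,shadowLastChange\)$/\1,sambaNTPassword,sambaLMPassword/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Read `ldapsearch -x` output on stdin and print the entry count it
# reports in its "# numEntries:" trailer (0 if the trailer is missing).
count_entries() {
    n=$(sed -n 's/^# numEntries: *\([0-9][0-9]*\).*$/\1/p' | tail -n 1)
    echo "${n:-0}"
}

# --- constructed sample files: the shape of Debian's slapd.conf and of
# --- ldapsearch output, trimmed to the lines that matter ---
WORK=$(mktemp -d)
CONF="${CONF:-$WORK/slapd.conf}"
cat > "$CONF" <<'EOF'
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
database        bdb
suffix          "dc=godtjod,dc=net"
index           objectClass eq
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=godtjod,dc=net" write
        by anonymous auth
        by self write
        by * none
EOF
cat > "$WORK/ldapsearch.out" <<'EOF'
# godtjod.net
dn: dc=godtjod,dc=net
objectClass: dcObject

# admin, godtjod.net
dn: cn=admin,dc=godtjod,dc=net
objectClass: simpleSecurityObject

# search result
search: 2
result: 0 Success

# numEntries: 2
EOF

insert_after_last "$CONF" '^include' \
    'include /etc/ldap/schema/samba.schema' \
    'include /etc/ldap/schema/misc.schema'
insert_after_last "$CONF" '^index' \
    'index uid,uidNumber,gidNumber,memberUid eq' \
    'index cn,mail,surname,givenname eq,subinitial' \
    'index sambaSID eq' \
    'index sambaPrimaryGroupSID eq' \
    'index sambaDomainName eq'
extend_password_acl "$CONF"
ENTRIES=$(count_entries < "$WORK/ldapsearch.out")
echo "slapd.conf patched at $CONF; sample ldapsearch reports $ENTRIES entries"
```

Each added line is placed after the last line that matches the same pattern, so the inserts keep the order given above and a second run adds nothing. Note that the constructed slapd.conf above overwrites whatever CONF points at; on a real system run the three functions against the existing file instead of the cat block. On the real server the check is `sudo ldapsearch -x | count_entries`, which should print 2 before the Samba entries are added.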

Did it work? Good, then take a break and wait for the next part: how to use samba with ldap.