If you haven’t installed LDAP yet, do so now. This will be a rather short article, where we just get smbldap-tools working. This is a collection of programs to handle Samba users (and groups) stored in an LDAP database. We will use them later when configuring Samba.
First, copy the configuration examples for smbldap-tools to your /etc directory:
zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > ~/smbldap.conf
sudo cp ~/smbldap.conf /etc/smbldap-tools/
sudo cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
sudo chmod 0644 /etc/smbldap-tools/smbldap.conf
sudo chmod 0600 /etc/smbldap-tools/smbldap_bind.conf
Now, you should edit your new smbldap.conf to match your environment, but first we need to find the SID of the Samba server; Do this with:
sudo /etc/init.d/samba start
sudo net getlocalsid
Save it to your clipboard for now (or write it down, if you like). Then edit smbldap.conf, changing all the relevant lines. These were my changes:
SID="S-1-5-21-9999999999-587502800-999999999"
sambaDomain="GODTJOD-NT"
ldapTLS="0"
suffix="dc=godtjod,dc=net"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
defaultMaxPasswordAge="365"
mailDomain="godtjod.net"
no_banner="1"
(Note: You can do a search for those attributes you want to change by pressing Ctrl+w (for where).)
Edit the /etc/smbldap-tools/smbldap_bind.conf, which defines how to bind (authenticate) to the LDAP server, and add lines like:
slaveDN="cn=admin,dc=godtjod,dc=net"
slavePw="pa$$w0rd"
masterDN="cn=admin,dc=godtjod,dc=net"
masterPw="pa$$w0rd"
The default superuser call name (cn) for a Debian install of OpenLDAP is “admin”, not “manager” (which you might’ve expected from other LDAPs).
Now, pray that everything is ok and start populating the LDAP database with entries for Samba:
sudo smbldap-polulate
You will be asked for a root password, so provide a good one here. Then check everything went in:
ldapsearch -x
That’s it for now. Soon we will be starting Samba itself, so stay tuned.
(If you follow the original guide, he talks about the Administrator (uid=Administrator) account, but in my installation it was called root, and we already changed password for that so there’s no need to change it again, huh?)
