Difference between revisions of "Samba & LDAP"
(Beginning of setup description: Samba and LDAP)
Revision as of 20:43, 1 April 2006
- 1 Fedora Directory Server
- 2 OpenLDAP
- 3 GUI Tools
- 4 Integration into the system
Fedora Directory Server
Fedora Directory Server has a wiki page on integrating with Samba. See 
OpenLDAP
OpenLDAP is a widely used LDAP server in Linux environments. It can serve many different needs. Samba can use it as a storage backend for accounts and for the mappings from Windows SIDs to Unix UIDs/GIDs. OpenLDAP can also be used to control mail delivery and other things. You can find OpenLDAP at []
GUI Tools
- LAM - A web frontend to maintain Unix and Samba accounts in an LDAP server
- LUMA - LDAP browser, utility and more (Python/Qt)
- ldapadmin [] - Ldap Admin is a free Win32 application for managing LDAP directories.
- LDAP Browser/Editor [] - A Java tool. It is quite old, but still useful (I use it every time I have to implement a new LDAP tree)
- GOsa - A general-purpose web-based LDAP user and group management tool. Handles all aspects of Samba accounts, including mungedDial, plus everything commonly related to user and group account handling
Integration into the system
Integrating an LDAP directory into a *NIX system is not that easy. The most annoying part is that Samba relies on the host OS and therefore needs a uid/gid for every user. You can keep this information in your passwd file, but for a consistent setup it is recommended to store it in your LDAP server as well.
Given that, you have to configure your OS to use the LDAP server as its passwd backend and then let Samba use the same server as its own password storage. This applies to user, group and machine accounts.
Setting up PAM and NSS to use LDAP
It is quite simple but needs changes in two places. You have to edit nsswitch.conf and add the keyword 'ldap' to the passwd: and group: lines. Then you have to install the libnss_ldap library from your package system.
In newer releases (as of 03/2006) pam_unix2 can use LDAP servers for lookups. You just have to enable it in /etc/security/pam_unix2.conf. It needs the /etc/ldap.conf file, however, to get all the parameters required for LDAP lookups.
Let Samba use LDAP
Set the following parameters in smb.conf:
- passdb backend = ldapsam:ldap://<your-hostname>
- ldap suffix =
- ldap admin dn
Then run smbpasswd -w <ldap-secret> to let Samba know the password for the admin dn.
Mapping the well known Windows groups to unix groups
net groupmap add ntgroup="<windows-group>" unixgroup=<unix-group>
Tools to manage accounts
smbldap-tools from IDEALIX.org
Add the first user
smbldap-useradd -a <username>
Add the first machine
smbldap-useradd -w <machine>
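As an added check that is not part of the wiki page, the script below verifies the two pieces set up above: that nsswitch.conf lists ldap on the passwd: and group: lines, and that smb.conf's passdb backend is ldapsam with ldap suffix and ldap admin dn set. The host name and DNs in the sample files are constructed, and the file paths are parameters so it can be pointed at the real files.

```shell
#!/bin/sh
# Added check (not from the wiki page): verify the two edits the text asks for,
# nsswitch.conf listing ldap for passwd/group and smb.conf pointing at ldapsam.
# Host names and DNs in the sample files below are made up.

# nss_uses_ldap FILE DB -> exit 0 if the "DB:" line in nsswitch.conf lists ldap
nss_uses_ldap() {
    sed '/^[[:space:]]*#/d' "$1" | grep -E "^[[:space:]]*$2:" \
        | tr ':' ' ' | grep -qE '(^|[[:space:]])ldap([[:space:]]|$)'
}
# conf_value FILE KEY -> print the value of "KEY = value" (first match, trimmed)
conf_value() {
    sed '/^[[:space:]]*[#;]/d' "$1" | grep -iE "^[[:space:]]*$2[[:space:]]*=" \
        | head -n1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}
# smb_ldap_ready FILE -> exit 0 if smb.conf uses ldapsam and names suffix + admin dn
smb_ldap_ready() {
    case "$(conf_value "$1" 'passdb backend')" in
        ldapsam:ldap://*|ldapsam:ldaps://*) ;;
        *) return 1 ;;
    esac
    [ -n "$(conf_value "$1" 'ldap suffix')" ] && [ -n "$(conf_value "$1" 'ldap admin dn')" ]
}
# write_samples DIR -> constructed sample configs used by the demo and the checks
write_samples() {
    cat > "$1/nsswitch.conf" <<'EOF'
passwd: files ldap
group:  files ldap
hosts:  files dns
EOF
    cat > "$1/smb.conf" <<'EOF'
[global]
   passdb backend = ldapsam:ldap://ldap.example.internal
   ldap suffix = dc=example,dc=internal
   ldap admin dn = cn=Manager,dc=example,dc=internal
EOF
    cat > "$1/smb-tdb.conf" <<'EOF'
[global]
   # accounts kept in a local tdb: Samba would not see the LDAP users
   passdb backend = tdbsam
EOF
}

d=$(mktemp -d) && write_samples "$d"
if nss_uses_ldap "$d/nsswitch.conf" passwd && nss_uses_ldap "$d/nsswitch.conf" group \
   && smb_ldap_ready "$d/smb.conf"; then echo "NSS and Samba both use LDAP"; fi
rm -rf "$d"
```

Run the same functions against /etc/nsswitch.conf and your real smb.conf after editing them; a failing check means logins will still be resolved from files only.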
--rcsu 07:51, 2 March 2006 (CST)