/ Markus Amersdorfer:home / university / about:me /

OpenLDAP on Debian Woody - Add-On: smbldap-tools

Introduction

This doc basically is just a "work-log" of experimenting with the smbldap-tools by IDEALX. It's thought to be an add-on to my LDAP HOWTO "Using OpenLDAP on Debian Woody to serve Linux and Samba users".
The smbldap-tools consist of Perl-scripts which can ease the administration of Linux- and Samba-Users as well as Windows-client-machines with an LDAP-tree.

Though this sounds promising, I did not use the smbldap-tools eventually in my LDAP-setup for the following reasons:

Most of our users will not be Samba-users. For those who will be, a simple "smbpasswd (-a) user" works perfectly fine!
I could not get on-the-fly creation of machine-accounts (for other Windows- or Samba-machines joining the domain) working here.
The seperation of machine accounts into their own LDAP-"ou" (ou=Computers,dc=,dc=) didn't work either as I would have expected.

Nevertheless, if you're interested, here's my work-log (which is based on the article Implementing a Samba LDAP Primary Domain Controller Setup on Mandrake 9.x) ...

The work-log

Create "ou=Computers,dc=subnet,dc=at" using this smbldap_computers.ldif and run

  ldapadd -H ldap://ldap.subnet.at/ -D "cn=manager,dc=subnet,dc=at" -x -W -f smbldap_computers.ldif

Download the smbldap-tools from samba.idealx.org or include the following in /etc/apt/sources.list:

  # smbldap-tools:
  deb ftp://ftp.samba.gr.jp/pub/samba-jp/debian/woody ./
  deb-src ftp://ftp.samba.gr.jp/pub/samba-jp/debian/woody ./

Locate smbldap_conf.pm (using the DEB-packages it's in /etc/samba/) and change:

   ### LDAP Configuration
   $slaveLDAP = "ldap.subnet.at";
   $masterLDAP = "ldap.subnet.at";
   $suffix = "dc=subnet,dc=at";
   $usersou = q(People);
   $usersdn = "ou=$usersou,$suffix";
   $computersou = q(Computers);
   $computersdn = "ou=$computersou,$suffix";
   $groupsou = q(Group);
   $groupsdn = "ou=$groupsou,$suffix";
   $scope = "sub";
   $binddn = "cn=manager,$suffix";
   $bindpasswd = "Manager's password in plaintext";

   ### Unix Accounts Configuration
   $_userLoginShell = q(/bin/bash);
   $_userHomePrefix = q(/data/home/);
   $_userGecos = q(System User - Gecos);
   $_defaultUserGid = 65001;
   $_defaultComputerGid = 65002;
   $_skeletonDir = q(/etc/skel);

   ### SAMBA Configuration
   $_userSmbHome = q(\\\\your-home-server\\homes);
   #$_userProfile = q(\\\\PDC-SRV\\profiles\\);
   $_userHomeDrive = q(Y:);
   #$_userScript = q(startup.cmd); # make sure script file is edited under dos

   ### SMBLDAP-TOOLS Configuration
   # use the defaults

Check for a user:

   # smbldap-usershow max
   dn: uid=max,ou=People,dc=subnet,dc=at
   [...]

If this succeeds, the smbldap-tools should be set up properly.

Check for a group:

   # smbldap-groupshow max
   dn: cn=max,ou=Group,dc=subnet,dc=at
   [...]

Add groups:

   # smbldap-groupadd -g 65001 lusers
   # smbldap-groupadd -g 65002 lmachines
   # smbldap-groupadd -g 65003 lstaff
   # smbldap-useradd -a wadmin
   # smbldap-passwd wadmin

Add the user "wadmin" to the group "wstaff". This is used in smb.conf's option "domain admin group = @lstaff".
smb.conf's option "add user script = /usr/sbin/smbldap-useradd.pl -w -d /dev/null -g -c 'Machine Account' -s /bin/false %u" should add the Linux- and Samba-Machine-Users on the fly as soon as a client tries to join the domain, but this didn't work here, so manually adding the machine-accounts prior to have the clients join the domain is necessary (see my main LDAP Howto).
Update: I missed the group in the line above needed for option "g". Perhaps that's why it didn't work here... You can find a working setup of automatically creating the user account for a joining client machine in my LDAP HOWTO.
In order to have the system find the machine-accounts (which boil down to normal user-accounts located in ou=Computers instead of ou=People), change /etc/libnss-ldap.conf:
```
   #nss_base_passwd ou=People,dc=subnet,dc=at
   nss_base_passwd dc=subnet,dc=at?sub
```

Back to the LDAP HOWTO.