This article was first written in October 2004 for the BeezNest technical website (http://glasnost.beeznest.org/articles/180).

Starting from Debian Sarge, the Samba version shipped with Debian is 3.0.x. This is the first version that properly supports acting as a PDC while using LDAP as its backend. Here is how to use Samba as a PDC with an LDAP backend for authentication on Debian.

Install the following packages, which are all part of Samba:
- samba: The server itself
- samba-doc: The documentation (very complete)
- smbclient: FTP-like client for SMB/CIFS
- swat: Samba Web Administration Tool (web interface to configure Samba and access the full documentation through a browser, if installed)
Besides Samba, we will install LDAP:
- slapd: the server itself
- smbldap-tools: the IDEALX tools that ease installation and migration when using Samba together with LDAP
Configure the Name Service Switch to use LDAP
Install package libnss-ldap and configure it according to the LDAP configuration [1]. Edit /etc/nsswitch.conf and add ldap to the end of the three lines passwd:, group: and shadow:, and add wins to the end of the hosts: line.

Configure PAM to also use LDAP
Install package libpam-ldap and configure it according to the LDAP configuration. Edit /etc/pam.d/common-account and add the pam_ldap.so line before the existing pam_unix.so line (the second line of the file), so that it reads:

    account sufficient pam_ldap.so
    account required pam_unix.so

Edit /etc/pam.d/common-auth and add the pam_ldap.so line before the existing second line in the same way:

    auth sufficient pam_ldap.so
    auth required pam_unix.so nullok_secure

Edit /etc/pam.d/common-password and add the pam_ldap.so line before the existing second line:

    password sufficient pam_ldap.so
    password required pam_unix.so nullok obscure min=4 max=8 md5
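A small checker for the NSS and PAM edits above, added here as an example and not part of the original article. The nsswitch.conf and common-auth bodies it uses are constructed samples; the property it verifies is the one the stacking above relies on: pam_ldap.so marked sufficient and placed before pam_unix.so marked required.

```python
# Added checker (not the article's code) for the nsswitch.conf and PAM edits above; the samples below are constructed.

def nsswitch_issues(text):
    """Problems with an nsswitch.conf body: 'ldap' must be the last source on
    the passwd, group and shadow lines and 'wins' the last one on hosts."""
    wanted = {"passwd": "ldap", "group": "ldap", "shadow": "ldap", "hosts": "wins"}
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        if ":" in line:
            db, sources = line.split(":", 1)
            found[db.strip()] = sources.split()
    return [f"{db}: '{src}' must be the last source"
            for db, src in wanted.items()
            if not found.get(db) or found[db][-1] != src]

def pam_issues(text, facility):
    """Problems with a /etc/pam.d/common-<facility> body: pam_ldap.so must be
    stacked as 'sufficient' and sit before pam_unix.so 'required', so an LDAP
    success ends the stack and an LDAP failure falls through to local files."""
    mods = []                                  # (module, control) in file order
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == facility:
            mods.append((parts[2], parts[1]))
    control = dict(reversed(mods))             # first occurrence of a module wins
    order = [module for module, _ in mods]
    issues = []
    if control.get("pam_ldap.so") != "sufficient":
        issues.append("pam_ldap.so must be stacked as 'sufficient'")
    if control.get("pam_unix.so") != "required":
        issues.append("pam_unix.so must remain 'required'")
    if ("pam_ldap.so" in order and "pam_unix.so" in order
            and order.index("pam_ldap.so") > order.index("pam_unix.so")):
        issues.append("pam_ldap.so must come before pam_unix.so")
    return issues

# Constructed samples: a correct nsswitch.conf, and common-auth before and
# after the edit from the article.
NSSWITCH_OK = ("passwd: files ldap\ngroup: files ldap\n"
               "shadow: files ldap\nhosts: files dns wins\n")
COMMON_AUTH_BEFORE = "# /etc/pam.d/common-auth\nauth required pam_unix.so nullok_secure\n"
COMMON_AUTH_AFTER = ("# /etc/pam.d/common-auth\nauth sufficient pam_ldap.so\n"
                     "auth required pam_unix.so nullok_secure\n")

if __name__ == "__main__":
    print(nsswitch_issues(NSSWITCH_OK))            # []
    print(pam_issues(COMMON_AUTH_BEFORE, "auth"))  # ["pam_ldap.so must be stacked as 'sufficient'"]
    print(pam_issues(COMMON_AUTH_AFTER, "auth"))   # []
```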
Set the LDAP password in Samba
Samba stores its passwords in /var/lib/samba/secrets.tdb, and also stores there the LDAP admin password it uses to connect to OpenLDAP. To set or change that password:

    smbpasswd -w MySecretPassword

where MySecretPassword is LDAP's admin password. WARNING: with that configuration, it asks twice for the password when authenticating anyone! TODO
Add the Samba schema to OpenLDAP's list of schemas
An example schema that you can copy as is (you just need to gunzip it first) is available as /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz; copy it into /etc/ldap/schemas and edit /etc/ldap/slapd.conf to use it. Then configure /etc/ldap/ldap.conf and /etc/ldap/slapd.conf.

Tools to manage it afterwards

LDAP Account Manager (LAM), a web-based frontend to Samba accounts for machines, users and groups in LDAP, or phpLDAPadmin (which is not specific to managing Samba, but can also manage address books, UNIX authentication, …).

Create your machines in the Domain
To be continued…
[1] It will configure /etc/libnss-ldap.conf.