[1.] Configure the LDAP server

include     /etc/openldap/schema/samba.schema
database    bdb
suffix      "dc=wow,dc=tw"
rootdn      "cn=Manager,dc=wow,dc=tw"
rootpw      secret
directory   /var/lib/ldap

# Comment out the default index settings
# Indices to maintain for this database
#index    objectClass                        eq,pres
#index    ou,cn,mail,surname,givenname       eq,pres,sub
#index    uidNumber,gidNumber,loginShell     eq,pres
#index    uid,memberUid                      eq,pres,sub
#index    nisMapName,nisMapEntry             eq,pres,sub

# Add the following settings

# samba + ldap
index    cn,sn,uid,displayName     pres,sub,eq
index    uidNumber,gidNumber       eq
index    sambaSID                  eq
index    sambaPrimaryGroupSID      eq
index    sambaDomainName           eq
index    objectClass               pres,eq
index    default                   sub

Start LDAP

      service ldap start

Run
      authconfig
                -> Use LDAP, Use LDAP Authentication
                -> Server: localhost, Base DN: dc=wow,dc=tw

[2.] Install smbldap-tools
         apt-get install smbldap-tools

      Edit the config files
         cd /etc/smbldap-tools/
         vi smbldap.conf
         vi smbldap_bind.conf

      Or run the following and follow the prompts
         /usr/share/doc/smbldap-tools-0.9.1/configure.pl

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
smbldap-tools script configuration
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
. if your samba controller is up and running.
. if the domain SID is defined (you can get it with the 'net getlocalsid')

. you can leave the configuration using the Crtl-c key combination
. empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Looking for configuration files…

Samba Configuration File Path [/etc/samba/smb.conf] >

The default directory in which the smbldap configuration files are stored is shown.
If you need to change this, enter the full directory path, then press enter to continue.
Smbldap-tools Configuration Directory Path [/etc/smbldap-tools/] >
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Let's start configuring the smbldap-tools scripts …

. workgroup name: name of the domain Samba act as a PDC
workgroup name [SMOC] >
. netbios name: netbios name of the samba controler
netbios name [smbcross] >
. logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'
logon drive [] > X:
. logon home: home directory location (for Win95/98 or NT Workstation).
(use %U as username) Ex:'smbcross\%U'
logon home (press the "." character if you don't want homeDirectory) [smbcross\%U] >
. logon path: directory where roaming profiles are stored. Ex:'smbcrossprofiles\%U'
logon path (press the "." character if you don't want roaming profile) [\%LProfiles\%U] >
. home directory prefix (use %U as username) [/home/%U] >
. default users' homeDirectory mode [700] >
. default user netlogon script (use %U as username) [%U.bat] >
default password validation time (time in days) [45] >
. ldap suffix [] > dc=wow,dc=tw
. ldap group suffix [] > ou=Groups
. ldap user suffix [] > ou=Users
. ldap machine suffix [] > ou=Computers
. Idmap suffix [ou=Idmap] >
. sambaUnixIdPooldn: object where you want to store the next uidNumber
and gidNumber available for new users and groups
sambaUnixIdPooldn object (relative to ${suffix}) [sambaDomainName=SMOC] >
. ldap master server: IP adress or DNS name of the master (writable) ldap server
ldap master server [127.0.0.1] >
. ldap master port [389] >
. ldap master bind dn [] > cn=Manager,dc=wow,dc=tw
. ldap master bind password [] >
. ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one
ldap slave server [127.0.0.1] >
. ldap slave port [389] >
. ldap slave bind dn [] > cn=Manager,dc=wow,dc=tw
. ldap slave bind password [] >
. ldap tls support (1/0) [0] >
. SID for domain SMOC: SID of the domain (can be obtained with 'net getlocalsid smbcross')
SID for domain SMOC [S-1-5-21-1098941358-3925841438-4089039526] >
. unix password encryption: encryption used for unix passwords
unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] >
. default user gidNumber [513] > 513
. default computer gidNumber [515] > 515
. default login shell [/bin/bash] >
. default skeleton directory [/etc/skel] >
. default domain name to append to mail adress [] > mail.wow.tw
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
backup old configuration files:
/etc/smbldap-tools/smbldap.conf->/etc/smbldap-tools/smbldap.conf.old
/etc/smbldap-tools/smbldap_bind.conf->/etc/smbldap-tools/smbldap_bind.conf.old
writing new configuration file:
/etc/smbldap-tools/smbldap.conf done.
/etc/smbldap-tools/smbldap_bind.conf done.

Run the following to initialize the LDAP directory
      /usr/sbin/smbldap-populate

Populating LDAP directory for domain IDEALX-NT (S-1-5-21-4205727931-4131263253-1851132061)
(using builtin directory structure)

adding new entry: dc=wow,dc=tw
adding new entry: ou=Users,dc=wow,dc=tw
adding new entry: ou=Groups,dc=wow,dc=tw
adding new entry: ou=Computers,dc=wow,dc=tw
adding new entry: ou=Idmap,dc=wow,dc=tw
adding new entry: uid=root,ou=Users,dc=wow,dc=tw
adding new entry: uid=nobody,ou=Users,dc=wow,dc=tw
adding new entry: cn=Domain Admins,ou=Groups,dc=wow,dc=tw
adding new entry: cn=Domain Users,ou=Groups,dc=wow,dc=tw
adding new entry: cn=Domain Guests,ou=Groups,dc=wow,dc=tw
adding new entry: cn=Domain Computers,ou=Groups,dc=wow,dc=tw
adding new entry: cn=Administrators,ou=Groups,dc=wow,dc=tw
adding new entry: cn=Account Operators,ou=Groups,dc=wow,dc=tw
adding new entry: cn=Print Operators,ou=Groups,dc=wow,dc=tw
adding new entry: cn=Backup Operators,ou=Groups,dc=wow,dc=tw
adding new entry: cn=Replicators,ou=Groups,dc=wow,dc=tw
adding new entry: sambaDomainName=IDEALX-NT,dc=wow,dc=tw

Please provide a password for the domain root:
Changing password for root
New password :
Retype new password :

[3.] Configure the Samba PDC and store the Manager password in secrets.tdb
      Run
         smbpasswd -w secret

Setting stored password for "cn=Manager,dc=wow,dc=tw" in secrets.tdb

      Add the LDAP settings to smb.conf

         vi /etc/samba/smb.conf

[global] 
   # use smbldap-tools
   ldap delete dn = Yes
   add user script = /usr/sbin/smbldap-useradd -m "%u"
   add machine script = /usr/sbin/smbldap-useradd -w "%u"
   add group script = /usr/sbin/smbldap-groupadd -p "%g"
   add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
   set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
   delete user script = /usr/sbin/smbldap-userdel "%u"
   delete group script = /usr/sbin/smbldap-groupdel "%g"
   # LDAP config
   passdb backend = ldapsam:ldap://localhost
   ldap suffix = "dc=wow,dc=tw"
   ldap admin dn = "cn=Manager,dc=wow,dc=tw"
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap passwd sync = Yes
   ldap ssl = no
   ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))

[4.] Create an account
         /usr/sbin/smbldap-useradd -a -m cross

      Change the password
         /usr/sbin/smbldap-passwd cross

      Or use smbpasswd, which also syncs the password to LDAP

         smbpasswd cross

      Add user information
         /usr/sbin/smbldap-userinfo cross


[Q1.] Can't call method "get_value" on an undefined value at /usr/sbin/smbldap-useradd line 171, <DATA> line 283.
[A1.] vi /etc/smbldap-tools/smbldap.conf

defaultUserGid="513"

[Q2.] ldapsam_search_one_group: Problem during the LDAP search: LDAP error: invalid DN (Invalid DN syntax)

[Q3.] <= bdb_equality_candidates: (memberUid) index_param failed (18)
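A consistency check for the slapd.conf index block in step 1 and the smb.conf LDAP settings in step 3, added here as an example (not code from the original post): it lists attributes that Samba and smbldap-tools search on but that have no equality index (an equality search on such an attribute is what the Q3 message reports, and memberUid lost its index when the default index lines were commented out), and it flags suffix or admin DN disagreements between the two files. The QUERIED_ATTRS list is an assumption, and the two config excerpts are constructed from the values in this post.

```python
import re

# Attributes ldapsam and smbldap-tools search on with equality filters (assumption).
QUERIED_ATTRS = {"objectClass", "uid", "uidNumber", "gidNumber", "sambaSID", "memberUid"}

# Constructed excerpts of the post's slapd.conf and smb.conf, used by the checks.
SLAPD_CONF = """suffix  "dc=wow,dc=tw"
rootdn  "cn=Manager,dc=wow,dc=tw"
#index  uid,memberUid          eq,pres,sub
index   cn,sn,uid,displayName  pres,sub,eq
index   uidNumber,gidNumber    eq
index   sambaSID               eq
index   objectClass            pres,eq
"""
SMB_CONF = """[global]
   ldap suffix = "dc=wow,dc=tw"
   ldap admin dn = "cn=Manager,dc=wow,dc=tw"
"""

def parse_slapd(conf):
    """Return (directives, indexes); commented-out index lines do not count."""
    directives, indexes = {}, {}
    for line in (l.strip() for l in conf.splitlines()):
        parts = line.split(None, 2)
        if not parts or line.startswith("#"):
            continue
        if parts[0] == "index" and len(parts) == 3:
            for attr in parts[1].split(","):
                indexes.setdefault(attr.lower(), set()).update(parts[2].split(","))
        elif len(parts) >= 2:
            directives[parts[0]] = " ".join(parts[1:]).strip('"')
    return directives, indexes

def smb_param(conf, key):
    """Value of one smb.conf parameter (quotes stripped), or '' if unset."""
    m = re.search(r"^\s*" + re.escape(key) + r"\s*=\s*(.*?)\s*$", conf, re.M)
    return m.group(1).strip('"') if m else ""

def unindexed_attrs(slapd_conf, queried=QUERIED_ATTRS):
    """Queried attributes with no 'eq' index; an equality search on one of these
    is what slapd logs as 'bdb_equality_candidates: (<attr>) index_param failed (18)'."""
    indexes = parse_slapd(slapd_conf)[1]
    return sorted(a for a in queried if "eq" not in indexes.get(a.lower(), set()))

def dn_mismatches(slapd_conf, smb_conf):
    """Setting pairs that must agree between slapd.conf and smb.conf but differ."""
    directives = parse_slapd(slapd_conf)[0]
    norm = lambda s: s.lower().replace(" ", "")
    return [(a, b) for a, b in (("suffix", "ldap suffix"), ("rootdn", "ldap admin dn"))
            if norm(directives.get(a, "")) != norm(smb_param(smb_conf, b))]
```

Run against the post's configs, unindexed_attrs reports only memberUid; adding an "index memberUid eq" line to slapd.conf clears it.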
