From "Jeffre Reynolds" <>
Subject Apache DS to Authenticate Samba
Date Thu, 03 Feb 2011 03:31:51 GMT
Hello all,

This is my first mailing list post, so God help me if I muck something up with the tagging
and what not.  Anyway, I want to configure Apache DS (1.5.7) to act as the passwd backend
for a few Samba servers on our local network.  Apache DS is already running and successfully
authenticating for several Apache webservers, Mercurial repos, and an Openfire server.  I
don't need to have a full blown PDC; just being able to use pre-existing credentials to authenticate
for Samba would be nice.

Right now, I've been able to use Directory Studio to enable the Samba schema in my ADS instance.
It kind of threw me off for a bit because I didn't immediately realize that in order to enable
it I had to make sure each of the dependencies was enabled, and it seems that NIS (or some
other dependency of Samba) was not enabled by default.  I've got LDAP Account Manager running
to help manage my server, and it's how I've added a Samba Domain object to my directory.  Here's
some LDIF entries from my directory:

dn: sambaDomainName=MYDOMAIN,dc=example, dc=com
objectClass: sambaDomain
objectClass: top
sambaDomainName: MYDOMAIN
sambaSID: S-1-5-21-3194997645-334687660-1995094790
sambaAlgorithmicRidBase: 1000
sambaNextUserRid: 1000

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

dn: uid=smbtest,ou=People,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: top
cn: smbtest
gidnumber: 513
homedirectory: /home/smbtest
sn: smbtest
uid: smbtest
uidnumber: 10005
gecos: System User
givenname: smbtest
loginshell: /bin/bash
shadowLastChange: 14995
shadowMax: 45
userPassword:: blah

dn: uid=person,ou=People,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: shadowAccount
objectClass: top
cn: Person
gidNumber: 20000
homeDirectory: /home/person
sambaSID: S-1-5-21-3194997645-334687660-1995094790-21002
sn: Person
uid: person
uidNumber: 10001
displayName: Person
loginShell: /usr/bin/bash
sambaAcctFlags: [XU ]
sambaDomainName: mydomain
sambaPasswordHistory: 10
sambaPrimaryGroupSID: S-1-5-21-3194997645-334687660-1995094790-512
userPassword:: blah

And here's part of my smb.conf file:

workgroup = MYDOMAIN
server string = Samba Server Version %v
netbios name = mydomain
interfaces = lo eth0
hosts allow = 127. 192.168.160. x.x.x.0
passdb backend = ldapsam:ldap://myldapserver:389/
ldap suffix = dc=example, dc=com
ldap group suffix = ou=group
ldap user suffix = ou=People
ldap admin dn = uid=admin,ou=system
security = user
enable privileges = yes
map to guest = bad user
guest account = smbguest

comment = Test Share
path = /test
browseable = yes

Now, I know that samba is able to communicate with ADS because when I run the "net getlocalsid"
command, it gives me no errors.  But when I run the command and alter the admin dn information,
I get a failure to authenticate message (I've set the admin dn passwd using "smbpasswd -w").
However, when I try to connect to my test share using a Win XP Pro SP3 client, the share
behaves like it can't authenticate either of my users (person or smbtest).  I have also used
smbldap to add the smbtest account successfully (most likely the reason why it contains different
attributes than the person account; person was added using LAM).  Additionally, smbldap-userlist
shows the smbtest user, but no others.  I'm thinking that the issue is most likely due to
a lack of the proper attributes to the People group, or something I'm missing in either individual
account.  Any information on the subject would be very helpful, or even a good place to go
to try to find out more about how to integrate ApacheDS with Samba.

Thanks in advance for any advice on this issue.
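The two account entries quoted in the message differ in which Samba attributes they carry. The following is an added audit script, not part of the original post or of Samba or ApacheDS: it parses LDIF and reports, for each POSIX user entry, whether the objectClass and attributes that Samba's ldapsam backend consults for an NTLM logon (sambaSamAccount, sambaSID, sambaNTPassword) are present. The LDIF embedded in it is constructed to mirror the smbtest and person entries above, with placeholder password values.

```python
"""Audit LDIF user entries for the attributes Samba's ldapsam backend needs.

Added example, not code from the original message. SAMPLE_LDIF is a
constructed copy of the two accounts quoted in the post; the userPassword
values are placeholders (base64 of "blah").
"""
import base64

# Constructed sample: one account added with smbldap, one with LAM.
SAMPLE_LDIF = """\
dn: uid=smbtest,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: top
uid: smbtest
uidNumber: 10005
userPassword:: YmxhaA==

dn: uid=person,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: top
uid: person
uidNumber: 10001
sambaSID: S-1-5-21-3194997645-334687660-1995094790-21002
sambaAcctFlags: [XU ]
sambaDomainName: mydomain
userPassword:: YmxhaA==
"""

# Attributes ldapsam reads to identify and verify an NTLM logon.
REQUIRED_ATTRS = ("sambaSID", "sambaNTPassword")


def parse_ldif(text):
    """Parse a minimal LDIF stream into a list of {attr_lower: [values]} dicts.

    Handles folded continuation lines (leading space), comments, and
    base64 values ("attr:: ..."). Attribute names are lower-cased because
    LDAP matches them case-insensitively (gidnumber == gidNumber).
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: join to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], {}
    for line in lines:
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def audit_entry(entry):
    """Return the problems that would keep ldapsam from authenticating this entry."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixaccount" not in classes:
        return problems                      # not a user account; nothing to check
    if "sambasamaccount" not in classes:
        problems.append("missing objectClass sambaSamAccount")
    for attr in REQUIRED_ATTRS:
        if attr.lower() not in entry:
            problems.append(f"missing {attr}")
    flags = entry.get("sambaacctflags", [""])[0]
    if "D" in flags:                         # sambaAcctFlags "D" marks a disabled account
        problems.append("account disabled (D flag)")
    return problems


def audit_ldif(text):
    """Map each entry's DN to its problem list (an empty list means it looks usable)."""
    return {e["dn"][0]: audit_entry(e) for e in parse_ldif(text) if "dn" in e}


if __name__ == "__main__":
    for dn, problems in audit_ldif(SAMPLE_LDIF).items():
        print(f"{dn}: {'; '.join(problems) or 'ok'}")
```

Run against a real export (`ldapsearch -LLL` output works as input) to see which accounts ldapsam can and cannot use. Note that sambaNTPassword holds the unsalted NT hash, which is a password equivalent: the directory's access control should allow reads of that attribute only to the DN named in `ldap admin dn`, never to anonymous or ordinary users.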
