LDAP Samba on Solaris 9
Build and install Samba
Download the latest version of Samba (2.2.8a) from http://www.samba.org/.
Then install it. Ensure that gcc is installed and correctly configured on your machine. This will install samba into
root@ldap > gunzip samba-2.2.8a.tar.gz
root@ldap > tar -xvf samba-2.2.8a.tar
root@ldap > cd samba-2.2.8a/source/
root@ldap > LD_LIBRARY_PATH=/usr/local/lib
root@ldap > export LD_LIBRARY_PATH
root@ldap > ./configure --with-ldapsam --with-ssl --with-pam --with-pam_smbpass
root@ldap > make
root@ldap > make install
NOTE: If you need to go back and do this again, remove
config.cache. It may save you some headaches.
One persistent error with the samba binaries was their inability to find libpopt.so.0, which lives in
/usr/local/lib. This gives errors such as:
ld.so.1: /usr/local/samba/bin/smbstatus: fatal: libpopt.so.0: open failed: No such file or directory
My solution was to create a symbolic link pointing /usr/lib/libpopt.so.0 -> /usr/local/lib/libpopt.so.0
ln -s /usr/local/lib/libpopt.so.0 /usr/lib/libpopt.so.0
If you would rather not put links under /usr/lib, record the run path in the binaries instead: set LDFLAGS="-R/usr/local/lib" in the environment before running ./configure, and the Solaris linker stores /usr/local/lib as a search path in every binary it produces, so they find libpopt without relying on LD_LIBRARY_PATH or on changes to /usr/lib.
smb.conf is located in the lib directory of your samba installation, e.g.
/usr/local/samba/lib/smb.conf. This requires some careful configuration to get things to work. Let's consider some of the essential settings.
Please Note: This will NOT set up a Primary Domain Controller (PDC).
[global]
   workgroup = workgroupname
   server string = Server running samba %v
   netbios name = servername

# SAMBA-LDAP declarations
   ldap suffix = dc=your,dc=site,dc=com
# User with write access to the LDAP directory; its password is stored in
# secrets.tdb (see "Set Administration Password" below)
   ldap admin dn = uid=root,cn=users,dc=your,dc=site,dc=com
   ldap port = 389
   ldap server = ldap.your.site.com
# StartTLS on port 389: without it the admin bind and the password hashes
# Samba reads and writes cross the network in the clear. The directory
# server has to support StartTLS.
   ldap ssl = start tls
   wins server = wins.your.site.com

# Create machine trust accounts automatically
   add user script = /usr/local/sbin/smbldap-useradd.pl -w %u

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /usr/local/samba/var/log.%m

# How much information do you want to see in the logs?
# default (1) is only to log critical messages
   log level = 2

# Put a cap on the size of the log files (in Kb).
   max log size = 50

# security = user: Samba checks users against its own (here LDAP) password
# database. It MUST also be security = user for a PDC.
   security = user

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
   socket options = TCP_NODELAY

# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
   local master = yes

# OS Level determines the precedence of this server in master browser
# elections. The default value (20) is usually reasonable; 90 makes this
# server win against Windows clients.
   os level = 90

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
   domain master = no

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
   preferred master = yes

# Some HOWTOs carry "null passwords = Yes". That setting lets clients log
# in to accounts whose password is empty. Nothing in this setup needs it,
# so leave it at the default.
   null passwords = no

# You MUST use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
   encrypt passwords = yes
   passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u

# When using encrypted passwords, Samba can synchronize the local
# UNIX password as well. You will also need the "passwd chat" parameters
   unix password sync = yes

# how should smbd talk to the local system when changing a UNIX
# password? See smb.conf(5) for details
   passwd chat = *new*password* %n\n *new*password* %n\n *successfully*

# Enable this if you want Samba to act as a domain controller.
   domain logons = no

# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this server's netbios name, %U is username
# (there is no [profiles] share in this configuration)
# logon path = (Means do not use roving profiles)
   logon path =

# What drive should the "logon home" be mounted at upon login ?
# only used when acting as a DC for WinNT/2k/XP. Ignored by Win9x clients
   logon drive = Z:

[files]
   comment = Shared Directory
# the original listing has no path line; the share needs one that points
# at the directory to export
   path = /path/to/shared/directory
   writable = yes
   valid users = @a_valid_group_name,root
   public = no
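As an added check (not part of the original page, and not code from Samba), here is a small shell script that pulls the settings discussed above out of an smb.conf and flags the values that matter for security: null passwords, encrypt passwords, ldap ssl and security. It needs only sh and awk (nawk on Solaris 9), so it can run on the server itself; the sample smb.conf it writes to /tmp is constructed for the demonstration. Run testparm as well, since this script only knows about the handful of parameters it checks.

```shell
#!/bin/sh
# Added example, not from the original page or from Samba: audit the
# security-relevant [global] settings of an smb.conf like the one above.
# Needs only sh and awk (use /usr/xpg4/bin/sh and nawk on Solaris 9).

# smb_setting FILE NAME
#   Print the value of parameter NAME from the [global] section of FILE,
#   lowercased. Like smbd, it ignores case and whitespace in parameter
#   names, skips # and ; comment lines, and lets the last occurrence win.
smb_setting() {
    awk -v key="$2" '
        BEGIN { gsub(/[ \t]/, "", key); key = tolower(key); inglobal = 0 }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { inglobal = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        inglobal && index($0, "=") > 0 {
            name = $0; sub(/=.*/, "", name); gsub(/[ \t]/, "", name)
            if (tolower(name) == key) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                result = val
            }
        }
        END { print tolower(result) }
    ' "$1"
}

# smb_audit FILE
#   Print one line per weak setting; return 1 if any were found, else 0.
smb_audit() {
    rc=0
    v=$(smb_setting "$1" "null passwords")
    case $v in
        yes|true|1) echo "null passwords = $v: accounts with an empty password can log in"; rc=1 ;;
    esac
    v=$(smb_setting "$1" "encrypt passwords")
    case $v in
        yes|true|1) ;;
        *) echo "encrypt passwords = '$v': clients would have to send plaintext passwords"; rc=1 ;;
    esac
    v=$(smb_setting "$1" "ldap ssl")
    case $v in
        "start tls"|on) ;;
        *) echo "ldap ssl = '$v': the ldap admin dn bind and password hashes travel in the clear"; rc=1 ;;
    esac
    v=$(smb_setting "$1" "security")
    case $v in
        user) ;;
        *) echo "security = '$v': this setup expects security = user"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the [global] section from the page, with the
# questionable "null passwords = Yes" left in so the audit has something to find.
sample=${TMPDIR:-/tmp}/smb.conf.sample.$$
cat > "$sample" <<'EOF'
[global]
   workgroup = workgroupname
   ldap admin dn = uid=root,cn=users,dc=your,dc=site,dc=com
   ldap ssl = start tls
   security = user
   null passwords = Yes
   encrypt passwords = yes
[files]
   public = no
EOF
smb_audit "$sample" || echo "weak settings found in $sample"
rm -f "$sample"
```

Point it at the real file with smb_audit /usr/local/samba/lib/smb.conf; a non-zero exit status means at least one finding, which makes it easy to run from a cron job or before restarting smbd.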
Set Administration Password
In smb.conf we referred to
ldap admin dn = uid=root,cn=users,dc=your,dc=site,dc=com. This user must exist in the LDAP directory, and its password needs to be stored in
secrets.tdb, which is where Samba reads it from when it binds to the directory. It must match the password held in your directory. Note that smbpasswd -w takes the password as a command-line argument, so it is visible to other users in ps output while the command runs and ends up in the shell's history file if the shell keeps one; run it from a root shell, remove the history entry afterwards, and keep secrets.tdb (in /usr/local/samba/private) owned by root and readable by root only.
root@ldap > /usr/local/samba/bin/smbpasswd -w ldap_admin_password
Setting stored password for "uid=root,cn=users,dc=your,dc=site,dc=com" in secrets.tdb
Install Samba-LDAP tools
IDEALX (http://www.idealx.org/index.en.html) provide some very useful Perl scripts that can be configured to suit your set up. The current file
smbldap-tools-0.7.tgz can be downloaded from http://www.idealx.org/prj/samba/index.en.html
Unpack these and copy *.pl and *.pm to /usr/local/sbin, the directory that the smb.conf above and the ln command below refer to.
Symbolic links to smbldap_tools.pm (and the other *.pm files) need to be created in Perl's library directory so that Perl can find these modules.
smbldap_conf.pm holds the DN and password the scripts bind to the directory with, so the files in /usr/local/sbin must be owned by root and unreadable by everyone else (0700 for the scripts, 0600 for the modules); a symbolic link keeps those permissions, but a copy placed in the Perl library directory would need the same treatment.
ln -s /usr/local/sbin/*.pm /usr/local/lib/perl5/5.8.0/
Correction to smbldap-passwd.pl
When trying to change passwords using smbldap-passwd.pl I got the error:
Change password of an LDAP user
usage: ldappasswd [options] [user]
  user: the autentication identity, commonly a DN
Password change options:
  -a secret  old password
  -A         prompt for old password
  -t file    read file for old password
  -s secret  new password
  -S         prompt for new password
  -T file    read file for new password
Common options:
  -C         chase referrals
  -d level   set LDAP debugging level to `level'
  -D binddn  bind DN
  -e [!]<ctrl>[=<ctrlparam>] general controls (! indicates criticality)
             [!]authzid=<authzid> ("dn:<dn>" or "u:<user>")
             [!]manageDSAit       (alternate form, see -M)
             [!]noop
  -h host    LDAP server
  -H URI     LDAP Uniform Resource Indentifier(s)
  -I         use SASL Interactive mode
  -n         show what would be done but don't actually do it
  -O props   SASL security properties
  -p port    port on LDAP server
  -Q         use SASL Quiet mode
  -R realm   SASL realm
  -U authcid SASL authentication identity
  -v         run in verbose mode (diagnostics to standard output)
  -V         print version info (-VV only)
  -w passwd  bind password (for simple authentication)
  -W         prompt for bind password
  -x         Simple authentication
  -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
  -y file    Read password from file
  -Y mech    SASL mechanism
  -Z         Start TLS request (-ZZ to require successful response)
To fix this, change the call to ldappasswd in smbldap-passwd.pl from:

    # change unix password
    $ret = system "$ldappasswd $dn -s '$pass' > /dev/null";

to:

    # change unix password
    $ret = system "$ldappasswd -s '$pass' $dn > /dev/null";

The usage line above, ldappasswd [options] [user], is the reason: ldappasswd expects its options before the user DN, and Solaris getopt(3C) stops parsing options at the first non-option argument, so with $dn in front the -s that follows is left over and ldappasswd prints its usage instead of changing the password.

Two things about the corrected line are worth knowing. Because the command is passed to system as a single string, Perl hands it to /bin/sh, and the new password is interpolated into that string between single quotes; a password that contains a single quote therefore ends the quoting, and whatever follows it is run as shell commands with the privileges of the script. And -s puts the new password on the command line, where ps shows it to other users for as long as ldappasswd runs. The -T file option listed in the usage output avoids both problems.
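As an added example (not from the original page and not smbldap-tools code), here is a shell equivalent of the corrected "change unix password" step that keeps the new password off the ldappasswd command line: the password is written to a root-only temporary file and handed to ldappasswd with -T, and the DN is passed as a separate argument that no shell re-parses. LDAPPASSWD (the ldappasswd binary, default ldappasswd) and LDAPPASSWD_OPTS (the bind options, e.g. -x -ZZ -D ... -y /etc/ldap.secret) are variable names assumed for this example.

```shell
#!/bin/sh
# Added example, not from the original page or from smbldap-tools: change an
# LDAP user's password without putting the password on the command line or
# through a shell string. LDAPPASSWD and LDAPPASSWD_OPTS are assumed
# environment variables for this example.

# ldap_set_password DN NEWPASSWORD
#   Change the password of DN to NEWPASSWORD; returns ldappasswd's exit status.
ldap_set_password() {
    dn=$1
    newpass=$2
    pwfile=${TMPDIR:-/tmp}/ldappw.$$

    # create the file with mode 0600 before anything is written to it
    oldmask=$(umask)
    umask 077
    # printf, not echo: echo may mangle a password such as "-n" or "a\tb".
    # No trailing newline: ldappasswd -T uses the file contents verbatim.
    printf '%s' "$newpass" > "$pwfile" || { umask "$oldmask"; return 1; }
    umask "$oldmask"

    # options first, user DN last: the usage is "ldappasswd [options] [user]".
    # Each argument is passed as-is, so a password or DN containing quotes,
    # semicolons or spaces cannot turn into extra shell commands.
    ${LDAPPASSWD:-ldappasswd} $LDAPPASSWD_OPTS -T "$pwfile" "$dn"
    rc=$?
    rm -f "$pwfile"
    return $rc
}

# Example use (needs the OpenLDAP client tools and a reachable directory):
#   LDAPPASSWD_OPTS="-x -ZZ -D uid=root,cn=users,dc=your,dc=site,dc=com -y /etc/ldap.secret" \
#   ldap_set_password "uid=$user,cn=users,dc=your,dc=site,dc=com" "$newpass"
```

The same verbatim-file rule applies to the bind password read with -y: a trailing newline in /etc/ldap.secret becomes part of the password and the bind fails, so create that file with printf '%s' as well, and with mode 0600.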