LDAP Samba on Solaris 9

Build and install Samba

Download the latest version of Samba (2.2.8a) from http://www.samba.org/.

Then install it. Ensure that gcc is installed and correctly configured on your machine. This will install samba into /usr/local/samba/.

root@ldap > gunzip samba-2.2.8a.tar.gz
root@ldap > tar -xvf samba-2.2.8a.tar
root@ldap > cd samba-2.2.8a/source/
root@ldap > export LD_LIBRARY_PATH
root@ldap > LD_LIBRARY_PATH=/usr/local/lib
root@ldap > ./configure --with-ldapsam --with-ssl --with-pam --with-pam_smbpass
root@ldap > make
root@ldap > make install

NOTE: If you need to go back and do this again, remove config.cache. It may save you some headaches.

One persistent error with samba binaries was their inability to find libpopt.so.0, which is in /usr/local/lib. This give errors such as:

ld.so.1: /usr/local/samba/bin/smbstatus: fatal: libpopt.so.0: open failed: No such file or directory

My solution was to create a symbolic link pointing /usr/lib/libpopt.so.0 -> /usr/local/lib/libpopt.so.0

ln -s /usr/local/lib/libpopt.so.0 /usr/lib/libpopt.so.0

Configure smb.conf

smb.conf is located in lib directory of your samba installation e.g. /usr/local/samba/lib/smb.conf. This requires some careful configuration to get things to work. Let's consider some of the essential settings.

Please Note: This will NOT setup a Primary Domain Controller (PDC)


workgroup = workgroupname 
server string = Server running samba %v
netbios name = servername

# SAMBA-LDAP declarations
ldap suffix = dc=your,dc=site,dc=com
# User with write access to the LDAP directory
ldap admin dn = uid=root,cn=users,dc=your,dc=site,dc=com
ldap port = 389
ldap server = ldap.your.site.com
ldap ssl = start tls

wins server = wins.your.site.com

# Create machine trust accounts automatically 
add user script = /usr/local/sbin/smbldap-useradd.pl -w %u

# this tells Samba to use a separate log file for each machine
# that connects
log file = /usr/local/samba/var/log.%m
# How much information do you want to see in the logs?
# default (1) is only to log critical messages
log level = 2

# Put a capping on the size of the log files (in Kb).
max log size = 50

# MUST be security = user for PDC
security = user

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
# You may want to add the following on a Linux system:
#         SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY

# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
local master = yes

# OS Level determines the precedence of this server in master browser
# elections. The default value (20) should be reasonable
os level = 90

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
domain master = no

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
preferred master = yes

# I have stuck this in because it was in a HOWTO but I have no idea what it does - but it does not sound good
null passwords = Yes

# You MUST use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
encrypt passwords = yes

passwd program =/usr/local/sbin/smbldap-passwd.pl -o %u

# When using encrypted passwords, Samba can synchronize the local
# UNIX password as well.  You will also need the "passwd chat" parameters
unix password sync = yes

# how should smbd talk to the local system when changing a UNIX
# password?  See smb.conf(5) for details
passwd chat = *new*password* %n\n *new*password* %n\n *successfully*

# Enable this if you want Samba act as a domain controller.
domain logons = no

# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# This refers to the [profiles] share below
# The permissions on the profiles directory should be 
# logon path = (Means do not use roving profiles)
logon path = 

# What drive should the "logon home" be mounted at upon login ?
# only used when acting as a DC for WinNT/2k/XP.  Ignored by Win9x clients
logon drive = Z:

     comment = Shared Directory
     writable = yes
     valid users = @a_valid_group_name,root
     public = no

Set Administration Password

In smb.conf we referred to ldap admin dn = uid=root,cn=users,dc=your,dc=site,dc=com. This user must exist in the LDAP directory and its password needs to be set in secrets.tdb. This needs to match the password in your directory.

root@ldap > /usr/local/samba/bin/smbpasswd -w ldap_admin_password
Setting stored password for "uid=root,cn=users,dc=your,dc=site,dc=com" in secrets.tdb

Install Samba-LDAP tools

IDEALX (http://www.idealx.org/index.en.html) provide some very useful perl scripts that can be configured to suit your set up. The current file smbldap-tools-0.7.tgz can be downloaded from http://www.idealx.org/prj/samba/index.en.html

Unpack these and copy *.pl and *.pm to /usr/local/sbin

Symbolic links need to be created to smbldap_conf.pm and smbldap_tools.pm so that PERL is aware of these packages.

ln -s /usr/local/sbin/*.pm /usr/local/lib/perl5/5.8.0/

Correction to smbldap-passwd.pl

When trying to change passwords using smbldap-passwd.pl I got the error:
Change password of an LDAP user

usage: ldappasswd [options] [user]
  user: the autentication identity, commonly a DN
Password change options:
  -a secret  old password
  -A         prompt for old password
  -t file    read file for old password
  -s secret  new password
  -S         prompt for new password
  -T file    read file for new password
Common options:
  -C         chase referrals
  -d level   set LDAP debugging level to `level'
  -D binddn  bind DN
  -e [!][=] general controls (! indicates criticality)
             [!]authzid= ("dn:" or "u:")
             [!]manageDSAit       (alternate form, see -M)
  -h host    LDAP server
  -H URI     LDAP Uniform Resource Indentifier(s)
  -I         use SASL Interactive mode
  -n         show what would be done but don't actually do it
  -O props   SASL security properties
  -p port    port on LDAP server
  -Q         use SASL Quiet mode
  -R realm   SASL realm
  -U authcid SASL authentication identity
  -v         run in verbose mode (diagnostics to standard output)
  -V         print version info (-VV only)
  -w passwd  bind password (for simple authentication)
  -W         prompt for bind password
  -x         Simple authentication
  -X authzid SASL authorization identity ("dn:" or "u:")
  -y file    Read password from file
  -Y mech    SASL mechanism
  -Z         Start TLS request (-ZZ to require successful response)

To fix this change the call to ldappasswd in smbldap-passwd.pl from:

# change unix password
$ret = system "$ldappasswd $dn -s '$pass' > /dev/null";
# change unix password
$ret = system "$ldappasswd -s '$pass' $dn > /dev/null";

Author: Lance Rathbone
Last modified: Wednesday June 18, 2008