Tags: centos, openldap, samba

CentOS 6.4 / Samba4 standalone server using OpenLDAP backend


I have an OpenLDAP server (v2.4) running on CentOS 6.4. It works great! I'm using this OpenLDAP server as the authentication backend for several services like GitLab, Redmine, etc.

Now I want to set up another Samba standalone server and use the OpenLDAP server as the auth backend for the existing users in OpenLDAP. I tried with Samba v3.6.9, but after configuring the auth backend as ldapsam in smb.conf I can't log in using an LDAP account.

When I run

smbclient -L localhost -U%
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.9-151.el6_4.1]

    Sharename       Type      Comment
    ---------       ----      -------
    allusers        Disk      All Users
    IPC$            IPC       IPC Service (Samba Server Version 3.6.9-151.el6_4.1)
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.9-151.el6_4.1]

    Server               Comment
    ---------            -------
    VAGRANT-CENTOS64     Samba Server Version 3.6.9-151.el6_4.1

    Workgroup            Master
    ---------            -------
    WORKGROUP            MY_MACHINE

But when I log in with my test account

smbclient -L localhost -U test
Enter test's password: 
session setup failed: NT_STATUS_LOGON_FAILURE

Here is my /etc/samba/smb.conf (printed out by testparm)

[global]
        workgroup = MYGROUP
        server string = Samba Server Version %v
        passdb backend = ldapsam:ldap://192.168.1.201/
        log file = /var/log/samba/log.%m
        max log size = 50
        ldap admin dn = cn=Manager,dc=mycompany,dc=com
        ldap passwd sync = yes
        ldap suffix = dc=mycompany,dc=com
        ldap ssl = no
        ldap debug level = 1
        idmap config * : backend = tdb
        cups options = raw

On the Samba server, I use sssd to authenticate against OpenLDAP. From this Samba machine I can query users with the ldapsearch command. I can get user info with id LDAP_USER and ssh to this machine as any LDAP_USER with their password. Here is my /etc/sssd/sssd.conf

[domain/mycompany.com]

ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = dc=mycompany,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://192.168.1.201:636
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = never

[sssd]
services = nss, pam
config_file_version = 2

domains = mycompany.com

On the OpenLDAP server, I use LDAP Account Manager to manage users/groups. I imported the Samba schema and checked that everything is OK in LAM. I also enabled the samba3 extension for some users in LDAP for testing. I also opened ports 137, 138, 139 and 445 (TCP) on the Samba server.

So what should I do next? I just want to reuse the users from the OpenLDAP server. I don't want to create any users from Samba. Please give me suggestions about this case.

Thank you!


Solution

  • You need to make sure Samba knows the password of the admin DN used to bind to the LDAP server. This is done with

    smbpasswd -w <secret>

    before starting Samba.

    Now, if that is done, do you have NTLM passwords created for your users? Samba checks the sambaNTPassword and sambaLMPassword attributes when authenticating a user. To have these attributes updated when a user changes their own password through LDAP, you need to use the smbk5pwd OpenLDAP overlay and set ldap passwd sync = only in smb.conf instead of ldap passwd sync = yes as you did.
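As an added example (not code from the question or the answer above), here is a pre-flight script in POSIX sh that checks the three points the answer raises, run against constructed sample inputs so it works offline: whether the password for the ldap admin dn is stored in secrets.tdb (the effect of smbpasswd -w), whether a user entry carries sambaSamAccount plus a sambaNTPassword (the samba3 extension the question enabled in LAM), and whether smb.conf says ldap passwd sync = only rather than the yes from the posted smb.conf. The DN, host and user name come from the question; the tdbdump key format, the secrets.tdb path, the dummy NT hash and the sample LDIF entries are assumptions.

```shell
#!/bin/sh
# Added pre-flight check for a Samba ldapsam setup; not from the original post.
# Verifies the three things the answer names:
#  1. the "ldap admin dn" password is stored in secrets.tdb (smbpasswd -w),
#  2. the user entry carries objectClass sambaSamAccount + sambaNTPassword,
#  3. smb.conf uses "ldap passwd sync = only" (smbk5pwd maintains the hashes).
# All inputs below are constructed samples; only DN, host and user names are
# taken from the question.

# --- constructed inputs -------------------------------------------------------

# Shape of `tdbdump /var/lib/samba/private/secrets.tdb` after `smbpasswd -w`
# (key name assumed from Samba's secrets code; path assumed for CentOS 6).
SAMPLE_SECRETS_OK='{
key(52) = "SECRETS/LDAP_BIND_PW/cn=Manager,dc=mycompany,dc=com\00"
data(7) = "s3cret\00"
}'
# Same dump on a box where smbpasswd -w was never run: only the machine SID.
SAMPLE_SECRETS_MISSING='{
key(29) = "SECRETS/SID/VAGRANT-CENTOS64\00"
data(68) = "..."
}'

# Shape of `ldapsearch -LLL ... "(uid=test)" objectClass sambaNTPassword`.
# "test" has the samba3 extension (dummy 32-hex hash); "plain" does not.
SAMPLE_LDIF_READY='dn: uid=test,ou=People,dc=mycompany,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF'
SAMPLE_LDIF_NOT_READY='dn: uid=plain,ou=People,dc=mycompany,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount'

# The relevant lines of smb.conf as posted, and with the answer's fix applied.
SMBCONF_AS_POSTED='[global]
        passdb backend = ldapsam:ldap://192.168.1.201/
        ldap admin dn = cn=Manager,dc=mycompany,dc=com
        ldap passwd sync = yes'
SMBCONF_FIXED='[global]
        passdb backend = ldapsam:ldap://192.168.1.201/
        ldap admin dn = cn=Manager,dc=mycompany,dc=com
        ldap passwd sync = only'

# --- checks (each reads its input on stdin so it can be tested offline) -------

# 0 if tdbdump output contains the stored bind password for the given admin DN.
ldap_bind_pw_stored() {
    grep -qF "SECRETS/LDAP_BIND_PW/$1"
}

# 0 if the LDIF entry is one Samba's ldapsam can authenticate:
# objectClass sambaSamAccount plus a 32-hex-digit sambaNTPassword.
samba_auth_ready() {
    ldif=$(cat)
    printf '%s\n' "$ldif" | grep -qi '^objectClass: sambaSamAccount$' || return 1
    printf '%s\n' "$ldif" | grep -qi '^sambaNTPassword: [0-9A-Fa-f]\{32\}$'
}

# Print the effective "ldap passwd sync" value; Samba defaults to "no" if unset.
ldap_passwd_sync_mode() {
    mode=$(sed -n 's/^[[:space:]]*ldap passwd sync[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' | tail -n 1)
    printf '%s\n' "${mode:-no}"
}

# --- run the checks against the constructed inputs ----------------------------
ADMIN_DN='cn=Manager,dc=mycompany,dc=com'
report() { printf '%-45s %s\n' "$1" "$2"; }

if printf '%s\n' "$SAMPLE_SECRETS_OK" | ldap_bind_pw_stored "$ADMIN_DN"; then
    report "bind password in secrets.tdb" "ok"
else
    report "bind password in secrets.tdb" "MISSING: run smbpasswd -w <secret>"
fi
for entry in "$SAMPLE_LDIF_READY" "$SAMPLE_LDIF_NOT_READY"; do
    dn=$(printf '%s\n' "$entry" | sed -n 's/^dn: //p')
    if printf '%s\n' "$entry" | samba_auth_ready; then
        report "$dn" "has sambaSamAccount + NT hash"
    else
        report "$dn" "NO NT hash: enable samba3 extension, reset password via smbk5pwd"
    fi
done
report "ldap passwd sync (as posted)" "$(printf '%s\n' "$SMBCONF_AS_POSTED" | ldap_passwd_sync_mode)"
report "ldap passwd sync (fixed)"     "$(printf '%s\n' "$SMBCONF_FIXED" | ldap_passwd_sync_mode)"

# Live commands for the real box (assumed tools; not executed here):
#   smbpasswd -w '<secret>'                          # store pw for "ldap admin dn"
#   tdbdump /var/lib/samba/private/secrets.tdb | grep LDAP_BIND_PW
#   ldapsearch -x -LLL -H ldaps://192.168.1.201:636 -b dc=mycompany,dc=com \
#       -D "$ADMIN_DN" -W '(uid=test)' objectClass sambaNTPassword
```

The script only detects which piece is missing; loading the smbk5pwd overlay into slapd and having each user set a password again so the NT and LM hashes get populated remain manual steps, and a user whose entry shows no sambaNTPassword will keep failing with NT_STATUS_LOGON_FAILURE no matter what smb.conf says.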