Converting single Samba PDC with tdbsam backend to PDC + BDC with ldapsam backend
- Convert the PDC's passdb backend from tdbsam to ldapsam (see "Migrating Samba user data" below)
- Create a replica of the LDAP directory on the BDC
- Set up the BDC's smb.conf (don't start smbd yet)
- On the BDC:
- smbpasswd -w (stores the ldap admin dn password in secrets.tdb)
- net rpc getsid (fetches the domain SID from the PDC into secrets.tdb)
- service smb start
LDAP
I used the LDAP System Administration book from O'Reilly to set up my LDAP server. I set it up to use nss_ldap as described in chapter 6 using the PADL scripts.
ACLs
Although the default policy allows anyone to read anything and restricts updates to the rootdn (i.e. "access to * by * read"), according to this thread an explicit ACL must be added for ldap passwd sync to work. Like this:
access to dn.base=""
by * read
This allows anyone to read the root DSE, which Samba queries for the server's capabilities: with ldap passwd sync enabled it looks for the Password Modify extended operation in supportedExtension and does not update the LDAP password if it cannot see it. Put this directive before any catch-all "access to *" rule (slapd uses the first directive that matches), and remember that as soon as slapd.conf contains any access directive the implicit "access to * by * read" default no longer applies, so the rest of the tree needs its own rules.
Samba
I use the IDEALX scripts as well as LDAPAdmin to manage accounts.
Migrating Samba user data
Run this on the PDC once the ldap admin dn password has been stored with smbpasswd -w (the export binds as that DN) and the ou=People container exists in the directory:
# pdbedit -i tdbsam -e ldapsam
LDAP settings in smb.conf
# LDAP related parameters:
# Define the DN used when binding to the LDAP servers.
# The password for this DN is not stored in smb.conf.
# Set it using 'smbpasswd -w secret' to store the
# passphrase in the secrets.tdb file.
# If the "ldap admin dn" value changes, it must be reset.
ldap admin dn = "cn=Manager,dc=example,dc=com"
# Transport security for directory connections:
# 'off' or 'start tls' (the default). 'on' (LDAPS on port 636) only
# exists in old builds; newer ones take an ldaps:// URL in passdb backend.
# 'off' is only safe when the LDAP server is reached over ldapi:// or
# loopback, since the admin DN password and the password hashes otherwise
# cross the network in cleartext.
ldap ssl = off
# smbpasswd -x deletes the entire DN entry
ldap delete dn = no
# The user, group and machine suffixes are prepended to the base suffix,
# written WITHOUT quotes. Empty (i.e. the base suffix itself) by default.
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=Computers
# Specify the base DN to use when searching the directory
ldap suffix = dc=example,dc=com
# Also update userPassword in LDAP when a user changes the Windows
# password. Samba does this with the LDAP Password Modify extended
# operation, so the server must advertise it in its root DSE and the
# admin DN must be allowed to write userPassword. With this set,
# unix password sync is not needed for LDAP accounts.
ldap passwd sync = Yes
# This I still haven't got working yet!
#unix password sync = Yes
#passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
#passwd chat = *\n*New*password* %n\n *new*password* %n\n
add user script = /opt/IDEALX/sbin/smbldap-useradd -m -n -g users '%u'
delete user script = /opt/IDEALX/sbin/smbldap-userdel -r '%u'
add group script = /opt/IDEALX/sbin/smbldap-groupadd '%g'
delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%u' '%g'
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'
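The settings above are worth checking mechanically before the backend is switched, in particular the combination of ldap ssl = off with a non-local LDAP server. The script below is an added example written for this page, not code from the original notes or from Samba or IDEALX: it reads an smb.conf, extracts the LDAP-related values, and reports a cleartext admin bind when ldap ssl = off is paired with a remote ldap:// URL. The sample smb.conf it writes is constructed from the settings shown above plus an assumed passdb backend line pointing at an assumed host ldap.example.com.

```shell
#!/bin/sh
# Added example, not part of the original page: lint the LDAP settings of
# an smb.conf before switching passdb backend to ldapsam. The sample file
# below is constructed from the settings shown above plus an assumed
# "passdb backend" line that points at a remote LDAP host.

# smbconf_get FILE KEY: print the value of KEY (case-insensitive, first
# match wins) with surrounding whitespace and double quotes stripped.
smbconf_get() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }          # comment line
        index($0, "=") == 0 { next }          # section header or blank
        {
            eq = index($0, "=")
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            gsub(/^"|"$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# check_ldap_smbconf FILE: print one line per finding; return 0 if clean.
check_ldap_smbconf() {
    conf=$1; rc=0
    backend=$(smbconf_get "$conf" "passdb backend")
    ssl=$(smbconf_get "$conf" "ldap ssl" | tr 'A-Z' 'a-z')
    admin=$(smbconf_get "$conf" "ldap admin dn")
    suffix=$(smbconf_get "$conf" "ldap suffix")

    case "$backend" in
        ldapsam*) ;;
        *) echo "FAIL: passdb backend is '${backend:-unset}', not ldapsam"; return 1 ;;
    esac
    url=${backend#ldapsam:}          # empty means the default, ldap://localhost
    case "$url" in
        ""|ldapi://*|ldap://localhost*|ldap://127.0.0.1*|ldaps://*) ;;
        ldap://*)
            # The default for "ldap ssl" is "start tls". An explicit "off"
            # on a remote ldap:// URL sends the admin DN bind password and
            # the NT/LM hashes across the network in cleartext.
            if [ "$ssl" = "off" ]; then
                echo "WARN: ldap ssl = off with remote URL $url (cleartext admin bind)"
                rc=1
            fi ;;
        *) echo "WARN: unrecognised LDAP URL '$url'"; rc=1 ;;
    esac
    [ -n "$admin" ]  || { echo "FAIL: ldap admin dn not set (smbpasswd -w has nothing to bind as)"; rc=1; }
    [ -n "$suffix" ] || { echo "FAIL: ldap suffix not set"; rc=1; }
    return $rc
}

# Constructed sample: the page's settings plus an assumed remote backend.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap admin dn = "cn=Manager,dc=example,dc=com"
   ldap ssl = off
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap passwd sync = Yes
EOF
}

tmp=$(mktemp)
write_sample_conf "$tmp"
if check_ldap_smbconf "$tmp"; then
    echo "OK: $tmp"
fi
rm -f "$tmp"
```

Run against the real file with check_ldap_smbconf /etc/samba/smb.conf. Changing the sample to ldap ssl = start tls, or to an ldapi:/// URL as the IDEALX setup on a single host would use, makes the check pass.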
Add machine script
The add machine script was failing with "The user name could not be found".
From here:
This is because Samba is attempting to do a "getpwnam" on the newly added computer name. In short, first it does:
# smbldap-useradd.pl -w 'computer_name$'
Then it does getpwnam("computer_name$").
The problem is that the second step kept failing because my ldap.conf did not list "ou=Computers,dc=somedomain,dc=org" as a naming context for nss_base_passwd. I updated /etc/ldap.conf to the following and was able to successfully add the computer:
nss_base_passwd ou=Users,dc=somedomain,dc=org?one
nss_base_passwd ou=Computers,dc=somedomain,dc=org?one # This line was added
Multiple sambaDomainName entries
I had two sambaDomainName entries in my LDAP directory; one for my actual domain name and another for the name of the domain controller. These were being inserted because they were present in secrets.tdb. Luckily the secrets.tdb file on my BDC was correct so I just copied that across to the PDC and deleted the entry from the LDAP directory.
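Both the ACL problem in the LDAP section and the duplicate sambaDomainName entries described here show up in plain ldapsearch output, so they can be checked from a script. The block below is an added example written for this page, not code from the original notes, Samba or OpenLDAP: a small LDIF value extractor, a check that the root DSE advertises the Password Modify extended operation Samba needs for ldap passwd sync, and a check that the directory holds exactly one sambaDomain entry, the one named after the workgroup. The LDIF it runs against is constructed sample output, and the host ldap.example.com, the suffix dc=example,dc=com and the workgroup EXAMPLE in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page. Two checks over LDIF as
# printed by "ldapsearch -x -LLL": a root DSE check for the ACL note above
# (Samba reads supportedExtension there and skips the LDAP password update
# when the Password Modify exop is missing) and a check for stray
# sambaDomain entries. The LDIF is constructed sample output; the host,
# suffix and workgroup in the comments are assumptions.

# ldif_values ATTR: read LDIF on stdin and print each value of ATTR, one
# per line. Continuation lines (leading space) are joined first; base64
# ("::") values are printed as-is, undecoded.
ldif_values() {
    awk -v attr="$1" '
        /^ / { buf = buf substr($0, 2); next }
        { flush(); buf = $0 }
        END { flush() }
        function flush(   i, k, v) {
            if (buf == "") return
            i = index(buf, ":")
            if (i > 0) {
                k = substr(buf, 1, i - 1)
                if (tolower(k) == tolower(attr)) {
                    v = substr(buf, i + 1); sub(/^:? */, "", v); print v
                }
            }
            buf = ""
        }'
}

# rootdse_has_passwd_modify: read the root DSE on stdin, succeed when the
# server advertises the Password Modify exop (RFC 3062). Live query:
#   ldapsearch -x -LLL -H ldap://ldap.example.com -s base -b '' supportedExtension
# An ACL that hides the root DSE makes that search return nothing, so
# this check fails exactly when Samba's capability probe would.
rootdse_has_passwd_modify() {
    ldif_values supportedExtension | grep -qxF '1.3.6.1.4.1.4203.1.11.1'
}

# check_samba_domains WORKGROUP: read the result of
#   ldapsearch -x -LLL -b dc=example,dc=com '(objectClass=sambaDomain)' sambaDomainName
# on stdin, report every sambaDomainName other than WORKGROUP, and fail
# unless exactly one entry for WORKGROUP is present.
check_samba_domains() {
    wanted=$(echo "$1" | tr 'a-z' 'A-Z')
    rc=0; hits=0
    for n in $(ldif_values sambaDomainName | tr 'a-z' 'A-Z'); do
        if [ "$n" = "$wanted" ]; then
            hits=$((hits + 1))
        else
            echo "stray sambaDomain entry: sambaDomainName=$n (delete it or fix secrets.tdb)"
            rc=1
        fi
    done
    [ "$hits" -eq 1 ] || { echo "expected exactly one sambaDomainName=$wanted, found $hits"; rc=1; }
    return $rc
}

# Constructed samples: a root DSE offering StartTLS and Password Modify,
# and a directory holding an entry for the domain and one for the DC's
# host name, the situation described above.
sample_rootdse() {
    cat <<'EOF'
dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
EOF
}
sample_domains() {
    cat <<'EOF'
dn: sambaDomainName=EXAMPLE,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: EXAMPLE

dn: sambaDomainName=PDC1,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: PDC1
EOF
}

if sample_rootdse | rootdse_has_passwd_modify; then
    echo "root DSE: Password Modify exop available"
fi
sample_domains | check_samba_domains EXAMPLE || echo "sambaDomain check failed"
```

Pipe the live ldapsearch output into the two functions instead of the sample generators. Running the root DSE query without -D, as an anonymous bind, is deliberate: it exercises the same access path the "by * read" ACL above is there to open.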
