2.2.3. Adding Samba LDAP objects
Next, configure the smbldap-tools package to match your environment. The package comes with a configuration helper script called smbldap-config. Before running it, though, you should decide on two important configuration settings in /etc/samba/smb.conf:
• netbios name: how this server will be known. The default value is derived from the server's hostname, but truncated at 15 characters.
• workgroup: the workgroup name for this server or, if you later make it a domain controller, the domain name.
It's important to make these choices now because smbldap-config uses them to generate the smbldap-tools configuration, and smbldap-populate later stores values derived from that configuration in the LDAP directory. If you run smbldap-config now and change these values in /etc/samba/smb.conf afterwards, smb.conf and the directory will disagree.
Once you are happy with the netbios name and workgroup, generate the smbldap-tools configuration by running the configuration script, which will ask you some questions:
sudo smbldap-config
Some of the more important ones:
• workgroup name: has to match what you will configure in /etc/samba/smb.conf later on.
• ldap suffix: has to match the ldap suffix you chose when you configured the LDAP server.
• other ldap suffixes: they are all relative to ldap suffix above. For example, for ldap user suffix you should use ou=People.
• ldap master bind dn and bind password: use the rootDN credentials. The password is written in clear text to the generated bind configuration file, so keep that file readable by root only.
The smbldap-populate script will then add the LDAP objects required for Samba. It is a good idea to first make a backup of your DIT using slapcat:
sudo slapcat -l backup.ldif
Once you have a backup proceed to populate your directory. It will ask you for a password for the "domain root" user, which is also the "root" user stored in LDAP:
sudo smbldap-populate -g 10000 -u 10000 -r 10000
The -u and -g parameters set the first uid and gid that smbldap-tools will allocate to LDAP users and groups; -r sets the first RID (the Samba relative identifier used to build their SIDs). Pick a range start that does not overlap with the local users and groups in /etc/passwd and /etc/group.
You can create an LDIF file containing the new Samba objects by executing sudo smbldap-populate -e samba.ldif. This allows you to look over the changes to make sure everything is correct. If it is, rerun the script without the '-e' switch. Alternatively, you can take the LDIF file and import it as you would any other LDIF.
Your LDAP directory now has the necessary information to authenticate Samba users.
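The two things this section asks you to get right before running smbldap-config and smbldap-populate are the netbios name/workgroup (which must stay consistent between smb.conf and what smbldap-tools writes into the directory) and a uid/gid range start that does not collide with local accounts. The following POSIX shell script is an added example, not part of the Ubuntu guide or of smbldap-tools, that checks both against sample files. It assumes smb.conf uses "key = value" lines, that smbldap.conf uses key="value" lines with the keys sambaDomain and suffix as shipped by smbldap-tools, and that 60000 (the usual login.defs UID_MAX) is a sensible ceiling below which local ids count as collisions; the sample smb.conf, smbldap.conf, passwd and group contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu guide or of smbldap-tools itself.
# Pre-flight checks for the smbldap-config / smbldap-populate procedure:
#  1. the netbios name Samba derives from a hostname when none is configured,
#  2. whether smb.conf's workgroup matches smbldap.conf's sambaDomain,
#  3. whether a chosen uid/gid range start collides with local accounts.
# Assumed file formats: smb.conf uses "key = value" lines; smbldap.conf uses
# key="value" lines with the keys sambaDomain and suffix; passwd/group files
# use the usual colon-separated layout.

# Samba's default netbios name: first DNS label of the hostname, upper-cased,
# truncated to 15 characters (the NetBIOS name length limit).
default_netbios_name() {
    printf '%s\n' "$1" | cut -d. -f1 | tr 'a-z' 'A-Z' | cut -c1-15
}

# Value of KEY in an smb.conf-style file (case-insensitive key, comments
# starting with # or ; ignored, last definition wins as in Samba).
smb_conf_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*[#;]/ { next }
        index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            val  = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (tolower(name) == k) found = val
        }
        END { if (found != "") print found }' "$1"
}

# Value of KEY in smbldap.conf (key="value" or key=value, quotes stripped).
smbldap_conf_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# 0 if smb.conf's workgroup equals smbldap.conf's sambaDomain (case-insensitive),
# 1 otherwise. smbldap-populate stores sambaDomain in the directory, so a later
# change to smb.conf alone leaves the two out of step.
check_workgroup_consistent() {
    wg=$(smb_conf_value "$1" workgroup | tr 'a-z' 'A-Z')
    dom=$(smbldap_conf_value "$2" sambaDomain | tr 'a-z' 'A-Z')
    [ -n "$wg" ] && [ "$wg" = "$dom" ]
}

# Print "name:id" for entries of a passwd/group file whose id lies in
# [START, CEILING), i.e. ids the upward-counting allocator could reuse.
# CEILING defaults to 60000 (assumption: the common login.defs UID_MAX), so
# the reserved nobody/nogroup entry at 65534 is not reported.
local_ids_in_range() {
    awk -F: -v start="$2" -v ceiling="${3:-60000}" '
        /^[[:space:]]*#/ || NF < 3 { next }
        $3 + 0 >= start + 0 && $3 + 0 < ceiling + 0 { print $1 ":" $3 }' "$1"
}

# 0 if neither PASSWD nor GROUP has an entry at or above START, else 1
# (the clashing entries are listed on stderr).
check_id_start() {
    start=$1; passwd=${2:-/etc/passwd}; group=${3:-/etc/group}
    clashes=$(local_ids_in_range "$passwd" "$start"; local_ids_in_range "$group" "$start")
    if [ -n "$clashes" ]; then
        printf 'uid/gid start %s overlaps local accounts:\n%s\n' "$start" "$clashes" >&2
        return 1
    fi
    return 0
}

# Demo on constructed sample files (not real system files).
demo() {
    tmp=$(mktemp -d)
    printf '[global]\n   # netbios name left at its default\n   workgroup = EXAMPLE\n   security = user\n' > "$tmp/smb.conf"
    printf 'sambaDomain="EXAMPLE"\nsuffix="dc=example,dc=com"\nusersdn="ou=People,${suffix}"\n' > "$tmp/smbldap.conf"
    printf 'root:x:0:0:root:/root:/bin/bash\nubuntu:x:1000:1000::/home/ubuntu:/bin/bash\n' > "$tmp/passwd"
    printf 'backup-svc:x:10500:10500::/var/lib/backup:/usr/sbin/nologin\nnobody:x:65534:65534::/nonexistent:/usr/sbin/nologin\n' >> "$tmp/passwd"
    printf 'root:x:0:\nubuntu:x:1000:\nnogroup:x:65534:\n' > "$tmp/group"
    echo "default netbios name for files.example.com: $(default_netbios_name files.example.com)"
    check_workgroup_consistent "$tmp/smb.conf" "$tmp/smbldap.conf" && echo "workgroup and sambaDomain agree"
    check_id_start 10000 "$tmp/passwd" "$tmp/group" || echo "-> pick a higher start, e.g. 20000"
    check_id_start 20000 "$tmp/passwd" "$tmp/group" && echo "start 20000 is free"
    rm -rf "$tmp"
}
```

Run the script with `demo` as its last line to see the checks on the sample data; on a real server call `check_workgroup_consistent /etc/samba/smb.conf /etc/smbldap-tools/smbldap.conf` and `check_id_start 10000` (defaulting to /etc/passwd and /etc/group) before running smbldap-populate with the same range start.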