Samba (v.3) PDC LDAP howto

20040811.05

Ignacio Coupeau
CTI, University of Navarra

I hope this document can help: express our personal experience at University of Navarra using Samba and OpenLDAP together.

This document covers the SAMBA_3 LDAP v3. In short: running SAMBA_3 with LDAP new schemas and functionality with full ldap-v3 protocol support. This howto has been tested for: NT-WS-4-SP3+/W2K/XP; linux RH7.1+, Debian 3.0, Kernel 2.x.y and Openldap 2.0.21+.
The SAMBA_3 with LDAP compat mode with old schemas was covered in the smb-ldap-3-compat-howto.
The Samba-2.2.8+ [SAMBA_2_2], runs fine and has Ldap official support. If you do have plan to implement OpenLdap 2.x you must read a note about AUXILIARY objectClass. Please, for SAMBA_2_2 versions you should use the ldap-smb-2_2 document.

If you do have plan to implement OpenLdap 2.x (x>1), and you comes from 2.0.y you must read a note about AUXILIARY objectClass.

Many thanks to Andrew Bartlett and many others that help me a lot with some changes and several updates.

Preliminary notes
Identification and Authentification Scenarios
Most recent changes 2004/05/22
How to download 2004/05/22
Proposed patches
How to compile
Ldap server configuration slap.conf
Comments about the schemas
Samba schema 3.0
A note about AUXILIARY and STRUCTURAL objectClass
Ldap basic entries (also with posixAccount)
Windows XP and W2K requirements
Builtin accounts
Group mapping 2004/08/10
Configuring smb server 2004/04/10
A note about charsets (internationalization)
Configuring smb server with ssl (tls)
Setting the admin dn passwd with smbpasswd
Migrating from samba+ldap old versions to 3.x
Starting (and stopping) the samba server
Adding accounts with smbpasswd
Refine the ldap account entries
Joining workstations (NT, W2K, XP) to the samba domain
A complex and real example: several domains(PDC), several share servers (no PDC), two ldap (master/slave) servers
Migrating accounts from smbpasswd to ldap
Some notes about mandatory and roaming profiles
Password sync
A shortcut for building a pam,nss and ldap cetralized accounting system.

Documentation

The official Samba PDC documentation and the Samba-HOWTO-Collection in pdf or html format.
The more recent documentation (very improved, of course!) may be found in the distribution tree in the docs/ directory:
samba/docs/htmldocs/samba-ldap-howto.html (a must read!)
samba/docs/Samba-HOWTO-Collection.pdf (a must read!)
also the directories: samba/docs/htmldocs/
samba/docs/textdocs
The chapters 21 and 22 of the Teach Yourself Samba in 24 hours (Gerald Carter, SAMS, 1st or 2nd edition); Using Samba (R. Eckstein, D. Collier-Brown & P. Kelly, O'Reilly) may help.
The chapter 20th of the book Special Edition: Using Samba(Richard Sharpe, with Tim Potter & Jim Morris, QUE), covers the LDAP stuff for the old HEAD pre-2.1.
LDAP System Administration (Gerald Carter, O'Reilly); a real and recent system administrator book: a must read for systems' integration with LDAP.

Identification and authentification scenarios [toc]

Some one ask me about scenarios about samba and ldap. This may explain roughly some basic ideas for that one new in samba.
A good idea may be take a look to

About SAMBA Scenarios:

1. A samba server grant the access to services based on user/password@resource. Samba stores the smb passwd secrets in two fashions: lmPassword and ntPassword
when an user logs in a resource, the server compares the nt/lmpassword client's with the hashes stored in the smbpasswd file or in the ldap that replaces the local smbpasswd file.

2. If you need grant access to a samba resource (share, printer, fax, etc.) from a client -an user/passwd@workstation (NT/W2K/XP)- you must supply a source of pairs user:<nt|lm>hash to grant/deny the access. The authentication may be performed:
- local: resolved locally, in the same server, via a smbpasswd or some passwd source (ldap, ...)
- external: the authetication is resolved by an external server (a PDC in short). The difference between "server" and "domain" mechanismsis a bit complex: domain is better for connections; server is maintained for backward compatibility with old versions. If domain is used, the server may be a samba-PDC or NT-PDC.In the new implementations domain is recomended. A samba-PDC may act as PDC and server (file, print, fax, etc.).

3. To access from a client to a samba server (PDC or server) you need provide an unix account, this may be provided via:
- /etc/passwd
- nsswitch --> ldap or nis (posixAccount)
- winbind (virtual accounting mapping: NT users are mapped in unix systems with a virtual uid/uidNumber).

Conclusion: samba uses two kind of accounting information: sambaAccounts (local or remote) AND posix(unix)Accounts. The sambaAccounts may be local or remote (from a PDC). The posix(unix)Accounts arealways local, but may be stored externaly (ldap or nis). May be several posible scenarios:

PDC

1. smbpasswd + /etc/passwd
2. ldap + /etc/passwd
3. ldap + nsswitch(via ldap, nis)
4. smbpasswd + nsswitch(via ldap, nis)

server only (shares, printers...):

1. smbpasswd + etc/passwd
2. ldap + /etc/passwd
3. ldap + nsswitch(via ldap, nis)
4. smbpasswd +nsswitch(via ldap, nis) 5. winbind(virtual users form an NT or PDC server)
6. against an external PDC (security server|domain) +/etc/passwd 7. against an external PDC (security server|domain) +nsswitch(via ldap, nis, ...)

A more formal clasification:
This section about scenarios is under absolute de-construction...

Intended use	passwd class	Config.	implementation topics	in this doc.
samba as external validator: use lm/ntpasswd for authenticate services (squid, ftp)	lm/ntpasswd	`pam_smbpass`	- transparent to ldap - managed by pam via rpc	covered as implementation scenario
access to samba services (shares, printers) validating against pam module	pam dep. plain/MD4 passwd.	`with-pam`	- managed by pam modules (ie pam_ldap)	no, at all
samba services (squid, ftp) and shares validating and authenticating against an AD or an NT PDC	lm/ntpasswd kerberos	`winbind``idmap backend`	- rpc `<->` AD, PDC - ldap may be used for store AD accounting data in the future	no
samba as PDC for validating against external PDC (also shares, printers, may be provided) with unix accounts	lm/ntpasswd	`ldapsam_compat`	- required LDAP database - local or nss methods	covered `smb.conf(5)`
samba as PDC for validating against external PDC (also shares, printers, may be provided) without unix accounts in the local samba-PDC server	lm/ntpasswd	`ldapsam`	- required LDAP database - accounts are mapped as local - required nss_ldap??	covered `smb.conf(5)`
access to samba services (shares, printers) in a local server validating against an external PDC	lm/ntpasswd	`user domain`	- rpc - transparent to ldap	covered as implementation scenario

Most recent changes [toc]

040522

CVS replaced by subversion.

040407

'ldap replication sleep' fixes a problem in the replication time: the slave may be updated prior to new request, or some troubles about sync data (because slurpd replication delay) may be found.

How to download [toc]

There are two ways:

the easy way, ftp, tar files and binaries.
the develop way via Subversion. In April Samba development changed from using CVS to Subversion for version control. Please see the subversion information for details.

Download with subversion (svn):

If you don't have subversion installed, some packages may be required:

rpm -i --force zlib-1.1.4-8.i386.rpm
(--force if you have other zlib: take care)
rpm -i neon-0.24.6-1.i386.rpm
rpm -i apache-libapr-2.0.48-0.1.i386.rpm
rpm -i subversion-1.0.3-1.rh7x.i386.rpm
rpm -i --nodeps subversion-1.0.3-1.rh7x.i386.rpm
rpm -i /root/db4-4.0.14-0.4.i386.rpm

for download the code follow the instructions for the required branche (trunk-stable, develop 3, develop4...). Some examples:

svn co svn://svnanon.samba.org/samba/branches/SAMBA_3_0 samba-3_0
svn co svn://svnanon.samba.org/samba/branches/SAMBA_4_0 samba-4_0
svn co svn://svnanon.samba.org/samba/trunk samba-trunk

Proposed patches [toc ]

n/a

How to complile [toc]

In this example, I assume:

ldap distribution libraries are in /usr/local/etc/openldap/lib
ldap distribution includes are in /usr/local/etc/openldap/include

Step #1:
Before run the configure script you need make a copy of the ldap includes and libraries to the default places (for example, in linux /usr/include/ and /usr/lib):

cp -p /usr/local/etc/openldap/include/* /usr/include/
cp -p /usr/local/etc/openldap/lib/* /usr/lib
or the place where the libs/includes are:
<openldap_source>/configure --prefix=/usr/local/etc/openldap
as you can decide in the openldap configure step.

You need the ldap libraries (with tls support) installed in your system BEFORE compiling the samba code.

Step #2:
Compile... with the desired options (ldapsam -compat mode- is not loaded by default):

./configure --prefix=/usr/local/etc2/samba_3 --with-ldapsam
if you don't have configure script, you should generate one:
sh autogen.sh
./configure --prefix=/usr/local/etc2/samba_3 --with-ldapsam make
make install
Note:
This may be useful if the unix (linux) distribution has been recently updated on your unix-box:

rm config.log config.cache config.status

If you have any trouble, or you don't have a ./configure script, please try before:

make realclean
sh autogen.sh

then run your configure stuff.

Backward compatibility note:

If you want use the old samba 2.2 ldapsam smb.conf style you should configure with the both classic and default-new support:

--with-ldapsam : Include LDAP SAM 2.2 compatible configuration (default=no).

./configure --prefix=/usr/local/etc/samba --with-ldapsam
the flag "--with-ldapsam" provides backward compatibility:
	
if you configure with-ldapsam, you can use Samba with the old-historical schema (sambaAccount) or the new schema (sambaSamAccount), if not, by default, only the new sambaSamAccount.

Ldap server configuration slap.conf [toc]

Create/update the slapd.conf file. The order in the icluded schemas are sensitive:

------ snip ------

# This file should NOT be world readable.
#
include /usr/local/etc2/openldap_2/etc/openldap/schema/core.schema
include /usr/local/etc2/openldap_2/etc/openldap/schema/cosine.schema
# to support the RFC2307 (NIS) schema
include /usr/local/etc2/openldap_2/etc/openldap/schema/nis.schema
include /usr/local/etc2/openldap_2/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc2/openldap_2/etc/openldap/schema/samba.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
#referral ldap://arcos.cti.unav.es

pidfile /usr/local/etc2/openldap_2/var/slapd.pid
argsfile /usr/local/etc2/openldap_2/var/slapd.args

#The <hash> to use for userPassword generation. One
#of   {SSHA},   {SHA},   {SMD5},   {MD5},   {CRYPT},
#KERBEROS}, {SASL}, and {UNIX}.   The default is {SSHA}.
password-hash   {CRYPT}

#Server and CA Certificates
TLSCertificateFile      /usr/local/etc2/ssl/arcos-cert.pem
TLSCertificateKeyFile   /usr/local/etc2/ssl/arcos-key.pem
TLSCACertificateFile    /usr/local/etc2/ssl/CAcerts
#TLSCipherSuite         EXPORT56

#######################################################################
# ldbm database definitions
#######################################################################
#
#
#######################################################################
# UNAV SMB
#######################################################################
#
database        ldbm
suffix          "o=smb,dc=unav,dc=es"
rootdn          "cn=root,o=smb,dc=unav,dc=es"
rootpw          <a_very_secret_word>
directory       /usr/local/etc2/openldap_2/unav-smb-2
# # dbcachesize is required only if you use ldbm (DB Berkeley 3.x)cachesize       40000 dbcachesize     60000000 # # index           cn,sn,uid,displayName           pres,sub,eq index           uidNumber,gidNumber             eq index           sambaSID                        eq index           sambaPrimaryGroupSID            eq index           sambaDomainName                 eq index           objectClass                     pres,eq #               old 2.x samba attrs index           rid,primaryGroupID              eq # index           default                         sub

## posixGroup entries in the directory as well
# index memberUid eq

#
access to dn=".*dc=unav,dc=es"
by self write
by * read
----

Comments about the schemas [toc]

The samba-2.x comes with and old schema. The samba-3.x may use the old or the new one.
The official samba.schema is provided in the examples/LDAP directory from the source.

Remember the in the smb.conf, the passwd backend entry instruct about the schema type:
# passdb backend =ldapsam_compat requires --with-ldapsam configure AND uses 2.x samba schema# passdb backend =ldapsam do not requires --with-ldapsam configure AND uses 3.x samba schema by default

If you compiled --with--ldapsam, then you may run samba in compat (2.x schema) or in the 3.x schema mode; by default, only the samba-3.x schema is supported.

The OID and name from attributes and classes has been modified and someone are new: some mapping stuff schema are added to support dynamical user mapping (winbind) or specify the domain name or SID, the params for the algorithmic mapping, or the last rid used.

Some changes are intended to avoid name clash, like:

lmPassword --> sambaLMPassword

other like next[<User|Group>]Rid are intended to store the next rid to be used,

attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid'
attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'
attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'

or the base for algorithmic calculation of the rid<-->uid mapping in the unix side:

attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'

Samba schema 3.0.x [toc]

Copy the samba schema from {samba_dist}/exalmples/LDAP/samba.schema to {openLDAP}/schemas/samba.schema:

------ snip --------

#######################################################################
##                Attributes used by Samba 3.0 schema                ##
#######################################################################

##
## Password hashes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
        DESC 'LanManager Password'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
        DESC 'MD4 hash of the unicode password'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

##
## Account flags in string format ([UWDX     ])
##
attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags'
        DESC 'Account Flags'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )

##
## Password timestamps & policies
##
attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet'
        DESC 'Timestamp of the last password update'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange'
        DESC 'Timestamp of when the user is allowed to update the password'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange'
        DESC 'Timestamp of when the password will expire'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime'
        DESC 'Timestamp of last logon'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime'
        DESC 'Timestamp of last logoff'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime'
        DESC 'Timestamp of when the user will be logged off automatically'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'
        DESC 'Bad password attempt count'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'
        DESC 'Time of the last bad password attempt'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )


##
## string settings
##
attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive'
        DESC 'Driver letter of home directory mapping'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript'
        DESC 'Logon script path'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath'
        DESC 'Roaming profile path'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'
        DESC 'List of user workstations the user is allowed to logon to'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath'
        DESC 'Home directory UNC path'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName'
        DESC 'Windows NT domain to which the user belongs'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
        DESC ''
        EQUALITY caseExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )

##
## SID, of any type
##

attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
        DESC 'Security ID'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )


##
## Primary group SID, compatible with ntSid
##

attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'
        DESC 'Primary Group Security ID'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList'
        DESC 'Security ID List'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )

##
## group mapping attributes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType'
        DESC 'NT Group Type'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

##
## Store info on the domain
##

attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid'
        DESC 'Next NT rid to give our for users'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'
        DESC 'Next NT rid to give out for groups'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'
        DESC 'Next NT rid to give out for anything'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'
        DESC 'Base at which the samba RID generation algorithm should operate'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )


#######################################################################
##              objectClasses used by Samba 3.0 schema               ##
#######################################################################

## The X.500 data model (and therefore LDAPv3) says that each entry can
## only have one structural objectclass.  OpenLDAP 2.0 does not enforce
## this currently but will in v2.1

##
## added new objectclass (and OID) for 3.0 to help us deal with backwards
## compatibility with 2.2 installations (e.g. ldapsam_compat)  --jerry
##
objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
        DESC 'Samba 3.0 Auxilary SAM Account'
        MUST ( uid $ sambaSID )
        MAY  ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
               sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
               sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
               displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
               sambaProfilePath $ description $ sambaUserWorkstations $
               sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
               sambaBadPasswordCount $ sambaBadPasswordTime))

##
## Group mapping info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
        DESC 'Samba Group Mapping'
        MUST ( gidNumber $ sambaSID $ sambaGroupType )
        MAY  ( displayName $ description $ sambaSIDList ))

##
## Whole-of-domain info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
        DESC 'Samba Domain Information'
        MUST ( sambaDomainName $ 
               sambaSID ) 
        MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
              sambaAlgorithmicRidBase ) )

## used for idmap_ldap module
objectclass ( 1.3.6.1.4.1.7165.1.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
        DESC 'Pool for allocating UNIX uids/gids'
        MUST ( uidNumber $ gidNumber ) )


objectclass ( 1.3.6.1.4.1.7165.1.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
        DESC 'Mapping from a SID to an ID'
        MUST ( sambaSID )
        MAY ( uidNumber $ gidNumber ) )

objectclass ( 1.3.6.1.4.1.7165.1.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
        DESC 'Structural Class for a SID'
        MUST ( sambaSID ) )

------ snip --------

If you are migrating from v2 schema to v3 schema, please, read the migrating from 2.2 section.

AUXILIARY and STRUCTURAL objectClass [toc]

If you use the ldif files as porovided in this document or in the samba one with the OpenLdap 2.1.3 server, you may found your ldap server stops the import with a message similar to:

slapadd: dn="uid=071453,o=smb,dc=unav,dc=es" (line=25): no structural object classes provided

Reason from the RFCs: every database entry requires one and only one structural objectClass. If you takes a look at the ldif provided you can see something like this:

dn: uid=Administrator, o=smb, dc=unav, dc=escn: AdministratorobjectClass: sambaAccountobjectClass: posixAccountuid: Administrator ...

both of objectClass are auxiliary objects:

objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
        DESC 'Samba Auxilary Account'
        MUST ( uid $ rid )
        MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
        ...

objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY DESC 'Abstraction of an account with POSIX attributes' MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) )

and you must provide one structural object. This issue becomes with the openldap 2.1.x and the strong (and correct) schema checking. If you need a fast solution, you should add an structural object.

Several structural objectClass may be provided (person, account, etc.), but this one may be a good criterion:

From: Luke Howard <lukeh@PADL.COM>

The fact that "sn" is required is a constant annoyance. :-) It's
good to use person or a subclass thereof for compatibility with white
pages-type clients (e-mail address books, etc). The Active Directory
"User" object class is also derived from person.

Here however, it is perhaps better that the user of "person" as a
structural object class is best left to administrators. SAMBA can
just add the sambaAccount auxiliary object class to such entries.

In the case where there is no existing entry, then SAMBA should
probably use the "account" structural object class which only
requires the "uid" attribute. See section 5.3 of RFC 2307.

-- Luke

The account definition don't require any additional attribute (BTW, uid is an alias for userid):

objectclass ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL MUST userid MAY ( description $ seeAlso $ localityName $ organizationName $ organizationalUnitName $ host ) )

so, the ldif now must add an account objectClass:

dn: uid=083882, o=smb, dc=unav, dc=es objectClass: sambaAccount objectClass: posixAccount objectClass: account gecos: perez andres cn: perez andres displayName: perez andres homeDirectory: / loginShell: /dev/null uid: 073882-4 acctFlags: [UX ] smbHome: \\saco1\disco2 lmPassword: A24A7663AC487A107B9C170DE51404EE ntPassword: B8FC94FFFEE634BC974FFFEE634B81F9 logoffTime: 2147483647 logonTime: 0 kickoffTime: 2147483647 pwdLastSet: 1012401967 pwdCanChange: 0 pwdMustChange: 2147483647 rid: 23662 primaryGroupID: 1403 uidNumber: 11331 gidNumber: 201

Ldap basic entries (also with posixAccount) [toc]

In the [SAMBA_3_0] and [HEAD] only a few basic entries are required: nobody and administrator BUT an account with uidNumber=0 (root or administrator) MUST be present if you need add XP/W2K ws. The reason: an administrative account is demanded in the ws side in the join process, and that account must have a uidNumber=0 in the unix world.

Remember that in the ldapsam backend the rid mapping is algorthmic based:
rid='2*uidNumber+1000'
and
primaryGroup='2*gidNumber+1000+1'

The root/administrator (uidNumber=0) SHOULD be present in the NT's Admins group (rid=512).

Notes:
Samba now copes much better with 'default' attributes - so we don't need a lmPassword or an ntPassword, and it won't add them unless there really is a password set there. You should not set the 'N' (no password required) for the nobody account, as then there would be 'authenticated' access as guest, rather than 'guest' access. This is important with regard to 'guest ok' and the like.(Andrew Bartlett)

The <nt|lm>Password in the Administrator account may be set initially to anything, but MUST be setwith smbpasswd or a similar tool as soon as possible. In the example the Administrator's <lm|nt>passwd are figured.

Create basic ldap records; keep in mind that if you are using LDAP, you MUST add some of these accounts in the ldap database:

Domain Admins
Domain Users
Domain Guests

with the ldapadd, add these 3 records; note that gidnumber and uidnumber must be the same that in /etc/passwd and /etc/group files:

--------- snip -------------
dn: o=smb,dc=unav,dc=es o: smb objectClass: organization dn: ou=groups,o=smb,dc=unav,dc=es objectClass: organizationalUnit ou: groups dn: sambaDomainName=CTI-SMB-DEV-A,o=smb,dc=unav,dc=es objectClass: sambaDomain sambaDomainName: CTI-SMB-DEV-A sambaNextGroupRid: 90000 sambaNextUserRid: 90000 sambaSID: S-1-5-21-298858960-1863792627-3661451959 sambaNextRid: 90000 sambaAlgorithmicRidBase: 2000 dn: uid=root,o=smb,dc=unav,dc=es uid: root sambaSID: S-1-5-21-2656270644-2771678393-2525940785-500 sambaPrimaryGroupSID: S-1-5-21-2656270644-2771678393-2525940785-512 displayName: root sambaAcctFlags: [U ] objectClass: account objectClass: sambaSamAccount sambaPwdCanChange: 1092042993 sambaPwdMustChange: 1093857393 sambaLMPassword: 76A3FC60A3BD71347CA65F36030673DD sambaNTPassword: 6417743473EDE7C479846482F4CC21AA sambaPwdLastSet: 1092042993 dn: cn=Domain Admins,ou=groups,o=smb,dc=unav,dc=es objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 512 cn: Domain Admins memberUid: root description: Netbios Domain Administrators sambaSID: S-1-5-21-298858960-1863792627-3661451959-512 sambaGroupType: 2 displayName: Domain Admins dn: cn=Domain Users,ou=groups,o=smb,dc=unav,dc=es objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 513 cn: Domain Users description: Netbios Domain Users sambaSID: S-1-5-21-298858960-1863792627-3661451959-513 sambaGroupType: 2 displayName: Domain Users dn: cn=Domain Guests,ou=groups,o=smb,dc=unav,dc=es objectClass: posixGroup objectClass: sambaGroupMapping gidNumber: 514 cn: Domain Guests description: Netbios Domain Guests Users sambaSID: S-1-5-21-298858960-1863792627-3661451959-514 sambaGroupType: 2 displayName: Domain Guests dn: uid=nobody,o=smb,dc=unav,dc=es objectClass: account objectClass: sambaSamAccount uid: nobody sambaPwdLastSet: 1026225030 sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 sambaPwdMustChange: 2147483647 displayName: Nobody cn: Nobody sambaSID: S-1-5-21-298858960-1863792627-3661451959-501 sambaPrimaryGroupSID: S-1-5-21-298858960-1863792627-3661451959-514 sambaAcctFlags: [UX ]

---------- snip ----------------

If you need posix account attributes in your accounts (i.e. pam/nsswitchaccounting) you can add the posixAccount attrs/objectClasses like this:

-------- snip -------------
dn: uid=Administrator, o=smb, dc=unav, dc=es
objectClass: account
objectClass: sambaSamAccount
objectClass: posixAccount
gecos: Samba Admin
homeDirectory: /
loginShell: /dev/null
uidNumber: 506
gidNumber: 0
uid: Administrator
sambaPwdLastSet: 1042526918
sambaLogonTime: 0
sambaLogoffTime: 0
sambaKickoffTime: 0
sambaPwdCanChange: 0
sambaPwdMustChange: 0
displayName: Administrator
cn: Administrator
sambaHomePath: \\%N\
sambaHomeDrive: U:
sambaProfilePath: \\%N\\profile
sambaSID: S-1-5-21-2656270644-2771678393-2525940785-500
sambaPrimaryGroupSID: S-1-5-21-2656270644-2771678393-2525940785-512
sambaLMPassword: 7DDDDD60A3BD71AAAAA65F36030673DD
sambaNTPassword: 6417743DD60A3BD71AAAAA82F4CC21AA
sambaAcctFlags: [UX         ]

dn: uid=nobody,o=smb, dc=unav, dc=es
objectClass: account
objectClass: sambaSamAccount
objectClass: posixAccount
uid: nobody
sambaPwdLastSet: 1026225030
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: Nobody
cn: Nobody
sambaSID: S-1-5-21-2656270644-2771678393-2525940785-501
sambaPrimaryGroupSID: S-1-5-21-2656270644-2771678393-2525940785-514
gecos: Nobody or Guest
homeDirectory: /
loginShell: /dev/null
uidNumber: 99
gidNumber: 99
sambaAcctFlags: [UX         ]

dn: uid=root,o=smb,dc=unav,dc=es
uid: root
sambaSID: S-1-5-21-2656270644-2771678393-2525940785-1000
sambaPrimaryGroupSID: S-1-5-21-2656270644-2771678393-2525940785-1001
displayName: root
sambaPwdCanChange: 1056998752
sambaPwdMustChange: 1058813152
sambaLMPassword: 180887AAAABBBBCCCDDDA26A841A86FA
sambaNTPassword: 069CCCDDDA26A8453887AAAABDDD3C48
sambaPwdLastSet: 1056998752
sambaAcctFlags: [U          ]
objectClass: account
objectClass: sambaSamAccount
objectClass: account
# take care about the security implications derived from here
objectClass: posixAccounthomeDirectory: /rootloginShell: /dev/bash gecos: Admin uidNumber: 0 gidNumber: 0 userPassword:: gtNABCDUfTFhOS5OOEowcm9pXWc=--------- snip ----------

Notes:

In the case of posixAccount ldif file, you must supply your unix uid/gid Number for nobody and Administrator.
Remember that if you need join a XP to the domain, an uidNumber=0 account is ALSO required (ie Administrator or root accounts).
To add new accounts (users or workstations) you can use the smbpasswd utility. There are complete new interface for manage accounts... comes soon.

Windows XP and W2K requirements [toc]

The Windows XP (and probably the W2K) requires set an special registry entry to "0" (by default is set to "1"). This is documented in the samba/docs/Registry/WinXP_SignOrSeal.reg :

---
;
; This registry key (gathered from the Samba-tng lists) is needed
; for a Windows XP client to join and logon to a Samba domain
;
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogon\parameters
"RequireSignOrSeal"=dword:00000000

---

As an alternative, Luke Howard <lukeh@PADL.COM> (9 Nov 2001), tell me:
I noticed today that you can change this in the Local or Domain
policy editor in Windows 2000, too.
so, this should be the normal way:

Local Security Settings
    Local Policies
    Security Options
        Domain member: Digitally encript ot sign secure channel data (always) -> DISABLE

Remember that you must provide an uidNumber=0 account when a W2K/XP joins to a domain.
If you change the registry entries, remember that several "CurrentControlSet\Services*\" may be present, and you should change all, or set (better) the policy that replaces all the entries with "0".

Builtin accounts [toc]

This section is now implemented internally in the Samba server side in the secrets.tdb database.
If you are using LDAP, you MUST add some of these accounts in the ldap database:

Domain Admins
Domain Users
Domain Guests

So if you are in a hurry, you can skip this section but may be useful if you need a bit of SID/RID background.

The RID and SID stuff follows docs/textdocs/cifsntdomain.txt (A2) :

A2) SIDs and RIDs
-----------------
SIDs and RIDs are well documented elsewhere.
A SID is an NT Security ID (see DOM_SID structure). They are of the form:
        S-revision-NN-SubAuth1-SubAuth2-SubAuth3...
        S-revision-0xNNNNNNNNNNNN-SubAuth1-SubAuth2-SubAuth3...

currently, the SID revision is 1.
The Sub-Authorities are known as Relative IDs (RIDs).

A2.1) Well-known SIDs
---------------------

A2.1.1) Universal well-known SIDs
---------------------------------
        Null SID                     S-1-0-0
        World                        S-1-1-0
        Local                        S-1-2-0
        Creator Owner ID             S-1-3-0
        Creator Group ID             S-1-3-1
        Creator Owner Server ID      S-1-3-2
        Creator Group Server ID      S-1-3-3
        (Non-unique IDs)             S-1-4

A2.1.2) NT well-known SIDs
--------------------------

        NT Authority          S-1-5
        Dialup                S-1-5-1

        Network              S-1-5-2
        Batch                 S-1-5-3
        Interactive           S-1-5-4
        Service               S-1-5-6
        AnonymousLogon        S-1-5-7       (aka null logon session)
        Proxy                 S-1-5-8
        ServerLogon           S-1-5-8       (aka domain controller account)
        (Logon IDs)           S-1-5-5-X-Y
        (NT non-unique IDs)   S-1-5-0x15-...
        (Built-in domain)     s-1-5-0x20

A2.2) Well-known RIDS
---------------------

A RID is a sub-authority value, as part of either a SID, or in the case
of Group RIDs, part of the DOM_GID structure, in the USER_INFO_1
structure, in the LSA SAM Logon response.

A2.2.1) Well-known RID users
----------------------------
        DOMAIN_USER_RID_ADMIN          0x0000 01F4
        DOMAIN_USER_RID_GUEST          0x0000 01F5

A2.2.2) Well-known RID groups
----------------------------
        DOMAIN_GROUP_RID_ADMINS        0x0000 0200
        DOMAIN_GROUP_RID_USERS         0x0000 0201
        DOMAIN_GROUP_RID_GUESTS        0x0000 0202

A2.2.3) Well-known RID aliases
------------------------------
        DOMAIN_ALIAS_RID_ADMINS        0x0000 0220
        DOMAIN_ALIAS_RID_USERS         0x0000 0221
        DOMAIN_ALIAS_RID_GUESTS        0x0000 0222
        DOMAIN_ALIAS_RID_POWER_USERS   0x0000 0223

        DOMAIN_ALIAS_RID_ACCOUNT_OPS   0x0000 0224
        DOMAIN_ALIAS_RID_SYSTEM_OPS    0x0000 0225
        DOMAIN_ALIAS_RID_PRINT_OPS     0x0000 0226
        DOMAIN_ALIAS_RID_BACKUP_OPS    0x0000 0227

        DOMAIN_ALIAS_RID_REPLICATOR    0x0000 0228

Group mapping [toc]

All this section must be rewritten based on bin/net util:

NEW STUFF

Firs of all: you MUST have the posix groups in LDAP. Sounds strong, but is required. The group maping requires that the original group have an objectClass posixGroup or sambaIdMapEntry in LDAP:

"(& (|(objectClass=posixGroup)(objectClass=sambaIdmapEntry)) (gidNumber=0))"

So, is strongly recomended the use of the nsswitch/pam_ldap stuff.

Mandatory Samba internal groups:

When the passdb backend uses LDAP (ldapsam) it is the admininstrators’
responsibility to create the essential Domain Groups, and to assign each its
default RID.

You sould obtain some like this (at least):

root# net groupmap list
Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin
Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser
Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest

You can add the mandatory Samba internals with a ldif like this (take care: the SID mustbe your domain's SID):

------------------ BOF ------------------------------
dn: cn=Domain Admins,ou=groups,o=smb,dc=unav,dc=es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-298858960-1863792627-3661451959-512
sambaGroupType: 2
displayName: Domain Admins

dn: cn=Domain Users,ou=groups,o=smb,dc=unav,dc=es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-298858960-1863792627-3661451959-513
sambaGroupType: 2
displayName: Domain Users

dn: cn=Domain Guests,ou=groups,o=smb,dc=unav,dc=es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-298858960-1863792627-3661451959-514
sambaGroupType: 2
displayName: Domain Guests
-------------------- EOF -------------------------------

The "net" family commands may ask for a root passwd. This passwd is for the "root" sambaAccount that must be present in the ldap (the LDAP rootdn is another thing). Remember that the passwd may be set with the bin/smbpasswd utility.

To manage group-maps:

bin/net help groupmap

net groupmap add
Create a new group mapping
net groupmap modify
Update a group mapping
net groupmap delete
Remove a group mapping
net groupmap list
List current group map

You can create a map between posix and Windows groups from /etc/group . Also, the groups may be located in the LDAP with posixGroup objects;nsswitch manage the group' source ( /etc/group or ldap or both):

group: files ldap

The posixGroup's schema is:

##objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top STRUCTURAL DESC 'Abstraction of a group of accounts' MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description )

The sambaGroupMapping schema is:

## Group mapping info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
        DESC 'Samba Group Mapping'
        MUST ( gidNumber $ sambaSID $ sambaGroupType )
        MAY ( displayName $ description ))

You may provide some unix groups in the /etc/group or you may use this ldif example for populate the unix(posix)Groups in LDAP if you plans redirect the nsswitch to ldap:

-----------------------------------------------------

dn: cn=nobody, o=smb, dc=unav, dc=es
objectClass: posixGroup
gidNumber: 99
cn: nobody

dn: cn=smbusers, o=smb, dc=unav, dc=es
objectClass: posixGroup
gidNumber: 200
cn: smbusers
memberUid: alumno,alumno1,alumno2

dn: cn=admins, o=smb, dc=unav, dc=es
objectClass: posixGroup
gidNumber: 0
cn: admins

----------------------------------------------------------

The "groupmap <add|modify>" uses these parameters:

    {rid=<int>|sid=<string>}
    unixgroup=<string>
    [type=<domain|local|builtin>]
    [ntgroup=<string>]
    [comment=<string>]

the "type" (stored in the LDAP as an integer) maps one of the SID types:

/* SID Types */
enum SID_NAME_USE
{
        SID_NAME_USE_NONE = 0,/* NOTUSED */
        SID_NAME_USER    = 1, /* user */
        SID_NAME_DOM_GRP = 2, /* domain group */
        SID_NAME_DOMAIN = 3, /* domain: don't know what this is */
        SID_NAME_ALIAS   = 4, /* local group */
        SID_NAME_WKN_GRP = 5, /* well-known group */
        SID_NAME_DELETED = 6, /* deleted account: needed for c2 rating */
        SID_NAME_INVALID = 7, /* invalid account */
        SID_NAME_UNKNOWN = 8 /* oops. */
};

you can set the RID/SID as:
    SID: <local_SID>+RID
    RID: from <well_know_RIDS>
        OR from the sambaAccount rid attribute
        OR samba may set one RID on the fly with the "algorithmic base" and "enable rid algorithm" params.

and you can fetch the local_SID with "bin/net getlocalsid"

FIX: explain the relationship between main posixGroup and RID mappings vs enumerate posixGroups before use the mapping in the windows side...

Some examples:

get the local SID:
bin/net getlocalsid
SID for domain BILBO is: S-1-5-21-298858960-1863792627-3661451959

the "Domain Admins" RID is 512, then:

bin/net groupmap add sid=S-1-5-21-298858960-1863792627-3661451959-512 unixgroup=root type=domain
Successully added group admins to the mapping db

please replace <S-1-5-21-298858960-1863792627-3661451959> with YOUR LOCAL SID.

and with a know,internal-predefined, SID like nobody (guest):

bin/net groupmap add sid=S-1-5-32-546 unixgroup=nobody
Successully added group nobody to the mapping db

a listing:

    bin/net groupmap list
        nobody (S-1-5-32-546) -> nobody
        prn1 (S-1-5-32-545) -> prn1
        admins (S-1-5-21-298858960-1863792627-3661451959-512) -> admins

After this, you can see the changes from the ldap:

../../bin/ldapsearch -H "ldap://bilbo.cti.unav.es/" -LLL -ZZ -D "cn=root,dc=unav,dc=es" -W -b "o=smb,dc=unav,dc=es" "(objectClass=sambaGroupMapping)"
---------------------------------------

dn: cn=nobody, o=smb, dc=unav, dc=es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 99
cn: nobody
ntSid: S-1-5-32-546
ntGroupType: 2
displayName: nobody

dn: cn=admins, o=smb, dc=unav, dc=es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 0
cn: admins
memberUid: Administrator,icoupeau,liglesia
ntSid: S-1-5-21-298858960-1863792627-3661451959-512
ntGroupType: 2
displayName: admins

----------------------------

Some examples with the mandatory internal groups and well-know-rids:

bin/net groupmap add rid=514 ntgroup="Domain Guests" unixgroup=nobody
bin/net groupmap add rid=513 ntgroup="Domain Users" unixgroup=users
bin/net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=admins

Configuring smb server [toc]

to be fixed
Note: If you configure in the classic 2.2 style (ldapsam_compat), the smb.conf file should be the 2.2.x version.

This section shows a configuration file for start the samba server using an ldap server as security database. If you needs (recomended) a secure channel between the samba server and the ldap server, you must set also the ssl options.

Modify the smb.conf file for your site:

------ snip ------
#       CTI, Universidad de Navarra
#       Ignacio Coupeau 001011.01;
#
[global] # LDAPsam updates (abartlet): #    - Now runtime selectable (when configured) #    - ldap user suffix and ldap group suffix support. #    - non unix account support #    - select with 'passdb backend = ldapsam' or 'passdb backend = ldapsam_nua' #    - from smb.conf(5) #       o   ldapsam - The LDAP based passdb backend.
#           Takes an LDAP URL as an optional argument (defaults to ldap://localhost)
#           Example: passdb backend = ldapsam:ldaps://ldap.example.com
#
#       o   ldapsam_nua - The LDAP based passdb backend, with non unix account support.
#           Takes an LDAP URL as an optional argument (defaults to ldap://localhost)
#               Example: passdb backend = ldapsam_nua:ldaps://ldap.example.com
#
#       o and the nua mapping for ldapsam_nua:
#               Default: non unix account range = <empty string>
#               Example: non unix account range = 10000-20000
# # ldap filter = (&(uid=%u)(objectclass=sambaAccount))

# passdb backend = ldapsam_compat requires --with-ldapsam configure AND uses 2.x samba schema# passdb backend = ldapsam do not requires --with-ldapsam configure AND uses 3.x samba schema #passdb backend = ldapsam_compat:ldap://arcos.cti.unav.es/ldap suffix = o=smb,dc=unav,dc=es
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap admin dn = "cn=root,o=smb,dc=unav,dc=es"# # the ldap admin dn password is stored in secrets.tdb # and is set using "smbpasswd -w passphrase". It is no # longer stored in the smb.conf file. # # start tls by default #ldap ssl = No #ldap ssl = Yes ldap ssl = start tls

# comes with 3.0.2 # ldap replication sleep = 1000 # value specified in milliseconds: is a grace time for read after update the master ldap # take care: don't check that the update form master to slave are performed.

# smbpasswd -x delete the entire dn-entry
ldap delete dn = no

workgroup = CTI-SMB-3
netbios name = arcos
comment = Linux RedHat Samba Server
security = user
null passwords = Yes
encrypt passwords = yes

logon drive = U:
logon path = \\%N\profiles\%g

domain master = yes
domain logons = yes
preferred master = yes
os level = 255

# we have other wins server (samba, of course)
#wins support = yes
wins support = no
wins proxy = no
wins server = 159.237.12.25

log file = /usr/local/etc2/samba_2_2/logs
public = No
browseable = No
writable = No

; necessary share for domain controller
[netlogon]
path = /usr/local/etc2/samba_2_2/netlogon
locking = no
read only = yes
write list = ntadmin

; share for storing user profiles
[profiles]
path = /usr/local/etc2/samba2_2/profiles
read only = no
writeable = yes
create mask = 0600
directory mask = 0700

--------- eof -----------

Note about LDAP-smb.conf params:

The path values you have in the smb.conf file (logon script, logon drive, the profile logon path , etc.), may be overruns by the particular values stored into a ldap (or so I understant today -2002/01/03- to Gerald Carter).

A note about charsets (internationalization) [toc ]

Copied from the 3.0a whatisnew:

Unicode support. Samba will now negotiate unicode on the wire and interally there is now a much better infrastructure for multi-byte and unicode character sets. You may need the "dos charset", "unix charset" and "display charset" options. The unicode support is not yet documented.

My personal experience is that in spanish a file name with diacritics (as Menú inicio) may cause a lot of troubles (for example, loading the roaming profile tree ) if you don't specify in the smb.conf file some like:

unix charset = "CP850"

Date: Tue, 22 Oct 2002 16:32:10 -0500
From: Steve Langasek <vorlon@netexpress.net>

Steve Langasek tell me that although "unix charset = CP850" may be useful for Samba 2.2 compatibility under some circumstances, in the unix side the filenames should be in a native charset as ISO-8859-15 o UTF-8.

This scrip from Steve may be useful for filename conversions in the unix side:

find /path/to/share -type f -exec bash -c 'CP="{}"; ISO=`echo -n "$CP" | iconv -f cp850 \
-t iso8859-15`; if [ "$CP" != "$ISO" ]; then mv "$CP" "$ISO"; fi' \;


This modification runs well, the previous, not (at least for me):

-----------------------------------------------
cd <profile_share>/<the_profile_to_change>

find . -type d -exec bash -c
'CP="{}"; ISO=`echo -n "$CP" | iconv -f cp850 \-t iso8859-1`; if [
"$CP" != "$ISO" ]; then echo "mkdir"  \"$ISO\"; fi' \; > dirs

find . -type f -exec bash -c
'CP="{}"; ISO=`echo -n "$CP" | iconv -f cp850 \-t iso8859-1`; if [
"$CP" != "$ISO" ]; then echo "cp -p" \"$CP\" \"$ISO\"; fi' \; > files

sh dirs
sh files
rm -rf <the_old_profile_tree>
----------------------------------------------

Configuring smb server with ssl or tls [toc ]

Note: ssl and tls are not the same; ldaps:// and start_tls are different mechanisms.

For the secure stuff you need modify the smb.conf file from the previous section in one of these two scenarios:

ldaps: ldap+ssl(tls) connects to one secure port(default 636)
This example asumes you're running a ldaps (secure) server in the port 9003. The default ldap port is the 389and the default ldaps port is the 636.

openldap_2/libexec/slapd -f slapd-3.conf -h "ldaps://arcos.cti.unav.es:9003/" -l LOCAL4
[global]
#
# the secure port default 636
ldap port = 636 #
ldap ssl = yes
#
# passdb backend = ldapsam_compat requires --with-ldapsam configure AND uses 2.x samba schema# passdb backend = ldapsam do not requires --with-ldapsam configure AND uses 3.x samba schema #passdb backend = ldapsam_compat:ldap://arcos.cti.unav.es/ldap suffix = o=smb,dc=unav,dc=es
#ldap user suffix = ou=People #ldap group suffix = ou=Groups #ldap machine suffix = ou=Computers
ldap admin dn = "cn=root,o=smb,dc=unav,dc=es"
# smbpasswd -x delete the entire dn-entry
ldap delete dn = no
ldap+start_tls starts always in the standard port (don't use the 636); the start_tls switches the secure/unsecure stream on fly.

This example asumes you're running a ldap server with support for TLS (secure) in the standard port. The standard ldap portis the 389 and for me, this runs:

openldap_2/libexec/slapd -f slapd-3.conf -h "ldap://arcos.cti.unav.es/" -l LOCAL4
[global]
#
# the secure port default 636, but START_TLS don't use it at all
ldap port = 389 # (off | start tls | on (default)) ldap ssl = start tls
#
# passdb backend = ldapsam_compat requires --with-ldapsam configure AND uses 2.x samba schema# passdb backend = ldapsam do not requires --with-ldapsam configure AND uses 3.x samba schema #passdb backend = ldapsam_compat:ldap://arcos.cti.unav.es/ldap suffix = o=smb,dc=unav,dc=es
#ldap user suffix = ou=People #ldap group suffix = ou=Groups #ldap machine suffix = ou=Computers
ldap admin dn = "cn=root,o=smb,dc=unav,dc=es"
# smbpasswd -x delete the entire dn-entry
ldap delete dn = no

You can read an explanation about TLS from the OpenLDAP team or in the RFC2830

A note about charsets [toc ]

Copied from the 3.0a whatisnew:

Unicode support Samba will now negotiate unicode on the wire and interally there is now a much better infrastructure for multi-byte and unicode character sets. You may need the "dos charset", "unix charset" and "display charset" options. The unicode support is not yet documented.

For example, in spanish, a file name with diacritics as "Menú inicio" may cause a lot of troubles loading the roaming profile if you don't specify in the smb.conf file some like:

unix charset = "CP850"

Setting the admin_dn password with smbpasswd [ toc ]

The ldap rootdn in the slapd.conf file contains a line like:

rootpw <a_very_secret_word>

and the smb.conf file contains a line like:

ldap admin dn = "cn=root, o=smb, dc=your, dc=es"

you must set the ldap's admin user (admin dn) password with the new option -w :

./bin/smbpasswd -w <a_very_secret_word>

Note that we are using "root" as"admin dn",but you can use other privileged account.

Migrating from samba+ldap old versions to 3.x [ toc ]

The ldap rootdn in the slapd.conf file varies, mainly the ldap section.
In some of the old versions the MACHINE.SID was called in several fashions but if you want maintain the old SID -and a change in the SID put all the workstations out of the domain-, you should rename the old <your_old_domain_name>.SID file to MACHINE.SIDand maintain a copy for a while.
If you want to export and old ldap base to the new (some attrs, syntaxes has been changed) a c program I wrote may help.

Migrating from the old schema to new samba_3 schema (030515):

The script convertSambaAccount (perl with Net::LDAP::LDIF) from Jerry Carter may helps a lot in the migration from 2.x to 3.0, or you may run the samba in ldapsam_compat (2.x) mode.

But also, in a hurry or if you hate the perl modules, you can use this *fast* awk script:

more ldif2samAcount.akw
-----------------
BEGIN { 
        FS = ": " 
        SID = "S-1-5-21-2656270644-2771678393-2525940785" }
{
        if ($1=="rid") {print "sambaSID: "SID"-"$2}

        else if ($2=="sambaAccount") {print "objectClass: sambaSamAccount"}
        else if ($1=="ntSid") {print "sambaSID: "$2}
        else if ($1=="ntGroupType") {print "sambaGroupType: "$2}
        else if ($1=="primaryGroupID") {print "sambaPrimaryGroupSID: "SID"-"$2}
        else if ($1=="lmPassword") {print "sambaLMPassword: "$2}
        else if ($1=="ntPassword") {print "sambaNTPassword: "$2}
        else if ($1=="pwdLastSet") {print "sambaPwdLastSet: "$2}
        else if ($1=="pwdMustChange") {print "sambaPwdMustChange: "$2}
        else if ($1=="pwdCanChange") {print "sambaPwdCanChange: "$2}
        else if ($1=="homeDrive") {print "sambaHomeDrive: "$2}
        else if ($1=="smbHome") {print "sambaHomePath: "$2}
        else if ($1=="scriptPath") {print "sambaLogonScript: "$2}
        else if ($1=="profilePath") {print "sambaProfilePath: "$2}
        else if ($1=="kickoffTime") {print "sambaKickoffTime: "$2}
        else if ($1=="logonTime") {print "sambaLogonTime: "$2}
        else if ($1=="logoffTime") {print "sambaLogoffTime: "$2}
        else if ($1=="userWorkstations") {print "sambaUserWorkstations: "$2}
        else if ($1=="domain") {print "sambaDomainName: "$2}
        else if ($1=="acctFlags") {print "sambaAcctFlags: "$2}

        else {print $_}
}
-----------------------------

example:

./slapcat -f slapd-3.conf -b "o=smb,dc=unav,dc=es" -l smb-ldif-3-030515
awk -f ldif2samAcount.akw smb-ldif-030515 > smb-ldif-030515-v3
./slapadd -f slapd-3.conf -b "o=smb,dc=unav,dc=es" -l smb-ldif-030515-V3

Please, don't forget replace your personal SID.

to obtain your SID:
	bin/net getlocalsid

Starting (an stopping) the samba server [ toc]

You can use the standard way:

start: /etc/rc.d/init.d/smb start
stop: /etc/rc.d/init.d/smb stop

but, keep in mind that some linux comes with samba distributions and you need fix the path or you can waste a lot of time testing other samba.
This script should contain the new sbin path from your samba home (the older was bin/smbd bin/nmbd):

#!/bin/sh
#
# chkconfig: - 91 35
# description: Starts and stops the Samba smbd and nmbd daemons \
# used to provide SMB network services.

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

# Check that smb.conf exists.
[ -f /usr/local/etc2/samba_2_2/lib/smb.conf ] || exit 0

RETVAL=0

# See how we were called.
case "$1" in
start)
        echo -n "Starting SMB services: "
        /usr/local/etc2/samba_2_2/sbin/smbd -D -d 3
        RETVAL=$?
        echo
        echo -n "Starting NMB services: "
        /usr/local/etc2/samba_2_2/sbin/nmbd -D -d 3
        RETVAL2=$?
        echo
        [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 ] && touch /var/lock/subsys/smb || \
           RETVAL=1
        ;;
stop)
        echo -n "Shutting down SMB services: "
        killproc smbd
        RETVAL=$?
        echo
        echo -n "Shutting down NMB services: "
        killproc nmbd
        RETVAL2=$?
        [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 ] && rm -f /var/lock/subsys/smb
        echo ""
        ;;
restart)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
reload)
        echo -n "Reloading smb.conf file: "
        killproc -HUP smbd
        RETVAL=$?
        echo
        ;;
status)
        status smbd
        status nmbd
        RETVAL=$?
        ;;
*)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
esac

exit $RETVAL

Adding accounts with smbpasswd [toc]

Now, with the new year, the smbpasswd makes all the ldap stuff for you, from the scratch. Run the ./bin/smbpasswd to add new entries (ws or people),... of course, you need the /etc/passwdand/etc/groups (or equivalent files) contains the accounts and groups....

users ./bin/smbpasswd -a <user> -D 256

workstations ./bin/smbpasswd -m -a <ws_name>$ -D 256

the -D provides debug; is a '-D' not a '-d' that makes the account disable...

Example for (-a )dd a new (-m)achine named icb$ with debug (-D ) set to 256:

./bin/smbpasswd -m -a icb$ -D 256

After this, you can browse (ldapsearch) the filled accounts, for example for icb$ ws:

../../bin/ldapsearch -LL -H "ldap://arcos/" -b "o=smb,dc=unav,dc=es" "uid=icb$"

--
dn: uid=icb$, o=smb, dc=unav, dc=es
objectClass: sambaAccount
uid: icb$
pwdLastSet: 0
logonTime: 0
logoffTime: 2147483647
kickoffTime: 2147483647
pwdCanChange: 0
pwdMustChange: 2147483647
displayName: desarrollo-WS
cn: desarrollo-WS
rid: 2054
primaryGroupID: 1201
lmPassword: 90D589A3C45BBED3482E8119C1D9E106
ntPassword: 90D589A3C45BBED3482E8119C1D9E106
acctFlags: [W ]
--

Note:
logoffTime: 2147483647 (seconds from 1970)implies that the account expires in the year 1970+68 = 2038 ;-)

Refine the ldap account entries [toc ]

With ldapmodify, you can add/replace some attributes as the "homeDrive",
"script" and "profile"...

You need only specify the relative "logon script" name (in this example
037148.bat); this scrip will be searched in the [netlogon] share.

For our classrooms I found the "pwdMustChange: 0" very useful,
because overrides the dialog box for passwd replacement in the first logon.

mods.ldif file:
------- snip-----------
dn: uid=037148, o=smb, dc=unav, dc=es
changetype: modify
replace: profilePath
profilePath: \\%N\profiles\prn2
-
replace: scripthPath
scripthPath: 037148.bat
-
replace: homeDrive
homeDrive: U:
-
replace: pwdCanChange
pwdCanChange: 1
-
replace: pwdMustChange
pwdMustChange: 0
-
replace: primaryGroupID
primaryGroupID: 513
-

------EOF------

and the command:
<openldapHome>/bin/ldapmodify -d 256 -H "ldap://<server:port>/" -D "<admin_DN>" -W -f mods-ldif
do the rest for you.

Joining workstations (NT, W2K, XP) to the Samba domain [toc]

Basically you need cover these steps to add (join) a windows NT/W2K/XP to the domain:

in the PDC samba server create an account for the machine
one entry in the /etc/passwd or equivalent (nsswitch...) for the machine_name$-ended
one basic entry in the ldap previous to call to the smbpasswd
one full entry in the ldapwithsmbpasswd -a -m <machine_name>$
in the MS workstation, if is a XP or W2K you need set in the registry: RequireSignOrSeal to "0"
in the MS workstation you need join to the domain ASAP via:

NT control pannel-> Network |Identification | Domain/Change domain

W2K/XP myPC-> System properties|Computer name| Domain/Change domain

More info at Samba-Howto-collection.

A complex and real example: several domains(PDC), several share servers (no PDC), two ldap (master/slave) servers [toc]

Need update!!
This example assume that you have several PDC, several shares distributed on several two Samba servers, and two (or more) LDAP synchronized servers. Please, don't forget replace the subfix "o=smb,dc=unav,dc=es" by the yours ;-)

Scenario

2 PDC compiled with LDAP support. In the real life we have 8 PDC Pentium 400/SCSI 2940/256MB RAM. The +128MB are essential for classrooms with 50-60 NT ws.
2 LDAP servers: master (ldap-smb1) and slave (ldap-smb2) syncronized with slurpd running in the master.The synchronization grants the consistency between master/slave(s) databases. For 420 ws, we have 2 HP E800 Netserver 2x400MHz/SCSI/512MB RAM, but with very low workload... a 400MHZ may be run. I strong recomed you a second LDAP for redundance.
2 Samba servers with the user data (the shares). In the real life, we have 4 disk servers HP LC3 with two processors.

The process

At login time, the user send the credentials (user:passwd) to the PDC from the NT's login window; if they're OK, then the PDC grants the access to the NT-WS, sent the profile and other params to the NT: smbhome, pwd*, *id, etc.
In the second stage, the NT-WS connects to the samba pointed by smbhome, sent - again - the credentials and the samba server mount the share if the credentials are OK.

The phrase "if the credentials are OK" can be expanded in "the PDC (or the Samba server) ask to the LDAP server if the credentials are OK; if so, then update the record and returns; if not, returns false".
As you can see in the ldif-user's record, the profile is fetched from the PDC server (\\L%\profiles\<a_profile>) look at PDC's smb.conf files). Also, you can specify a particular profile path in the ldap.
The smbhome points to the another samba server with the share.

PDC's configuration files

# CTI, Universidad de Navarra # Ignacio Coupeau 020814# [global] ldap suffix = "o=smb, dc=unav, dc=es" ldap server = trancos.cti.unav.es saruman.cti.unav.es ldap admin dn = "cn=root,o=smb,dc=unav,dc=es" ldap port = 389 ldap ssl = start tls workgroup = CTI-SMB-D1 netbios name = pdc2 comment = Linux RedHat Samba Server security = user null passwords = Yes encrypt passwords = yes logon drive = U: logon path = \\%L\profiles\%g domain logons = yes domain master = yes local master = yes preferred master = yes os level = 255 wins support = yes time offset = 60 time server = True log file = /usr/local/etc2/samba_2_2/logs public = No browseable = No writable = No [netlogon] path = /usr/local/etc2/samba_2_2/netlogon locking = no writeable = no guest ok = no browseable = yes [profiles] path = /usr/local/etc2/samba_2_2/profiles writeable = yes guest ok = yes browseable = yes create mode = 0777 # CTI, Universidad de Navarra # Ignacio Coupeau 020814 # [global] ldap suffix = "o=smb, dc=unav, dc=es" ldap server = trancos.cti.unav.es saruman.cti.unav.es ldap admin dn = "cn=root,o=smb,dc=unav,dc=es" ldap port = 389 ldap ssl = start tls workgroup = CTI-SMB-D1 netbios name = pdc1 comment = Linux RedHat Samba Server security = user null passwords = Yes encrypt passwords = yes logon drive = U: logon path = \\%L\profiles\%g domain logons = yes domain master = yes local master = yes preferred master = yes os level = 255 wins support = yes time offset = 60 time server = True log file = /usr/local/etc2/samba_2_2/logs public = No browseable = No writable = No [netlogon] path = /usr/local/etc2/samba_2_2/netlogon locking = no writeable = no guest ok = no browseable = yes [profiles] path = /usr/local/etc2/samba_2_2/profiles writeable = yes guest ok = yes browseable = yes create mode = 0777

LDAP's configuration files

You need a strong background in the ldap (slapd, slurpd and slapd.conf) proceedings. The documentation about the replication of LDAP directories are poor.

Also, you MUST provide an user for replication. In this example I assume tha an user "cn=replicator,o=smb,dc=unav,dc=es"with passwd: <an_other_secret> exists in the ldap databaseprevious to the first replication. Look a the bold lines:

#       master LDAP configuration file
#       CTI, Universidad de Navarra #       Ignacio Coupeau 020910 # # This file should NOT be world readable. # include /usr/local/etc2/openldap_2/etc/openldap/schema/core.schema include /usr/local/etc2/openldap_2/etc/openldap/schema/cosine.schema include /usr/local/etc2/openldap_2/etc/openldap/schema/nis.schema include /usr/local/etc2/openldap_2/etc/openldap/schema/inetorgperson.schema include /usr/local/etc2/openldap_2/etc/openldap/schema/samba.schema # Define global ACLs to disable default read access. # # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral       ldap://root.openldap.org #referral       ldap://trancos.cti.unav.es pidfile         /usr/local/etc2/openldap_2/var/slapd.pid argsfile        /usr/local/etc2/openldap_2/var/slapd.args sizelimit       25 #The <hash> to use for userPassword generation. One #of   {SSHA},   {SHA},   {SMD5},   {MD5},   {CRYPT}, #KERBEROS}, {SASL}, and {UNIX}.   The default is {SSHA}. password-hash   {CRYPT} #Certificados TLSCertificateFile      /usr/local/etc2/openldap_2/etc/openldap/ssl/trancos-cert.pem TLSCertificateKeyFile   /usr/local/etc2/openldap_2/etc/openldap/ssl/trancos-key.pem TLSCACertificateFile    /usr/local/etc2/openldap_2/etc/openldap/ssl/CAcerts #TLSCipherSuite         EXPORT56 ####################################################################### # ldbm database definitions ####################################################################### # ####################################################################### # UNAV SMB ####################################################################### # database        ldbm suffix          "o=smb,dc=unav,dc=es" rootdn          "cn=root,o=smb,dc=unav,dc=es" rootpw           <a_deep_secret>
directory       /usr/local/etc2/openldap_2/unav-smb-2 # replogfile      /usr/local/etc2/openldap_2/var/openldap-slurp/slurpd.replog replica         host=saruman.cti.unav.es                 tls=yes                 binddn="cn=replicator,o=smb,dc=unav,dc=es"                 bindmethod=simple                 credentials=<an_other_secret>
# index           cn,sn,uid,displayName,mail          pres,sub,eq index           rid,uidNumber,gidNumber,primaryGroupID     eq index           objectClass             eq index           default                 sub # access to dn=".*,o=smb,dc=unav,dc=es"         by dn="cn=replicator,o=smb,dc=unav,dc=es" write         by self                         write         by *                            read access to dn="o=smb,dc=unav,dc=es"         by dn="cn=replicator,o=smb,dc=unav,dc=es" write         by self                         write         by *                            read # #

# slave LDAP configuration file # CTI, Universidad de Navarra # Ignacio Coupeau 020910 # # This file should NOT be world readable. # include /usr/local/etc2/openldap_2/etc/openldap/schema/core.schema include /usr/local/etc2/openldap_2/etc/openldap/schema/cosine.schema include /usr/local/etc2/openldap_2/etc/openldap/schema/nis.schema include /usr/local/etc2/openldap_2/etc/openldap/schema/inetorgperson.schema include /usr/local/etc2/openldap_2/etc/openldap/schema/samba.schema # Define global ACLs to disable default read access. # access to dn=".*,dc=unav,dc=es" attrs=children by dn="cn=replicator,dc=unav,dc=es" write # # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. # si se omiten los updateref, se usa este superior referral by default pidfile /usr/local/etc2/openldap_2/var/slapd.pid argsfile /usr/local/etc2/openldap_2/var/slapd.args #The <hash> to use for userPassword generation. One #of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, #KERBEROS}, {SASL}, and {UNIX}. The default is {SSHA}. password-hash {CRYPT} #Certificados TLSCertificateFile /usr/local/etc2/openldap_2/etc/openldap/ssl/saruman-cert.pem TLSCertificateKeyFile /usr/local/etc2/openldap_2/etc/openldap/ssl/saruman-key.pem TLSCACertificateFile /usr/local/etc2/openldap_2/etc/openldap/ssl/CAcerts #TLSCipherSuite EXPORT56 ####################################################################### # ldbm database definitions ####################################################################### # # ####################################################################### # UNAV SMB ####################################################################### # database ldbm suffix "o=smb,dc=unav,dc=es" rootdn "cn=root,o=smb,dc=unav,dc=es" rootpw <an_deep_secret>
directory /usr/local/etc2/openldap_2/unav-smb-2 # updatedn "cn=replicator,o=smb,dc=unav,dc=es" updateref ldap://trancos.cti.unav.es # index cn,sn,uid,displayName,mail pres,sub,eq index rid,uidNumber,gidNumber,primaryGroupID eq index objectClass eq index default sub # access to dn=".*,o=smb,dc=unav,dc=es" attrs=ntPassword,lmPassword by dn="cn=replicator,o=smb,dc=unav,dc=es" write by self write by anonymous auth by * none access to dn=".*,dc=unav,dc=es" by self write by dn="cn=replicator,o=smb,dc=unav,dc=es" write by * read # # #

Samba servers' configuration files

The servers (saco1 and saco2) have two shares: bag1 and bag2

# # CTI, Universidad de Navarra # Ignacio Coupeau 020711; # samba-2.2.5; nuevo path [global] comment = Linux RedHat Samba Server Saco1 netbios name = SACO1 workgroup = CTI-SMB-2 security = server password server = PDC1 PDC2 encrypt passwords = yes null passwords = yes guest ok = no wins support = no wins proxy = no wins server = 159.237.12.29 domain master = no local master = no preferred master = no os level = 0 log file = /usr/local/etc2/samba_2_2/logs [bag2] comment = Home Directories path = /disco1/%u read only = No create mask = 0700

# # CTI, Universidad de Navarra # Ignacio Coupeau 020711; # samba-2.2.5; nuevo path [global] comment = Linux RedHat Samba Server Saco2 netbios name = SACO1 workgroup = CTI-SMB-2 security = server password server = PDC1 PDC2 encrypt passwords = yes null passwords = yes guest ok = no wins support = no wins proxy = no wins server = 159.237.12.29 domain master = no local master = no preferred master = no os level = 0 log file = /usr/local/etc2/samba_2_2/logs [bag1] comment = Home Directories path = /disco1/%u read only = No create mask = 0700

Note: I strong recommend you, test the replication. With Linux RH 5.2 kernel 2.2.10 I need runs the slurpd in one shot mode every 1-2 hours; as demon not runs fine at all.

Import from /etc/passwd [toc]

Please, use samba/examples/LDAP/*passwd* utilities.

Migrating from smbpasswd to ldap [toc]

Please, use samba/examples/LDAP/*passwd* utilities.

Some notes about mandatory and roaming profiles [toc]

XP stuff

Some deep changes has been made in the roaming and mandatory profiles in XP.
Our experience points that the Samba-HOWTO-Collection works fine:

23.1 DESKTOP PROFILE MANAGEMENT
23.2.2.3 Windows 2000/XP Professional

Take care about the steps in the asign "<domain>/everyone" access to the roaming profile candidate; specially, ensure that "everyone" comes from domain and not from local (the domain ask: root/passwd).

Make the roaming profile... or making a desired profile roaming

23.2.2.3 Windows 2000/XP Professional
You must first convert the profile from a local profile to a domain profile on the MSWindows
workstation as follows:
1. Log on as the local workstation administrator.
2. Right-click on the My Computer Icon, select Properties.
3. Click on the User Profiles tab.
4. Select the profile you wish to convert (click it once).
5. Click on the Copy To button.
6. In the Permitted to use box, click on the Change button.
Section 23.2. Roaming Profiles 377
7. Click on the Look in area that lists the machine name. When you click here, it will
open up a selection box. Click on the domain to which the profile must be accessible.
Note
You will need to log on if a logon box opens up. For example,
connect as DOMAIN\root, password: mypassword.
8. To make the profile capable of being used by anyone, select “Everyone”.
9. Click on OK and the Selection box will close.
10. Now click on OK to create the profile in the path you nominated.
Done. You now have a profile that can be edited using the Samba profiles tool.

Fix the acl policy in the smb.conf

[profiles]
path = /usr/local/etc2/samba_PDC7/profiles
writeable = no
guest ok = yes
browseable = yes
create mode = 0776
csc policy = disable
profile acls = yes

If you set the policy rule about "don't store the profile changes in the server" and renames the "ntuser.dat" to "ntuser.man", the "writeable = nyes" should not be a pain, but our experiencie is: sel the machine policy and rename the ntuser.dat tom man(datory) and made the profiles share "writeable = no"... of course, "under NO circunstances..."

Set the local policies
Local Computer Policy\Computer Configuration\Administrative Templates\System\User Profiles\
Do not check for user ownership of Roaming Profile Folders

Local Computer Policy\Computer Configuration\Administrative Templates\System\User Profiles\
Prevent Roaming Profile changes from propagating to the server

At last, set the correct SID into the ntuser.man (step not required)

obtain your domain's SID:

bin/net getlocalsid

S-1-5-21-2715378125-3642892448-1277082696

check the SID from the ntuser.man

bin/profiles -v profiles/profile_example/ntuser.man

S-1-5-21-471028381-1047030085-1551032810-500S-1-5-21-471028381-1047030085-1551032810-513S-1-5-21-471028381-1047030085-1551032810-1003

if the SID don't are the same, change them (each rid object):

bin/profiles -c S-1-5-21-471028381-1047030085-1551032810-500 -n S-1-5-21-2715378125-3642892448-1277082696-500 profiles/profiler_mm/ntuser.man

run this line for each rid: 500, 513, 1003 in my example.

`NT stuff`

Subject: Re: Working on LDAP support in HEAD
Date: Tue, 16 May 2000 05:43:51 +1000
From: Inge-Håvard Hunstad <inge@cc.uit.no>
To: Multiple recipients of list SAMBA-DOCS <samba-docs@samba.org>
References: 1 , 2 , 3 , 4 , 5

David Collier-Brown wrote:
>
> Inge-Håvard Hunstad wrote Re: Working on LDAP support in HEAD
>
> > I just wanted to say that those who where using my setup where *lucky*
> > because they didn't have to worry, because I did a lot of this. But I
> > see the point that those who have users with local files on the NTws,
> > and roaming profiles have a problem if the rid is changed.
>
>         Could you write a short message to samba-docs@samba.org
>         describing your profile setup, so we'll have it
>         available when we rewrite textdocs/PROFILES.txt
>         (which is getting out of date).
>
Hi,

Thanks for asking David.

We have a sever running samba ver 2.1prealpha from October 15. with
support for LDAP, but this description should work for everyone using NT
clients. This server serves only NT4ws clients. Our users are students
in computer labs so we wanted a uniform setup for all the machines.
Therefor we use a mandatory profile that all the users in our domain
gets. Our users also doesn't use the same machine every time so to avoid
having 6000 profiles stored on every machine in the domain we delete the
profile when the users log out using this reg. hack:
Add this REG_DWORD value key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Winlogon\DeleteRoamingCache
the Value should be 1.

To create the mandatory profile you have to start from scratch with a
brand new user to keep the profile size down. Then you have to configure
the user as you want all your users should have it. Then you logout and
login as a administrator and use "Control Panel->System->User Profiles"
to copy the profile to the profile server. Make sure that "everyone" is
able to use the profile. When you have done this you have to go to the
profile server to change the name of Ntuser.dat in the profile to
Ntuser.man and change the permission on the directory so that it's only
readable by "world". Here you also have the possibility to change the
extension of the directory containing the profile so that it has a .man
extension but this is not necessary. If you do this then your users are
kicked out to the logon screen if the profile server is not available. I
have noted that if the user have logged on to an NT box before and then
the user is removed from the server he can still log on if the server is
unavailable. You prevent this if you are having the .man extension on
the profile directory. The configuration I did of samba was this:

smb.conf
[global]
logon path = \\%L\Profiles\users.man

[Profiles]
        path = /opt/samba-pdc/profiles
        browseable = yes
        read only = Yes
        write list = @staff
        guest ok = yes
        locking = no

Note that this is a setup without LDAP. If you use ldap the logon path
is controlled by this entry in the record for the user:

profile: \\ProfileServerNetbiosName\Profiles\users.man

You can't use the normal variable substitution in the LDAP directory.
I'm not sure why, but I haven't been able to get it to work properly.

Also if you are using Internet Explorer (we are not) you have to do this
reg. edit:
Delete the Loadwc.exe from the BrowserWebCheck value from this registry
key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

I would also recommend this reg. edit that I got from Martin
Kuppinger(Samba-NTDOM mailing list):

I believe this one turns off the slow link connection:
---> CUT HERE <---
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon]
"SlowLinkDetectEnabled"=dword:00000000

---> END CUT <---

[>] It turns off the message displayed. There is another parameter
SlowLinkTimeOut
which you could use to set the time in milliseconds. Default is 2000,
maximum
in system policy is 20000, in registry i've read about 120.000

Here is some links to MS Knowlegebase:
Q168476 - How to Create Mandatory Profiles with Windows NT 4.0
http://support.microsoft.com/support/kb/articles/Q168/4/76.ASP
Q236436 - "Setting Up Personalized Settings" Message at Every Boot
http://support.microsoft.com/support/kb/articles/Q236/4/36.ASP

Yes I've been cheating, shame on me:)

People that have helped me setting this up so that it worked is Dejan
Ilic (Samba-NTDOM) and John Terje Hunstad(NT administrator).

Cheers,

Inge-Håvard Hunstad

PS. David please feel free to edit this text if it suits the samba
community. I also hope that there is some sense in the text somewhere.
Sorry that it is so long. I couldn't help myself:-)

Password sync [toc]

The smb.conf directive

ldap passwd sync (G)

provides several ldap passwd sync on fly:

  ldap passwd sync = yes|on

  ldap passwd sync = no|off

  ldap passwd sync = only

this is only available if the ldap libs support LDAP_EXOP_X_MODIFY_PASSWD.

This option is used to define whether or not Samba should

sync the LDAP password with the NT and LM hashes for normal accounts

(NOT for workstation, server or domain trusts) on a password change via SAMBA.



The ldap passwd sync can be set to one of three values:

(a) yes - Try to update the LDAP, NT and LM passwords and update the pwdLastSet time,
(b) no - Do it like before, only update NT and LM passwords and update the pwdLastSet time,
(c) only - Only update the LDAP password and let the LDAP server doing the rest.



Default : ldap passwd sync = no

users	`./bin/smbpasswd -a <user> -D 256`
workstations	`./bin/smbpasswd -m -a <ws_name>$ -D 256`

NT	`control pannel-> Network \|Identification \| Domain/Change domain`
W2K/XP	`myPC-> System properties\|Computer name\| Domain/Change domain`