This is still a work in progress at present, but I'm working on the migration of a set of user accounts from the traditional Linux shadow / Samba tdbsam back ends into an LDAP directory. This should result in a set up with much tidier administration and better sharing of credentials between servers.
A rough summary so far:
Installed slapd and samba and (I'm using Debian etch) the samba-doc package
Installed the smbldap-tools package
Added the samba.schema from the samba-doc package to the ldap config and amended the indices and permissions.
index objectClass,uidNumber,gidNumber,entryUUID,entryCSN eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
access to attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword
by dn="cn=......" write
by anonymous auth
by self write
by * none
Got the domain SID and set up the smbldap-tools with appropriate defaults and done the base population of the LDAP directory with smbldap-populate
Amended samba to talk to the ldap directory
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=.......
ldap delete dn = Yes
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Machines
ldap passwd sync = Yes
ldap suffix = dc=.......
ldap ssl = no
and add references to the tools to make user admin simple (we like simple!)
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
(one strange thing above is in the add user script - you may expect to include the -a option - which says this is a Samba account. This is only needed from the command line. Here we're after creating just the posix account and then Samba will separately add the extra bits to make it a Samba account. If you have the -a option in then trying to use the NT user manager will result in "a device attached to the system is not functioning" coming up when you try to add a user.)
Install libnss-ldap and libpam-ldap
Update /etc/nsswitch.conf to use "files ldap" for passwd, group and shadow
Amend the common-* PAM files as follows:
#
# /etc/pam.d/common-account - authorization settings common to all services
#
account sufficient pam_ldap.so
account required pam_unix.so
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
auth sufficient pam_ldap.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so
#
# /etc/pam.d/common-password - password-related modules common to all services
#
password sufficient pam_ldap.so
password sufficient pam_unix.so nullok obscure min=4 max=8 md5 use_first_pass use_authtok
password required pam_deny.so
#
# /etc/pam.d/common-session - session-related modules common to all services
#
session sufficient pam_ldap.so
session required pam_unix.so
For the main migration, the tools of interest are smbldap-migrate-unix-accounts, smbldap-migrate-unix-groups and pdbedit in that order. The first two are in the examples area of the documentation for smbldap-tools, gzipped by default, so you need to uncompress them and make them executable.
Take a copy of the old password and shadow files. Edit it down to just the accounts you want in LDAP (including taking machine accounts out). Then do
/usr/share/doc/smbldap-tools/examples/migration_scripts/smbldap-migrate-unix-accounts -P
temp -S
temp/usr/share/doc/smbldap-tools/examples/migration_scripts/smbldap-migrate-unix-groups -G
tempThis pulls all the unix stuff in.
Then pdbedit -i tdbsam -e ldapsam (presuming your old passwd.tdb file is still in the same place and Samba is configured to talk to the LDAP server) will pull in the Samba attributes and passwords of the old Samba accounts (including machines).
The next trick I'm working on is getting exim to talk to the LDAP server for SMTP AUTH