Make Samba work with iRedMail's OpenLDAP database backend

Before anything else, follow the steps in the howto on using iRedMail's OpenLDAP database for Unix user authentication. Samba only serves files to accounts it can resolve to a Unix uid/gid, so the LDAP users must already show up in getent passwd before you continue.

Generate SambaSID

Create sidgenerator.sh file

Create the sidgenerator.sh file with the following content:

#!/bin/sh
# Build a Samba domain-style SID: S-1-5-21 followed by three random
# 32-bit sub-authorities read from the kernel CSPRNG (/dev/urandom).

sambaSID=
for num in 1 2 3; do
  # od prints one unsigned 32-bit decimal for the 4 bytes; strip its padding spaces
  randNum=$(od -vAn -N4 -tu4 < /dev/urandom | sed -e 's/ //g')
  if [ -z "$sambaSID" ]; then
    sambaSID="S-1-5-21-$randNum"
  else
    sambaSID="${sambaSID}-${randNum}"
  fi
done
echo "$sambaSID"

exit 0

This script was written by naterator.

Make it executable

chmod +x sidgenerator.sh

Generate the SID

bash ./sidgenerator.sh

Keep the output: it is the value used as sambaSID of the domain group below.

Set up Samba

Install samba

apt-get install samba smbldap-tools -y

Edit /etc/samba/smb.conf

We bind as the LDAP root DN because Samba has to create the sambaDomainName=SERVERNAME entry under the suffix the first time it starts with the ldapsam backend. This DN has unrestricted write access to the whole directory, and its password is stored in Samba's secrets.tdb in the next step, so protect that file as you would the rootdn password.

[global]
 ...
   netbios name = SERVERNAME
 ...
   passdb backend = ldapsam:ldap://127.0.0.1
   # plaintext LDAP is acceptable only because the bind stays on the loopback
   # interface; for a remote directory use ldaps:// or "ldap ssl = start tls"
   ldap ssl = no
   ldap admin dn = cn=Manager,dc=domain,dc=com
   ldap suffix = dc=domain,dc=com
 ...

Set LDAP password for Samba

Store the password of the ldap admin dn in Samba's secrets.tdb. A password given on the command line lands in the shell history and is visible in the process list while the command runs, so clear it from the history afterwards.

smbpasswd -w *************SECRETPASSWORD*************

Restart Samba

service smbd restart

Set up OpenLDAP

Add the needed Samba attributes to the domain group entry

{ou=Groups,domainName=domain.com,o=domains,dc=domain,dc=com}

objectClass->(new entry)->sambaGroupMapping

sambaGroupType=2
sambaSID=YOU-NEED-TO-GENERATE-THIS-WITH-THE-SCRIPT  # the output of sidgenerator.sh

Valid values for sambaGroupType (2, a domain group, is the one needed here)

SID_NAME_USE_NONE=0,
SID_NAME_USER=1,
SID_NAME_DOM_GRP=2,
SID_NAME_DOMAIN=3,
SID_NAME_ALIAS=4,
SID_NAME_WKN_GRP=5,
SID_NAME_DELETED=6,
SID_NAME_INVALID=7,
SID_NAME_UNKNOWN=8,
SID_NAME_COMPUTER=9

Set up user

{ou=Users,domainName=domain.com,o=domains,dc=domain,dc=com}

objectClass->(new entry)->sambaSamAccount

Create the following attributes under the user; they belong to the sambaSamAccount objectClass added above.

SID-OF-THE-SAMBA-SERVER is the domain SID Samba wrote into the sambaDomainName=SERVERNAME entry when it first started against the LDAP backend; print it with net getlocalsid. The two password attributes hold hashes, never the plaintext password, and both are password-equivalent secrets: make sure your OpenLDAP ACLs do not let ordinary binds read them.

(new attribute)->each of the following

sambaSID=SID-OF-THE-SAMBA-SERVER-3000  # domain SID plus a RID; increment the 3000 part so every user gets a unique RID
sambaAcctFlags=[U]
sambaLMPassword=*****************SAMBAPASSWORD*****************  # LM hash, 32 hex characters; weak DES construction, not consulted with Samba's default lanman auth = no
sambaNTPassword=*****************SAMBAPASSWORD*****************  # NT hash: MD4 over the UTF-16LE password, 32 hex characters
sambaPrimaryGroupSID=SID-OF-THE-CREATED-GROUP-  # Add '-' character to the end of the group sid
sambaPwdLastSet=-1
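The group and user steps above produce a handful of attributes by hand. The Python script below is an added example, not code from this howto, iRedMail or Samba: it generates a SID of the same shape as sidgenerator.sh, derives a user SID from the server's domain SID plus a RID, computes the sambaNTPassword value (MD4 over the UTF-16LE password, implemented inline because hashlib has no md4 on OpenSSL 3 builds) and renders both changes as LDIF for ldapmodify. It deliberately writes only the NT hash and leaves sambaLMPassword out; sambaPrimaryGroupSID is written exactly as passed in. The DNs, the server SID and the password in demo() are constructed placeholders.

```python
"""Added example (not iRedMail's or Samba's code): build the group and user
attributes from the howto as LDIF, keeping the plaintext password out of LDAP.
DNs, server SID and password in demo() are constructed placeholders."""
import re
import secrets
import struct

DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")    # what sidgenerator.sh emits
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(-\d+)?$")     # domain SID, optionally with RID


def generate_domain_sid() -> str:
    """Same shape as sidgenerator.sh: S-1-5-21 plus three random 32-bit
    sub-authorities, taken from the OS CSPRNG."""
    return "S-1-5-21-" + "-".join(str(secrets.randbits(32)) for _ in range(3))


def with_rid(domain_sid: str, rid: int) -> str:
    """User SID: the server's domain SID (net getlocalsid) plus a unique RID."""
    if not DOMAIN_SID_RE.match(domain_sid):
        raise ValueError(f"not a domain SID: {domain_sid!r}")
    if not 0 < rid < 2**32:
        raise ValueError(f"RID out of range: {rid}")
    return f"{domain_sid}-{rid}"


def _md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, inline because hashlib lacks md4 on OpenSSL 3 builds."""
    mask = 0xFFFFFFFF
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                 # round 1
            a = rol((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                 # round 2
            k = (i % 4) * 4 + i // 4
            a = rol((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
        for i in range(16):                                 # round 3
            a = rol((a + h(b, c, d) + x[order[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: MD4 of the UTF-16LE password, 32 upper-case hex digits."""
    return _md4(password.encode("utf-16-le")).hex().upper()


def _modify_ldif(dn: str, adds) -> str:
    """Render one LDIF 'changetype: modify' record adding each (attribute, value)."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in adds:
        lines += [f"add: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


def group_ldif(group_dn: str, group_sid: str) -> str:
    """The group step: objectClass sambaGroupMapping, type 2 (SID_NAME_DOM_GRP)."""
    if not SID_RE.match(group_sid):
        raise ValueError(f"not a SID: {group_sid!r}")
    return _modify_ldif(group_dn, [("objectClass", "sambaGroupMapping"),
                                   ("sambaGroupType", "2"),
                                   ("sambaSID", group_sid)])


def user_ldif(user_dn, domain_sid, rid, password, primary_group_sid, pwd_last_set=-1):
    """The user step.  Only the NT hash is stored: sambaLMPassword is a weak
    DES construction and Samba's default 'lanman auth = no' never reads it."""
    return _modify_ldif(user_dn, [
        ("objectClass", "sambaSamAccount"),
        ("sambaSID", with_rid(domain_sid, rid)),
        ("sambaAcctFlags", "[U]"),
        ("sambaNTPassword", nt_hash(password)),
        ("sambaPrimaryGroupSID", primary_group_sid),   # written exactly as given
        ("sambaPwdLastSet", str(pwd_last_set)),
    ])


def demo():
    """Constructed placeholders; returns (group LDIF, user LDIF) ready for ldapmodify."""
    base = "domainName=domain.com,o=domains,dc=domain,dc=com"
    group_sid = generate_domain_sid()                  # as from sidgenerator.sh
    server_sid = "S-1-5-21-1-2-3"                      # stand-in for `net getlocalsid` output
    return (group_ldif(f"ou=Groups,{base}", group_sid),
            user_ldif(f"mail=user@domain.com,ou=Users,{base}", server_sid, 3000,
                      "correct horse", group_sid))
```

Write the two strings returned by demo() to files and apply them with ldapmodify -x -D 'cn=Manager,dc=domain,dc=com' -W -f FILE; afterwards pdbedit -L should list the new user, which confirms Samba can read the entry through ldapsam.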

Troubleshoot

Samba

  1. Troubleshooting Samba

OpenLDAP

  1. Troubleshooting OpenLDAP

Revision #1
Created Mon, Jul 1, 2019 11:02 AM by Tamas Toth
Updated Mon, Jul 1, 2019 11:05 AM by Tamas Toth