Linux System Administration and Configuration -- Samba User Account Administration
Before you can use Samba and OpenLDAP as a Windows Primary Domain Controller, you must first configure Samba and OpenLDAP. That is beyond the scope of this document, but there are plenty of resources on the web (and hopefully, there will be additional resources here in the near future). So, if you don't already have Samba and OpenLDAP configured to serve an NT4-style domain (Samba 3 with an LDAP backend emulates an NT4 domain controller, not Active Directory), then head on over to Google to search for instructions on that, then come back here to add, delete and update your user accounts. Go ahead -- I'll wait for you ;)
Okay, now that you've got Samba and OpenLDAP set up, you need an LDIF template for your ldapadd/ldapmodify commands. (The format is LDIF, the LDAP Data Interchange Format of RFC 2849, not "LDIFF".) Here is a sample LDIF that you can use to set up your own accounts:
dn: uid=generic,ou=Users,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: generic
sn: user
uid: generic
uidNumber: GET NEXT UNUSED UID FROM cn=NextFreeUnixID,dc=example,dc=com
gidNumber: 513
homeDirectory: /home/generic
loginShell: /bin/false
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-2287537920-2619082790-1759260786-(2 * uidNumber + 1000)
sambaPrimaryGroupSID: S-1-5-21-2287537920-2619082790-1759260786-513
sambaLogonScript: logon.bat
sambaProfilePath: \\samba\profiles\generic
sambaHomePath: \\samba\generic
sambaHomeDrive: H:
sambaPwdCanChange: 1169070386
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaAcctFlags: [U          ]
# telephoneNumber, title and homePhone are optional. Add a line such as
# "telephoneNumber: <number>" only when you have a value: OpenLDAP rejects
# an attribute with an empty value as a syntax violation.
description: generic user
displayName: generic user
givenName: generic
mail: generic@example.com
gecos: generic user
sambaLMPassword: USE PERL SCRIPT TO GENERATE LM HASH (omit this line when smb.conf has lanman auth = no)
sambaNTPassword: USE PERL SCRIPT TO GENERATE NT HASH
sambaPwdLastSet: 1187414470
userPassword: {SSHA}GENERATE WITH slappasswd (needed only for Unix/PAM logins; omit the line otherwise, since Samba authenticates against sambaNTPassword, not userPassword)
...or, if you like, you can download it here instead.
There are several fields in this file that you will need to modify to make it useful. If you aren't familiar with LDIF, here is a quick overview. The file is a list of attribute names, each followed by a colon (":"), a space and the attribute's value. A line that begins with a space continues the previous value; a double colon ("attr:: ...") means the value is base64-encoded, which is required for non-ASCII values and for values that start with a space, a colon or "<"; a line beginning with "#" is a comment. For example, the entry for the user "someuser" has the attribute "uid" (required for every user, and also used in the dn), and the uid attribute has the value "someuser". To use this LDIF file, open it in a text editor like ViM, notepad (yech!) or whatever and change the values of a number of these attributes as required for your user(s).
The first attribute we will change is "dn", the distinguished name. This is the entry's unique name in the directory, and it is how LDAP (and Samba, through the "ldap user suffix" setting in smb.conf) finds the user. With the usual layout the value is of the form "dn: uid=<username>,ou=Users,dc=<domain name>,dc=<org|com|net|...>", where the dc components are your directory's base DN and the ou must be the one Samba's "ldap user suffix" points at. Unless you own IANA, you will need to change this line in my generic LDIF file ;)
Next, go through the file and change every occurrence of "generic" to whatever your user's name is. Then set "sn" to the user's last name: "sn" (surname) and "cn" are mandatory attributes of the person/inetOrgPerson object classes, so the add will be rejected if either is missing or empty. Change "description", "displayName" and "gecos" to hold either the user's first name or the user's first and last names, whichever you prefer, and "givenName" to the first name. If you like, you can also add telephone numbers in the "telephoneNumber" and "homePhone" attributes, but add those lines only when you have a value, because OpenLDAP rejects an attribute with an empty value. You should probably also change the "mail" attribute to your user's e-mail address, particularly if you will be using LDAP to provision e-mail accounts on your network (also beyond the scope of this howto).
Still with me? Good -- so far, these have been simple changes, and with the exception of the "dn" and "uid" attributes (and possibly the "mail" attribute), they won't make much difference in the operation of your network. But that is about to change: the rest of the attributes we will be modifying are critical to the proper functioning of your network. The first is "uidNumber". It MUST BE UNIQUE across your domain, because it is the numeric identity Unix uses for the account (file ownership, process credentials) and, through the RID formula below, the basis of the account's Windows SID; two users sharing a uidNumber would share each other's files and SID. The way we do this where I work is with a counter entry on the server, cn=NextFreeUnixID,dc=example,dc=com, with two object classes (sambaUnixIdPool and inetOrgPerson), an sn and a cn of NextFreeUnixID, a uidNumber and a gidNumber. Its uidNumber holds the next uidNumber that can be assigned to a user, and its gidNumber holds the next gidNumber that can be assigned to a group. Every time we add a user or a group, we read the counter, assign the value to the new user or group, and increment the counter. Because a read followed by a separate write is not atomic (two admins reading the counter at the same moment would hand out the same number), do the increment as a single LDAP modify operation that deletes the old value and adds the new one: the server applies it atomically and rejects it if someone else has already bumped the counter, in which case you re-read and try again. Only after the increment has succeeded is the number yours to put into the new user's entry.
Next, you must set the sambaSID attribute. This is the account's Windows security identifier, a long string of numbers and dashes made of two parts: a domain portion (everything up to the last dash) and a user portion, the relative identifier or RID. In the example LDIF, the domain portion is filled in but the RID is written as a formula. Samba's classic algorithmic mapping computes it from the uidNumber we obtained in the last step: multiply by two, then add 1,000, so uidNumber 1000 becomes RID 3000 (if smb.conf sets "algorithmic rid base", it must be the same 1000). The sambaPrimaryGroupSID is built the same way, only with less math :) Take the domain portion of the sambaSID and append the RID of the user's primary group. In the sample, gidNumber 513 and RID 513 coincide because the smbldap-tools populate step creates "Domain Users" with both set to 513; in general the RID is whatever sambaSID the group's own sambaGroupMapping entry carries (the primary group must be a group Samba has mapped), so look that up rather than pasting the gidNumber. Easy, right?
So where does the domain portion come from? It is the SID of your Samba domain. Samba generates it (randomly; there is no checksum) the first time it starts as a domain controller, keeps it in secrets.tdb, and writes it to the sambaSID attribute of the sambaDomainName=<your workgroup> entry in LDAP. Print it with "net getlocalsid" (or "net getdomainsid") on the Samba server and copy it exactly: you cannot make one up, because Samba only treats accounts whose sambaSID begins with its own domain SID as members of its domain. If you run more than one Samba domain on your network, each has its own SID and must keep it; two domains sharing a SID would treat each other's accounts as their own.
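The uidNumber allocation and SID construction above, as an added Python example (this is not the howto's own tooling, which is a template plus a Perl script): it builds the complete add record for a user from the pieces just discussed, derives the user RID with the 2 * uidNumber + 1000 formula, takes the primary group's RID as an explicit input instead of reusing the gidNumber, leaves out optional attributes that have no value, base64-encodes values LDIF cannot carry in the clear, and emits the single-modify counter bump for cn=NextFreeUnixID. The domain SID, base DN, user details and NT hash in the usage section are constructed sample values, not a real domain; the output is plain LDIF text to feed to ldapadd.

```python
import base64
import time

RID_BASE = 1000      # Samba's "algorithmic rid base" default: user RID = 2*uid + 1000
NEVER = 2147483647   # largest 32-bit time_t, Samba's "never" for kickoff/must-change


def user_rid(uid_number: int) -> int:
    """User RID under Samba's classic algorithmic mapping."""
    return 2 * uid_number + RID_BASE


def ldif_line(attr: str, value) -> str:
    """One attribute line. RFC 2849 only allows ASCII values that do not start with
    a space, ':' or '<', have no trailing space and no newline; anything else is
    base64-encoded after a double colon ("attr:: ...")."""
    text = str(value)
    safe = (text.isascii() and text == text.strip() and "\n" not in text
            and not text.startswith((":", "<")))
    if safe:
        return f"{attr}: {text}"
    return f"{attr}:: {base64.b64encode(text.encode('utf-8')).decode('ascii')}"


def user_ldif(username, full_name, uid_number, domain_sid, base_dn, nt_hash,
              gid_number=513, group_rid=513, pwd_last_set=None,
              mail=None, phone=None) -> str:
    """LDIF add record for one sambaSamAccount user.

    group_rid is the RID carried by the sambaGroupMapping entry of gid_number
    (513 = Domain Users in a default smbldap populate); it is NOT computed from
    gid_number, because the two only coincide for the built-in groups.
    """
    if pwd_last_set is None:
        pwd_last_set = int(time.time())   # epoch seconds, like the other samba*Time attrs
    first, last = full_name.split()[0], full_name.split()[-1]
    attrs = [
        ("dn", f"uid={username},ou=Users,{base_dn}"),
        ("changetype", "add"),            # plain ldapmodify (no -a) then adds, not modifies
        ("objectClass", "top"),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("objectClass", "sambaSamAccount"),
        ("cn", username),
        ("sn", last),                     # cn and sn are MUST attributes of inetOrgPerson
        ("givenName", first),
        ("displayName", full_name),
        ("gecos", full_name),
        ("uid", username),
        ("uidNumber", uid_number),
        ("gidNumber", gid_number),
        ("homeDirectory", f"/home/{username}"),
        ("loginShell", "/bin/false"),
        ("sambaSID", f"{domain_sid}-{user_rid(uid_number)}"),
        ("sambaPrimaryGroupSID", f"{domain_sid}-{group_rid}"),
        ("sambaAcctFlags", "[U          ]"),   # enabled normal user, Samba's padded form
        ("sambaPwdLastSet", pwd_last_set),
        ("sambaPwdCanChange", pwd_last_set),
        ("sambaPwdMustChange", NEVER),
        ("sambaKickoffTime", NEVER),
        ("sambaLogonTime", 0),
        ("sambaLogoffTime", NEVER),
        ("sambaNTPassword", nt_hash.upper()),   # no sambaLMPassword: lanman auth = no
        ("sambaLogonScript", "logon.bat"),
        ("sambaHomePath", f"\\\\samba\\{username}"),
        ("sambaHomeDrive", "H:"),
        ("sambaProfilePath", f"\\\\samba\\profiles\\{username}"),
        ("mail", mail),                   # optional: emitted only when set, because
        ("telephoneNumber", phone),       # OpenLDAP rejects an attribute with an empty value
    ]
    return "".join(ldif_line(a, v) + "\n" for a, v in attrs if v is not None and v != "")


def bump_counter_ldif(current_uid: int, base_dn: str) -> str:
    """Allocate current_uid and advance cn=NextFreeUnixID in one LDAP modify.

    The delete of the old value and the add of the new one are a single
    operation, which the server applies atomically: if another admin bumped the
    counter first, the delete fails (value no longer present), nothing changes,
    and the caller must re-read the counter instead of reusing the number.
    """
    return (f"dn: cn=NextFreeUnixID,{base_dn}\n"
            "changetype: modify\n"
            "delete: uidNumber\n"
            f"uidNumber: {current_uid}\n"
            "-\n"
            "add: uidNumber\n"
            f"uidNumber: {current_uid + 1}\n"
            "-\n")


if __name__ == "__main__":
    # Constructed sample values, not a real domain or user.
    DOMAIN_SID = "S-1-5-21-2287537920-2619082790-1759260786"
    print(bump_counter_ldif(1000, "dc=example,dc=com"))
    print(user_ldif("alice", "Alice Example", 1000, DOMAIN_SID, "dc=example,dc=com",
                    "8846f7eaee8fb117ad06bdd830b7586c", mail="alice@example.com"))
```

Run the counter LDIF first and only write the user LDIF if ldapmodify reports success for it; a "no such attribute" error on the delete means the number was taken in between and the counter has to be re-read.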
Next, set sambaAcctFlags as required. The value is a bracketed, space-padded list of single-letter flags (Samba writes it as 13 characters, "[U          ]" for a plain enabled user). The ones you will meet are: U = normal user account, W = workstation trust account, S = server trust account, I = inter-domain trust account, D = account disabled, X = password never expires, N = no password required, L = account locked out, H = home directory required. A new user normally gets just "[U          ]"; add D to create the account disabled, or X if password expiry should not apply to it ("pdbedit -v -u <username>" shows the flags Samba has parsed for an account). While you are here, note that the samba*Time and sambaPwd* attributes are Unix epoch seconds: 0 and 2147483647 mean "no limit", and sambaPwdLastSet should be the time you set the password (date +%s), because Samba computes password expiry from it.
Finally, you need to set the sambaNTPassword (and, if your smb.conf still has lanman auth = yes, the sambaLMPassword) for the user. I have written a Perl script using the Perl Crypt::SmbHash module available on CPAN to do this. You can download the script here, or use the Crypt::SmbHash module to write your own script if you are comfortable with Perl. To use the script, copy it to your Linux host, download and install the Crypt::SmbHash module ("perl -MCPAN -e shell" then type "install Crypt::SmbHash" at the prompt), then run the Perl script with no parameters to get the usage. Copy the NT hash into the sambaNTPassword attribute and the LanManager hash into the sambaLMPassword attribute. Two things to keep in mind: the NT hash is an unsalted MD4 of the UTF-16LE password and is password-equivalent (anyone who can read it can authenticate to the domain with it, no cracking needed), and the LM hash is weaker still (the password is upper-cased, truncated to 14 characters and hashed as two independent 7-character halves), so leave sambaLMPassword out unless you have clients that need it. Either way, lock these attributes down in slapd.conf with an access rule that lets only the DN Samba binds as (the "ldap admin dn" in smb.conf) read and write sambaNTPassword, sambaLMPassword and userPassword, with "by * none" for everyone else, and never leave the hashes in a world-readable LDIF file or your shell history.
You are almost done now. All that is left is running ldapadd (or ldapmodify -a) to add the user to LDAP. It takes a number of parameters, most of which will be unique to your system, so you will need to get the following information:
- Root DN (or another DN with write access to ou=Users): usually, given the directory example.com, it's cn=Manager,dc=example,dc=com, the "rootdn" line in slapd.conf.
- The password for that DN. The "rootpw" line in slapd.conf normally holds it hashed (an {SSHA} value, which looks like base64 but is a salted SHA-1 hash, not an encoding of the password), so it cannot be decoded back; get the password from whoever set up the server or, if it is lost, generate a new hash with slappasswd and replace the rootpw line. Do not put the password on the command line with -w, where it lands in your shell history and the process list; use -W so ldapadd prompts for it.
- The LDAP server hostname or IP address. I cannot help you here ;) Ask your network administrator if you don't have this information.
- The port number used by your LDAP server. This is 389 for plain LDAP (and for LDAP with STARTTLS) and 636 for LDAP over TLS (ldaps://). A non-standard port is not a security measure; sending the Manager password over an unencrypted connection is the thing to avoid, so use -ZZ (require STARTTLS) or an ldaps:// URL, or run ldapadd on the LDAP server itself over ldapi:// or localhost.
Once you have the required information, you are ready to add the user to LDAP. Fire up your trusty CLI and type...:
ldapadd -x -H ldap://<LDAP server hostname>:389 -ZZ -D <Root DN> -W -f <path to new user LDIF file>
...and press Enter. (-x selects a simple bind; without it the OpenLDAP tools try SASL and ignore -D. On older clients "-h <hostname>" works in place of -H. Plain ldapmodify without -a only adds the entry if the LDIF has a "changetype: add" line right after the dn.) That's it -- if all went well, you should have a shiny new user in your LDAP directory. Check with "ldapsearch -x -H ldap://<LDAP server hostname> -ZZ -b ou=Users,dc=example,dc=com uid=<username>", then run "pdbedit -v -u <username>" on the Samba server: if Samba prints the account with its SID, flags and password dates, it has accepted the entry. If not...time to hit Google to figure out what went wrong (troubleshooting to be added to this howto soon).