Thanks, Brian, for sharing this with us. I will take a look at it and hopefully include these changes in the trunk soon.
On Sun, May 1, 2011 at 7:34 PM, Brian Burch <[email protected]> wrote:
> On 04/02/11 22:16, Stefan Seelmann wrote:
>>
>> Hi Jeffrey,
>>
>> On Thu, Feb 3, 2011 at 4:31 AM, Jeffre Reynolds wrote:
>> <snip>
>>>
>>> Any information on the subject would be very helpful, or even a good
>>> place to go to try to find out more about how to integrate ApacheDS with
>>> Samba.
>>
>> I'm no Samba expert (and I think most readers of this list aren't
>> either). But I doubt your problem is ApacheDS specific. As far as I
>> know, Samba can just use any LDAP server as a backend. So I think you
>> could try to adapt other documentation on how to integrate Samba+LDAP
>> to ApacheDS ([1][2] are just two examples). In any case, the Samba
>> mailing lists [3] should be a good resource.
>>
>> Kind Regards,
>> Stefan
>
> I've been meaning to convert my Samba authentication to LDAP for quite a
> while. The recent activity on this topic encouraged me to get on with it.
>
> It was a long and painful task, made worse by the fact that a lot of
> information is out of date, confusing or doesn't apply to ApacheDS. I do not
> propose to go over everything here!
>
> However, after enabling the samba schema, converting my users, defining a
> samba domain entry and a server authenticator, I hit problems when trying to
> do anything as a Samba user. The apacheds/bin/wrapper.log was quite
> informative.
>
> To cut a long story short, there are LOTS of schema changes required for
> Samba 3, which are missing from ApacheDS. Sample OpenLDAP schema changes
> were committed to the Samba source repository in February 2006. I have
> converted them to match the ApacheDS schema and applied them to my
> directory.
>
> Here are my new attribute and objectclass definitions:
>
> # samba 3 attributes Schema
> #
> # see: http://lists.samba.org/archive/samba-cvs/2006-February/064786.html
> #
> # svn commit: samba r13290 - branches/SAMBA_3_0/examples/LDAP
> #                            trunk/examples/LDAP
> #
> dn: m-oid=1.3.6.1.4.1.7165.2.1.58,ou=attributeTypes,cn=samba,ou=schema
> objectClass: metaAttributeType
> objectClass: metaTop
> objectClass: top
> m-oid: 1.3.6.1.4.1.7165.2.1.58
> m-collective: FALSE
> m-description: Minimal password length (default: 5)
> m-equality: integerMatch
> m-name: sambaMinPwdLength
> m-noUserModification: FALSE
> m-obsolete: FALSE
> m-singleValue: TRUE
> m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
> m-usage: USER_APPLICATIONS
>
> dn: m-oid=1.3.6.1.4.1.7165.2.1.59,ou=attributeTypes,cn=samba,ou=schema
> objectClass: metaAttributeType
> objectClass: metaTop
> objectClass: top
> m-oid: 1.3.6.1.4.1.7165.2.1.59
> m-collective: FALSE
> m-description: Length of Password History Entries (default: 0 => off)
> m-equality: integerMatch
> m-name: sambaPwdHistoryLength
> m-noUserModification: FALSE
> m-obsolete: FALSE
> m-singleValue: TRUE
> m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
> m-usage: USER_APPLICATIONS
>
> dn: m-oid=1.3.6.1.4.1.7165.2.1.60,ou=attributeTypes,cn=samba,ou=schema
> objectClass: metaAttributeType
> objectClass: metaTop
> objectClass: top
> m-oid: 1.3.6.1.4.1.7165.2.1.60
> m-collective: FALSE
> m-description: Force Users to logon for password change (default: 0 => off, 2 => on)
> m-equality: integerMatch
> m-name: sambaLogonToChgPwd
> m-noUserModification: FALSE
> m-obsolete: FALSE
> m-singleValue: TRUE
> m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
> m-usage: USER_APPLICATIONS
>
> dn: m-oid=1.3.6.1.4.1.7165.2.1.61,ou=attributeTypes,cn=samba,ou=schema
> objectClass: metaAttributeType
> objectClass: metaTop
> objectClass: top
> m-oid: 1.3.6.1.4.1.7165.2.1.61
> m-collective: FALSE
> m-description: Maximum password age, in seconds (default: -1 => never expire passwords)
> m-equality: integerMatch
> m-name: sambaMaxPwdAge
> m-noUserModification: FALSE
> m-obsolete: FALSE
> m-singleValue: TRUE
> m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
> m-usage: USER_APPLICATIONS
>
> dn: m-oid=1.3.6.1.4.1.7165.2.1.62,ou=attributeTypes,cn=samba,ou=schema
> objectClass: metaAttributeType
> objectClass: metaTop
> objectClass: top
> m-oid: 1.3.6.1.4.1.7165.2.1.62
> m-collective: FALSE
> m-description: Minimum password age, in seconds (default: 0 => allow immediate password change)
> m-equality: integerMatch
> m-name: sambaMinPwdAge
> m-noUserModification: FALSE
> m-obsolete: FALSE
> m-singleValue: TRUE
> m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
> m-usage: USER_APPLICATIONS
>
> dn: m-oid=1.3.6.1.4.1.7165.2.1.63,ou=attributeTypes,cn=samba,ou=schema
> objectClass: metaAttributeType
> objectClass: metaTop
> objectClass: top
> m-oid: 1.3.6.1.4.1.7165.2.1.63
> m-collective: FALSE
> m-description: Lockout duration in minutes (default: 30, -1 => forever)
> m-equality: integerMatch
> m-name: sambaLockoutDuration
> m-noUserModification: FALSE
> m-obsolete: FALSE
> m-singleValue: TRUE
> m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
> m-usage: USER_APPLICATIONS
>
> dn: m-oid=1.3.6.1.4.1.7165.2.1.64,ou=attributeTypes,cn=samba,ou=schema
> objectClass: metaAttributeType
> objectClass: metaTop
> objectClass: top
> m-oid: 1.3.6.1.4.1.7165.2.1.64
> m-collective: FALSE
> m-description: Reset time after lockout in minutes (default: 30)
> m-equality: integerMatch
> m-name: sambaLockoutObservationWindow
> m-noUserModification: FALSE
> m-obsolete: FALSE
> m-singleValue: TRUE
> m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
> m-usage: USER_APPLICATIONS
>
> dn: m-oid=1.3.6.1.4.1.7165.2.1.65,ou=attributeTypes,cn=samba,ou=schema
> objectClass: metaAttributeType
> objectClass: metaTop
> objectClass: top
> m-oid: 1.3.6.1.4.1.7165.2.1.65
> m-collective: FALSE
> m-description: Lockout users after bad logon attempts (default: 0 => off)
> m-equality: integerMatch
> m-name: sambaLockoutThreshold
> m-noUserModification: FALSE
> m-obsolete: FALSE
> m-singleValue: TRUE
> m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
> m-usage: USER_APPLICATIONS
>
> dn: m-oid=1.3.6.1.4.1.7165.2.1.66,ou=attributeTypes,cn=samba,ou=schema
> objectClass: metaAttributeType
> objectClass: metaTop
> objectClass: top
> m-oid: 1.3.6.1.4.1.7165.2.1.66
> m-collective: FALSE
> m-description: Disconnect Users outside logon hours (default: -1 => off, 0 => on)
> m-equality: integerMatch
> m-name: sambaForceLogoff
> m-noUserModification: FALSE
> m-obsolete: FALSE
> m-singleValue: TRUE
> m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
> m-usage: USER_APPLICATIONS
>
> dn: m-oid=1.3.6.1.4.1.7165.2.1.67,ou=attributeTypes,cn=samba,ou=schema
> objectClass: metaAttributeType
> objectClass: metaTop
> objectClass: top
> m-oid: 1.3.6.1.4.1.7165.2.1.67
> m-collective: FALSE
> m-description: Allow Machine Password changes (default: 0 => off)
> m-equality: integerMatch
> m-name: sambaRefuseMachinePwdChange
> m-noUserModification: FALSE
> m-obsolete: FALSE
> m-singleValue: TRUE
> m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
> m-usage: USER_APPLICATIONS
>
>
> # samba domain Object Schema
> # allow all samba 3 attributes
> #
> dn: m-oid=1.3.6.1.4.1.7165.2.2.5,ou=objectClasses,cn=samba,ou=schema
> changetype: modify
> add: m-may
> m-may: sambaMinPwdLength
> -
> add: m-may
> m-may: sambaPwdHistoryLength
> -
> add: m-may
> m-may: sambaLogonToChgPwd
> -
> add: m-may
> m-may: sambaMaxPwdAge
> -
> add: m-may
> m-may: sambaMinPwdAge
> -
> add: m-may
> m-may: sambaLockoutDuration
> -
> add: m-may
> m-may: sambaLockoutObservationWindow
> -
> add: m-may
> m-may: sambaLockoutThreshold
> -
> add: m-may
> m-may: sambaForceLogoff
> -
> add: m-may
> m-may: sambaRefuseMachinePwdChange
>
>
> My Ubuntu Samba 3 (version 2:3.4.7) server is now working perfectly with
> ApacheDS 1.5.4. Perhaps someone would like to update the source to include
> these schema changes?
>
> Regards,
>
> Brian
>

--
Kiran Ayyagari
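Because a half-applied schema change is painful to back out of ApacheDS, it is worth checking an LDIF like the one above for internal consistency before loading it. The following is an added example, written for this page and not code from Brian's post or from the ApacheDS or Samba projects. It parses LDIF records (folding continuation lines), collects every metaAttributeType definition, and checks that each attribute the sambaDomain object class is being allowed to carry is actually defined, carries an OID under the Samba attribute arc, uses the LDAP Integer syntax and is single-valued. The embedded input is a constructed, trimmed copy of the thread's LDIF with one defect injected (sambaLockoutThreshold is referenced but never defined) so the checker has something to report; run it with a file path to check your own LDIF.

```python
"""Sanity-check an ApacheDS schema LDIF (Samba password-policy attributes)
before loading it: every attribute an object class may carry must be
defined, sit under the Samba attribute OID arc, use the Integer syntax
and be single-valued.  Added example; not code from the mailing-list post."""
import re
import sys

SAMBA_ATTR_ARC = "1.3.6.1.4.1.7165.2.1."           # Samba attributeTypes arc
INTEGER_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.27"   # LDAP Integer syntax OID

# Constructed sample: trimmed copy of the thread's LDIF with one injected
# defect (sambaLockoutThreshold is referenced by m-may but never defined).
SAMPLE_LDIF = """\
# samba 3 attributes Schema (trimmed, constructed sample)
dn: m-oid=1.3.6.1.4.1.7165.2.1.58,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
objectClass: metaTop
m-oid: 1.3.6.1.4.1.7165.2.1.58
m-description: Minimal password length (default: 5)
m-name: sambaMinPwdLength
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27

dn: m-oid=1.3.6.1.4.1.7165.2.1.60,ou=attributeTypes,cn=samba,ou=schema
objectClass: metaAttributeType
m-oid: 1.3.6.1.4.1.7165.2.1.60
m-description: Force Users to logon for password change (default: 0 => off,
  2 => on)
m-name: sambaLogonToChgPwd
m-singleValue: TRUE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27

dn: m-oid=1.3.6.1.4.1.7165.2.2.5,ou=objectClasses,cn=samba,ou=schema
changetype: modify
add: m-may
m-may: sambaMinPwdLength
-
add: m-may
m-may: sambaLogonToChgPwd
-
add: m-may
m-may: sambaLockoutThreshold
"""


def parse_ldif(text):
    """Return a list of records, each a dict: lower-cased attribute -> [values]."""
    records = []
    for chunk in re.split(r"\n[ \t]*\n", text.strip()):   # blank line = record end
        lines = []
        for raw in chunk.splitlines():
            if raw.startswith("#"):
                continue                                   # LDIF comment
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]                       # fold continuation line
            else:
                lines.append(raw)
        rec = {}
        for line in lines:
            name, sep, value = line.partition(":")         # split on first colon only
            if not sep:
                continue                                   # "-" separators and junk
            rec.setdefault(name.strip().lower(), []).append(value.strip())
        if rec:
            records.append(rec)
    return records


def attribute_definitions(records):
    """Map lower-cased m-name -> record for every metaAttributeType entry."""
    return {n.lower(): r for r in records
            if "metaattributetype" in {c.lower() for c in r.get("objectclass", [])}
            for n in r.get("m-name", [])}


def check_schema(text):
    """Return a list of problem strings; an empty list means the LDIF is consistent."""
    records = parse_ldif(text)
    defs = attribute_definitions(records)
    problems, seen_oids = [], {}
    for name, d in defs.items():                           # no two names on one OID
        oid = d.get("m-oid", [""])[0]
        if seen_oids.setdefault(oid, name) != name:
            problems.append(f"{name}: OID {oid} already used by {seen_oids[oid]}")
    for rec in records:                                    # every m-may/m-must resolves
        if rec.get("changetype", [""])[0].lower() != "modify":
            continue
        for name in rec.get("m-may", []) + rec.get("m-must", []):
            d = defs.get(name.lower())
            if d is None:
                problems.append(f"{name}: referenced by object class but never defined")
                continue
            oid = d.get("m-oid", [""])[0]
            rdn_oid = d["dn"][0].split(",", 1)[0].partition("=")[2]
            if rdn_oid != oid:
                problems.append(f"{name}: RDN OID {rdn_oid} != m-oid {oid}")
            if not oid.startswith(SAMBA_ATTR_ARC):
                problems.append(f"{name}: OID {oid} is outside the Samba arc")
            if d.get("m-syntax", [""])[0] != INTEGER_SYNTAX:
                problems.append(f"{name}: policy counter must use the Integer syntax")
            if d.get("m-singlevalue", ["FALSE"])[0].upper() != "TRUE":
                problems.append(f"{name}: should be single-valued")
    return problems


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for line in check_schema(src) or ["schema LDIF is internally consistent"]:
        print(line)
```

The checks are deliberately narrow to what this thread's LDIF needs; they do not talk to a server, so a clean result only means the file is self-consistent, not that ApacheDS will accept it. Run `ldapsearch` against `ou=schema` afterwards to confirm the attribute types were actually registered.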
