Archive for category Windows

No samba password expiration with ldap

If you are using LDAP for samba authentication and you don’t want samba to reject a user because of an expired password, set that user’s sambaPwdLastSet attribute to -1.

If password expiration is the problem, your samba server log should contain an error labeled “NT_STATUS_PASSWORD_EXPIRED”.
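The attribute change above, written out as an LDIF modify record with the ldapmodify and ldapsearch calls that apply and verify it. This is an added example, not from the original post; the user DN, the server URL and the admin DN are assumptions modelled on the smb.conf shown further down this page.

```shell
#!/bin/sh
# Added example (not the original post's code): set sambaPwdLastSet to -1 so
# samba stops treating the account's password as expired.
# Assumed values: ldap://ldapserver.com, cn=Directory Manager, and the user
# DN passed as $1. Adjust to your directory.

LDAP_URL='ldap://ldapserver.com'
LDAP_ADMIN_DN='cn=Directory Manager'

# Emit an LDIF "modify" record that replaces sambaPwdLastSet with -1.
# -1 only affects samba's own expiry check; the directory server's password
# policy (if any) is enforced separately and is not touched by this change.
pwd_never_expire_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: sambaPwdLastSet\nsambaPwdLastSet: -1\n' "$1"
}

# Apply the record. Needs a reachable directory; -W prompts for the admin
# password instead of taking it on the command line.
apply_pwd_never_expire() {
  pwd_never_expire_ldif "$1" |
    ldapmodify -x -H "$LDAP_URL" -D "$LDAP_ADMIN_DN" -W
}

# Read the attribute back to confirm the change took effect.
show_pwd_last_set() {
  ldapsearch -x -H "$LDAP_URL" -D "$LDAP_ADMIN_DN" -W \
    -b "$1" -s base sambaPwdLastSet
}

# Usage (constructed DN):
#   apply_pwd_never_expire 'uid=alice,ou=People,dc=ldapserver,dc=com'
#   show_pwd_last_set      'uid=alice,ou=People,dc=ldapserver,dc=com'
pwd_never_expire_ldif 'uid=alice,ou=People,dc=ldapserver,dc=com'
```

After applying, the samba log should no longer show NT_STATUS_PASSWORD_EXPIRED for that user; note that this only switches off samba’s expiry check for the one account, so any rotation requirement has to be enforced by the directory’s own password policy.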

Samba doesn’t like special characters in ldap password

Ok, so I’m trying to set up Linux Samba as a file server for Windows clients, with Fedora Directory Server (FDS) LDAP as the backend for user information. In the process you have to add directives like these to your smb.conf.

security = user
passdb backend = ldapsam:ldap://ldapserver.com
ldap admin dn = cn=Directory Manager
ldap suffix = dc=ldapserver,dc=com
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
ldap password sync = yes

That tells samba to look in LDAP for sambaSamAccounts. The only problem is that you have to give samba the password for the LDAP administrator account, “cn=Directory Manager”. You do that by running the command

smbpasswd -w my_password_in_clear_text

The only problem is that some of us make complex passwords with special characters (!@#$%^&*()) in them. Since this command accepts the password on the command line, some of those special characters are parsed by the shell. So when I ran

net getlocalsid

I got errors like:

failed to bind to server ldap://ldapserver.com with dn="cn=Directory Manager" Error: Invalid credentials

Like I said, I bet you could fix this by escaping your special characters (i.e. replace $ with \$). But I needed to change my LDAP directory manager password so that it was not the root Linux password, so I just removed all special characters and created a long plain-text password. I re-ran smbpasswd -w and net getlocalsid and, poof, it works!
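What the shell actually does to a password containing $ before smbpasswd ever sees it, as an added example that is not part of the original post. The password value, the variable name “word” and the helper functions are constructed for the demonstration; the smbpasswd and net commands are the ones from the post.

```shell
#!/bin/sh
# Added example (not the original post's code). Shows why a password with
# shell metacharacters, typed unquoted after "smbpasswd -w", ends up wrong.

# Stand-in for the program receiving the password: return its first argument
# exactly as it arrived after the shell finished expanding it.
argv_as_seen() {
  printf '%s' "$1"
}

# Constructed: the operator means the literal password "Pa$word.1", but a
# variable called "word" happens to exist in the shell.
word='FOO'

# Unquoted: $word is expanded, the program receives "PaFOO.1".
unquoted_password() {
  argv_as_seen Pa$word.1
}

# Double quotes do not help: $ is still expanded inside them.
double_quoted_password() {
  argv_as_seen "Pa$word.1"
}

# Single quotes pass the characters through untouched: "Pa$word.1".
single_quoted_password() {
  argv_as_seen 'Pa$word.1'
}

# Store the LDAP admin password in samba's secrets file. Once the value is in
# a variable and expanded inside double quotes it is passed intact, so call
# this as: store_ldap_admin_password 'Pa$word.1'
# Anything given on a command line is visible in the process list and shell
# history while it runs, so prefer a prompting option if your smbpasswd build
# offers one (check smbpasswd --help).
store_ldap_admin_password() {
  smbpasswd -w "$1"
}

# Verify the stored credential binds; a wrong stored password shows up as
# 'failed to bind to server ... Error: Invalid credentials' (not run here).
check_ldap_bind() {
  net getlocalsid
}

printf 'unquoted      : %s\n' "$(unquoted_password)"
printf 'double quoted : %s\n' "$(double_quoted_password)"
printf 'single quoted : %s\n' "$(single_quoted_password)"
```

The three printed lines make the point: only the single-quoted form delivers the password the operator intended, which is why net getlocalsid reported “Invalid credentials” after an unquoted smbpasswd -w.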


Authentication

I finally got the hardware working for the Linux file server. Yay! The next step is to start configuring software for moving all of the users’ files to the server.

To do this I decided to set up a new LDAP directory server using Fedora Directory Server. The initial steps weren’t too hard. Of course the Install Guide and PAM Configuration how-to helped. Within a couple of hours I had the server running and a user able to log in. The harder steps were customizing it for our systems and getting it to work with samba so that users could mount their home directories from Windows.