To run Samba4 on Ubuntu 14.04 as an NT4-style (classic) domain controller that authenticates users against Puavo's LDAP directory, the following packages and settings are needed. The same setup also works with Samba3 on Ubuntu 12.04. There is no direct way to sync users from Puavo's LDAP directory into the internal directory server that Samba4 uses in Active Directory mode, which is why the classic mode with the ldapsam backend is used here.
The configuration assumes that passwords are stored only in LDAP and are kept in sync by smbkrb5pwd on the LDAP master. smbkrb5pwd updates the Samba and Kerberos password attributes whenever the LDAP password is changed, so Samba is told (with the unix password sync and ldap passwd sync options below) to change only the LDAP password when a user requests a password change; the Samba and Kerberos credentials then follow from that change.
First install the samba package:
sudo apt-get install samba winbind
Samba3 and Samba4 use the same configuration for NT-compatible authentication against the local LDAP directory:
/etc/samba/smb.conf
[global]
workgroup = EDUORG
netbios name = <hostname from /etc/puavo/hostname>
enable privileges = yes
server string = <hostname from /etc/puavo/hostname>
wins support = yes
domain master = yes
domain logons = yes
os level = 99
preferred master = yes
dns proxy = yes
log level = 0
obey pam restrictions = yes
unix password sync = No
ldap passwd sync = Only
passdb backend = ldapsam:"ldap://<hostname from /etc/puavo/hostname>.<puavo domain from /etc/puavo/domain>/"
ldap admin dn = <bind dn from /etc/puavo/ldap/dn>
ldap suffix = <ldap base from /etc/puavo/ldap/base>
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Samba,ou=Hosts
ldap idmap suffix = ou=Idmap
ldap ssl = start tls
ldap debug threshold = 10
idmap config *:backend = ldap
idmap config *:readonly = no
idmap config *:range = 2000-9999
idmap config *:ldap_url="ldap://<ldap master server from /etc/puavo/ldap/master>/"
ldapsam:trusted=yes
ldapsam:editposix=yes
ldap replication sleep = 5000
encrypt passwords = true
load printers = yes
printing = cups
printcap name = cups
dos charset = 850
unix charset = UTF8
[homes]
comment = Home directories
valid users = %U
read only = No
create mask = 0755
directory mask = 0755
browseable = No
[printers]
path = /var/spool/samba
printable = yes
read only = true
guest ok = Yes
[print$]
comment = Printer Drivers
path = /usr/share/cups/drivers
browseable = yes
guest ok = no
read only = no
write list = @"Domain Admins"
[netlogon]
path = /var/samba/netlogon/
browseable = No
read only = yes
[profiles]
path = %H/profile
read only = No
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = Yes
csc policy = disable
force user = %U
valid users = %U @"Domain Admins"
preexec = mkdir -p %H/profile
smb.conf does not contain the LDAP bind password. Enter it with the smbpasswd -W command, which stores it for the DN given as ldap admin dn in secrets.tdb (in Samba's private directory, /var/lib/samba/private on Ubuntu) for Samba to use. The password is kept there in clear, so that file must stay readable by root only.
# smbpasswd -W
Setting stored password for "puavoId=xxxxx,ou=Servers,ou=Hosts,dc=edu,dc=example,dc=org" in secrets.tdb
New SMB password:
Retype new SMB password:
After this, stop and start all three daemons so that smbd, nmbd and winbind pick up the new configuration and the stored password:
service winbind stop
service nmbd stop
service smbd stop
service nmbd start
service smbd start
service winbind start
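The placeholders in the smb.conf above all come from files under /etc/puavo. As an added example, not part of Puavo or Samba, the following POSIX shell script fills them in from those files and checks the result before it is installed, and checks that secrets.tdb is not readable by others after smbpasswd -W. It assumes that /etc/puavo/hostname, /etc/puavo/domain, /etc/puavo/ldap/dn, /etc/puavo/ldap/base and /etc/puavo/ldap/master each hold one value on their first line (as the placeholders imply), that a template file smb.conf.in contains the configuration above verbatim, and that GNU stat is available; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example: render /etc/samba/smb.conf from the Puavo configuration
# files and sanity-check it. Not part of Puavo or Samba.
# Assumed inputs (taken from the placeholders in the template):
# /etc/puavo/hostname, /etc/puavo/domain, /etc/puavo/ldap/dn,
# /etc/puavo/ldap/base and /etc/puavo/ldap/master, one value each on
# the first line.
set -eu

# read_conf DIR NAME: first line of DIR/NAME without trailing whitespace/CR.
read_conf() {
    head -n 1 "$1/$2" | sed 's/[[:space:]]*$//'
}

# sed_escape VALUE: escape a value for the right-hand side of sed s|||,
# so that a DN or URL containing &, | or \ is inserted literally.
sed_escape() {
    printf '%s' "$1" | sed 's/[\\&|]/\\&/g'
}

# render_smb_conf TEMPLATE CONFDIR: replace every "<... from /etc/puavo/...>"
# placeholder in TEMPLATE with the value read from CONFDIR (normally
# /etc/puavo) and print the result on stdout.
render_smb_conf() {
    template=$1
    confdir=$2
    host=$(sed_escape "$(read_conf "$confdir" hostname)")
    domain=$(sed_escape "$(read_conf "$confdir" domain)")
    bind_dn=$(sed_escape "$(read_conf "$confdir" ldap/dn)")
    base=$(sed_escape "$(read_conf "$confdir" ldap/base)")
    master=$(sed_escape "$(read_conf "$confdir" ldap/master)")
    sed \
        -e "s|<hostname from /etc/puavo/hostname>|$host|g" \
        -e "s|<puavo domain from /etc/puavo/domain>|$domain|g" \
        -e "s|<bind dn from /etc/puavo/ldap/dn>|$bind_dn|g" \
        -e "s|<ldap base from /etc/puavo/ldap/base>|$base|g" \
        -e "s|<ldap master server from /etc/puavo/ldap/master>|$master|g" \
        "$template"
}

# check_rendered FILE: non-zero if a placeholder survived, if the LDAP
# connection is not upgraded with STARTTLS (the bind password would then
# be sent to the directory in clear), or if no bind DN is set.
check_rendered() {
    f=$1
    if grep -q '<[^>]* from /etc/puavo/[^>]*>' "$f"; then
        echo "$f: unfilled placeholder" >&2
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*ldap ssl[[:space:]]*=[[:space:]]*start tls' "$f"; then
        echo "$f: ldap ssl = start tls is missing" >&2
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*ldap admin dn[[:space:]]*=[[:space:]]*[^[:space:]]' "$f"; then
        echo "$f: ldap admin dn is empty" >&2
        return 1
    fi
    return 0
}

# secrets_mode_ok FILE: smbpasswd -W stores the bind password in clear in
# secrets.tdb, so the file must be mode 0600 (GNU stat assumed).
secrets_mode_ok() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Typical use on the server, as root:
#   render_smb_conf smb.conf.in /etc/puavo > /etc/samba/smb.conf
#   check_rendered /etc/samba/smb.conf
#   smbpasswd -W
#   secrets_mode_ok /var/lib/samba/private/secrets.tdb
```

Run testparm -s on the rendered file before restarting the daemons; it reports unknown parameters and syntax errors that the grep checks above cannot catch.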