Updating LDAP user information with Samba attributes

If you need to support SMB data access, the LDAP schema must be extended so that the POSIX user object can store additional attributes, such as the Samba SID and the Windows (NT) password hash. To use Samba accounts, update the LDAP user information with the unique Samba attributes that are described in this topic.

The following sample LDIF file shows the minimum required Samba attributes:
dn: cn=SMBuser,ou=People,dc=ibm,dc=com
changetype: modify
add: objectClass
objectClass: sambaSamAccount
-
add: sambaSID
sambaSID: S-1-5-21-1528920847-3529959213-2931869277-1102
-
add: sambaPasswordHistory
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
-
add: sambaNTPassword
sambaNTPassword: (valid Samba NT password hash)
-
add: sambaPwdLastSet
sambaPwdLastSet: 1263386096
-
add: sambaAcctFlags
sambaAcctFlags: [U          ]
Note: In a modify record, consecutive changes must be separated by a line that contains only a dash as its first and only character. The attribute name is followed directly by a colon (for example, add: objectClass); a space before the colon makes the line invalid LDIF.
Perform the following steps to create the values for sambaNTPassword, sambaPwdLastSet, and sambaAcctFlags, which are generated with a Perl module:
  1. Download the module from http://search.cpan.org/~bjkuit/Crypt-SmbHash-0.12/SmbHash.pm. Create and install the module by following the readme file.
  2. Use the following Perl script to generate the LM and NT password hashes:
    # cat /tmp/Crypt-SmbHash-0.12/gen_hash.pl
    #!/usr/local/bin/perl
    use strict;
    use warnings;
    use Crypt::SmbHash;

    # Usage: gen_hash.pl username password
    my ($username, $password) = @ARGV;
    if ( !defined $password ) {
            print "Not enough arguments\n";
            print "Usage: $0 username password\n";
            exit 1;
    }
    # getpwnam() resolves the user through the local passwd database, so login
    # and uid are empty when the user exists only on the LDAP server.
    my ($login, undef, $uid) = getpwnam($username);
    $login //= '';
    $uid   //= 0;
    # ntlmgen() stores the LM hash in $lm and the NT hash in $nt.
    my ($lm, $nt);
    ntlmgen $password, $lm, $nt;
    printf "%s:%d:%s:%s:[%-11s]:LCT-%08X\n", $login, $uid, $lm, $nt, "U", time;
  3. Generate the password hashes for any user, as in the following example for the user SMBuser with the password test01:
    # perl gen_hash.pl SMBuser test01
    :0:47F9DBCCD37D6B40AAD3B435B51404EE:82E6D500C194BA5B9716495691FB7DD6:[U          ]:LCT-4C18B9FC
    Note: The output contains the login name, uid, LM hash, NT hash, account flags, and time, with each field separated from the next by a colon. The login name and uid are empty because the command was run on a host where SMBuser is not in the local passwd database rather than on the LDAP server. Only the NT hash is needed for the LDIF file; the LM hash is a weak, case-insensitive hash and is not stored. Passing the password on the command line exposes it in the shell history and in the process list, so run the script on a trusted host and clear the history afterwards.
  4. Use the information from step 3 to update the LDIF file in the format that is provided in the example at the beginning of this topic.
    • To generate the sambaPwdLastSet value, take the hexadecimal time value that follows LCT- in the output from step 3 and convert it to decimal. For example, LCT-4C18B9FC gives sambaPwdLastSet: 1276688892 (the time as seconds since the Unix epoch).
    • A valid Samba SID is required to enable a user's access to an IBM Spectrum Scale™ share. To generate the user's RID, multiply the user's UID by 2 and add 1000. The user's SID must start with the Samba domain SID from the sambaDomainName entry, which is either generated or picked up from the LDAP server if it already exists. The sambaDomainName LDIF entry requires the following attributes (the objectClass sambaDomain is what the Samba schema defines for this entry):
      dn: sambaDomainName=(IBM Spectrum Scale system),dc=ibm,dc=com
      objectClass: sambaDomain
      sambaDomainName: (IBM Spectrum Scale system name)
      sambaSID: S-1-5-21-1528920847-3529959213-2931869277
      sambaPwdHistoryLength: 0
      sambaMaxPwdAge: -1
      sambaMinPwdAge: 0
      This entry can be created by the LDAP server administrator by using either of the following two methods:
      • Write and run a bash script similar to the following example, which builds a domain SID from three random 32-bit numbers read from /dev/urandom:
        sambaSID=
        for num in 1 2 3; do
            randNum=$(od -vAn -N4 -tu4 < /dev/urandom | sed -e 's/ //g')
            if [ -z "$sambaSID" ]; then
                sambaSID="S-1-5-21-$randNum"
            else
                sambaSID="${sambaSID}-${randNum}"
            fi
        done
        echo "$sambaSID"

        Then, use the generated Samba SID to create the LDIF file. The sambaDomainName must match the IBM Spectrum Scale system name.

      • When you run the mmuserauth service create command, the system creates the sambaDomainName entry if it does not already exist.
    The sambaSID for every user must have the following format: (Samba SID for the domain)-(userID*2+1000). For example: S-1-5-21-1528920847-3529959213-2931869277-1102
    Note: To enable access through the same LDAP server domain to more than one IBM Spectrum Scale system, or to other IBM® NAS systems such as IBM SONAS or IBM V7000 Unified, the Samba domain SID prefix of all of the systems must match. The Samba domain SID prefix is used to build the SIDs of the users and groups that access the IBM Spectrum Scale system through CIFS. If you change the Samba domain SID for an IBM Spectrum Scale system on the LDAP server, you must restart the CES Samba service on that IBM Spectrum Scale system for the change to take effect.
  5. Submit the ldapmodify command as shown in the following example to update the user's information:
    # ldapmodify -h localhost -D cn=Manager,dc=ibm,dc=com -W -x -f /tmp/samba_user.ldif
    Note: The LDIF file contains the NT hash, which is equivalent to the password for NTLM authentication. Restrict read access to the file, delete it after the update, and make sure that the LDAP server's access control does not allow anonymous or ordinary users to read the sambaNTPassword attribute.
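The whole procedure above, end to end, as an added example that is not part of the IBM documentation and does not use Crypt::SmbHash: a Python 3 script that computes the NT hash (MD4 over the UTF-16LE encoding of the password, implemented here in pure Python because OpenSSL 3 builds keep MD4 in the legacy provider and hashlib.new('md4') may be unavailable), derives the user's sambaSID from the domain SID with the uid*2+1000 rule, converts an LCT-xxxxxxxx value from gen_hash.pl to the decimal sambaPwdLastSet, and emits the modify LDIF shown at the beginning of this topic. The function names, the random_domain_sid() helper that mirrors the bash script above, and the 56-zero sambaPasswordHistory placeholder copied from the sample LDIF are this example's own choices. The LM hash is deliberately not computed or stored: the LDIF needs only sambaNTPassword.

```python
"""Build the Samba-attribute LDIF for one POSIX LDAP user (added example)."""
import secrets
import struct
import time


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Only needed because MD4 is often disabled in OpenSSL 3."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):  # round 1 function
        return (x & y) | (~x & mask & z)

    def g(x, y, z):  # round 2 function
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):  # round 3 function
        return x ^ y ^ z

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):
            k = r3_order[i]
            a, b, c, d = d, rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), upper-case hex as Samba stores it."""
    return _md4(password.encode("utf-16-le")).hex().upper()


def user_sid(domain_sid: str, uid: int) -> str:
    """Samba algorithmic RID mapping used on this page: RID = uid * 2 + 1000."""
    return f"{domain_sid}-{uid * 2 + 1000}"


def pwd_last_set_from_lct(lct: str) -> int:
    """Convert the 'LCT-4C18B9FC' field printed by gen_hash.pl to decimal epoch seconds."""
    return int(lct.split("LCT-", 1)[1], 16)


def random_domain_sid() -> str:
    """Same construction as the bash script: S-1-5-21 plus three random 32-bit numbers."""
    return "S-1-5-21-" + "-".join(str(secrets.randbits(32)) for _ in range(3))


def samba_user_ldif(dn: str, domain_sid: str, uid: int, password: str, pwd_last_set: int = None) -> str:
    """Emit the modify record from this topic; no sambaLMPassword is written on purpose."""
    if pwd_last_set is None:
        pwd_last_set = int(time.time())
    lines = [
        f"dn: {dn}", "changetype: modify",
        "add: objectClass", "objectClass: sambaSamAccount", "-",
        "add: sambaSID", f"sambaSID: {user_sid(domain_sid, uid)}", "-",
        "add: sambaPasswordHistory", "sambaPasswordHistory: " + "0" * 56, "-",  # placeholder from the page
        "add: sambaNTPassword", f"sambaNTPassword: {nt_hash(password)}", "-",
        "add: sambaPwdLastSet", f"sambaPwdLastSet: {pwd_last_set}", "-",
        "add: sambaAcctFlags", "sambaAcctFlags: [%-11s]" % "U",  # normal user account, 11-char field
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import getpass
    import sys
    # Read the password interactively so it never appears in argv or shell history.
    dn, domain_sid, uid = sys.argv[1], sys.argv[2], int(sys.argv[3])
    sys.stdout.write(samba_user_ldif(dn, domain_sid, uid, getpass.getpass("Password: ")))
```

Run it as `python3 samba_user_ldif.py "cn=SMBuser,ou=People,dc=ibm,dc=com" S-1-5-21-1528920847-3529959213-2931869277 51 > /tmp/samba_user.ldif` and feed the file to ldapmodify as in step 5; uid 51 yields RID 1102, matching the sample entry. The output file holds a password-equivalent hash, so create it with a restrictive umask and remove it once the modify has been applied.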