Samba LDAP configuration

Samba is open-source software which allows a Linux server to provide filesystems to Microsoft Windows clients using the SMB protocol. It may also act as a Primary Domain Controller for a Windows domain, allowing users of the Windows clients to authenticate using Linux accounts. In particular, it includes support for authenticating against an OpenLDAP server.

We assume that an LDAP directory has already been set up to support UNIX authentication of users, Samba has been installed, and one or more Windows clients have been configured to authenticate using Samba and a standard UNIX authentication mechanism (usually PAM).

Enabling Samba support in LDAP

Samba requires more information in LDAP than the UNIX authentication fields provide. The samba-doc package ships an additional LDAP schema that defines the necessary attributes and object classes.

aptitude update
aptitude install samba-doc

Adding the Samba schema

To enable Samba support in the OpenLDAP server, copy the schema to the LDAP directory and decompress it.

cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema
gunzip /etc/ldap/schema/samba.schema.gz

Edit /etc/ldap/slapd.conf and add an include line to load the schema. Place it after the existing include lines, since samba.schema depends on attribute types defined in the core, cosine, inetorgperson and nis schemas:

include /etc/ldap/schema/samba.schema

and restart slapd

/etc/init.d/slapd restart

Adding Samba attributes to users

Each user entry in LDAP must be augmented with certain attributes necessary to support Samba. For a handful of users this can be done manually with a tool such as ldapvi, but for a larger database of users the process should be scripted. The Samba attributes are encapsulated in the sambaSamAccount objectClass, which must be added to every user.

objectClass: sambaSamAccount

The generally useful attributes are listed below. Note that sambaLMPassword and sambaNTPassword are the password hashes Samba authenticates against, so read access to them must be restricted in the slapd ACLs in the same way as userPassword.

sambaSID: S-1-5-21-298858960-1863792627-3661451959-21002
sambaPrimaryGroupSID: S-1-5-21-298858960-1863792627-3661451959-513
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaHomeDrive: H:
sambaHomePath: \\server\username
sambaLogonScript: logon.bat
sambaProfilePath: \\server\profiles\username
sambaPasswordHistory: 000000000000000000000000000000000000
sambaAcctFlags: [U ]
sambaLMPassword: 3F989D17222E4A53D1E24CDB5D226E42
sambaNTPassword: 4F7168D3809B98481943148407380ACE
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1259410705
sambaPwdLastSet: 1259410705

The sambaSID attribute holds the user's SID. Everything up to the last hyphen is the domain SID of the Samba server and is identical for every entry in the directory; only the final component (the RID) differs. For users, the RID is computed as twice the UNIX uidNumber + 1000 (so a uidNumber of 10001 gives the 21002 shown above).

Adding Samba attributes to groups

For the correct display of elements of the Security box in Windows, the sambaGroupMapping objectClass should be added to each group in LDAP, together with the following attributes.

sambaSID: S-1-5-21-298858960-1863792627-3661451959-21003
sambaGroupType: 2

Here, the sambaSID attribute is computed as twice the UNIX gidNumber + 1001. Because user RIDs are always even and group RIDs always odd, this ensures the group SIDs never clash with the user SIDs defined above.
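
The scripted conversion suggested above, for both users and groups, as an added example that is not part of the original article: it reads a plain ldapsearch dump of posixAccount and posixGroup entries, applies the article's RID rules (2 * uidNumber + 1000 for users, 2 * gidNumber + 1001 for groups) with the domain SID from the example above, and emits a modify LDIF for ldapmodify. The server name, the sample entries and the use of the Domain Users RID 513 as primary group are assumptions; password hashes are deliberately not generated here.

```python
DOMAIN_SID = "S-1-5-21-298858960-1863792627-3661451959"  # domain SID from the article's example
DOMAIN_USERS_RID = 513  # primary group RID used in the article's example
SERVER = "server"       # hypothetical file server name used in sambaHomePath
def user_rid(uid_number):
    return 2 * uid_number + 1000   # user RIDs are always even

def group_rid(gid_number):
    return 2 * gid_number + 1001   # group RIDs are always odd, so never equal a user RID

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated 'attr: value' entries (no folding/base64)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for attr, _, value in (ln.partition(": ") for ln in block.splitlines() if ln and ln[0] != "#"):
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def samba_additions(entry):
    """(attribute, value) pairs to add to one posixGroup or posixAccount entry."""
    if "posixGroup" in entry["objectClass"]:
        sid = f"{DOMAIN_SID}-{group_rid(int(entry['gidNumber'][0]))}"
        return [("objectClass", "sambaGroupMapping"), ("sambaSID", sid), ("sambaGroupType", "2")]
    sid = f"{DOMAIN_SID}-{user_rid(int(entry['uidNumber'][0]))}"
    return [("objectClass", "sambaSamAccount"), ("sambaSID", sid),
            ("sambaPrimaryGroupSID", f"{DOMAIN_SID}-{DOMAIN_USERS_RID}"),
            ("sambaAcctFlags", "[U ]"), ("sambaHomeDrive", "H:"),
            ("sambaHomePath", f"\\\\{SERVER}\\{entry['uid'][0]}")]

def modify_record(entry):
    """Render one LDIF 'changetype: modify' record suitable for ldapmodify."""
    lines = [f"dn: {entry['dn'][0]}", "changetype: modify"]
    for attr, value in samba_additions(entry):
        lines += [f"add: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"

def samba_ldif(text):
    """Turn an ldapsearch dump of POSIX users and groups into one modify LDIF."""
    return "\n".join(modify_record(e) for e in parse_ldif(text))

SAMPLE = """dn: uid=alice,ou=People,dc=example,dc=co,dc=uk
objectClass: posixAccount
uid: alice
uidNumber: 10001

dn: cn=staff,ou=Groups,dc=example,dc=co,dc=uk
objectClass: posixGroup
gidNumber: 10001"""  # constructed sample of what 'ldapsearch -LLL' might return
```

Feed the output of samba_ldif() to ldapmodify bound as the ldap admin dn; the user in the sample receives the 21002 SID and the group the 21003 SID shown in the article.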

Enabling LDAP support in Samba

We assume there exists a working Samba configuration which can authenticate users against a standard UNIX authentication mechanism. We now add the LDAP-specific entries to smb.conf. The password for the ldap admin dn is not kept in smb.conf; store it in secrets.tdb with smbpasswd -w. The example below binds to slapd over plain LDAP on the loopback interface; if the directory lives on another host, protect the connection (for example with ldap ssl = start tls), since the admin bind password and the NT password hashes would otherwise cross the network in the clear.

security = user
encrypt passwords = true
passdb backend = ldapsam:ldap://127.0.0.1:389
ldap suffix = dc=example,dc=co,dc=uk
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Machines
ldap admin dn = cn=admin,dc=example,dc=co,dc=uk
ldap passwd sync = yes
obey pam restrictions = yes
guest account = nobody
invalid users =
unix password sync = no

Article last modified on January 26, 2014 at 3:37 pm.
