Samba is open-source software that lets a Linux server share filesystems with Microsoft Windows clients over the SMB protocol. It can also act as a Primary Domain Controller for a Windows domain, so that users of the Windows clients authenticate with Linux accounts; in particular, it can authenticate those users against an OpenLDAP server.
We assume that an LDAP directory has already been set up to support UNIX authentication of users, Samba has been installed, and one or more Windows clients have been configured to authenticate using Samba and a standard UNIX authentication mechanism (usually PAM).
Enabling Samba support in LDAP
Samba requires more information in LDAP than that provided by the UNIX authentication fields. An additional LDAP schema is included with the samba-doc package which includes the necessary support.
aptitude update
aptitude install samba-doc
Adding the Samba schema
To enable Samba support in the OpenLDAP server, copy the schema to the LDAP directory and decompress it.
cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema
gunzip /etc/ldap/schema/samba.schema.gz
Edit /etc/ldap/slapd.conf and add the include line that loads the schema:
include /etc/ldap/schema/samba.schema
and restart slapd:
/etc/init.d/slapd restart
Adding Samba attributes to users
Each user entry in LDAP must be augmented with the attributes Samba needs. For a handful of users this can be done by hand with a tool such as ldapvi, but for a larger directory the process should be scripted. The Samba attributes are carried by the sambaSamAccount objectClass, which must be added to every user:
objectClass: sambaSamAccount
The generally useful attributes are then:
sambaSID: S-1-5-21-298858960-1863792627-3661451959-21002
sambaPrimaryGroupSID: S-1-5-21-298858960-1863792627-3661451959-513
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaHomeDrive: H:
sambaHomePath: \\server\username
sambaLogonScript: logon.bat
sambaProfilePath: \\server\profiles\username
sambaPasswordHistory: 000000000000000000000000000000000000
sambaAcctFlags: [U ]
sambaLMPassword: 3F989D17222E4A53D1E24CDB5D226E42
sambaNTPassword: 4F7168D3809B98481943148407380ACE
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1259410705
sambaPwdLastSet: 1259410705
The sambaSID attribute holds the user's SID on the server. The part before the last hyphen (the domain SID) is the same for every entry in the directory; only the number after the last hyphen (the relative identifier, or RID) differs. For users it is computed as twice the UNIX uidNumber plus 1000.
Adding Samba attributes to groups
For the Security tab in Windows to display group names correctly, the sambaGroupMapping objectClass should be added to each group in LDAP, with these attributes:
sambaSID: S-1-5-21-298858960-1863792627-3661451959-21003
sambaGroupType: 2
Here the sambaSID attribute is computed as twice the UNIX gidNumber plus 1001. Since user RIDs are always even and group RIDs always odd, a group SID can never clash with one of the user SIDs defined above.
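Because the user and group sections both reduce to the same RID rule, here is one added script (not part of the original HOWTO) that applies it to existing posixAccount and posixGroup entries: it computes each SID, emits LDIF "changetype: modify" records adding the sambaSamAccount and sambaGroupMapping attributes shown above, and audits a set of entries for SIDs that break the rule or collide. The domain SID is the one from the HOWTO's examples and must be replaced with your own server's; the user, group and timestamp values are constructed sample data, and the password hash attributes are deliberately left for Samba's own tools to populate.

```python
"""Generate and audit Samba SID attributes for posixAccount/posixGroup entries.

Added example, not from the HOWTO or the Samba project.  RID rule used:
users = 2 * uidNumber + 1000 (even), groups = 2 * gidNumber + 1001 (odd).
"""
from collections import defaultdict

# Domain SID prefix taken from the HOWTO's examples; every server has its own.
DOMAIN_SID = "S-1-5-21-298858960-1863792627-3661451959"
NEVER = 2147483647           # "never" sentinel for logoff/kickoff/must-change times
DOMAIN_USERS_RID = 513       # well-known RID of the Domain Users group
NO_PASSWORD_HISTORY = "0" * 36
DOMAIN_GROUP_TYPE = 2        # sambaGroupType of a domain group, as in the HOWTO


def user_rid(uid_number: int) -> int:
    """RID of a user: twice the uidNumber plus 1000 (always even)."""
    return 2 * uid_number + 1000


def group_rid(gid_number: int) -> int:
    """RID of a group: twice the gidNumber plus 1001 (always odd, so never a user RID)."""
    return 2 * gid_number + 1001


def sid_for(rid: int) -> str:
    return f"{DOMAIN_SID}-{rid}"


def _modify_record(dn: str, attrs) -> str:
    """Render one LDIF modify record that adds each (attribute, value) pair."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in attrs:
        lines += [f"add: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


def user_ldif(dn: str, uid: str, uid_number: int, pwd_last_set: int, server: str = "server") -> str:
    """LDIF that turns an existing posixAccount into a sambaSamAccount.
    sambaLMPassword/sambaNTPassword are not written here; let Samba set them."""
    attrs = [
        ("objectClass", "sambaSamAccount"),
        ("sambaSID", sid_for(user_rid(uid_number))),
        ("sambaPrimaryGroupSID", sid_for(DOMAIN_USERS_RID)),
        ("sambaLogonTime", "0"),
        ("sambaLogoffTime", str(NEVER)),
        ("sambaKickoffTime", str(NEVER)),
        ("sambaHomeDrive", "H:"),
        ("sambaHomePath", f"\\\\{server}\\{uid}"),
        ("sambaLogonScript", "logon.bat"),
        ("sambaProfilePath", f"\\\\{server}\\profiles\\{uid}"),
        ("sambaPasswordHistory", NO_PASSWORD_HISTORY),
        ("sambaAcctFlags", "[U          ]"),   # space-padded form as Samba writes it
        ("sambaPwdMustChange", str(NEVER)),
        ("sambaPwdCanChange", str(pwd_last_set)),
        ("sambaPwdLastSet", str(pwd_last_set)),
    ]
    return _modify_record(dn, attrs)


def group_ldif(dn: str, gid_number: int) -> str:
    """LDIF that adds a sambaGroupMapping to an existing posixGroup."""
    attrs = [
        ("objectClass", "sambaGroupMapping"),
        ("sambaSID", sid_for(group_rid(gid_number))),
        ("sambaGroupType", str(DOMAIN_GROUP_TYPE)),
    ]
    return _modify_record(dn, attrs)


def expected_sid(kind: str, id_number: int) -> str:
    return sid_for(user_rid(id_number) if kind == "user" else group_rid(id_number))


def find_sid_problems(entries) -> list:
    """Audit (dn, kind, id_number, sambaSID) tuples already in the directory.
    Returns a list of problems: SIDs that break the mapping rule, and SIDs
    that more than one entry claims."""
    problems = []
    owners = defaultdict(list)
    for dn, kind, id_number, sid in entries:
        owners[sid].append(dn)
        if sid != expected_sid(kind, id_number):
            problems.append(f"{dn}: sambaSID {sid} does not follow the {kind} mapping rule")
    for sid, dns in owners.items():
        if len(dns) > 1:
            problems.append(f"{sid} is shared by {', '.join(dns)}")
    return problems


# Constructed sample entries; in practice read them from an LDIF export or via ldapsearch.
SAMPLE_USERS = [("uid=alice,ou=People,dc=example,dc=co,dc=uk", "alice", 10001, 1259410705)]
SAMPLE_GROUPS = [("cn=staff,ou=Groups,dc=example,dc=co,dc=uk", 10001)]

if __name__ == "__main__":
    for dn, uid, uidn, last_set in SAMPLE_USERS:
        print(user_ldif(dn, uid, uidn, last_set))
    for dn, gidn in SAMPLE_GROUPS:
        print(group_ldif(dn, gidn))
```

Feed the printed LDIF to ldapmodify bound as the directory administrator; run find_sid_problems over an export of the directory before enabling the ldapsam backend, since a duplicated or mis-mapped SID means two accounts would be treated as the same security principal by Windows clients.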
Enabling LDAP support in Samba
We assume there is already a working Samba configuration that authenticates users against a standard UNIX authentication mechanism. We now add the LDAP-specific settings to smb.conf:
security = user
encrypt passwords = true
passdb backend = ldapsam:ldap://127.0.0.1:389
ldap suffix = dc=example,dc=co,dc=uk
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Machines
ldap admin dn = cn=admin,dc=example,dc=co,dc=uk
ldap passwd sync = yes
obey pam restrictions = yes
guest account = nobody
invalid users =
unix password sync = no