Configuring Samba with LDAP authentication (on Centos/RHEL 7)
I already had a working 389 Directory Server with users, groups, DNS (PowerDNS) and DHCP entries in our company. During a time I’ve already configured most of the services (jabber, SSH, Intranet, SMTP and IMAP) to work with LDAP and allow users to authenticate with a single password to all services. Samba was the last service left to be configured this way.
While searching for a documentation I found out the official Samba documentation describing the process of configuring samba with LDAP is pretty brief and actually it took me couple of days to get the things configured. I also had to solve a few issues myself for which I couldn’t find a reasonable solution on Internet. Considering a lack of documentation describing the configuration of Samba with LDAP authentication I’d be curious how many people are actually using this. Few documentations I’ve found rather described the installation and configuration of LDAP server from scratch and populating LDAP with Samba data structure. This didn’t work for me as my LDAP was already loaded with structured data and I just wanted to configure Samba the way it’d use the current data from LDAP without the need to create a new structure within.
Here I am sharing my experience of configuring Samba authentication with LDAP on Centos 7 which is actually very straightforward once you what needs to be done.
Prerequisites:
- working LDAP server (I’m using 389 DS) with the following data structure:
- ou=users,dc=company,dc=com containing users (each user entry consists of objectclass=inetOrgPerson,person,organizationalPrsion,posixAccount,shadowAccount,top)
- ou=groups,dc=company,dc=com containing groups (we’re using objectclass posixGroup with objectclass groupofuniquenames)
- Centos 7 configured to work with LDAP users and groups (sssd configuration)
- Access to LDAP data for cn=manager (it’s better to use a specific LDAP role for Samba account with limited access. Manager role is used just for simplicity and once you Samba working this can be changed to anything else)
Process of Samba configuration to authenticate users with LDAP passwords:
- Install samba-4.6.2-12.el7 and smbldap-tools
- Configure Samba in /etc/samba/smb.conf:
include = /etc/samba/smb.smbldap.conf
[global]
workgroup = COMPANY
netbiosname = COMPANY
security = user
passdb backend = ldapsam:ldap://<IP of LDAP SERVER>
ldap suffix = dc=company,dc=com
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap delete dn = no
ldap admin dn = cn=manager
# or off if TLS/SSL is not configured
ldap ssl = start tls
# ldapsam:trusted=yes
# ldapsam:editposix=yes
printing = cups
printcap name = cups
load printers = no
cups options = raw
[shared]
comment = Example of shared folder
path = /srv
public = no
valid users = @users
writable = yes
csc policy = disable
# File permissions
create mask = 0660
force create mode = 0660
force directory mode = 0770
- run command net getlocalsid to get the unique SID (Security IDentifier) for Samba
- configure acces to LDAP for smbldap-tools scripts in /etc/smbldap-tools/smbldap_bind.conf and also main configuration in /etc/smbldap-tools/smbldap.conf:
SID=”<YOUR SID HERE>”
masterLDAP=”<IP OF LDAP SERVER>”
slaveLDAP=”<IP OF LDAP SERVER>”
slavePort=”389″
masterPort=”389″
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to “1”
ldapTLS=”1″
# How to verify the server’s certificate (none, optional or require)
# see “man Net::LDAP” in start_tls section for more details
verify=”none”
suffix=”dc=company,dc=com”
usersdn=”ou=users,dc=company,dc=com”
computersdn=”ou=computers,dc=company,dc=com”
groupsdn=”ou=groups,dc=company,dc=com”
# Default scope Used
scope=”sub”
# Unix password hash scheme (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
# If set to “exop”, use LDAPv3 Password Modify (RFC 3062) extended operation.
password_hash=”SSHA”
userLoginShell=”/sbin/nologin”
userHome=”/home/%U”
userHomeDirectoryMode=”700″
userGecos=”System User”
# Default User (POSIX and Samba) GID
defaultUserGid=”1502″
# Default Computer (Samba) GID
defaultComputerGid=”515″
# Skel dir
skeletonDir=”/etc/skel”
# Treat shadowAccount object or not
shadowAccount=”0″
userSmbHome=”\\FILESERVER\%U”
userProfile=”\\FILESERVER\profiles\%U”
userHomeDrive=”H:”
userScript=””
mailDomain=”company.com”
# Allows not to use smbpasswd (if with_smbpasswd=”0″ in smbldap.conf) but
# prefer Crypt::SmbHash library
with_smbpasswd=”0″
smbpasswd=”/usr/bin/smbpasswd”
# Allows not to use slappasswd (if with_slappasswd=”0″ in smbldap.conf)
# but prefer Crypt:: libraries
with_slappasswd=”0″
slappasswd=”/usr/sbin/slappasswd”
# comment out the following line to get rid of the default banner
no_banner=”1″
- You can try to run smbldap-userlist and smbldap-grouplist which should get you the list of users and groups from LDAP. The smbldap- commands are part of smbldap-tools package which comes with collection of scripts to add, modify and delete users and groups and to change Unix and Samba passwords. These scripts can (but doesn’t have to) be used to manage groups and users in your LDAP database.
- It’s also necessary to set the password for ‘ldap admin dn’ which is done by this command: smbpasswd -W. Samba stores the password to its DB file and uses it to access the LDAP data.
- RECOMENNDED for configuration on on empty LDAP database:
If smbldap-tools package is configured correctly you should be able to run smbldap-populate which tries to create a necessary entries for Samba within LDAP. Once the data structure - RECOMMENDED if you already have your users and groups in LDAP:
If you don’t want to mess you LDAP up with plenty of unnecessary entries which would be created by smbldap-populate command you can run smbldap-populate -e output.dif and investigate the output dif to check out what’s supposed to be created.- I’ve found out smbldap-populate would create plenty of unnecesary entries for computers, groups and users. These are only changes needed to make Samba work with LDAP authentication:
- run smbpasswd -a <username already in LDAP> – this command should add an additional LDAP objectClass sambaSAMAccount for a user. It also adds other attributes used by Samba to user account. You can check whether the account is visible for samba by “pdbedit -L“
- if you run smbldap-populate -e output.dif and edit the output file you can see there should be sambaDomain object class created without the suffix path in LDAP. This object is important for Samba but it is also created automatically once Samba is started (systemctl start smb).
- no changes are needed for groups. I didn’t need to add additional sambaGroupMapping objectClass. Once the user is part of the group and Centos 7 knows about it (e.g. id <user> lists the user in the group myusers) valid users = @myusers parameter in smb.conf works as expected and allows mapping the network drive for users in group myusers.
- I’ve found out smbldap-populate would create plenty of unnecesary entries for computers, groups and users. These are only changes needed to make Samba work with LDAP authentication:
Posted in Fileserver, Server administration
One Response to “Configuring Samba with LDAP authentication (on Centos/RHEL 7)”
Leave a Reply
You must be logged in to post a comment.
[…] After setting up my Openldap on Centos 7, I got a problem while integrating Samba (I followed many tutorials, ex. https://admin.shamot.cz/?p=470). […]