Samba and LDAP

This section covers configuring Samba to use LDAP for user, group, and machine account information and authentication. The assumption is, you already have a working OpenLDAP directory installed and the server is configured to use it for authentication. See „OpenLDAP Server” and „LDAP Authentication” for details on setting up OpenLDAP.

Telepítés

There are three packages needed when integrating Samba with LDAP. samba, samba-doc, and smbldap-tools packages . To install the packages, from a terminal enter:

sudo apt-get install samba samba-doc smbldap-tools

Strictly speaking the smbldap-tools package isn't needed, but unless you have another package or custom scripts, a method of managing users, groups, and computer accounts is needed.

OpenLDAP Configuration

In order for Samba to use OpenLDAP as a passdb backend, the user objects in the directory will need additional attributes. This section assumes you want Samba to be configured as a Windows NT domain controller, and will add the necessary LDAP objects and attributes.

  • The Samba attributes are defined in the samba.schema file which is part of the samba-doc package. The schema file needs to be unzipped and copied to /etc/ldap/schema. From a terminal prompt enter:

    sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
    sudo gzip -d /etc/ldap/schema/samba.schema.gz
    
  • The samba schema needs to be added to the cn=config tree. The procedure to add a new schema to slapd is also detailed in „Beállítás”.

    1. First, create a configuration file named schema_convert.conf, or a similar descriptive name, containing the following lines:

      include /etc/ldap/schema/core.schema
      include /etc/ldap/schema/collective.schema
      include /etc/ldap/schema/corba.schema
      include /etc/ldap/schema/cosine.schema
      include /etc/ldap/schema/duaconf.schema
      include /etc/ldap/schema/dyngroup.schema
      include /etc/ldap/schema/inetorgperson.schema
      include /etc/ldap/schema/java.schema
      include /etc/ldap/schema/misc.schema
      include /etc/ldap/schema/nis.schema
      include /etc/ldap/schema/openldap.schema
      include /etc/ldap/schema/ppolicy.schema
      include /etc/ldap/schema/samba.schema
      
    2. Next, create a temporary directory to hold the output:

      mkdir /tmp/ldif_output
      
    3. Now use slaptest to convert the schema files:

      slaptest -f schema_convert.conf -F /tmp/ldif_output
      

      Change the above file and path names to match your own if they are different.

    4. Edit the generated /tmp/ldif_output/cn=config/cn=schema/cn={12}samba.ldif file, changing the following attributes:

      dn: cn=samba,cn=schema,cn=config
      ...
      cn: samba
      

      And remove the following lines from the bottom of the file:

      structuralObjectClass: olcSchemaConfig
      entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
      creatorsName: cn=config
      createTimestamp: 20080827045234Z
      entryCSN: 20080827045234.341425Z#000000#000#000000
      modifiersName: cn=config
      modifyTimestamp: 20080827045234Z
      
      [Megjegyzés]

      The attribute values will vary, just be sure the attributes are removed.

    5. Finally, using the ldapadd utility, add the new schema to the directory:

      ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{12\}samba.ldif
      

    There should now be a dn: cn={X}misc,cn=schema,cn=config, where "X" is the next sequential schema, entry in the cn=config tree.

  • Copy and paste the following into a file named samba_indexes.ldif:

    dn: olcDatabase={1}hdb,cn=config
    changetype: modify
    add: olcDbIndex
    olcDbIndex: uidNumber eq
    olcDbIndex: gidNumber eq
    olcDbIndex: loginShell eq
    olcDbIndex: uid eq,pres,sub
    olcDbIndex: memberUid eq,pres,sub
    olcDbIndex: uniqueMember eq,pres
    olcDbIndex: sambaSID eq
    olcDbIndex: sambaPrimaryGroupSID eq
    olcDbIndex: sambaGroupType eq
    olcDbIndex: sambaSIDList eq
    olcDbIndex: sambaDomainName eq
    olcDbIndex: default sub
    

    Using the ldapmodify utility load the new indexes:

    ldapmodify -x -D cn=admin,cn=config -W -f samba_indexes.ldif
    

    If all went well you should see the new indexes using ldapsearch:

    ldapsearch -xLLL -D cn=admin,cn=config -x -b cn=config -W olcDatabase={1}hdb
    
  • Next, configure the smbldap-tools package to match your environment. The package comes with a configuration script that will ask questions about the needed options. To run the script enter:

    sudo gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
    sudo perl /usr/share/doc/smbldap-tools/configure.pl
    

    Once you have answered the questions, there should be /etc/smbldap-tools/smbldap.conf and /etc/smbldap-tools/smbldap_bind.conf files. These files are generated by the configure script, so if you made any mistakes while executing the script it may be simpler to edit the file appropriately.

  • The smbldap-populate script will add the necessary users, groups, and LDAP objects required for Samba. It is a good idea to make a backup LDAP Data Interchange Format (LDIF) file with slapcat before executing the command:

    sudo slapcat -l backup.ldif
    
  • Once you have a current backup execute smbldap-populate by entering:

    sudo smbldap-populate
    
    [Megjegyzés]

    You can create an LDIF file containing the new Samba objects by executing sudo smbldap-populate -e samba.ldif. This allows you to look over the changes making sure everything is correct.

Your LDAP directory now has the necessary domain information to authenticate Samba users.

Samba Configuration

There a multiple ways to configure Samba for details on some common configurations see 15. fejezet - Windows hálózat. To configure Samba to use LDAP, edit the main Samba configuration file /etc/samba/smb.conf commenting the passdb backend option and adding the following:

#   passdb backend = tdbsam

# LDAP Settings
   passdb backend = ldapsam:ldap://hostname
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=admin,dc=example,dc=com
   ldap ssl = start tls
   ldap passwd sync = yes
...
   add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"

Restart samba to enable the new settings:

sudo /etc/init.d/samba restart

Now Samba needs to know the LDAP admin password. From a terminal prompt enter:

sudo smbpasswd -w secret
[Megjegyzés]

Replacing secret with your LDAP admin password.

If you currently have users in LDAP, and you want them to authenticate using Samba, they will need some Samba attributes defined in the samba.schema file. Add the Samba attributes to existing users using the smbpasswd utility, replacing username with an actual user:

sudo smbpasswd -a username

You will then be asked to enter the user's password.

To add new user, group, and machine accounts use the utilities from the smbldap-tools package. Here are some examples:

  • To add a new user to LDAP with Samba attributes enter the following, replacing username with an actual username:

    sudo smbldap-useradd -a -P username
    

    The -a option adds the Samba attributes, and the -P options calls the smbldap-passwd utility after the user is created allowing you to enter a password for the user.

  • To remove a user from the directory enter:

    sudo smbldap-userdel username
    

    The smbldap-userdel utility also has a -r option to remove the user's home directory.

  • Use smbldap-groupadd to add a group, replacing groupname with an appropriate group:

    sudo smbldap-groupadd -a groupname
    

    Similar to smbldap-useradd, the -a adds the Samba attributes.

  • To add a user to a group use smbldap-groupmod:

    sudo smbldap-groupmod -m username groupname
    

    Be sure to replace username with a real user. Also, the -m option can add more than one user at a time by listing them in comma separated format.

  • smbldap-groupmod can also be used to remove a user from a group:

    sudo smbldap-groupmod -x username groupname
    
  • Additionally, the smbldap-useradd utility can add Samba machine accounts:

    sudo smbldap-useradd -t 0 -w username
    

    Replace username with the name of the workstation. The -t 0 option creates the machine account without a delay, while the -w option specifies the user as a machine account. Also, note the add machine script option in /etc/samba/smb.conf was changed to use smbldap-useradd.

There are more useful utilities and options in the smbldap-tools package. The man page for each utility provides more details.

Resources

  • There are multiple places where LDAP and Samba is documented in the Samba HOWTO Collection.

  • Specifically see the passdb section.

  • Another good site is Samba OpenLDAP HOWTO.

  • Again, for more information on smbldap-tools see the man pages: man smbldap-useradd, man smbldap-groupadd, man smbldap-populate, etc.