Christakis Angeli

3 minute read

Integrating LDAP into Samba

Installation

Gentoo

  • Enable sambakr5passwd and samba USE flags for OpenLDAP

  • Enable ldap USE flag for Samba

    1. USE="smbkrb5passwd samba" emerge openldap
    2. USE="ldap" emerge samba
    3. emerge net-nds/smbldap-tools

Configuration

  1. Edit /etc/openldap/slapd.conf to include the following:

     include /etc/openldap/schema/samba.schema

 access to attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowLastChange,sambaPwdLastSet,sambaPwdMustChange
 	by dn="cn=Samba Admin,ou=SystemAccounts,dc=canet,dc=me,dc=uk" write

 access to *
 	by dn="cn=Samba Admin,ou=SystemAccounts,dc=canet,dc=me,dc=uk" write  This grants the `Samba Admin` account full access to LDAP once authenticated.

  2. We need to add an OU for the Samba required entries as well as the Samba Admin account. To do this, add to the LDIF data the following (use slapcat > myldif.ldif to generate an LDIF file including all the current data):

     dn: ou=SystemAccounts,dc=canet,dc=me,dc=uk
 objectClass: organizationalUnit
 objectClass: top
 objectClass: domainRelatedObject
 associatedDomain: canet.co.uk
 ou: SystemAccounts

 dn: cn=Samba Admin,ou=SystemAccounts,dc=canet,dc=me,dc=uk
 givenName: Samba
 sn: Admin
 uid: smbadmin
 cn: Samba Admin
 userPassword: {SSHA}eXKqB5iVZnu+sValdI3Omqbyvt1el6c5
 objectClass: inetOrgPerson
 objectClass: top

  3. Load the LDIF changes into LDAP with the following (you are free to add the data into LDAP any other way you wish as long as it gets there!)

     rm -rf /var/lib/openldap*
 slapadd -l myldif.ldif
 chown -R ldap:ldap /var/lib/openldap/

  4. Edit the Samba config to reflect the following so it knows how to connect to the LDAP server (/etc/samba/smb.conf):

     # LDAP server location
 passdb backend = ldapsam:ldap://127.0.0.1:389/
	
 # The Base DN
 ldap suffix = dc=canet,dc=me,dc=uk
	
 # The LDAP path to computer, user and group account OUs
 ldap machine suffix = ou=Computers
 ldap user suffix = ou=People
 ldap group suffix = ou=Groups
	
 # Samba Admin account in LDAP to use for Administrative tasks
 ldap admin dn = cn=Samba Admin,ou=SystemAccounts,dc=canet,dc=me,dc=uk
	
 # Not sure what this is for
 ldap delete dn = no
   
 # This is for password synchronisation between the Unix and the Samba password in LDAP. 
 # So if you change your Samba password over smbpasswd or Windows this option changes your Unix/Linux password too.
 ldap password sync = yes

  5. Run smbpasswd -W to update local secret for accessing the Samba Admin account.

  6. Run smbldap-config
    • Set . where required to generate blank fields.
    • Set password validation time to 99999
  7. Run smbldap-populate -e server.ldif. This generates an LDIF file with all the required LDAP users and groups.
    1. Remove entries that already exist and remove the root and nobody accounts. Make sure your Groups OU is set correctly!
    2. Make sure it picks up the correct domain. It picked up my workgroup instead (as it was previously something else). If you run net getlocalsid it will give you the domain in capitals.

  8. Load the Samba accounts with ldapadd -x -D "cn=Manager,dc=canet,dc=me,dc=uk" -f server.ldif -W (this uses the LDAP Admin account to update from the LDIF file)

  9. Once done, we need to update existing ldap entries with SAM entries so need to run:

     smbldap-usermod -a christakis  WARNING: If the ACLs in `slapd.conf` are too restrictive, this WON'T work
  10. smbpasswd christakis should then update both LDAP and Samba passwords as we’ve set Samba to sync them with ldap password sync = yes in the configuration file earlier.
    • At this point, if we update the LDAP password without smbpasswd, it won’t update the Samba password!!

Enable smbk5pwd Overlay

This overlay enables the updating of Kerberos and Samba passwords via an LDAP overlay whenever the LDAP password is changed via LDAP. Following the instructions for initial installation, the relevant library should be installed so it should only need configuration

  1. Edit /etc/openldap/slapd.conf:

     moduleload /usr/lib64/openldap/openldap/smbk5pwd.so
	
 #
 # More configuration…
 #
 # Database definition…
 #
	
 overlay smbk5pwd
 smbk5pwd-enable samba
 smbk5pwd-must-change 0

    This enables the overlay in LDAP to propegate the changes to LDAP

  2. Edit /etc/samba/smb.conf:

     ldap password sync = only

    This tells Samba to only update the LDAP password and let the LDAP server do the rest (so use the new overlay!)

You May Also Enjoy

Cloud Mirrors & Backup Storage

This is going to end up more of a personal reference page for myself than anything else most likely as I sometimes find it hard to remember why I did what I ...

Backups and Google Drive

Having recently migrated from a dedicated server to VPS for hosting a mirrored solution of some of my home setup (Dovecot/Postfix), I had a bit of an issue i...