Samba OpenLDAP auth

From wiki.techunit.org

Introduction

  • Realized on Debian 8 (Jessie).
  • slapd version : 2.4.40
  • Samba version : 4.1.17

This page describes how to configure Samba to authenticate its users against an OpenLDAP directory, using smbldap-tools to manage the accounts.

Configuration

Install requirements

aptitude install slapd ldap-utils samba samba-doc smbldap-tools sssd -y

OpenLDAP

  • Refer to OpenLDAP
    • Configure a minimal LDAP server
    • Configure sssd

Add the Samba schema to OpenLDAP

zcat /usr/share/doc/samba-doc/examples/LDAP/samba.ldif.gz > /etc/ldap/schema/samba.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/samba.ldif
# expected output: adding new entry "cn=samba,cn=schema,cn=config"

Modify openldap config

  • Edit /etc/ldap/slapd.conf (these directives only take effect if slapd is started from slapd.conf; Debian's default is the cn=config database under /etc/ldap/slapd.d/, where the same ACL and index directives are set as olcAccess and olcDbIndex attributes)

Allow users to change their own password

The "by self write" rule is what lets a user update his own NT/LM hashes through smbldap-passwd; "by * none" keeps everyone else from reading them.

access to attrs=userPassword,shadowLastChange,sambaPwdMustChange,sambaLMPassword,sambaPwdLastSet,sambaNTPassword
    by dn="cn=admin,dc=example,dc=com" write
    by anonymous auth
    by self write
    by * none

Optionally, add indexes to speed up the lookups Samba performs:

index         uid,uidNumber,gidNumber,memberUid       eq
index         cn,mail,surname,givenname               eq,subinitial
index         sambaSID                                eq
index         sambaPrimaryGroupSID                    eq
index         sambaDomainName                         eq

Restart openldap

service slapd restart

Configure samba

  • Copy smb config file from smbldap-tools docs
mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
cp /usr/share/doc/smbldap-tools/examples/smb.conf.example /etc/samba/smb.conf
  • Now you can edit the samba configuration file /etc/samba/smb.conf
    • To avoid SSL/TLS problems, disable it: ldap ssl = off. This is only acceptable when Samba reaches slapd over ldapi:// or localhost; with a remote LDAP server it sends the LDAP admin bind password and the NT/LM hashes over the network in clear text.
    • Change these parameters to match your ldap configuration:
      • passdb backend
      • ldap admin dn
      • ldap suffix
  • (Re)start samba : service samba restart
  • Set the LDAP admin password : smbpasswd -w LDAP_ADMIN_PASSWORD
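As an added example (not part of the original page), the following POSIX shell script reviews the ldap settings of an smb.conf before Samba is restarted: it checks the three parameters listed above and only accepts "ldap ssl = off" when every LDAP URI is ldapi:// or loopback. The two sample configuration files and the host name ldap.example.com are constructed for the demonstration.

```shell
# Added example, not from the original page: review the LDAP settings of an
# smb.conf before (re)starting Samba. File contents and hostnames are constructed.
# Print one [global] parameter's value: name compared case-insensitively,
# whitespace around '=' trimmed, '#'/';' comments skipped. Usage: smb_get FILE NAME
smb_get() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = $0; gsub(/[ \t]/, "", s); sec = tolower(s); next }
        sec == "[global]" && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(want)) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Return 0 when the settings match the setup on this page, 1 otherwise:
# passdb backend must be ldapsam, ldap admin dn and ldap suffix must be set, and
# "ldap ssl = off" is accepted only when every LDAP URI is ldapi:// or loopback,
# because otherwise the admin bind password and NT hashes cross the wire in clear.
check_smb_ldap() {
    backend=$(smb_get "$1" "passdb backend")
    case "$backend" in
        ldapsam:*) ;;
        *) echo "passdb backend is not ldapsam: '$backend'" >&2; return 1 ;;
    esac
    for p in "ldap admin dn" "ldap suffix"; do
        [ -n "$(smb_get "$1" "$p")" ] || { echo "missing: $p" >&2; return 1; }
    done
    [ "$(smb_get "$1" "ldap ssl")" = "off" ] || return 0   # TLS in use: nothing to flag
    for u in $(printf '%s' "${backend#ldapsam:}" | tr -d '"'); do
        case "$u" in
            ldapi://*|ldap://localhost*|ldap://127.0.0.1*|"ldap://[::1]"*) ;;
            *) echo "ldap ssl = off but $u is not a local server" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed samples: a local ldapi:// setup, and the same file pointed at a remote host.
SMB_LOCAL=$(mktemp); SMB_REMOTE=$(mktemp); trap 'rm -f "$SMB_LOCAL" "$SMB_REMOTE"' EXIT
printf '%s\n' '[global]' '   workgroup = EXAMPLE' '   passdb backend = ldapsam:ldapi:///' \
    '   ldap admin dn = cn=admin,dc=example,dc=com' '   ldap suffix = dc=example,dc=com' \
    '   LDAP SSL = off' '[homes]' '   ldap ssl = start tls' > "$SMB_LOCAL"
sed 's#ldapi:///#"ldap://ldap.example.com ldap://localhost"#' "$SMB_LOCAL" > "$SMB_REMOTE"
check_smb_ldap "$SMB_LOCAL"  && echo "local config: ok"
check_smb_ldap "$SMB_REMOTE" || echo "remote config: rejected"
```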

smbldap-tools

  • Documentation : /usr/share/doc/smbldap-tools/README.Debian.gz
  • Copy sample config from doc
cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/
zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf

smbldap.conf

  • To obtain the domain SID, run the following command while the Samba server is running:
net getlocalsid
  • Then adapt /etc/smbldap-tools/smbldap.conf to your configuration (SID, LDAP suffix and server).

smbldap_bind.conf

  • Set the LDAP bind DN and password in /etc/smbldap-tools/smbldap_bind.conf.

Change permissions (smbldap_bind.conf contains the LDAP admin password, so only root may read it)

chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf

Initialize the LDAP database

smbldap-populate

smbldap commands

Create a user (-a adds the Samba attributes, -c sets the full name, -m creates the home directory, -P prompts for the password):

smbldap-useradd -a -c "Toto Tata" -m -P toto

Available commands

Groups management

  • smbldap-groupadd
  • smbldap-groupdel
  • smbldap-grouplist
  • smbldap-groupmod
  • smbldap-groupshow

Users management

  • smbldap-passwd
  • smbldap-useradd
  • smbldap-userdel
  • smbldap-userinfo
  • smbldap-userlist
  • smbldap-usermod
  • smbldap-usershow

Sources

Elliot
techUnit's cofounder