7

I'm looking to set up a new Samba file share that uses LDAP for back-end authentication. The LDAP server is already set up, and the machine the Samba server will be on is already set up to allow SSH access using LDAP authentication.

It seems the most common use cases documented for Samba/LDAP integration involve storing Samba schemas on the LDAP server, synchronizing passwords, allowing password updates to LDAP via Samba, and so forth. I'm not looking for any of that - all I want to do is have the Samba server anonymously authenticate through LDAP, and retrieve group data on the user so authorization can be handled in Samba configuration.

If it matters:

  • LDAP: OpenLDAP 2.4 on RHEL 7.4
  • SMB: Samba 4.7 on Ubuntu 18.04

Here's what I have so far:

[global] server string = Samba Server (%v) workgroup = WORKGROUP interfaces = eno1 server role = standalone server log file = /var/log/samba/smb.log max log size = 10000 log level = 3 passdb:5 auth:5 passdb backend = ldapsam:ldaps://hostname ldap suffix = dc=hostname,dc=TLD ldap user suffix = cn=users,cn=accounts ldap group suffix = cn=groups,cn=accounts [Share1] path = /srv/share1 valid users = @group1, @group3 force group = @group1 read only = no browsable = yes [Share2] path = /srv/share2 valid users = @group2, @group3 force group = @group2 read only = no browsable = yes

Samba won't start, however. Systemctl status displays the following:

../source3/passdb/secrets.c:362(fetch_ldap_pw) fetch_ldap_pw: neither ldap secret retrieved! ../source3/passdb/pdb_ldap.c:6542(pdb_init_ldapsam_common) pdb_init_ldapsam_common: Failed to retrieve LDAP password from secrets.tdb ../source3/passdb/pdb_interface.c:180(make_pdb_method_name) pdb backend ldapsam:ldaps://hostname did not correctly init (error was NT_STATUS_NO_MEMORY)

I'd like to not have to do the following:

  • Set up a new user for the Samba server itself to use
  • Allow Samba to modify LDAP
  • Upload the Samba scheme to LDAP

I just want Samba to:

  • Confirm that inbound requests have a valid user/pass configured in LDAP
  • Use LDAP's data on the user (name, groups, etc) for its own share permissions configuration

What else do I need to do?

Improve this question
1

1 Answer 1

Reset to default
6

I assume that you want to run Samba in simple WinNT-compatible domain controller mode, not the full Active Directory mode.

First you have to understand that SMB authentication is based on a NTLM password hash. Basically this is a clear-text credential for a challenge-response authentication which can be stored in LDAP user entries, but in separate attribute sambaNTPassword. Attribute userPassword is not used at all and Samba does not send a bind request to the LDAP server to check the user's password.

=> You must install the Samba schema and add auxiliary object class sambaSamAccount to the user entries.

In a proper setup you have to authorize your Samba DC's service user to read this attribute sambaNTPassword. Your ACLs must prevent anybody else from reading that attribute.

=> You must create a service entry for Samba DC in your LDAP directory and grant read access to user entries.

There is also a OpenLDAP server overlay called slapo-smbk5pwd which updates sambaNTPassword in case attribute userPassword is set via Password Modify extended operation (see RFC 3062). By using this you won't have to grant Samba write access to the user entry.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.