I'm looking to set up a new Samba file share that uses LDAP for back-end authentication. The LDAP server is already set up, and the machine the Samba server will be on is already set up to allow SSH access using LDAP authentication.
It seems the most common use cases documented for Samba/LDAP integration involve storing Samba schemas on the LDAP server, synchronizing passwords, allowing password updates to LDAP via Samba, and so forth. I'm not looking for any of that - all I want to do is have the Samba server anonymously authenticate through LDAP, and retrieve group data on the user so authorization can be handled in Samba configuration.
If it matters:
- LDAP: OpenLDAP 2.4 on RHEL 7.4
- SMB: Samba 4.7 on Ubuntu 18.04
Here's what I have so far:

```
[global]
server string = Samba Server (%v)
workgroup = WORKGROUP
interfaces = eno1
server role = standalone server
log file = /var/log/samba/smb.log
max log size = 10000
log level = 3 passdb:5 auth:5
passdb backend = ldapsam:ldaps://hostname
ldap suffix = dc=hostname,dc=TLD
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts

[Share1]
path = /srv/share1
valid users = @group1, @group3
force group = @group1
read only = no
browsable = yes

[Share2]
path = /srv/share2
valid users = @group2, @group3
force group = @group2
read only = no
browsable = yes
```
Samba won't start, however. `systemctl status` displays the following:

```
../source3/passdb/secrets.c:362(fetch_ldap_pw)
fetch_ldap_pw: neither ldap secret retrieved!
../source3/passdb/pdb_ldap.c:6542(pdb_init_ldapsam_common)
pdb_init_ldapsam_common: Failed to retrieve LDAP password from secrets.tdb
../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
pdb backend ldapsam:ldaps://hostname did not correctly init (error was NT_STATUS_NO_MEMORY)
```
I'd like to not have to do the following:
- Set up a new user for the Samba server itself to use
- Allow Samba to modify LDAP
- Upload the Samba schema to LDAP
I just want Samba to:
- Confirm that inbound requests have a valid user/pass configured in LDAP
- Use LDAP's data on the user (name, groups, etc) for its own share permissions configuration
What else do I need to do?
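The question above hinges on two things: which groups each share admits, and the fact that the `ldapsam` backend binds to the directory with the `ldap admin dn` and the password that `smbpasswd -w` stores in `secrets.tdb` (the credential the quoted error says is missing). The script below is an added example, not code from the asker or from the Samba project: it parses an smb.conf in the same shape as the one in the question, lists the groups and users each share's `valid users` grants, and flags the things an access review would want to see, such as a share with no `valid users` at all, a `force group` that is not itself granted access, or an `ldapsam` backend with no `ldap admin dn`. The embedded config is constructed for the example; the group-prefix handling (`@`, `+`, `&`) follows the `valid users` syntax documented in smb.conf(5), and treating `force group` prefixes the same way is an assumption made here for reporting only.

```python
import re
from typing import Dict, List

# Constructed sample smb.conf (not the asker's file); it mirrors the shape of the
# config in the question and adds a third share with no 'valid users' line.
SAMPLE_SMB_CONF = """\
[global]
server role = standalone server
passdb backend = ldapsam:ldaps://hostname
ldap suffix = dc=hostname,dc=TLD

[Share1]
path = /srv/share1
valid users = @group1, @group3
force group = @group1
read only = no

[Share2]
path = /srv/share2
valid users = @group2, @group3
force group = @group4
read only = no

[Share3]
path = /srv/share3
read only = yes
"""

# smb.conf(5): @name = NIS netgroup then UNIX group, +name = UNIX group, &name = netgroup
GROUP_PREFIXES = "@+&"
TRUE_WORDS = ("yes", "true", "1")
FALSE_WORDS = ("no", "false", "0")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {parameter: value}}.
    Parameter names are lower-cased with whitespace collapsed (Samba ignores case
    and whitespace in names); lines starting with '#' or ';' are comments."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def split_principals(value: str) -> List[str]:
    """Split a 'valid users' list; Samba accepts commas and/or whitespace."""
    return [p for p in re.split(r"[,\s]+", value) if p]


def is_writable(opts: Dict[str, str]) -> bool:
    """'writable'/'writeable' are inverted synonyms of 'read only'; default is read only = yes."""
    for syn in ("writable", "writeable"):
        if syn in opts:
            return opts[syn].lower() in TRUE_WORDS
    return opts.get("read only", "yes").lower() in FALSE_WORDS


def share_access_report(conf: Dict[str, Dict[str, str]]) -> Dict[str, dict]:
    """For every share: groups and users admitted by 'valid users', the forced group,
    whether the share is writable, and warnings an access review would raise."""
    report: Dict[str, dict] = {}
    for name, opts in conf.items():
        if name == "global":
            continue
        principals = split_principals(opts.get("valid users", ""))
        groups = [p.lstrip(GROUP_PREFIXES) for p in principals if p[0] in GROUP_PREFIXES]
        users = [p for p in principals if p[0] not in GROUP_PREFIXES]
        # Assumption for reporting: strip the same prefixes from 'force group'
        forced = opts.get("force group", "").lstrip(GROUP_PREFIXES) or None
        warnings: List[str] = []
        if not principals:
            warnings.append("no 'valid users': every account the passdb backend authenticates can connect")
        if forced and forced not in groups:
            warnings.append(f"force group '{forced}' is not among the groups granted by 'valid users'")
        report[name] = {"groups": groups, "users": users, "force_group": forced,
                        "writable": is_writable(opts), "warnings": warnings}
    return report


def global_backend_warnings(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """ldapsam binds as 'ldap admin dn' using the password stored in secrets.tdb by
    'smbpasswd -w'; flag a config that selects ldapsam without naming that DN."""
    g = conf.get("global", {})
    warnings: List[str] = []
    if g.get("passdb backend", "").startswith("ldapsam") and "ldap admin dn" not in g:
        warnings.append("passdb backend is ldapsam but 'ldap admin dn' is not set")
    return warnings


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for w in global_backend_warnings(conf):
        print("[global] warning:", w)
    for share, info in share_access_report(conf).items():
        print(f"[{share}] groups={info['groups']} users={info['users']} "
              f"force_group={info['force_group']} writable={info['writable']}")
        for w in info["warnings"]:
            print("    warning:", w)
```

Run it against a real file by replacing `SAMPLE_SMB_CONF` with the contents of `/etc/samba/smb.conf`; `testparm -s` is the authoritative way to see the effective values Samba will use, and this report only reads the literal parameters, so it is a review aid rather than a substitute for that.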