I am trying to set up Samba fileshares on an Ubuntu 19.04 system using an existing LDAP server as authentication backend.
What I have: A fully operational OpenLDAP server containing all user and group information
What I want: A Samba fileshare using this data to authenticate users and give group-specific permissions for (common) fileshares.
If I understood this correctly (e.g. based on this answer), there is no way that Samba can perform a bind authentication, like most applications offer as an option. Therefore, I would need PAM to use my LDAP server as a backend, and then use PAM for Samba auth.
I tried to follow the Ubuntu Tutorial, but couldn't configure the LDAP profile for NSS because the auth-client-config command could not be found; even though I installed the ldap-auth-config package.
Why is there no way to get Samba to perform a bind authentication by just trying to log in like any other service? Am I even remotely on the right path?
And if Samba utilizes an NTLM hash stored in the sambaNTPassword attribute, wouldn't that drastically lower my security in comparison to the salted SHA2 hash I use in the userPassword attribute?
Edit: I only need Samba to act as a fileshare server, not as an active directory.
My users should only be able to log on to a fileshare/network drive with the credentials currently stored in the LDAP directory (uid and userPassword), if possible.