
I am trying to set up Samba fileshares on an Ubuntu 19.04 system using an existing LDAP server as authentication backend.

What I have: A fully operational OpenLDAP server containing all user and group information

What I want: A Samba fileshare using this data to authenticate users and give group-specific permissions for (common) fileshares.

If I understood this correctly (e.g. based on this answer), there is no way that Samba can perform a bind authentication, like most applications offer as an option. Therefore, I would need PAM to use my LDAP server as a backend, and then use PAM for Samba auth.

I tried to follow the Ubuntu Tutorial, but couldn't configure the LDAP profile for NSS because the auth-client-config command could not be found, even though I installed the ldap-auth-config package.

Why is there no way to get Samba to perform a bind authentication by just trying to log in like any other service? Am I even remotely on the right path? And if Samba utilizes an NTLM hash stored in the sambaNTPassword attribute, wouldn't that drastically lower my security in comparison to the salted SHA-2 hash I use in the userPassword attribute?

Edit: I only need Samba to act as a fileshare server, not as an active directory.
My users should only be able to log on to a fileshare/network drive with the credentials currently stored in the LDAP directory (uid and userPassword), if possible.

NilsH
  • No, samba can successfully use LDAP without any unneeded PAM modules. You do not understand correctly. – drookie Oct 25 '19 at 16:02
  • That is entirely possible, as I have little experience with Samba. Could you elaborate a little further on how I could perform this? – NilsH Oct 25 '19 at 16:08
  • Mate, there’s really a handful of examples and how-tos concerning this matter on samba.org, did you check them out ? If you have troubles with them I can really give you a working config, but samba.org examples are more complete and comprehensive. – drookie Oct 27 '19 at 05:54
  • Yes, I have searched the web quite a lot, this is why I ultimately asked here. Almost any guide or other document assumes that I want to install an AD or other Domain Controller, which is not what I need. Maybe I am searching for the wrong terms, or try to do something very exotic here, but I just want users (not in any Domain) to be able to log on to a fileshare using their existing OpenLDAP passwords. – NilsH Oct 27 '19 at 10:16
  • @drookie if you could provide a working config or some help on whether or not my assumptions are correct, that would be very helpful for me. Thanks in advance :) – NilsH Oct 27 '19 at 18:47
  • You can try something like this - http://sys-adm.org.ua/net/samba-domain-member-server – ALex_hha Nov 24 '20 at 20:51

2 Answers


In case other people find these answers on Google. There is an important caveat. You cannot set up a Samba share and have it use your existing OpenLDAP. It is absolutely impossible to do this and anyone who tells you otherwise is misinforming you. You must either use Samba's independent LDAP, which means you now have to maintain two completely different user databases. Or you must use Samba in a deprecated format and still have to add Samba passwords and IDs to all of your OpenLDAP users. Or, you must authenticate it against a Windows AD environment. All of which are extremely unhelpful and are artificially placed requirements by the Samba programmers. Proof in the pudding is that Netapp appliances have Windows shares that can fully authenticate against your normal UID, UIDNumber and LDAP password. No Samba setup required at all. But the Samba folks did what they did and now people have to live with it.

  • What if some script synchronizes between the samba and the central ldap? – peterh Nov 24 '20 at 21:03
  • Can you add some references for these claims? How do we know that what you're saying is true? – Andrew Schulman Nov 26 '20 at 15:41
  • I would also like to see some kind of reference, since there have been opposing claims by different users. As far as I understand @chapter-hawk is correct, but I want to be sure before I mark it as correct answer. But for now, we went the way suggested by the top commenter in this thread and use a script to synchronise periodically. – NilsH Jan 14 '21 at 16:45

This has been answered several times. Samba 4 in AD mode can't use LDAP as backend:

https://wiki.samba.org/index.php/Samba4/LDAP_Backend

There are some parts of the Windows service that can't be emulated with a standard LDAP, so the Samba devs implemented their own LDAP solution.

You can, however, configure it as a PDC, but this is legacy and is hard to maintain and administer with current Windows clients:

https://wiki.samba.org/index.php/Required_Settings_for_Samba_NT4_Domains

There are also other projects like UCS that try to sync both LDAPs:

https://www.univention.com/blog-en/2018/06/how-ucs-synchronizes-linux-windows-it-infrastructures-with-samba-ad/

But they require you to use the whole solution; I wish they would make a connector that could be configured with any backend.

So you have to decide what solution suits your environment best.

muzzol
  • Thanks for your answer! This was probably not clear from my question, but I don't even need Samba running in AD mode. In fact, I would be very happy if all user data would stay in my OpenLDAP directory, and have Samba only serve as a fileshare server. Do you know where I can get any information on this specific use case? – NilsH Oct 30 '19 at 15:25
  • Well, you can take a look at this guide: https://wiki.samba.org/index.php/Ldapsam_Editposix. It talks about PDC but you can just ignore that part and disable domain logons. – muzzol Nov 05 '19 at 14:07