How can Samba be configured to use LDAP for authentication only?
I'm looking to set up a new Samba file share that uses LDAP for back-end authentication. The LDAP server is already set up, and the machine the Samba server will be on is already set up to allow SSH access using LDAP authentication.
It seems the most common use cases documented for Samba/LDAP integration involve storing Samba schemas on the LDAP server, synchronizing passwords, allowing password updates to LDAP via Samba, and so forth. I'm not looking for any of that - all I want to do is have the Samba server anonymously authenticate through LDAP, and retrieve group data on the user so authorization can be handled in Samba configuration.
If it matters:
- LDAP: OpenLDAP 2.4 on RHEL 7.4
- SMB: Samba 4.7 on Ubuntu 18.04
Here's what I have so far:
[global]
server string = Samba Server (%v)
workgroup = WORKGROUP
interfaces = eno1
server role = standalone server
log file = /var/log/samba/smb.log
max log size = 10000
log level = 3 passdb:5 auth:5
passdb backend = ldapsam:ldaps://hostname
ldap suffix = dc=hostname,dc=TLD
ldap user suffix = cn=users,cn=accounts
ldap group suffix = cn=groups,cn=accounts
[Share1]
path = /srv/share1
valid users = @group1, @group3
force group = @group1
read only = no
browsable = yes
[Share2]
path = /srv/share2
valid users = @group2, @group3
force group = @group2
read only = no
browsable = yes
Samba won't start, however. Systemctl status displays the following:
../source3/passdb/secrets.c:362(fetch_ldap_pw)
fetch_ldap_pw: neither ldap secret retrieved!
../source3/passdb/pdb_ldap.c:6542(pdb_init_ldapsam_common)
pdb_init_ldapsam_common: Failed to retrieve LDAP password from secrets.tdb
../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
pdb backend ldapsam:ldaps://hostname did not correctly init (error was NT_STATUS_NO_MEMORY)
I'd like to not have to do the following:
- Set up a new user for the Samba server itself to use
- Allow Samba to modify LDAP
- Upload the Samba schema to LDAP
I just want Samba to:
- Confirm that inbound requests have a valid user/pass configured in LDAP
- Use LDAP's data on the user (name, groups, etc) for its own share permissions configuration
What else do I need to do?
I assume that you want to run Samba in simple WinNT-compatible domain controller mode, not the full Active Directory mode.
First you have to understand that SMB authentication is based on an NTLM password hash. Basically this is a clear-text credential for a challenge-response authentication which can be stored in LDAP user entries, but in a separate attribute, sambaNTPassword. Attribute userPassword is not used at all and Samba does not send a bind request to the LDAP server to check the user's password.
=> You must install the Samba schema and add auxiliary object class sambaSamAccount to the user entries.
In a proper setup you have to authorize your Samba DC's service user to read this attribute sambaNTPassword. Your ACLs must prevent anybody else from reading that attribute.
=> You must create a service entry for Samba DC in your LDAP directory and grant read access to user entries.
There is also an OpenLDAP server overlay called slapo-smbk5pwd which updates sambaNTPassword whenever the userPassword attribute is set via the Password Modify extended operation (see RFC 3062). By using this you won't have to grant Samba write access to the user entry.