Authenticate Samba against OpenLDAP
I am trying to setup Samba fileshares on an Ubuntu 19.04 system using an existing LDAP-Server as authentication backend.
What I have: A fully operational OpenLDAP server containing all user and group information
What I want: A Samba fileshare using this data to authenticate users and give group-specific permissions for (common) fileshares.
If I understood this correctly (e.g. based on this answer), there is no way that Samba can perform a bind authentication, like most applications offer as an option. Therefore, I would need PAM to use my LDAP server as a backend, and then use PAM for Samba auth.
I tried to follow the Ubuntu Tutorial, but couldn't configure the LDAP profile for NSS because the auth-client-config
command could not be found; even though I installed the ldap-auth-config
package.
Why is there no way to get Samba perform a bind authentication by just trying to login like any other service? Am I even remotely on the right path?
And if Samba utilizes a NTLM-Hash stored in the sambaNTPassword
-Attribute, wouldn't that drastically lower my security in comparison to the salted SHA2-Hash I use in the userPassword
attribute?
Edit: I only need Samba to act as a fileshare server, not as an active directory.
My users should only be able to log on to a fileshare/network drive with the credentials currently stored in the LDAP directory (uid
and userPassword
), if possible.
Solution 1:
In case other people find these answers on Google. There is an important caveat. You cannot setup a Samba share and have it use your existing OpenLDAP. It is absolutely impossible to do this and anyone who tells you otherwise is misinforming you. You must either use Samba's independent LDAP which means you now have to maintain two completely different user databases. Or you must use Samba in a deprecated format and still have to add Samba passwords and IDs to all of your OpenLDAP users. Or, you must authenticate it against a Windows AD environment. All of which are extremely unhelpful and are artificially placed requirements by the Samba programmers. Proof in the pudding is that Netapp appliances have windows shares that can fully authenticate against your normal UID, UIDNumber and LDAP password. No Samba setup required at all. But the Samba folks did what they did and now people have to live with it.