Creating samba shares

The Samba server is THE file server solution for Linux. It can serve Linux clients as well as Windows or Mac clients and provides host, user or group based access control. In this post I'll describe how I set up a Samba server using accounts stored in my LDAP replica.
Note that this howto is referring to debian wheezy.

This is a post from my old blog http://tech.cbjck.de. It has been moved here and slightly edited for better readability. It's also been adjusted to the new layout.
The content however is old and might be outdated.

Prepare LDAP

If not already done include the samba.schema into your LDAP. I’ve already done this before so here is just a short description.
If you use LDAP with cn=config like me, you will have to convert the samba.schema to a .ldif before you add it using

ldapadd -D cn=admin,cn=config -W -f samba.schema.ldif

You can find a longer description, for example, in the Ubuntu docs.
It is a good idea to index the fields from the samba schema that Samba searches on, otherwise every lookup walks the whole database. Use

ldapvi -h ldap://localhost -D cn=admin,cn=config -b cn=config -W

to edit cn=config and insert the following in the appropriate section:

  index         uid,uidNumber,gidNumber,memberUid       eq
  index         cn,mail,surname,givenname               eq,subinitial
  index         sambaSID                                eq
  index         sambaPrimaryGroupSID                    eq
  index         sambaDomainName                         eq

Then give users access to their Samba password hashes by changing the line

access to attribute=userPassword

to

access to attrs=userPassword,sambaNTPassword,sambaLMPassword

Keep the rest of the rule (by self write by anonymous auth ... by * none) exactly as it is and make sure it stays before any broad rule that grants read access: the NT hash is password-equivalent for Samba logins, so nobody but the user and the admin DN may read it.
Now the LDAP server is prepared.
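The two cn=config changes above as one ldapmodify LDIF, plus a check that the hashes are not readable by others. This is an added example, not code from the original post; it assumes a Debian wheezy style cn=config database (olcDatabase={1}hdb,cn=config), the suffix dc=example,dc=com, the admin cn=admin,dc=example,dc=com, and that the existing userPassword rule is the first ACL, olcAccess: {0}; adjust those four values to your directory.

```shell
#!/bin/sh
# Added example, not code from the original post: the cn=config changes of the
# "Prepare LDAP" section as one ldapmodify LDIF, and a check that nobody but
# the owner and the admin can read sambaNTPassword.
# Assumptions (edit for your directory): database entry olcDatabase={1}hdb,cn=config
# (Debian wheezy default), suffix dc=example,dc=com, admin cn=admin,dc=example,dc=com,
# and the existing userPassword rule is ACL number 0.
DB_DN='olcDatabase={1}hdb,cn=config'
SUFFIX='dc=example,dc=com'
ADMIN_DN="cn=admin,$SUFFIX"
LDAP_URI='ldap://127.0.0.1/'

# write_samba_ldif FILE: write the index and ACL modifications.
# ldapmodify rejects the whole change if one olcDbIndex value already exists,
# so drop the lines your database already has. Debian's stock rule {0} also
# lists shadowLastChange; keep that attribute in the list if yours does.
# ACLs are first-match, so the rule is re-inserted at position {0}, ahead of
# the catch-all rule that grants read access to everyone.
write_samba_ldif() {
  cat > "$1" <<EOF
dn: $DB_DN
changetype: modify
add: olcDbIndex
olcDbIndex: uid,uidNumber,gidNumber,memberUid eq
olcDbIndex: cn,mail,surname,givenname eq,subinitial
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaDomainName eq
-
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to attrs=userPassword,sambaNTPassword,sambaLMPassword
  by self write
  by anonymous auth
  by dn="$ADMIN_DN" write
  by * none
EOF
}

# apply_samba_ldif FILE: load it as the cn=config admin (prompts for the password)
apply_samba_ldif() {
  ldapmodify -x -H "$LDAP_URI" -D cn=admin,cn=config -W -f "$1"
}

# nt_hash_exposure BINDDN PASSWORD: print how many entries expose their
# sambaNTPassword to that bind. With the ACL above an ordinary user sees at
# most 1 (its own entry, "by self write"); anonymous (empty BINDDN) sees 0.
nt_hash_exposure() {
  if [ -n "$1" ]; then set -- -D "$1" -w "$2"; else set --; fi
  ldapsearch -LLL -x -H "$LDAP_URI" "$@" -b "$SUFFIX" \
      '(sambaNTPassword=*)' sambaNTPassword 2>/dev/null | grep -c '^sambaNTPassword:'
}

# Usage: sh this.sh apply   -> writes the LDIF, loads it and checks anonymously
if [ "${1:-}" = apply ]; then
  f=$(mktemp)
  write_samba_ldif "$f"
  apply_samba_ldif "$f"
  echo "NT hashes readable anonymously: $(nt_hash_exposure '' '')"
  rm -f "$f"
fi
```

Run the exposure check a second time bound as an ordinary user (for example uid=dummy,ou=people,dc=example,dc=com); anything above 1 means a rule before {0} is too permissive.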

Install necessary software

aptitude install smbfs samba smbldap-tools

This will pull in some dependencies. Just install them.

Configure samba

The configuration is done in /etc/samba/smb.conf. Make sure the following line is set (in section “Authentication”):

security = user

It will probably be commented out.
Then change

passdb backend = tdbsam guest

to

passdb backend = ldapsam:ldap://127.0.0.1/

using the IP or URI of your LDAP server.
Add configuration directives for passdb and smbldap-tools:

  obey pam restrictions = no
  ldap admin dn = cn=admin,dc=example,dc=com
  ldap suffix = dc=example,dc=com
  ldap group suffix = ou=groups
  ldap user suffix = ou=people
  ldap machine suffix = ou=computers
  ldap idmap suffix = ou=people
  ; Don't use samba's internal LDAP password sync
  ldap passwd sync = No
  ; Use an external program (smbldap-passwd) to sync the LDAP password instead
  unix password sync = Yes
  passwd program = /usr/sbin/smbldap-passwd -u %u
  passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*

Make sure to comment out or delete any other settings for passwd program and passwd chat. If the LDAP server runs on the Samba host itself (ldap://127.0.0.1/ as above) you can disable SSL with

  ldap ssl = off

Do not do this for an LDAP server elsewhere on the network, even a local one: the bind as ldap admin dn and every NT hash Samba fetches would then cross the wire unencrypted. Leave Samba's default (ldap ssl = start tls) in place there.

In the section “Share Definitions” define your shares like this:

[music]
   comment = Music Share
   path = /data/music
   writeable = yes
   valid users = @users
   guest ok = no

This creates a share named music backed by the directory /data/music; members of the Unix group users can read and write it and guests have no access at all.

Now restart samba

/etc/init.d/samba restart

and tell samba the admin password for ldap

smbpasswd -w YOUR_LDAP_ADMIN_PASSWORD

Samba stores it in its secrets.tdb; note that the password also ends up in your shell history, so remove that line afterwards.
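Here is the configuration of this section assembled into one smb.conf together with a small audit that flags the settings that matter before samba is restarted. This is an added example, not code from the original post; it assumes the LDAP server on the Samba host (ldap://127.0.0.1/), the suffix dc=example,dc=com, the [music] share above and an existing group users, and the workgroup and server string values are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: the smb.conf settings of the
# "Configure samba" section as one file, plus an audit of the security-relevant
# settings. Assumptions: LDAP on the samba host (ldap://127.0.0.1/), suffix
# dc=example,dc=com, the [music] share from the post, group users exists,
# workgroup/server string are placeholders.

# write_smb_conf FILE: the configuration from this howto
write_smb_conf() {
  cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP
   server string = %h file server
   security = user
   map to guest = never
   passdb backend = ldapsam:ldap://127.0.0.1/
   ldap admin dn = cn=admin,dc=example,dc=com
   ldap suffix = dc=example,dc=com
   ldap group suffix = ou=groups
   ldap user suffix = ou=people
   ldap machine suffix = ou=computers
   ldap idmap suffix = ou=people
   ; acceptable only because the LDAP server is on the loopback interface;
   ; for any other server keep the default "ldap ssl = start tls"
   ldap ssl = off
   obey pam restrictions = no
   ldap passwd sync = no
   unix password sync = yes
   passwd program = /usr/sbin/smbldap-passwd -u %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*

[music]
   comment = Music Share
   path = /data/music
   writeable = yes
   valid users = @users
   guest ok = no
EOF
}

# audit_smb_conf FILE: print one finding per line, exit 1 if there are any.
# Samba ignores case and surrounding blanks in parameter names, so both are
# normalised before comparing.
audit_smb_conf() {
  findings=$(awk '
    function norm(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return tolower(s) }
    function flush() {
      if (sec != "" && sec != "global") {
        if (guest ~ /^(yes|true|1)$/)
          printf "[%s]: guest ok = yes, the share is reachable without a password\n", sec
        if (!valid)
          printf "[%s]: no valid users list, every account in LDAP may connect\n", sec
      }
    }
    /^[ \t]*\[/ { flush(); sec = norm($0); gsub(/\[|\]/, "", sec); guest = "no"; valid = 0; next }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }
    {
      eq = index($0, "="); if (!eq) next
      key = norm(substr($0, 1, eq - 1)); val = norm(substr($0, eq + 1))
      if (sec == "global") {
        if (key == "security" && val != "user")
          printf "[global]: security = %s, this setup needs user\n", val
        if (key == "passdb backend") backend = val
        if (key == "ldap ssl") ssl = val
      } else {
        if (key == "guest ok") guest = val
        if (key == "valid users" && val != "") valid = 1
      }
    }
    END {
      flush()
      if (backend !~ /^ldapsam:/)
        print "[global]: passdb backend is not ldapsam, accounts will not come from LDAP"
      if (ssl == "off" && backend !~ /^ldapsam:(ldapi:|ldap:\/\/(127\.0\.0\.1|localhost)(\/|:|$))/)
        print "[global]: ldap ssl = off with a non-loopback LDAP server, admin bind and NT hashes cross the wire in clear"
    }' "$1")
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# check_smb_conf FILE: syntax check with testparm where installed, then audit
check_smb_conf() {
  if command -v testparm >/dev/null 2>&1; then
    testparm -s "$1" >/dev/null || return 1
  fi
  audit_smb_conf "$1"
}

# Usage: sh this.sh /etc/samba/smb.conf  audits an existing file; without an
# argument the example configuration is written to a temp file and audited.
if [ -n "${1:-}" ]; then
  check_smb_conf "$1"
else
  f=$(mktemp); write_smb_conf "$f"; check_smb_conf "$f" && echo "no findings in $f"
fi
```

The audit is deliberately narrow: it checks the points this howto depends on (security = user, an ldapsam backend, cleartext LDAP only to loopback, no guest shares, a valid users list on every share) rather than trying to replace testparm.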

Configure smbldap-tools

First copy the files smbldap.conf and smbldap_bind.conf from /usr/share/doc/smbldap-tools/examples/ to /etc/smbldap-tools/:

zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf
cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/smbldap_bind.conf

Get the SID by

net getlocalsid

and edit smbldap.conf. Watch out for the SID and LDAP settings. Insert dn and password of your ldap admin into smbldap_bind.conf. Then fix file permissions:

chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf

Now it's time to populate your LDAP with the data Samba needs (the ou containers, the sambaDomain entry and the default groups). If your LDAP already contains these entries, the script will not overwrite them. It is still a good idea to have a backup first...

smbldap-populate

Now you can add users to your LDAP or fix the entries of already existing users. E.g. this adds the Samba attributes to the existing LDAP user dummy and sets his Samba password:

smbpasswd -a dummy

Testing

On a (Linux) client try

smbclient -U youruser //sambaserver.yourdomain/share

to check for errors before using a file browser to connect to a share. (Pass the user with -U; a bare second argument would be taken as the password.)

[Edit 01.05.2014] Make sure the group “users” exists and users can login authenticating against LDAP.


2 Comments

  1. Hi Jan,

    My LDAP server is on Windows Server 2008 with LDAP URL ldap://lab.xxx.com and the Samba server is on an Ubuntu machine with hostname XYZ. I read a lot of articles on authenticating a Samba share against LDAP but got stuck; please tell me an appropriate solution.

    • I have no clue how LDAP works on windows. You are probably using a Microsoft ActiveDirectory server.

      First I would check if user login on the Ubuntu box is working (using pam-ldapd). Once you got that working, revisit your samba settings.
