Task 011: Samba and LDAP

WARNING: This is an after-the-fact note, so may not be covering some steps.

This is another dark magic that people never know how to correctly pull out. Few tutorials, outdated LDAP docs, undocumented, inconsistency, etc. But, I finally got it covered, thou it was the rougest ride ever.

Configuring LDAP server

You must add SMB schema to LDAP, so that SMB-specific fields can be added to users, groups, etc. You can find the schema from its documentation directory:

# assume `samba` package is installed
zcat "/usr/share/doc/samba/examples/LDAP/samba.ldif.gz" |\
    sudo ldapadd -Q -Y EXTERNAL -H ldapi://

In my case, I simply installed samba package on my LDAP server, but, if you don't like it, just copy one from your SMB server.

Configuring SMB server

There are many entires to add to /etc/samba/smb.conf:

### Use LDAP authentication by default
passdb backend = ldapsam:ldap://ldap.eon.lan/
ldap suffix = "dc=eon,dc=lan"
ldap ssl = off

### LDAP structure
### You don't need these normally.
;ldap group suffix = ou=Groups
;ldap user suffix = ou=Users
;ldap machine suffix = ou=Computers
;ldap idmap suffix = ou=Users

### admin account to read/write user info
ldap admin dn = "cn=admin,dc=eon,dc=lan"
ldap passwd sync = yes

The password for admin DN has to be provided to SMB, or the daemon will fail:

smbpasswd -W

This will save the admin password to /var/lib/samba/private/secrets.tdb.

smbldap-tools for easier management

smbldap-tools is, as its name indicates, just a bunch of helper scripts for samba-LDAP integration. It can initialize and update entries for samba.

However, using them requires some configuration. The package documentation contains example configs. Copy and edit them.

zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > \
    /etc/smbldap-tools/smbldap.conf
cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf \
    /etc/smbldap-tools/smbldap_bind.conf

It's long, but well commented, so you won't have problems following through it. There are only few items to change.

Note: upstream has a script called smbldap-config for guided configuration but Debian/Ubuntu don't ship it. You can still get a copy from upstream, which I did. If you choose this path, do so before modifying smb.conf.

After configuring the tool, you can auto-populate SMB information using:

smbldap-populate

... OR, since this script adds lots of unused Windows crap, you can manually add SMB domain to LDAP:

dn: sambaDomainName=WORKGROUP,dc=eon,dc=lan
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: WORKGROUP
sambaSID: S-X-X-XX-XXXXXXXXXX--XXXXXXXXX-XXXXXXXXXX <- change this!
sambaNextRid: 10000
uidNumber: 10000
gidNumber: 10000

(You can get SID with net getlocalsid)

But, be warned, I can't gurantee that the later option would work in general cases. It worked for me, so it's worth a shot if you like minimal config.

After this, you might have to manually convert(?) some user/group entries to valid SMB entries:

smbldap-usermod -a $USER
smbldap-usergroup -a $GROUP

This adds SMB-specific object classes (sambaSamAccount, sambaGroupMapping) to user/group entries, and auto-populates some fields needed for SMB to recognize them. Still, users need SMB passwords, which is covered in a later section.

Importing existing LDAP users to SMB

To log into SMB w/ existing LDAP users:

smbpasswd -a $USER

This will ask you for a new password, and both SMB and UNIX password will be updated. This is technically inevitable, because SMB passwords are seprately managed from UNIX passwords. That is, you can't just log into SMB using UNIX passwords, yet.

Syncing UNIX and SMB password on LDAP server

Samba uses a separate password field (samba*Password) than UNIX password (userPassword), used for PAM login. Changing password from SMB side (smbpasswd) is okay, w/ ldap passwd sync, because SMB updates both. However, changing password from LDAP side (e.g. ldappasswd) causes password desynchronization.

Apparently, this "separation" is because userPassword field has so many unintended behaviours, and SMB, who must follow another gigantic standard, simply can't support them. I mean, TBH, it totally makes sense if you consider the difference in their security models.

Anyways, all this confusion can be solved with smbk5pwd plugin. It's an overlay that automatically updates both SMB/LDAP passwords from LDAP side. So, once this is enabled, you can use both smbpasswd and ldappasswd to change user password, effectivley uniting both worlds into one.

The only reason people don't use this should be that configuring slapd is such a nightmare. Configuring slapd's OLC(on-line configuration) is like modifying a huge chunk of JSON w/ bizzare syntax, w/o documentation. I literally have zero idea what I'm doing, and everything here is mostly empirical. I still piss my pants every time I run ldapmodify on cn=config.

Enough rant. There are only few things to do:

1. Install smbk5pwd module.

   apt install slapd-smbk5pwd
   

2. Tell LDAP server to load the module:

   $ ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
   dn: cn=module{0},cn=config
   changetype: modify
   add: olcModuleLoad
   olcModuleLoad: smbk5pwd
   EOF
   

3. Enable the smbk5pwd overlay on the database:

   $ ldapadd -Q -Y EXTERNAL -H ldapi:/// << EOF
   dn: olcOverlay=smbk5pwd,olcDatabase={1}mdb,cn=config
   objectClass: olcOverlayConfig
   objectClass: olcSmbK5PwdConfig
   olcOverlay: smbk5pwd
   olcSmbK5PwdEnable: samba
   olcSmbK5PwdMustChange: 0
   EOF
   

   More details can be found in slapo-smbk5pwd(5)

References

• /usr/share/doc/smbldap-tools/README.Debian.gz
• Tyler's Guides - OpenLDAP memberof overlay
• Ubuntu Server Guide - Samba and LDAP

TODO

• Better LDAP access control: cn=admin for human, cn=sambaAdmin for samba (Somethingl like this?)