2.3. Samba Configuration
There are multiple ways to configure Samba. For details on some common configurations see Chapter 18, Samba [p. 305]. To configure Samba to use LDAP, edit its configuration file /etc/samba/smb.conf commenting out the default passdb backend parameter and adding some ldap-related ones. Make sure to use the same values you used when running smbldap-populate:
#   passdb backend = tdbsam
   workgroup = EXAMPLE

# LDAP Settings
   passdb backend = ldapsam:ldap://hostname
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=admin,dc=example,dc=com
   # or off if TLS/SSL is not configured
   ldap ssl = start tls
   ldap passwd sync = yes
Change the values to match your environment. Use ldap ssl = off only when the directory is on the same host (or reached over ldapi://) or the link is otherwise protected: Samba binds with the ldap admin dn password and reads and writes the users' password hashes over that connection, and with ldap ssl = off all of it crosses the network in the clear.
The smb.conf shipped by the package is quite long and contains many commented-out configuration examples. An easy way to see the effective settings without the comments is to run testparm -s.
Now give Samba the password of the ldap admin dn (the rootDN password set during the installation of the slapd package); smbpasswd -W stores it in Samba's secrets.tdb:
sudo smbpasswd -W
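The following script is an added example, not part of this guide or of Samba itself. It audits an smb.conf for the LDAP parameters described above, flagging a non-ldapsam backend, a missing ldap admin dn or ldap suffix, and the one combination that sends the ldap admin dn bind password in cleartext: ldap ssl = off over a plain ldap:// URL. Feed it the raw file or the output of testparm -s. The two sample configurations, the file names and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit the LDAP-related parameters of a Samba smb.conf.
# Works on the raw file or on `testparm -s` output. Not Samba's own code.

# get_param FILE NAME: print the value of NAME (case-insensitive; the last
# occurrence wins, as in smb.conf), skipping comment lines and section headers.
get_param() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }          # "#" and ";" both start comments
        /^[[:space:]]*\[/   { next }          # [global], [homes], ...
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            val  = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (tolower(name) == tolower(key)) last = val
        }
        END { print last }' "$1"
}

# check_ldap_smb_conf FILE: return 0 for a sane ldapsam setup, 1 otherwise,
# printing one FAIL line per problem found.
check_ldap_smb_conf() {
    conf=$1
    rc=0
    url=""

    backend=$(get_param "$conf" "passdb backend")
    case "$backend" in
        ldapsam:*) url=${backend#ldapsam:} ;;
        ldapsam)   ;;   # no URL given: treated conservatively as plain ldap://
        *) echo "FAIL: passdb backend is '${backend:-unset}', expected ldapsam:ldap://..."; rc=1 ;;
    esac

    # Samba's default for "ldap ssl" is "start tls"; only an explicit "off"
    # over a plain ldap:// URL leaves the admin dn bind in cleartext.
    ssl=$(get_param "$conf" "ldap ssl")
    case "$url" in
        ldaps://*|ldapi://*) ;;   # TLS-wrapped port or local Unix socket
        *)
            case "$ssl" in
                [Oo][Ff][Ff])
                    echo "FAIL: ldap ssl = off over '${url:-no URL}': admin dn password sent in cleartext"
                    rc=1 ;;
            esac ;;
    esac

    for p in "ldap admin dn" "ldap suffix"; do
        if [ -z "$(get_param "$conf" "$p")" ]; then
            echo "FAIL: '$p' is not set"; rc=1
        fi
    done

    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}

# Two constructed sample configurations (not real systems).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
WEAK_CONF=$SAMPLES/weak.conf
GOOD_CONF=$SAMPLES/good.conf

cat > "$WEAK_CONF" <<'EOF'
[global]
#   passdb backend = tdbsam
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=admin,dc=example,dc=com
   ldap ssl = off
EOF

cat > "$GOOD_CONF" <<'EOF'
[global]
#   passdb backend = tdbsam
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=admin,dc=example,dc=com
   ldap ssl = start tls
   ldap passwd sync = yes
EOF

for f in "$WEAK_CONF" "$GOOD_CONF"; do
    check_ldap_smb_conf "$f" || true
done
```

On a live host, run it as check_ldap_smb_conf /etc/samba/smb.conf, or pipe testparm -s into a temporary file first so that parameters Samba reads from include files are covered too.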
As a final step to have your LDAP users be able to connect to samba and authenticate, we need these users to also show up in the system as "unix" users. One way to do this is to use libnss-ldap. Detailed instructions can be found in the Section 1.10, “LDAP Authentication” [p. 134] section, but we only need the NSS part.
1. Install libnss-ldap
sudo apt install libnss-ldap
There is no need to use the LDAP rootDN login credentials, so you can skip that step.
2. Configure the LDAP profile for NSS:
sudo auth-client-config -t nss -p lac_ldap
3. Restart the Samba services:
sudo systemctl restart smbd.service nmbd.service
4. To quickly test the setup, see if getent can list the Samba groups:
getent group
...
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
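As an added example of the check in step 4 (not part of this guide or of smbldap-tools), the script below verifies that every group smbldap-populate created is visible through NSS with the gidNumber smbldap-populate assigns, which is the group's well-known RID. It reads saved getent group output from a file, so it runs offline on the two constructed samples embedded here; the list of expected groups beyond the four shown above is an assumption taken from what smbldap-populate creates, and the function and file names are this example's own. A MISMATCH usually means a same-named entry in /etc/group is shadowing the LDAP group, since "files" is normally consulted before "ldap" in nsswitch.conf.

```shell
#!/bin/sh
# Added example: confirm the smbldap-populate groups resolve through NSS.
# Not part of the Ubuntu guide or of smbldap-tools.

SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# Expected name:gid pairs (assumed: the builtin groups smbldap-populate
# creates, with gidNumber = well-known RID; the page shows the last four).
EXPECTED_FILE=$SAMPLES/expected
cat > "$EXPECTED_FILE" <<'EOF'
Domain Admins:512
Domain Users:513
Domain Guests:514
Domain Computers:515
Administrators:544
Account Operators:548
Print Operators:550
Backup Operators:551
Replicators:552
EOF

# check_nss_groups FILE: FILE holds `getent group` output (name:pw:gid:members).
# The first line matching a name is used, mirroring a by-name lookup where
# the first NSS source wins. Returns 0 only when every expected group
# resolves with the expected gid.
check_nss_groups() {
    getent_out=$1
    rc=0
    while IFS=: read -r name want; do
        got=$(awk -F: -v n="$name" '$1 == n { print $3; exit }' "$getent_out")
        if [ -z "$got" ]; then
            echo "MISSING:  $name (expected gid $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH: $name resolves to gid $got, expected $want (local /etc/group entry shadowing LDAP?)"; rc=1
        fi
    done < "$EXPECTED_FILE"
    [ "$rc" -eq 0 ] && echo "OK: $getent_out: every expected group resolves with its RID as gid"
    return "$rc"
}

# Constructed sample 1: a healthy host (local groups first, then LDAP groups).
GOOD_GETENT=$SAMPLES/getent-good
cat > "$GOOD_GETENT" <<'EOF'
root:x:0:
sudo:x:27:alice
Domain Admins:*:512:root
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
EOF

# Constructed sample 2: "Domain Computers" never resolves and a local
# "Administrators" group with gid 1001 shadows the LDAP one.
BAD_GETENT=$SAMPLES/getent-bad
cat > "$BAD_GETENT" <<'EOF'
root:x:0:
Administrators:x:1001:bob
Domain Admins:*:512:root
Domain Users:*:513:
Domain Guests:*:514:
Administrators:*:544:
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
EOF

for f in "$GOOD_GETENT" "$BAD_GETENT"; do
    check_nss_groups "$f" || true
done
```

On a configured host, capture the live view with getent group > /tmp/groups and then run check_nss_groups /tmp/groups.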
If you have existing LDAP users that you want to include in your new LDAP-backed Samba they will, of course, also need to be given some of the extra Samba specific attributes. The smbpasswd utility can do this for you:
sudo smbpasswd -a username
You will be prompted to enter a password, which becomes the new password for that user; making it the same as before is reasonable. Note that this command cannot be used to create a new user from scratch in LDAP (unless you are using ldapsam:trusted and ldapsam:editposix, not covered in this guide).
To manage user, group, and machine accounts use the utilities provided by the smbldap-tools package. Here are some examples:
• To add a new user with a home directory:
sudo smbldap-useradd -a -P -m username
The -a option adds the Samba attributes, and the -P option calls the smbldap-passwd utility after the user is created allowing you to enter a password for the user. Finally, -m creates a local home directory. Test with the getent command:
getent passwd username
If you don't get a response, then your libnss-ldap configuration is incorrect.
• To remove a user:
sudo smbldap-userdel username
In the above command, use the -r option to remove the user's home directory.
• To add a group:
sudo smbldap-groupadd -a groupname
As for smbldap-useradd, the -a adds the Samba attributes.
• To make an existing user a member of a group:
sudo smbldap-groupmod -m username groupname
The -m option can add more than one user at a time by listing them in comma-separated format.
• To remove a user from a group:
sudo smbldap-groupmod -x username groupname
• To add a Samba machine account:
sudo smbldap-useradd -t 0 -w username
Replace username with the name of the workstation. The -t 0 option creates the machine account without a delay, while the -w option specifies the user as a machine account. Also, note the add machine script parameter in /etc/samba/smb.conf was changed to use smbldap-useradd.
There are utilities in the smbldap-tools package that were not covered here. Here is a complete list:
smbldap-groupadd
smbldap-groupdel
smbldap-groupmod
smbldap-groupshow
smbldap-passwd
smbldap-populate
smbldap-useradd
smbldap-userdel
smbldap-userinfo
smbldap-userlist
smbldap-usermod
smbldap-usershow