Samba and LDAP

This section covers the integration of Samba with LDAP. The Samba server's role will be that of a "standalone" server, and the LDAP directory will provide the authentication layer in addition to containing the user, group, and machine account information that Samba requires in order to function (in any of its 3 possible roles). The prerequisite is an OpenLDAP server configured with a directory that can accept authentication requests. See OpenLDAP Server for details on fulfilling this requirement. Once this section is completed, you will need to decide what specifically you want Samba to do for you and then configure it accordingly.

This guide will assume that the LDAP and Samba services are running on the same server and therefore uses SASL EXTERNAL authentication whenever changing something under cn=config. If that is not your scenario, you will have to run those LDAP commands on the LDAP server.

Software installation

There are two packages needed when integrating Samba with LDAP: samba and smbldap-tools.

The smbldap-tools package is not strictly required, but if you have no other way of managing the various Samba entities (users, groups, computers) in an LDAP context, then you should install it.

Now install these packages:

sudo apt install samba smbldap-tools

LDAP configuration

We will now configure the LDAP server so that it can hold Samba's data. We will perform three tasks in this section:

  1. Import a schema

  2. Index entries

  3. Add objects

Samba schema

In order for OpenLDAP to be used as a backend for Samba, logically, the DIT will need to use attributes that can properly describe Samba data. Such attributes can be obtained by introducing a Samba LDAP schema. Let's do this now.

For more information on schemas and their installation, see Modifying the slapd configuration database.

  1. The schema is found in the now-installed samba package and is already in LDIF format. We can import it with one simple command:

    zcat /usr/share/doc/samba/examples/LDAP/samba.ldif.gz | sudo ldapadd -Q -Y EXTERNAL -H ldapi:///
    
  2. To query and view this new schema:

    sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'cn=*samba*'
    

Samba indices

Now that slapd knows about the Samba attributes, we can define some indices based on them. Indexing entries is a way of improving performance when a client performs a filtered search on the DIT.

Create the file samba_indices.ldif with the following contents:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcDbIndex
olcDbIndex: objectClass eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid,cn eq,sub
olcDbIndex: memberUid eq,sub
olcDbIndex: member,uniqueMember eq
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub,eq

Using the ldapmodify utility, load the new indices:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif

If everything went well, you should see the new indices using ldapsearch:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H \
ldapi:/// -b cn=config olcDatabase={1}mdb olcDbIndex

Adding Samba LDAP objects

Next, configure the smbldap-tools package to match your environment. The package comes with a configuration helper script called smbldap-config. Before running it, though, you should decide on two important configuration settings in /etc/samba/smb.conf:

  • netbios name: how this server will be known. The default value is derived from the server's hostname, but truncated at 15 characters.

  • workgroup: the workgroup name for this server, or, if you later decide to make it a domain controller, this will be the domain.

It's important to make these choices now because smbldap-config will use them to generate the config that will be later stored in the LDAP directory. If you run smbldap-config now and later change these values in /etc/samba/smb.conf there will be an inconsistency.

Once you are happy with the netbios name and workgroup, proceed to generate the smbldap-tools configuration by running the configuration script, which will ask you some questions:

sudo smbldap-config

Some of the more important ones:

  • workgroup name: has to match what you will configure in /etc/samba/smb.conf later on.

  • ldap suffix: has to match the ldap suffix you chose when you configured the LDAP server.

  • other ldap suffixes: they are all relative to ldap suffix above. For example, for ldap user suffix you should use ou=People.

  • ldap master bind dn and bind password: use the rootDN credentials.

The smbldap-populate script will then add the LDAP objects required by Samba. It is a good idea to first back up your DIT with slapcat:

sudo slapcat -l backup.ldif

Once you have a backup, proceed to populate your directory. It will ask you for a password for the "domain root" user, which is also the "root" user stored in LDAP:

sudo smbldap-populate -g 10000 -u 10000 -r 10000

The -g, -u and -r parameters tell smbldap-tools where to start the numeric uid and gid allocation for the LDAP users. You should pick a range start that does not overlap with your local /etc/passwd users.

You can create an LDIF file containing the new Samba objects by executing sudo smbldap-populate -e samba.ldif. This allows you to look over the changes and make sure everything is correct. If it is, rerun the script without the -e switch. Alternatively, you can take the LDIF file and import its data as usual.
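Before running smbldap-populate, it is worth confirming that the chosen -u/-g/-r start really sits above every local account, as the paragraph above recommends. The shell script below is an added example, not part of this guide or of smbldap-tools; it works on a constructed /etc/passwd excerpt embedded in the script (a real check would read /etc/passwd and /etc/group) and treats the reserved nobody id 65534 as outside the local range.

```shell
#!/bin/sh
# Added example (not from the guide or smbldap-tools): check that a planned
# smbldap-populate uid/gid range start does not collide with local accounts.

# Constructed sample /etc/passwd content for the demonstration; a real check
# would read /etc/passwd (uids) and /etc/group (gids) instead.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:10002:10002:Backup service:/var/lib/backup:/usr/sbin/nologin'

# max_local_id FIELD PASSWD_TEXT
# Prints the highest uid (FIELD=3) or gid (FIELD=4) below 65534; the nobody
# id is reserved and must not be taken as the top of the local range.
max_local_id() {
    printf '%s\n' "$2" | awk -F: -v f="$1" \
        '$f < 65534 && $f > max { max = $f } END { print max + 0 }'
}

# range_conflicts START PASSWD_TEXT
# Prints "name:uid" for every local account whose uid is >= START; an empty
# result means the range starting at START does not collide with local users.
range_conflicts() {
    printf '%s\n' "$2" | awk -F: -v start="$1" \
        '$3 >= start && $3 < 65534 { print $1 ":" $3 }'
}

# check_range START PASSWD_TEXT
# Returns 0 when START is strictly above every local uid (nobody excluded),
# 1 otherwise, so it can gate the smbldap-populate call in a script.
check_range() {
    conflicts=$(range_conflicts "$1" "$2")
    if [ -n "$conflicts" ]; then
        printf 'range start %s collides with local account(s):\n%s\n' \
            "$1" "$conflicts" >&2
        return 1
    fi
    return 0
}

# Usage: find the highest local uid, then test two candidate range starts.
max_uid=$(max_local_id 3 "$SAMPLE_PASSWD")
echo "highest local uid (excluding nobody): $max_uid"
check_range 10000 "$SAMPLE_PASSWD" || echo "choose a higher start, e.g. $((max_uid + 1))"
check_range 20000 "$SAMPLE_PASSWD" && echo "range start 20000 is safe"
```

With the constructed sample, 10000 is rejected because the local svc-backup account already uses uid 10002, while 20000 passes; the same check should be repeated for gids against /etc/group, since smbldap-populate allocates both.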

Your LDAP directory now has the information needed to authenticate Samba users.

Samba configuration

There are multiple ways to configure Samba. For details on some common configurations, see Samba. To configure Samba to use LDAP, edit its configuration file /etc/samba/smb.conf, commenting out the default passdb backend parameter and adding some LDAP-related ones. Make sure to use the same values you used when running smbldap-populate:

#  passdb backend = tdbsam
   workgroup = EXAMPLE

# LDAP Settings
   passdb backend = ldapsam:ldap://hostname
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=admin,dc=example,dc=com
   # or off if TLS/SSL is not configured
   ldap ssl = start tls
   ldap passwd sync = yes

Change the values to match your environment.

The smb.conf as shipped by the package is quite long and has many configuration examples. An easy way to visualize it without any comments is to run testparm -s.
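A quick lint of the LDAP settings before restarting Samba catches the mistakes this section warns about: the default passdb backend line left uncommented, an ldap admin dn that does not sit under the ldap suffix, and ldap ssl left off (in which case the ldap admin dn bind crosses the network unprotected unless the LDAP server is local). The script below is an added example and not part of this guide or of Samba; the two smb.conf snippets it checks are constructed, and against a real server you would feed it the output of testparm -s instead.

```shell
#!/bin/sh
# Added example (not from the guide or Samba): lint the LDAP-related settings
# of an smb.conf excerpt and report the findings a reviewer would raise.

# Constructed weak configuration: default tdbsam line not commented out,
# LDAP without TLS, and an admin dn outside the configured suffix.
WEAK_CONF='[global]
   passdb backend = tdbsam
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldap://hostname
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=admin,dc=example,dc=org
   ldap ssl = off'

# Constructed hardened configuration following the settings shown above.
GOOD_CONF='[global]
#  passdb backend = tdbsam
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldap://hostname
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap admin dn = cn=admin,dc=example,dc=com
   ldap ssl = start tls
   ldap passwd sync = yes'

# conf_values KEY CONF_TEXT
# Prints the value of every uncommented "KEY = value" line, one per line.
# Only the first "=" separates key from value, so DNs keep their own "=".
conf_values() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[[:space:]]*[#;]/ { next }          # skip commented-out lines
        index($0, "=") == 0 { next }          # skip section headers etc.
        { k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
          gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
          gsub(/^[[:space:]]+|[[:space:]]+$/, "", v) }
        k == key { print v }'
}

# lint_ldap_conf CONF_TEXT
# Prints one FINDING line per problem and returns the number of findings
# (0 means the LDAP settings look consistent).
lint_ldap_conf() {
    conf="$1"; findings=0

    backends=$(conf_values "passdb backend" "$conf")
    count=$(printf '%s\n' "$backends" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -gt 1 ]; then
        echo "FINDING: passdb backend is set $count times; comment out the default tdbsam line"
        findings=$((findings + 1))
    fi
    case "$backends" in
        *ldapsam:*) ;;
        *) echo "FINDING: no ldapsam passdb backend configured"; findings=$((findings + 1)) ;;
    esac

    ssl=$(conf_values "ldap ssl" "$conf" | tail -n 1)
    if [ "$ssl" != "start tls" ]; then
        echo "FINDING: ldap ssl = '$ssl'; the ldap admin dn bind is sent unprotected unless the LDAP server is local"
        findings=$((findings + 1))
    fi

    suffix=$(conf_values "ldap suffix" "$conf" | tail -n 1)
    admin=$(conf_values "ldap admin dn" "$conf" | tail -n 1)
    case "$admin" in
        *",$suffix") ;;
        *) echo "FINDING: ldap admin dn '$admin' is not under ldap suffix '$suffix'"; findings=$((findings + 1)) ;;
    esac

    return "$findings"
}

echo "== weak configuration =="
lint_ldap_conf "$WEAK_CONF" || echo "$? finding(s)"
echo "== hardened configuration =="
lint_ldap_conf "$GOOD_CONF" && echo "clean"
```

On the constructed weak snippet the lint reports three findings; the hardened snippet reports none. Pass it the output of testparm -s rather than the raw file so that includes and defaults are already resolved.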

Now inform Samba of the rootDN user's password (the one set during the installation of the slapd package):

sudo smbpasswd -W

As a final step, to have your LDAP users able to connect to Samba and authenticate, we need these users to also show up in the system as "unix" users. One way to do this is to use libnss-ldap. Detailed instructions can be found in the LDAP Authentication section, but we only need the NSS part.

  1. Install libnss-ldap

    sudo apt install libnss-ldap

    There is no need to use the LDAP rootDN login credentials, so you can skip that step.

  2. Configure the LDAP profile for NSS:

    sudo auth-client-config -t nss -p lac_ldap

  3. Restart the Samba services:

    sudo systemctl restart smbd.service nmbd.service

  4. To quickly test the setup, see if getent can list the Samba groups:

    getent group

    ...
    Account Operators:*:548:
    Print Operators:*:550:
    Backup Operators:*:551:
    Replicators:*:552:

If you have existing LDAP users that you want to include in your new LDAP-backed Samba, they will, of course, also need to be given some of the extra Samba-specific attributes. The smbpasswd utility can do this for you:

sudo smbpasswd -a username

You will be prompted to enter a password. It will be treated as the new password for that user; making it the same as before is reasonable. Note that this command cannot be used to create a new user from scratch in LDAP (unless you are using ldapsam:trusted and ldapsam:editposix, which are not covered in this guide).

To manage users, groups and machine accounts, use the utilities provided by the smbldap-tools package. Here are some examples:

  • To add a new user with a home directory:

    sudo smbldap-useradd -a -P -m username
    

    The -a option adds the Samba attributes, and the -P option calls the smbldap-passwd utility after the user is created, allowing you to enter a password for the user. Finally, -m creates a local home directory. Test with the getent command:

    getent passwd username

    If you don't get a response, then your libnss-ldap configuration is incorrect.

  • To delete a user:

    sudo smbldap-userdel username
    

    In the above command, use the -r option to also remove the user's home directory.

  • To add a group:

    sudo smbldap-groupadd -a groupname
    

    As with smbldap-useradd, the -a option adds the Samba attributes.

  • To make an existing user a member of a group:

    sudo smbldap-groupmod -m username groupname
    

    The -m option can add more than one user at a time by listing them in comma-separated format.

  • To remove a user from a group:

    sudo smbldap-groupmod -x username groupname
    
  • To add a Samba machine account:

    sudo smbldap-useradd -t 0 -w machine_name
    

    Replace machine_name with the name of the workstation. The -t 0 option creates the machine account without a delay, while the -w option specifies that the user is a machine account. Also, note that the add machine script parameter in /etc/samba/smb.conf was changed to use smbldap-useradd.

There are utilities in the smbldap-tools package that have not been covered here. Here is the complete list:

Resources