These class notes are deprecated. As of 2005, I no longer teach the classes. The notes will remain online for legacy purposes.

LDAP01/SAMBA Integration


Provided the Samba build for your platform was compiled with LDAP support enabled, you can simply add the LDAP parameters to Samba's main smb.conf file (generally located in /etc/samba or /etc/smb).

Let's take a look at an example smb.conf file which includes LDAP related items:

 # smb.conf for LDAP-enabled Samba server
 [global]
   netbios name = ODYADMIN
   workgroup = ODYINC
   security = user
   encrypt passwords = yes

   # LDAPsam-related parameters. Only the admin DN is given here; its
   # password is kept in secrets.tdb (see below), never in smb.conf.
   ldap admin dn = "cn=admin,dc=odyssey,dc=com"
   ldap server = ldap.odyssey.com
   # Protect the simple bind and the returned hashes on the wire
   ldap ssl = start_tls
   ldap port = 389
   ldap suffix = "ou=people,dc=odyssey,dc=com"
   # Default LDAP filter if not defined
   ldap filter = "(&(uid=%U)(objectClass=sambaAccount))"

 # Simple share
 [files]
   path = /export/files
   read only = no

Table 8-3 on page 167 explains what each of these ldap-related parameters means. Take a look at them now.

Samba must obtain the Windows password hashes from the directory in order to authenticate a user with encrypted passwords. Because those hashes are password-equivalent, they must never be retrievable by an anonymous user. To bind to the host named by the ldap server parameter, Samba therefore needs a valid ldap admin dn value and that DN's password. The clear-text password is not stored in smb.conf (which is often world-readable). Instead it is stored in the secrets.tdb file, located under /usr/local/samba or /etc/samba depending on the build. The password is still kept in clear text there, so the permissions on secrets.tdb must restrict read and write access to the superuser account (check with ls -l that it is owned by root and not group- or world-readable).

Samba's smbpasswd utility is normally used to perform duties such as manipulating user entries in the password file, joining a Samba server to a Windows domain, and changing passwords for users. But we can also use it to store the admin dn password by executing:

 # smbpasswd -w secret

If the smbpasswd command does not support the -w option, either LDAPsam support was not properly enabled when compiling Samba, or a non-LDAP-enabled version of the tool exists in your $PATH.

Currently, the Samba server uses a simple bind when contacting the directory server to retrieve user information. A simple bind sends the admin DN's password in clear text, and the hashes come back the same way, so the session itself must be protected; that is why the example configuration sets ldap ssl = start_tls.

Configuring OpenLDAP

To store sambaAccount entries in your directory, slapd must know the Samba schema. Locate the samba.schema file shipped with Samba now, and add it to the include lines in slapd.conf.

In addition to the schema change, you must add a new access control rule to prevent normal users from retrieving the LanMan/NT password hashes from the directory. slapd uses the first access directive whose target matches, so the rule protecting the hash attributes must appear before any rule that grants general read access to the subtree. Add the following ACLs to your slapd.conf file:

 access to attrs=userPassword
   by self write
   by * auth

 # Don't let users snoop Win32 passwords. This must come before the
 # subtree rule below, or its "by * read" would win for these attributes.
 access to attrs=lmPassword,ntPassword
   by dn="cn=admin,dc=odyssey,dc=com" write
   by * none

 # Allow the Samba admin to add new entries and modify them; everyone
 # else may read. (A second "access to dn.subtree=... by * read" rule
 # after this one would never be consulted: this rule already matches
 # the whole subtree, and slapd stops at the first match.)
 access to dn.subtree="ou=people,dc=odyssey,dc=com"
   by dn="cn=admin,dc=odyssey,dc=com" write
   by * read

Note that on page 170 of the book they explain how to create a specific admin user just for Samba. This is actually the recommended way to do things, as it is more secure, but for this class we are taking liberties.
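To check what these rules actually grant without a running slapd, here is an added example (my own code, not from the class notes or from OpenLDAP) that models the two first-match steps slapd applies to an access list: the first access to clause whose target matches is the only one consulted, and within it the first by clause matching the requester fixes the access level. It encodes the ACL above as written and a variant with the subtree rule moved first. The entry DN uid=jsmith,ou=people,dc=odyssey,dc=com is made up; regex DNs, set clauses, access control keywords and slapd's global default are not modelled.

```python
"""
Added example: a minimal model of slapd ACL evaluation for the rules in the
class notes, to show why rule order matters. Not part of the notes or of
OpenLDAP; only exact-DN "by dn=", "by self" and "by *" are modelled.
"""

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

ADMIN_DN = "cn=admin,dc=odyssey,dc=com"
PEOPLE = "ou=people,dc=odyssey,dc=com"

# The slapd.conf ACL from the notes, in the order written there.
# Attribute names are lower-cased because LDAP attribute types are
# case-insensitive.
ACL_NOTES = [
    {"attrs": {"userpassword"}, "by": [("self", "write"), ("*", "auth")]},
    {"attrs": {"lmpassword", "ntpassword"},
     "by": [("dn:" + ADMIN_DN, "write"), ("*", "none")]},
    {"subtree": PEOPLE, "by": [("dn:" + ADMIN_DN, "write"), ("*", "read")]},
]

# Same three clauses with the subtree rule placed first: a common mistake.
ACL_MISORDERED = [ACL_NOTES[2], ACL_NOTES[0], ACL_NOTES[1]]


def _target_matches(clause, target_dn, attr):
    """Does this 'access to' clause apply to (entry, attribute)?"""
    if "attrs" in clause:
        return attr.lower() in clause["attrs"]
    return target_dn.lower().endswith(clause["subtree"].lower())


def _who_matches(who, requester, target_dn):
    """Does this 'by' clause apply to the bound DN (None = anonymous)?"""
    if who == "*":
        return True
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith("dn:"):
        return requester is not None and requester.lower() == who[3:].lower()
    raise ValueError(f"unsupported <who> clause: {who}")


def granted(acl, requester, target_dn, attr):
    """Access level slapd would grant `requester` on `attr` of `target_dn`:
    first matching target clause, then first matching 'by' clause inside it."""
    for clause in acl:
        if _target_matches(clause, target_dn, attr):
            for who, level in clause["by"]:
                if _who_matches(who, requester, target_dn):
                    return level
            return "none"  # target matched but no <who> did: denied
    return "none"  # nothing matched; slapd's global default is not modelled


def allows(acl, requester, target_dn, attr, needed):
    """True if the granted level is at least `needed` (write > read > ...)."""
    return LEVELS.index(granted(acl, requester, target_dn, attr)) >= LEVELS.index(needed)


def audit(acl, entry_dn):
    """Sensitive attributes an anonymous bind could read on `entry_dn`."""
    return sorted(a for a in ("userPassword", "lmPassword", "ntPassword")
                  if allows(acl, None, entry_dn, a, "read"))


if __name__ == "__main__":
    user = "uid=jsmith," + PEOPLE  # made-up entry
    for name, acl in (("as written", ACL_NOTES), ("subtree rule first", ACL_MISORDERED)):
        print(f"{name}: anonymous can read {audit(acl, user) or 'no password attributes'}")
```

Running it shows that the ordering in the notes hides the hashes from anonymous users while leaving uid readable, but that moving the subtree rule to the top exposes all three password attributes, because slapd stops at the first matching target and never reaches the stricter rules below it.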



Last edited September 29, 2003 10:30 pm (diff)
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.