The goal is to create a standalone file server with Samba, but with LDAP authentication. In my environment there is a very old NT domain controller, and I don't want to join this domain with my new file server.
In this post I assume that there is an LDAP server already installed and working properly, that nss/pam LDAP authentication is configured and `getent passwd` returns the list of LDAP accounts, and that Samba is configured as a standalone server with `security = user`, a workgroup matching the NT domain, and the NetBIOS name set to FILESERVER. Only LDAP authentication is needed.
Add the ldapsam backend settings to the [global] section of smb.conf:

passdb backend = ldapsam:ldap://ldap.domain.ltd/
ldap delete dn = no
ldap ssl = off
ldap suffix = dc=domain,dc=ltd
ldap admin dn = cn=admin,dc=domain,dc=ltd
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups

Note that with `ldap ssl = off` the bind as the admin DN, and so the admin password, crosses the network in cleartext; unless the LDAP server is on the same host, use `ldap ssl = start tls` (and a server that supports it) or an ldaps:// URL instead.
After that the Samba server has to know the LDAP admin password (it is stored in Samba's secrets.tdb, not in smb.conf):
$ sudo smbpasswd -w secret
The catch is that the SID the Samba server uses as its own domain SID (the one stored in LDAP under sambaDomainName=FILESERVER, which Samba generated for itself when it first started against the ldapsam backend) must be the same as the NT domain SID under which the users' sambaSID values were issued. Without this, Samba rejects every logon and logs something like this:
[2013/09/04 13:33:42.502708, 1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain sid(S-1-5-21-[some SID]-513) does not match the domain sid(S-1-5-21-[domain SID]) for [user_name](S-1-5-21-[domain SID]-8508)
[2013/09/04 13:33:42.502793, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/09/04 13:33:42.502893, 0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
[2013/09/04 13:33:42.502985, 2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password: Authentication for user [user_name] -> [user_name] FAILED with error NT_STATUS_UNSUCCESSFUL
[2013/09/04 13:33:42.503124, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_UNSUCCESSFUL
The SID is stored in LDAP, so it can be changed there: create an LDIF file that replaces the sambaSID attribute of the sambaDomainName=FILESERVER entry with the NT domain SID (the part of a user's sambaSID before the trailing RID), and apply it.

dn: sambaDomainName=FILESERVER,dc=domain,dc=ltd
changetype: modify
replace: sambaSID
sambaSID: S-1-5-21-[DOMAIN SID]
$ sudo ldapmodify -D "cn=admin,dc=domain,dc=ltd" -w secret -f file.ldif
Finally, restart nscd (so it drops its cached passwd and group lookups) and Samba:

$ sudo /etc/init.d/nscd restart
$ sudo /etc/init.d/samba restart
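The SID fix above, scripted, as an added example that is not part of the original post. The helper derives the domain SID from an existing user's sambaSID, checks that the user's sambaSID and sambaPrimaryGroupSID both sit under that domain SID (the exact mismatch the log above complains about), parses the line that `net getlocalsid` prints so the server's current SID can be compared, and generates the LDIF. The sample LDAP entry, the FILESERVER name and the base DN are constructed for the example; `apply_sid_fix` is my assumption about how you would wire ldapmodify and the restarts in, and it is not run unless you call it.

```shell
#!/bin/sh
# Align Samba's own domain SID (sambaDomainName=<netbios name> in LDAP)
# with the NT domain SID that the users' SIDs were issued under.

# sid_domain: strip the trailing RID, e.g. S-1-5-21-a-b-c-8508 -> S-1-5-21-a-b-c
sid_domain() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# valid_domain_sid: a domain SID is S-1-5-21 plus exactly three sub-authorities
valid_domain_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$'
}

# parse_getlocalsid: extract the SID from the line "net getlocalsid" prints,
# i.e. "SID for domain FILESERVER is: S-1-5-21-..."
parse_getlocalsid() {
    printf '%s\n' "$1" | sed -n 's/^SID for domain .* is: \(S-[-0-9]*\)$/\1/p'
}

# check_entry_sids ENTRY DOMAIN_SID: every sambaSID / sambaPrimaryGroupSID
# in an ldapsearch-style entry must be DOMAIN_SID followed by a RID.
check_entry_sids() {
    entry=$1
    domsid=$2
    rc=0
    for sid in $(printf '%s\n' "$entry" | awk '/^(sambaSID|sambaPrimaryGroupSID):/ {print $2}'); do
        if [ "$(sid_domain "$sid")" != "$domsid" ]; then
            echo "mismatch: $sid is not under $domsid" >&2
            rc=1
        fi
    done
    return $rc
}

# make_sid_ldif NETBIOS_NAME BASE_DN DOMAIN_SID: the modify LDIF from the post
make_sid_ldif() {
    valid_domain_sid "$3" || { echo "not a domain SID: $3" >&2; return 1; }
    printf 'dn: sambaDomainName=%s,%s\nchangetype: modify\nreplace: sambaSID\nsambaSID: %s\n' \
        "$1" "$2" "$3"
}

# apply_sid_fix ADMIN_DN: apply the LDIF on stdin and restart nscd + samba.
# -W prompts for the bind password instead of exposing it in the process list.
# Assumed wiring, not called by default.
apply_sid_fix() {
    ldapmodify -D "$1" -W -f - &&
        sudo /etc/init.d/nscd restart &&
        sudo /etc/init.d/samba restart
}

# Constructed sample entry (what "ldapsearch -x uid=user_name" would return)
SAMPLE_USER='dn: uid=user_name,ou=Users,dc=domain,dc=ltd
sambaSID: S-1-5-21-111-222-333-8508
sambaPrimaryGroupSID: S-1-5-21-111-222-333-513'

# Typical use (hypothetical values): derive the domain SID from the user,
# verify the entry is consistent, then build and apply the LDIF.
#   DOMSID=$(sid_domain S-1-5-21-111-222-333-8508)
#   check_entry_sids "$SAMPLE_USER" "$DOMSID" &&
#     make_sid_ldif FILESERVER dc=domain,dc=ltd "$DOMSID" | apply_sid_fix cn=admin,dc=domain,dc=ltd
```

If `check_entry_sids` reports a mismatch, the group entry in ou=Groups (or the user's sambaPrimaryGroupSID) was created under a different SID than the user, and changing the sambaDomainName entry alone will not make the logon succeed; fix the group SIDs in LDAP first.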
After that you should be able to authenticate with a user name and password from the LDAP tree:

% smbclient //fileserver.domain.ltd/share -U user_name
Enter user_name's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.6.6]
smb: \>