Standalone SAMBA server with LDAP authentication

The goal is to create a standalone file server with Samba, but with LDAP authentication. My environment has a very old NT domain controller, and I don't want to join my new file server to that domain.

In this post I assume that an LDAP server is already installed and working properly, that nss/pam LDAP authentication is configured so that getent passwd returns the list of LDAP accounts, and that Samba is configured as a standalone server with security = user, a workgroup matching the NT domain, and the netbios name set to FILESERVER. Only LDAP authentication is needed, so the following goes into smb.conf:

passdb backend = ldapsam:ldap://ldap.domain.ltd/
ldap delete dn = no
ldap ssl = off
ldap suffix = dc=domain,dc=ltd
ldap admin dn = cn=admin,dc=domain,dc=ltd
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups

After that the Samba server has to know the LDAP admin password, which is stored in secrets.tdb:

$ sudo smbpasswd -w secret

The catch is that the Samba server's local SID has to be the same as the NT domain SID, because the users' sambaSID attributes in LDAP carry the NT domain SID while the sambaDomainName entry that Samba uses for its own SID was generated on first start. Without this, Samba will log something like:

[2013/09/04 13:33:42.502708,  1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain sid(S-1-5-21-[some SID]-513) does not match the domain
  sid(S-1-5-21-[domain SID]) for [user_name](S-1-5-21-[domain SID]-8508)
[2013/09/04 13:33:42.502793,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/09/04 13:33:42.502893,  0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
[2013/09/04 13:33:42.502985,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [user_name] -> [user_name] FAILED
  with error NT_STATUS_UNSUCCESSFUL
[2013/09/04 13:33:42.503124,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_UNSUCCESSFUL

This can be fixed in LDAP by creating an ldif file with the modification and applying it with ldapmodify:

dn: sambaDomainName=FILESERVER,dc=domain,dc=ltd
changetype: modify
replace: sambaSID
sambaSID: S-1-5-21-[DOMAIN SID]

$ sudo ldapmodify -D "cn=admin,dc=domain,dc=ltd" -w secret -f file.ldif
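Below is an added example (not from the original post) that automates the two steps just described: it pulls the expected domain SID out of the "does not match the domain sid" log entry, checks the sambaDomainName entry in LDAP against the domain part of a user's sambaSID, and emits the ldif shown above when they differ. The domain name FILESERVER, the suffix dc=domain,dc=ltd and the admin dn are taken from this post; the function names, the sample log and the SID values in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers to spot the
# local-SID / domain-SID mismatch in a Samba log and in LDAP, and to
# generate the ldif that corrects the sambaDomainName entry.
# Constructed sample of the log entry from the post, with made-up SIDs.
SAMPLE_LOG='[2013/09/04 13:33:42.502708,  1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain sid(S-1-5-21-111-222-333-513) does not match the domain
  sid(S-1-5-21-444-555-666) for [user_name](S-1-5-21-444-555-666-8508)'

# Domain SID Samba expects (the "domain sid(...)" with no RID) from a log on stdin.
expected_domain_sid_in_log() {
    grep -o 'sid(S-1-5-21-[0-9]*-[0-9]*-[0-9]*)' | head -n 1 | sed 's/^sid(//; s/)$//'
}

# SID of Samba's own (mismatched) domain, taken from the primary group SID
# in the same log entry, with the 513 RID dropped.
local_domain_sid_in_log() {
    grep -o 'primary group domain sid(S-1-5-21-[0-9]*-[0-9]*-[0-9]*' | head -n 1 | sed 's/.*sid(//'
}

# Drop the trailing RID from a user or group SID, leaving the domain SID.
strip_rid() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# Exit 0 when two non-empty SIDs are identical, 1 otherwise.
sids_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Print the ldif that sets sambaSID on sambaDomainName=$1,$2 to $3.
sid_fix_ldif() {
    printf 'dn: sambaDomainName=%s,%s\nchangetype: modify\nreplace: sambaSID\nsambaSID: %s\n' "$1" "$2" "$3"
}

# Read a Samba log on stdin and print the ldif for domain $1 under suffix $2.
ldif_from_log() {
    sid=$(expected_domain_sid_in_log)
    [ -n "$sid" ] || { echo "no domain SID mismatch found in log" >&2; return 1; }
    sid_fix_ldif "$1" "$2" "$sid"
}

# Live LDAP check (needs ldapsearch and a reachable server). -w passes the
# password on the command line as the post does; -W would prompt instead.
# $1 domain name, $2 suffix, $3 admin dn, $4 password, $5 a user uid to compare
check_ldap() {
    dom=$(ldapsearch -x -LLL -D "$3" -w "$4" -b "sambaDomainName=$1,$2" sambaSID \
          | grep -o 'S-1-5-21-[0-9]*-[0-9]*-[0-9]*')
    usr=$(ldapsearch -x -LLL -D "$3" -w "$4" -b "uid=$5,ou=Users,$2" sambaSID \
          | grep -o 'S-1-5-21-[0-9]*-[0-9]*-[0-9]*-[0-9]*')
    usr=$(strip_rid "$usr")
    if sids_match "$dom" "$usr"; then
        echo "OK: sambaDomainName SID $dom matches user domain SID"
    else
        echo "MISMATCH: sambaDomainName=$dom user-domain=$usr; apply with ldapmodify:" >&2
        sid_fix_ldif "$1" "$2" "$usr"
        return 1
    fi
}

# Offline demonstration on the constructed log; pass --live to query LDAP.
case "${1-}" in
    --live) check_ldap FILESERVER dc=domain,dc=ltd cn=admin,dc=domain,dc=ltd secret user_name ;;
    *)      printf '%s\n' "$SAMPLE_LOG" | ldif_from_log FILESERVER dc=domain,dc=ltd ;;
esac
```

Run without arguments it prints the corrective ldif for the constructed log; with `--live` it compares the sambaDomainName entry against a user's sambaSID in LDAP and prints the ldif only when they differ, so it doubles as a post-fix verification step before restarting the services.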

And finally nscd (to drop its cached LDAP lookups) and Samba need to be restarted.

$ sudo /etc/init.d/nscd restart
$ sudo /etc/init.d/samba restart

After that you should be able to authenticate with a user and password from the LDAP tree.

% smbclient //fileserver.domain.ltd/share -U user_name
Enter user_name's password: 
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.6.6]
smb: \>