Home arrow Site Administration arrow Handling User Accounts in Samba

Handling User Accounts in Samba

In this third part to a four-part series on handling authentication and authorization in Samba, you will learn about username maps, account utilities, and more. It is excerpted from chapter five of Using Samba, Third Edition, written by Gerald Carter, Jay Ts and Robert Eckstein (O'Reilly, 2007; ISBN: 0596007698). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

  1. Handling User Accounts in Samba
  2. Username Maps
  3. Account Utilities
  4. Synchronizing Passwords
By: O'Reilly Media
Rating: starstarstarstarstar / 4
February 21, 2008

print this article



 passdb backend = ldapsam

The third officially supported passdb module is the ldapsam backend. A complete discussion of LDAP is beyond the scope of this book. If you are interested in LDAP and directory services, a recommended resource is LDAP System Administration, by Gerald Carter (OíReilly). The remainder of this section assumes a basic level of comfort with LDAP directories and the OpenLDAP software in particular. If you are using a directory server from a different vendor, the examples should prove easy to adapt.

When you consider the ldapsam backend, the first thing to do is to become familiar with the schema. There are two auxiliary classes and one structural object class that will be encountered in relation to users and groups:


This structural object class is used to store information that is intended to be shared between Samba domain controllers in the same domain. We examine this more in Chapter 9.


This auxiliary object class represents normal user and computer accounts and is commonly used to extend a userís posixAccount entry in the directory. If a user (or computer) does not have a preexisting entry in the directory service, Samba attempts to use the account object as the structural class to instantiate a user. We havenít discussed how machine and domain trust accounts are implemented yet, but we return to this subject in Chapter 9.


This auxiliary object class contains the attributes necessary for Sambaís group mapping functionality and is designed to use the posixGroup class as its structural basis.* Group mapping is covered later in this chapter.

All the necessary attributes and object classes are defined in an OpenLDAP 2.x compatible schema file named samba.schema located in the examples/LDAP directory of the Samba source distribution. In this same location are schema files for other directory services as well, although these may not be up to date. Make sure that you include or import the appropriate schema file into your LDAP serverís configuration. Be aware that Sambaís OpenLDAP schema file requires you include the nis.schema, inetorgperson.schema, and cosine.schema files first.

Remember that the LanMan ( sambaLMPassword ) and NT ( sambaNTPassword ) password hashes stored in the sambaSamAccount object are plain-text equivalents and should never be made readable to users. Access control rules should restrict these attributes to administrative users only, such as Sambaís ldap admin dn distinguished name (discussed a few paragraphs ahead). The following ACLs in OpenLDAPís slapd.conf file protect the passwords from normal users but allow them to be read and modified by Samba:

  ## protect the samba password hashes
  access to attr=sambaNTPassword,sambaLMPasswor d
    by cn=smbadmin,ou=people,dc=example,dc=com write
    by * none

For performance reasons, the directory service should support fast equality searches on the uid , cn , sambaSID , gidNumber , uidNumber , and displayName attributes. Newer Samba releases (beginning with 3.0.23) also use a substring matching rule on the sambaSID attribute. To effect this performance enhancement, add the following indexes (or their equivalents) to the serverís database section, if any are missing.

  ## Samba's index settings for OpenLDAP's slapd.conf
index   uid,cn,displayName,memberUid   eq
  index   uidNumber,gidNumber            eq
  index   sambaSID                       eq,

Finally, it may be necessary to restart your directory server and/or rerun indexing tools to get it to recognize the changes.

Begin configuring smb.conf by setting up the connection parameters, starting with the LDAP serverís URI in the passdb backend value.

      passdb backend = ldapsam:ldap://localhost/

By default, all LDAP requests are sent to the directory in an unencrypted form. Unless the master LDAP server and Samba are running on the same machine, it is highly recommended that you take steps to secure the LDAP traffic from eavesdrop ping. Even when an LDAP replica is running locally on the Samba host, any referrals going back to the master LDAP server must still be encrypted.

Use the ldaps:// URI in the passdb backend option if you wish to connect using LDAP over SSL. However, using StartTLS is the recommended method for configuring data privacy when communicating with an LDAP directory. In this case, the ldap:// URI suffices. To enable StartTLS support, add the following setting to the [global] section:

  ldap ssl = start_tls

It is possible to include multiple LDAP URIs in a single-quoted string for purposes of fault tolerance or load balancing. If there are two servers, ldap1 and ldap2, which are replicas of the directory, we can configure Samba to use one in case the other is unavailable. The list of servers is passed on to the underlying LDAP client libraries, which handle the actual network connection details and any failover behavior. The ldap ssl parameter is included here to reiterate the need to secure all communication with the directory service; its value, however, specifies the use of StartTLS instead of SSL:

  passdb backend = ldapsam:"ldap://ldap1/ ldap://ldap2/ "
  ldap_ssl = start_tls

Samba treats LDAP as another storage facility for users and groups. Thus all of the userís attributes are retrieved from the directory when a SMB/CIFS connection request must be authenticated. When configuring the directory service access con trol settings, we restricted the password hashes to be readable only by Samba itself when using its ldap admin dn distinguished name to bind to the server:

  ldap admin dn = cn=smbadmin,ou=people,dc=example,dc=com

The password associated with this privileged DN is stored in clear text separately in secrets.tdb. The smbpasswd command can store these credentials interactively ( -W option) or on a command line ( -w option). Here we have chosen to enter it interactively so that the password will not be displayed in the output of ps:

  root# smbpasswd -W
Setting stored password for "cn=smbadmin,ou=people,dc=example,dc=com"
in secrets.tdb
  New SMB password: <enter password>
  Retype new SMB password:
<re-enter password>

The final bit of information that Samba requires for ldapsam is the set of base suffixes used to query and store users and groups. The top-level suffix is specified by the ldap suffix option. This DN should be the parent of the other smb.conf search suffixes, which are specified by the following options:

ldap user suffix
   The search base for locating and storing user

ldap machine suffix
   The search base for locating and storing computer
   and domain trust accounts

ldap group suffix
   The search base for locating and storing group
   mapping entries

ldap idmap suffix
   The search base for mapping winbinddís SIDs to the
   Samba hostís uid/gid entries; additional information
   on winbindd is provided in Chapter 10

The ldap suffix should be specified first in smb.conf and should be a full DN. The remaining search suffixes should be defined relative to the ldap suffix value. In order to support a directory name space such as the directory information tree (DIT) shown in Figure 5-2, we would add the following parameters to Sambaís configuration:

ldap suffix         = dc=example,dc=com
ldap user suffix    = ou=people
ldap machine suffix = ou=people
ldap group suffix   = ou=group
ldap idmap suffix   = ou=idmap

It is possible to define different machine and user suffixes. If you do so, the serverís LDAP NSS module must search both bases when querying for a posixAccount . As one of the Samba developers has said, ďMachines are people too.Ē The nss_ldap library from PADL software (http://www.padl.com) supports this by enabling the

Figure 5-2.  Samba's DIT

libraryís RFC2307bis extensions (pass the --enable-rfc2307bis option to the nss_ldap configure script when compiling) and then defining multiple nss_base_passwd directives in its configuration file (usually /etc/ldap.conf). The complete details of PADLís nss_ldap configuration is beyond the scope of this discussion. For more information, please refer to PADLís web site and the documentation included with its software.

To finish off the section, Table 5-10 lists the LDAP-related parameters supported in smb.conf. Samba and LDAP integration are revisited in Chapters 9 and 10.

Table 5-10. LDAP-related parameters

Parameter Value Description Default Scope
ldap admin dn DN The user DN entry with administrative access to read and modify all Samba attributes and entries in the directory."" Global
ldap replication sleepinteger (in milliseconds)The period to delay queries to an LDAP replica after updating the master directory server. 1000 Global
ldap ssl off Transport layer encryption settings when not using LDAPS in the ldapsam server URI. off Global
ldap suffix DN The parent search suffix that establishes the base suffix for LDAP queries."" Global
ldap group suffix DN The suffix relative to the ldap suffix that stores group mapping information."" Global
ldap idmap suffix DN The suffix relative to the ldap suffix that stores winbinddís identity mapping information. "" Global
ldap machine DN The suffix relative to the ldap suffix that stores computer and domain trust account suffix information"" Global
ldap user suffix DN The suffix relative to the ldap suffix that stores user account information."" Global
ldap timeout integer (in seconds)The maximum time in seconds to wait for a response to an LDAP query.15 Global

>>> More Site Administration Articles          >>> More By O'Reilly Media

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Coding: Not Just for Developers
- To Support or Not Support IE?
- Administration: Networking OSX and Win 7
- DotNetNuke Gets Social
- Integrating MailChimp with Joomla: Creating ...
- Integrating MailChimp with Joomla: List Mana...
- Integrating MailChimp with Joomla: Building ...
- Integrating MailChimp with Joomla
- More Top WordPress Plugins for Social Media
- Optimizing Security: SSH Public Key Authenti...
- Patches and Rejects in Software Configuratio...
- Configuring a CVS Server
- Managing Code and Teams for Cross-Platform S...
- Software Configuration Management
- Back Up a Joomla Site with Akeeba Backup

Developer Shed Affiliates


Dev Shed Tutorial Topics: