
In document Ubuntu Server Guide (Page 138-142)


Chapter 7. Network Authentication

2. Samba and LDAP

2.3. Samba Configuration

There are multiple ways to configure Samba. For details on some common configurations see Chapter 18, Samba [p. 296]. To configure Samba to use LDAP, edit its configuration file /etc/samba/smb.conf, commenting out the default passdb backend parameter and adding some LDAP-related ones:

# passdb backend = tdbsam

# LDAP Settings
passdb backend = ldapsam:ldap://hostname
ldap suffix = dc=example,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=example,dc=com
ldap ssl = start tls
ldap passwd sync = yes
...
add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"

The ldap ssl = start tls line matters: Samba binds to the directory as the ldap admin dn and reads and writes the NT password hashes stored in the sambaNTPassword attribute, so a plain ldap:// URL without STARTTLS (or an ldaps:// URL) sends that bind and those hashes across the network in clear text.

Change the values to match your environment.
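Samba silently takes the last occurrence of a repeated parameter and ignores settings placed in the wrong section, so a leftover passdb backend = tdbsam further down the file or an ldap ssl line under a share section defeats the LDAP setup without any error. The following script, an added example that is not part of the Ubuntu Server Guide, extracts parameters from the [global] section of an smb.conf the way Samba reads them (case-insensitive names, last occurrence wins) and checks the settings this section relies on. The two sample configurations it builds are constructed inline; the host name ldap01.example.com and the suffixes are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu Server Guide: a small audit of the
# LDAP-related settings in an smb.conf. The sample configurations below are
# constructed inline; the host name and suffixes are assumptions.

# smb_get FILE PARAMETER
# Print every value of PARAMETER found in the [global] section, in file order.
# Samba treats parameter names case-insensitively, ignores whitespace around
# '=' and lets the last occurrence win, so callers take the last printed line.
smb_get() {
    awk -v key="$2" '
        BEGIN { inglobal = 1 }
        /^[ \t]*\[/ { inglobal = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        inglobal && !/^[ \t]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) print v
        }' "$1"
}

# smb_ldap_audit FILE
# Returns 0 when the LDAP backend is configured as the section describes,
# 1 otherwise, printing one FAIL line per finding.
smb_ldap_audit() {
    f=$1 rc=0
    backend=$(smb_get "$f" "passdb backend" | tail -n 1)
    case "$backend" in
        ldapsam:ldaps://*) ;;   # TLS from the first byte, nothing more to check
        ldapsam:ldap://*)
            # Plain ldap:// is acceptable only if STARTTLS is forced; otherwise
            # the admin bind and the NT hashes travel in clear text.
            tls=$(smb_get "$f" "ldap ssl" | tail -n 1)
            [ "$tls" = "start tls" ] || { echo "FAIL: ldap:// URL without 'ldap ssl = start tls'"; rc=1; } ;;
        *)  echo "FAIL: passdb backend is '${backend:-unset}', expected ldapsam:..."; rc=1 ;;
    esac
    for p in "ldap suffix" "ldap admin dn"; do
        [ -n "$(smb_get "$f" "$p")" ] || { echo "FAIL: '$p' is not set"; rc=1; }
    done
    # Without passwd sync, a password change through Samba leaves the LDAP
    # userPassword used by PAM/SSH unchanged, and the two drift apart.
    [ "$(smb_get "$f" "ldap passwd sync" | tail -n 1)" = "yes" ] || { echo "FAIL: 'ldap passwd sync' is not yes"; rc=1; }
    return "$rc"
}

# sample_conf good|weak -> prints the path of a temporary smb.conf.
# Constructed sample inputs: one that follows the section, one with two
# common slips (STARTTLS disabled, tdbsam left active below the LDAP lines).
sample_conf() {
    f=$(mktemp) || return 1
    {
        echo '[global]'
        echo '   workgroup = EXAMPLE'
        echo '   # passdb backend = tdbsam'
        echo '   passdb backend = ldapsam:ldap://ldap01.example.com'
        echo '   ldap suffix = dc=example,dc=com'
        echo '   ldap admin dn = cn=admin,dc=example,dc=com'
        if [ "$1" = good ]; then
            echo '   ldap ssl = start tls'
            echo '   ldap passwd sync = yes'
        else
            echo '   ldap ssl = off'
            echo '   passdb backend = tdbsam'   # later line wins: LDAP silently unused
        fi
        echo '[homes]'
        echo '   ldap ssl = start tls'          # wrong section, must be ignored
    } > "$f"
    echo "$f"
}

# Usage: ./smb_ldap_audit.sh /etc/samba/smb.conf
if [ "$#" -gt 0 ]; then
    smb_ldap_audit "$1"
fi
```

Run it against the real file after editing; `testparm -s` remains the authoritative parser, but it only reports syntax, not whether the LDAP settings are the ones that take effect.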

Restart Samba to enable the new settings:

sudo restart smbd
sudo restart nmbd

On releases that use systemd rather than Upstart, the equivalent is sudo systemctl restart smbd nmbd.

Now inform Samba about the rootDN user's password (the one set during the installation of the slapd package), so that it can bind as the ldap admin dn:

sudo smbpasswd -w password

Samba stores this password in its secrets.tdb under /var/lib/samba/private, which must remain readable by root only. The password also appears on the command line, so it lands in the shell history and is briefly visible in the process list; clear the history entry afterwards, or run the command from a shell that does not record it.

If you have existing LDAP users that you want to include in your new LDAP-backed Samba, they will also need to be given the extra Samba attributes. The smbpasswd utility can do this as well (your host will need to be able to see, that is enumerate, those users via NSS; install and configure either libnss-ldapd or libnss-ldap):

sudo smbpasswd -a username

You will be prompted to enter a password. It becomes the user's new Samba password (and, with ldap passwd sync = yes, the LDAP userPassword attribute is kept in step with it). Making it the same as the user's existing password is reasonable.

To manage user, group, and machine accounts use the utilities provided by the smbldap-tools package. Here are some examples:

• To add a new user:

sudo smbldap-useradd -a -P username

The -a option adds the Samba attributes, and the -P option calls the smbldap-passwd utility after the user is created allowing you to enter a password for the user.

• To remove a user:

sudo smbldap-userdel username

In the above command, use the -r option to remove the user's home directory.

• To add a group:

sudo smbldap-groupadd -a groupname

As for smbldap-useradd, the -a adds the Samba attributes.

• To make an existing user a member of a group:

sudo smbldap-groupmod -m username groupname

The -m option can add more than one user at a time by listing them in comma-separated format.

• To remove a user from a group:

sudo smbldap-groupmod -x username groupname

• To add a Samba machine account:

sudo smbldap-useradd -t 0 -w username

Replace username with the name of the workstation. The -t 0 option creates the machine account without a delay, while the -w option specifies that the account is a machine account. Also, note that the add machine script parameter in /etc/samba/smb.conf was changed to use smbldap-useradd, so Samba runs this same command with the workstation name substituted for %u when a machine joins the domain.
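The smbldap-* commands above run with sudo, and in the add machine script case the workstation name they receive originates from a client joining the domain rather than from an administrator's keyboard. The script below, an added example that is not part of the Ubuntu Server Guide, wraps the three commands from this list and refuses any account name that is not a plain user name or a NetBIOS-style machine name before anything privileged runs. The accepted patterns are an assumption (lower-case POSIX user names; machine names of at most 15 characters with an optional trailing '$', the form in which Samba hands %u to add machine script).

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide: wrappers around the
# smbldap-tools commands from this section that validate the account name
# before it reaches a command run with sudo. The name patterns are an
# assumption (POSIX user names; 15-character NetBIOS machine names with an
# optional trailing '$', which is how Samba hands %u to 'add machine script').

# valid_account_name NAME user|machine -> 0 if NAME is acceptable, 1 if not,
# 2 for an unknown kind.
valid_account_name() {
    case "$2" in
        machine) pat='^[A-Za-z0-9][A-Za-z0-9-]{0,14}\$?$' ;;
        user)    pat='^[a-z_][a-z0-9_-]{0,30}$' ;;
        *)       return 2 ;;
    esac
    printf '%s\n' "$1" | grep -Eq -- "$pat"
}

# machine_principal NAME -> NAME with exactly one trailing '$', so that
# 'ws01' and 'ws01$' name the same machine account.
machine_principal() {
    printf '%s\n' "$1" | sed 's/\$*$/$/'
}

# Each wrapper refuses (exit status 2) before running anything privileged;
# otherwise it returns the exit status of the smbldap-* command.
add_samba_user() {        # add_samba_user NAME
    valid_account_name "$1" user || { echo "refusing user name: '$1'" >&2; return 2; }
    sudo smbldap-useradd -a -P "$1"   # -a: Samba attributes, -P: prompt for password
}

add_to_group() {          # add_to_group NAME GROUP
    valid_account_name "$1" user && valid_account_name "$2" user \
        || { echo "refusing: '$1' / '$2'" >&2; return 2; }
    sudo smbldap-groupmod -m "$1" "$2"
}

add_machine_account() {   # add_machine_account WORKSTATION
    valid_account_name "$1" machine || { echo "refusing machine name: '$1'" >&2; return 2; }
    sudo smbldap-useradd -t 0 -w "$(machine_principal "$1")"
}

# Usage: source this file, then e.g.  add_samba_user alice; add_to_group alice staff
```

If you route add machine script through a wrapper like add_machine_account, keep it short and free of interactive prompts: Samba runs that script as root during the join and only looks at its exit status.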

There are utilities in the smbldap-tools package that were not covered here. Here is a complete list:

• smbldap-groupadd

• For more information on installing and configuring Samba see Chapter 18, Samba [p. 296] of this Ubuntu Server Guide.

• There are multiple places where LDAP and Samba are documented in the upstream Samba HOWTO Collection.

• Regarding the above, see specifically the passdb section.

• Although dated (2007), the Linux Samba-OpenLDAP HOWTO contains valuable notes.

• The main page of the Samba Ubuntu community documentation has a plethora of links to articles that may prove useful.

3. Kerberos

Kerberos is a network authentication system based on the principle of a trusted third party, the other two parties being the user and the service the user wishes to authenticate to. Not all services and applications can use Kerberos, but for those that can, it brings the network environment one step closer to Single Sign On (SSO).

This section covers installation and configuration of a Kerberos server, and some example client configurations.

3.1. Overview

If you are new to Kerberos there are a few terms that are good to understand before setting up a Kerberos server. Most of the terms will relate to things you may be familiar with in other environments:

• Principal: any user, computer, or service provided by a server needs to be defined as a Kerberos principal.

• Instances: are used for service principals and special administrative principals.

• Realms: the unique realm of control provided by the Kerberos installation. Think of it as the domain or group your hosts and users belong to. Convention dictates the realm should be in uppercase. By default, Ubuntu will use the DNS domain converted to uppercase (EXAMPLE.COM) as the realm.

• Key Distribution Center: (KDC) consists of three parts: a database of all principals, the authentication server, and the ticket granting server. For each realm there must be at least one KDC.

• Ticket Granting Ticket: issued by the Authentication Server (AS), the Ticket Granting Ticket (TGT) is encrypted with the KDC's own key; the reply that delivers it, together with the session key, is encrypted with a key derived from the user's password, which is known only to the user and the KDC.

• Ticket Granting Server: (TGS) issues service tickets to clients upon request.

• Tickets: confirm the identity of the two principals, one being a user and the other a service requested by the user. Tickets establish an encryption key used for secure communication during the authenticated session.

• Keytab Files: are files extracted from the KDC principal database and contain the encryption key for a service or host. Because a keytab is equivalent to that principal's password, it must be readable only by the account that runs the service.

To put the pieces together, a realm has at least one KDC, preferably more for redundancy, which contains a database of principals. When a user principal logs into a workstation that is configured for Kerberos authentication, the workstation asks the KDC for a Ticket Granting Ticket (TGT). Only a client that knows the user's password can decrypt the reply, so a successful decryption authenticates the user, who can then request tickets for Kerberized services from the Ticket Granting Server (TGS). The service tickets allow the user to authenticate to the service without entering another username and password.
