Wednesday, October 1, 2008

Samba 3 user authentication against OpenLDAP server

The Samba 3 daemon runs on the same host as the LDAP server (OpenLDAP 2.4), and only the following LDAP-related settings are added to /etc/samba/smb.conf:

passdb backend = ldapsam:ldap://127.0.0.1/
#Specifies the base for all ldap suffixes and for storing the sambaDomain object
ldap suffix = dc=examples,dc=com

ldap ssl = off
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=Hosts
ldap delete dn = no
ldap admin dn = cn=manager,dc=examples,dc=com
# You will need to give samba the password for this dn, by
# running 'smbpasswd -w mypassword'


Then run testparm to make sure the smb.conf file is OK. New Samba users can be added to the LDAP directory by running "pdbedit -a -u username", provided that username already exists on the system (e.g. in /etc/passwd). Otherwise run "useradd username" first.

At the LDAP server, pdbedit creates an entry sambaDomainName=XXX,dc=examples,dc=com, where XXX must be the NetBIOS name of the Samba server. It carries the required attribute sambaSID=S-YYY. The Samba user entry created by pdbedit has the following attributes:

objectClass: sambaSamAccount
sambaAcctFlags: [U ]
sambaLMPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaNTPassword: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
sambaPwdLastSet: 1222817828
sambaSID: S-YYY-ZZZ

Note that the sambaPwdLastSet attribute is required for the Windows client to authenticate properly. Without it, "net use" reports the following error:

System error 1907 has occurred.
The user's password must be changed before logging on the first time.

If the pwdInHistory attribute of the password policy under cn=default,ou=password policies is set and a user tries to change his password in Windows to one stored in the history, he will receive an error message like the following:
Your password must be at least x characters; cannot repeat any of your previous x passwords; must contain capitals, numerals or punctuation; and cannot contain your account or full name. Please type a different password. Type a password which meets these requirements in both text boxes.

The required attributes can easily be added to all existing user account entries with the Perl module Net::LDAP.
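As an added example (not a script from the original post), the following Perl program uses Net::LDAP to find every sambaSamAccount entry under ou=People that lacks sambaPwdLastSet and adds it, which is the attribute whose absence produces the "System error 1907" above. It assumes the suffix, admin DN and server address from the smb.conf fragment; the LDAP_ADMIN_PW environment variable and the --dry-run switch are assumptions of this example, not part of Samba or Net::LDAP.

```perl
#!/usr/bin/perl
# Added example: add a missing sambaPwdLastSet to existing Samba accounts.
# Assumes the directory layout from the smb.conf above; the manager password
# is taken from the environment (LDAP_ADMIN_PW) instead of being hard-coded.
use strict;
use warnings;
use Net::LDAP;

my $uri      = 'ldap://127.0.0.1/';
my $admin_dn = 'cn=manager,dc=examples,dc=com';
my $base     = 'ou=People,dc=examples,dc=com';
my $password = $ENV{LDAP_ADMIN_PW} or die "set LDAP_ADMIN_PW first\n";
my $dry_run  = grep { $_ eq '--dry-run' } @ARGV;   # assumed switch: report only

my $ldap = Net::LDAP->new($uri) or die "cannot connect to $uri: $@";
my $mesg = $ldap->bind($admin_dn, password => $password);
die 'bind failed: ' . $mesg->error . "\n" if $mesg->code;

# Restrict the search to Samba accounts that do not yet carry the attribute,
# so accounts pdbedit already populated are left untouched.
$mesg = $ldap->search(
    base   => $base,
    scope  => 'sub',
    filter => '(&(objectClass=sambaSamAccount)(!(sambaPwdLastSet=*)))',
    attrs  => ['uid'],
);
die 'search failed: ' . $mesg->error . "\n" if $mesg->code;

# pdbedit stores sambaPwdLastSet as seconds since the epoch (e.g. 1222817828).
my $now = time();

for my $entry ($mesg->entries) {
    my $dn = $entry->dn;
    if ($dry_run) {
        print "would add sambaPwdLastSet=$now to $dn\n";
        next;
    }
    my $mod = $ldap->modify($dn, add => { sambaPwdLastSet => $now });
    if ($mod->code) {
        warn "$dn: " . $mod->error . "\n";
    } else {
        print "updated $dn\n";
    }
}

$ldap->unbind;
```

Run it once with --dry-run to see which DNs would change before writing to the directory. The filter excludes entries that already have the attribute, so rerunning the script is safe; it does not alter sambaLMPassword or sambaNTPassword, which pdbedit must set.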
