[SoftNAS KB]: Samba LDAP Configuration

Symptoms

To configure your SoftNAS instance as an LDAP client, allowing you to integrate LDAP users, you can do so via the UI by navigating to and expanding Identity and Access Control, under Settings, in the Storage Administration pane. For those familiar with command line configuration, and/or pre-existing configurations they wish to apply quickly, LDAP client configurations can be added through Samba.

Purpose

This article walks the client through LDAP client configuration via Samba.

Resolution

Samba LDAP schema

The following steps must be performed on the LDAP server:

Create the conversion file schema_convert.conf somewhere with the following content (make sure the paths exist):

   include /etc/openldap/schema/core.schema
   include /etc/openldap/schema/collective.schema
   include /etc/openldap/schema/corba.schema
   include /etc/openldap/schema/cosine.schema
   include /etc/openldap/schema/duaconf.schema
   include /etc/openldap/schema/dyngroup.schema
   include /etc/openldap/schema/inetorgperson.schema
   include /etc/openldap/schema/java.schema
   include /etc/openldap/schema/misc.schema
   include /etc/openldap/schema/nis.schema
   include /etc/openldap/schema/openldap.schema
   include /etc/openldap/schema/ppolicy.schema
   include /etc/openldap/schema/samba.schema


Create a temporary directory named /tmp/ldap_schemas and run the conversion with that directory as the target:

   slaptest -f schema_convert.conf -F /tmp/ldap_schemas


Delete the following entries from the end of the file /tmp/ldap_schemas/cn=config/cn=schema/cn={12}samba.ldif (the values will differ on your server):

   structuralObjectClass: olcSchemaConfig
   entryUUID: 87d6a1f0-fafd-1034-8589-c5fa9a8202ed
   creatorsName: cn=config
   createTimestamp: 20150929135547Z
   entryCSN: 20150929135547.659326Z#000000#000#000000
   modifiersName: cn=config
   modifyTimestamp: 20150929135547Z

Edit /tmp/ldap_schemas/cn=config/cn=schema/cn={12}samba.ldif and replace the lines below:

   dn: cn={12}samba
   objectClass: olcSchemaConfig
   cn: {12}samba

with these lines:

   dn: cn=samba,cn=schema,cn=config
   objectClass: olcSchemaConfig
   cn: samba

Apply the new LDAP schema:

    ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ldap_schemas/cn\=config/cn\=schema/cn\=\{12\}samba.ldif

SoftNAS host configuration

The following steps must be performed on the SoftNAS host:

In /etc/nslcd.conf replace these parameters with the actual values of your LDAP server:

   # uri of LDAP server
   uri ldap://ldap.example.com:389/

   # search base
   base dc=example,dc=com

   # dn for search request if LDAP server doesn't allow anonymous search
   binddn cn=proxyuser,dc=example,dc=com

   # password for search dn
   bindpw secret

In /etc/nsswitch.conf add ldap at the end of the passwd, group and shadow entries. It should look like this:

   passwd: compat winbind ldap
   group: compat winbind ldap
   shadow: compat ldap

Samba configuration

The following steps must be performed on the SoftNAS host:

Replace the [global] section in /etc/samba/smb.conf with the data below, substituting the actual values for passdb backend, ldap suffix, ldap user suffix, ldap group suffix and ldap admin dn (the ldap admin dn must have rights to edit the user DNs):

        [global]
        security = user
        passdb backend = ldapsam:ldap://ldap.example.com:389/
        ldap suffix = dc=example,dc=com
        ldap user suffix = ou=users
        ldap group suffix = ou=groups
        ldap admin dn = cn=Manager,dc=example,dc=com
        ldap ssl = no
        ldap passwd sync = yes
        ldap delete dn = no

Save the password for cn=Manager,dc=example,dc=com in Samba:

        root@softnas# smbpasswd -W


Restart Samba:

        root@softnas# /etc/init.d/sernet-samba-smbd restart

        root@softnas# /etc/init.d/sernet-samba-nmbd restart


Now you can enable LDAP users for use by Samba:

        root@softnas# smbpasswd -a username
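The helper script below is an added example, not part of this article or of SoftNAS's tooling; it automates and checks the SoftNAS-host steps above (the /etc/nsswitch.conf edit, the /etc/nslcd.conf file that stores bindpw in the clear, and the smb.conf [global] section). The function names are assumptions, and every file path is a parameter so each function can be tried on a copy of the real file first.

```shell
#!/bin/sh
# Added helper script (not SoftNAS's own tooling) for the SoftNAS-host steps
# above. It appends "ldap" to the passwd/group/shadow lines of nsswitch.conf
# without duplicating it, checks that nslcd.conf, which holds "bindpw" in the
# clear, is readable only by its owner, and flags an smb.conf whose passdb
# backend talks plain ldap:// with "ldap ssl" not set to "start tls".
# File paths are parameters so each function can be tried on a copy first.

# add_ldap_to_nsswitch FILE : rewrite FILE in place; safe to run repeatedly
add_ldap_to_nsswitch() {
    f="$1"; tmp="$f.tmp.$$"
    awk '
        /^[[:space:]]*(passwd|group|shadow)[[:space:]]*:/ {
            # append only when "ldap" is not already listed as a source
            if ($0 !~ /[[:space:]:]ldap([[:space:]]|$)/) $0 = $0 " ldap"
        }
        { print }' "$f" > "$tmp" && mv "$tmp" "$f"
}

# nsswitch_has_ldap FILE DB : succeed when the DB line (passwd, group, ...) lists ldap
nsswitch_has_ldap() {
    awk -v db="$2" '
        $0 ~ ("^[[:space:]]*" db "[[:space:]]*:") && $0 ~ /[[:space:]:]ldap([[:space:]]|$)/ { ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# nslcd_conf_private FILE : succeed only when group and other have no permission bits
nslcd_conf_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# smbconf_ldap_cleartext FILE : succeed when [global] uses ldapsam over plain
# ldap:// without "ldap ssl = start tls" (admin dn password sent unencrypted)
smbconf_ldap_cleartext() {
    awk '
        /^[[:space:]]*\[/ { g = ($0 ~ /^[[:space:]]*\[global\][[:space:]]*$/) }
        g && index($0, "=") {
            i = index($0, "="); key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == "passdb backend" && val ~ /^ldapsam:ldap:\/\//) plain = 1
            if (key == "ldap ssl" && val ~ /^start[[:space:]]+tls$/) tls = 1
        }
        END { exit (plain && !tls) ? 0 : 1 }' "$1"
}
```

With the [global] section shown in this article, smbconf_ldap_cleartext succeeds, meaning the ldap admin dn password saved with smbpasswd -W crosses the network unencrypted; switching to ldaps:// or ldap ssl = start tls makes it fail.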

 

Additional Information

CIFS/SAMBA configuration via the UI can be found here: