---
myst:
html_meta:
description: Legacy guide for integrating Samba NT4 mode with OpenLDAP backend for centralized authentication and account management.
---
(openldap-backend-legacy)=
# OpenLDAP backend (legacy)
```{note}
This section is flagged as *legacy* because nowadays, Samba 4 is best integrated with its own LDAP server in Active Directory mode. Integrating Samba with LDAP as described here covers the NT4 mode, which has been deprecated for many years.
```
This section covers the integration of Samba with LDAP. The Samba server's role will be that of a "standalone" server and the LDAP directory will provide the authentication layer in addition to containing the user, group, and machine account information that Samba requires in order to function (in any of its 3 possible roles). The pre-requisite is an OpenLDAP server configured with a directory that can accept authentication requests. See {ref}`Install LDAP ` and {ref}`LDAP with Transport Layer Security ` for details on fulfilling this requirement. Once those steps are completed, you will need to decide what specifically you want Samba to do for you and then configure it accordingly.
This guide will assume that the LDAP and Samba services are running on the same server and therefore use SASL EXTERNAL authentication whenever changing something under *cn=config*. If that is not your scenario, you will have to run those LDAP commands on the LDAP server.
## Install the software
There are two packages needed when integrating Samba with LDAP: `samba` and `smbldap-tools`.
Strictly speaking, the `smbldap-tools` package isn't needed, but unless you have some other way to manage the various Samba entities (users, groups, computers) in an LDAP context then you should install it.
Install these packages now:
```bash
sudo apt install samba smbldap-tools
```
## Configure LDAP
We will now configure the LDAP server so that it can accommodate Samba data. We will perform three tasks in this section:
- Import a schema
- Index some entries
- Add objects
### Samba schema
In order for OpenLDAP to be used as a backend for Samba, the DIT will need to use attributes that can properly describe Samba data. Such attributes can be obtained by introducing a Samba LDAP schema. Let's do this now.
The schema is found in the now-installed samba package and is already in the LDIF format. We can import it with one simple command:
```bash
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /usr/share/doc/samba/examples/LDAP/samba.ldif
```
To query and view this new schema:
```bash
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'cn=*samba*'
```
### Samba indices
Now that `slapd` knows about the Samba attributes, we can set up some indices based on them. Indexing entries is a way to improve performance when a client performs a filtered search on the DIT.
Create the file `samba_indices.ldif` with the following contents:
```text
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcDbIndex
olcDbIndex: objectClass eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid,cn eq,sub
olcDbIndex: memberUid eq,sub
olcDbIndex: member,uniqueMember eq
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub,eq
```
Using the `ldapmodify` utility load the new indices:
```bash
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif
```
If all went well you should see the new indices when using `ldapsearch`:
```bash
sudo ldapsearch -Q -LLL -Y EXTERNAL -H \
ldapi:/// -b cn=config olcDatabase={1}mdb olcDbIndex
```
### Adding Samba LDAP objects
Next, configure the `smbldap-tools` package to match your environment. The package comes with a configuration helper script called `smbldap-config`. Before running it, though, you should decide on two important configuration settings in `/etc/samba/smb.conf`:
- **`netbios name`**
How this server will be known. The default value is derived from the server's {term}`hostname`, but truncated at 15 characters.
- **`workgroup`**
The `workgroup` name for this server, or, if you later decide to make it a domain controller, this will be the domain.
It's important to make these choices now because `smbldap-config` will use them to generate the config that will be later stored in the LDAP directory. If you run `smbldap-config` now and later change these values in `/etc/samba/smb.conf` there will be an inconsistency.
Once you are happy with `netbios name` and `workgroup`, proceed to generate the `smbldap-tools` configuration by running the configuration script which will ask you some questions:
```bash
sudo smbldap-config
```
Some of the more important ones:
- **`workgroup name`**
Has to match what you will configure in `/etc/samba/smb.conf` later on.
- **`ldap suffix`**
Has to match the LDAP suffix you chose when you configured the LDAP server.
- **`other ldap suffixes`**
They are all relative to `ldap suffix` above. For example, for `ldap user suffix` you should use `ou=People`, and for computer/machines, use `ou=Computers`.
- **`ldap master bind dn`** and **`bind password`**
Use the Root {term}`DN` credentials.
The `smbldap-populate` script will then add the LDAP objects required for Samba. It will ask you for a password for the "domain root" user, which is also the "root" user stored in LDAP:
```bash
sudo smbldap-populate -g 10000 -u 10000 -r 10000
```
The `-g`, `-u` and `-r` parameters tell `smbldap-tools` where to start the numeric `uid` and {term}`gid` allocation for the LDAP users. You should pick a range start that does not overlap with your local `/etc/passwd` users.
You can create a LDIF file containing the new Samba objects by executing `sudo smbldap-populate -e samba.ldif`. This allows you to look over the changes making sure everything is correct. If it is, rerun the script without the `'-e'` switch. Alternatively, you can take the LDIF file and import its data as per usual.
Your LDAP directory now has the necessary information to authenticate Samba users.
## Samba configuration
To configure Samba to use LDAP, edit its configuration file `/etc/samba/smb.conf` commenting out the default `passdb backend` parameter and adding some LDAP-related ones. Make sure to use the same values you used when running `smbldap-populate`:
```text
# passdb backend = tdbsam
workgroup = EXAMPLE
# LDAP Settings
passdb backend = ldapsam:ldap://ldap01.example.com
ldap suffix = dc=example,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=example,dc=com
ldap ssl = start tls
ldap passwd sync = yes
```
Change the values to match your environment.
```{note}
The `smb.conf` as shipped by the package is quite long and has many configuration examples. An easy way to visualize it without any comments is to run `testparm -s`.
```
Now inform Samba about the Root DN user's password (the one set during the installation of the `slapd` package):
```bash
sudo smbpasswd -W
```
As a final step to have your LDAP users be able to connect to Samba and authenticate, we need these users to also show up in the system as "Unix" users. Use SSSD for that as detailed in {ref}`Network User Authentication with SSSD `.
Install `sssd-ldap`:
```bash
sudo apt install sssd-ldap
```
Configure `/etc/sssd/sssd.conf`:
```bash
[sssd]
config_file_version = 2
domains = example.com
[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap01.example.com
cache_credentials = True
ldap_search_base = dc=example,dc=com
```
Adjust permissions and start the service:
```bash
sudo chmod 0600 /etc/sssd/sssd.conf
sudo chown root:root /etc/sssd/sssd.conf
sudo systemctl start sssd
```
Restart the Samba services:
```bash
sudo systemctl restart smbd.service nmbd.service
```
To quickly test the setup, see if `getent` can list the Samba groups:
```bash
$ getent group Replicators
Replicators:*:552:
```
```{note}
The names are case sensitive!
```
If you have existing LDAP users that you want to include in your new LDAP-backed Samba they will, of course, also need to be given some of the extra Samba specific attributes. The `smbpasswd` utility can do this for you:
```bash
sudo smbpasswd -a username
```
You will be prompted to enter a password. It will be considered as the new password for that user. Making it the same as before is reasonable. Note that this command cannot be used to create a new user from scratch in LDAP (unless you are using `ldapsam:trusted` and `ldapsam:editposix`, which are not covered in this guide).
To manage user, group, and machine accounts use the utilities provided by the `smbldap-tools` package. Here are some examples:
- To add a new user with a home directory:
```bash
sudo smbldap-useradd -a -P -m username
```
The `-a` option adds the Samba attributes, and the `-P` option calls the `smbldap-passwd` utility after the user is created allowing you to enter a password for the user. Finally, `-m` creates a local home directory. Test with the `getent` command:
```bash
getent passwd username
```
- To remove a user:
```bash
sudo smbldap-userdel username
```
In the above command, use the `-r` option to remove the user's home directory.
- To add a group:
```bash
sudo smbldap-groupadd -a groupname
```
As for `smbldap-useradd`, the `-a` adds the Samba attributes.
- To make an existing user a member of a group:
```bash
sudo smbldap-groupmod -m username groupname
```
The `-m` option can add more than one user at a time by listing them in comma-separated format.
- To remove a user from a group:
```bash
sudo smbldap-groupmod -x username groupname
```
- To add a Samba machine account:
```bash
sudo smbldap-useradd -t 0 -w username
```
Replace `username` with the name of the workstation. The `-t 0` option creates the machine account without a delay, while the `-w` option specifies the user as a machine account.
## Further reading
- [Upstream Samba documentation collection](https://www.samba.org/samba/docs/)
- [Upstream Samba wiki](https://wiki.samba.org/index.php/Main_Page)