Linux – Creating Samba shares across multiple servers from a single LDAP server

ldaplinuxsamba

We have a Fedora Directory Server running LDAP, where a few hundred users exist. We need a way we can create samba shares depending on projects and limit access to these shares across multiple Linux servers.

Here we have 15-20 servers each running different versions of CentOS. Idea is to create folders depending on groups where read/write access is limited to just that group or a subset of users of the specific group.

How do we authenticate users and create Samba Shares in another server in the same subnet. Users use Windows Professional, and they should be accessing a specific samba share to backup files for specific servers.

I need to create a single form, where the admin can create a folder by choosing the server, and assign users accordingly. Ideas welcome on how to go about this.

Best Answer

There should be no problem at all. I have using the following config in production environment

[global]

    workgroup = SYSADM
    server string = File server
    netbios name = FS1
    security = domain

    load printers = no
    show add printer wizard = no
    printcap name = /dev/null
    disable spoolss = yes

    encrypt passwords = yes

    winbind enum groups = yes
    winbind enum users = yes

    idmap backend = ldap:"ldap://pdc.example.net/"
    ldap idmap suffix = ou=idmap

    idmap uid = 1000-500000
    idmap gid = 1000-500000

    idmap config SYSADM : backend  = nss
    idmap config SYSADM : range = 1000-500000

    ldapsam:trusted = yes
    ldapsam:editposix = yes

    ldap suffix = dc=example,dc=net
    ldap user suffix = ou=users
    ldap group suffix = ou=groups
    ldap machine suffix = ou=computers

    ldap admin dn = "uid=ldap_reader,ou=users,dc=example,dc=net"

    enable privileges = yes

    os level = 3
    local master = no
    domain master = no
    preferred master = no
    domain logons = no

    client ntlmv2 auth = yes
    client plaintext auth = no

    lanman auth = no
    lm announce = no

    display charset = utf8
    unix charset = utf8
    dos charset = cp866

    log level  = 3
    host msdfs  = no

[Department1]
    comment = Department1
    path = /samba/department1/
    public=yes
    guest ok = no
    write list = user1, @"SYSADM\department1"
    valid users = @"SYSADM\department1"
    browseable = yes
    force create mode = 0770
    create mode = 0770
    force directory mode = 0770
    directory mode = 0770
    vfs objects = full_audit
    full_audit:prefix = [Department1]:%u|%I
    full_audit:success = write rmdir rename mkdir unlink open read pread write pwrite
    full_audit:failure = none
    full_audit:facility = LOCAL1
    full_audit:priority = ALERT

Related Solutions

Linux – Provide Samba access based on LDAP info

I believe it will be necessary to at least have a domain admin on the LDAP server come over to type their password at least one time to accomplish what you want and join Samba to the domain.

Given that, the steps should be relatively simple. Taken from the Samba Wiki, set the following in your samba config:

* passdb backend = ldapsam:ldap://<your-hostname>
* ldap suffix = 
* ldap admin dn

Then run smbpasswd -w to let samba know the password for the admin dn.

There is also a nice writeup here.

Samba – Joining Samba to Active Directory with local user authentication

You can do this fairly easily. You need to preform all the steps for configuring users to authenticate to linux via AD (KRB config, joining the domain), up to bot NOT including the PAM changes. Then you just set SAMBA to use winbind as the authentication source. Here is an old copy of an smb.conf I've used to achieve this same effect:

#======================= Global Settings =====================================

[global]

# Domain Authntication Settings
        workgroup = <my domain>
        server string = <Sever String>
        security = ads
        passdb backend = tdbsam
        realm = <mydomain.com>
        client use spnego = yes
        ldap ssl = no
# logging
        log level = 5
        max log size = 50
        # logs split per machine
        log file = /var/log/samba/%m.log
        # max 50KB per log file, then rotate
;       max log size = 50

# User settings
        username map =  /etc/samba/smbusers
        idmap uid = 10000-20000000
        idmap gid = 10000-20000000
        idmap backend = ad
;       template primary group = <ad group>
        template shell = /sbin/nologin

# Winbind Settings
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups  = Yes
        winbind netsted groups = Yes
        winbind nested groups = Yes
        winbind use default domain = Yes

#Other Globals
        unix charset = LOCALE
        server string = <my server name>
        load printers = no
        printing =  cups
        cups options = raw

;       printcap name = /etc/printcap
        #obtain list of printers automatically on SystemV
;       printcap name = lpstat
;       printing = cups


#============================ Share Definitions ==============================


[share]
comment = <share comment>
path = /srv/smb/share
guest ok = yes
valid users = "DOMAIN+testUser"
read only = yes

Also, if you are using Ubuntu there is a bug in the version that was in the 10.04LTS up to a few months ago that just completely broke this setup (nobody can auth) - grab a version from the SAMBA site if this is the case

Best Answer

Related Solutions

Linux – Provide Samba access based on LDAP info

Samba – Joining Samba to Active Directory with local user authentication

Related Topic