Creating samba shares

The samba server is THE fileserver solution for linux. It can serve linux clients as well as windows or mac clients and provides host, user or group based access control. In this post I’ll describe how I set up a samba server using accounts stored in my ldap replica.
Note that this howto is referring to debian wheezy.

1. Prepare LDAP

If not already done, include the samba.schema into your LDAP. I’ve already done this before, so here is just a short description.
If you use LDAP with cn=config like me, you will have to convert samba.schema to a .ldif before you add it using

ldapadd -D cn=admin,cn=config -W -f samba.schema.ldif

A longer description can be found, for example, in the Ubuntu docs.
It might be a good idea to index some of the fields from the samba schema. Use

ldapvi -h ldap://localhost -D cn=admin,cn=config -b cn=config -W

to edit cn=config and insert the following in the appropriate section:

  index         uid,uidNumber,gidNumber,memberUid       eq
  index         cn,mail,surname,givenname               eq,subinitial
  index         sambaSID                                eq
  index         sambaPrimaryGroupSID                    eq
  index         sambaDomainName                         eq

Then give users access to their samba passwords by changing the line

  access to attribute=userPassword

to

  access to attrs=userPassword,sambaNTPassword,sambaLMPassword

Now the LDAP server is prepared.
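If your server uses cn=config, the index and access lines above have to be expressed as olcDbIndex and olcAccess values. The following script is an added example, not part of the original post: it converts the slapd.conf-style index lines into a cn=config LDIF and emits the matching olcAccess rule. It assumes the database entry is olcDatabase={1}hdb,cn=config (the wheezy default) and that the admin DN is cn=admin,dc=example,dc=com as in the smb.conf below; the `by` clauses are the Debian defaults. The NT hash in sambaNTPassword is password-equivalent, so the rule must keep it unreadable by everyone except the owner and the admin DN.

```shell
#!/bin/sh
# Added example, not from the original post: turn slapd.conf-style "index"
# lines into a cn=config LDIF (olcDbIndex) and emit the olcAccess rule that
# covers the samba password hashes.
# Assumptions: the database entry is olcDatabase={1}hdb,cn=config (check with
# `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config dn`) and the admin DN is
# the cn=admin,dc=example,dc=com used in the post's smb.conf.

DB_DN='olcDatabase={1}hdb,cn=config'   # assumption, see above
ADMIN_DN='cn=admin,dc=example,dc=com'  # assumption, matches the post

# Constructed input: the index lines from the post, slapd.conf style.
INDEX_LINES='index uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq'

# index_ldif: read "index <attr,...> <types>" lines on stdin and print one
# "add: olcDbIndex" modification per attribute. slapd rejects an add that
# duplicates an existing index value, so list the current ones first with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b "$DB_DN" olcDbIndex
index_ldif() {
    printf 'dn: %s\nchangetype: modify\n' "$DB_DN"
    awk '$1 == "index" && NF >= 3 {
        n = split($2, attrs, ",")
        for (i = 1; i <= n; i++)
            printf "add: olcDbIndex\nolcDbIndex: %s %s\n-\n", attrs[i], $3
    }'
}

# access_ldif: replace the ACL set so the NT/LM hashes get the same
# protection as userPassword. "replace" discards every existing olcAccess
# value, so the full rule set is restated here; merge in any extra rules
# your server already has. sambaNTPassword is password-equivalent, hence
# "by * none" for everyone but the owner and the admin DN.
access_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: olcAccess\n' "$DB_DN"
    printf 'olcAccess: {0}to attrs=userPassword,sambaNTPassword,sambaLMPassword\n'
    printf '  by self write by anonymous auth by dn="%s" write by * none\n' "$ADMIN_DN"
    printf 'olcAccess: {1}to * by self write by dn="%s" write by * read\n' "$ADMIN_DN"
}

# Stand-alone use: redirect each LDIF to a file, review it, then apply it
# the same way the post adds the schema:
#   ldapmodify -D cn=admin,cn=config -W -f indexes.ldif
printf '%s\n' "$INDEX_LINES" | index_ldif
echo
access_ldif
```

The two changes are kept as separate LDIFs on purpose: an index add that fails on a duplicate must not stop the ACL change, and the ACL LDIF deserves a separate review because a wrong "replace" can open the password attributes to anonymous reads.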

2. Install necessary software

aptitude install smbfs samba smbldap-tools

This will pull in some dependencies. Just install them.

3. Configure samba

The configuration is done in /etc/samba/smb.conf. Make sure the following line is set (in section “Authentication”):

   security = user

It will probably be commented out.
Then change

  passdb backend = tdbsam guest

to

  passdb backend = ldapsam:ldap://

using the IP or URI of your LDAP server.
Add configuration directives for passdb and smbldap-tools:

  obey pam restrictions = no
  ldap admin dn = cn=admin,dc=example,dc=com
  ldap suffix = dc=example, dc=com
  ldap group suffix = ou=groups
  ldap user suffix = ou=people
  ldap machine suffix = ou=computers
  ldap idmap suffix = ou=people
  ; Don't use samba's internal LDAP password sync
  ldap passwd sync = No
  ; Use an external program to sync the LDAP password
  unix password sync = Yes
  passwd program = /usr/sbin/smbldap-passwd -u %u
  passwd chat = *New*password* %nn *Retype*new*password* %nn *all*authentication*tokens*updated*

Make sure to comment out or delete any other settings for passwd program and passwd chat. If you use a local (or local-network) LDAP server, you can disable SSL with

  ldap ssl = off

In the section “Share Definitions” define your shares like this:

   [music]
   comment = Music Share
   path = /data/music
   writeable = yes
   valid users = @users
   guest ok = no

This will create a share named music using the directory /data/music, where members of the group users will be able to write and guests will have no access.
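Before restarting, it pays to check the result rather than trusting the edit. The script below is an added example and not part of the original post: it reads an smb.conf with a small ini parser, verifies the global settings this section sets, and flags the two share-level mistakes that expose data (guest access, and a writeable share with no "valid users"). It also warns when "ldap ssl = off" is combined with a non-local ldap:// backend, because the "ldap admin dn" bind then crosses the network in clear text. Both sample configs are constructed for this example; point the functions at /etc/samba/smb.conf on a real server.

```shell
#!/bin/sh
# Added example, not from the original post: audit an smb.conf for the
# settings discussed above. Sample configs below are constructed.

# smbconf_get FILE SECTION KEY: print the value of KEY in [SECTION], or nothing.
# Keys match case-insensitively; ";" and "#" lines are comments, as in smb.conf.
smbconf_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*/, "", s); next }
        s == want && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# smbconf_sections FILE: print every section name, one per line.
smbconf_sections() {
    awk '/^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*/, "", s); print s }' "$1"
}

# audit_smbconf FILE: print one finding per line; return 0 only if none.
# Limitations: section names with spaces are not handled, and only the
# yes/no spellings used in the post are recognised (samba also takes true/1).
audit_smbconf() {
    f="$1"; n=0
    [ "$(smbconf_get "$f" global security)" = user ] ||
        { echo "global: security should be user"; n=$((n + 1)); }
    backend=$(smbconf_get "$f" global 'passdb backend')
    case "$backend" in
        ldapsam:ldap://*)
            # plain ldap:// to a remote host with TLS off sends the admin bind in clear
            host=${backend#ldapsam:ldap://}; host=${host%%[/:]*}
            case "$host" in
                localhost|127.0.0.1|"") ;;
                *) [ "$(smbconf_get "$f" global 'ldap ssl')" = off ] &&
                       { echo "global: ldap ssl = off with remote backend $host"; n=$((n + 1)); } ;;
            esac ;;
        ldapsam:*) ;;
        *) echo "global: passdb backend is not ldapsam ($backend)"; n=$((n + 1)) ;;
    esac
    for s in $(smbconf_sections "$f"); do
        [ "$s" = global ] && continue
        [ "$(smbconf_get "$f" "$s" 'guest ok')" = yes ] &&
            { echo "$s: guest ok = yes"; n=$((n + 1)); }
        if [ "$(smbconf_get "$f" "$s" writeable)" = yes ] ||
           [ "$(smbconf_get "$f" "$s" 'read only')" = no ]; then
            [ -n "$(smbconf_get "$f" "$s" 'valid users')" ] ||
                { echo "$s: writeable share without valid users"; n=$((n + 1)); }
        fi
    done
    [ "$n" -eq 0 ]
}

# Constructed sample: the post's configuration with a local backend.
GOOD=$(mktemp); WEAK=$(mktemp)
trap 'rm -f "$GOOD" "$WEAK"' EXIT
cat > "$GOOD" <<'EOF'
[global]
   security = user
   passdb backend = ldapsam:ldap://127.0.0.1
   ldap ssl = off
[music]
   comment = Music Share
   path = /data/music
   writeable = yes
   valid users = @users
   guest ok = no
EOF
# Constructed sample: a remote backend without TLS and an open share.
cat > "$WEAK" <<'EOF'
[global]
   security = user
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap ssl = off
[public]
   path = /data/public
   writeable = yes
   guest ok = yes
EOF

echo "== good config"; audit_smbconf "$GOOD" && echo "no findings"
echo "== weak config"; audit_smbconf "$WEAK" || echo "(findings listed above)"
```

The audit deliberately runs on the text of smb.conf rather than on testparm output, so it can be used from a configuration-management check before samba is restarted; on a live server, `testparm -s` remains the authoritative view of what samba actually loaded.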

Now restart samba

/etc/init.d/samba restart

and tell samba the admin password for ldap


4. Configure smbldap-tools

First copy the files smbldap.conf and smbldap_bind.conf from /usr/share/doc/smbldap-tools/examples/ to /etc/smbldap-tools/:

  zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > /etc/smbldap-tools/smbldap.conf
  cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf /etc/smbldap-tools/

Get the SID by

net getlocalsid

and edit smbldap.conf. Watch out for the SID and LDAP settings. Insert the DN and password of your LDAP admin into smbldap_bind.conf. Then fix the file permissions:

chmod 0644 /etc/smbldap-tools/smbldap.conf
chmod 0600 /etc/smbldap-tools/smbldap_bind.conf

Now it’s time to populate your LDAP with the necessary data. If your LDAP already contains data, the script will not overwrite it. Still, it is a good idea to have a backup…
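A wrong SID in smbldap.conf is the classic mistake at this step: the populate script writes it into the domain and account entries, and samba will then not map those accounts. The script below is an added example, not part of the original post, that can be run before populating: it compares the SID in smbldap.conf with the one `net getlocalsid` reports and confirms smbldap_bind.conf is not readable by group or others. It assumes smbldap.conf carries a line of the form SID="S-1-5-21-..." and that `net getlocalsid` prints "SID for domain NAME is: S-1-5-21-..."; the sample files and the sample `net` output are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks before
# smbldap-populate. Sample files and the sample `net getlocalsid` output
# are constructed for this example.

# sid_from_conf FILE: value of the SID= line in smbldap.conf, quotes stripped.
sid_from_conf() {
    sed -n 's/^[[:space:]]*SID[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# sid_from_net: the SID from `net getlocalsid` output read on stdin.
sid_from_net() {
    awk '/^SID for domain/ { print $NF; exit }'
}

# check_sid CONF NET_OUTPUT: 0 when both SIDs are present and identical.
check_sid() {
    conf_sid=$(sid_from_conf "$1")
    net_sid=$(printf '%s\n' "$2" | sid_from_net)
    [ -n "$conf_sid" ] && [ "$conf_sid" = "$net_sid" ]
}

# check_bind_perms FILE: 0 when group and others have no permission bits
# (columns 5-10 of `ls -l` hold the group/other rwx flags). The file holds
# the LDAP admin password, so anything beyond 0600 leaks it to local users.
check_bind_perms() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample files standing in for /etc/smbldap-tools/*.
CONF=$(mktemp); BIND=$(mktemp)
trap 'rm -f "$CONF" "$BIND"' EXIT
cat > "$CONF" <<'EOF'
# Put your own SID here (run: net getlocalsid)
SID="S-1-5-21-1111111111-2222222222-3333333333"
sambaDomain="EXAMPLE"
EOF
printf 'masterDN="cn=admin,dc=example,dc=com"\nmasterPw="changeme"\n' > "$BIND"
chmod 0600 "$BIND"

# Constructed `net getlocalsid` output; on the real server run:
#   check_sid /etc/smbldap-tools/smbldap.conf "$(net getlocalsid)"
NET_OUT='SID for domain FILESERVER is: S-1-5-21-1111111111-2222222222-3333333333'

check_sid "$CONF" "$NET_OUT" && echo "SID in smbldap.conf matches samba"
check_bind_perms "$BIND" && echo "smbldap_bind.conf permissions ok"
```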


Now you can add users to your LDAP or fix the entries of already existing users. E.g. this will set the samba password for user dummy:

smbpasswd -a dummy


5. Testing

On a (linux) client try

smbclient //sambaserver.yourdomain/share -U youruser

to check for errors before using a file browser to connect to a share.
[Edit 01.05.2014] Make sure the group “users” exists and users can log in authenticating against LDAP.

6. References

2 thoughts on “Creating samba shares”

  1. mac

    Hi Jan,

    My ldap server is on windows server 2008 with LDAP URL: ldap:// and samba server is on ubuntu machine with hostname XYZ I read lot of articles to authenticate samba share with ldap but stuck in it, please tell me appropriate solution.

    • Jan (Post author)

      I have no clue how LDAP works on windows. You are probably using a Microsoft ActiveDirectory server.

      First I would check if user login on the ubuntu box is working (using pam-ldapd). Once you get that working, revisit your samba settings.
