Detailed explanation of samba + OPENldap to build a file sharing server

Here I use samba (file sharing service) v4.9.1 + OPENldap (backend database software) v2.4.44 + smbldap-tools (backend database management software) v0.9.11 + CentOS7. If there is a difference, there may be a partial problem.

Note:

The function of samba is not only file sharing, but it can also act as a Windows domain member or even a Windows domain controller. Don't ever think that samba is just a file sharing service.
Since we use the file sharing function of samba, which is directly related to file permissions, the users used in samba must be searchable in Linux. Because OPENldap is used as the backend database of samba, we also need to configure Linux to query the user information in OPENldap, that is, we need to configure NSS. Regarding the NSS configuration, you need to complete the NSS configuration after smbldap-tools initializes the ldap database. Please note! ! !
Samba uses PAM as an authentication module and uses its own authentication program. When compiling in CentOS, it is configured to use its own authentication program, so the configuration of PAM can be omitted.
If you want to configure users in OPENldap to log in to the system, you can refer to this article: "Configure Linux to use LDAP user authentication". The configuration in it is different from the configuration in this article, so please pay attention! ! !

Initial configuration

The yum repository and network configuration are omitted.

yum -y install samba openldap-servers openldap-clients smbldap-tools nss-pam-ldapd

Configure OPENldap service

Here we only perform simple service configuration. The database configuration will be configured using smbldap-tools. If you don't know OPENldap, you can read this article: "OPENLDAP service construction and post-management"

Here, clear all OPENldap configurations and reconfigure them.

# Back up the file first, in case it cannot be restored mkdir /root/back
tar -Jcvf /root/back/slapd.config-`date '+(%Y.%m.%d_%H:%M:%S)'`.tar.xz /etc/openldap/slapd.d/
tar -Jcvf /root/back/slapd.data-`date '+(%Y.%m.%d_%H:%M:%S)'`.tar.xz /var/lib/ldap/
# Then delete the configuration file rm -rf /etc/openldap/slapd.d/*
rm -rf /var/lib/ldap/*
# Copy a samba schema file cp /usr/share/doc/samba-4.9.1/LDAP/samba.ldif /etc/openldap/schema/

I copied the configuration file here from /usr/share/openldap-servers/slapd.ldif and modified it to look like the following. The main changes are baseDN (suffix), OPENLDAPTLS, olcRootPW (the password is generated by slappasswd, the password in this article is: 123456) and include

# file: /tmp/slapd.ldif

dn:cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/samba.ldif

dn:olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase:frontend

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase:config
olcAccess: to * 
 by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage 
 by * none

dn:olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * 
 by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read 
 by dn.base="cn=Manager,dc=black,dc=com" read 
 by * none

dn:olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=black,dc=com
olcRootDN: cn=Manager,dc=black,dc=com
olcRootPW: {SSHA}l1vBI/HOMKLEiQZgcm3Co+hFQI68rH1Q
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub，uid

Generate server configuration files based on configuration

slapadd -F "/etc/openldap/slapd.d/" -b "cn=config" -l /tmp/slapd.ldif
# Note that the file owner is still root, so you need to change it back to openldap
chown -R ldap:ldap /etc/openldap/slapd.d/*
# Then start the service systemctl start slapd

_#################### 100.00% eta none elapsed none fast!
Closing DB...

Note: Only the service configuration part of OPENldap is configured here, and the database of OPENldap is not configured. I would like to emphasize the following again.

Configure samba

Here we just want to test the use of samba and OPENldap, so we won't make any complicated file sharing configurations. We will only share one user's home directory for testing.

# file: /etc/samba/smb.conf

[global]
 workgroup = MYGROUP #Specify the shared group name.
 server string = Samba Server Version %v
 log file = /var/log/samba/log # Log security = user # Specify the security level as User
 passdb backend = ldapsam:ldap://127.0.0.1 # Specify the backend database of passdb to use ldapsam
 ldap suffix = dc=black,dc=com # Specify the suffix of ldap
 ldap user suffix = ou=People #Specify the user's suffix segment ou=People. This will be combined with the previous suffix.
 ldap group suffix = ou=Group # Same as above, specifies the user group.
 ldap admin dn = cn=Manager,dc=black,dc=com # Specify the administrator user used to query the ldap service ldap ssl = no # Specify not to use SSL encryption.
 load printers = no #Specifies not to load shared printers.
[homes]
 comment = Home Directories
 browseable = no
 writable = yes
 create mask = 0600
 directory mask = 700

smbpasswd -w 123456 # Store the user password used to connect to the LDAP service! ! ! This is very important, otherwise the smb service cannot be started.

Start samba service

systemctl start nmb
systemctl start smb

smbldap-tools Configuration

Here we use smbldap-tools to quickly complete the data information required by the samba service, and use smblda-tools to manage user segments. However, one disadvantage of smbldap-tools is that it does not care whether your local users have the same UID or GID. There may be conflicts, so please be aware of this.

smbldap will read some information from /etc/samba/smb.conf, so you need to configure samba first and then configure the smbldap-tools service.

smbldap-config # Configure the configuration of smbldap-tools. Here, smbldap-conifg is used for simple configuration.

The following configuration process is omitted here, and the default is fine if you don’t know.

smbldap-populate # Initialize the configuration of the OPENldap database.

Create another user here for later testing.

smbldap-useradd -a -m User1 # Add user User2
# -a: Specifies that the added user type is Windows, so that samba can recognize the user.
# -m: Specifies to create the user's home directory.
smbldap-passwd User1 #Change the user's password

The password modification process for this user is omitted here.

In this way, the database initialization of OPENldap is completed, and you can now query the content in OPENldap. As shown in the figure below, this is the content created by smbldap-populate . The following figure shows Apache Directory Studio. If you are interested, you can study "Easy Use of Apache Directory Studio"

In the figure we can see users with UID = root and nobody. I don’t want these special users to log in to the server, so in the following configuration, I will filter out these two users through filter.

NSS Configuration

The NSS configuration here mainly needs to be configured. NSS forwards LDAP requests to nslcd, and nslcd queries the user information in OPENldap.

First, configure NSS. Just add ldap authentication to the passwd and group sections.

# file: /etc/nsswitch.conf

passwd: files ldap
shadow: files
group: files ldap
hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: nisplus sss
publickey: nisplus
automount: files nisplus sss
aliases: files nisplus

Then configure nslcd. Note that nslcd runs as a daemon and needs to be restarted after configuration.

# file:/etc/nslcd.conf

uid-nslcd
gid ldap
uri ldap://127.0.0.1/ # ldap URL address base dc=black,dc=com # base dn path binddn cn=Manager,dc=black,dc=com # Specify the connected user bindpw 123456 # Specify the password ssl no # Specify not to use SSL encrypted connection.
filter passwd (&(objectClass=posixAccount)(uidNumber>=1000)) # Write the filter rules for passwd.
filter group (&(objectClass=posixGroup)(gidNumber>=500)) # Same as above, group is written
Copy
chmod 600 /etc/nslcd.conf # Configuration file permissions are very important, otherwise the service cannot be started.
systemctl start nslcd # Start the nslcd service.

We test whether the following NSS configuration is available

getent passwd User1

User1:*:1001:513:System User:/var/smb/User1:/bin/bash

As can be seen above, the NSS and OPENldap services we configured have taken effect. Now let's continue to configure samba to make it available.

Samba permission configuration

If you look carefully, you will find that I store the user's home directory location in /var/smb , mainly to avoid confusion with the users in the system. And in this way, samba can be isolated through SELinux to prohibit access to resources under the /home path. Please see the following operations for details.

# The user's home directory has been created above through the smbldap-useradd command.
# Now you can directly configure SELinux.
semanage fcontext -a -t samba_share_t '/var/smb(/.*)?' # Modify the default type of the /var/smb path. Here I use the type used by samba sharing. SELinux allows access to this type by default. # If you want samba to access /home, you should enable the bool value samba_enable_home_dirs.
# But here I am using the samba_share_t type, so there is no need to enable any bool value, so that samba can only access /var/smb and other files required by samba.
restorecon -R /var/smb/ # Then we reset the SELinux type under the /var/smb directory.
Copy
# Here we can test samba smbclient -L //127.0.0.1/ -U User1

Here we can see that User1 can already log in and query the shared directory.

Then we log in directly here and upload some files to do some tests:

OK, then such a samba file sharing is completed.

Summarize

The above is a detailed explanation of how to build a file sharing server using samba + OPENldap. I hope it will be helpful to you. If you have any questions, please leave me a message and I will reply to you in time!

You may also be interested in: