Redhat Linux SAMBA (Adding Remote LDAP Authentication to a Shared Folder)

Posted on 2007-08-08
Last Modified: 2013-12-16
I have a Linux Red Hat box with SAMBA running on it to authenticate a file share folder on the box to Windows users.  Now, I don't have much access to this machine, nor do I have any "worth a crap" Linux knowledge; however, I need to somehow achieve the following:

-Query a remote LDAP server to authenticate
-Still keep the current share authentication settings.

Basically SAMBA is querying another domain's list of users and allowing them access to a shared folder. I have a group of people who need access to the same folder to cooperatively work with each other, but the catch is their authentication server is LDAP:

password      <Password>
filter      (uupid=<username>)
base      ou=People,dc=vt,dc=edu
port      389

There could be 50 people in that directory and I need to keep the domain users and the new LDAP users authenticated to the same folder so they can all happily Map Network Drives on Windows.

Is there a way to add remote LDAP authentication to a shared folder on SAMBA?
Question by:vtois

    Expert Comment

    In Samba there is no possibility to do that.

    What you can do is make Samba use PAM for authentication and then make PAM authenticate against the LDAP server, and set the appropriate rights in the file system, which should prevent users that are not in the remote LDAP directory from entering the directory.

    So in addition to Samba, you'll need the pam_ldap and pam_nss modules, a valid /etc/pam.d/samba config file authenticating against local users/groups and the remote LDAP server, and a working NSS configuration (perhaps with nscd so that authentication info is cached, which speeds up file access).
    See: (for some introduction) (to get nss working)

    If you get all those things working you'll only need one more thing: a filesystem capable of ACLs. Since Samba is ACL-aware, the rest can then be configured using a Windows machine. Or, if you like to do it on *nix, then you just have to give the appropriate users the rights to access the directory(ies) in question.

    Author Comment

    Thank you for your response natoka. In addition, some detail:

    The Linux box apparently is configured with Samba to authenticate against a Windows domain, so there are no local Linux users; it just gets mapped, apparently.

    And the LDAP would need "filtering" for authentication.  In other words, only accepting directory sharing if, say, the user has blah=Admin in the LDAP query.

    Is your suggested way still possible?

    Accepted Solution

    Hmm, I think in the case of a Windows LDAP server you will have to drop the mapping and create real users on the Unix box on the fly when authentication against the LDAP server is successful. Of course you'll still need ACLs, so to speak an ACL-capable filesystem and Samba (and probably some ACL tools).
    The filtering per directory for some extended LDAP attributes is definitely not possible with PAM yet. But you can work around that in the on-the-fly creation of the user - just write your own script that queries the LDAP server for that specific LDAP attribute - and when it's set, then you set the appropriate ACLs in the file system so that the Unix user has access to the directories/files as desired.
    Of course the drawback in this schema is that when you want to update the ACLs to adhere to changes in the LDAP directory and to changes in the rights on the share, you'll have to create a cron job that does that - perhaps every five minutes or so ...

    So again, there is no way to do that in Samba out of the box, and in PAM there is also no way. All you can do is script your own solution (or find someone who does that for you).
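    The cron-driven script the accepted solution sketches (query LDAP for the attribute, create the Unix user, set or revoke the share ACL), as an added example that is not code from the thread. SHARE_DIR, the attribute name/value, and the LDIF and getfacl samples are assumed or constructed; in real use the LDIF would come from ldapsearch against the asker's base ou=People,dc=vt,dc=edu.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: SHARE_DIR, REQUIRED_ATTR,
# REQUIRED_VALUE. DRY_RUN=1 prints the useradd/setfacl commands instead of running them.
SHARE_DIR="${SHARE_DIR:-/srv/share}"
REQUIRED_ATTR="${REQUIRED_ATTR:-blah}"     # attribute the asker mentioned (blah=Admin)
REQUIRED_VALUE="${REQUIRED_VALUE:-Admin}"
DRY_RUN="${DRY_RUN:-1}"

# Constructed LDIF, shaped like 'ldapsearch -LLL -b ou=People,dc=vt,dc=edu' output.
SAMPLE_LDIF='dn: uupid=alice,ou=People,dc=vt,dc=edu
uupid: alice
blah: Admin

dn: uupid=bob,ou=People,dc=vt,dc=edu
uupid: bob
blah: User

dn: uupid=carol,ou=People,dc=vt,dc=edu
uupid: carol
blah: Admin
'
# Constructed getfacl output for the share: bob holds an ACL but is no longer allowed.
SAMPLE_ACL='# file: srv/share
user::rwx
user:alice:rwx
user:bob:rwx
group::r-x
other::---'

# Print the uupid of each LDIF entry whose REQUIRED_ATTR equals REQUIRED_VALUE.
allowed_users() {
    printf '%s' "$1" | awk -v a="$REQUIRED_ATTR" -v v="$REQUIRED_VALUE" '
        BEGIN { RS=""; FS="\n" }          # one blank-line separated entry per record
        { uid=""; ok=0
          for (i=1; i<=NF; i++) { split($i, kv, ": ")
              if (kv[1]=="uupid") uid=kv[2]
              if (kv[1]==a && kv[2]==v) ok=1 }
          if (ok && uid!="") print uid }'
}
# Named ACL holders ($1: getfacl text) not in the space-separated allowed list ($2).
stale_users() {
    printf '%s\n' "$1" | sed -n 's/^user:\([^:][^:]*\):.*/\1/p' |
    while read -r holder; do
        case " $2 " in *" $holder "*) ;; *) echo "$holder" ;; esac
    done
}
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
# Grant allowed users (creating the Unix account on the fly), revoke stale ones.
sync_share() {
    allowed=$(allowed_users "$1" | tr '\n' ' ')
    for u in $allowed; do
        id "$u" >/dev/null 2>&1 || run useradd -M -s /sbin/nologin "$u"
        run setfacl -R -m "u:$u:rwx" "$SHARE_DIR"
    done
    for u in $(stale_users "$2" "$allowed"); do run setfacl -R -x "u:$u" "$SHARE_DIR"; done
}
```

    Schedule `sync_share` from cron with DRY_RUN=0 and real ldapsearch/getfacl output to keep the share's ACLs following the directory, as the answer suggests.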

    Author Comment

    Thank you for your time. I decided to go with the WebDAV feature of Apache.
