I am currently replacing old NAS systems with a file server. I am looking for a solution to create CIFS/SMB shares on the file server (Debian 12) which shall be protected by a login that works via LDAP groups.

The LDAP setup consists of an OpenLDAP server which doesn't have the samba attributes and I would really like to keep it like that.

I don't care about permissions within the files on the share but only the general permission to access the share.

So my question is: How can I provide my users with CIFS/SMB shares that are protected via a LDAP group-based authentication?

The solution I came up with was a WebDAV-based approach (with LDAP auth via the apache2 LDAP integration), and it worked beautifully on Linux. It didn't work very well on Windows due to its poor WebDAV implementation, so I had to abort it.

If you have any ideas other than CIFS/SMB shares that provide shares with LDAP group-based permissions and are mountable from Windows/Linux/Mac without any issues, please tell me.

Thanks in advance.

1 Answer

Samba, the default SMBv3 file server for Linux, always uses system accounts for all access control when not in AD mode – both for share-level access (`valid users = @staff`) and for file-level access (Unix permissions and POSIX ACLs). If your system is set up to store POSIX accounts/groups in the LDAP server, those will be visible to Samba.

What you cannot reuse, regardless of choice of software, is authentication to the LDAP server. That is, you can set up Kerberos authentication for SMB if you also have a Kerberos KDC, but you will not be able to directly verify user passwords against LDAP `userPassword`, as they are never actually transmitted to the SMB server. In order to accept NTLM authentication, the SMB server must know the NT hash of the password and not any other hash type, so you'll need to assign everyone a separate "SMB only" password using `smbpasswd -a`.

So if your goal is to have a single password database, you'll need to set up a Kerberos KDC, make Samba (and optionally OpenLDAP) accept Kerberos tickets, and finally make OpenLDAP validate simple bind passwords against Kerberos – not the other way around.

(You can combine both methods without any additional configuration – the same smbd can accept Kerberos tickets while still supporting NTLM for old clients.)

This applies equally to SMBv3 as it does to the obsolete CIFS/SMBv1.
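As an added example that is not part of the answer above, the following POSIX shell script shows the share-level part of what the answer describes: an `smb.conf` share section that restricts access to members of one POSIX group using Samba's `@group` syntax, plus a small audit helper that reads back which group a given share is restricted to. The share name `projects`, the path `/srv/projects` and the group `staff` are assumed placeholders; it also assumes NSS is already configured (for example through sssd or nslcd) so that `getent group` resolves the LDAP group, because Samba can only enforce `valid users` for groups the system itself can see.

```shell
#!/bin/sh
# Added example (not from the original answer). Builds a Samba share
# stanza restricted to an LDAP-backed POSIX group and audits an existing
# smb.conf for that restriction. Names and paths below are assumptions.

# Emit an smb.conf share section whose share-level access is limited to
# members of one POSIX group (Samba "@group" syntax in "valid users").
# Usage: share_stanza NAME PATH GROUP
share_stanza() {
  name=$1; path=$2; group=$3
  printf '[%s]\n' "$name"
  printf '   path = %s\n' "$path"
  printf '   valid users = @%s\n' "$group"
  printf '   read only = no\n'
  printf '   browseable = yes\n'
  # Group-writable defaults so file-level Unix permissions do not block
  # members once share-level access has been granted.
  printf '   create mask = 0660\n'
  printf '   directory mask = 0770\n'
}

# Print the "valid users" value of one share section in an smb.conf
# (empty output if the share has no such restriction or does not exist).
# Usage: share_group_restriction FILE SHARE
share_group_restriction() {
  awk -v s="[$2]" '
    $0 == s { insec = 1; next }            # entered the wanted section
    /^\[/ { insec = 0 }                    # any other header ends it
    insec && $1 == "valid" && $2 == "users" {
      sub(/^[ \t]*valid users[ \t]*=[ \t]*/, "")
      print; exit
    }
  ' "$1"
}

# Returns 0 if NSS resolves the group, 1 otherwise. Run this before
# relying on "valid users = @GROUP": Samba cannot enforce a group it
# cannot look up.
group_visible() {
  getent group "$1" >/dev/null 2>&1
}

# Stand-alone demonstration: print the stanza for the assumed share.
share_stanza projects /srv/projects staff

# Operational steps on the real server (assumed hostnames/users), run by hand:
#   group_visible staff          # LDAP group must resolve via NSS first
#   testparm -s                  # syntax-check smb.conf after appending the stanza
#   smbpasswd -a alice           # separate NT-hash password, as the answer explains
#   smbclient -L //localhost -U alice   # confirm the share is listed for a member
```

The audit helper is useful when several shares already exist: running `share_group_restriction /etc/samba/smb.conf NAME` for each share name quickly shows which shares have no group restriction at all.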
