FreeBSD authentication against Samba 4 LDAP

After years of only needing central auth for Unix-like systems, I need to integrate Windows clients into my auth mix. Rather than munging my current OpenLDAP directory to contain Windows information, I elected to migrate to Samba 4. Samba 4 can act as a Windows domain controller and also exposes an LDAP interface for Unix clients.

I assume that you’ve read the FreeBSD and Samba documentation on LDAP auth. This article is meant as a bridge between the two information sets.

Most of the tutorials out there cover using LDAP and Kerberos with Samba. Kerberos requires that all hosts be in a single domain. My employer manages hosts within a variety of domains and business units, so Kerberos is a no-go. I need to use pure LDAP authentication.

I configured my Samba 4 domain and ensured that Windows clients could join the domain and that the general Microsoft-esque features worked, such as failover to a backup domain controller. Once it appeared that everything worked, I set up a couple of OpenLDAP proxies exactly by the Samba documentation. (My domain controllers are in private address space, and I’m not willing to expose them to the larger network.)

Then I created an account for services to bind with to perform basic queries. My binding account is called unixstuff. It’s not a member of any AD groups.

Then I can configure OpenLDAP on the client. Install the various LDAP utilities as in the FreeBSD documentation.

Configure the OpenLDAP tools to query your directory first. I use a private CA, so I set assorted TLS options.

BASE dc=internal,dc=mwlucas,dc=org
URI ldap://snarky.mwlucas.org
ssl start_tls
tls_cacert /usr/local/etc/ssl/mwlucas.crt

At this point I should be able to use ldapsearch on the Samba directory.

# ldapsearch -WxD "cn=unixstuff,cn=users,dc=internal,dc=mwlucas,dc=org"
Enter LDAP Password:
...

If you enter the correct password, the directory should spill its guts.

Once that works, we can configure LDAP authentication in /usr/local/etc/ldap.conf.

host snarky.mwlucas.org
base dc=internal,dc=mwlucas,dc=org
ldap_version 3
binddn cn=unixstuff,cn=users,dc=internal,dc=mwlucas,dc=org
bindpw WhyHardCodePasswords

pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute member
pam_lookup_policy yes
nss_base_passwd cn=users,dc=internal,dc=mwlucas,dc=org
nss_base_group cn=users,dc=internal,dc=mwlucas,dc=org
pam_groupdn cn=sysadmins,cn=users,dc=internal,dc=mwlucas,dc=org

# Services for UNIX 3.5 mappings
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword msSFU30Password
nss_map_objectclass posixGroup Group
pam_filter objectclass=User
pam_password ad

With this set, and LDAP activated in /etc/nsswitch.conf, I can now “getent passwd” and “getent group” and get responses from the directory.
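An added example, not part of the original post: the tools configuration earlier sets TLS options, but the /usr/local/etc/ldap.conf shown for PAM and NSS contains no ssl or tls_ line. The shell function below flags a pam_ldap/nss_ldap style file that would bind without TLS. The names audit_ldap_conf and demo are hypothetical, and the pass/fail rules are this example's assumptions about the ssl, tls_checkpeer and tls_cacertfile directives.

```sh
#!/bin/sh
# Added example, not from the original post. Audits a pam_ldap/nss_ldap
# style ldap.conf for cleartext binds. Returns 0 when no FAIL is found,
# 1 on any FAIL, 2 if the file is unreadable.
audit_ldap_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR cannot read $conf"; return 2; }
    awk '
        NF == 0 || $1 ~ /^#/ { next }       # skip blank lines and comments
        { key = tolower($1); val = tolower($2) }
        key == "host" { plain = 1 }         # bare host means ldap:// unless ssl is set
        key == "uri" {
            for (i = 2; i <= NF; i++)
                if (tolower($i) ~ /^ldaps:\/\//) ldaps = 1; else plain = 1
        }
        key == "ssl" { ssl = (NF == 2) ? val : "malformed" }
        key == "tls_checkpeer" { checkpeer = val }
        key ~ /^tls_cacert(file|dir)?$/ { ca = 1 }
        key == "bindpw" { bindpw = 1 }
        END {
            # Assumed rule: TLS is on with ssl start_tls, ssl on, or only ldaps:// URIs.
            tls = (ssl == "start_tls" || ssl == "on" || (ldaps && !plain))
            if (!tls) {
                print "FAIL no TLS: user passwords" (bindpw ? " and bindpw" : "") " cross the network in cleartext"
                bad = 1
            }
            if (ssl == "malformed") print "WARN ssl line is malformed (expected: ssl start_tls)"
            if (checkpeer == "no") { print "FAIL tls_checkpeer no: server certificate is not verified"; bad = 1 }
            if (tls && !ca) print "WARN no CA set in this file; a private CA must be trusted elsewhere"
            exit bad + 0
        }
    ' "$conf"
}

# Constructed sample: connection directives from the PAM/NSS ldap.conf
# in the post, with a placeholder password.
demo() {
    tmp=$(mktemp) || return 2
    printf '%s\n' 'host snarky.mwlucas.org' \
        'binddn cn=unixstuff,cn=users,dc=internal,dc=mwlucas,dc=org' \
        'bindpw PLACEHOLDER' > "$tmp"
    audit_ldap_conf "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage: sh audit.sh /usr/local/etc/ldap.conf
if [ $# -gt 0 ]; then audit_ldap_conf "$1"; fi
```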

That still leaves PAM. I’m no PAM expert, but I’ve hacked together something that permits LDAP access, and falls back to the local password file when the LDAP servers are unavailable. Here’s my /etc/pam.d/system:


auth sufficient /usr/local/lib/pam_ldap.so
auth required pam_unix.so no_warn try_first_pass nullok

account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so
account required pam_unix.so

session required /usr/local/lib/pam_ldap.so
session required pam_lastlog.so no_fail

password required pam_unix.so no_warn try_first_pass

This gets you basic access. Realistically, though, users want a home directory. Install pam_mkhomedir and enable it on a per-service basis.

auth sufficient /usr/local/lib/pam_ldap.so no_warn
auth required pam_unix.so no_warn try_first_pass

account required pam_nologin.so
account required pam_login_access.so
account required pam_unix.so
account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user

session required pam_permit.so
session required /usr/local/lib/pam_mkhomedir.so

password required pam_unix.so no_warn try_first_pass

With this set, users in the “sysadmins” group in AD have shell access to the servers. So far, this works well. But if you’re a Samba, LDAP, or PAM expert and see a problem, please let me know in the comments.
