[Samba] samba4 as authorisation service + openldap users mapping on FreeBSD
Илюшкин Никита
mallniya at mail.ru
Wed Feb 3 22:31:13 UTC 2016
Hello list,
I have a complicated use case for a samba4 server and a specific need, and
just want to know if it is possible to solve my problem at all.
So, there is a FreeBSD host with openldap and samba4 installed.
openldap is configured in such a way that anyone who has an account on our
corporate server can connect to the host if there is permission in
ldap. It utilizes PAM and creates home directories automatically;
moreover it doesn't use passwords -- only ssh keys.
On the other hand, there is a corporate AD infrastructure to which I
join my samba4 server; smb4.conf follows:
[global]
username map = /usr/local/etc/user.map
security = domain
password server = corporate-domain-controller.ru
netbios name = dev.samba
workgroup = WORKGROUP
log file = /var/log/samba4/log.%m
max log size = 500
log level = 5
[n.ilyushkin]
comment = Public Folder
path = /home/n.ilyushkin
public = no
writable = yes
read only = no
create mask = 0644
directory mask = 0755
[nilyushkin]
comment = Public Folder
path = /home/nilyushkin
public = no
writable = yes
read only = no
create mask = 0644
directory mask = 0755
and these settings basically work -- I can log on through the n.ilyushkin
account (which is an AD account) using smbclient. I also have a
nilyushkin FreeBSD account which is supplied by openldap.
My need is to somehow give every user like me on this host access to their
home directory. As far as I understand, there must at least be (a) an
entry in smb.conf, (b) an entry in AD to authenticate the user on the host and,
because of the differentiation of AD and openldap accounts, (c) the global
setting "username map" in smb.conf, pointing to a file like the one I use in
this situation:
!nilyushkin = WORKGROUP\n.ilyushkin
These settings don't give the expected results:
smbclient //localhost/nilyushkin -U n.ilyushkin
Enter n.ilyushkin's password:
session setup failed: NT_STATUS_LOGON_FAILURE
And if there is no "username map" setting, smbclient works normally.
Also, I created a local "nobody" user and issued the "smbpasswd -a nobody"
command, and mapping works as expected: I log in as n.ilyushkin (AD user)
and access files as the nobody user (of course with the "!nobody =
WORKGROUP\n.ilyushkin" line in the "username map" file).
And so my question is the following: as the accounts in the openldap and AD
infrastructures are different (such as nilyushkin in openldap and
n.ilyushkin in AD), is it possible to map the account name in AD, which samba
uses to authorise smbclient, to the account from openldap? In other words, I
just want to use AD as the authentication service and the UNIX-related
credentials (user, group, shell, ssh keys) from openldap to access the UNIX
home directory. Yes, I understand that this solution requires supplying a
mapping, but this decision looks good considering the fact that there
will not be many users to map.
I tried to change settings in nsswitch to something like this:
...
group: files cache ldap winbind
passwd: files cache ldap winbind
...
But it doesn't take effect. I assume pam.d settings can help, but at
this point I just want to stop experimenting and ask you whether my task
is feasible at all. I understand that this case involves aspects that
are not samba related -- still, I expect maybe a direction to dig in.
Thank you.
--
Nikita Ilyushkin
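As an added diagnostic (not from the original post and not Samba's own code), the following Python resolves a login through a "username map" file using the semantics the smb.conf manual gives for "!" and "*", then checks that the mapped UNIX name is an account the name service knows, which is the step that has to succeed after authentication on a domain member. The sample map, passwd table and group table are constructed stand-ins for the poster's setup, and the exact matching rules (comment handling, DOMAIN\ prefix) are assumptions.

```python
"""Resolve a login through a Samba 'username map' file and confirm the
target UNIX account resolves (constructed example, not Samba's own code).

Assumed map semantics: 'unixname = name1 name2 ...' per line, '#'/';'
comments, '@group' matches members of a UNIX group, '*' matches any name,
a leading '!' stops processing after a line that matched, and names are
compared case-insensitively with an optional DOMAIN\\ prefix."""

# Constructed map: the poster's rule plus a trailing wildcard fallback.
SAMPLE_MAP = r"""
# map AD logins to the openldap-supplied accounts
!nilyushkin = WORKGROUP\n.ilyushkin
guest = *
"""
# Constructed stand-ins for 'getent passwd' / 'getent group' output.
SAMPLE_PASSWD = {"nilyushkin": "/home/nilyushkin", "guest": "/nonexistent"}
SAMPLE_GROUPS = {"devs": {"nilyushkin"}}


def parse_username_map(text):
    """Return [(unix_name, [patterns], stop_on_match), ...]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if "=" not in line:
            continue
        left, right = (s.strip() for s in line.split("=", 1))
        rules.append((left.lstrip("!").strip(), right.split(), left.startswith("!")))
    return rules


def _matches(pattern, name, groups):
    bare = name.rsplit("\\", 1)[-1].lower()
    if pattern == "*":
        return True
    if pattern.startswith("@"):
        return bare in groups.get(pattern[1:], set())
    # A domain-qualified pattern must match the full name; a bare one the bare name.
    return pattern.lower() == (name.lower() if "\\" in pattern else bare)


def map_username(name, rules, groups):
    """Apply the rules in order; '!' lines end processing once they match."""
    for unix_name, patterns, stop in rules:
        if any(_matches(p, name, groups) for p in patterns):
            name = unix_name
            if stop:
                break
    return name


def diagnose(login, map_text, passwd, groups):
    """Map a login and report whether the result is an account nsswitch knows."""
    unix_name = map_username(login, parse_username_map(map_text), groups)
    return unix_name, unix_name in passwd
```

A mapped name that is not in the passwd table is the case to look for first when the map breaks a login that works without it.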