

Enabling Samba Support with JumpCloud LDAP

Enabling Samba support allows LDAP users to authenticate to endpoints that require Samba attributes in the LDAP directory. This article explains the JumpCloud side of the configuration. Configuration of the endpoint that authenticates to JumpCloud varies and may require vendor documentation to complete. An example smb.conf file is attached in the footer of this document.

Before applying a Samba configuration, read and understand the following KBs:

Compatibility:
  • Samba Server version 3 & 4
  • Samba 4 LDAP schema

Security Risks:
  • Samba servers are inherently less secure than the other technologies JumpCloud integrates with, because Samba authenticates with NT password hashes, which are plaintext-equivalent: for authentication purposes, possession of the hash is as good as possession of the password. See more about Samba password hashing at samba.org.
  • For JumpCloud LDAP to authenticate users to a Samba server, the NT password hash must be stored in the LDAP directory; it is held in the sambaNTPassword attribute.

Risk Mitigation:
  • ACLs restrict access to the sambaNTPassword attribute: only the Samba Service Account can read this field when binding to or searching the LDAP tree. Use a strong password for the Samba Service Account.
  • Samba attributes are enabled at the group level. Users who don't belong to a Samba-enabled group will not get Samba attributes. Don't add users to a Samba-enabled group unless they need to access a Samba resource.
  • StartTLS or SSL is required to return all Samba attributes. If you bind to LDAP in cleartext, JumpCloud will NOT return the sambaNTPassword attribute in the results.

Configuring Samba Authentication

The Samba authentication configuration is found under the Directories object > JumpCloud LDAP > Details tab. The fields are:

WORKGROUP
  The default value of 'WORKGROUP' should be changed to match the workgroup defined in the Samba server configuration. Samba servers acting as a primary or member domain controller are not supported.

SID
  The default value is generated automatically. In certain cases this may need to match the SID of your Samba server.*

Samba Service Account
  This account is granted access to the sambaNTPassword attribute and should be used in the Samba server's LDAP configuration for binding to and searching the JumpCloud LDAP directory. Only one user may be defined as the Samba Service Account per organization. It is recommended to create an account specifically for the Samba Service configuration. Non-Samba LDAP resources should be configured with a separate, standard LDAP Bind DN user.

Samba Service Account DN
  The DN for the Samba Service Account is the same as the regular Bind DN discussed in Using JumpCloud’s LDAP-as-a-Service, and is the syntax typically used in the Samba server's LDAP configuration for binding to and searching the JumpCloud LDAP directory.
 
* To get the Samba SID, run the following as root on the Samba server:
$ net getlocalsid

Enable Samba Authentication

Once Samba authentication is configured for LDAP, it must be explicitly enabled on a per-group basis. For certain applications, a Linux (posixGroup) group must be created for groups to be presented correctly to the Samba server. Refer to your vendor's documentation to confirm whether this is needed.



To enable Samba for the group, you must confirm a security warning about the new Samba attributes. The group will also be bound to LDAP if it is not already. Once acknowledged, save the user group. Samba-enabled users can be found by filtering on the sambaSamAccount objectClass. See the Schema Example section below.

Ongoing LDAP Management

For ongoing management, and an 'at a glance' view of who has access to LDAP and Samba, you can view and manage Samba access from the User Groups tab of the LDAP directory.



On the Users tab, LDAP access and LDAP Bind DN status can be toggled on a per-user basis.



Schema Example
 
# jvoigt, Users, 58ed0b640a775e3a595a33db, jumpcloud.com
dn: uid=jvoigt,ou=Users,o=58ed0b640a775e3a595a33db,dc=jumpcloud,dc=com
givenName: Jens
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
objectClass: jumpcloudUser
objectClass: sambaSamAccount
loginShell: /bin/bash
homeDirectory: /home/jvoigt
mail: jvoigt@yourdomain.local
sambaPrimaryGroupSID: S-1-2-21-1491929956-0175594634-1499083739-11265
uid: jvoigt
uidNumber: 5132
sambaAcctFlags: [U]
sambaDomainName: WORKGROUP
sambaSID: S-1-2-21-1491929956-0175594634-1499083739-11264
gidNumber: 5132
sambaPwdLastSet: -1
sn: Voigt
sambaNTPassword: A2B8AD99D0F0B2EA1775EFA1403C08C8
cn: Jens Voigt
memberOf: cn=LDAP Fileserver,ou=Users,o=58ed0b640a775e3a595a33db,dc=jumpcloud,
 dc=com
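The following Python script is an added example; it is not JumpCloud's code and is not part of this article. It parses an LDIF export such as the entry above (including the folded memberOf line) and audits it against the points made earlier: sambaNTPassword should appear only on sambaSamAccount entries, its absence from a Samba-enabled entry usually means the search was run over a cleartext bind, and sambaDomainName and the domain portion of every SID should match the WORKGROUP and SID configured in JumpCloud. The sample LDIF is constructed: the jvoigt entry is trimmed from the schema example above, while the tsmith and plain entries are hypothetical.

```python
"""Audit an LDIF export of JumpCloud LDAP users for Samba attribute hygiene.
Added example, not JumpCloud code. Checks: only sambaSamAccount entries carry
sambaNTPassword; a Samba-enabled entry lacking it was likely exported over a cleartext
bind (JumpCloud withholds the hash without StartTLS/SSL); sambaDomainName equals the
WORKGROUP; every SID sits under the directory's domain SID."""
import base64
import re
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample: jvoigt mirrors the article's schema example; tsmith and
# plain are hypothetical entries added to exercise the checks.
SAMPLE_LDIF = """\
# jvoigt, Users, 58ed0b640a775e3a595a33db, jumpcloud.com
dn: uid=jvoigt,ou=Users,o=58ed0b640a775e3a595a33db,dc=jumpcloud,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: jvoigt
sambaDomainName: WORKGROUP
sambaSID: S-1-2-21-1491929956-0175594634-1499083739-11264
sambaPrimaryGroupSID: S-1-2-21-1491929956-0175594634-1499083739-11265
sambaNTPassword: A2B8AD99D0F0B2EA1775EFA1403C08C8
memberOf: cn=LDAP Fileserver,ou=Users,o=58ed0b640a775e3a595a33db,dc=jumpcloud,
 dc=com

# tsmith: Samba-enabled, wrong workgroup, exported over a cleartext bind
dn: uid=tsmith,ou=Users,o=58ed0b640a775e3a595a33db,dc=jumpcloud,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: tsmith
sambaDomainName: OLDGROUP
sambaSID: S-1-2-21-1491929956-0175594634-1499083739-11266

# plain: LDAP-only user, not in any Samba-enabled group
dn: uid=plain,ou=Users,o=58ed0b640a775e3a595a33db,dc=jumpcloud,dc=com
objectClass: posixAccount
uid: plain
"""

def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF: a line starting with one space continues the previous line, '#' lines
    are comments, blank lines separate entries, 'attr:: <data>' carries base64."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in re.sub(r"\n ", "", text).splitlines():  # unfold continuation lines
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)  # repeated attrs are multi-valued
    if current:
        entries.append(current)
    return entries

def samba_enabled(entry: Entry) -> bool:
    return "sambaSamAccount" in entry.get("objectClass", [])

def samba_users(entries: List[Entry]) -> List[str]:
    return [e["uid"][0] for e in entries if samba_enabled(e) and "uid" in e]

def domain_sid_of(sid: str) -> str:
    return sid.rsplit("-", 1)[0]  # drop the trailing RID

def audit(entries: List[Entry], workgroup: str, domain_sid: str) -> List[str]:
    """Return one finding per violated check (an empty list means clean)."""
    findings: List[str] = []
    for e in entries:
        uid = e.get("uid", ["<no uid>"])[0]
        enabled, has_hash = samba_enabled(e), "sambaNTPassword" in e
        if has_hash and not enabled:
            findings.append(f"{uid}: sambaNTPassword on an entry without sambaSamAccount")
        if not enabled:
            continue
        if not has_hash:
            findings.append(f"{uid}: sambaNTPassword missing; re-export over StartTLS/SSL")
        for name in e.get("sambaDomainName", []):
            if name != workgroup:
                findings.append(f"{uid}: sambaDomainName {name} != WORKGROUP {workgroup}")
        for sid in e.get("sambaSID", []) + e.get("sambaPrimaryGroupSID", []):
            if domain_sid_of(sid) != domain_sid:
                findings.append(f"{uid}: {sid} is outside domain SID {domain_sid}")
    return findings

if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    print("Samba-enabled users:", samba_users(users))
    for f in audit(users, "WORKGROUP", "S-1-2-21-1491929956-0175594634-1499083739"):
        print("FINDING:", f)
```

To use it on a real directory, feed it an export taken with the Samba Service Account over StartTLS (for example ldapsearch -ZZ -LLL) and pass the WORKGROUP and SID values shown on the JumpCloud LDAP Details tab; an empty finding list means the exported entries agree with that configuration, while a run of "sambaNTPassword missing" findings across every Samba-enabled user is the signature of an export made over a cleartext bind.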
Last Updated: Apr 18, 2019 09:20AM MDT
