Configure Samba Support to use Cloud LDAP

Enabling Samba support allows LDAP users to authenticate to endpoints that require Samba attributes within the LDAP directory. This article explains the JumpCloud configuration. Configuration of the endpoint authenticating to JumpCloud varies and may require vendor documentation to complete. 

Before applying a Samba configuration, read and understand the following compatibility notes and security considerations:

Compatibility:

  • Samba Server version 3 & 4
  • Samba 4 LDAP schema

Security Risks:

  • Samba servers are inherently less secure than the other technologies JumpCloud integrates with, because Samba authenticates with the NT password hash, which is plaintext-equivalent: it is an unsalted MD4 of the password, so whoever obtains it can use it directly in NTLM authentication (pass-the-hash) or crack it offline with a dictionary. See samba.org for details of Samba password hashing.
  • For JumpCloud LDAP to authenticate users to a Samba server, the NT password hash must be stored in the LDAP directory. It is held in the sambaNTPassword attribute.
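As an added illustration of why the NT hash is treated as password-equivalent (this is example code written for this article, not JumpCloud's or Samba's code), the following Python computes the hash exactly as it appears in sambaNTPassword and shows that, with no salt, a leaked value can be recovered by a plain dictionary lookup. MD4 is implemented inline because hashlib's md4 is often unavailable under OpenSSL 3; the wordlist and test passwords are constructed for the example.

```python
"""Compute the NT hash that Samba stores (and that JumpCloud returns in
sambaNTPassword) and show why it is password-equivalent. Example code added
to this article, not JumpCloud's or Samba's code. MD4 is implemented inline
because hashlib's md4 is frequently disabled under OpenSSL 3."""
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


# (function, message-word order, per-step shifts, additive constant) for the
# three MD4 rounds, as in RFC 1320.
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), tuple(range(16)), (3, 7, 11, 19), 0),
    (lambda x, y, z: (x & y) | (x & z) | (y & z),
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
    (lambda x, y, z: x ^ y ^ z,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
)


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)     # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for f, order, shifts, k in _ROUNDS:
            for i, j in enumerate(order):
                t = (-i) % 4                    # register updated: a, d, c, b, ...
                v[t] = _rotl((v[t] + f(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4])
                              + x[j] + k) & MASK, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash exactly as stored in sambaNTPassword: MD4 over the UTF-16LE
    encoding of the password, with no salt and no iteration, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def recover_password(stored_hash: str, wordlist):
    """Dictionary attack on a leaked sambaNTPassword value. One MD4 per
    candidate is all it takes because nothing salts the hash."""
    target = stored_hash.upper()
    for candidate in wordlist:
        if nt_hash(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed demo values; "password" is the classic NT-hash test input.
    stored = nt_hash("password")
    print("sambaNTPassword:", stored)
    print("same password, same hash:", nt_hash("password") == stored)
    print("recovered:", recover_password(stored, ["letmein", "Summer2024", "password"]))
```

Two users with the same password get identical sambaNTPassword values, and an attacker who reads the attribute does not even need to crack it to authenticate over NTLM. That is why the attribute is ACL-restricted to the Samba Service Account, why Samba attributes are scoped to groups, and why a TLS-protected bind is required before it is returned.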

Risk Mitigation:

  • ACLs restrict access to the sambaNTPassword attribute: only the Samba Service Account can read it when binding to and searching the LDAP tree. Use a strong password for the Samba Service Account.
  • Samba attributes are enabled at the group level. Users who do not belong to a Samba-enabled group do not get Samba attributes. Do not add users to a Samba-enabled group unless they need to access a Samba resource.
  • StartTLS or LDAPS (SSL/TLS) is required to return the full set of Samba attributes. If you bind to LDAP in cleartext, JumpCloud will NOT return sambaNTPassword in the results.

Creating a Samba Service Account

  1. On the Admin Portal, go to User Administration > Users.
  2. Click + and create a user manually.
  3. Under User Information, set the required attributes username and email address.
  4. Expand User Security Settings and Permissions and check Enable as LDAP Bind DN.

Configuring Samba Authentication

You can configure Samba authentication where you configure JumpCloud LDAP.

  • WORKGROUP: The default value of WORKGROUP should be changed to match the workgroup defined in the Samba server configuration. Samba servers acting as a primary or member domain controller are not supported.
  • SID: The default value is generated automatically. In certain cases it must match the SID of your Samba server. To get the Samba server's SID, run the following as root on the Samba server: net getlocalsid
  • Samba Service Account: This account is granted access to the sambaNTPassword attribute and should be the account used in the Samba server LDAP configuration for binding to and searching the JumpCloud LDAP directory. Only one user may be defined as the Samba Service Account per organization.

Note:

It's recommended to create an account specifically for the Samba Service configuration. Non-Samba LDAP resources should be configured with a separate, standard LDAP Bind DN user.

  • Samba Service Account DN: The DN for the Samba Service account is the same as the regular Bind DN as discussed in Use Cloud LDAP and is the typical syntax used in the Samba server LDAP configuration for binding/searching the JumpCloud LDAP directory.

Enabling Samba Authentication

Once Samba Authentication is configured for LDAP, it must be explicitly enabled on a per-group basis. In certain applications, a Linux (posixGroup) group must be created for group presentation to function properly with the Samba server. Refer to your vendor's documentation to confirm if this is needed.

To enable Samba for the group, you must acknowledge a security warning about the new Samba attributes. The group is also bound to LDAP if it was not already. Once acknowledged, save the user group. Users that carry Samba attributes can be found with an LDAP filter on objectClass=sambaSamAccount. See the schema example below.

Ongoing LDAP Management

For ongoing management, and an at-a-glance view of who has access to LDAP and Samba, you can see and manage Samba access from the User Groups tab of the LDAP directory.

On the Users tab, access to LDAP and LDAP Bind DN status can be toggled on a per-user basis.

Schema Example

# jvoigt, Users, 58ed0b640a775e3a595a33db, jumpcloud.com
dn: uid=jvoigt,ou=Users,o=58ed0b640a775e3a595a33db,dc=jumpcloud,dc=com
givenName: Jens
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
objectClass: jumpcloudUser
objectClass: sambaSamAccount
loginShell: /bin/bash
homeDirectory: /home/jvoigt
mail: [email protected]
sambaPrimaryGroupSID: S-1-2-21-1491929956-0175594634-1499083739-11265
uid: jvoigt
uidNumber: 5132
sambaAcctFlags: [U]
sambaDomainName: WORKGROUP
sambaSID: S-1-2-21-1491929956-0175594634-1499083739-11264
gidNumber: 5132
sambaPwdLastSet: -1
sn: Voigt
sambaNTPassword: A2B8AD99D0F0B2EA1775EFA1403C08C8
cn: Jens Voigt
memberOf: cn=LDAP Fileserver,ou=Users,o=58ed0b640a775e3a595a33db,dc=jumpcloud,dc=com
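The mitigations listed under Risk Mitigation can be verified rather than assumed. The following Python, added here as an example and not JumpCloud's code, parses LDIF such as `ldapsearch -LLL` output and flags an entry whose sambaNTPassword was returned to a bind other than the Samba Service Account, whose hash is missing even though the search ran as the service account over StartTLS, or whose SIDs and sambaDomainName do not match the configured SID and WORKGROUP. The embedded LDIF is a constructed sample modelled on the schema example above, not a real user, and the domain SID is assumed to be what `net getlocalsid` printed on the Samba server.

```python
"""Audit Samba attributes in LDIF (e.g. `ldapsearch -LLL` output) from the
JumpCloud LDAP directory. Example code added to this article, not JumpCloud's."""
import base64
import re

# Assumed configuration: the SID printed by `net getlocalsid` on the Samba
# server and the workgroup set in both smb.conf and the JumpCloud LDAP settings.
DOMAIN_SID = "S-1-2-21-1491929956-0175594634-1499083739"
WORKGROUP = "WORKGROUP"

# Constructed sample modelled on the schema example; the hash is not a real
# user's credential. This is what the Samba service account sees over StartTLS.
SAMPLE_LDIF_TLS = """\
# jvoigt, Users, 58ed0b640a775e3a595a33db, jumpcloud.com
dn: uid=jvoigt,ou=Users,o=58ed0b640a775e3a595a33db,dc=jumpcloud,dc=com
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: jvoigt
uidNumber: 5132
gidNumber: 5132
sambaDomainName: WORKGROUP
sambaSID: S-1-2-21-1491929956-0175594634-1499083739-11264
sambaPrimaryGroupSID: S-1-2-21-1491929956-0175594634-1499083739-11265
sambaAcctFlags: [U]
sambaNTPassword: A2B8AD99D0F0B2EA1775EFA1403C08C8
memberOf: cn=LDAP Fileserver,ou=Users,o=58ed0b640a775e3a595a33db,
 dc=jumpcloud,dc=com
"""
# The same search over a cleartext bind must come back without the hash.
SAMPLE_LDIF_CLEARTEXT = "".join(
    line for line in SAMPLE_LDIF_TLS.splitlines(keepends=True)
    if not line.startswith("sambaNTPassword:"))

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")


def _add_line(entry, line):
    """Store one logical LDIF line ("attr: value" or "attr:: base64")."""
    if line.startswith("#"):
        return
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        value = base64.b64decode(rest[1:].strip()).decode("utf-8")
    else:
        value = rest.strip()
    entry.setdefault(name.strip().lower(), []).append(value)


def parse_ldif(text):
    """Return a list of entries: {lower-cased attribute: [values]}.
    Handles comments, folded continuation lines and blank-line separators."""
    entries, entry, pending = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and pending is not None:
            pending += raw[1:]          # continuation of the previous line
            continue
        if pending is not None:
            _add_line(entry, pending)
            pending = None
        if raw.strip() == "":           # blank line terminates the entry
            if entry:
                entries.append(entry)
                entry = {}
            continue
        pending = raw
    if pending is not None:
        _add_line(entry, pending)
    if entry:
        entries.append(entry)
    return entries


def audit_entry(entry, expect_hash, domain_sid=DOMAIN_SID, workgroup=WORKGROUP):
    """Return a list of findings for one entry (empty means it looks right).
    expect_hash=True: the search ran as the Samba Service Account over
    StartTLS/LDAPS, so sambaNTPassword must be present.
    expect_hash=False: any other bind, where the attribute must be withheld."""
    dn = entry.get("dn", ["<no dn>"])[0]
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "sambasamaccount" not in classes:
        return [f"{dn}: not a sambaSamAccount entry"]
    findings = []
    if entry.get("sambadomainname", [None])[0] != workgroup:
        findings.append(f"{dn}: sambaDomainName does not match workgroup {workgroup}")
    for attr in ("sambasid", "sambaprimarygroupsid"):
        if attr not in entry:
            findings.append(f"{dn}: missing {attr}")
        for sid in entry.get(attr, []):
            rid = sid[len(domain_sid) + 1:]
            if not sid.startswith(domain_sid + "-") or not rid.isdigit():
                findings.append(f"{dn}: {attr} {sid} is not under domain SID {domain_sid}")
    hashes = entry.get("sambantpassword", [])
    if expect_hash and not hashes:
        findings.append(f"{dn}: sambaNTPassword missing (not bound as the Samba "
                        "service account, or bound without TLS?)")
    if not expect_hash and hashes:
        findings.append(f"{dn}: sambaNTPassword returned to a non-service bind; check the ACL")
    for h in hashes:
        if not HEX32.match(h):
            findings.append(f"{dn}: malformed sambaNTPassword {h!r}")
    return findings


def audit_ldif(text, expect_hash):
    """Audit every entry in an LDIF document; returns {dn: [findings]}."""
    return {e.get("dn", ["<no dn>"])[0]: audit_entry(e, expect_hash)
            for e in parse_ldif(text)}
```

Run the search twice against the real directory, once as the Samba Service Account with StartTLS and once as an ordinary Bind DN user, and pass each result to audit_ldif with expect_hash set accordingly: both audits should come back with no findings, and any entry that reports the hash on the second run means the ACL or the group scoping is not what the article describes.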
