Enabling Samba support allows LDAP users to authenticate to endpoints that require Samba attributes within the LDAP directory. This article explains the JumpCloud configuration. Configuration of the endpoint authenticating to JumpCloud varies and may require vendor documentation to complete.
To apply a Samba configuration, read and understand the following articles:
Compatibility:
- Samba Server version 3 & 4
- Samba 4 LDAP schema
Security Risks:
- Samba servers are inherently less secure than other technologies JumpCloud integrates with because they use plaintext-equivalent password hashing for authentication: possession of the NT hash is enough to authenticate as that user. See more about Samba password hashing at samba.org.
- In order for JumpCloud LDAP to authenticate users to a Samba server, we must store the NT password hash in the LDAP directory; it is contained in the sambaNTPassword attribute.
Risk Mitigation:
- ACLs are in place to restrict access to the sambaNTPassword attribute. Only the Samba Service account is able to access this field when binding/searching the LDAP tree. Use a strong password for the Samba Service account.
- Samba attributes are enabled at the group level. Users that don't belong to a Samba enabled group will not get Samba attributes. Don't enable Samba group membership for users that don't need to access a Samba resource.
- StartTLS or SSL is required to return all Samba attributes. If you attempt to bind to LDAP in cleartext, JumpCloud will NOT return the sambaNTPassword in the results.
Creating a Samba Service Account
- Log in to the JumpCloud Admin Portal.
- Go to USER MANAGEMENT > Users.
- Click ( + ) and create a user manually.
- Under User Information, set the required attributes username and email address.
- Expand User Security Settings and Permissions and check Enable as LDAP Bind DN.
Configuring Samba Authentication
You can configure Samba authentication where you configure JumpCloud LDAP.
- WORKGROUP: The default value of WORKGROUP should be changed to match the value defined for the workgroup in the Samba server configuration. Samba servers acting as a primary or member domain controller are not supported.
- SID: The default value is automatically generated. In certain cases, this may need to match the SID of your Samba server. To get the Samba server's SID, run the following as root on the Samba server: net getlocalsid
- Samba Service Account: This account will be granted access to the sambaNTPassword attribute and should be used in the Samba server LDAP configuration for binding/searching the JumpCloud LDAP directory. Only one user may be defined as the Samba Service Account per Organization.
It's recommended to create an account specifically for the Samba Service configuration. Non-Samba LDAP resources should be configured with a separate, standard LDAP Bind DN user.
- Samba Service Account DN: The DN for the Samba Service account is the same as the regular Bind DN as discussed in Use Cloud LDAP and is the typical syntax used in the Samba server LDAP configuration for binding/searching the JumpCloud LDAP directory.
Enabling Samba Authentication
Once Samba Authentication is configured for LDAP, it must be explicitly enabled on a per-group basis. In certain applications, a Linux (posixGroup) group must be created for group presentation to function properly with the Samba server. Refer to your vendor's documentation to confirm if this is needed.
For Samba to be enabled for the group, you must confirm a security warning regarding the new Samba Attributes. The group will also be bound to LDAP if it has not already been. Once acknowledged, save the User group. All users can be filtered on the sambaSamAccount objectClass. See below for a schema example.
Ongoing LDAP Management
For ongoing management and an at-a-glance view of who has access to LDAP and Samba, you can view and manage Samba access from the User Group tab of the LDAP directory.
On the Users tab, access to LDAP and LDAP Bind DN status can be toggled on a per-user basis.
Schema Example
# jvoigt, Users, 58ed0b640a775e3a595a33db, jumpcloud.com
dn: uid=jvoigt,ou=Users,o=58ed0b640a775e3a595a33db,dc=jumpcloud,dc=com
givenName: Jens
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
objectClass: jumpcloudUser
objectClass: sambaSamAccount
loginShell: /bin/bash
homeDirectory: /home/jvoigt
mail: [email protected]
sambaPrimaryGroupSID: S-1-2-21-1491929956-0175594634-1499083739-11265
uid: jvoigt
uidNumber: 5132
sambaAcctFlags: [U]
sambaDomainName: WORKGROUP
sambaSID: S-1-2-21-1491929956-0175594634-1499083739-11264
gidNumber: 5132
sambaPwdLastSet: -1
sn: Voigt
sambaNTPassword: A2B8AD99D0F0B2EA1775EFA1403C08C8
cn: Jens Voigt
memberOf: cn=LDAP Fileserver,ou=Users,o=58ed0b640a775e3a595a33db,dc=jumpcloud,dc=com
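As an added example (not JumpCloud's code), the following Python audits an LDIF export of Samba-enabled users: it applies the sambaSamAccount objectClass filter described above, checks that each entry's SIDs fall under the configured domain SID and that sambaDomainName matches the WORKGROUP, and flags a sambaNTPassword that was returned without StartTLS/SSL. The sample LDIF, the minimal parser and the over_tls flag are assumptions; the SID and hash values are copied from the schema example.

```python
# Values from the page's schema example: the domain part of its SIDs and the default WORKGROUP.
DOMAIN_SID = "S-1-2-21-1491929956-0175594634-1499083739"
WORKGROUP = "WORKGROUP"
# Constructed sample LDIF: the page's jvoigt entry (trimmed) plus a non-Samba user to be filtered out.
SAMPLE_LDIF = """\
dn: uid=jvoigt,ou=Users,o=58ed0b640a775e3a595a33db,dc=jumpcloud,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: jvoigt
sambaDomainName: WORKGROUP
sambaSID: S-1-2-21-1491929956-0175594634-1499083739-11264
sambaPrimaryGroupSID: S-1-2-21-1491929956-0175594634-1499083739-11265
sambaNTPassword: A2B8AD99D0F0B2EA1775EFA1403C08C8

dn: uid=asmith,ou=Users,o=58ed0b640a775e3a595a33db,dc=jumpcloud,dc=com
objectClass: posixAccount
uid: asmith
"""

def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64 values) into {attr: [values]} dicts."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, val = line.partition(":")
            cur.setdefault(attr.strip(), []).append(val.strip())
    return entries

def samba_users(entries):
    """Same selection as the LDAP filter (objectClass=sambaSamAccount)."""
    return [e for e in entries if "sambaSamAccount" in e.get("objectClass", [])]

def audit_entry(entry, over_tls):
    """Return findings for one Samba-enabled entry; an empty list means it is clean."""
    findings = []
    for attr in ("sambaSID", "sambaPrimaryGroupSID"):
        sid = entry.get(attr, [""])[0]
        if not sid.startswith(DOMAIN_SID + "-"):
            findings.append(f"{attr} is not under the configured domain SID: {sid}")
    if entry.get("sambaDomainName", [""])[0] != WORKGROUP:
        findings.append("sambaDomainName does not match the configured WORKGROUP")
    nt_hash = entry.get("sambaNTPassword", [None])[0]
    if nt_hash and not over_tls:  # JumpCloud withholds this attribute on cleartext binds
        findings.append("sambaNTPassword returned without StartTLS/SSL")
    return findings
```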