August 18, 2010


Samba and LDAP DO NOT MIX

Recently I was tasked with helping a company implement a centralized authentication system, and they wanted to go all open source. This isn’t unreasonable in my book, though it is a little unusual. Of course the words “Open Source Authentication” directly translate to LDAP; the only question is which LDAP software you’re going to use. There are a number of options including OpenLDAP (slapd), Fedora Directory Server (389), OpenDS, Apache Directory Server, and a handful of smaller projects. On top of the LDAP directory they wanted me to add a number of services including email and file sharing. This is the story of how Samba sucks…

We started off by researching and trying the LDAP providers. After some investigation and testing of OpenLDAP, we settled on OpenDS. I didn’t like OpenLDAP (though it is something of the “standard”), because it is just such a pain in the ass to administrate. Everything is command line and in LDAP-ese, which is probably ok if you’re a regular LDAPer, but I’m not and neither was the local IT department. OpenDS, while Java based (and I dislike Java on principle), was quite nice. You can click the 1-button “web start” and have it install and do everything automagically. I’ll (probably) cover it in more detail in a later post.

So now we have OpenDS 2.2 set up and running well with the prospective email system. Next on the list of “critical” services was Samba, which is what they were already using, and Samba claims to be LDAP compatible. Since we were running Ubuntu 10.04, I simply apt-get installed the Samba 3.4 series and the necessary LDAP tools. This is where things started to go poorly.

I won’t bore you with all the debug details, but I ended up spending probably 4 full days’ worth of time trying to get Samba working against LDAP properly. I’ll admit that it could have been slightly faster, as I’m not terribly experienced with LDAP and had to learn some of it on the go. That being said, I’m used to open source, and the requisite learning on the go. From the best I can tell, Samba 3.4 makes a number of small changes which are basically undocumented and is designed to talk to OpenLDAP (slapd) only. One of the “small” changes in Samba I noticed was that the smb.conf option of “valid users =” is now simply “users =”, and it doesn’t notify you of its deprecation. It simply ignores “valid users =” as an unknown option. Fan-freakin-tastic.

In the end, I could not manage to get Samba to talk to OpenLDAP using SSL or StartTLS. I did eventually get Samba to authenticate using my LDAP accounts, but that required a LOT of special objectClasses and extra miscellaneous information in the LDAP directory. I don’t mind having to have extra information in LDAP, as that is what it is good for, but having its own style for group user lists, user IDs and passwords borders on asinine. I know it is a throwback to its original build, but UPDATE THE CODE PEOPLE.

In the end, Samba was abandoned because it flatly ignored my groups. Once you authenticated to Samba with a valid LDAP username and password, you had access to every share. I tried my damnedest to make shares in Samba that I couldn’t access. I set up special groups, I used groups that didn’t exist… everything I could think of and nothing worked. There is a point of diminishing returns and I had hit it. In the end, with a mostly Linux/Mac user environment, there is no reason to use Samba.

I found a better option: WebDAV. I configured Apache 2.2 with mod_dav and mod_authnz_ldap. In an hour and a half, I had it up, providing access to files from multiple “shares” AND authenticating properly to OpenDS’s LDAP (over SSL, mind you) with full support of my existing groups. Want to know how many changes I had to make to my base LDAP schema (sans Samba junk) to get this working? None. Not a single change at all. Kick ass.
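What a group-restricted WebDAV share of that kind looks like, as an added example (my own illustration, not the configuration from the original post): it assumes Apache 2.2 with mod_ssl, mod_dav, mod_dav_fs, mod_ldap and mod_authnz_ldap loaded, a hypothetical OpenDS server at ldap.example.com under dc=example,dc=com, and plain groupOfUniqueNames groups in ou=Groups, with no Samba schema at all.

```apache
# Added example; hostnames, DNs and paths are placeholders, not the author's.
# Verify the directory's certificate so "over SSL" actually means something.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/opends-ca.pem
LDAPVerifyServerCert On

<VirtualHost *:443>
    ServerName files.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/files.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/files.example.com.key

    # mod_dav_fs needs a lock database it can write.
    DavLockDB /var/lock/apache2/DavLock

    # Share 1: only members of cn=finance may read or write.
    Alias /finance /srv/dav/finance
    <Directory /srv/dav/finance>
        Dav On
        SSLRequireSSL
        AuthType Basic
        AuthName "Finance share"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on
        # Users live in ou=People and are looked up by uid.
        AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
        # Read-only service account used only for the search; keep the
        # password out of world-readable config files.
        AuthLDAPBindDN "cn=apache-bind,ou=Services,dc=example,dc=com"
        AuthLDAPBindPassword "REPLACE-WITH-BIND-PASSWORD"
        # groupOfUniqueNames stores full member DNs in uniqueMember.
        AuthLDAPGroupAttribute uniqueMember
        AuthLDAPGroupAttributeIsDN on
        Require ldap-group cn=finance,ou=Groups,dc=example,dc=com
    </Directory>

    # Share 2: cn=staff may read, only cn=admins may modify. In 2.2 any
    # matching Require satisfies the check, so the read and write rules
    # are split by method instead of stacked in one <Directory>.
    Alias /public /srv/dav/public
    <Directory /srv/dav/public>
        Dav On
        SSLRequireSSL
        AuthType Basic
        AuthName "Public share"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on
        AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
        AuthLDAPBindDN "cn=apache-bind,ou=Services,dc=example,dc=com"
        AuthLDAPBindPassword "REPLACE-WITH-BIND-PASSWORD"
        AuthLDAPGroupAttribute uniqueMember
        AuthLDAPGroupAttributeIsDN on
        <Limit GET OPTIONS PROPFIND>
            Require ldap-group cn=staff,ou=Groups,dc=example,dc=com
        </Limit>
        <LimitExcept GET OPTIONS PROPFIND>
            Require ldap-group cn=admins,ou=Groups,dc=example,dc=com
        </LimitExcept>
    </Directory>
</VirtualHost>
```

A quick check after a reload is to PROPFIND each share with a user from the wrong group and confirm a 401, and to PUT into /public as a staff member and confirm it is refused while an admin succeeds.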

So to summarize: Samba is old and outdated. It shouldn’t be used to share files unless absolutely necessary. While supposedly supporting LDAP in general, it doesn’t work. Most of the Samba/LDAP configuration is centered around acting as a PDC (Editor’s note: Primary Domain Controller), and very little covers simply sharing files. Lastly, its documentation (the official Samba website) is old and broken, literally 404’ing in many cases.