Samba4 LDAP Integration

Pierre Filippone pierre.filippone at
Thu Oct 28 10:38:10 GMT 2004

>> Hi,
>> we use Samba 3 as domain controllers for a Citrix server farm and in 
>> near future we are planning to use these DCs also for the rest of our 
>> network. 
>> Although it works very well, in the forseeable future we will be 
>> to offer some sort of AD emulation, unless we get rid of Windows OSes 
>> our desktops, which I don't see at the moment. Longhorn will probably 
>> support non-AD DCs any more.
>Personally, I would be surprised.  NT4 is still out there...
>But your point is valid, and that is why we are working so hard on

I bet MS is working hard on introducing AD to all companies that 
succesfully denied to upgrade until now. Usually dropping backward 
compatibility is a good argument to increase the upgrade pressure... 

>> The question that arises for us is, how difficult the migration from 
>> 3 to Samba 4 will be, especially regarding the LDAP backend. At the 
>> we have a perfect integration of all samba related attributes in our 
>> existing user entries. Simply add samba attributes and go. 
>> Will it stay like this in Samba4, meaning that we can keep our existing 

>> structure in openldap, at least regarding users and groups, and samba4 
>> will present some kind of translated LDAP view to MS clients ? 
>> Or are you planning to put AD entries directly into openldap, which 
>> the integration of our existing entries difficult or impossible.
>> Has there already been made a decision or is it too early to ask this 
>> question ?
>This is a very good time to start looking into this area.  Currently,
>the Samba4 modal assumes either that OpenLDAP contains support for all
>the AD attributes, or that you use Samba4's ldb local storage in a TDB.
>Clearly, this just will not work for your site, and many others.  What I
>think we need to do is write another LDB backend, that understands more
>about the semantic mapping, and provides a proxy service.

>From my point of view as an Openldap and Samba administrator it would be 
great if I could use our existing user, machine and group entries for 
samba4, because we use those entries for a lot of different non-MS 
services. And until now it was never necessary for us, to hold redundant 
data under a different LDAP branch. Most of the user information I see in 
AD I already have in our ldapserver, of course under a different 
structural object class and as different attributes. 
If I understood you correctly, with semantic mapping and proxy server you 
meant a proxy LDAP server which translates those attributes I already have 
to those needed by an AD client. Sounds great, but also sounds like a lot 
of work for you. Maybe use an extended samba 3 schema in a kerberised 
openldap for users, groups and machines, and place all other AD only 
entries in different branches in openldap using Microsoft schemas ? Hmm... 
I have no idea, if this could work and if it is not simply much to 

The XAD approach seems much simpler and why not simply use a dedicated 
openldap and synchronize data using some scripts and use our existig 
openldap as metadirectory ? While writing this, I start liking that idea 
because it keeps things simpler and clearer. 

I do not envy you about making that decision. 
By the way, Samba 2 + 3 do a great job at our site.

Pierre Filippone

More information about the samba-technical mailing list