samba with openldap provisioning

Andrew Bartlett abartlet at samba.org
Thu Aug 1 17:22:27 MDT 2013


On Thu, 2013-08-01 at 18:10 +0200, Marc Muehlfeld wrote:
> Hello,
> 
> On 01.08.2013 11:53, Nadezhda Ivanova wrote:
> > I've been trying to provision samba to use openldap backend, but have been
> > unsuccessful so far, and as there are no error messages, I am not sure if I
> > am doing something wrong or it is a bug introduced after development was
> > discontinued. The howto has been removed from the wiki. I have a working
> > installation of OpenLDAP - installed but not running (running or not, it
> > seems to make no difference). I was unable to find if some special openldap
> > configuration was needed, so I only have one database configured for my
> > domain.
> >
> > This is my command line:
> >
> > /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --realm=
> > nadya.com --domain=testdomain --host-name=drizzit --host-ip=127.0.0.1
> > --adminpass=Secret123 --root=root --server-role="domain controller"
> > --ldapadminpass=secret --ldap-backend-type=openldap -d 7
> 
> If you want to set up a Samba AD DC, you must use the built-in LDAP 
> server and can't use any external one. See
> 
> https://wiki.samba.org/index.php/FAQ#Is_it_planned_to_support_openLDAP_as_backend_again.3F
> 
> But the internal LDAP has many advantages (automatic replication 
> with every additional DC, easy ACL management, etc.). And here I also 
> store a lot of additional information in the Samba AD. Everything I had in my 
> openLDAP before (when I ran the old NT4 style domain) could be 
> transferred to LDAP (for most of the additional stuff you have to write a 
> short script yourself) and find a good place there.
> 
> Is there any special reason why you want an openLDAP backend and can't 
> use the Samba AD (LDAP)?

G'Day Marc,

Nadya is the exception that proves the rule above.  Mere mortals are
requested to just follow the FAQ, but Nadya is a member of the Samba Team
and is working to re-enable this support, in the hope that with
persistence and the backing of other talented folks like Howard Chu,
that it can be made to work.  

The evidence for her skill is that she is almost single-handedly
responsible for the NT ACL support in our AD DC, and I am confident that,
supported well, she will succeed in this challenge too.

(If successful it will still be the AD schema and semantics, but might
well scale much better than Samba can). 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz



