[Samba] samba4 & ldap?

Matthieu Patou mat at samba.org
Fri Nov 18 15:48:06 MST 2011

On 18/11/2011 18:43, Cybionet wrote:
> Greetings Adam,
> Just to be sure, because this post is interesting for those who build 
> solutions with Samba/OpenLDAP (like me, who have used it since 2004):
> 1. Samba4 doesn't support an LDAP backend, but has its own LDAPv3 server? 
> (ref.: http://wiki.samba.org/index.php/Samba4/FAQ)
Yes, initially we thought it could be possible to have an external LDAP 
server and use it, but it turns out not to be so simple because of the 
schema needed for Active Directory and also to support some 
functionality of AD (directory replication, for instance).

Making Samba4 use OpenLDAP is not impossible, but even if it were working 
it wouldn't be what users expect, as most people think it should/could 
be possible to say "hey Samba4, here is my LDAP server with my current 
data, please install whatever you need and then let's start the AD", 
whereas for the moment it's more like using OpenLDAP as backend storage 
for the AD database.
> 2. It's possible to use Samba4 as a Domain Controller without any 
> Windows Server?
Yes, I've been running a small site in production with only 1 Samba 4 
domain controller for more than 3 years now; lately I added a second 
Samba 4 server for failover.
> 3. And if yes, will it be possible to extend the schema like with 
> OpenLDAP or AD? For example, if I want to use it with other services like a 
> mail server.
Yes, it's possible, but for the moment the schema needs to be very 
complete: some schema objects need attributes that we should 
generate and that we don't generate for the moment. The lack of those 
attributes leads to schema corruption.

There are a couple of solutions for this; see 
http://samba.2283325.n4.nabble.com/Extending-samba4-schema-td3510357.html for 
more info.
> In short, will it be possible to continue using our solution, with the 
> incorporated Samba4 LDAP server and without any LDAP backend?
Normally it should; depending on the complexity of the schema it might 
be non-trivial to do. Just try, and if you have problems we can help you 
solve the problems you encounter.

> Thanks
> Robert
>   Adam Tauno Williams wrote:
>> On Thu, 2011-11-17 at 12:34 -0600, John Heim wrote:
>>> I am confused... Using an ldap server as a backend for samba4 is not
>>> recommended?
>> Not only not recommended, it will not work and is not supported.
>>> We are primarily a linux shop. We have an ldap database we use
>>> for authentication. I can't use that anymore if I switch to samba4?
>> Nope.
>> Active Directory provides an LDAP service (DSA) but Active Directory is
>> not LDAP.  It has very specific provisioning, security, and schema
>> rules.

Matthieu Patou
Samba Team
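The schema-extension point above (schema objects must be "very complete", and missing attributes corrupt the schema) is the kind of thing worth checking before an LDIF ever reaches the server. The following is an added example, not code from the thread or from the Samba project: a pre-flight lint for an AD-style schema-extension LDIF. It checks that every attributeSchema/classSchema entry carries the attributes the AD schema marks mandatory (per MS-ADTS), that attributeSyntax and oMSyntax agree, that schemaIDGUID is 16 raw bytes, and that lDAPDisplayName values are unique. Which of these Samba4 of that era generated for you is not stated in the mail, so the REQUIRED sets are an assumption: supply all of them yourself. The embedded LDIF is constructed for the example; the OID arc 1.3.6.1.4.1.99999 and the DC=samdom,DC=example,DC=com base are placeholders, not real assignments.

```python
"""Pre-flight lint for an AD-style schema-extension LDIF (added example,
not Samba code). Run it on the LDIF before handing it to the Samba4 DC."""
import base64
import re
import uuid

# Mandatory attributes for each schema object kind (assumption: require all
# of them in the LDIF rather than relying on the server to generate any).
REQUIRED = {
    "attributeSchema": {"cn", "lDAPDisplayName", "attributeID", "attributeSyntax",
                        "oMSyntax", "isSingleValued", "schemaIDGUID"},
    "classSchema": {"cn", "lDAPDisplayName", "governsID", "subClassOf",
                    "objectClassCategory", "defaultObjectCategory", "schemaIDGUID"},
}
# attributeSyntax OID -> the oMSyntax AD expects alongside it (common subset).
SYNTAX_PAIRS = {"2.5.5.1": "127", "2.5.5.8": "1", "2.5.5.9": "2", "2.5.5.10": "4",
                "2.5.5.11": "24", "2.5.5.12": "64", "2.5.5.16": "65"}
OID_RE = re.compile(r"^\d+(\.\d+)+$")
ATTR_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")


def new_schema_id_guid():
    """Fresh schemaIDGUID as an LDIF base64 value (16 random bytes)."""
    return base64.b64encode(uuid.uuid4().bytes).decode()


def parse_ldif(text):
    """Minimal LDIF reader: one {attr_lowercase: [bytes, ...]} dict per entry.
    Unfolds continuation lines and decodes '::' base64 values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.replace("\n ", "").splitlines():
            m = ATTR_RE.match(line)
            if not m:  # comments, '-' separators
                continue
            name, sep, raw = m.groups()
            value = base64.b64decode(raw) if sep == "::" else raw.strip().encode()
            entry.setdefault(name.lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries


def lint(entries):
    """Return human-readable problems; an empty list means the LDIF is clean."""
    problems, seen_names = [], set()
    for e in entries:
        dn = e.get("dn", [b"?"])[0].decode()
        classes = {v.decode().lower() for v in e.get("objectclass", [])}
        kind = next((k for k in REQUIRED if k.lower() in classes), None)
        if kind is None:
            continue  # not a schema object, nothing to check
        for req in sorted(REQUIRED[kind]):
            if req.lower() not in e:
                problems.append(f"{dn}: missing mandatory {req}")
        for oid_attr in ("attributeID", "governsID"):
            for v in e.get(oid_attr.lower(), []):
                if not OID_RE.match(v.decode()):
                    problems.append(f"{dn}: {oid_attr} {v.decode()!r} is not an OID")
        for g in e.get("schemaidguid", []):
            if len(g) != 16:
                problems.append(f"{dn}: schemaIDGUID must be 16 raw bytes, got {len(g)}")
        if kind == "attributeSchema":
            syn = e.get("attributesyntax", [b""])[0].decode()
            om = e.get("omsyntax", [b""])[0].decode()
            if syn in SYNTAX_PAIRS and om != SYNTAX_PAIRS[syn]:
                problems.append(f"{dn}: attributeSyntax {syn} expects oMSyntax "
                                f"{SYNTAX_PAIRS[syn]}, got {om or 'nothing'}")
        for n in e.get("ldapdisplayname", []):
            if n.lower() in seen_names:
                problems.append(f"{dn}: duplicate lDAPDisplayName {n.decode()}")
            seen_names.add(n.lower())
    return problems


def lint_text(text):
    return lint(parse_ldif(text))


# Constructed sample: a clean attribute, a broken one (no schemaIDGUID, and an
# integer syntax paired with the Unicode-string oMSyntax), and a clean class.
SAMPLE_LDIF = """\
dn: CN=exampleMailHost,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: exampleMailHost
lDAPDisplayName: exampleMailHost
attributeID: 1.3.6.1.4.1.99999.1.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
schemaIDGUID:: AAECAwQFBgcICQoLDA0ODw==

dn: CN=exampleMailQuota,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
changetype: add
objectClass: top
objectClass: attributeSchema
cn: exampleMailQuota
lDAPDisplayName: exampleMailQuota
attributeID: 1.3.6.1.4.1.99999.1.2
attributeSyntax: 2.5.5.9
oMSyntax: 64
isSingleValued: TRUE

dn: CN=exampleMailUser,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
changetype: add
objectClass: top
objectClass: classSchema
cn: exampleMailUser
lDAPDisplayName: exampleMailUser
governsID: 1.3.6.1.4.1.99999.2.1
subClassOf: top
objectClassCategory: 3
defaultObjectCategory: CN=exampleMailUser,CN=Schema,
 CN=Configuration,DC=samdom,DC=example,DC=com
schemaIDGUID:: EBESExQVFhcYGRobHB0eHw==
mayContain: exampleMailHost
mayContain: exampleMailQuota
"""

if __name__ == "__main__":
    for p in lint_text(SAMPLE_LDIF):
        print("PROBLEM:", p)
```

Run it on your own LDIF instead of SAMPLE_LDIF and fix every reported problem (generate the missing schemaIDGUID with new_schema_id_guid(), correct the oMSyntax) before importing; if your DC reports a corrupted schema after a partial import, the fix is almost always one of the attributes this script complains about.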
