[Samba] samba4 and (pseudo) LDAP backend for users, groups and rights

Marc Muehlfeld samba at marc-muehlfeld.de
Fri Jun 21 10:40:16 MDT 2013

Hello Marcus,

Am 21.06.2013 17:27, schrieb Marcus Mundt:
> Environment:
> - LDAP-Master-Server with all the information needed
> - mostly Windows XP and Windows 7 Clients
> They should auto mount network drives after login (user, pass and rights from LDAP-Master)
> Here is what I want to achieve:
> An LDAP-Master-Server should be the basis for all users, passwords,
> groups, rights, rights to execute Programs, mails and mounting
> network drives. We are looking for a "single sign on" solution
> based on the LDAP-Master-Server. Our Mail-Server and some other
> services rely on the LDAP-Master. Now Samba should work as ADS
> using the Information stored on the LDAP-Master. Meaning
> getting users, passwords, groups, rights, drives etc. from
> LDAP. Is that even possible? Any ideas?

This is all possible with samba 4 and AD. Set up a DC according to the 
HowTo, do a classicupgrade and then hook up all your services to AD.

I did this in production last September (170 users, 230 workstations, 
and around 25 services getting information from LDAP or authenticating 
against). After some weeks of building a testing environment with 
everything, I did the final switch on a weekend (1.5 days for changing 
and adapting everything). And it's running absolutely great.

> My quick guesses of possible solutions:
> - Samba 4 + Slapd on the same machine. Slapd synced to LDAP-Master
>      - https://wiki.samba.org/index.php/Samba4/beyond#openLDAP_proxy_to_AD
>      - I don't know if I get this one...

The "beyond samba" page is from me. Just let me know, what's unclear. 
Then I will extend the HowTo and improve the descriptions.

The openLDAP proxy is a good way if you have in your internal network 
your ADC and don't want to have a "real" DC in your DMZ for mailserver, 
etc. too. An additional DC would bring you many open ports you mostly 
don't need, etc. That's why I use an openLDAP proxy for that (just one 
service with one open port: 389/tcp).

You have to use the configuration from the HowTo. Then openLDAP doesn't 
use its own database. All requests are forwarded to the DC(s). You can use 
the openLDAP server as usual (I only use it read-only. I don't 
require write-access in LDAP in the DMZ). Also you can use openLDAP ACLs 
to restrict access to attributes, like before, etc. And of course, you 
can authenticate against it (also mentioned on the wiki page).

But the openLDAP proxy doesn't mean that it's only a proxy. You can 
have a different tree of your LDAP pointing to a local database, too. Then 
you can store additional information in LDAP, beside the AD backend.

> - Samba 4 importing an ldif-export of our LDAP-Master, problem: how to sync?

I wouldn't do that. Much workaround stuff, directory ACLs won't be 
synced, etc.

> Questions:
> - What about using "smbd + nmbd" instead of "samba"? What
>   are the drawbacks and what functionalities would we sacrifice?

You need the samba binary, because it provides the AD stuff. If you plan 
to keep your NT4-style domain, then you can just upgrade. Samba 4 
doesn't mean "AD only" and "built-in LDAP only". AD is just "an 
additional feature" of version 4. But AD requires the internal LDAP.

> - Is using samba 3 + LDAP backend a possible solution? We really
>   waited for Samba 4 and are now a bit overwhelmed by
>   the numerous innovations. But we would like to use the most
>   current software.

It depends what you plan to have. If you are happy, you can stay at the 
NT4-style domain together with your openLDAP backend. But then you miss 
all the great improvements of AD (group policies, to manage your 
clients, easy multi-DC environments, etc.). But as already said: Samba 4 
with openLDAP is still possible - but not when you want to have an AD.
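As an added illustration of the proxy arrangement described in the reply above (all requests forwarded to the DC, read-only use, slapd ACLs applied on top, and a separate subtree kept in a local database), here is a hypothetical slapd.conf fragment. It is not the configuration from the wiki HowTo nor from the poster's own deployment; the hostnames, suffix, bind DN, paths and passwords are placeholders, and the schema files for the AD attributes you want to expose are not shown.

```conf
# Added example (not the wiki HowTo's or the poster's config): slapd as a
# read-only proxy in front of Samba AD DCs, plus one locally stored subtree.
# Hostnames, suffixes, DNs, paths and passwords are placeholders.

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
# Schema for the AD attributes you want to expose must be loaded as well (not shown).

moduleload      back_ldap
moduleload      back_mdb

# 1) Subtree kept in slapd's own database, for data that does not live in AD.
#    Declared first: a subordinate database must be defined before the
#    superior database whose suffix contains it.
database        mdb
suffix          "ou=local,dc=example,dc=com"
subordinate
directory       /var/lib/ldap/local
rootdn          "cn=admin,ou=local,dc=example,dc=com"
rootpw          {SSHA}PLACEHOLDER-HASH

# 2) Everything else under dc=example,dc=com is forwarded to the DC(s).
#    No local database is involved; slapd only proxies.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://dc1.example.com ldap://dc2.example.com"
protocol-version 3
chase-referrals no
# A client's bind is forwarded to the DC, so authentication still happens
# against AD; the client's credentials are kept for reconnects and referrals.
rebind-as-user  yes
# Reads from clients that did not bind are sent to the DC as this
# low-privilege placeholder account.
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=example,dc=com"
                credentials="PLACEHOLDER-PASSWORD"
                mode=none
idassert-authzFrom "*"
# Reject every modification through the proxy; the DMZ hosts only read.
readonly        on

# 3) slapd's own ACLs are evaluated for the proxied entries too, so
#    attribute visibility can be restricted per client.
access to attrs=userPassword
        by * none
access to attrs=telephoneNumber,homePhone
        by users read
        by * none
access to *
        by * read
```

Only 389/tcp on the proxy needs to be reachable from the DMZ services; the DCs themselves stay on the internal network, which is the port-exposure point made in the reply.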

