[Samba] samba4 and (pseudo) LDAP backend for users, groups and rights

Marcus Mundt marcus.mundt at forsa.de
Mon Jun 24 02:30:21 MDT 2013

Hello Marc,

first of all thanks for the quick reply. My Samba AD DC was set up quite quickly following the HowTo, good work!

Since we are running low on time and want to stick with our LDAP server, I hope I can set up a file server for WinXP and Win7 with Samba 4 using smbd and nmbd and keep using the LDAP backend. I guess we don't really need the AD stuff for what we want to achieve, right?
I really need to know if it is possible to set up some kind of auto mount for Windows clients. They should mount all of the users' drives while logging in; currently this happens with a script which is run after successfully logging in. The whole users, groups and rights stuff shouldn't be a problem.

> I did this in production last September (170 users, 230 workstations, 
> and around 25 services getting information from LDAP or authenticating 
> against). After some weeks of building a testing environment with 
> everything, I did the final switch on a weekend (1.5 days for changing 
> and adapting everything). And it's running absolutely great.

How did you transfer the information from the (old) LDAP server to the Samba 4 ADS? Or did you separate things, like servers relying on the slapd and other systems communicating with the ADS?

>> My quick guesses of possible solutions:
>> - Samba 4 + Slapd on the same machine. Slapd synced to LDAP-Master
>>      - https://wiki.samba.org/index.php/Samba4/beyond#openLDAP_proxy_to_AD
>>      - I don't know if I get this one...

> The "beyond samba" page is from me. Just let me know, what's unclear. 
> Then I will extend the HowTo and improve the descriptions.

Ok, I thought so. I guess I wished for something like an AD to openLDAP proxy :)

>> - Samba 4 importing an ldif-export of our LDAP-Master, problem: how to sync?

> I wouldn't do that. Much workaround stuff, directory ACLs won't be 
> synced, etc.

Tried it and got an error. Won't do it again...

>> Questions:
>> - What about using "smbd + nmbd" instead of "samba"? What
>>   are the drawbacks and what functionalities would we sacrifice?

> You need the samba binary, because it provides the AD stuff. If you plan 
> to keep your NT4-style domain, then you can just upgrade. Samba 4 
> doesn't mean "AD only" and "built-in LDAP only". AD is just "an 
> additional feature" of version 4. But AD requires the internal LDAP.

As mentioned above, I will now try using Samba 4 but not the samba binary. Now switching back to smbd, nmbd and the LDAP backend. Wish me luck :)

Thanks for your time and explanations!
