[Samba] "passwd program" in samba4

Tomasz D. td at il.pw.edu.pl
Tue May 21 04:59:12 MDT 2013

Hello Marc,

On 5/17/13 4:50 PM, Marc Muehlfeld wrote:
> Hello Tomasz,
> Am 17.05.2013 15:30, schrieb Tomasz D.:
>> We encounter the same problem. For over 10 years we've been using Samba
>> (2,
>> then 3) with OpenLDAP (and then 389 DS) backend. We have perfectly
>> working
>> LDAP environment with replication, well tuned, with many additional
>> attributes and with a lot of non-samba related services (email, mailing
>> list, address book, user specific data). For all that time we had
>> comfortable situation, that the users had to remeber just one password.
>> And now, if I understand the situation correctly, there is no way to keep
>> the password synchronized between Samba4 and external LDAP. I don't need
>> to
>> authenticate samba against external LDAP, but I want to somehow trigger
>> password change in LDAP in case of  changing it in Windows, and
>> vice-versa.
>> And I really think that migration of our well known and fully functional
>> LDAP system, which is the core of our environment, is not the best and
>> proper way. 
> I don't know your environment, so maybe the following doesn't fit for your
> situation.
> Before I moved our production to Samba4 last autumn, we had about 25
> services (postfix, cyrus, apache, addressbooks, etc.) hooked up to our
> openLDAP backend for authentication and as source for information. But for
> all I found great ways to have everything in sambas AD (ldap). And the
> good thing is: I can administrate now everything in ADUC with just one
> tool.
> For the additional attributes (phone, mail, what ever) I wrote a small
> script, that transfers them to AD.
> And for your DMZ (mailserver, etc.) you don't need to have a replicated
> Samba-DC with all it's services. I use an openLDAP proxy for that.
> Most of my experiences and how to set them up, I wrote down here:
> http://wiki.samba.org/index.php/Samba4/beyond
> If you post some information about your environment, maybe there are good
> other ways to bring all your services up to Samba 4.

In my environment (~5000 accounts, over 500 client devices) only relatively
small part (lets say, 20%) relays on Samba. But all authentication issues
relays on LDAP. As I wrote before, we have perfectly working, tuned and well
known dedicated LDAP server, which can be even switched to commercially
supported solution (Red Hat Directory Server). It is developed for years,
scalable, stable as rock, etc. I have tons of scripts that do various LDAP
tasks, I have commercial tools to managing it. Now, migrating
business-critical service to a new product (Samba Internal LDAP), which was
created, so to say, as a side effect (correct me if I'm wrong) and which is
still under development (e.g.: user-defined schemas are still experimental,
as Samba FAQ says) doesn't sounds for me like a good idea.

I'm sure that Samba AD works perfectly for all operations related to SMB/AD
and I'm not agains that. I've read why developers choose that way and I
totally agrees with that. I don't want to push all the Windows attributes in
external LDAP. But also I'd like to let the external LDAP the rest of
authentication/authorisation issues (not related to Windows Auth). In such
scenario, the possibility to synchronise passwords is very important.
Otherwise we are going backwards.

best regards,

View this message in context: http://samba.2283325.n4.nabble.com/passwd-program-in-samba4-tp4647906p4648535.html
Sent from the Samba - General mailing list archive at Nabble.com.

More information about the samba mailing list