[Samba] Samba 4.x binding to an LDAP Server as a standalone server.

Andrew Bartlett abartlet at samba.org
Tue Jun 3 02:42:44 MDT 2014

On Mon, 2014-06-02 at 18:44 +0200, Harry Jede wrote:
> On 18:28:35 wrote steve:
> > On Mon, 2014-06-02 at 18:11 +0200, Harry Jede wrote:
> > > Hi Danilo,
> > > 
> > > > Not supported ?  Really ?
> > > 
> > > Like you, I am a samba user not a samba developer. And yes, you
> > > will not find a description in the current samba wiki nor in the
> > > quite old "Samba 3 Howtos" how to set up a standalone samba server
> > > with ldap as passwd backend.
> > 
> > Not in samba no, but openSUSE have been doing it for years:
> > http://digiplan.eu.org/ldap-samba-howto-v4.html
> Yes, and his samba3 is compiled by redhat? (Samba Version 3.6.9-151.el6)
> Currently we know that he is using openldap at debian. So if he sets 
> loglevel to 256 we may see which filters are used by samba and what the 
> ldap server finds.
> One will see that samba stops the evaluation if username is equal to 
> groupname. A nice exercise. Sure, I have only verified this with 
> packages from sernet and debian/ubuntu. Maybe different behavior on 
> suse, redhat, aix and others.

The 'samba-tool domain classicupgrade' script will indeed halt if the
username is equal to a group name.  Other aspects of the classic DC (and
the use of that code in the standalone server case, as suggested here)
do appear to accidentally work, which is why we had to impose such a
strict test during classicupgrade.

A lot of dubious things are permitted by that code, as it generally was
written to be tolerant (the AD code is written to be strict).

For example, only recent (and I don't know how recent) Samba versions
refused to operate on accounts with mis-matching SIDs.  This is likewise
often discovered only during upgrades.

The only way I can see a series of independent file servers correctly
sharing an LDAP backend is if they actually believe themselves to be
domain controllers (even if not used that way), as that is the supported
way to share a passdb backend. 


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
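
The two conditions named in the message above (a username equal to a group name, and accounts with mismatching SIDs) can be checked in an LDIF export before an upgrade is attempted. This is an added example, not code from the original post or from Samba. The sample entries are constructed, the function names are hypothetical, and both the case-insensitive name comparison and the reading of "mismatching" as "not under the domain SID" are assumptions.

```python
from collections import defaultdict

# Constructed sample export; attribute and class names follow samba.schema.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=org
objectClass: sambaDomain
sambaSID: S-1-5-21-1111-2222-3333

dn: uid=alice,ou=people,dc=example,dc=org
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1111-2222-3333-3000

dn: uid=staff,ou=people,dc=example,dc=org
objectClass: sambaSamAccount
uid: staff
sambaSID: S-1-5-21-9999-8888-7777-3002

dn: cn=Staff,ou=groups,dc=example,dc=org
objectClass: sambaGroupMapping
cn: Staff
sambaSID: S-1-5-21-1111-2222-3333-3001
"""

def parse_ldif(text):
    """Parse plain 'attr: value' LDIF (no base64 values, no folded lines)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry[attr.lower()].append(value)
        entries.append(entry)
    return entries

def audit(entries):
    """Return (names shared by a user and a group, user DNs with a foreign SID)."""
    def has(e, oc):
        return oc in (v.lower() for v in e["objectclass"])
    domain_sid = next(e["sambasid"][0] for e in entries if has(e, "sambadomain"))
    # Assumption: names are compared case-insensitively.
    users = {u.lower() for e in entries if has(e, "sambasamaccount") for u in e["uid"]}
    groups = {g.lower() for e in entries if has(e, "sambagroupmapping") for g in e["cn"]}
    # Assumption: "mismatching" means the SID is not domain SID + "-" + RID.
    foreign = [e["dn"][0] for e in entries if has(e, "sambasamaccount")
               and not any(s.startswith(domain_sid + "-") for s in e["sambasid"])]
    return sorted(users & groups), foreign

if __name__ == "__main__":
    print(audit(parse_ldif(SAMPLE_LDIF)))
```

Group mappings are left out of the SID check because well-known groups legitimately carry SIDs outside the domain prefix.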
