[Samba] Define a rootDN for ldap queries in Samba 4 AD

Sami Chibani sami.chibani at educagri.fr
Tue Dec 5 13:27:27 UTC 2017


Hi Samba Team and users,


My question may seem very simple and possibly the answer is also simple 
(if that's the case I'm sorry in advance), but I've found almost no doc 
about this topic in the wiki.


I'm currently running Samba 4 AD in a test environment, preparing for 
production. Everything is working quite fine, but I'm struggling with 
some configuration:

How (and where) to define a rootDN in order to specify which account 
has the right to make LDAP queries against the Samba 4 AD LDAP database 
(with ldapsearch), whether in read or write access.


On a Samba PDC install running an OpenLDAP backend, it was possible to 
define this in slapd.conf with lines like these:

access to *
     by dn="uid=ldapadmin,ou=users,dc=domain,dc=lan" write

or

rootdn        "uid=ldapadmin,ou=users,dc=domain,dc=lan"


Now that LDAP is internal to Samba, I'm wondering where to put these 
options...

Right now, I can make successful LDAP queries with ldapsearch (both SSL 
and TLS) like this:

ldapsearch -H ldaps://srv-samba.domain.lan:636 -LLL -x -D "DOMAIN\user" -W -b "CN=Users,DC=ensfea,DC=lan" "(&(objectClass=*)(sAMAccountName=*))"

or

ldapsearch -H ldap://srv-samba.domain.lan:389 -ZZ -LLL -x -D "cn=user,cn=users,dc=domain,dc=lan" -W -b "CN=Users,DC=domain,DC=lan" "(&(objectClass=*)(sAMAccountName=*))"


but I'm able to perform those requests successfully with all users (I 
can put any of the users, even non-admin ones, in the -D field) of my 
LDAP database, which is a bad/unwanted situation.


My smb.conf:

[global]
         netbios name = SRV-SAMBA
         realm = DOMAIN.LAN
         workgroup = DOMAIN
         server role = active directory domain controller
         idmap_ldb:use rfc2307 = yes
         interfaces = lo,ens192
         bind interfaces only = yes

         tls enabled  = yes
         tls keyfile  = tls/key.pem
         tls certfile = tls/cert.pem
         tls cafile   = tls/ca.pem

[netlogon]
         path = /var/lib/samba/sysvol/domain.lan/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No



Cheers, Sam
