[Samba] External Authentication

Vex Mage dosmage at gmail.com
Fri Apr 12 18:04:58 UTC 2019

I apologize but that is what I meant by black box. The Samba3 server is our
server. It connects to the LDAP that is out of my control and extends the
users' entries to the Windows desktops.

If it's easier to visualize we're getting LDAP as a service from the
central campus IT department. It is then on us to provide services our
school needs to our students, faculty and staff. They have no concern about
Samba3 or Samba4. We're just using their LDAP server.

Samba4 can't use this LDAP service in AD and I understand the complexities
of the extensions AD has put on to its LDAP; however, without the ability to
auto discover users and groups it's a management burden for me to implement
some form of continuous sync to massage data from the central campus LDAP
to Samba4. I can contrive methods and fortunately Marco has given me a
great lead but it still seems overly complex.

This is why I was looking into auto discovery / auto creation of users and
groups via an external authentication request. At least then the users
would exist if they successfully authenticated. Obviously that's not a
completely reasonable solution either.

Another contrived solution I've been mulling around is using the meta
backend in OpenLDAP and creating a combined view of Samba4 with central
campus LDAP. The issue here is that I don't yet know whether OpenLDAP would
be able to query Samba4, stitch together the output of the LDAP servers,
let alone configure Samba4 to use it instead of directly connecting to its

The final solution I can figure is to set up Windows desktops joined to Samba4
with a trust to FreeIPA and a replication mechanism between FreeIPA and
campus LDAP. At my previous employer I have already got Windows to
authenticate through to FreeIPA but that still leaves me with the FreeIPA
to LDAP conundrum.

On Fri, Apr 12, 2019 at 10:18 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Fri, 12 Apr 2019 09:51:44 -0700
> Vex Mage <dosmage at gmail.com> wrote:
> > Even if I am still thinking in the past it doesn't invalidate the
> > problem I came here to get guidance on. Instead I just get talked
> > down to by some or others don't even read the situation I'm trying to
> > solve.
> >
> > I don't need it to work like it used to in the NT4 sense. I don't
> > need to use NT4 protocols. I'm just in need of not having Samba4
> > write in all of its documentation that forklift replacing your
> > central authentication server is the only way to move forward. Wasn't
> > the design goal to make it compatible in a Unix environment in the
> > first place?
> >
> > How am I holding back Samba? I have a central LDAP server I have no
> > control over
> That is the first time you have said that, I thought you had total
> control over the entire system.
> You need to bring to the attention of whoever does have control over
> the ldap Samba3 server, that it is insecure and unsupported and if they
> don't do something about it and they get hit by malware, it will be
> their fault.
> > but yet Samba4 requires me to replace it.
> No it doesn't, you can use Samba4 just like you use Samba3, but it
> might stop working at any time because Windows changes something.
> > I can see how
> > most of Samba's niche markets can do that but we can't.
> >
> > AD is absolutely fine. Most of the other schools on our campus have
> > moved away from Samba to Windows AD or decided to drop authentication
> > altogether because it was easier to do so. Honestly, I don't think
> > you're not listening.
> If you want a secure system, you have to use secure software, this
> generally means recent software.
> Rowland