[Samba] AD authentication with separate LDAP authorization

Kris Lou klou at themusiclink.net
Tue Jun 11 19:30:43 UTC 2019


Shooting in the dark, but:

 idmap config * : ldap_user_dn = uid=samba,ou=agents,dc=mydomain,dc=com


Is this correct?  And do you have credentials stored to access the LDAP
directory?

Kris Lou
klou at themusiclink.net


On Tue, Jun 11, 2019 at 10:40 AM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 11/06/2019 17:48, Ryan via samba wrote:
> > Hi all,
> >
> > SHORT VERSION
> > How can I configure Samba 4.8.0 serving users on Windows 7 clients to
> > authenticate using their domain login credentials (winbindd and Active
> > Directory) but be authorized (i.e. perform user/group lookup) against
> > a separate OpenLDAP server?
> >
> > This was easy in previous versions of Samba with the fallback
> > mechanism (
> > https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP).
> > It seems to be more complicated once winbind must be involved.
> >
> > LONG VERSION
> > It seems like SSSD, and people bringing it up, isn't very popular on
> > the lists.
> It's not that it isn't popular, it is that Samba cannot support it
> because Samba does not produce it. If you want to use sssd, then you
> can, but Samba cannot give you support with any problems you may have.
> > Despite its mention below, I am happy with a solution that
> > involves it or not, and I can work out how to modify it after I get
> > something working via any other method.
> >
> > We have a CentOS 7 machine that needs to share files with Windows 7
> > machines in an Active Directory domain (that I do not control) for
> > users in the EXAMPLE.COM domain but perform user/group lookup against
> > a separate OpenLDAP server (that I do control) at ldap.mydomain.com.
> > With current versions of CentOS 7, as of Samba 4.8.0, the winbindd
> > fallback is no longer available and winbindd is required.
> >
> > So we do the following:
> >
> > - open firewall port 445 (but for testing, systemctl stop firewalld)
> > - set SELinux Booleans for sharing home directories (but for testing,
> > setenforce 0)
> > - add trust for the certificate authority that certified
> > ldap.mydomain.com (tested and LDAP lookups are functional on the
> > system)
> > - install packages samba, samba-client, samba-winbind,
> > samba-winbind-clients, and samba-winbind-krb5-locator
> > - net ads join -U 'user' (the domain allows non-admin creation of
> > machine accounts; net ads testjoin returns 'Join is OK')
> > - authconfig --enablesssd --enablesssdauth --disablemkhomedir --update
> As you can join the machine to your AD domain, have you considered the
> winbind 'rid' backend ?
>
> Rowland
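As an added, constructed illustration (not from this thread or from the Samba project), this is what a complete idmap_ldap block for the default (*) domain looks like around the ldap_user_dn line suggested above; the ldap_url, ldap_base_dn and range values are assumptions, and the net(8) subcommand for storing the bind password is as documented for idmap_ldap but should be checked against the installed Samba version.

```ini
; smb.conf fragment (constructed example): idmap_ldap backend for the
; default (*) domain, keeping the ldap_user_dn suggested in the reply above.
[global]
    ; Backend that stores SID <-> uid/gid mappings in an LDAP directory.
    idmap config * : backend = ldap
    ; Allocation range for new mappings; must not overlap other idmap ranges.
    idmap config * : range = 10000-999999
    ; URL and base DN are assumptions for this example. Use ldaps:// so the
    ; bind credential is never sent in the clear (the CA trust added on the
    ; host, as described in the original question, is what makes this work).
    idmap config * : ldap_url = ldaps://ldap.mydomain.com
    idmap config * : ldap_base_dn = ou=idmap,dc=mydomain,dc=com
    ; Bind DN winbind uses against the directory. Its password is NOT written
    ; into smb.conf; it lives in secrets.tdb and is stored with (assumed form):
    ;   net idmap set secret '*' 'the-bind-password'
    ; Until that secret is stored, lookups through this backend fail to bind.
    idmap config * : ldap_user_dn = uid=samba,ou=agents,dc=mydomain,dc=com
```

After editing, run `testparm` to validate the fragment, then restart winbind and check `wbinfo -u` / `wbinfo -g` to confirm the backend is answering.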