[Samba] AD authentication with separate LDAP authorization

Ryan rlichtenwalter at gmail.com
Wed Jun 12 03:22:56 UTC 2019


>
> Shooting in the dark, but:
>
>  idmap config * : ldap_user_dn = uid=samba,ou=agents,dc=mydomain,dc=com
>
>
> Is this correct?  And do you have credentials stored to access the LDAP
> directory?
>

Yes and yes. The credentials and authentication process to the LDAP server
are working correctly as verified positively by the log files.


>
> Kris Lou
> klou at themusiclink.net
>
>
> On Tue, Jun 11, 2019 at 10:40 AM Rowland penny via samba <
> samba at lists.samba.org> wrote:
>
> > On 11/06/2019 17:48, Ryan via samba wrote:
> > > Hi all,
> > >
> > > SHORT VERSION
> > > How can I configure Samba 4.8.0 serving users on Windows 7 clients to
> > > authenticate using their domain login credentials (winbindd and Active
> > > Directory) but be authorized (i.e. perform user/group lookup) against
> > > a separate OpenLDAP server?
> > >
> > > This was easy in previous versions of Samba with the fallback
> > > mechanism (
> > https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP).
> > > It seems to be more complicated once winbind must be involved.
> > >
> > > LONG VERSION
> > > It seems like SSSD, and people bringing it up, isn't very popular on
> > > the lists.
> > It's not that it isn't popular, it is that Samba cannot support it
> > because Samba does not produce it. If you want to use sssd, then you
> > can, but Samba cannot give you support with any problems you may have.
> > > Despite its mention below, I am happy with a solution that
> > > involves it or not, and I can work out how to modify it after I get
> > > something working via any other method.
> > >
> > > We have a CentOS 7 machine that needs to share files with Windows 7
> > > machines in an Active Directory domain (that I do not control) for
> > > users in the EXAMPLE.COM domain but perform user/group lookup against
> > > a separate OpenLDAP server (that I do control) at ldap.mydomain.com.
> > > With current versions of CentOS 7, as of Samba 4.8.0, the winbindd
> > > fallback is no longer available and winbindd is required.
> > >
> > > So we do the following:
> > >
> > > - open firewall port 445 (but for testing, systemctl stop firewalld)
> > > - set SELinux Booleans for sharing home directories (but for testing,
> > > setenforce 0)
> > > - add trust for the certificate authority that certified
> > > ldap.mydomain.com (tested and LDAP lookups are functional on the
> > > system)
> > > - install packages samba, samba-client, samba-winbind,
> > > samba-winbind-clients, and samba-winbind-krb5-locator
> > > - net ads join -U 'user' (the domain allows non-admin creation of
> > > machine accounts; net ads testjoin returns 'Join is OK')
> > > - authconfig --enablesssd --enablesssdauth --disablemkhomedir --update
> > As you can join the machine to your AD domain, have you considered the
> > winbind 'rid' backend ?
>

I am not aware of it or how it can help to solve this problem. Is there any
resource you can point to online that details how to use this "rid" backend
to do split authentication and authorization with an AD server and a
separate LDAP server? I will look into it myself, of course, but I have a
sad 16 hours sunk into trying to make this work with our CentOS 7 upgrade
and would appreciate any pointers.


> >
> > Rowland
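As an added illustration that is not part of the thread, a minimal smb.conf sketch of the two idmap backends the replies mention: the ldap backend that Kris Lou's `ldap_user_dn` line implies (default `*` domain), and the rid backend Rowland suggests for the joined domain. The realm, workgroup, ranges, the `ou=idmap` base DN and the template lines are assumptions; the two backends are shown together only to contrast them.

```ini
[global]
   # AD domain the CentOS box is joined to (names from the thread)
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
   kerberos method = secrets and keytab

   # Default backend, as Kris Lou's ldap_user_dn line implies: idmap_ldap
   # stores SID <-> uid/gid mappings in the OpenLDAP directory. The bind
   # password is never written here; it is stored in secrets.tdb with
   #   net idmap set secret '*' '<bind password>'
   # ('*' being the domain name used in the idmap config lines below).
   idmap config * : backend = ldap
   idmap config * : range = 3000-7999
   idmap config * : ldap_url = ldaps://ldap.mydomain.com
   idmap config * : ldap_base_dn = ou=idmap,dc=mydomain,dc=com
   idmap config * : ldap_user_dn = uid=samba,ou=agents,dc=mydomain,dc=com

   # Alternative Rowland raises for the joined domain: idmap_rid derives
   # uid/gid arithmetically from the SID's RID, so it needs no directory
   # credentials, but it also performs no lookup against OpenLDAP.
   # Its range must not overlap the default range above.
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999

   # Shell and home directory supplied by winbind when the backend has none
   template shell = /bin/bash
   template homedir = /home/%D/%U
   winbind use default domain = no
```

After editing, `testparm` validates the file and `wbinfo -i EXAMPLE\\someuser` shows which uid the configured backend hands out.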

