[Samba] stand-alone server with ldap-auth without AD
lists at zxt10d.de
lists at zxt10d.de
Fri Mar 25 07:06:26 UTC 2022
@All
Thank you very much for your comments! :)
Maybe I have to set-up a samba AD DC ...
Is it possible to "import" data from an openldap-proxy?
Cheers,
Torsten
Am 23.03.22 um 21:39 schrieb Andrew Bartlett via samba:
> On Wed, 2022-03-23 at 17:02 +0000, Rowland Penny via samba wrote:
>> On Wed, 2022-03-23 at 12:53 -0400, Gaiseric Vandal via samba wrote:
>>> You need to have an account on the LDAP server that samba can use
>>> to
>>> read user information including the Windows password field.
>>> Then
>>> you need to configure smb.conf with the server name, the search
>>> path,
>>> the ldap name and password.
>>>
>>> I think what is going to be a problem is that the "NT4" Windows
>>> password
>>> requires a separate password field than the regular LDAP password,
>>> and
>>> keeping the 2 in sync will be a challenge. The client machines
>>> will
>>> be sending a hash of the user password to the server (rather than
>>> "plaintext" password over TLS.) In fact the schema on the
>>> LDAP
>>> server may need to be extended.
>>
>> If a new NT4-style machine is being set up, you should be aware that
>> they rely on SMBv1 and this is going away. You could end up within a
>> year or two having to upgrade again or use an older version of Samba.
>
> Even for the standalone server case, using LDAP as a passdb backend for
> a single fileserver and keeping things in sync with the smbk5pwd
> overlay or Samba's ldap password sync, just be aware that this relies
> on the pdb_ldap backend.
>
> The historical purpose for pdb_ldap was the NT4 DC, and while we
> haven't any particular plans to remove this (we know folks use it even
> when not doing an NT4 domain) just be aware that with less use there is
> even less ongoing maintenance. pdb_ldap is also not tested in
> selftest.
>
> Andrew Bartlett
>
More information about the samba
mailing list