[Samba] stand-alone server with ldap-auth without AD
Angel Bosch Mora
abosch at imasmallorca.net
Fri Mar 25 09:45:48 UTC 2022
> @All
> Thank you very much for your comments! :)
>
>
> Maybe I have to set-up a samba AD DC ...
> Is it possible to "import" data from an openldap-proxy?
>
let me jump here.
LDAP-SAMBA sincronization has always been a big topic since forever.
there's no "clean" way to do it, even when on NT4 mode (some internal work is done for nt hashes).
I've been struggling with this for a long time and best advice is use a tool that replicates passwords between these two worlds, just as it was another (read unintegrated) system.
we use some custom scripts and a SSO to keep everything in sync, but if you manually change it on samba there's no way for LDAP to know it, and the same for the other way around.
UNLESS you centralize password change and propagate it to all systems. that's the job of a SSO/Identity Manager and is not trivial.
I'd really love to see some work done on the Samba side, as it's a pretty common request, but it seems that feature falls off the roadmap as Samba 4 is not trying to emulate AD but efectively become AD.
Oh, and now I see you're german, maybe you can ask people from Uninvention to make their s4 connector a generic tool, instead of tied to their product: https://www.univention.com/contact/
regards,
abosch
-- Institut Mallorqui d'Afers Socials. Aquest missatge, i si escau, qualsevol fitxer annex, es dirigeix exclusivament a la persona que n'es destinataria i pot contenir informacio confidencial. En cap cas no heu de copiar aquest missatge ni lliurar-lo a terceres persones sense permis expres de l'IMAS. Si no sou la persona destinataria que s'hi indica (o la responsable de lliurar-l'hi) us demanam que ho notifiqueu immediatament a l'adreca electronica de la persona remitent. Abans d'imprimir aquest missatge, pensau si es realment necessari.
More information about the samba
mailing list