[Samba] Samba Config from LDAP / with CTDB

Andrew Bartlett abartlet at samba.org
Mon May 16 08:40:10 UTC 2022

On Wed, 2022-05-11 at 11:18 +0200, Tobias Hachmer via samba wrote:
> Hello,
> Am 4/13/22 um 12:15 schrieb Tobias Hachmer via samba:
> > Am 4/12/22 um 15:43 schrieb Ralph Boehme via samba:
> > > On 4/12/22 11:20, Tobias Hachmer via samba wrote:
> > > > I'm quite new to Samba, especially advanced stuff. We have a single
> > > > standalone Samba server with user auth against (Open)LDAP (passdb
> > > > backend) and organizing all shares within the smb.conf.
> > > 
> > > the LDAP passdb backend has pretty much fallen out of favor and only
> > > very few are still using this kind of setup. Therefore I highly
> > > recommend looking into joining the fileservers to AD, possibly Samba 4
> > > AD with password replication to an LDAP server.
> What are the reasons not to use LDAP passdb backend on a standalone
> server?
> As mentioned before we want to avoid setting up a full Samba 4 AD just
> for file service purposes. We have had an OpenLDAP infrastructure up and
> running for years.

So, as others have mentioned, the risk here is that the parts you want
to use, while not being actively removed yet, were built in support of
things that are going away, or are not actually part of Samba.

For example, it is actually FreeIPA that is the primary consumer of the
LDAP password backend (pdb_ldap) as it uses some of the same parts.

The ability to run a single server against an LDAP backend happened
almost entirely by accident, and while used by some, it certainly would
be a rare configuration.  In fact where I do see this I suggest running
the file servers as un-announced NT4-style/classic DCs, because at
least that allows more than one fileserver. 

Which brings us to the point that inside the Samba codebase it is
the NT4 DC that justified this feature, and this will go away at some
point, so best to stop trying to be a unicorn and run an AD DC.  At
least then someone will be able to assist when you need help.

I personally think that if FreeIPA stopped needing the NT4 DC / LDAP
backend components, we might lower the boom fairly fast on this, just
so we are not spread out too thin.  Or worse, we don't notice until a
release that it is busted as the LDAP backend is untested.


Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
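As an added illustration of the configuration Andrew contrasts with the poster's standalone setup (this is not from the original message or from the Samba project; the LDAP host, base DN, bind DN, workgroup name and share path are assumptions), the fragment below keeps the same ldapsam passdb backend but switches the server role from "standalone server" to the classic (NT4-style) primary domain controller role, which is what allows additional file servers to join the domain and share the LDAP-held accounts. The lines that differ from a standalone ldapsam configuration are marked.

```ini
# Constructed example, not the original poster's smb.conf.
# Same LDAP passdb backend as a standalone server, but in the classic DC role.
[global]
    workgroup = EXAMPLE                               ; assumption
    netbios name = FS1                                ; assumption

    ; Differs from the standalone setup: "standalone server" becomes the
    ; NT4-style DC role so member file servers can join this domain.
    server role = classic primary domain controller

    ; Accounts stay in OpenLDAP, exactly as with the standalone server.
    passdb backend = ldapsam:ldap://ldap.example.org  ; assumed host
    ldap suffix = dc=example,dc=org                   ; assumed base DN
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers                ; needed once members join
    ldap admin dn = cn=samba,dc=example,dc=org        ; assumed bind DN

    ; Do not send the bind DN's password in clear text to the LDAP server.
    ldap ssl = start tls

    ; Only the domain's own password policy should be authoritative.
    map to guest = Never

[data]
    path = /srv/samba/data                            ; assumption
    read only = no
    valid users = @"EXAMPLE\Domain Users"
```

The bind password is deliberately absent from the file: it is stored in secrets.tdb with `smbpasswd -w <password>`, after which `testparm -s` confirms the file parses and reports the resulting server role. A second file server then uses `server role = member server` and joins with `net rpc join`, which is the "more than one fileserver" case the standalone role cannot provide. Note that this preserves the dependency on the NT4 DC code path the message describes as slated to go away, so it is a stopgap, not an alternative to the AD DC recommendation.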
