[Samba] Status of LDAPS port 636 with Winbind idmap backend ad in 2024?

Kuhring, Mathias mathias.kuhring at bih-charite.de
Mon Apr 15 08:02:51 UTC 2024


Dear Samba community,

We run two Samba servers in a CTDB cluster in a small group within a bigger company.
We use Winbind to authenticate and authorize against a company-wide Active Directory
(using `security = ads` and `idmap config OURDOMAIN : backend = ad`, resp., among others).
So, if I understand this correctly, authentication is done via Kerberos and authorization via LDAP.
Unfortunately (but understandably), our central IT department recently disabled standard LDAP (port 389) in favour of LDAPS (port 636).
Since then, I can only authenticate users (e.g. `wbinfo -u` and `wbinfo -a someuser` work),
but not further authorize them (e.g. `wbinfo -g`, `wbinfo --user-info someuser`, `wbinfo -S somesid` or `id someuser` fail or give no output).
Consequently, users cannot mount their Samba shares anymore.
And so far I have not been able to make Winbind work correctly again.

According to several older discussions and documentation, LDAPS on port 636 is not supported for the ad idmap backend, e.g.:
https://lists.samba.org/archive/samba/2011-July/163473.html
https://docs.citrix.com/de-de/linux-virtual-delivery-agent/current-release/configure/administration/others/ldaps.html#winbind
https://community.spiceworks.com/t/sssd-and-winbind-to-use-ssl-port-636-as-ms-doing-away-with-389/748554/5
https://access.redhat.com/solutions/157603

Is this still the case?
I can't seem to find recent documentation or discussions which state otherwise.
(e.g. there is no mention of LDAPS/TLS/SSL on the ad idmap config page: https://wiki.samba.org/index.php/Idmap_config_ad)

I played around with parameters such as `ldap ssl = start tls` and `client ldap sasl wrapping = seal` (instead of the deprecated `ldap ssl ads = yes`).
But if I understand correctly, these parameters are limited to Start TLS on port 389.

I deployed certificates correctly on the system (`/usr/bin/update-ca-trust`),
as I can confirm independently of Samba/Winbind with ldapsearch, e.g.:
`ldapsearch -x -H ldaps://controller.domain.com:636 -D "someuser@ourdomain.com" -W -b "dc=ourdomain,dc=com" "(cn=*somename*)"`

There are parameters to activate LDAPS on a Samba server which acts as an AD DC:
https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
Then there should also be parameters for a Samba+Winbind server acting as a client of this AD, no?

As alternatives, I also tried the ldap and rid idmap backends (configs below).
But neither resulted in working authorization (i.e. neither was able to provide group memberships).
I don't understand if the ldap backend is actually supposed to also work with an AD LDAP or just with a Samba-provided LDAP.
And I would assume that rid is no proper replacement for ad anyway, since I wouldn't be able to reproduce the same GIDs as provided by the AD.

I also tried different cache cleanings in between, without any change. 

So, are there any (new) parameters I'm missing here that make Winbind / idmap backend ad work with LDAPS (port 636)?
Are there any (other) workarounds which should work? Did I make obvious mistakes with my workaround?
I'm also considering using SSSD instead of Winbind,
but I think I remember reading that it is also not really supported/recommended with Samba.

ADs disabling standard LDAP (port 389) in favour of LDAPS (port 636) seem to become more and more common.
Hence, the fact that there is so little information/documentation about this for Samba/Winbind seems odd to me.

Any help to make this working again is appreciated.
Thank you very much in advance,

Best Wishes,
Mathias


ldap backend config:
```
idmap config OURDOMAIN : backend = ldap
idmap config OURDOMAIN : read only = yes
idmap config OURDOMAIN : ldap_url = ldaps://controller.ourdomain.com:636
idmap config OURDOMAIN : ldap_user_dn = someuserdn
idmap config OURDOMAIN : ldap_base_dn = somebasedn
idmap config OURDOMAIN : range = 100000 - 199999
ldap ssl = off
```

Plus:
```
net idmap set secret ourdomain <secret>
```
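The post leaves open what "disabled standard LDAP on port 389" actually means on the wire: the port closed, or open but refusing to upgrade the connection. Those are different situations for the `ldap ssl = start tls` setting the post tried (StartTLS is an in-band upgrade of a plain port-389 connection) versus LDAPS on 636 (TLS from the first byte, which the `ldapsearch -H ldaps://` run already confirmed). The following probe is an added example, not code from the original post, from Samba, or from the domain controller's vendor; it hand-encodes the RFC 4511 StartTLS extended request so it needs nothing but the Python standard library, and the host name is an assumed placeholder taken from the post's config.

```python
"""Probe which LDAP transport security a domain controller offers (added example).

Not from the original post or from Samba. Three independent checks:
  1. is TCP/389 reachable at all,
  2. does a StartTLS extended request on 389 succeed (what `ldap ssl = start tls` relies on),
  3. does TCP/636 complete a TLS handshake (LDAPS, what `ldapsearch -H ldaps://` used).
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

# RFC 4511 resultCode values this probe is likely to see
RESULT_NAMES = {0: "success", 1: "operationsError", 2: "protocolError",
                52: "unavailable", 53: "unwillingToPerform"}


def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))      # 0x60|23, [0] primitive
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ext_req)


def ber_read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                                          # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg: bytes):
    """Decode ExtendedResponse [APPLICATION 24]; return (message_id, result_code, diagnostic)."""
    tag, body, _ = ber_read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = ber_read_tlv(body)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, resp, _ = ber_read_tlv(body, pos)
    if tag != 0x78:                                           # 0x60|24
        raise ValueError("protocolOp is not ExtendedResponse (tag 0x%02x)" % tag)
    _, code, pos = ber_read_tlv(resp)                         # resultCode ENUMERATED
    _, _matched_dn, pos = ber_read_tlv(resp, pos)             # matchedDN LDAPDN
    _, diag, _ = ber_read_tlv(resp, pos)                      # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed connection")
        data += chunk
    return data


def recv_ber_message(sock: socket.socket) -> bytes:
    """Read exactly one BER TLV off the socket, whatever its length form."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        head += _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)


def probe_starttls(host: str, port: int = 389, timeout: float = 5.0) -> str:
    ctx = ssl.create_default_context()                        # verifies against the system CA store
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_starttls_request())
            _, code, diag = parse_extended_response(recv_ber_message(s))
            if code != 0:
                return "starttls refused: %s (%d) %s" % (RESULT_NAMES.get(code, "?"), code, diag)
            with ctx.wrap_socket(s, server_hostname=host) as tls:
                return "starttls ok: %s" % tls.version()
    except (OSError, ValueError, IndexError) as e:            # closed port, timeout, TLS or decode error
        return "port %d: %s" % (port, e)


def probe_ldaps(host: str, port: int = 636, timeout: float = 5.0) -> str:
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s, \
                ctx.wrap_socket(s, server_hostname=host) as tls:
            return "ldaps ok: %s" % tls.version()
    except OSError as e:
        return "port %d: %s" % (port, e)


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "controller.ourdomain.com"   # placeholder from the post
    print(probe_starttls(dc))
    print(probe_ldaps(dc))
```

Run it as `python3 probe.py controller.ourdomain.com`. A "port 389: ... refused" line means the port itself is closed, so nothing that talks plain LDAP on 389 first can work; "starttls refused: unwillingToPerform (53)" means 389 is open but the upgrade is rejected; "starttls ok" means the StartTLS path the post was experimenting with is at least available at the transport level. Both probes use the system CA store, so they also re-check the `update-ca-trust` deployment the post mentions.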

