[Samba] MacOS and Linux file sharing: full AD or simple server?
Rowland Penny
rpenny at samba.org
Mon Nov 25 16:45:35 UTC 2024
On Mon, 25 Nov 2024 17:06:18 +0100
Valentijn Sessink via samba <samba at lists.samba.org> wrote:
> Hi list,
>
> Question: what are pros and cons for the following setups:
> - current setup: using OpenLDAP for users, Samba for file sharing
> - Using Samba for both (do I *need* it to be an AD? Or is it possible
> to just use the LDAP infrastructure without the AD stuff?)
> - Using a passwd/shadow infrastructure and just use Samba for file
> sharing.
>
> Background:
> I'm currently running Samba (4.15.13) with a separate LDAP daemon
> (OpenLDAP) for a small network that consists of MacOS and Linux
> clients. The setup has been running, with several upgrades, since
> about 2007 or so, hence the separate Samba/OpenLDAP setup. There are
> about 15 active users. (It's OpenLDAP running on the same server,
> hence the "daemon" terminology - it's not a separate server machine).
>
> An excerpt from my current smb.conf file:
> workgroup = customername
> passdb backend = ldapsam:ldap://127.0.0.1/
> ldap admin dn = cn=admin,dc=office,dc=customername,dc=nl
> ldap ssl = off
> ldap suffix = dc=office,dc=customername,dc=nl
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
> ldap machine suffix = ou=Computers
> unix extensions = yes
> security = user
> ldap password sync = yes
>
> Now I'm planning to upgrade the network and services.
>
> As there won't be any Windows machines, all the AD funny stuff (group
> policies and whatnot) is superfluous.
>
> However, I do need a user database.
>
> Now I'm not sure how to proceed. Should I just migrate OpenLDAP and
> its DB, migrate Samba too, and call it a day? Or is there any
> advantage to start using the AD backend of Samba to store the LDAP
> stuff? The disadvantage I'm seeing is that AD is primarily a
> Microsoft thing and I don't have any of the MS tooling (adding users
> etc etc) without a Microsoft OS.
>
> I could also stop using OpenLDAP and just setup local users. Would
> work, too.
>
> As a side note: I *do* have some weird problems where smbstatus will
> show "auth in progress" and freeze, once in a while (see mailing list
> message 2021-12-29 13:50), to which a few users mentioned that
> running a separate OpenLDAP was rather uncommon... :-/ - although I'm
> afraid my setup will still be rather uncommon after switching to a
> full AD without any windows machines connecting to it.
>
> Best regards,
>
> Valentijn
>
Your major problem is that the old NT4-style domains (which is what you
appear to be running) rely on SMBv1 and this is now turned off by
default because it is very insecure. There was a recent report that the
latest Windows 11 has broken NetBIOS again, not sure when or if they
will fix it, but this doesn't seem to be relevant to you.
Eventually SMBv1 will be removed, in fact you can already build Samba
without it, so you shouldn't rely on anything that needs SMBv1.
I think your best plan would be to upgrade your existing setup to AD,
you don't need to use GPOs and your setup is probably more common than
you think, my only Windows machines are VMs to test things, everything
else is Linux.
You could probably upgrade your existing setup to AD, but for such a
small group of users, you are probably better off starting with a new
AD domain, this way you can leave all the old ways behind (such as
possibly having the same local users and domain users, IDs starting at
1000, etc). The one thing I always say, forget most of what you have
learnt about NT4-style domains, AD is different and better.
I now await your questions :-)
Rowland
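The two security points raised in this thread, that an ldapsam/NT4-style setup is tied to SMBv1 and that "ldap ssl = off" only makes sense when the directory is reached over loopback, can be checked mechanically before deciding on a migration. The script below is an added example written for this page, not code from Samba or from either poster. It parses the INI-style smb.conf format and audits a constructed [global] section modelled on the excerpt quoted above; the hostnames used in the test variants are placeholders.

```python
"""Audit an smb.conf excerpt for the settings discussed in this thread.

Constructed example; not Samba project code. Samba matches parameter
names case-insensitively and ignores embedded whitespace, so the parser
normalises keys the same way before looking them up.
"""
import re
from urllib.parse import urlsplit

# Constructed [global] section, modelled on the excerpt quoted in the thread.
SAMPLE_CONF = """
[global]
   workgroup = customername
   passdb backend = ldapsam:ldap://127.0.0.1/
   ldap admin dn = cn=admin,dc=office,dc=customername,dc=nl
   ldap ssl = off
   ldap suffix = dc=office,dc=customername,dc=nl
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   unix extensions = yes
   security = user
   ldap password sync = yes
"""

# Dialect names that, used as 'server min protocol', keep SMBv1 enabled.
SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}


def normalize(name: str) -> str:
    """'LDAP  SSL' -> 'ldapssl' (Samba's own parameter-name matching rule)."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text: str) -> dict:
    """Return {section: {normalized_key: value}}; keys before any header go to [global]."""
    sections = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line:                       # not a parameter line
            continue
        key, value = line.split("=", 1)
        sections[current][normalize(key)] = value.strip()
    return sections


def ldap_urls(backend: str) -> list:
    """'ldapsam:ldap://a/ ldap://b/' -> ['ldap://a/', 'ldap://b/']."""
    return backend.partition(":")[2].split()


def is_local(url: str) -> bool:
    """True for an ldapi:// unix socket or a loopback host."""
    parts = urlsplit(url)
    if parts.scheme == "ldapi":
        return True
    return parts.hostname in ("127.0.0.1", "::1", "localhost")


def audit(conf: dict) -> list:
    """Return a list of (severity, message) findings for the [global] section."""
    g = conf.get("global", {})
    findings = []
    backend = g.get("passdbbackend", "tdbsam")
    if backend.startswith("ldapsam"):
        findings.append(("info", "passdb backend = ldapsam: classic NT4-style "
                                 "backend, the setup the thread advises moving away from"))
        remote = [u for u in ldap_urls(backend) if not is_local(u)]
        if g.get("ldapssl", "").lower() == "off":
            if remote:
                findings.append(("high", "ldap ssl = off with non-local LDAP URL(s) "
                                         + ", ".join(remote)
                                         + ": directory binds travel unencrypted"))
            else:
                findings.append(("low", "ldap ssl = off, but every LDAP URL is local "
                                        "(loopback or ldapi)"))
    minproto = g.get("serverminprotocol")
    if minproto is None:
        findings.append(("info", "server min protocol not set; confirm the effective "
                                 "default with 'testparm -v'"))
    elif minproto.lower() in SMB1_DIALECTS:
        findings.append(("high", "server min protocol = %s explicitly keeps SMBv1 "
                                 "available" % minproto))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_smb_conf(SAMPLE_CONF)):
        print("[%s] %s" % (severity, message))
```

Run against the sample, the audit reports the ldapsam backend, rates "ldap ssl = off" as low because the only LDAP URL is loopback, and asks for an explicit check of "server min protocol". Pointing the same backend at a remote LDAP host, or adding "server min protocol = NT1", turns those into high findings.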