[Samba] MacOS and Linux file sharing: full AD or simple server?

Hoefle, Marco (Avnet Silica) Marco.Hoefle at avnet.eu
Tue Nov 26 09:18:48 UTC 2024


Hi Valentijn,
I think it is easiest to run a Samba Domain Controller.
You have the user management and the LDAP server integrated.

The steps are not that complex due to the provisioning feature:
samba-tool domain provision --use-rfc2307 --domain=${URDOMAIN} --realm=${UDOMAIN} --server-role=dc --dns-backend="${DNS_BACKEND}" --adminpass="${ADMIN_PASS}" --host-ip=$HOST_IP

This creates the domain controller smb.conf for you, which you can adapt, and the database is created too.
Afterwards you can add users and groups.

But this is my personal taste.

Best regards,
Marco
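
As an added example (not code from either message in this thread), a script that wraps the provisioning command quoted above and then carries out the "add users and groups" step with RFC2307 Unix attributes, which is what Linux and macOS clients need for stable uid/gid ownership. Realm, NetBIOS name, IP address, group and user names are constructed placeholders; the samba-tool options are real ones.

```shell
#!/bin/sh
# Added example (not from the thread): provision a Samba AD DC as the reply
# sketches, then add a POSIX-aware group and user for Linux/macOS clients.
# Realm, NetBIOS name, IP, group and user names below are constructed.
set -eu

UDOMAIN="OFFICE.CUSTOMERNAME.NL"   # Kerberos realm = DNS domain, upper case
URDOMAIN="OFFICE"                  # NetBIOS short name, max 15 characters
DNS_BACKEND="SAMBA_INTERNAL"       # or BIND9_DLZ when BIND is the resolver
HOST_IP="192.0.2.10"               # documentation-range placeholder
ADMIN_PASS="${ADMIN_PASS:-Change-Me-Please-1}"

# Return 0 when the provisioning inputs are consistent; a typo here yields a
# DC with a realm nobody can join, so check before running samba-tool.
check_inputs() {
    realm=$1 nb=$2 backend=$3
    printf '%s\n' "$realm" | grep -Eq '^[A-Z0-9-]+(\.[A-Z0-9-]+)+$' || return 1
    printf '%s\n' "$nb" | grep -Eq '^[A-Z0-9-]{1,15}$' || return 1
    case "$backend" in SAMBA_INTERNAL|BIND9_DLZ) return 0 ;; *) return 1 ;; esac
}

provision_dc() {
    check_inputs "$UDOMAIN" "$URDOMAIN" "$DNS_BACKEND" || {
        echo "inconsistent realm/domain/backend" >&2; return 1; }
    # --use-rfc2307 loads the NIS schema so uidNumber/gidNumber/loginShell
    # can live in AD and be read by idmap_ad on Linux and by macOS binding.
    samba-tool domain provision --use-rfc2307 --domain="$URDOMAIN" \
        --realm="$UDOMAIN" --server-role=dc --dns-backend="$DNS_BACKEND" \
        --adminpass="$ADMIN_PASS" --host-ip="$HOST_IP"
}

# One group and one user with fixed uid/gid, so home directories on the
# file server keep stable ownership across clients.
add_posix_accounts() {
    nis=$(printf '%s' "$URDOMAIN" | tr 'A-Z' 'a-z')
    samba-tool group add staff --gid-number=10000 --nis-domain="$nis"
    samba-tool user create jdoe --random-password --uid-number=10001 \
        --gid-number=10000 --unix-home=/home/jdoe --login-shell=/bin/bash \
        --nis-domain="$nis"
    samba-tool group addmembers staff jdoe
}

case "${1:-}" in
    run) provision_dc && add_posix_accounts ;;
    *)   echo "usage: $0 run  (needs root and samba-tool on the DC host)" >&2 ;;
esac
```

Run it with the single argument `run` on the future DC host; without it the script only prints usage, so the input checks can be exercised without touching the system.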




________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Valentijn Sessink via samba <samba at lists.samba.org>
Sent: Monday, November 25, 2024 5:06 PM
To: Samba <samba at lists.samba.org>
Subject: [External][Samba] MacOS and Linux file sharing: full AD or simple server?
 
Hi list,

Question: what are pros and cons for the following setups:
- current setup: using OpenLDAP for users, Samba for file sharing
- Using Samba for both (do I *need* it to be an AD? Or is it possible to
just use the LDAP infrastructure without the AD stuff?)
- Using a passwd/shadow infrastructure and just using Samba for file sharing.

Background:
I'm currently running Samba (4.15.13) with a separate LDAP daemon
(OpenLDAP) for a small network that consists of MacOS and Linux clients.
The setup has been running, with several upgrades, since about 2007 or
so, hence the separate Samba/OpenLDAP setup. There are about 15 active
users. (It's OpenLDAP running on the same server, hence the "daemon"
terminology - it's not a separate server machine).

An excerpt from my current smb.conf file:
   workgroup = customername
   passdb backend  = ldapsam:ldap://127.0.0.1/
   ldap admin dn   = cn=admin,dc=office,dc=customername,dc=nl
   ldap ssl        = off
   ldap suffix     = dc=office,dc=customername,dc=nl
   ldap user suffix        = ou=Users
   ldap group suffix       = ou=Groups
   ldap machine suffix     = ou=Computers
   unix extensions = yes
   security = user
   ldap password sync = yes

Now I'm planning to upgrade the network and services.

As there won't be any Windows machines, all the AD funny stuff (group
policies and whatnot) is superfluous.

However, I do need a user database.

Now I'm not sure how to proceed. Should I just migrate OpenLDAP and its
DB, migrate Samba too, and call it a day? Or is there any advantage to
start using the AD backend of Samba to store the LDAP stuff? The
disadvantage I'm seeing is that AD is primarily a Microsoft thing and I
don't have any of the MS tooling (adding users etc etc) without a
Microsoft OS.

I could also stop using OpenLDAP and just set up local users. Would work,
too.

As a side note: I *do* have some weird problems where smbstatus will
show "auth in progress" and freeze, once in a while (see mailing list
message 2021-12-29 13:50), to which a few users mentioned that running a
separate OpenLDAP was rather uncommon... :-/ - although I'm afraid my
setup will still be rather uncommon after switching to a full AD without
any windows machines connecting to it.

Best regards,

Valentijn
