[Samba] samba 4 authenticate with samba 3 ldap schema
Havany
havany at asalluhi.fr
Thu Jun 19 06:38:43 UTC 2025
Hi Andrea,
One solution is to use LSC (https://lsc-project.org/) to synchronize
your OpenLDAP with the samba 4 LDAP backend.
Here's what we do at work. Our OpenLDAP protocol is the standard for our
users and groups; Samba 4 is used only on our Windows machines. For
password management, which is the only element that can't be
synchronized with LSC, we use SSP
(https://github.com/ltb-project/self-service-password) with a prehook or
posthook script.
LSC also allows you to transform OpenLDAP fields via JavaScript.
Havany
On 18/06/2025 at 21:44, Rowland Penny via samba wrote:
> On Wed, 18 Jun 2025 20:49:31 +0200
> Andrea Zagli <azagli at libero.it> wrote:
>
>> Rowland Penny via samba <samba at lists.samba.org> writes:
>>
>>> On Wed, 18 Jun 2025 15:39:43 +0200
>>> Andrea Zagli via samba <samba at lists.samba.org> wrote:
>>>
>>>>
>>>> Hi
>>>>
>>>> as the object: i have a samba 4 standalone server and i want to
>>>> authenticate it using the openldap created for the samba 3 domain
>>>> controller
>>>>
>>>> is it possible?
>>>>
>>>
>>> Yes, it is still possible to set up Samba as an NT4-style PDC, but I
>>> suggest you do not, that requires NetBIOS which requires SMBv1 and
>>> that isn't secure. I suggest you investigate setting up a Samba AD
>>> domain instead.
>>>
>>> Rowland
>>
>>
>> sorry, i think i explained myself badly
>>
>> i don't want to have a samba 4 PDC NT4 (and neither an AD domain)
>
> What you are describing, while it might not be a PDC, is nearly the
> same thing and as such, is subject to the same problems. You will
> need to use SMBv1
>
>>
>> but i already have a samba 3 pdc nt4 with openldap as passdb backend
>>
>> then i have a new samba 4 standalone server (not in domain), to simply
>> share some directory, and i want to use the same openldap as passdb
>> backend to authenticate users
>
> Then join your standalone server to your NT4-style domain.
>
>>
>> i set the same options in smb.conf but when i try to login i get the
>> error invalid sid
>
> Well you would, even a standalone server has a SID.
>
>>
>> maybe samba 4 requires an ldap schema no more compatible with the one
>> required by samba 3?
>
> No, a Samba 4 NT4-style domain (or anything like it) uses the same
> schema as a Samba 3 NT4-style domain
>
> NT4-style domains are yesterday's methods (Microsoft stopped supporting
> them over 20 years ago), I really urge you to upgrade to AD.
>
> Rowland
>
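Havany's setup above pushes password changes from Self Service Password into Samba with a pre/post-hook script. The following is an added example of such a post-hook, not code from the thread, from LSC, or from the SSP project. It assumes (these details are not in the original post) that SSP invokes the hook as `posthook <login> <newpassword> [<oldpassword>]`, and that the Samba side is a passdb-style server where `smbpasswd -s` accepts the new password on stdin; on an AD DC the equivalent step would be `samba-tool user setpassword`. The security points it illustrates are the ones a hook like this has to get right: the login comes from a web form, so it is checked against a strict allowlist and passed as an argv element (no shell), and the password is fed through stdin rather than the command line, where it would be visible in the process table.

```python
#!/usr/bin/env python3
"""Added example (not from the thread or from SSP): an SSP post-hook that
pushes a changed password into Samba.

Assumptions, not stated in the original post:
  - SSP calls this script as:  posthook <login> <newpassword> [<oldpassword>]
  - the Samba side accepts `smbpasswd -s`, which reads the password from
    stdin (an AD DC would use `samba-tool user setpassword` instead)
  - the hook runs as root, so smbpasswd does not ask for the old password
"""
import re
import subprocess
import sys

# The login arrives from a web form: accept only plain POSIX-style account
# names so it can never carry shell metacharacters or LDAP filter syntax.
LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def is_valid_login(login: str) -> bool:
    """True only for logins that match the allowlist above."""
    return bool(LOGIN_RE.match(login))


def build_smbpasswd_argv(login: str, smbpasswd: str = "/usr/bin/smbpasswd") -> list:
    """Build the argv for smbpasswd.

    -s makes smbpasswd silent and read the password from stdin; the password
    is deliberately NOT an argument, so it never shows up in `ps` output.
    """
    if not is_valid_login(login):
        raise ValueError("refusing login that fails the allowlist")
    return [smbpasswd, "-s", login]


def smbpasswd_stdin(new_password: str) -> str:
    """Run as root, `smbpasswd -s` reads the new password twice (confirmation)."""
    return f"{new_password}\n{new_password}\n"


def sync_password(login: str, new_password: str, runner=subprocess.run) -> int:
    """Set the Samba password for `login`; returns smbpasswd's exit status.

    `runner` defaults to subprocess.run and is only a parameter so the
    function can be exercised without a real smbpasswd binary.
    """
    argv = build_smbpasswd_argv(login)
    result = runner(argv, input=smbpasswd_stdin(new_password),
                    text=True, capture_output=True)
    # Log the login and the status only; never the password or stdout,
    # which could echo it back on some failure paths.
    print(f"posthook: user={login} rc={result.returncode}", file=sys.stderr)
    return result.returncode


def main(argv: list) -> int:
    # argv layout assumed: [script, login, newpassword, (oldpassword)]
    if len(argv) < 3:
        print("usage: posthook <login> <newpassword> [<oldpassword>]", file=sys.stderr)
        return 2
    try:
        return sync_password(argv[1], argv[2])
    except ValueError as exc:
        print(f"posthook: {exc}", file=sys.stderr)
        return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the hook runs with the privileges needed to call `smbpasswd`, anything it does with the login string is a privilege boundary; the allowlist regex is what keeps a crafted username from turning into an argument smbpasswd never expected.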