[Samba] Samba 4.19 and OpenLDAP

Rowland Penny rpenny at samba.org
Sat May 3 08:28:48 UTC 2025


On Fri, 2 May 2025 21:40:38 +0000
Shannon Price via samba <samba at lists.samba.org> wrote:

> 
> 
> We do not run our campus Active Directory, but our Linux clients
> authenticate against it. There are several different Unix-based
> environments on campus, so we cannot use the RFC2307 fields from AD
> anyway since the answers would not be the same for each group. We
> have a pilot environment on Ubuntu 24.04 and RHEL 8 that uses SSSD
> and an OpenLDAP server.  Authentication is against our AD domain, but
> SSSD pulls the RFC 2307 fields from OpenLDAP.

None of the above has anything really to do with Samba.

> 
> Samba servers are also NFS servers so we need consistent UID/Group
> mappings in the whole environment.  NFS is working well with this
> environment.

Again, NFS has nothing to do with Samba.

> 
> Can Samba (version 4.19.4) pull RFC2307 from OpenLDAP 

Well yes, by using the idmap_rfc2307 idmap backend, but only the
uidNumber & gidNumber attributes (see 'man idmap_rfc2307'). To get the
majority of the rfc2307 attributes, you would have to use the idmap_ad
backend and that obviously only works against an AD DC.

> (or ask SSSD
> for the answer)?

While you can get Samba to use Red Hat's idmap_sss backend, this will
only get you mappings between AD SIDs and Unix uid/gid, so you might
just as well use the winbind idmap_rid backend.

> 
> Currently:
> security=ads
> In the Samba wiki documentation, several of the idmap links are empty
> (or removed?) idmap ldap and nss specifically.  Is this deprecated?

Both of those backends are still available, but the first is an
allocating backend and the second requires 'local' users (which Samba
can provide) so there doesn't seem much point in using sssd.
 
> 
> Any advice is welcome.

Have you considered setting up Samba AD domains for each environment
and syncing users/groups from your main AD to these, or using trusts?
 
Whatever problems you are having with sssd and your main AD, you are
likely to have similar problems with winbind and your main AD. Are you
aware that winbind came first and the initial sssd code was based on
winbind?

You might also be better off using Debian; this will get you Samba
4.21.5 on Bookworm backports or 4.22.1 on Trixie. Samba 4.19.5 is EOL
from the Samba point of view.

Rowland
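As an added illustration of the idmap_rfc2307 setup described in the reply above (this is not configuration from the thread or from the Samba project; the domain name EXAMPLE, the realm, the LDAP host and the DNs are assumed placeholders), a minimal smb.conf fragment for a member server that maps AD SIDs to the uidNumber/gidNumber held in a stand-alone OpenLDAP server:

```ini
[global]
    ; assumed names: replace with your own workgroup and realm
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads

    ; default backend for SIDs from any other domain (BUILTIN, trusts);
    ; the range must not overlap the rfc2307 range below
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999

    ; EXAMPLE domain: read-only lookups of uidNumber/gidNumber in OpenLDAP
    idmap config EXAMPLE : backend = rfc2307
    idmap config EXAMPLE : range = 10000-999999
    idmap config EXAMPLE : ldap_server = stand-alone
    ; assumed host; ldaps:// so the bind and lookups are encrypted
    idmap config EXAMPLE : ldap_url = ldaps://ldap.example.com
    ; assumed read-only bind DN; its password is not kept in smb.conf but
    ; stored with: net idmap set secret EXAMPLE '<password>'
    idmap config EXAMPLE : ldap_user_dn = cn=samba,ou=services,dc=example,dc=com
    ; assumed search bases for posixAccount and posixGroup entries
    idmap config EXAMPLE : bind_path_user = ou=people,dc=example,dc=com
    idmap config EXAMPLE : bind_path_group = ou=groups,dc=example,dc=com

    ; only uidNumber and gidNumber are taken from LDAP, so shell and home
    ; come from these templates (or from your NSS source)
    template shell = /bin/bash
    template homedir = /home/%U
```

After joining and restarting winbind, `wbinfo -i EXAMPLE\\someuser` should return the uid/gid held in OpenLDAP; a lookup that falls into the `*` range instead indicates the user was not found under the configured bind paths.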
