[Samba] Samba 4.19 and OpenLDAP

Rowland Penny rpenny at samba.org
Sat May 3 14:27:49 UTC 2025


On Sat, 3 May 2025 13:56:25 +0000
Shannon Price <pricesw at auburn.edu> wrote:

> 
> Thank you for your prompt response, Rowland.
> 
> The idmap_rfc2307 isn't working (yet) for me.  I'm working down that
> path now, however I do need the homedir parameter from RFC 2307.

As far as I am aware, only the idmap_ad config backend can obtain the
homedir and that only works with AD.

> 
> ../../source3/auth/auth_util.c:1946(check_account) check_account:
> Failed to convert SID
> S-1-5-21-2286752186-3697686403-1823448917-102506 to a UID
> (dom_user[UNIV\someusername])

Does the user 'someusername' have a uidNumber attribute containing a
number inside the range set in smb.conf?

> 
> I have considered setting up a Samba AD domain and replicating
> users/groups (and homedir?).  I can do this as long as authentication
> comes from the university domain (UNIV.EDU), which I think is
> possible. 

Then that isn't going to work, authentication must come from the DCs in
the domain, though you can get trusts to work.

> Do I set up my own DC (SUBDOM.UNIV.EDU), then Samba
> servers join to that DC?  I don't think I can establish trust between
> my domain (SUBDOM.UNIV.EDU) and the university domain (UNIV.EDU), so
> I can replicate the information I need.  My (3,000) Windows clients
> are already joined to the university domain.  Would they need to change
> domains as well to access my Samba file shares without a trust?
> Maybe a one-way trust where I trust them, but they don't need to
> trust me?

I think you really need to read up on AD and Samba AD, one difference
is that Samba does not (yet) do child domains.

> 
> Which advantages would I gain (in our situation) from 4.21 or 4.22?
> We've also maintained Debian systems for many years.  We can shift
> testing to Debian if that moves us forward.

Samba is a rapidly moving target, one of the benefits of using a Samba
supported version is that you can get to functional level 2016. 
Like all software, Samba has bugs and these only get fixed in Samba
supported versions (4.20.x, 4.21.x and 4.22.x at present), you have to
rely on the distros backporting any fixes to their versions, this
doesn't usually happen for minor fixes. 

One of the problems with using Samba with LDAP is that it normally
requires using the samba schema and that requires SMBv1 and that is no
longer recommended.

Rowland
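
One way to run the check asked about above (is there a uidNumber, and does it fall inside the range set in smb.conf), as an added example that is not part of the original message. The smb.conf fragment, its range values and the uidNumber values are constructed; only the domain name UNIV comes from the thread.

```python
import re

# Constructed smb.conf fragment (sample ranges, not taken from the thread).
SMB_CONF = """\
[global]
    workgroup = UNIV
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config UNIV : backend = rfc2307
    idmap config UNIV : range = 10000-999999
"""

# Matches "idmap config DOMAIN : range = LOW-HIGH", tolerant of spacing and case.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I
)

def idmap_ranges(conf_text):
    """Return {DOMAIN: (low, high)} for every idmap range line in conf_text."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def check_uid(conf_text, domain, uid_number):
    """Classify a user's uidNumber (None means the attribute is absent)."""
    ranges = idmap_ranges(conf_text)
    if domain.upper() not in ranges:
        return "no-range"        # no range configured for this domain
    if uid_number is None:
        return "no-uidNumber"    # LDAP entry lacks the attribute
    low, high = ranges[domain.upper()]
    return "ok" if low <= uid_number <= high else "out-of-range"

if __name__ == "__main__":
    # Constructed uidNumber values for illustration.
    for uid in (15000, 5000, None):
        print(uid, "->", check_uid(SMB_CONF, "UNIV", uid))
```

The uidNumber to feed in is whatever the directory returns for the user's entry; any result other than "ok" means the attribute or the configured range needs correcting for that user.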


