[Samba] Samba 4.19 and OpenLDAP

Morgan, Andrew J morgan at oregonstate.edu
Sat May 3 18:18:15 UTC 2025


Hi Shannon,

I don't understand why you want Samba (winbind) to get posix attributes, such as homedir.

At my university, our research groups run their own OpenLDAP servers for their Unix systems.  They create a "local" LDAP entry in their OpenLDAP server and use a plugin to proxy the auth to our central LDAP server.  We plan to migrate this proxy auth to our campus AD service in the future.  This allows them to set the posix attributes locally for their own environment (mainly homedir, I imagine) and to improve the lookup performance compared to AD.

I don't know if any of them run Samba, but it wouldn't surprise me.  Still, I don't understand how Samba itself would use various posix attributes.  Maybe you are using the special "[homes]" share?

This is an interesting discussion!

Thanks,
Andy
________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny via samba <samba at lists.samba.org>
Sent: Saturday, May 3, 2025 7:27 AM
To: samba at lists.samba.org <samba at lists.samba.org>
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba 4.19 and OpenLDAP


On Sat, 3 May 2025 13:56:25 +0000
Shannon Price <pricesw at auburn.edu> wrote:

>
> Thank you for your prompt response, Rowland.
>
> The idmap_rfc2307 isn't working (yet) for me.  I'm working down that
> path now, however I do need the homedir parameter from RFC 2307.

As far as I am aware, only the idmap_ad config backend can obtain the
homedir and that only works with AD.

>
> ../../source3/auth/auth_util.c:1946(check_account) check_account:
> Failed to convert SID
> S-1-5-21-2286752186-3697686403-1823448917-102506 to a UID
> (dom_user[UNIV\someusername])

Does the user 'someusername' have a uidNumber attribute containing a
number inside the range set in smb.conf?

>
> I have considered setting up a Samba AD domain and replicating
> users/groups (and homedir?).  I can do this as long as authentication
> comes from the university domain (UNIV.EDU), which I think is
> possible.

Then that isn't going to work, authentication must come from the DCs in
the domain, though you can get trusts to work.

> Do I set up my own DC (SUBDOM.UNIV.EDU), then Samba
> servers join to that DC?  I don't think I can establish trust between
> my domain (SUBDOM.UNIV.EDU) and the university domain (UNIV.EDU), so
> I can replicate the information I need.  My (3,000) Windows clients
> have already joined the university domain.  Would they need to change
> domains as well to access my Samba file shares without a trust?
> Maybe a one-way trust where I trust them, but they don't need to
> trust me?

I think you really need to read up on AD and Samba AD, one difference
is that Samba does not (yet) do child domains.

>
> Which advantages would I gain (in our situation) from 4.21 or 4.22?
> We've also maintained Debian systems for many years.  We can shift
> testing to Debian if that moves us forward.

Samba is a rapidly moving target, one of the benefits of using a Samba
supported version is that you can get to functional level 2016.
Like all software, Samba has bugs and these only get fixed in Samba
supported versions (4.20.x, 4.21.x and 4.22.x at present), you have to
rely on the distros backporting any fixes to their versions, this
doesn't usually happen for minor fixes.

One of the problems with using Samba with ldap is that it normally
requires using the samba schema, and that requires SMBv1, which is no
longer recommended.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
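A check for Rowland's uidNumber question, added here as an example that is not part of the thread: it reads the `idmap config ... : range` lines from an smb.conf fragment and the uidNumber of each user in an LDIF dump, then lists the users winbind could not map for the domain (missing uidNumber or one outside the configured range), which is the situation behind the "Failed to convert SID ... to a UID" log line. The smb.conf fragment, the ranges and the user entries are constructed; only the domain name UNIV comes from the quoted log.

```python
import re

# Constructed smb.conf fragment (not from the thread); UNIV is the domain in the quoted log line.
SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config UNIV : backend = rfc2307
   idmap config UNIV : range = 10000-999999
"""
# Constructed LDIF dump; 'bob' has no uidNumber, 'someusername' has one below the UNIV range.
LDIF = """
dn: cn=someusername,ou=People,dc=example,dc=edu
uid: someusername
uidNumber: 2501

dn: cn=alice,ou=People,dc=example,dc=edu
uid: alice
uidNumber: 10042

dn: cn=bob,ou=People,dc=example,dc=edu
uid: bob
"""
RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I | re.M)

def idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line in smb.conf."""
    return {dom.upper(): (int(lo), int(hi)) for dom, lo, hi in RANGE_RE.findall(conf)}

def ldif_users(ldif):
    """Map uid -> uidNumber (None when the attribute is absent) from an LDIF dump."""
    users = {}
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {k.strip(): v.strip() for k, v in
                 (line.split(":", 1) for line in entry.splitlines() if ":" in line)}
        if "uid" in attrs:
            users[attrs["uid"]] = int(attrs["uidNumber"]) if "uidNumber" in attrs else None
    return users

def check_domain(domain, conf, ldif):
    """List users winbind cannot map for DOMAIN: no uidNumber, or one outside the idmap range."""
    lo, hi = idmap_ranges(conf)[domain.upper()]
    problems = []
    for uid, num in sorted(ldif_users(ldif).items()):
        if num is None:
            problems.append(f"{uid}: missing uidNumber")
        elif not lo <= num <= hi:
            problems.append(f"{uid}: uidNumber {num} outside range {lo}-{hi}")
    return problems
```

Running `check_domain("UNIV", SMB_CONF, LDIF)` against a real dump (for example the output of ldapsearch) and the live smb.conf reports exactly the accounts that will fail the SID-to-UID step.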

