[Samba] Samba 4.19 and OpenLDAP

Shannon Price pricesw at auburn.edu
Tue May 6 15:39:34 UTC 2025



Hello all,

We have been working on the idmap_rfc2307 solution for this.  Packet traces on the Samba server and the LDAP server don't show any communication between Samba and the LDAP server at any point. (Configuration below). Samba logs are set at 10 and the error message is consistent:

../../source3/auth/auth_util.c:1946(check_account) check_account: Failed to convert SID S-1-5-21-2286752186-3697686403-1823448917-102506 to a UID (dom_user[UNIV\someusername])

>>>  smb.conf  <<<

[global]
        # workgroup and naming
        workgroup = UNIV
        server string = Samba Server Version %v

        # server settings
        interfaces = 127.0.0.1, xxx.xxx.xxx.xxx
        bind interfaces only = yes
        deadtime = 15
        strict locking = no
        lock directory = /var/spool/locks/samba

        # logging
        log file = /var/log/samba/log.smbd
        log level = 10
        max log size = 51200

        client max protocol = SMB3

        security = ads
        password server = KERBEROS.univ.edu
        client signing = yes
        ## client use spnego = yes
        kerberos method = secrets and keytab
        realm = UNIV.EDU

        idmap config * : backend = tdb
        idmap config * : range   = 20000001-20001000

        idmap config AUBURN : backend = rfc2307
        idmap config AUBURN.EDU:range = 200-20000000
        idmap config AUBURN : ldap_server = stand-alone
        idmap config AUBURN : ldap_url = ldap://ldaptest.subdom.univ.edu/
        idmap config AUBURN : ldap_search_base = dc=univ,dc=edu
        idmap config AUBURN : realm = univ.edu
        idmap config AUBURN : ldap_user_dn = cn=readonly,ou=system,dc=univ,dc=edu


--
Shannon Price
Auburn University
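Added example (my code, not from the thread or the Samba project): a small Python lint for the idmap blocks of an smb.conf. Winbind only consults an `idmap config DOMAIN :` block whose DOMAIN is the short (NetBIOS) name of the domain a SID belongs to, or the `*` default, so a block keyed on any other name is silently ignored, and a SID with no usable block fails with exactly the "Failed to convert SID ... to a UID" message and no LDAP traffic at all; the option names and the ones stand-alone rfc2307 needs (ldap_url, bind_path_user, bind_path_group, ldap_user_dn) come from man idmap_rfc2307. The sample config is a constructed copy of the idmap lines posted above, and the workgroup/block-name comparison assumes those names were not altered inconsistently when the post was anonymised.

```python
"""Lint the idmap blocks of an smb.conf (added example, not from the thread); options per man idmap_rfc2307."""
import re
from collections import defaultdict

RFC2307_OPTIONS = {"backend", "range", "ldap_server", "bind_path_user", "bind_path_group",
                   "user_cn", "realm", "ldap_domain", "ldap_url", "ldap_user_dn"}
STANDALONE_REQUIRED = ("ldap_url", "bind_path_user", "bind_path_group", "ldap_user_dn")
IDMAP_RE = re.compile(r"^idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.*)$", re.I)

# Constructed copy of the idmap-related lines from the smb.conf posted above.
SAMPLE_CONF = """[global]
        workgroup = UNIV
        idmap config * : backend = tdb
        idmap config * : range   = 20000001-20001000
        idmap config AUBURN : backend = rfc2307
        idmap config AUBURN.EDU:range = 200-20000000
        idmap config AUBURN : ldap_server = stand-alone
        idmap config AUBURN : ldap_url = ldap://ldaptest.subdom.univ.edu/
        idmap config AUBURN : ldap_search_base = dc=univ,dc=edu
        idmap config AUBURN : realm = univ.edu
        idmap config AUBURN : ldap_user_dn = cn=readonly,ou=system,dc=univ,dc=edu
"""

def parse_global(text):
    """Return (workgroup, {DOMAIN: {option: value}}) from the [global] section."""
    workgroup, idmap, section = None, defaultdict(dict), None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section != "global" or not line or line[0] in "#;":
            continue                             # other section, blank, or comment
        elif IDMAP_RE.match(line):               # domain names compare case-insensitively
            dom, opt, val = IDMAP_RE.match(line).groups()
            idmap[dom.strip().upper()][opt.lower()] = val.strip()
        elif line.partition("=")[0].strip().lower() == "workgroup":
            workgroup = line.partition("=")[2].strip().upper()
    return workgroup, dict(idmap)

def lint_idmap(text):
    """Return findings as strings; an empty list means the idmap blocks look usable."""
    workgroup, idmap = parse_global(text)
    out = [] if "*" in idmap else ["no 'idmap config * :' default block"]
    for dom, opts in idmap.items():
        if dom not in ("*", workgroup):          # winbind will never consult this block
            out.append(f"block '{dom}' never matches workgroup '{workgroup}' and is ignored")
        out += [f"block '{dom}' has no {k}" for k in ("backend", "range") if k not in opts]
        if opts.get("backend", "").lower() == "rfc2307":
            out += [f"block '{dom}': '{o}' is not an idmap_rfc2307 option"
                    for o in sorted(set(opts) - RFC2307_OPTIONS)]
            if opts.get("ldap_server", "").lower() == "stand-alone":
                out += [f"block '{dom}': stand-alone rfc2307 needs '{o}'"
                        for o in STANDALONE_REQUIRED if o not in opts]
    return out
```

The bind password for ldap_user_dn lives in secrets.tdb and is set with `net idmap set secret DOMAIN password`, which a config lint cannot check.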

-----Original Message-----
From: Shannon Price
Sent: Saturday, May 3, 2025 8:56 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: RE: [Samba] Samba 4.19 and OpenLDAP


Thank you for your prompt response, Rowland.

The idmap_rfc2307 isn't working (yet) for me.  I'm working down that path now; however, I do need the homedir parameter from RFC 2307.

../../source3/auth/auth_util.c:1946(check_account) check_account: Failed to convert SID S-1-5-21-2286752186-3697686403-1823448917-102506 to a UID (dom_user[UNIV\someusername])

I have considered setting up a Samba AD domain and replicating users/groups (and homedir?).  I can do this as long as authentication comes from the university domain (UNIV.EDU), which I think is possible.  Do I set up my own DC (SUBDOM.UNIV.EDU), then Samba servers join to that DC?  I don't think I can establish trust between my domain (SUBDOM.UNIV.EDU) and the university domain (UNIV.EDU), so I can replicate the information I need.  My (3,000) Windows clients are already joined to the university domain.  Would they need to change domains as well to access my Samba file shares without a trust?  Maybe a one-way trust where I trust them, but they don't need to trust me?

Which advantages would I gain (in our situation) from 4.21 or 4.22?  We've also maintained Debian systems for many years.  We can shift testing to Debian if that moves us forward.

--
Shannon



-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Saturday, May 3, 2025 3:29 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba 4.19 and OpenLDAP

On Fri, 2 May 2025 21:40:38 +0000
Shannon Price via samba <samba at lists.samba.org> wrote:

>
>
> We do not run our campus Active Directory, but our Linux clients
> authenticate against it. There are several different Unix-based
> environments on campus, so we cannot use the RFC2307 fields from AD
> anyway since the answers would not be the same for each group. We have
> a pilot environment on Ubuntu 24.04 and RHEL 8 that uses SSSD and an
> OpenLDAP server.  Authentication is against our AD domain, but SSSD
> pulls the RFC 2307 fields from OpenLDAP.

None of the above has anything really to do with Samba.

>
> Samba servers are also NFS servers so we need consistent UID/Group
> mappings in the whole environment.  NFS is working well with this
> environment.

Again, NFS has nothing to do with Samba.

>
> Can Samba (version 4.19.4) pull RFC2307 from OpenLDAP

Well yes, by using the idmap_rfc2307 idmap backend, but only the uidNumber & gidNumber attributes (see 'man idmap_rfc2307'). To get the majority of the rfc2307 attributes, you would have to use the idmap_ad backend and that obviously only works against an AD DC.

> (or ask SSSD
> for the answer)?

While you can get Samba to use Red Hat's idmap_sss backend, this will only get you mappings between AD SIDs and Unix uid/gid, so you might just as well use the winbind idmap_rid backend.

>
> Currently:
> security=ads
> In the Samba wiki documentation, several of the idmap links are empty
> (or removed?) idmap ldap and nss specifically.  Is this deprecated?

Both of those backends are still available, but the first is an allocating backend and the second requires 'local' users (which Samba can provide) so there doesn't seem much point in using sssd.

>
> Any advice is welcome.

Have you considered setting up Samba AD domains for each environment and syncing users/groups from your main AD to these, or using trusts?

Whatever problems you are having with sssd and your main AD, you are likely to have similar problems with winbind and your main AD. Are you aware that winbind came first and the initial sssd code was based on winbind?

You might also be better off using Debian; this will get you Samba 4.21.5 on Bookworm backports or 4.22.1 on Trixie. Samba 4.19.5 is EOL from the Samba point of view.

Rowland

