[Samba] Samba 4.19 and OpenLDAPs

Shannon Price pricesw at auburn.edu
Tue May 6 16:31:29 UTC 2025


Sorry - my redaction was incomplete/incorrect in the smb.conf message.  Corrected, redacted smb.conf below.  I need to authenticate against AD, which does work, but idmap vs LDAP server (OpenLDAP).

Why wouldn't I see traffic between the Samba server and the LDAP server?  ("well there wouldn't be")


>>>  smb.conf  <<<

[global]
        # workgroup and naming
        workgroup = UNIV
        server string = Samba Server Version %v

        # server settings
        interfaces = 127.0.0.1, xxx.xxx.xxx.xxx
        bind interfaces only = yes
        deadtime = 15
        strict locking = no
        lock directory = /var/spool/locks/samba

        # logging
        log file = /var/log/samba/log.smbd
        log level = 10
        max log size = 51200

        client max protocol = SMB3

        security = ads
        password server = KERBEROS.univ.edu
        client signing = yes
        ## client use spnego = yes
        kerberos method = secrets and keytab
        realm = UNIV.EDU

        idmap config * : backend = tdb
        idmap config * : range   = 20000001-20001000

        idmap config UNIV : backend = rfc2307
        idmap config UNIV : range = 200-20000000
        idmap config UNIV : ldap_server = stand-alone
        idmap config UNIV : ldap_url = ldap://ldaptest.subdom.univ.edu/
        idmap config UNIV : ldap_search_base = dc=univ,dc=edu
        idmap config UNIV : realm = univ.edu
        idmap config UNIV : ldap_user_dn = cn=readonly,ou=system,dc=univ,dc=edu


--
Shannon Price
Auburn University



-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Tuesday, May 6, 2025 11:14 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba 4.19 and OpenLDAPs

On Tue, 6 May 2025 15:39:34 +0000
Shannon Price <pricesw at auburn.edu> wrote:

>
>
> Hello all,
>
> We have been working on the idmap_rfc2307 solution for this.  Packet
> traces on the Samba server and the LDAP server don't show any
> communication between Samba and the LDAP server at any point.
> (Configuration below).

Well there wouldn't be.

> Samba logs are set at 10 and the error message is consistent:
>
> ../../source3/auth/auth_util.c:1946(check_account) check_account:
> Failed to convert SID
> S-1-5-21-2286752186-3697686403-1823448917-102506 to a UID
> (dom_user[UNIV\someusername])
>
> >>>  smb.conf  <<<
>
> [global]
>         # workgroup and naming
>         workgroup = UNIV
>         server string = Samba Server Version %v
>
>         # server settings
>         interfaces = 127.0.0.1, xxx.xxx.xxx.xxx
>         bind interfaces only = yes
>         deadtime = 15
>         strict locking = no
>         lock directory = /var/spool/locks/samba
>
>         # logging
>         log file = /var/log/samba/log.smbd
>         log level = 10
>         max log size = 51200
>
>         client max protocol = SMB3
>
>         security = ads

Your smb.conf would be good to here, provided you were connecting to active directory.

>         password server = KERBEROS.univ.edu

While you technically can set the 'password server' parameter, you should leave it up to Samba to find the best AD DC to use.

>         client signing = yes
>         ## client use spnego = yes
>         kerberos method = secrets and keytab
>         realm = UNIV.EDU
>
>         idmap config * : backend = tdb
>         idmap config * : range   = 20000001-20001000
>
>         idmap config AUBURN : backend = rfc2307
>         idmap config AUBURN.EDU:range = 200-20000000
>         idmap config AUBURN : ldap_server = stand-alone
>         idmap config AUBURN : ldap_url = ldap://ldaptest.subdom.univ.edu/
>         idmap config AUBURN : ldap_search_base = dc=univ,dc=edu
>         idmap config AUBURN : realm = univ.edu
>         idmap config AUBURN : ldap_user_dn = cn=readonly,ou=system,dc=univ,dc=edu

Here is where it really falls apart: your workgroup is 'UNIV', but you are using 'AUBURN' (and 'AUBURN.EDU') in the 'idmap config' lines. Because you have 'security = ads', the backend for 'AUBURN' (which should be 'UNIV') should be 'ad', and the rest of the 'idmap config' lines have nothing to do with the 'ad' backend (see 'man idmap_ad' for the available parameters); to use them you would have to use 'security = user' and SMBv1.

I did say that idmap_ad only works with Active Directory.

Rowland
PS: Please do not 'CC' me, it breaks my mail flow.
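A small checker for the mistakes pointed out in the reply above (idmap config lines keyed on a domain name other than the workgroup, a domain block left without a range, and a backend other than 'ad' under security = ads). This is an added example, not code from the thread or from Samba; the smb.conf text is constructed from the quoted configuration, and the backend test encodes the reply's advice rather than a rule of Samba's own.

```python
import re
# Constructed sample: the idmap-related [global] lines from the quoted smb.conf, as posted.
SAMPLE_SMB_CONF = """[global]
        workgroup = UNIV
        security = ads
        idmap config * : backend = tdb
        idmap config * : range   = 20000001-20001000
        idmap config AUBURN : backend = rfc2307
        idmap config AUBURN.EDU:range = 200-20000000
        idmap config AUBURN : ldap_server = stand-alone
"""
# 'idmap config <DOMAIN> : <option> = <value>'; whitespace around ':' is optional.
IDMAP_RE = re.compile(r"^idmap config\s*([^:]+?)\s*:\s*(\S+)\s*=\s*(.*)$", re.I)

def parse_global(text):
    """Return ([global] settings, idmap settings keyed by upper-cased domain)."""
    settings, idmap, in_global = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):          # section header: only [global] matters here
            in_global = line.lower() == "[global]"
            continue
        if not in_global or "=" not in line:
            continue
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3).strip()
        else:
            key, val = (s.strip() for s in line.split("=", 1))
            settings[key.lower()] = val
    return settings, idmap

def check_idmap(text):
    """Return (domain, issue) pairs for the problems pointed out in the reply above."""
    settings, idmap = parse_global(text)
    workgroup = settings.get("workgroup", "").upper()
    ads = settings.get("security", "").lower() == "ads"
    findings = [(d, "missing range") for d, c in idmap.items() if "range" not in c]
    for dom, conf in idmap.items():
        if dom == "*":
            continue                      # '*' is the catch-all default, not a domain name
        if dom != workgroup:
            findings.append((dom, "does not match workgroup " + workgroup))
        if ads and conf.get("backend") != "ad":
            findings.append((dom, "backend %s with security = ads" % conf.get("backend")))
    if workgroup and workgroup not in idmap:
        findings.append((workgroup, "no idmap config block for the workgroup"))
    return findings
```

Running `check_idmap` over the constructed sample reports the AUBURN/UNIV mismatch, the range that landed under 'AUBURN.EDU' instead of 'AUBURN', and the absent 'idmap config UNIV' block; renaming the keys to UNIV and the backend to 'ad' makes it return an empty list.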
