[Samba] Samba 4.19 and OpenLDAPs
Shannon Price
pricesw at auburn.edu
Wed May 14 20:24:05 UTC 2025
I had a side suggestion from a list member whether nslcd was a possibility, using winbind for the authentication and nslcd to get the rfc2307 attributes. This was essentially my approach since nslcd and SSSD are performing the same role - connecting to an LDAP server for RFC2307. I have SSSD working with RHEL. RHEL has dropped NSLCD packages in favor of SSSD, but they are still available in Ubuntu, so there could be a path with Ubuntu serving Samba instead.
The Samba option "security = ads" and the net join establish the authentication with AD, but I haven't been able to get the idmap to fall back to LDAP (except the clunky idmap = script that I mention below). It seems like the ADS setting causes the idmap settings (e.g. idmap_ldap) to be ignored.
--
Shannon Price
Auburn University
-----Original Message-----
From: Shannon Price
Sent: Monday, May 12, 2025 4:42 PM
To: samba at lists.samba.org
Subject: RE: [Samba] Samba 4.19 and OpenLDAPs
I have this working using "idmap_script" for the idmapping (homegrown script). I authenticate vs Active Directory and use SSSD to talk to OpenLDAP on the backend for group membership and posix attributes (homedir mostly). My nsswitch.conf looks like this:
passwd: sss files systemd
group: sss files systemd
ID mapping is done very simply (my script is VERY short and for now uses a flat file for username-SID-UID user mapping). Group memberships come from OpenLDAP. It all looks very simple and clean. Samba still tries to enumerate all of my group mappings. It pulls all of my groups from Active Directory (which have no meaning in my Linux/Samba environment). This means that my idmap script gets called over and over when I initially connect. I had hoped that "winbind enum groups" would suppress this behavior, but it doesn't.
Winbind is running. This is my smb.conf for reference:
[global]
# workgroup and naming
workgroup = UNIV
# server settings
interfaces = 127.0.0.1, xxx.xxx.xxx.xxx
bind interfaces only = yes
deadtime = 15
strict locking = no
lock directory = /var/spool/locks/samba
# logging
log file = /var/log/samba/log.smbd
log level = 2
max log size = 51200
# authentication
client max protocol = SMB3
security = ads
client signing = yes
kerberos method = secrets and keytab
realm = UNIV.EDU
idmap config * : backend = script
idmap config * : range = 200-20000000
idmap config * : script = /etc/samba/idmap.sh
winbind enum groups = no
--
Shannon
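Below is an added example of what an "idmap config * : backend = script" helper can look like. It is not Shannon's idmap.sh and not Samba project code; it only follows the calling convention documented in idmap_script(8): winbind runs the script as "script SIDTOID <sid>" or "script IDTOSID UID|GID <number>" and reads a single line of "UID:<n>", "GID:<n>", "SID:<sid>" or "ERR:<message>" on stdout. The flat-file format, its path, the environment variable names and the SIDs in the built-in sample table are all assumptions made for the example. It also refuses ids outside the 200-20000000 range used in the smb.conf above, because winbind rejects such mappings anyway and an early ERR: is easier to spot in the logs.

```sh
#!/bin/sh
# Added example of an idmap_script(8) helper for winbind. Not Shannon's script
# and not Samba project code. Calling convention (from the man page):
#   idmap.sh SIDTOID <SID>          -> prints UID:<n>, GID:<n> or ERR:<msg>
#   idmap.sh IDTOSID UID|GID <n>    -> prints SID:<SID> or ERR:<msg>
# Flat-file format, path and variable names below are assumptions.

MAPFILE="${IDMAP_MAPFILE:-/etc/samba/idmap.map}"   # assumed format: "<SID> <UID|GID> <number>" per line
RANGE_LOW="${IDMAP_RANGE_LOW:-200}"                 # mirrors "idmap config * : range = 200-20000000"
RANGE_HIGH="${IDMAP_RANGE_HIGH:-20000000}"          # winbind enforces the range too; fail early here

# Constructed sample table (fake SIDs) used only when the map file is absent,
# so the script can be exercised offline.
SAMPLE_MAP='S-1-5-21-1111-2222-3333-1104 UID 5001
S-1-5-21-1111-2222-3333-1105 UID 5002
S-1-5-21-1111-2222-3333-513 GID 5100
S-1-5-21-1111-2222-3333-600 UID 30000000'

map_lines() {
    if [ -r "$MAPFILE" ]; then cat "$MAPFILE"; else printf '%s\n' "$SAMPLE_MAP"; fi
}

# Print an ERR: line in the format winbind parses; callers return 1 afterwards.
err() { printf 'ERR:%s\n' "$1"; }

in_range() { [ "$1" -ge "$RANGE_LOW" ] && [ "$1" -le "$RANGE_HIGH" ]; }

# SIDTOID: reject malformed SIDs, unknown SIDs and ids outside the range.
sid_to_id() {
    case "$1" in
        S-1-*) ;;
        *) err "malformed sid $1"; return 1 ;;
    esac
    hit=$(map_lines | awk -v s="$1" '$1 == s { printf "%s:%s\n", $2, $3; exit }')
    [ -n "$hit" ] || { err "no mapping for $1"; return 1; }
    num=${hit#*:}
    in_range "$num" || { err "id $num outside idmap range"; return 1; }
    printf '%s\n' "$hit"
}

# IDTOSID: reverse lookup; the type (UID or GID) must match the table entry.
id_to_sid() {
    case "$1" in UID|GID) ;; *) err "unknown id type $1"; return 1 ;; esac
    case "$2" in ''|*[!0-9]*) err "non-numeric id $2"; return 1 ;; esac
    in_range "$2" || { err "id $2 outside idmap range"; return 1; }
    sid=$(map_lines | awk -v t="$1" -v n="$2" '$2 == t && $3 == n { print $1; exit }')
    [ -n "$sid" ] || { err "no mapping for $1 $2"; return 1; }
    printf 'SID:%s\n' "$sid"
}

idmap_dispatch() {
    case "$1" in
        SIDTOID) sid_to_id "$2" ;;
        IDTOSID) id_to_sid "$2" "$3" ;;
        *) err "unknown request $1"; return 1 ;;
    esac
}

# Only act when winbind passes arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    idmap_dispatch "$@"
fi
```

Two practical points: winbindd runs the script with its own privileges for every SID it cannot answer from its cache, so the file should be owned by root and not writable by anyone else, and the lookup should stay cheap (a flat file read per call is fine for a few hundred entries; beyond that a real database or the ldap backend is the better tool). The sample table above deliberately contains an id above 20000000 so the range check can be seen to fire.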
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Shannon Price via samba
Sent: Tuesday, May 6, 2025 11:54 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4.19 and OpenLDAPs
If we use "security=user" (and idmap_rfc2307), we won't be able to authenticate against another source (e.g. an AD domain), right? The password would also need to come from Samba?
I saw an older posting from you about "idmap_script"; is that still a valid backend? The man page exists, but I don't want to go down more deprecated rabbit holes.
--
Shannon
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Tuesday, May 6, 2025 11:50 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba 4.19 and OpenLDAPs
On Tue, 6 May 2025 16:31:29 +0000
Shannon Price via samba <samba at lists.samba.org> wrote:
>
> Sorry - my redaction was incomplete/incorrect in the smb.conf message.
> Corrected, redacted smb.conf below. I need to authenticate against
> AD, which does work, but idmap vs LDAP server (OpenLDAP).
Samba cannot do that.
>
> Why wouldn't I see traffic between the Samba server and the LDAP
> server? ("well there wouldn't be")
You have 'security = ads'; if you use this, Samba must be a domain member in an ADS realm, it requires Kerberos and Samba must be joined to the realm using 'net'.
To use idmap_rfc2307, you need to use 'security = user' and probably also SMBv1 (I have never used idmap_rfc2307, so am not sure about this, but normally using an ldap backend with Samba requires SMBv1 e.g. a PDC).
Different backends use different code paths in Samba.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba