[Samba] Samba 4.19 and OpenLDAPs

Shannon Price pricesw at auburn.edu
Wed May 14 21:34:12 UTC 2025


Thanks for your response, Andrew.  I haven't had success with the NSS idmap (yet).  My Samba server is using SSSD for passwd and group:

passwd:     sss files systemd
group:      sss files systemd

This works on the local system and for NFS mappings, but Samba won't pick up the initial userid.  Which packages are you using to provide LDAP in your nsswitch.conf?

Failed to convert SID S-1-5-21-2286752186-3697686403-#######-##### to a UID (dom_user[AUBURN\myusername])

--
Shannon

From: Morgan, Andrew J <morgan at oregonstate.edu>
Sent: Wednesday, May 14, 2025 4:22 PM
To: samba at lists.samba.org; Shannon Price <pricesw at auburn.edu>
Subject: Re: [Samba] Samba 4.19 and OpenLDAPs

Shannon,

We run Samba similar to what you describe.  Here are excerpts from our smb.conf:

[global]
        security = ads
        allow trusted domains = no
        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999
        idmap config ONID : backend = nss
        # our users in LDAP have uidnumbers in this range
        idmap config ONID : range = 1000-999999


/etc/nsswitch.conf has:
passwd:         compat ldap systemd
group:          compat ldap systemd

In this case, we use a non-AD LDAP server to provide those Posix attributes to the Debian linux system, but I don't see why you couldn't use AD if the correct attributes are available there.

Let me know if you have any questions.

Thanks,
Andy


________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Shannon Price via samba <samba at lists.samba.org>
Sent: Wednesday, May 14, 2025 1:24 PM
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] Samba 4.19 and OpenLDAPs


I had a side suggestion from a list member whether nslcd was a possibility, using winbind for the authentication and nslcd to get the rfc2307 attributes.  This was essentially my approach since nslcd and SSSD are performing the same role - connecting to an LDAP server for RFC2307.  I have SSSD working with RHEL.  RHEL has dropped NSLCD packages in favor of SSSD, but they are still available in Ubuntu, so there could be a path with Ubuntu serving Samba instead.

The Samba option "security = ads" and the net join establishes the authentication with AD, but I haven't been able to get the idmap to fall back to LDAP (except the clunky id_map = script that I mention below).  It seems like the ADS setting causes the idmap settings (e.g. idmap_ldap) to be ignored.

--
Shannon Price
Auburn University

-----Original Message-----
From: Shannon Price
Sent: Monday, May 12, 2025 4:42 PM
To: samba at lists.samba.org
Subject: RE: [Samba] Samba 4.19 and OpenLDAPs



I have this working using "idmap_script" for the idmapping (homegrown script).  I authenticate vs Active Directory and use SSSD to talk to OpenLDAP on the backend for group membership and posix attributes (homedir mostly).  My nsswitch.conf looks like this:


passwd:     sss files systemd
group:      sss files systemd

ID mapping is done very simply (my script is VERY short and for now uses a flat file for username-SID-UID user mapping).  Group memberships come from OpenLDAP.  It all looks very simple and clean.  Samba still tries to enumerate all of my group mappings.  It pulls all of my groups from Active Directory (which have no meaning in my Linux/Samba environment).  This means that my idmap script gets called over and over when I initially connect.  I had hoped that "winbind enum groups" would suppress this behavior, but it doesn't.

Winbind is running.  This is my smb.conf for reference:

[global]
        # workgroup and naming
        workgroup = UNIV

        # server settings
        interfaces = 127.0.0.1, xxx.xxx.xxx.xxx
        bind interfaces only = yes
        deadtime = 15
        strict locking = no
        lock directory = /var/spool/locks/samba

        # logging
        log file = /var/log/samba/log.smbd
        log level = 2
        max log size = 51200

        # authentication
        client max protocol = SMB3
        security = ads
        client signing = yes
        kerberos method = secrets and keytab
        realm = UNIV.EDU

        idmap config * : backend  = script
        idmap config * : range = 200-20000000
        idmap config * : script = /etc/samba/idmap.sh

        winbind enum groups = no

--
Shannon
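A minimal idmap.sh of the kind described in this post, added here as an example; it is not Shannon's script (which is not on the page) and not Samba's own code. It follows the calling convention documented in idmap_script(8): winbind runs the script as "SIDTOID <sid>" and expects a single line "UID:<n>", "GID:<n>" or "ERR:<text>", or as "IDTOSID UID|GID <n>" and expects "SID:<sid>" or "ERR:<text>". The flat-file format, the path /etc/samba/idmap.map and the sample SIDs and ids are constructed for this example.

```shell
#!/bin/sh
# Added example: a flat-file backend for "idmap config * : backend = script".
# winbind calls the script (idmap_script(8)) with one of two requests:
#   idmap.sh SIDTOID <sid>          -> must print UID:<n>, GID:<n> or ERR:<text>
#   idmap.sh IDTOSID UID|GID <n>    -> must print SID:<sid> or ERR:<text>
# Map file format (constructed for this example, one mapping per line):
#   <UID|GID> <sid> <id>
# Ids handed back to winbind must fall inside "idmap config * : range";
# winbind rejects anything outside it, so the script does not re-check that.

IDMAP_FILE="${IDMAP_FILE:-/etc/samba/idmap.map}"   # assumed location

# write_sample_map PATH: writes a constructed map (fake SIDs) for testing.
write_sample_map() {
    cat > "$1" <<'EOF'
# type  sid                                            id
UID     S-1-5-21-1111111111-2222222222-3333333333-1001   10001
UID     S-1-5-21-1111111111-2222222222-3333333333-1002   10002
GID     S-1-5-21-1111111111-2222222222-3333333333-2001   20001
EOF
}

# sid_to_id SID: print UID:n or GID:n for a known SID, ERR:... otherwise.
sid_to_id() {
    case $1 in
        S-1-[0-9]*) ;;   # refuse anything not SID-shaped before reading the map
        *) printf 'ERR:malformed SID %s\n' "$1"; return 1 ;;
    esac
    awk -v sid="$1" '
        /^#/ || NF < 3   { next }
        $2 == sid        { printf "%s:%s\n", $1, $3; found = 1; exit }
        END { if (!found) { printf "ERR:no mapping for %s\n", sid; exit 1 } }
    ' "$IDMAP_FILE"
}

# id_to_sid UID|GID N: print SID:... for a known id, ERR:... otherwise.
id_to_sid() {
    case $1 in UID|GID) ;; *) printf 'ERR:unknown id type %s\n' "$1"; return 1 ;; esac
    case $2 in ''|*[!0-9]*) printf 'ERR:non-numeric id %s\n' "$2"; return 1 ;; esac
    awk -v type="$1" -v id="$2" '
        /^#/ || NF < 3           { next }
        $1 == type && $3 == id   { printf "SID:%s\n", $2; found = 1; exit }
        END { if (!found) { printf "ERR:no mapping for %s %s\n", type, id; exit 1 } }
    ' "$IDMAP_FILE"
}

# idmap_main REQUEST ...: dispatch exactly as winbind invokes the script.
idmap_main() {
    case $1 in
        SIDTOID) sid_to_id "$2" ;;
        IDTOSID) id_to_sid "$2" "$3" ;;
        *) printf 'ERR:unknown request %s\n' "$1"; return 1 ;;
    esac
}

# Only dispatch when invoked with arguments (winbind always supplies them).
[ $# -eq 0 ] || idmap_main "$@"
```

Every unmapped SID still produces one "ERR:" line, which matters for the enumeration behaviour described above: winbind will keep asking for every AD group SID it sees, and a script that hangs or prints nothing for unknown SIDs stalls the connection rather than just logging a miss.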



-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Shannon Price via samba
Sent: Tuesday, May 6, 2025 11:54 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4.19 and OpenLDAPs


If we use "security=user" (and idmap_rfc2307), we won't be able to authenticate against another source, right?  (e.g. an AD domain)?  The password would also need to come from Samba?

I saw an older posting from you about "idmap_script".  Is that still a valid backend?  The man page exists, but I don't want to go down more deprecated rabbit holes.

--
Shannon

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Tuesday, May 6, 2025 11:50 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba 4.19 and OpenLDAPs

On Tue, 6 May 2025 16:31:29 +0000
Shannon Price via samba <samba at lists.samba.org> wrote:

>
> Sorry - my redaction was incomplete/incorrect in the smb.conf message.
> Corrected, redacted smb.conf below.  I need to authenticate against
> AD, which does work, but idmap vs LDAP server (OpenLDAP).

Samba cannot do that.

>
> Why wouldn't I see traffic between the Samba server and the LDAP
> server?  ("well there wouldn't be")

You have 'security = ads'; if you use this, Samba must be a domain member in an ADS realm, it requires Kerberos and Samba must be joined to the realm using 'net'.

To use idmap_rfc2307, you need to use 'security = user' and probably also SMBv1 (I have never used idmap_rfc2307, so am not sure about this, but normally using an ldap backend with Samba requires SMBv1 e.g. a PDC).

Different backends use different code paths in Samba.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

