[Samba] Samba 4.19 and OpenLDAPs
Morgan, Andrew J
morgan at oregonstate.edu
Thu May 15 16:14:24 UTC 2025
Hi Shannon,
Our LDAP server is Oracle DSEE (yeah, we need to migrate to something new), but Samba's AD auth happens against AD, of course (security=ads).
This server is our user home directories server, so it runs NFS and Samba for file sharing. We don't let end-users SSH into this server.
Let me know if you have any other questions...
Thanks,
Andy
________________________________
From: Shannon Price <pricesw at auburn.edu>
Sent: Wednesday, May 14, 2025 2:52 PM
To: Morgan, Andrew J <morgan at oregonstate.edu>; samba at lists.samba.org <samba at lists.samba.org>
Subject: RE: [Samba] Samba 4.19 and OpenLDAPs
Is all of your authentication vs an actual Active Directory server, separate from the LDAP server? Also, what type of LDAP server (OpenLDAP? FreeIPA? Other?) and is the LDAP server also Debian?
--
Shannon
From: Morgan, Andrew J <morgan at oregonstate.edu>
Sent: Wednesday, May 14, 2025 4:40 PM
To: Shannon Price <pricesw at auburn.edu>; samba at lists.samba.org
Subject: Re: [Samba] Samba 4.19 and OpenLDAPs
I'm using the libnss-ldapd, libpam-ldapd, and nslcd packages. These replaced the old nss-ldap and pam-ldap software from a long time ago.
Andy
________________________________
From: Shannon Price <pricesw at auburn.edu>
Sent: Wednesday, May 14, 2025 2:34 PM
To: Morgan, Andrew J <morgan at oregonstate.edu>; samba at lists.samba.org <samba at lists.samba.org>
Subject: RE: [Samba] Samba 4.19 and OpenLDAPs
Thanks for your response, Andrew. I haven’t had success with the NSS idmap (yet). My Samba server is using SSSD for passwd and group:
passwd: sss files systemd
group: sss files systemd
This works on the local system and for NFS mappings, but Samba won’t pick up the initial userid. Which packages are you using to provide LDAP in your nsswitch.conf?
Failed to convert SID S-1-5-21-2286752186-3697686403-#######-##### to a UID (dom_user[AUBURN\myusername])
--
Shannon
From: Morgan, Andrew J <morgan at oregonstate.edu>
Sent: Wednesday, May 14, 2025 4:22 PM
To: samba at lists.samba.org; Shannon Price <pricesw at auburn.edu>
Subject: Re: [Samba] Samba 4.19 and OpenLDAPs
Shannon,
We run Samba similar to what you describe. Here are excerpts from our smb.conf:
[global]
security = ads
allow trusted domains = no
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config ONID : backend = nss
idmap config ONID : range = 1000-999999 # our users in LDAP have uidnumbers in this range
/etc/nsswitch.conf has:
passwd: compat ldap systemd
group: compat ldap systemd
In this case, we use a non-AD LDAP server to provide those Posix attributes to the Debian linux system, but I don't see why you couldn't use AD if the correct attributes are available there.
Let me know if you have any questions.
Thanks,
Andy
________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Shannon Price via samba <samba at lists.samba.org>
Sent: Wednesday, May 14, 2025 1:24 PM
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] Samba 4.19 and OpenLDAPs
I had a side suggestion from a list member whether nslcd was a possibility, using winbind for the authentication and nslcd to get the rfc2307 attributes. This was essentially my approach since nslcd and SSSD are performing the same role - connecting to an LDAP server for RFC2307. I have SSSD working with RHEL. RHEL has dropped NSLCD packages in favor of SSSD, but they are still available in Ubuntu, so there could be a path with Ubuntu serving Samba instead.
The Samba option "security = ads" and the net join establishes the authentication with AD, but I haven't been able to get the idmap to fall back to LDAP (except the clunky id_map = script that I mention below). It seems like the ADS setting causes the idmap settings (e.g. idmap_ldap) to be ignored.
--
Shannon Price
Auburn University
-----Original Message-----
From: Shannon Price
Sent: Monday, May 12, 2025 4:42 PM
To: samba at lists.samba.org
Subject: RE: [Samba] Samba 4.19 and OpenLDAPs
I have this working using "idmap_script" for the idmapping (homegrown script). I authenticate vs Active Directory and use SSSD to talk to OpenLDAP on the backend for group membership and posix attributes (homedir mostly). My nsswitch.conf looks like this:
passwd: sss files systemd
group: sss files systemd
ID mapping is done very simply (my script is VERY short and for now uses a flat file for username-SID-UID user mapping). Group memberships come from OpenLDAP. It all looks very simple and clean. Samba still tries to enumerate all of my group mappings. It pulls all of my groups from Active Directory (which have no meaning in my Linux/Samba environment). This means that my idmap script gets called over and over when I initially connect. I had hoped that "winbind enum groups" would suppress this behavior, but it doesn't.
Winbind is running. This is my smb.conf for reference:
[global]
# workgroup and naming
workgroup = UNIV
# server settings
interfaces = 127.0.0.1, xxx.xxx.xxx.xxx
bind interfaces only = yes
deadtime = 15
strict locking = no
lock directory = /var/spool/locks/samba
# logging
log file = /var/log/samba/log.smbd
log level = 2
max log size = 51200
# authentication
client max protocol = SMB3
security = ads
client signing = yes
kerberos method = secrets and keytab
realm = UNIV.EDU
idmap config * : backend = script
idmap config * : range = 200-20000000
idmap config * : script = /etc/samba/idmap.sh
winbind enum groups = no
--
Shannon
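Shannon's message above describes a very short homegrown idmap_script backend that maps SIDs to UIDs from a flat file. The script below is an added example written for this thread, not the poster's own script: it answers the request/response protocol documented in idmap_script(8) (SIDTOID / IDTOSID on the command line, a single UID:/GID:/SID:/ERR: line on stdout) from a constructed "username SID UID" file, and deliberately returns ERR: for group lookups, since group membership in that setup comes from LDAP via NSS rather than from winbind. The file path and the SIDs/UIDs in SAMPLE_MAP are placeholders.

```python
import sys

# Constructed sample of the flat mapping file: "username SID UID", one per line.
# Placeholder values only; they are not the list poster's real SIDs or UIDs.
SAMPLE_MAP = """\
# username  SID                                              UID
alice       S-1-5-21-1111111111-2222222222-3333333333-1105   10001
bob         S-1-5-21-1111111111-2222222222-3333333333-1106   10002
"""

def parse_map(text):
    """Build SID->UID and UID->SID tables; blank lines and '#' comments are skipped."""
    sid_to_uid, uid_to_sid = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _user, sid, uid = line.split()
        sid_to_uid[sid] = int(uid)
        uid_to_sid[int(uid)] = sid
    return sid_to_uid, uid_to_sid

def idmap_query(args, sid_to_uid, uid_to_sid):
    """Answer one idmap_script request with the one-line reply winbind expects.

    UIDs returned here must lie inside the 'idmap config * : range' set in
    smb.conf (200-20000000 in the config above), or winbind will reject them.
    """
    if len(args) == 2 and args[0] == "SIDTOID":
        uid = sid_to_uid.get(args[1])
        return f"UID:{uid}" if uid is not None else "ERR:unmapped SID"
    if (len(args) == 3 and args[0] == "IDTOSID"
            and args[1] == "UID" and args[2].isdigit()):
        sid = uid_to_sid.get(int(args[2]))
        return f"SID:{sid}" if sid else "ERR:unmapped UID"
    # GID requests (and anything malformed) are refused: groups come from LDAP/NSS.
    return "ERR:unsupported request"

def main(argv, path="/etc/samba/idmap.txt"):  # hypothetical path for the flat file
    try:
        with open(path) as fh:
            s2u, u2s = parse_map(fh.read())
        print(idmap_query(argv, s2u, u2s))
    except (OSError, ValueError) as exc:
        print(f"ERR:{exc}")  # a broken map file must not look like a valid mapping

if __name__ == "__main__":
    main(sys.argv[1:])
```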