How to test samba LDAP parameters with openldap tools, eg ldapsearch?

Alexander Bokovoy ab at samba.org
Wed Apr 12 13:04:05 UTC 2023


On ke, 12 huhti 2023, Andrew Walker via samba-technical wrote:
> On Wed, Apr 12, 2023 at 7:51 AM Rowland Penny via samba-technical
> <samba-technical at lists.samba.org> wrote:
> >
> >
> >
> > On 12/04/2023 13:37, Jan Andersen wrote:
> > > Hi Rowland,
> > >
> > > I noticed something odd about the logs: it seems smbd generates one both
> > > for the workstation's name and one for its IP address - I didn't attach
> > > the latter, so here it is. It seems to have more detail.
> > >
> > > Jan
> > >
> > > On 12/04/2023 12:06, Rowland Penny via samba-technical wrote:
> > >>
> > >>
> > >> On 12/04/2023 11:39, Jan Andersen wrote:
> > >>> Hi Rowland,
> > >>>
> > >>> Thank you for replying. I wiped the existing logs, changed the smbd
> > >>> service to include '-d 10' and restarted, so I would have logs
> > >>> without too much noise - please find them attached along with smb.conf
> > >>>
> > >>>
> > >>
> > >> You appear to be running Samba as a standalone server with an ldap
> > >> backend, are you aware that such a setup is two parameters away from
> > >> being a PDC? If you comment out 'server role = standalone server' and
> > >> add 'domain logons = yes', it becomes a PDC and a PDC (from 4.8.0)
> > >> requires winbind to be running.
> > >>
> > >> Rowland
> > >>
> > >>
> >
> > Before Samba 4.8.0, smbd could directly connect to the domain
> > controller, from 4.8.0 smbd now needs to go via winbind.
> > Now I know that you are not strictly running a PDC, but what you are
> > running is the next thing to it, so I presume that you need to run
> > winbind; you do not need to configure anything, just run winbind.
> >
> > Whatever happens, you should be aware that Samba is working to remove
> > SMBv1 and things like PDCs with it.
> >
> > One thing I did notice from that last log, you are not using SMBv1; try
> > adding these lines to the smb.conf:
> >
> > server min protocol = NT1
> > client min protocol = NT1
> >
> > Rowland
> >
> 
> It's probably also worth noting that doing this requires your LDAP
> schema to contain all the fields you need to generate a valid passwd
> entry for users. Do note that using this schema requires storing an
> MD4 of your users' passwords _and_ having those accessible to the file
> server (hence discussion of this being a de-facto PDC). My general
> feeling is that this goes beyond my risk tolerance for a production /
> business environment.

Correct. Unless you know how to run a PDC, it is better to have Samba AD
set up for that. We keep and use an LDAP-based backend in FreeIPA, but that
disables MD4 passwords for users and forces the use of Kerberos
authentication instead, making it close to Active Directory use from the
perspective of Samba as a domain member.

-- 
/ Alexander Bokovoy
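As an added illustration (not code from the thread or from Samba), a small Python audit that parses the [global] section of an smb.conf and flags the points raised above: an ldapsam backend (NT/MD4 hashes stored in LDAP and readable by the file server), the standalone-plus-ldapsam setup that is two parameters from being a PDC, a PDC role that needs winbind from 4.8.0, and NT1 minimum protocols that admit SMB1. The smb.conf text is constructed for the example.

```python
import configparser

# Constructed smb.conf resembling the setup discussed in the thread:
# standalone server, LDAP passdb backend, plus the suggested NT1 lines.
SAMPLE_SMB_CONF = """
[global]
workgroup = EXAMPLE
server role = standalone server
passdb backend = ldapsam:ldap://ldap.example.internal
ldap suffix = dc=example,dc=internal
server min protocol = NT1
client min protocol = NT1
"""

# Protocol names that Samba treats as SMB1 dialects.
SMB1_PROTOCOLS = {"nt1", "core", "coreplus", "lanman1", "lanman2"}


def parse_global(text):
    """Return the [global] section as a dict of lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section("global"):
        return {}
    return {k.strip().lower(): v.strip() for k, v in cp["global"].items()}


def audit_smb_conf(text):
    """Return a list of findings describing the risks discussed in the thread."""
    g = parse_global(text)
    findings = []
    role = g.get("server role", "").lower()
    backend = g.get("passdb backend", "").lower()
    domain_logons = g.get("domain logons", "no").lower() in ("yes", "true", "1")
    if backend.startswith("ldapsam"):
        findings.append("passdb backend = ldapsam: NT (MD4) password hashes live "
                        "in LDAP and must be readable by the file server")
    if role == "standalone server" and backend.startswith("ldapsam"):
        findings.append("standalone server with ldapsam: two parameters away "
                        "from a PDC; Samba AD is the supported path")
    if domain_logons or role == "classic primary domain controller":
        findings.append("PDC role: winbind must be running (Samba 4.8.0 and later)")
    for key in ("server min protocol", "client min protocol"):
        if g.get(key, "").lower() in SMB1_PROTOCOLS:
            findings.append(f"{key} = {g[key]}: permits SMB1, which Samba is removing")
    return findings


if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print("-", finding)
```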
