Hello, I've done a lot of reading and searching; however, I could use some guidance. I just started working as a Linux systems administrator for a school in which there are a few Windows labs. Our workstation sysadmins have asked me to look into a Samba issue for them: Windows 10 systems have to have SMB1 turned on to authenticate against the existing Samba3 server. This workaround hasn't been acceptable due to privacy and security concerns.

The campus has a black box LDAP server which we use to authenticate users. The Samba3 server is currently using this LDAP to authenticate users.

I've spun up a Samba4 server and set it up as an Active Directory domain controller, and I can definitely see that this is a very robust system and is working well; however, I don't see a management solution for synchronization between the campus LDAP server and the Samba4 AD/DC.

One approach I was thinking of was leveraging "password server" and pointing the directive to the Samba3 NT4 domain and turning on the auto creation of accounts. Groups would still need to be managed by hand. The issue is that the Samba4 server seems not to be honouring the password server directive. Indeed, I cannot find any directed traffic from Samba4 to Samba3 during an authentication attempt with the directive.

I can also think of a convoluted LDAP diff of both systems to shore up the Samba4 LDAP with the campus LDAP; however, this script would have to run periodically and I'm currently not aware whether Samba4 can read the black box LDAP password encryption type.

I'm looking for the most straightforward way for Windows desktop authentication of users and groups. I cannot seem to be all in for Samba4's AD and I can't seem to be all in for campus LDAP (by way of Samba3's NT4 LDAP back end). Any advice would be very welcome! Thank you for reading my conundrum!
On Thu, 11 Apr 2019 10:54:13 -0700
Vex Mage via samba <samba at lists.samba.org> wrote:

> Hello, I've done a lot of reading and searching however; I could use
> some guidance. I just started working for a school in which there are
> a few Windows labs as a Linux systems administrator. Our workstation
> sysadmins have asked me to look into a Samba issue for them, Windows
> 10 systems have to have SMB1 turned on to authenticate against the
> existing Samba3 server. This work around hasn't been acceptable due
> to privacy and security concerns. The campus has a black box LDAP
> server for which we use to authenticate users. The Samba3 server is
> currently using this LDAP to authenticate users.

That is your problem right there, Samba 3 is EOL, dead, finito.

> I've spun up a Samba4 server and set it up as an active directory
> domain controller and I can definitely see that this is a very robust
> system and is working well however; I don't see a management solution
> to synchronization between the campus LDAP server and Samba4 AD/DC.

There isn't one, AD is supposed to replace your NT4 domain.

> One approach I was thinking was leveraging "password server" and
> point the directive to the Samba3 NT4 domain and turn on the auto
> creation of accounts. Groups would still need to be managed by hand.
> The issue is that the Samba4 server seems to not be honouring the
> password server directive. Indeed I cannot find any directed traffic
> from Samba4 to Samba3 during an authentication attempt with the
> directive.

See the answer above, plus there is a very big hole in your proposed set up: if your clients see the AD DC, they will not contact the NT4 PDC again.

> I can also think of a convoluted LDAP diff of both systems to shore
> up the Samba4 LDAP with the campus LDAP however; this script would
> have to run periodically and I'm currently not aware whether Samba4
> can read the blackbox LDAP password encryption type.

I have heard of some convoluted ways of doing things, but yours just might be the strangest ;-)

> I'm looking for the most straightforward way for Windows desktop
> authentication of users and groups. I cannot seem to be all in for
> Samba4's AD and I can't seem to be all in for campus LDAP (by way of
> Samba3's NT4 LDAP back end).

First and foremost, you need to turn off your Samba 3 machine (yes, I know you won't like this), it is insecure. You will be better off classicupgrading your PDC to an AD domain, see here:

https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

Rowland
On Thu, Apr 11, 2019 at 11:32 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 11 Apr 2019 10:54:13 -0700
> Vex Mage via samba <samba at lists.samba.org> wrote:
>
> > Hello, I've done a lot of reading and searching however; I could use
> > some guidance. I just started working for a school in which there are
> > a few Windows labs as a Linux systems administrator. Our workstation
> > sysadmins have asked me to look into a Samba issue for them, Windows
> > 10 systems have to have SMB1 turned on to authenticate against the
> > existing Samba3 server. This work around hasn't been acceptable due
> > to privacy and security concerns. The campus has a black box LDAP
> > server for which we use to authenticate users. The Samba3 server is
> > currently using this LDAP to authenticate users.
>
> That is your problem right there, Samba 3 is EOL, dead, finito

Correct, that's why I'm on the case. My predecessors stopped updating it due to compatibility issues. I'm just trying to find a way forward.

> > I've spun up a Samba4 server and set it up as an active directory
> > domain controller and I can definitely see that this is a very robust
> > system and is working well however; I don't see a management solution
> > to synchronization between the campus LDAP server and Samba4 AD/DC.
>
> There isn't one, AD is supposed to replace your NT4 domain

Yea, I believe that is the point of what I'm trying to do.

> > One approach I was thinking was leveraging "password server" and
> > point the directive to the Samba3 NT4 domain and turn on the auto
> > creation of accounts. Groups would still need to be managed by hand.
> > The issue is that the Samba4 server seems to not be honouring the
> > password server directive. Indeed I cannot find any directed traffic
> > from Samba4 to Samba3 during an authentication attempt with the
> > directive.
>
> See the answer above, plus there is a very big hole in your proposed
> set up, if your clients see the AD DC, they will not contact the NT4
> PDC again.

I'm just trying to find a way to make Samba4 be useful in some way, and so far I can find no place for it, let alone any use of it.

> > I can also think of a convoluted LDAP diff of both systems to shore
> > up the Samba4 LDAP with the campus LDAP however; this script would
> > have to run periodically and I'm currently not aware whether Samba4
> > can read the blackbox LDAP password encryption type.
>
> I have heard of some convoluted ways of doing things, but yours just
> might be the strangest ;-)

Thanks, if Samba worked like it used to, perhaps one wouldn't have to think so far out of the box and we could just get things done?

> > I'm looking for the most straightforward way for Windows desktop
> > authentication of users and groups. I cannot seem to be all in for
> > Samba4's AD and I can't seem to be all in for campus LDAP (by way of
> > Samba3's NT4 LDAP back end).
>
> First and foremost, you need to turn off your Samba 3 machine (yes, I
> know you wont like this), it is insecure. You will be better off
> classicupgrading your PDC to an AD domain, see here:

No, I really have no problem with that. It would be perfectly fine to upgrade if Samba4 was as flexible as Samba3. There's nothing legacy in this network except for Samba. We're being held back because of the Samba.

> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

The problem is that there is no apparent upgrade path for the old system. The cornerstone of this deployment is that there's an existing centralized authentication server; however, Samba4 seems to want a paradigm shift so that it becomes the princess of its own castle. It seems to me that it has become the very thing that birthed its creation, a monster that wants to strand its user base in its own proprietary system.

All I am trying to do is to make Windows play nice with an existing open source authentication server, but all I'm hearing from the Samba project are vain and, to be quite frank, very condescending tones about switching all authentication to its AD server. In my opinion the Samba project has devolved since I last had to work with it, and it has become inflexible and passé. I do not think that there will be a place for Samba if Microsoft continues to extend its offering to the open source community. I didn't want to believe my compatriots about the Samba4 issue. I feel like the terrorists have already won.

I really do appreciate that you took your time to reply, but everything you have said has been vapid, the mantra of a dead rhetoric. Thank you for at least trying. Have a great day.

> Rowland

--
Vex
Hi! Vex Mage via samba wrote:

> I've spun up a Samba4 server and set it up as an active directory domain
> controller and I can definitely see that this is a very robust system and
> is working well however; I don't see a management solution to
> synchronization between the campus LDAP server and Samba4 AD/DC.

You can sync users simply by wrapping some 'ldapsearch' on the 'old' LDAP server and some 'samba-tool user create' on AD.

I've set up some scripts, but they are probably so tightly tied to my setup as to be of little or no help generally.

To sync passwords, you can instead wrap 'check password script' in old samba with 'samba-tool user syncpassword' in new samba/AD, look at:

https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP

Supposing frequent password changes (3 months?), you can wait a bit to have passwords in sync, and then use both domains in 'parallel'.

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
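The "wrap ldapsearch, then samba-tool user create" approach Marco describes, as an added example written for this thread (not Marco's scripts, not code from the Samba project). It parses the LDIF that `ldapsearch -LLL` emits, skips users that already exist in AD, and builds `samba-tool user create` invocations that also carry uidNumber/gidNumber/home/shell into the RFC2307 attributes, which is what keeps migrated users' uid/gid (and therefore their share ACLs) intact, the point Julien raises further down. Assumptions not in the thread: the old tree uses the usual posixAccount/inetOrgPerson attribute names, the base DN `ou=People,dc=campus,dc=edu` is hypothetical, and the sample LDIF is constructed.

```python
"""Plan (and optionally run) `samba-tool user create` for every user in the LDIF
that `ldapsearch -LLL` returns from the old LDAP server.
Added example for this thread, not Samba project code. Assumed: the old server
uses posixAccount/inetOrgPerson attributes (uid, uidNumber, gidNumber,
homeDirectory, loginShell, givenName, sn, mail); verify against the real schema."""
import base64
import re
import subprocess
from typing import Dict, List, Set

# Old-LDAP attribute -> samba-tool flag. The unix ones become RFC2307 attributes in AD.
ATTR_TO_FLAG = {
    "givenname": "--given-name",
    "sn": "--surname",
    "mail": "--mail-address",
    "uidnumber": "--uid-number",
    "gidnumber": "--gid-number",
    "homedirectory": "--unix-home",
    "loginshell": "--login-shell",
}
# Must start alphanumeric, so a uid such as "--help" can never be parsed as an option.
SAM_ACCOUNT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,19}$")
ATTR_LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;.-]*)(::?) ?(.*)$")

# Constructed sample (hypothetical base DN), shaped like
#   ldapsearch -LLL -b ou=People,dc=campus,dc=edu '(objectClass=posixAccount)'
# It deliberately contains a base64 ('::') value and a folded continuation line.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=campus,dc=edu
objectClass: posixAccount
objectClass: inetOrgPerson
uid: jdoe
uidNumber: 10001
gidNumber: 5000
homeDirectory: /home/jdoe
loginShell: /bin/bash
givenName: Jane
sn: Doe
mail: jdoe@campus.edu

dn: uid=msmith,ou=People,dc=campus,dc=edu
objectClass: posixAccount
uid: msmith
uidNumber: 10002
gidNumber: 5000
homeDirectory: /home/msmith
loginShell: /bin/sh
givenName:: TcOpbGFuaWU=
sn: Smith
description: a long value that the server
  folded onto a second line
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """LDIF -> list of entries {attr (lower-cased): [values]}; unfolds
    continuation lines and decodes base64 ('::') values."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    cur: Dict[str, List[str]] = {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line == "":
            if cur:
                entries.append(cur)
            cur = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        cur.setdefault(name, []).append(value)
    return entries


def build_create_cmd(entry: Dict[str, List[str]]) -> List[str]:
    """argv for `samba-tool user create`; --flag=value form so no directory value
    can be read as an option. Random password + must-change means the user sets
    a real AD password at first logon, which a sync hook can then push back."""
    uid = entry.get("uid", [None])[0]
    if uid is None or not SAM_ACCOUNT_RE.match(uid):
        raise ValueError(f"refusing to provision entry with unusable uid {uid!r}")
    cmd = ["samba-tool", "user", "create", uid, "--random-password", "--must-change-at-next-login"]
    for attr, flag in ATTR_TO_FLAG.items():
        if entry.get(attr):
            cmd.append(f"{flag}={entry[attr][0]}")
    return cmd


def plan_sync(ldif_text: str, existing: Set[str], run: bool = False) -> List[List[str]]:
    """Create commands for users not yet in AD (`existing` = `samba-tool user list`
    output); executes them as argv lists (no shell) when run=True."""
    existing = {u.lower() for u in existing}
    cmds = []
    for entry in parse_ldif(ldif_text):
        if "uid" not in entry or entry["uid"][0].lower() in existing:
            continue
        cmd = build_create_cmd(entry)
        cmds.append(cmd)
        if run:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # Dry run over the constructed sample; on a DC feed real ldapsearch output and
    # the real `samba-tool user list` set, then pass run=True once the plan looks right.
    for cmd in plan_sync(SAMPLE_LDIF, set()):
        print(" ".join(cmd))
```

Two caveats for real use: the `--uid-number`/`--gid-number` flags only populate usable attributes if the AD was provisioned with the RFC2307 NIS extensions (`--use-rfc2307`), and the script is deliberately a planner first (it returns the commands) so the output can be reviewed before `run=True` touches the directory. Groups still have to be mapped separately, as the original post already notes.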
Hi there

On 12/04/2019 at 09:57, Marco Gaiarin via samba wrote:

> Hi! Vex Mage via samba wrote:
>
>> I've spun up a Samba4 server and set it up as an active directory domain
>> controller and I can definitely see that this is a very robust system and
>> is working well however; I don't see a management solution to
>> synchronization between the campus LDAP server and Samba4 AD/DC.
>
> You can sync users simply wrapping some 'ldapserch' on 'old' LDAP server
> and some 'samba-tool user create' on AD.
> I've setup some scripts, but probably are soo tightned to my setup to
> be littleor no help generally.
>
> To sync password, you can instead wrap 'check password script' in old
> samba with 'samba-tool user syncpassword' in new samba/AD, look at:
>
> https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP
>
> Supposing a frequent password change (3 months?) you can wait a bit to
> have password in sync, and then use both the domain in 'parallel'.

I agree with Marco. I'm actually working on migrating a samba3 domain to a samba4 domain (with a different name). A POC environment is set up in a separate network.

I populated Samba4/AD from samba3 with this very useful tool:

https://lsc-project.org/documentation/tutorial/openldaptoactivedirectory

Keep in mind you will have to map attributes from one to the other, and don't forget to synchronize uid/gid as unix attributes in Samba4, so that your migrated users can still have access to their samba shares or whatever you had in your old samba3 domain.

And keep passwords synchronized between the two domains with this (it works as a trigger: once a password is updated on the samba4 server, it keeps it synchronized to your old ldap server):

https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP

But there's a trick: you'll have to modify the script to update both the userPassword *and* sambaNTPassword fields (the script only updates userPassword), so you can access your former samba resources.

@Rowland:

> See the answer above, plus there is a very big hole in your proposed
> set up, if your clients see the AD DC, they will not contact the NT4
> PDC again.

I've seen some setups where a company had a (real) AD domain and a samba3 domain working together on the same subnets with win7 or win10 workstations which could join one or the other domain without trouble.

Do you mean that if the samba4 domain has the same name as the samba3 domain, workstations won't be able to see the old one anymore once joined to the new one? Or does it mean that whatever the name of the new samba4 domain is, if a workstation joins it, it won't be able to join the old domain anymore? (never tried it)

As my POC seems to work well, I intend to install it in production soon. Is it recommended to set the new samba4 domain up in production on a different subnet or not?

Julien