lists at zxt10d.de
2022-Mar-25 07:06 UTC
[Samba] stand-alone server with ldap-auth without AD
@All
Thank you very much for your comments! :)

Maybe I have to set up a samba AD DC ...
Is it possible to "import" data from an openldap-proxy?

Cheers,
Torsten

On 23.03.22 at 21:39, Andrew Bartlett via samba wrote:
> On Wed, 2022-03-23 at 17:02 +0000, Rowland Penny via samba wrote:
>> On Wed, 2022-03-23 at 12:53 -0400, Gaiseric Vandal via samba wrote:
>>> You need to have an account on the LDAP server that samba can use
>>> to read user information including the Windows password field. Then
>>> you need to configure smb.conf with the server name, the search
>>> path, the ldap name and password.
>>>
>>> I think what is going to be a problem is that the "NT4" Windows
>>> password requires a separate password field than the regular LDAP
>>> password, and keeping the 2 in sync will be a challenge. The client
>>> machines will be sending a hash of the user password to the server
>>> (rather than "plaintext" password over TLS.) In fact the schema on
>>> the LDAP server may need to be extended.
>>
>> If a new NT4-style machine is being set up, you should be aware that
>> they rely on SMBv1 and this is going away. You could end up within a
>> year or two having to upgrade again or use an older version of Samba.
>
> Even for the standalone server case, using LDAP as a passdb backend for
> a single fileserver and keeping things in sync with the smbk5pwd
> overlay or Samba's ldap password sync, just be aware that this relies
> on the pdb_ldap backend.
>
> The historical purpose for pdb_ldap was the NT4 DC, and while we
> haven't any particular plans to remove this (we know folks use it even
> when not doing an NT4 domain) just be aware that with less use there is
> even less ongoing maintenance. pdb_ldap is also not tested in
> selftest.
>
> Andrew Bartlett
Angel Bosch Mora
2022-Mar-25 09:45 UTC
[Samba] stand-alone server with ldap-auth without AD
> @All
> Thank you very much for your comments! :)
>
> Maybe I have to set up a samba AD DC ...
> Is it possible to "import" data from an openldap-proxy?
>

let me jump here.

LDAP-SAMBA synchronization has always been a big topic since forever. there's no "clean" way to do it, even when on NT4 mode (some internal work is done for nt hashes).

I've been struggling with this for a long time and best advice is use a tool that replicates passwords between these two worlds, just as if it was another (read unintegrated) system.

we use some custom scripts and a SSO to keep everything in sync, but if you manually change it on samba there's no way for LDAP to know it, and the same for the other way around. UNLESS you centralize password change and propagate it to all systems. that's the job of a SSO/Identity Manager and is not trivial.

I'd really love to see some work done on the Samba side, as it's a pretty common request, but it seems that feature falls off the roadmap as Samba 4 is not trying to emulate AD but effectively become AD.

Oh, and now I see you're German, maybe you can ask people from Univention to make their s4 connector a generic tool, instead of tied to their product: https://www.univention.com/contact/

regards,
abosch

--
Institut Mallorqui d'Afers Socials.
This message, and where applicable any attached file, is addressed exclusively to the person who is its recipient and may contain confidential information. Under no circumstances should you copy this message or pass it on to third parties without the express permission of IMAS. If you are not the intended recipient indicated (or the person responsible for delivering it to them), please notify the sender immediately at their e-mail address. Before printing this message, consider whether it is really necessary.
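The two points raised in this thread, the smb.conf settings that point a stand-alone server at an ldapsam backend (Gaiseric's reply, quoted above) and the fact that `userPassword` and `sambaNTPassword` are unrelated hashes that only stay in sync if one central job writes both (abosch's reply), can be made concrete with a small script. The following is an added example written for this page; it is not code from the thread, from Samba or from any of the posters. It assumes the standard Samba LDAP schema attributes `sambaNTPassword` and `sambaPwdLastSet`, a constructed user DN and a constructed salt; the MD4 routine is included only because Samba's NT hash is MD4 over the UTF-16LE password and many OpenSSL 3 builds of `hashlib` no longer provide `md4`. The `ldap admin dn` bind password is not part of smb.conf; it is stored with `smbpasswd -w`.

```python
import base64
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Plain MD4 (RFC 1320). Only needed because the NT hash is MD4-based."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = [(i % 4) * 4 + i // 4 for i in range(16)]          # 0,4,8,12,1,5,...
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                                  # round 1: F
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                  # round 2: G
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[r2[i]] + 0x5A827999) & _MASK,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                  # round 3: H
            a = _rotl((a + (b ^ c ^ d) + x[r3[i]] + 0x6ED9EBA1) & _MASK,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: MD4 over the UTF-16LE password, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def ssha(password: str, salt: bytes) -> str:
    """userPassword value in the {SSHA} scheme OpenLDAP verifies on simple bind."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(password.encode("utf-8") + salt).digest())


def in_sync(entry: dict, password: str) -> bool:
    """Audit helper: the plaintext must verify against BOTH stored values."""
    return ssha_verify(entry["userPassword"], password) and \
        hmac.compare_digest(entry["sambaNTPassword"].upper(), nt_hash(password))


def password_change_ldif(dn: str, password: str, salt: bytes, now: int) -> str:
    """The 'centralized password change' step: one LDIF modify replaces both
    attributes together so neither side drifts. sambaLMPassword is deliberately
    not written (LM hashes are weak and Samba does not need them)."""
    return "\n".join([
        f"dn: {dn}", "changetype: modify",
        "replace: userPassword", f"userPassword: {ssha(password, salt)}", "-",
        "replace: sambaNTPassword", f"sambaNTPassword: {nt_hash(password)}", "-",
        "replace: sambaPwdLastSet", f"sambaPwdLastSet: {now}", "-", "",
    ])


def smb_conf_ldapsam(ldap_url: str, suffix: str, admin_dn: str) -> str:
    """[global] parameters for the ldapsam backend: server, search base, bind DN.
    'ldap passwd sync = yes' pushes a password changed through Samba back into
    userPassword (the Samba-side sync Andrew's reply refers to)."""
    return "\n".join([
        "[global]",
        "   server role = standalone server",
        f"   passdb backend = ldapsam:{ldap_url}",
        f"   ldap suffix = {suffix}",
        "   ldap user suffix = ou=People",
        f"   ldap admin dn = {admin_dn}",
        "   ldap ssl = start tls",
        "   ldap passwd sync = yes", "",
    ])


if __name__ == "__main__":
    # Constructed sample values; a real job would draw the salt from os.urandom(8).
    print(password_change_ldif("uid=alice,ou=People,dc=example,dc=com",
                               "correct horse", b"12345678", 1648191600))
    print(smb_conf_ldapsam("ldap://ldap.example.com", "dc=example,dc=com",
                           "cn=samba,ou=Services,dc=example,dc=com"))
```

Run as a script it prints the LDIF a central password-change job would feed to `ldapmodify` and the matching smb.conf stanza; `in_sync` is the check an auditor can run over existing entries to find users whose two hashes have already drifted apart, which is exactly the failure mode abosch describes when a password is changed on only one side.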