Ahmed Taleb
2024-Nov-15 02:31 UTC
[Samba] How to configuring 389ds to the backed user authentication on Samba-ad
Hi,

I hope this is the correct forum to ask this question. I am looking for some guidance on whether Samba-ad can be (or should be) configured using ldap (389-ds) as the back end for user authentication in a production environment.

I have come across a few forums and went through your documentation pages but the information isn't clear, so I thought to ask the question directly to the source.

What we are looking to achieve:

Our environment consists mainly of Linux/Unix operating systems. Our users are mainly researchers and we use 389ds for user authentication.

I am looking for a solution to maintain a relatively small setup of Windows machines (20 nodes) used by researchers to remotely visualise their work. We are currently using pGina to authenticate our users' Windows logins against our 389-ds, though we would like to also manage Windows using Group Policies, which is where Samba-ad comes in.

My concern with pGina is that it's been a quiet project and the uncertainty whether the developers are still interested in the project if Windows decides to change the way it authenticates its users.

We were also considering syncing our 389-ds with AD in a one way sync, but having to unhash user passwords in the change log seemed a bit .. unsecure.

Any guidance would be greatly appreciated.

Ahmed
Rowland Penny
2024-Nov-15 07:51 UTC
[Samba] How to configuring 389ds to the backed user authentication on Samba-ad
On Fri, 15 Nov 2024 10:31:50 +0800 Ahmed Taleb via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I hope this is the correct forum to ask this question. I am looking
> for some guidance on whether Samba-ad can be (or should be)
> configured using ldap (389-ds) as the back end for user
> authentication in a production environment.
>
> I have come across a few forums and went through your documentation
> pages but the information isn't clear, so I thought to ask the question
> directly to the source.
>
> What we are looking to achieve:
>
> Our environment consists mainly of Linux/Unix operating systems.
> Our users are mainly researchers and we use 389ds for user
> authentication.
>
> I am looking for a solution to maintain a relatively small setup of
> Windows machines (20 nodes) used by researchers to remotely visualise
> their work. We are currently using pGina to authenticate our users'
> Windows logins against our 389-ds, though we would like to also manage
> Windows using Group Policies, which is where Samba-ad comes in.
>
> My concern with pGina is that it's been a quiet project and the
> uncertainty whether the developers are still interested in the
> project if Windows decides to change the way it authenticates its
> users.
>
> We were also considering syncing our 389-ds with AD in a one way
> sync, but having to unhash user passwords in the change log seemed a
> bit .. unsecure.
>
> Any guidance would be greatly appreciated.
>
> Ahmed

Sorry, but no, you cannot run a Samba AD DC on top of 389-ds or any other ldap; you must use the built-in Samba ldap.

From what you are describing, it will probably be easier to replace your 389-ds server with Samba AD DC(s).

Rowland