Valentijn Sessink
2024-Nov-25 16:06 UTC
[Samba] MacOS and Linux file sharing: full AD or simple server?
Hi list,

Question: what are pros and cons for the following setups:
- current setup: using OpenLDAP for users, Samba for file sharing
- Using Samba for both (do I *need* it to be an AD? Or is it possible to just use the LDAP infrastructure without the AD stuff?)
- Using a passwd/shadow infrastructure and just use Samba for file sharing.

Background:
I'm currently running Samba (4.15.13) with a separate LDAP daemon (OpenLDAP) for a small network that consists of MacOS and Linux clients. The setup has been running, with several upgrades, since about 2007 or so, hence the separate Samba/OpenLDAP setup. There are about 15 active users. (It's OpenLDAP running on the same server, hence the "daemon" terminology - it's not a separate server machine.)

An excerpt from my current smb.conf file:

   workgroup = customername
   passdb backend = ldapsam:ldap://127.0.0.1/
   ldap admin dn = cn=admin,dc=office,dc=customername,dc=nl
   ldap ssl = off
   ldap suffix = dc=office,dc=customername,dc=nl
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   unix extensions = yes
   security = user
   ldap password sync = yes

Now I'm planning to upgrade the network and services.

As there won't be any Windows machines, all the AD funny stuff (group policies and whatnot) is superfluous.

However, I do need a user database.

Now I'm not sure how to proceed. Should I just migrate OpenLDAP and its DB, migrate Samba too, and call it a day? Or is there any advantage to start using the AD backend of Samba to store the LDAP stuff? The disadvantage I'm seeing is that AD is primarily a Microsoft thing and I don't have any of the MS tooling (adding users etc. etc.) without a Microsoft OS.

I could also stop using OpenLDAP and just set up local users. Would work, too.

As a side note: I *do* have some weird problems where smbstatus will show "auth in progress" and freeze, once in a while (see mailing list message 2021-12-29 13:50), to which a few users mentioned that running a separate OpenLDAP was rather uncommon... :-/ - although I'm afraid my setup will still be rather uncommon after switching to a full AD without any Windows machines connecting to it.

Best regards,

Valentijn
Rowland Penny
2024-Nov-25 16:45 UTC
[Samba] MacOS and Linux file sharing: full AD or simple server?
On Mon, 25 Nov 2024 17:06:18 +0100 Valentijn Sessink via samba <samba at lists.samba.org> wrote:

Your major problem is that the old NT4-style domains (which is what you appear to be running) rely on SMBv1, and this is now turned off by default because it is very insecure. There was a recent report that the latest Windows 11 has broken NetBIOS again; not sure when or if they will fix it, but this doesn't seem to be relevant to you. Eventually SMBv1 will be removed (in fact you can already build Samba without it), so you shouldn't rely on anything that needs SMBv1.

I think your best plan would be to upgrade your existing setup to AD. You don't need to use GPOs, and your setup is probably more common than you think: my only Windows machines are VMs to test things, everything else is Linux.

You could probably upgrade your existing setup to AD, but for such a small group of users you are probably better off starting with a new AD domain. This way you can leave all the old ways behind (such as possibly having the same local users and domain users, IDs starting at 1000, etc.).

The one thing I always say: forget most of what you have learnt about NT4-style domains, AD is different and better.

I now await your questions :-)

Rowland
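An added example (not from the thread or from Samba itself) of the check Rowland's reply points at: read an smb.conf, tell a classic ldapsam/NT4-style configuration apart from an AD DC one, and flag whether SMBv1 has been explicitly re-enabled. The parameter names (passdb backend, domain logons, server role, server min protocol, ldap ssl) are real Samba parameters; the sample config is Valentijn's excerpt plus one constructed "domain logons" line, and the finding names are assumptions of this example.

```python
import re

# SMBv1 dialect names that 'server min protocol' accepts; any of them re-enables SMBv1
SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}

# Constructed sample: the poster's excerpt plus one added 'domain logons' line
SAMPLE_SMB_CONF = """
[global]
   workgroup = customername
   passdb backend = ldapsam:ldap://127.0.0.1/
   ldap admin dn = cn=admin,dc=office,dc=customername,dc=nl
   ldap ssl = off
   ldap suffix = dc=office,dc=customername,dc=nl
   security = user
   ldap password sync = yes
   ; constructed line, not in the poster's excerpt: makes smbd a classic (NT4-style) PDC
   domain logons = yes
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}. Samba ignores case and whitespace in
    parameter names, so keys are lower-cased with whitespace removed."""
    conf, section = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # smb.conf only has whole-line comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def truthy(value):
    return value.strip().lower() in ("yes", "true", "1")

def assess(conf):
    """Flag a classic passdb domain, an explicit SMBv1 minimum, and clear-text LDAP."""
    g = conf.get("global", {})
    backend = g.get("passdbbackend", "").lower()      # AD DCs do not set this
    role = g.get("serverrole", "auto").lower()
    local_ldap = any(s in backend for s in ("127.0.0.1", "localhost", "ldapi:", "ldaps:"))
    return {
        "classic_passdb": backend.startswith(("ldapsam", "tdbsam", "smbpasswd")),
        "nt4_pdc": truthy(g.get("domainlogons", "no")) or "classic" in role,
        "ad_dc": role in ("active directory domain controller", "dc"),
        # Samba >= 4.11 defaults 'server min protocol' to SMB2_02; SMBv1 is only on if lowered
        "smb1_enabled": g.get("serverminprotocol", "SMB2_02").lower() in SMB1_DIALECTS,
        # 'ldap ssl' defaults to 'start tls'; 'off' against a remote ldap:// sends the bind in clear
        "ldap_in_clear": backend.startswith("ldapsam") and g.get("ldapssl", "start tls").lower() == "off" and not local_ldap,
    }
```

On the poster's excerpt this reports a classic ldapsam passdb with SMBv1 still off (nothing lowered the default) and the LDAP bind confined to loopback.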
Hoefle, Marco (Avnet Silica)
2024-Nov-26 09:18 UTC
[Samba] MacOS and Linux file sharing: full AD or simple server?
Hi Valentijn,

I think it is easiest to run a Samba Domain Controller. You have the user management and the LDAP server integrated. The steps are not that complex due to the provisioning feature:

   samba-tool domain provision --use-rfc2307 --domain=${URDOMAIN} --realm=${UDOMAIN} --server-role=dc --dns-backend="${DNS_BACKEND}" --adminpass="${ADMIN_PASS}" --host-ip=$HOST_IP

This creates the domain controller smb.conf for you, which you can adapt, and the database is created too. Afterwards you can add users and groups.

But this is my personal taste.

Best regards,
Marco