Thank you for your prompt response, Rowland.
The idmap_rfc2307 isn't working (yet) for me. I'm working down that
path now, however I do need the homedir parameter from RFC 2307.
../../source3/auth/auth_util.c:1946(check_account) check_account: Failed to
convert SID S-1-5-21-2286752186-3697686403-1823448917-102506 to a UID
(dom_user[UNIV\someusername])
I have considered setting up a Samba AD domain and replicating users/groups (and
homedir?). I can do this as long as authentication comes from the university
domain (UNIV.EDU), which I think is possible. Do I set up my own DC
(SUBDOM.UNIV.EDU), then have the Samba servers join that DC? I don't think I can
establish a trust between my domain (SUBDOM.UNIV.EDU) and the university domain
(UNIV.EDU) so that I can replicate the information I need. My (3,000) Windows
clients have already joined the university domain. Would they need to change
domains as well to access my Samba file shares without a trust? Maybe a one-way
trust where I trust them, but they don't need to trust me?
Which advantages would I gain (in our situation) from 4.21 or 4.22? We've
also maintained Debian systems for many years. We can shift testing to Debian
if that moves us forward.
--
Shannon
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny
via samba
Sent: Saturday, May 3, 2025 3:29 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba 4.19 and OpenLDAP
On Fri, 2 May 2025 21:40:38 +0000
Shannon Price via samba <samba at lists.samba.org> wrote:
>
>
> We do not run our campus Active Directory, but our Linux clients
> authenticate against it. There are several different Unix-based
> environments on campus, so we cannot use the RFC2307 fields from AD
> anyway since the answers would not be the same for each group. We have
> a pilot environment on Ubuntu 24.04 and RHEL 8 that uses SSSD and an
> OpenLDAP server. Authentication is against our AD domain, but SSSD
> pulls the RFC 2307 fields from OpenLDAP.
None of the above has anything really to do with Samba.
>
> Samba servers are also NFS servers so we need consistent UID/Group
> mappings in the whole environment. NFS is working well with this
> environment.
Again, NFS has nothing to do with Samba.
>
> Can Samba (version 4.19.4) pull RFC2307 from OpenLDAP
Well yes, by using the idmap_rfc2307 idmap backend, but only the uidNumber &
gidNumber attributes (see 'man idmap_rfc2307'). To get the majority of the
rfc2307 attributes, you would have to use the idmap_ad backend, and that
obviously only works against an AD DC.
> (or ask SSSD
> for the answer)?
While you can get Samba to use Red Hat's idmap_sss backend, this will only get you
mappings between AD SIDs and Unix uid/gid, so you might just as well use the
winbind idmap_rid backend.
>
> Currently:
> security=ads
> In the Samba wiki documentation, several of the idmap links are empty
> (or removed?) idmap ldap and nss specifically. Is this deprecated?
Both of those backends are still available, but the first is an allocating
backend and the second requires 'local' users (which Samba can provide)
so there doesn't seem much point in using sssd.
>
> Any advice is welcome.
Have you considered setting up Samba AD domains for each environment and syncing
users/groups from your main AD to these, or using trusts?
Whatever problems you are having with sssd and your main AD, you are likely to
have similar problems with winbind and your main AD. Are you aware that winbind
came first and the initial sssd code was based on winbind?
You might also be better off using Debian, this will get you Samba
4.21.5 on Bookworm backports or 4.22.1 on Trixie. Samba 4.19.5 is EOL from the
Samba point of view.
Rowland
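For readers following the idmap_rfc2307 suggestion in Rowland's reply, the following smb.conf fragment is an added illustration (not from either poster, and not a configuration the list recommends as-is) of a member server in the UNIV domain that takes uidNumber/gidNumber from a stand-alone OpenLDAP server. The realm, LDAP URL, base DNs and bind DN are constructed placeholders; the parameter names are the ones documented in 'man idmap_rfc2307' and 'man smb.conf'.

```ini
[global]
    ; Constructed example: a domain member of UNIV authenticating against the
    ; university AD, with ID mapping read from a stand-alone OpenLDAP server.
    workgroup = UNIV
    realm = UNIV.EDU
    security = ads

    ; Default backend for SIDs that belong to no configured domain
    ; (BUILTIN, well-known SIDs). Must not overlap the UNIV range.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    ; UNIV users/groups: winbind looks up each account's uidNumber/gidNumber
    ; in OpenLDAP. Only those two attributes are consulted by this backend;
    ; homeDirectory and loginShell are not (see the discussion above).
    idmap config UNIV : backend = rfc2307
    idmap config UNIV : range = 10000-999999
    idmap config UNIV : ldap_server = stand-alone
    idmap config UNIV : ldap_url = ldap://ldap.example.invalid
    idmap config UNIV : bind_path_user = ou=People,dc=example,dc=invalid
    idmap config UNIV : bind_path_group = ou=Group,dc=example,dc=invalid
    ; Bind DN used for read-only lookups; its password is stored with
    ; 'net idmap set secret UNIV <password>', never in smb.conf.
    idmap config UNIV : ldap_user_dn = cn=idmap-reader,dc=example,dc=invalid

    ; A SID whose account has no uidNumber/gidNumber in LDAP yields the
    ; "Failed to convert SID ... to a UID" error quoted earlier, so every
    ; account that must reach a share needs both attributes populated.
```

After loading the configuration, `testparm -s` validates the syntax, and `wbinfo --sid-to-uid S-1-5-21-...` or `wbinfo -i UNIV\\someusername` shows whether winbind resolves a given account through the LDAP lookup; the range boundaries are enforced by winbind, so a uidNumber in OpenLDAP that falls outside 10000-999999 is rejected just as a missing attribute is.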