Thank you for your prompt response, Rowland.

The idmap_rfc2307 isn't working (yet) for me. I'm working down that path now, however I do need the homedir parameter from RFC 2307.

../../source3/auth/auth_util.c:1946(check_account)
  check_account: Failed to convert SID S-1-5-21-2286752186-3697686403-1823448917-102506 to a UID (dom_user[UNIV\someusername])

I have considered setting up a Samba AD domain and replicating users/groups (and homedir?). I can do this as long as authentication comes from the university domain (UNIV.EDU), which I think is possible. Do I set up my own DC (SUBDOM.UNIV.EDU), then Samba servers join to that DC? I don't think I can establish trust between my domain (SUBDOM.UNIV.EDU) and the university domain (UNIV.EDU), so I can replicate the information I need. My (3,000) Windows clients are already joined to the university domain. Would they need to change domains as well to access my Samba file shares without a trust? Maybe a one-way trust where I trust them, but they don't need to trust me?

Which advantages would I gain (in our situation) from 4.21 or 4.22? We've also maintained Debian systems for many years. We can shift testing to Debian if that moves us forward.

-- 
Shannon

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Saturday, May 3, 2025 3:29 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba 4.19 and OpenLDAP

On Fri, 2 May 2025 21:40:38 +0000
Shannon Price via samba <samba at lists.samba.org> wrote:

> We do not run our campus Active Directory, but our Linux clients
> authenticate against it. There are several different Unix-based
> environments on campus, so we cannot use the RFC2307 fields from AD
> anyway since the answers would not be the same for each group. We have
> a pilot environment on Ubuntu 24.04 and RHEL 8 that uses SSSD and an
> OpenLDAP server. Authentication is against our AD domain, but SSSD
> pulls the RFC 2307 fields from OpenLDAP.

None of the above has anything really to do with Samba.

> Samba servers are also NFS servers so we need consistent UID/Group
> mappings in the whole environment. NFS is working well with this
> environment.

Again, NFS has nothing to do with Samba.

> Can Samba (version 4.19.4) pull RFC2307 from OpenLDAP

Well yes, by using the idmap_rfc2307 idmap backend, but only the uidNumber & gidNumber attributes (see 'man idmap_rfc2307'); to get the majority of the rfc2307 attributes, you would have to use the idmap_ad backend and that obviously only works against an AD DC.

> (or ask SSSD for the answer)?

While you can get Samba to use Red Hat's idmap_sss backend, this will only get you mappings between AD SIDs and Unix uid/gid, so you might just as well use the winbind idmap_rid backend.

> Currently:
> security=ads
> In the Samba wiki documentation, several of the idmap links are empty
> (or removed?) idmap ldap and nss specifically. Is this deprecated?

Both of those backends are still available, but the first is an allocating backend and the second requires 'local' users (which Samba can provide), so there doesn't seem much point in using sssd.

> Any advice is welcome.

Have you considered setting up Samba AD domains for each environment and syncing users/groups from your main AD to these, or using trusts? Whatever problems you are having with sssd and your main AD, you are likely to have similar problems with winbind and your main AD; are you aware that winbind came first and the initial sssd code was based on winbind?

You might also be better off using Debian, this will get you Samba 4.21.5 on Bookworm backports or 4.22.1 on Trixie. Samba 4.19.5 is EOL from the Samba point of view.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On Sat, 3 May 2025 13:56:25 +0000
Shannon Price <pricesw at auburn.edu> wrote:

> Thank you for your prompt response, Rowland.
>
> The idmap_rfc2307 isn't working (yet) for me. I'm working down that
> path now, however I do need the homedir parameter from RFC 2307.

As far as I am aware, only the idmap_ad config backend can obtain the homedir and that only works with AD.

> ../../source3/auth/auth_util.c:1946(check_account) check_account:
> Failed to convert SID
> S-1-5-21-2286752186-3697686403-1823448917-102506 to a UID
> (dom_user[UNIV\someusername])

Does the user 'someusername' have a uidNumber attribute containing a number inside the range set in smb.conf?

> I have considered setting up a Samba AD domain and replicating
> users/groups (and homedir?). I can do this as long as authentication
> comes from the university domain (UNIV.EDU), which I think is
> possible.

Then that isn't going to work, authentication must come from the DCs in the domain, though you can get trusts to work.

> Do I set up my own DC (SUBDOM.UNIV.EDU), then Samba
> servers join to that DC? I don't think I can establish trust between
> my domain (SUBDOM.UNIV.EDU) and the university domain (UNIV.EDU), so
> I can replicate the information I need. My (3,000) Windows clients
> are already joined to the university domain. Would they need to change
> domains as well to access my Samba file shares without a trust?
> Maybe a one-way trust where I trust them, but they don't need to
> trust me?

I think you really need to read up on AD and Samba AD, one difference is that Samba does not (yet) do child domains.

> Which advantages would I gain (in our situation) from 4.21 or 4.22?
> We've also maintained Debian systems for many years. We can shift
> testing to Debian if that moves us forward.

Samba is a rapidly moving target, one of the benefits of using a Samba supported version is that you can get to functional level 2016. Like all software, Samba has bugs and these only get fixed in Samba supported versions (4.20.x, 4.21.x and 4.22.x at present); otherwise you have to rely on the distros backporting any fixes to their versions, and this doesn't usually happen for minor fixes.

One of the problems with using Samba with ldap is that it normally requires using the samba schema, and that requires SMBv1, which is no longer recommended.

Rowland
Hello all,

We have been working on the idmap_rfc2307 solution for this. Packet traces on the Samba server and the LDAP server don't show any communication between Samba and the LDAP server at any point (configuration below). Samba logs are set at 10 and the error message is consistent:

../../source3/auth/auth_util.c:1946(check_account)
  check_account: Failed to convert SID S-1-5-21-2286752186-3697686403-1823448917-102506 to a UID (dom_user[UNIV\someusername])

>>> smb.conf <<<

[global]
  # workgroup and naming
  workgroup = UNIV
  server string = Samba Server Version %v

  # server settings
  interfaces = 127.0.0.1, xxx.xxx.xxx.xxx
  bind interfaces only = yes
  deadtime = 15
  strict locking = no
  lock directory = /var/spool/locks/samba

  # logging
  log file = /var/log/samba/log.smbd
  log level = 10
  max log size = 51200

  client max protocol = SMB3
  security = ads
  password server = KERBEROS.univ.edu
  client signing = yes
  ## client use spnego = yes
  kerberos method = secrets and keytab
  realm = UNIV.EDU

  idmap config * : backend = tdb
  idmap config * : range = 20000001-20001000
  idmap config AUBURN : backend = rfc2307
  idmap config AUBURN.EDU:range = 200-20000000
  idmap config AUBURN : ldap_server = stand-alone
  idmap config AUBURN : ldap_url = ldap://ldaptest.subdom.univ.edu/
  idmap config AUBURN : ldap_search_base = dc=univ,dc=edu
  idmap config AUBURN : realm = univ.edu
  idmap config AUBURN : ldap_user_dn = cn=readonly,ou=system,dc=univ,dc=edu

-- 
Shannon Price
Auburn University

-----Original Message-----
From: Shannon Price
Sent: Saturday, May 3, 2025 8:56 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: RE: [Samba] Samba 4.19 and OpenLDAP

Thank you for your prompt response, Rowland.

The idmap_rfc2307 isn't working (yet) for me. I'm working down that path now, however I do need the homedir parameter from RFC 2307.
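Rowland's question earlier in the thread (does the user's uidNumber fall inside the range set in smb.conf?) and the configuration posted above both come down to two mechanical checks: every per-domain idmap block must carry its backend and its range under the same domain key, and the uidNumber the stand-alone LDAP server returns must lie inside that range. The Python below is an added example, not code from this thread or from the Samba project. It parses the `idmap config` lines of an smb.conf fragment, reports blocks whose backend and range are split across different keys, and tests an LDIF record's uidNumber against a domain's range. Both smb.conf fragments and the LDIF record are constructed with placeholder names (EXAMPLE, example.com, jdoe); the mismatched fragment mirrors the shape of the posted config, where the backend lines are keyed `AUBURN` and the range line `AUBURN.EDU`. Upper-casing the domain keys assumes Samba compares them case-insensitively; `bind_path_user` and `bind_path_group` in the consistent fragment are the keys man idmap_rfc2307 documents for `ldap_server = stand-alone`.

```python
"""Sanity checks for the 'idmap config' lines of an smb.conf.

Added example with constructed inputs: checks that each per-domain idmap
block has both a backend and a range under the same key, and that a
uidNumber from LDAP falls inside the domain's range.
"""
import re
from typing import Dict, List, Optional, Tuple

# idmap config <DOMAIN> : <option> = <value>   (spaces around ':' optional)
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>[^:]+?)\s*:\s*(?P<option>\w+)\s*=\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap_config(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every 'idmap config' line.
    Domain keys are upper-cased (assumption: Samba compares them
    case-insensitively; keeping the case consistent is safest anyway)."""
    config: Dict[str, Dict[str, str]] = {}
    for line in smb_conf.splitlines():
        if line.lstrip().startswith(("#", ";")):  # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain = m.group("domain").strip().upper()
        config.setdefault(domain, {})[m.group("option").lower()] = m.group("value")
    return config


def parse_range(value: str) -> Tuple[int, int]:
    """Turn 'LOW-HIGH' into (LOW, HIGH), rejecting an inverted range."""
    low, high = (int(part) for part in value.split("-", 1))
    if low > high:
        raise ValueError(f"range low bound {low} is above high bound {high}")
    return low, high


def check_domains(smb_conf: str, workgroup: str) -> List[str]:
    """Return findings about the idmap blocks; an empty list means none."""
    findings: List[str] = []
    config = parse_idmap_config(smb_conf)
    for domain, opts in config.items():
        if "backend" in opts and "range" not in opts:
            findings.append(f"{domain}: backend '{opts['backend']}' has no range under this key")
        elif "range" in opts and "backend" not in opts:
            findings.append(f"{domain}: range '{opts['range']}' has no backend under this key")
    if workgroup.upper() not in config:
        findings.append(f"no 'idmap config {workgroup}' block; SIDs from that domain fall back to '*'")
    return findings


def uid_from_ldif(ldif: str) -> Optional[int]:
    """Pick the uidNumber out of an LDIF record (as ldapsearch prints it)."""
    for line in ldif.splitlines():
        if line.lower().startswith("uidnumber:"):
            return int(line.split(":", 1)[1])
    return None


def uid_in_domain_range(smb_conf: str, domain: str, ldif: str) -> bool:
    """True only if the domain has a range and the LDIF uidNumber is inside it."""
    opts = parse_idmap_config(smb_conf).get(domain.upper(), {})
    uid = uid_from_ldif(ldif)
    if "range" not in opts or uid is None:
        return False
    low, high = parse_range(opts["range"])
    return low <= uid <= high


# Constructed fragment: the range line is keyed EXAMPLE.COM while the
# backend lines are keyed EXAMPLE, so the rfc2307 block ends up without a range.
SMB_CONF_MISMATCHED = """\
[global]
    workgroup = EXAMPLE
    idmap config * : backend = tdb
    idmap config * : range = 20000001-20001000
    idmap config EXAMPLE : backend = rfc2307
    idmap config EXAMPLE.COM:range = 200-20000000
    idmap config EXAMPLE : ldap_server = stand-alone
    idmap config EXAMPLE : ldap_url = ldap://ldap.example.com/
"""

# Same fragment with every key consistent, plus the bind paths that
# man idmap_rfc2307 documents for ldap_server = stand-alone.
SMB_CONF_CONSISTENT = """\
[global]
    workgroup = EXAMPLE
    idmap config * : backend = tdb
    idmap config * : range = 20000001-20001000
    idmap config EXAMPLE : backend = rfc2307
    idmap config EXAMPLE : range = 200-20000000
    idmap config EXAMPLE : ldap_server = stand-alone
    idmap config EXAMPLE : ldap_url = ldap://ldap.example.com/
    idmap config EXAMPLE : ldap_user_dn = cn=readonly,ou=system,dc=example,dc=com
    idmap config EXAMPLE : bind_path_user = ou=People,dc=example,dc=com
    idmap config EXAMPLE : bind_path_group = ou=Group,dc=example,dc=com
"""

# Constructed LDIF record for a posixAccount on the stand-alone server.
USER_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: jdoe
uidNumber: 4711
gidNumber: 4711
homeDirectory: /home/jdoe
"""

if __name__ == "__main__":
    for name, conf in (("mismatched", SMB_CONF_MISMATCHED), ("consistent", SMB_CONF_CONSISTENT)):
        print(name, check_domains(conf, "EXAMPLE") or "no findings")
        print("  uidNumber in EXAMPLE range:", uid_in_domain_range(conf, "EXAMPLE", USER_LDIF))
```

Run it against a copy of the real smb.conf and an `ldapsearch` dump of the user in question; a finding on the rfc2307 block, or a uidNumber outside the range, is consistent with the log line above, since winbind falls back to the `*` backend for any domain without a complete block of its own. This is a static check only: `testparm` still validates the whole file, and the bind password for `ldap_user_dn` is stored separately (see the `net idmap` section of man idmap_rfc2307), so a clean result here does not by itself prove the LDAP lookup works.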