Jon Detert
2013-May-06 20:09 UTC
[Samba] Is it possible to make Samba4 use an external LDAP server for authN, and its own internal LDAP server for all other LDAP purposes?
My company uses 389-ds for its LDAP service, and all services are configured to use that LDAP for authentication.

I'd like to start using Samba4 as an AD DC, in order to control/manage MsWin computers.

It was simplest to me to install Samba4 configured to use its own internal LDAP server, rather than make it use my existing 389-ds LDAP server.

However, I want Samba4 to authenticate to the 389-ds, since that is where the user passwords are, and:
a) I don't know how to extract the passwords into a format that Samba4 could use, and
b) Even if I did, I don't want to maintain the passwords in 2 places (389-ds and Samba4).

Hence the question:

Is it possible to make Samba4 use an external LDAP server for authentication, and its own LDAP server for all other LDAP purposes (e.g. authorization; user-object data; computer-object data; etc.)?

Thanks,

--
Jon Detert
Sr. Systems Administrator
Infinity Healthcare
Milwaukee, Wisconsin
414-290-6759
Andrew Bartlett
2013-May-06 21:20 UTC
[Samba] Is it possible to make Samba4 use an external LDAP server for authN, and its own internal LDAP server for all other LDAP purposes?
On Mon, 2013-05-06 at 15:09 -0500, Jon Detert wrote:
> My company uses 389-ds for its LDAP service, and all services are configured to use that LDAP for authentication.
>
> I'd like to start using Samba4 as an AD DC, in order to control/manage MsWin computers.
>
> It was simplest to me to install Samba4 configured to use its own internal LDAP server, rather than make it use my existing 389-ds LDAP server.
>
> However, I want Samba4 to authenticate to the 389-ds, since that is where the user passwords are, and:
> a) I don't know how to extract the passwords into a format that Samba4 could use, and
> b) Even if I did, I don't want to maintain the passwords in 2 places (389-ds and Samba4).
>
> Hence the question:
>
> Is it possible to make Samba4 use an external LDAP server for authentication, and its own LDAP server for all other LDAP purposes (e.g. authorization; user-object data; computer-object data; etc.)?

Not at this time, but I certainly understand the attraction.

The issue is that we need all the Kerberos keys, and that's unlikely to be maintained in your server (but could quite practically be maintained in a system like OpenLDAP using the smbk5pwd module). Then it would 'only' be the issue of having Samba read and write those passwords in the remote server for the relevant user.

Passwords are in some ways the slightly easier part of this problem, because typically last writer wins, and they are not available for read by normal clients, so we have more latitude in the games we play, but this is at best a development task, and at worst still too hard.

Or we could do password sync - the passwords 389 natively stores are of no value to us, but I've been increasingly thinking that a variant of the password set extended operation could be used on a privileged connection to change passwords in sync between Samba and other directories.

At this point, we recommend folks consider if their other services can use Samba as that central LDAP server.

We realise this is not ideal however.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org