Marcus Mundt
2013-Jun-21 15:27 UTC
[Samba] samba4 and (pseudo) LDAP backend for users, groups and rights
Dear List,

I am used to Samba 3 and LDAP. But since Samba 4 I'm struggling hard to understand what has to be done and what a possible solution might look like for our scenario. I already found out that Samba 4 comes with its own LDAP server and if I want to use a slapd on the same system, it should listen on another port. I know that using an LDAP backend isn't supported in the current version of Samba, but I'm looking for a similar solution anyway.

Environment:
- LDAP-Master-Server with all the information needed
- mostly Windows XP and Windows 7 clients
  They should auto mount network drives after login (user, pass and rights from LDAP-Master)

Here is what I want to achieve:
An LDAP-Master-Server should be the basis for all users, passwords, groups, rights, rights to execute programs, mails and mounting network drives. We are looking for a "single sign on" solution based on the LDAP-Master-Server. Our Mail-Server and some other services rely on the LDAP-Master. Now Samba should work as ADS using the information stored on the LDAP-Master. Meaning getting users, passwords, groups, rights, drives etc. from LDAP. Is that even possible? Any ideas?

My quick guesses of possible solutions:
- Samba 4 + slapd on the same machine. slapd synced to LDAP-Master
- https://wiki.samba.org/index.php/Samba4/beyond#openLDAP_proxy_to_AD
  - I don't know if I get this one...
- Samba 4 importing an ldif-export of our LDAP-Master, problem: how to sync?

Questions:
- What about using "smbd + nmbd" instead of "samba"? What are the drawbacks and what functionalities would we sacrifice?
- Is using Samba 3 + LDAP backend a possible solution? We really waited for Samba 4 and are now a bit overwhelmed by the numerous innovations. But we would like to use the most current software.

Any hints or some short step-by-step list with the required services and their dependencies would be highly appreciated.

Thanks for reading. Have a wonderful weekend!

Cheers,
Marcus
Marc Muehlfeld
2013-Jun-21 16:40 UTC
[Samba] samba4 and (pseudo) LDAP backend for users, groups and rights
Hello Marcus,

On 21.06.2013 17:27, Marcus Mundt wrote:
> Environment:
> - LDAP-Master-Server with all the information needed
> - mostly Windows XP and Windows 7 clients
>   They should auto mount network drives after login (user, pass and rights from LDAP-Master)
>
> Here is what I want to achieve:
> An LDAP-Master-Server should be the basis for all users, passwords,
> groups, rights, rights to execute programs, mails and mounting
> network drives. We are looking for a "single sign on" solution
> based on the LDAP-Master-Server. Our Mail-Server and some other
> services rely on the LDAP-Master. Now Samba should work as ADS
> using the information stored on the LDAP-Master. Meaning
> getting users, passwords, groups, rights, drives etc. from
> LDAP. Is that even possible? Any ideas?

This is all possible with Samba 4 and AD. Set up a DC according to the HowTo, do a classicupgrade and then hook up all your services to AD.

I did this in production last September (170 users, 230 workstations, and around 25 services getting information from LDAP or authenticating against it). After some weeks of building a testing environment with everything, I did the final switch on a weekend (1.5 days for changing and adapting everything). And it's running absolutely great.

> My quick guesses of possible solutions:
> - Samba 4 + slapd on the same machine. slapd synced to LDAP-Master
> - https://wiki.samba.org/index.php/Samba4/beyond#openLDAP_proxy_to_AD
>   - I don't know if I get this one...

The "beyond samba" page is from me. Just let me know what's unclear. Then I will extend the HowTo and improve the descriptions.

The openLDAP proxy is a good way if you have your ADC in your internal network and don't want to have a "real" DC in your DMZ for the mail server, etc. too. An additional DC would bring you many open ports you mostly don't need, etc. That's why I use an openLDAP proxy for that (just one service with one open port: 389/tcp). You have to use the configuration from the HowTo. Then openLDAP doesn't use its own database. All requests are forwarded to the DC(s). The openLDAP server you can use as usual (I only use it read-only. I don't require write access to LDAP in the DMZ). Also you can use openLDAP ACLs to restrict access to attributes, like before, etc. And of course, you can authenticate against it (also mentioned on the wiki page).

But the openLDAP proxy doesn't mean that it's only a proxy. You can have a different tree of your LDAP pointing to a local database, too. Then you can store additional information in LDAP, beside the AD backend.

> - Samba 4 importing an ldif-export of our LDAP-Master, problem: how to sync?

I wouldn't do that. Much workaround stuff, directory ACLs won't be synced, etc.

> Questions:
> - What about using "smbd + nmbd" instead of "samba"? What
>   are the drawbacks and what functionalities would we sacrifice?

You need the samba binary, because it provides the AD stuff. If you plan to keep your NT4-style domain, then you can just upgrade. Samba 4 doesn't mean "AD only" and "built-in LDAP only". AD is just "an additional feature" of version 4. But AD requires the internal LDAP.

> - Is using Samba 3 + LDAP backend a possible solution? We really
>   waited for Samba 4 and are now a bit overwhelmed by
>   the numerous innovations. But we would like to use the most
>   current software.

It depends what you plan to have. If you are happy, you can stay at the NT4-style domain together with your openLDAP backend. But then you miss all the great improvements of AD (group policies to manage your clients, easy multi-DC environments, etc.). But as already said: Samba 4 with openLDAP is still possible - but not when you want to have an AD.

Regards,
Marc
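As an added illustration of the DMZ proxy Marc describes above (this is not his configuration and not the wiki HowTo's; it is an assumed slapd.conf written for this thread): one suffix is forwarded to the DC with the back-ldap backend and kept read-only, local ACLs limit what clients may read, and a second suffix is served from a local database so extra DMZ data can live beside the AD backend. Every hostname, DN, account name, password and path is a placeholder.

```conf
# Assumed example slapd.conf for an openLDAP proxy in a DMZ in front of Samba AD DCs.
# Not Marc's HowTo configuration; all names, DNs, secrets and paths are placeholders.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

modulepath      /usr/lib/openldap
moduleload      back_ldap.la
moduleload      back_mdb.la

# Trust anchor used to verify the DC certificates on the proxy-to-DC hop.
TLSCACertificateFile /etc/openldap/ca-samdom.pem

# Proxied tree: every request for this suffix is forwarded to the DC(s);
# the proxy itself keeps no copy of the AD data.
database        ldap
suffix          "dc=samdom,dc=example,dc=com"
uri             "ldaps://dc1.samdom.example.com/ ldaps://dc2.samdom.example.com/"
# Forward bind requests with the client's own credentials, so clients can
# authenticate against the proxy, and do not follow referrals back into the LAN.
rebind-as-user  yes
chase-referrals no
# Other operations are performed on the DC as a dedicated, unprivileged domain user.
idassert-bind   bindmethod=simple
                binddn="cn=ldap-proxy,cn=Users,dc=samdom,dc=example,dc=com"
                credentials="PLACEHOLDER-change-me"
                mode=none
# The DMZ only needs read access: reject every modification at the proxy.
readonly        on
# Local ACLs still apply to the proxied tree. Hide password-related attributes
# (a Samba DC does not hand these out over LDAP anyway; this is defence in depth),
# let authenticated clients read the rest, and let anonymous clients only bind.
access to attrs=userPassword,unicodePwd,dBCSPwd,supplementalCredentials
        by * none
access to *
        by users read
        by anonymous auth

# Second, local tree for DMZ-only information stored beside the AD backend.
database        mdb
suffix          "dc=dmz,dc=example,dc=com"
rootdn          "cn=admin,dc=dmz,dc=example,dc=com"
# Store only a hash here; generate it with slappasswd.
rootpw          "{SSHA}PLACEHOLDER"
directory       /var/lib/ldap/dmz
maxsize         1073741824
access to *
        by dn.exact="cn=admin,dc=dmz,dc=example,dc=com" write
        by users read
        by anonymous auth
```

Check the file with `slaptest -f /etc/openldap/slapd.conf` before starting slapd, and keep it mode 0600: it carries the proxy account's credentials. Two design points matter for the security posture: with `mode=none` all searches reach the DC as the proxy user, so per-client restrictions must be enforced by the ACLs on the proxy (the DC only ever sees one identity; `idassert-authzFrom` can further limit which local identities may use the asserted one), and `readonly on` plus the proxy user being a plain domain account bounds the damage if the DMZ host is compromised to reading whatever that account may read.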
Marcus Mundt
2013-Jun-24 08:30 UTC
[Samba] samba4 and (pseudo) LDAP backend for users, groups and rights
Hello Marc,

first of all thanks for the quick reply. My Samba ADC was set up quite quickly following the HowTo, good work!

Since we are running low on time and want to stick with our LDAP server, I hope I can set up a file server for WinXP and Win7 with Samba 4 using smbd and nmbd and keep using the LDAP backend. I guess we don't really need the AD stuff for what we want to achieve, right?

I really need to know if it is possible to set up some kind of auto mount for Windows clients. They should mount all of the user's drives while logging in; now this happens with some script, which is run after successfully logging in. The whole users, groups and rights stuff shouldn't be a problem.

> I did this in production last September (170 users, 230 workstations,
> and around 25 services getting information from LDAP or authenticating
> against). After some weeks of building a testing environment with
> everything, I did the final switch on a weekend (1.5 days for changing
> and adapting everything). And it's running absolutely great.

How did you transfer the information from the (old) LDAP server to the Samba 4 ADS? Or did you separate things, like servers relying on the slapd and other systems communicating with the ADS?

>> My quick guesses of possible solutions:
>> - Samba 4 + slapd on the same machine. slapd synced to LDAP-Master
>> - https://wiki.samba.org/index.php/Samba4/beyond#openLDAP_proxy_to_AD
>>   - I don't know if I get this one...
> The "beyond samba" page is from me. Just let me know what's unclear.
> Then I will extend the HowTo and improve the descriptions.

Ok, I thought so. I guess I wished for something like an AD to openLDAP proxy :)

>> - Samba 4 importing an ldif-export of our LDAP-Master, problem: how to sync?
> I wouldn't do that. Much workaround stuff, directory ACLs won't be
> synced, etc.

Tried it and got an error. Won't do it again...

>> Questions:
>> - What about using "smbd + nmbd" instead of "samba"? What
>>   are the drawbacks and what functionalities would we sacrifice?
> You need the samba binary, because it provides the AD stuff. If you plan
> to keep your NT4-style domain, then you can just upgrade. Samba 4
> doesn't mean "AD only" and "built-in LDAP only". AD is just "an
> additional feature" of version 4. But AD requires the internal LDAP.

As mentioned above, I will now try using Samba 4 but not the samba binary. Now switching back to smbd, nmbd and LDAP backend. Wish me luck :)

Thanks for your time and explanations!

Cheers,
Marcus
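An added example for the route Marcus settles on (smbd + nmbd without the samba binary, keeping the existing LDAP backend). It is not from the thread or from the Samba HowTo: an assumed smb.conf fragment for an NT4-style PDC using the ldapsam passdb backend, including the parameters that make Windows XP/7 map the home drive at domain logon without any script and run a logon script from the netlogon share for the rest. Domain name, hosts, DNs, paths and the helper script are placeholders.

```conf
# Assumed example smb.conf for an NT4-style PDC run with smbd + nmbd (no "samba" binary).
# Placeholders: EXAMPLEDOM, PDC1, ldap-master.example.com, dc=example,dc=com, /srv/samba/*.
[global]
   workgroup = EXAMPLEDOM
   netbios name = PDC1
   security = user
   # NT4-style domain: nmbd answers the logon requests, smbd serves the shares.
   domain logons = yes
   domain master = yes
   preferred master = yes
   os level = 65

   # Users, groups and machine accounts come from the existing LDAP master.
   passdb backend = ldapsam:ldap://ldap-master.example.com
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=samba,ou=System,dc=example,dc=com
   # Protect credentials and password hashes on the wire (needs an ldap:// URI above).
   ldap ssl = start tls
   # The ldap admin dn password is deliberately NOT in this file. Store it once with
   #   smbpasswd -w 'the-password'
   # and it is kept in secrets.tdb (mode 0600) instead of a world-readable config.
   # Keep userPassword in LDAP in step with the Samba hashes, so the mail server that
   # authenticates against the LDAP master sees password changes made from Windows.
   ldap passwd sync = yes

   # Home drive mapped at logon with no script: the client maps \\PDC1\<user> to H:.
   logon drive = H:
   logon home = \\%L\%U
   # Further drives come from logon.bat in the [netlogon] share (CRLF line endings).
   logon script = logon.bat
   # Roaming profiles; use "logon path =" (empty) to keep profiles local instead.
   logon path = \\%L\profiles\%U

   # Create the machine account in LDAP when a workstation joins (assumed helper from smbldap-tools).
   add machine script = /usr/sbin/smbldap-useradd -w "%u"

[netlogon]
   comment = Domain logon service
   path = /srv/samba/netlogon
   read only = yes
   browseable = no

[homes]
   comment = Home directories
   valid users = %S
   read only = no
   browseable = no

[profiles]
   comment = Roaming profiles
   path = /srv/samba/profiles
   read only = no
   browseable = no
   create mask = 0600
   directory mask = 0700
```

`testparm -s` checks the syntax and reports the resulting role. `%L` expands to the server's NetBIOS name and `%U` to the logged-on user, so `logon drive` plus `logon home` cover the per-user drive; `/srv/samba/netlogon/logon.bat` then carries lines such as `net use S: \\PDC1\shared /persistent:no` for the shared drives, and the client runs it at every domain logon. One caveat on the LDAP side: the `sambaNTPassword` attribute is password-equivalent, so the slapd ACLs on the LDAP master should allow the `ldap admin dn` to write it, the user to change their own, and nobody else to read it.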