Hey!

We're still running a Samba3 Domain Controller but need to upgrade to Samba4/AD soon. The core of our DC is an OpenLDAP server that holds authentication information for many services including Samba3. The LDAP server gets replicated to every machine that provides some kind of authentication or needs local user account information; changing passwords is done on a web interface that enforces our password policy and keeps Samba passwords and "unix passwords" in sync.

The question is how can we continue to use an LDAP server for authentication while keeping accounts and passwords in sync?
Is there still some development going on for the OpenLDAP backend of Samba4[1]?
How did others solve such a situation?

Thanks,
Adi

[1] https://wiki.samba.org/index.php/Samba4/LDAP_Backend
On 09/03/15 15:13, Adi Kriegisch wrote:
> Hey!
>
> We're still running a Samba3 Domain Controller but need to upgrade to
> Samba4/AD soon. The core of our DC is an OpenLDAP server that holds
> authentication information for many services including Samba3.
> The LDAP server gets replicated to every machine that provides some kind of
> authentication or needs local user account information; changing passwords
> is done on a web interface that enforces our password policy and keeps
> Samba passwords and "unix passwords" in sync.
>
> The question is how can we continue to use an LDAP server for authentication
> while keeping accounts and passwords in sync?
> Is there still some development going on for the OpenLDAP backend of
> Samba4[1]?
> How did others solve such a situation?
>
> Thanks,
> Adi
>
> [1] https://wiki.samba.org/index.php/Samba4/LDAP_Backend

Hi, just what are the services that need to authenticate via ldap?

There is a page on the samba wiki about authenticating to samba4 AD:

https://wiki.samba.org/index.php/Authenticating_other_services_against_AD

It is not exhaustive and other services can auth via S4 AD, postfix & dovecot for instance.

I believe that there is (or is that was?) some work going on to try and make a samba4 AD DC use OpenLDAP instead of the built-in ldap, but it seems to have gone quiet on that front lately.

Rowland
Hi!

> > The question is how can we continue to use an LDAP server for authentication
> > while keeping accounts and passwords in sync?
> > Is there still some development going on for the OpenLDAP backend of
> > Samba4[1]?
> > How did others solve such a situation?
> Hi, just what are the services that need to authenticate via ldap?
>
> There is a page on the samba wiki about authenticating to samba4 AD:

Thanks for the pointer; this can indeed be done for some of the services. But what I am about to lose is local authentication and independence of services: a full-blown OpenLDAP server is able to do replication. The advantage of this is that servers/services may run without having access to the master OpenLDAP server, and there is more: using decent crypto settings for the connection slows down lookups; another reason for using LDAP on localhost (or even better ldapi).

> I believe that there is (or is that was?) some work going on to try
> and make a samba4 AD DC use OpenLDAP instead of the built-in ldap, but
> it seems to have gone quiet on that front lately.

Too bad. Do others then manually sync accounts between OpenLDAP and Samba/AD? Is there an interface that (kind of) streams out LDIF changesets? Is there a way to get plain LDIF out of Samba/AD?

--
Adi
From: Adi Kriegisch <adi at cg.tuwien.ac.at>
Date: Mon, 9 Mar 2015 16:13:38 +0100

> We're still running a Samba3 Domain Controller but need to upgrade to
> Samba4/AD soon. The core of our DC is an OpenLDAP server that holds
> authentication information for many services including Samba3.
(snip)
> The question is how can we continue to use an LDAP server for authentication
> while keeping accounts and passwords in sync?
> Is there still some development going on for the OpenLDAP backend of
> Samba4[1]?
> How did others solve such a situation?

If you *need* to upgrade to Samba4 but do *not* need to upgrade to AD, you can still use an NT4-style Domain (compatible with Samba3) with Samba4.

Does this solve this situation?

---
TAKAHASHI Motonobu <monyo at monyo.com> / @damemonyo
facebook.com/takahashi.motonobu
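What the NT4-style option looks like in practice, as an added example that is not from this thread or from the Samba project: an smb.conf fragment for a Samba 4 classic (NT4-style) PDC that keeps the existing OpenLDAP server as its account database, reached over a local ldapi socket as Adi prefers. The domain name, host name, base DN and admin DN are placeholders.

```ini
[global]
    ; placeholder NT4 domain and host names
    workgroup = EXAMPLE
    netbios name = PDC1

    ; Samba 4 replacement for the Samba 3 "domain logons/domain master" PDC.
    ; No AD provisioning happens, so the account store stays in OpenLDAP.
    server role = classic primary domain controller

    ; Account database: the local OpenLDAP replica over its unix socket,
    ; so lookups work without the master and without a TLS handshake.
    passdb backend = ldapsam:ldapi:///
    ; ldapi is a local socket, so no STARTTLS is needed
    ldap ssl = off

    ; placeholder base DN and container layout
    ldap suffix = dc=example,dc=org
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers

    ; Bind DN Samba uses for writes; its secret is stored with "smbpasswd -w"
    ldap admin dn = cn=admin,dc=example,dc=org

    ; Passwords changed through Samba (e.g. from a Windows client) also
    ; update userPassword in LDAP, so the NT hash and the unix password
    ; stay in sync in the directory.
    ldap passwd sync = yes
```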
Hey!

> If you *need* to upgrade to Samba4 but do *not* need to upgrade to AD,
> you can still use NT4-style Domain (compatible with Samba3) with Samba4.

Wow! Thank you very much, I missed that completely! That helps a lot! ;-)

--
Adi