I apologize but that is what I meant by black box. The Samba3 server is our server. It connects to the LDAP that is out of my control and extends the users' entries to the Windows desktops.

If it's easier to visualize we're getting LDAP as a service from the central campus IT department. It is then on us to provide services our school needs to our students, faculty and staff. They have no concern about Samba3 or Samba4. We're just using their LDAP server.

Samba4 can't use this LDAP service in AD and I understand the complexities of the extensions AD has put on to its LDAP; however, without the ability to auto discover users and groups it's a management burden for me to implement some form of continuous sync to massage data from the central campus LDAP to Samba4. I can contrive methods and fortunately Marco has given me a great lead but it still seems overly complex.

This is why I was looking into auto discovery / auto creation of users and groups via an external authentication request. At least then the users would exist if they successfully authenticated. Obviously that's not a completely reasonable solution either.

Another contrived solution I've been mulling around is using the meta backend in OpenLDAP and creating a combined view of Samba4 with central campus LDAP. The issue here is that I don't yet know whether OpenLDAP would be able to query Samba4, stitch together the output of the LDAP servers, let alone configure Samba4 to use it instead of directly connecting to its backend.

The final solution I can figure is to set up Windows desktops joined to Samba4 with a trust to FreeIPA and a replication mechanism between FreeIPA and campus LDAP. At my previous employer I have already got Windows to authenticate through to FreeIPA but that still leaves me with the FreeIPA to LDAP conundrum.
On Fri, Apr 12, 2019 at 10:18 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Fri, 12 Apr 2019 09:51:44 -0700
> Vex Mage <dosmage at gmail.com> wrote:
>
> > Even if I am still thinking in the past it doesn't invalidate the
> > problem I came here to get guidance on. Instead I just get talked
> > down to by some or others don't even read the situation I'm trying to
> > solve.
> >
> > I don't need it to work like it used to in the NT4 sense. I don't
> > need to use NT4 protocols. I'm just in need of not having Samba4
> > write in all of its documentation that forklift replacing your
> > central authentication server is the only way to move forward. Wasn't
> > the design goal to make it compatible in a Unix environment in the
> > first place?
> >
> > How am I holding back Samba? I have a central LDAP server I have no
> > control over
>
> That is the first time you have said that, I thought you had total
> control over the entire system.
>
> You need to bring to the attention of whoever does have control over
> the ldap Samba3 server, that it is insecure and unsupported and if they
> don't do something about it and they get hit by malware, it will be
> their fault.
>
> > but yet Samba4 requires me to replace it.
>
> No it doesn't, you can use Samba4 just like you use Samba3, but it
> might stop working at any time because Windows changes something.
>
> > I can see how
> > most of Samba's niche markets can do that but we can't.
> >
> > AD is absolutely fine. Most of the other schools on our campus have
> > moved away from Samba to Windows AD or decided to drop authentication
> > altogether because it was easier to do so. Honestly, I don't think
> > you're not listening.
>
> If you want a secure system, you have to use secure software, this
> generally means recent software.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

-- 
Vex
On Fri, 12 Apr 2019 11:04:58 -0700 Vex Mage <dosmage at gmail.com> wrote:
> I apologize but that is what I meant by black box. The Samba3 server
> is our server. It connects to the LDAP that is out of my control and
> extends the users' entries to the Windows desktops.
>
> If it's easier to visualize we're getting LDAP as a service from the
> central campus IT department. It is then on us to provide services our
> school needs to our students, faculty and staff. They have no concern
> about Samba3 or Samba4. We're just using their LDAP server.
>
> Samba4 can't use this LDAP service in AD and I understand the
> complexities of the extensions AD has put on to its LDAP; however,
> without the ability to auto discover users and groups it's a
> management burden for me to implement some form of continuous sync to
> massage data from the central campus LDAP to Samba4. I can contrive
> methods and fortunately Marco has given me a great lead but it still
> seems overly complex.
>
> This is why I was looking into auto discovery / auto creation of
> users and groups via an external authentication request. At least
> then the users would exist if they successfully authenticated.
> Obviously that's not a completely reasonable solution either.
>
> Another contrived solution I've been mulling around is using the meta
> backend in OpenLDAP and creating a combined view of Samba4 with
> central campus LDAP. The issue here is that I don't yet know whether
> OpenLDAP would be able to query Samba4, stitch together the output of
> the LDAP servers, let alone configure Samba4 to use it instead of
> directly connecting to its backend.
>
> The final solution I can figure is to set up Windows desktops joined
> to Samba4 with a trust to FreeIPA and a replication mechanism between
> FreeIPA and campus LDAP. At my previous employer I have already got
> Windows to authenticate through to FreeIPA but that still leaves me
> with the FreeIPA to LDAP conundrum.
Let's see if I have this right, you are not adverse to using AD, you just want to have all the users and groups that are in your central ldap in your <whatever it is>

Do the passwords have to match ?

Rowland
That is correct. I'm not adverse to using AD. I've used real AD in many environments in the past and to be honest the Samba4 AD seems to work really well. I just need to have all my users from our central LDAP. The passwords would need to match so that students, faculty and staff can use the existing campus wide tools.

Thank you.

On Fri, Apr 12, 2019 at 11:27 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Fri, 12 Apr 2019 11:04:58 -0700
> Vex Mage <dosmage at gmail.com> wrote:
>
> Let's see if I have this right, you are not adverse to using AD, you
> just want to have all the users and groups that are in your central
> ldap in your <whatever it is>
>
> Do the passwords have to match ?
>
> Rowland

-- 
Vex
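The "continuous sync" from campus LDAP into Samba AD that Vex describes in the first message above, as an added example that is not part of the thread and not Samba's own code: a reconciliation step that compares the campus directory's accounts with what is already in the AD domain and emits the samba-tool commands to create missing users and disable ones that vanished upstream. The sample entries and the AD user list are constructed; the example covers users only (groups would follow the same pattern) and does not solve matching passwords, which is the question the thread ends on.

```python
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class CampusUser:
    """Subset of posixAccount/inetOrgPerson attributes mirrored into AD."""
    uid: str
    given_name: str
    surname: str
    mail: str
    uid_number: int
    gid_number: int


# Built-in AD accounts the sync must never touch.
PROTECTED = frozenset({"Administrator", "Guest", "krbtgt"})


def plan_sync(campus_users, ad_users, protected=PROTECTED):
    """Return samba-tool commands that bring AD in line with campus LDAP.

    New upstream accounts are created with a random password (campus password
    hashes are not readable, so they cannot be carried over); existing ones are
    left alone; AD accounts missing upstream are disabled rather than deleted so
    SIDs and file ownership survive a transient LDAP outage. Every value is
    shell-quoted because it comes from a directory this sync does not control.
    """
    wanted = {u.uid for u in campus_users}
    existing = set(ad_users)
    commands = []
    for u in sorted(campus_users, key=lambda x: x.uid):
        if u.uid in existing:
            continue  # already provisioned; attribute drift is not handled here
        commands.append(" ".join([
            "samba-tool user create", shlex.quote(u.uid), "--random-password",
            f"--given-name={shlex.quote(u.given_name)}",
            f"--surname={shlex.quote(u.surname)}",
            f"--mail-address={shlex.quote(u.mail)}",
            f"--uid-number={u.uid_number}", f"--gid-number={u.gid_number}",
        ]))
    for name in sorted(existing - wanted - set(protected)):
        commands.append(f"samba-tool user disable {shlex.quote(name)}")
    return commands


# Constructed sample data standing in for a campus LDAP search result and
# the output of `samba-tool user list`; nothing here talks to a directory.
CAMPUS = [
    CampusUser("alice", "Alice", "Example", "alice@campus.example", 10001, 5000),
    CampusUser("bob", "Bob", "O'Brien", "bob@campus.example", 10002, 5000),
]
AD_USERS = ["Administrator", "Guest", "krbtgt", "alice", "carol"]
```

Run the returned commands on the domain controller from a cron job or timer; reviewing the plan before executing it is the cheap safeguard against an empty or partial upstream search disabling every account.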