Rowland penny
2020-Jul-13 19:44 UTC
[Samba] helping to implement samba 4 AD with ldap backend
On 13/07/2020 20:28, jmpatagonia via samba wrote:
> OK for that way (builtin ldap) is it possible to access/modify via ldap
> tools / languages / libraries, like php/ruby/etc.?
> Because if it is the only way we need to continue updating the user data
> (on ldap repository) from one place via our interface.

Probably, anything is possible, but you would have to write your own tools based on php etc.

Your problem is that your domain has never been updated when required and you are now running a hopelessly out of date version of Samba etc.

Rowland
jmpatagonia
2020-Jul-15 19:19 UTC
[Samba] helping to implement samba 4 AD with ldap backend
Hello Rowland, the problem is more complex, because we have 13 software/services/APIs linked to the ldap repository on a production environment; we try to use one single user/password for everything, and it works.

We updated samba 2 or 3 years ago, but we found that samba 4 AD at that moment was using a built-in ldap, so we discarded this option, because using this ldap implied the same as now: reconfigure all 13 software, import schemas, adapt backup processes, monitoring processes, change IPs, etc. So we discarded this option because it is a lot of work, and we think it does not compensate to change everything just for samba. So at that moment we used just the last samba 4 available.

We have ad hoc classes, properties, on ldap in addition to samba/zentyal schemas.

So in this case we are thinking of installing a new fresh samba 4 AD, importing all existing users/computers/passwords, redeveloping our interface to update users/passwd on both repositories.

We don't understand why samba decides to use a builtin ldap and discard external ldap; it is very annoying because in production and larger environments it needs a lot of work and implies maintaining another ldap.

Regards.

On Mon., 13 Jul. 2020 at 16:45, Rowland penny via samba (<samba at lists.samba.org>) wrote:
> On 13/07/2020 20:28, jmpatagonia via samba wrote:
> > OK for that way (builtin ldap) is it possible to access/modify via ldap
> > tools / languages / libraries, like php/ruby/etc.?
> > Because if it is the only way we need to continue updating the user data
> > (on ldap repository) from one place via our interface.
>
> Probably, anything is possible, but you would have to write your own
> tools based on php etc.
>
> Your problem is that your domain has never been updated when required
> and you are now running a hopelessly out of date version of Samba etc.
>
> Rowland
Rowland penny
2020-Jul-15 19:44 UTC
[Samba] helping to implement samba 4 AD with ldap backend
On 15/07/2020 20:19, jmpatagonia via samba wrote:
> Hello Rowland, the problem is more complex, because we have 13
> software/services/APIs linked to the ldap repository on a production
> environment; we try to use one single user/password for everything, and it
> works.
>
> We updated samba 2 or 3 years ago, but we found that samba 4 AD at that
> moment was using a built-in ldap, so we discarded this option, because using
> this ldap implied the same as now: reconfigure all 13 software, import
> schemas, adapt backup processes, monitoring processes, change IPs, etc. So we
> discarded this option because it is a lot of work, and we think it does not
> compensate to change everything just for samba. So at that moment we used just
> the last samba 4 available.
>
> We have ad hoc classes, properties, on ldap in addition to samba/zentyal
> schemas.
>
> So in this case we are thinking of installing a new fresh samba 4 AD,
> importing all existing users/computers/passwords, redeveloping our
> interface to update users/passwd on both repositories.
>
> We don't understand why samba decides to use a builtin ldap and discard
> external ldap; it is very annoying because in production and larger
> environments it needs a lot of work and implies maintaining another ldap.
>
> Regards.

Samba AD is based on Microsoft AD, so it has to be compatible with that. Initially Samba tried to use openldap, but from my understanding (it was before my time) it just couldn't be made to work. I also understand that for at least the last 8 years there has been work (on and off) to try and get Samba AD to work with openldap, but with no success.

It is of course your decision, but I would investigate if it is possible to use Samba AD as a base for your system; you may find that some of the adaptations to your existing can work with AD (they may already be there) and that you can extend the schema to cope with the rest.

Rowland
Marco Gaiarin
2020-Jul-16 07:42 UTC
[Samba] helping to implement samba 4 AD with ldap backend
Hello! On that day, jmpatagonia via samba was saying...
> We don't understand why samba decides to use a builtin ldap and discard
> external ldap, is very annoying because in production and larger
> environments it needs a lot of work and implies maintaining another ldap.

I'm not a samba developer, so I cannot answer the first part of the question. But I suppose that the better answer is: 'because'. ;(

After all, samba IS an LDAP server: ok, it is not OpenLDAP, but it can be used exactly as OpenLDAP, clearly with a few differences. Mostly:

+ AD is a full hierarchical DB; plain LDAP too, but it was typically used flat; this means less 'UID', more 'DN'.
+ group handling changed, because now 'nested groups' is possible.
+ no more anonymous bind

All these aspects can be taken into account; consider also that the 'AD Schema' is more widely used, eg many apps have 'connect to AD' (where you put the domain name and little more) and 'connect to LDAP' (where you have to put all connection and schema details).

For schemas, as stated by Rowland, they can be extended too; consider that the AD schema is naturally 'rich', so probably some schemas can be discarded. Schemas can be 'converted' from the LDAP/OpenLDAP format to the AD format with 'oLschema2ldif', in the standard samba distribution (at least in debian packages). Clearly, because schemas are 'one way' (cannot be removed), do some tests...

Last: what you want to do is, for me, the right thing: build the new domain in parallel to the old, build some tools to migrate/sync data and passwords (for passwords, a hint: use 'check password script' for NT domain and 'samba-tool syncpasswd', eg: https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP for AD). With both domains in place, migrate from LDAP to AD one app at a time.

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
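Marco's point that an OpenLDAP schema has to be converted to AD format before a one-way schema extension is the step a migration team will want to understand before touching a production AD. What follows is an added example, not part of the thread and not oLschema2ldif's own code: a small Python converter that parses constructed OpenLDAP `attributetype` definitions and emits the core AD `attributeSchema` LDIF entries. The attribute names, OIDs, the three-entry syntax table and the schema DN are assumed sample values; any syntax outside the table is refused rather than guessed.

```python
import re

# Constructed sample OpenLDAP schema (not from the thread); OIDs and names are made up.
OPENLDAP_SCHEMA = """
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleBadgeId'
    DESC 'Badge number printed on the staff card'
    EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'exampleParkingAllowed'
    EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
"""
# LDAP syntax OID -> (AD attributeSyntax, AD oMSyntax). Only three syntaxes are
# mapped; anything else is refused rather than guessed, since a schema extension
# cannot be undone once loaded into AD.
SYNTAX_MAP = {
    "1.3.6.1.4.1.1466.115.121.1.15": ("2.5.5.12", 64),  # DirectoryString -> Unicode
    "1.3.6.1.4.1.1466.115.121.1.27": ("2.5.5.9", 2),    # Integer
    "1.3.6.1.4.1.1466.115.121.1.7": ("2.5.5.8", 1),     # Boolean
}
ATTR_RE = re.compile(r"attributetype\s*\((.*?)\)\s*(?=attributetype|\Z)", re.S)

def parse_attributetypes(text):
    """Parse each attributetype block into the fields the converter needs."""
    out = []
    for body in ATTR_RE.findall(text):
        body = " ".join(body.split())  # collapse continuation lines
        desc = re.search(r"DESC\s+'([^']*)'", body)
        out.append({"oid": body.split()[0],
                    "name": re.search(r"NAME\s+'([^']+)'", body).group(1),
                    "desc": desc.group(1) if desc else None,
                    "syntax": re.search(r"SYNTAX\s+([\d.]+)", body).group(1),
                    "single": "SINGLE-VALUE" in body})
    return out

def to_ad_ldif(attr, schema_dn="CN=Schema,CN=Configuration,DC=example,DC=com"):
    """Render one parsed attribute as an AD attributeSchema LDIF entry (core
    attributes only; a real import also carries e.g. schemaIDGUID).
    schema_dn is an assumed placeholder for the target forest."""
    if attr["syntax"] not in SYNTAX_MAP:
        raise ValueError("unmapped LDAP syntax " + attr["syntax"])
    attr_syntax, om_syntax = SYNTAX_MAP[attr["syntax"]]
    lines = [f"dn: CN={attr['name']},{schema_dn}",
             "objectClass: top", "objectClass: attributeSchema",
             f"cn: {attr['name']}", f"lDAPDisplayName: {attr['name']}",
             f"attributeID: {attr['oid']}", f"attributeSyntax: {attr_syntax}",
             f"oMSyntax: {om_syntax}",
             f"isSingleValued: {'TRUE' if attr['single'] else 'FALSE'}"]
    if attr["desc"]:
        lines.append(f"adminDescription: {attr['desc']}")
    return "\n".join(lines) + "\n"
```

Running the output through a test domain first, as Marco advises, is the only way to confirm the mapping before the extension becomes permanent.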