On Wed, 2022-03-23 at 12:53 -0400, Gaiseric Vandal via samba wrote:
> You need to have an account on the LDAP server that samba can use to
> read user information including the Windows password field. Then
> you need to configure smb.conf with the server name, the search
> path, the ldap name and password.
>
> I think what is going to be a problem is that the "NT4" Windows
> password requires a separate password field from the regular LDAP
> password, and keeping the 2 in sync will be a challenge. The client
> machines will be sending a hash of the user password to the server
> (rather than "plaintext" password over TLS.) In fact the schema on
> the LDAP server may need to be extended.

If a new NT4-style machine is being set up, you should be aware that
they rely on SMBv1 and this is going away. You could end up within a
year or two having to upgrade again or use an older version of Samba.

Rowland
Andrew Bartlett
2022-Mar-23 20:39 UTC
[Samba] stand-alone server with ldap-auth without AD
On Wed, 2022-03-23 at 17:02 +0000, Rowland Penny via samba wrote:
> On Wed, 2022-03-23 at 12:53 -0400, Gaiseric Vandal via samba wrote:
> > You need to have an account on the LDAP server that samba can use
> > to read user information including the Windows password field.
> > Then you need to configure smb.conf with the server name, the
> > search path, the ldap name and password.
> >
> > I think what is going to be a problem is that the "NT4" Windows
> > password requires a separate password field from the regular LDAP
> > password, and keeping the 2 in sync will be a challenge. The
> > client machines will be sending a hash of the user password to the
> > server (rather than "plaintext" password over TLS.) In fact the
> > schema on the LDAP server may need to be extended.
>
> If a new NT4-style machine is being set up, you should be aware that
> they rely on SMBv1 and this is going away. You could end up within a
> year or two having to upgrade again or use an older version of Samba.

Even for the standalone server case, using LDAP as a passdb backend
for a single fileserver and keeping things in sync with the smbk5pwd
overlay or Samba's ldap password sync, just be aware that this relies
on the pdb_ldap backend. The historical purpose for pdb_ldap was the
NT4 DC, and while we haven't any particular plans to remove this (we
know folks use it even when not doing an NT4 domain) just be aware
that with less use there is even less ongoing maintenance. pdb_ldap is
also not tested in selftest.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
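As an added illustration of the smb.conf settings Rowland outlines (server, search base, bind DN and password) and of the password-sync mechanism Andrew refers to, here is a standalone-server configuration using the ldapsam backend, which is the pdb_ldap module he is talking about. This is an example written for this page, not text from either message and not Samba's own documentation; the host name, base DN, organizational units and bind DN are placeholders to be replaced with your own.

```ini
# /etc/samba/smb.conf  (added example: standalone server, ldapsam backend)
[global]
    server role = standalone server
    workgroup = WORKGROUP
    security = user

    # Hypothetical LDAP server and directory layout.
    passdb backend = ldapsam:"ldap://ldap.example.com"
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap

    # The account Rowland describes: a bind DN that slapd permits to read and
    # write the samba* password attributes. Its password is not written here;
    # store it in secrets.tdb with:   smbpasswd -w 'bind-password'
    ldap admin dn = cn=samba,ou=Services,dc=example,dc=com

    # Never send the bind password or the NT hashes in the clear.
    ldap ssl = start tls

    # When a password is changed through SMB, also update userPassword via the
    # LDAP Password Modify operation, so the two fields do not drift apart.
    ldap passwd sync = yes

    # NT4-style (SMB1) clients will be refused at this protocol floor.
    server min protocol = SMB2_02
```

Two things have to be true on the OpenLDAP side for this to work. First, the Samba schema (samba.schema or samba.ldif from the Samba source tree) must be loaded so that entries can carry the sambaSamAccount object class with sambaNTPassword; this is the schema extension Gaiseric mentions. Second, the access rules must let the bind DN above read and write sambaNTPassword and sambaLMPassword while denying every other DN, because the NT hash is password-equivalent: anyone who can read it can authenticate as that user over NTLM. Note the direction of `ldap passwd sync`: it updates userPassword when the SMB password changes, but a password change made directly in LDAP (passwd, ldappasswd) does not touch sambaNTPassword. The smbk5pwd overlay Andrew names covers that direction on OpenLDAP (moduleload smbk5pwd.la, overlay smbk5pwd, smbk5pwd-enable samba), regenerating the NT hash whenever userPassword is changed through the Password Modify operation. Check the result with `testparm -s` for syntax and `pdbedit -L` to confirm Samba can actually read accounts from the directory.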