Hello all,
We have been working on the idmap_rfc2307 solution for this. Packet traces on
the Samba server and the LDAP server don't show any communication between
Samba and the LDAP server at any point. (Configuration below). Samba logs are
set at 10 and the error message is consistent:
../../source3/auth/auth_util.c:1946(check_account) check_account: Failed to
convert SID S-1-5-21-2286752186-3697686403-1823448917-102506 to a UID
(dom_user[UNIV\someusername])
>>> smb.conf <<<
[global]
# workgroup and naming
workgroup = UNIV
server string = Samba Server Version %v
# server settings
interfaces = 127.0.0.1, xxx.xxx.xxx.xxx
bind interfaces only = yes
deadtime = 15
strict locking = no
lock directory = /var/spool/locks/samba
# logging
log file = /var/log/samba/log.smbd
log level = 10
max log size = 51200
client max protocol = SMB3
security = ads
password server = KERBEROS.univ.edu
client signing = yes
## client use spnego = yes
kerberos method = secrets and keytab
realm = UNIV.EDU
idmap config * : backend = tdb
idmap config * : range = 20000001-20001000
idmap config AUBURN : backend = rfc2307
idmap config AUBURN.EDU:range = 200-20000000
idmap config AUBURN : ldap_server = stand-alone
idmap config AUBURN : ldap_url = ldap://ldaptest.subdom.univ.edu/
idmap config AUBURN : ldap_search_base = dc=univ,dc=edu
idmap config AUBURN : realm = univ.edu
idmap config AUBURN : ldap_user_dn = cn=readonly,ou=system,dc=univ,dc=edu
--
Shannon Price
Auburn University
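As an added check (example code written for this thread, not Samba's own and not from the original mail), a small linter for the idmap lines of an smb.conf. It applies two rules Samba documents for per-domain idmap configuration, that the joined domain (the workgroup) is keyed by its own NetBIOS name and that all ranges are disjoint, and it flags when 'backend' and 'range' sit under different domain keys. SAMPLE is a constructed copy of the relevant lines from the posted config; the finding texts are this example's own wording.

```python
# Added example (not Samba's code): lint the idmap layout of an smb.conf [global].
# SAMPLE is constructed to mirror the posted config's idmap lines.
import re

IDMAP_RE = re.compile(r"^idmap config\s*([^:]+?)\s*:\s*(\S+)$", re.I)
SAMPLE = """\
[global]
workgroup = UNIV
idmap config * : backend = tdb
idmap config * : range = 20000001-20001000
idmap config AUBURN : backend = rfc2307
idmap config AUBURN.EDU:range = 200-20000000
"""

def parse_global(text):
    """Map [global] parameters; 'idmap config D : p' becomes key ('idmap', D, p)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif line and line[0] not in "#;" and section == "global" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            m = IDMAP_RE.match(key)
            params[("idmap", m[1].upper(), m[2].lower()) if m else key.lower()] = value
    return params

def check_idmap(params):
    findings, ranges = [], {}  # empty findings means the idmap layout is consistent
    domains = {k[1] for k in params if isinstance(k, tuple)}
    workgroup = params.get("workgroup", "").upper()
    if workgroup and workgroup not in domains:  # joined domain needs its own idmap config
        findings.append(f"workgroup {workgroup} has no idmap config; its SIDs fall to '*'")
    for d in sorted(domains):
        backend, rng = params.get(("idmap", d, "backend")), params.get(("idmap", d, "range"))
        if backend is None:
            findings.append(f"{d}: range set but no backend")
        if rng is None:
            findings.append(f"{d}: backend set but no range")
            continue
        lo, hi = (int(x) for x in re.split(r"\s*-\s*", rng))
        for other, (olo, ohi) in ranges.items():  # all idmap ranges must be disjoint
            if lo <= ohi and olo <= hi:
                findings.append(f"{d} range {lo}-{hi} overlaps {other} range {olo}-{ohi}")
        ranges[d] = (lo, hi)
    return findings

if __name__ == "__main__":
    for f in check_idmap(parse_global(SAMPLE)):
        print("finding:", f)
```

Run it against a real file with `check_idmap(parse_global(open("/etc/samba/smb.conf").read()))`; on SAMPLE it reports three findings (missing workgroup entry, AUBURN without a range, AUBURN.EDU without a backend).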
-----Original Message-----
From: Shannon Price
Sent: Saturday, May 3, 2025 8:56 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: RE: [Samba] Samba 4.19 and OpenLDAP
Thank you for your prompt response, Rowland.
The idmap_rfc2307 isn't working (yet) for me. I'm working down that
path now, however I do need the homedir parameter from RFC 2307.
../../source3/auth/auth_util.c:1946(check_account) check_account: Failed to
convert SID S-1-5-21-2286752186-3697686403-1823448917-102506 to a UID
(dom_user[UNIV\someusername])
I have considered setting up a Samba AD domain and replicating users/groups (and
homedir?). I can do this as long as authentication comes from the university
domain (UNIV.EDU), which I think is possible. Do I set up my own DC
(SUBDOM.UNIV.EDU), then Samba servers join to that DC? I don't think I can
establish trust between my domain (SUBDOM.UNIV.EDU) and the university domain
(UNIV.EDU), so I can replicate the information I need. My (3,000) Windows
clients have already joined the university domain. Would they need to change
domains as well to access my Samba file shares without a trust? Maybe a one-way
trust where I trust them, but they don't need to trust me?
Which advantages would I gain (in our situation) from 4.21 or 4.22? We've
also maintained Debian systems for many years. We can shift testing to Debian
if that moves us forward.
--
Shannon
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny
via samba
Sent: Saturday, May 3, 2025 3:29 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba 4.19 and OpenLDAP
On Fri, 2 May 2025 21:40:38 +0000
Shannon Price via samba <samba at lists.samba.org> wrote:
>
>
> We do not run our campus Active Directory, but our Linux clients
> authenticate against it. There are several different Unix-based
> environments on campus, so we cannot use the RFC2307 fields from AD
> anyway since the answers would not be the same for each group. We have
> a pilot environment on Ubuntu 24.04 and RHEL 8 that uses SSSD and an
> OpenLDAP server. Authentication is against our AD domain, but SSSD
> pulls the RFC 2307 fields from OpenLDAP.
None of the above has anything really to do with Samba.
>
> Samba servers are also NFS servers so we need consistent UID/Group
> mappings in the whole environment. NFS is working well with this
> environment.
Again, NFS has nothing to do with Samba.
>
> Can Samba (version 4.19.4) pull RFC2307 from OpenLDAP
Well yes, by using the idmap_rfc2307 idmap backend, but only the uidNumber &
gidNumber attributes (see 'man idmap_2307'). To get the majority of the
rfc2307 attributes, you would have to use the idmap_ad backend, and that
obviously only works against an AD DC.
> (or ask SSSD
> for the answer)?
While you can get Samba to use Red Hat's idmap_sss backend, this will only get you
mappings between AD SIDs and Unix uid/gid, so you might just as well use the
winbind idmap_rid backend.
>
> Currently:
> security=ads
> In the Samba wiki documentation, several of the idmap links are empty
> (or removed?) idmap ldap and nss specifically. Is this deprecated?
Both of those backends are still available, but the first is an allocating
backend and the second requires 'local' users (which Samba can provide)
so there doesn't seem much point in using sssd.
>
> Any advice is welcome.
Have you considered setting up Samba AD domains for each environment and syncing
users/groups from your main AD to these, or using trusts?
Whatever problems you are having with sssd and your main AD, you are likely to
have similar problems with winbind and your main AD. Are you aware that winbind
came first and the initial sssd code was based on winbind?
You might also be better off using Debian, this will get you Samba
4.21.5 on Bookworm backports or 4.22.1 on Trixie. Samba 4.19.5 is EOL from the
Samba point of view.
Rowland