I have this working using "idmap_script" for the idmapping (homegrown
script). I authenticate vs Active Directory and use SSSD to talk to OpenLDAP on
the backend for group membership and posix attributes (homedir mostly). My
nsswitch.conf looks like this:
passwd: sss files systemd
group: sss files systemd
ID mapping is done very simply (my script is VERY short and for now uses a flat
file for username-SID-UID user mapping). Group memberships come from OpenLDAP.
It all looks very simple and clean. Samba still tries to enumerate all of my
group mappings. It pulls all of my groups from Active Directory (which have no
meaning in my Linux/Samba environment). This means that my idmap script gets
called over and over when I initially connect. I had hoped that "winbind
enum groups" would suppress this behavior, but it doesn't.
Winbind is running. This is my smb.conf for reference:
[global]
# workgroup and naming
workgroup = UNIV
# server settings
interfaces = 127.0.0.1, xxx.xxx.xxx.xxx
bind interfaces only = yes
deadtime = 15
strict locking = no
lock directory = /var/spool/locks/samba
# logging
log file = /var/log/samba/log.smbd
log level = 2
max log size = 51200
# authentication
client max protocol = SMB3
security = ads
client signing = yes
kerberos method = secrets and keytab
realm = UNIV.EDU
idmap config * : backend = script
idmap config * : range = 200-20000000
idmap config * : script = /etc/samba/idmap.sh
winbind enum groups = no
--
Shannon
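For readers following this setup, here is an added example of what the /etc/samba/idmap.sh referenced in the smb.conf above could look like (my illustration, not Shannon's script). It follows the request/response convention documented in idmap_script(8): winbind runs the script as "SIDTOID <SID>", "IDTOSID UID <n>" or "IDTOSID GID <n>" and expects a single "UID:", "GID:", "SID:" or "ERR:" line back. The map file path /etc/samba/idmap.map and the three user entries are assumptions constructed for the example; only user SIDs are listed, so every AD group SID winbind asks about gets an ERR: answer instead of an allocated ID.

```shell
#!/bin/sh
# Hypothetical /etc/samba/idmap.sh for Samba's idmap_script backend.
# winbind invokes it as:
#   idmap.sh SIDTOID <SID>     -> prints UID:<n> | GID:<n> | ERR:<msg>
#   idmap.sh IDTOSID UID <n>   -> prints SID:<SID> | ERR:<msg>
#   idmap.sh IDTOSID GID <n>   -> prints SID:<SID> | ERR:<msg>
# Flat file (assumed path): one "username:SID:UID" line per user, '#' comments.
MAPFILE="${IDMAP_MAPFILE:-/etc/samba/idmap.map}"

# Write a constructed three-user mapping to $1 (sample data only).
write_sample_map() {
    cat > "$1" <<'EOF'
# username:SID:UID  (constructed sample entries)
alice:S-1-5-21-1111111111-2222222222-3333333333-1001:10001
bob:S-1-5-21-1111111111-2222222222-3333333333-1002:10002
carol:S-1-5-21-1111111111-2222222222-3333333333-1003:10003
EOF
}

# SIDTOID: exact string match on the SID column. Group SIDs are not in the
# file, so they fall through to ERR: and winbind allocates nothing for them.
sid_to_id() {   # $1=mapfile $2=SID
    case "$2" in S-1-*) ;; *) echo "ERR:malformed SID"; return 0 ;; esac
    awk -F: -v sid="$2" '$0 !~ /^#/ && $2 == sid { print "UID:" $3; found=1; exit }
        END { if (!found) print "ERR:no mapping for " sid }' "$1"
}

# IDTOSID: only UIDs are mapped here; GIDs come from OpenLDAP via SSSD/nss.
id_to_sid() {   # $1=mapfile $2=UID|GID $3=numeric id
    case "$3" in ''|*[!0-9]*) echo "ERR:malformed id"; return 0 ;; esac
    [ "$2" = "UID" ] || { echo "ERR:$2 not mapped by this script"; return 0; }
    awk -F: -v id="$3" '$0 !~ /^#/ && $3 == id { print "SID:" $2; found=1; exit }
        END { if (!found) print "ERR:no mapping for uid " id }' "$1"
}

# Dispatch on winbind's first argument; unknown verbs are answered with ERR:.
idmap_dispatch() {  # $1=mapfile, remaining args = what winbind passed
    f="$1"; shift
    case "$1" in
        SIDTOID) sid_to_id "$f" "$2" ;;
        IDTOSID) id_to_sid "$f" "$2" "$3" ;;
        *)       echo "ERR:unknown request: $*" ;;
    esac
}

# Act as the real idmap script only when winbind passes arguments.
if [ "$#" -gt 0 ]; then
    idmap_dispatch "$MAPFILE" "$@"
fi
```

Any UID the script returns must fall inside the "idmap config * : range" in smb.conf (200-20000000 above), or winbind rejects the mapping.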
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Shannon Price
via samba
Sent: Tuesday, May 6, 2025 11:54 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4.19 and OpenLDAPs
If we use "security=user" (and idmap_rfc2307), we won't be able to
authenticate against another source, right? (e.g. an AD domain)? The password
would also need to come from Samba?
I saw an older posting from you about "idmap_script"; is that still a
valid backend? The man page exists, but I don't want to go down more
deprecated rabbit holes.
--
Shannon
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny
via samba
Sent: Tuesday, May 6, 2025 11:50 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba 4.19 and OpenLDAPs
On Tue, 6 May 2025 16:31:29 +0000
Shannon Price via samba <samba at lists.samba.org> wrote:
>
> Sorry - my redaction was incomplete/incorrect in the smb.conf message.
> Corrected, redacted smb.conf below. I need to authenticate against
> AD, which does work, but idmap vs LDAP server (OpenLDAP).
Samba cannot do that.
>
> Why wouldn't I see traffic between the Samba server and the LDAP
> server? ("well there wouldn't be")
You have 'security = ads'; if you use this, Samba must be a domain
member in an ADS realm, it requires Kerberos and Samba must be joined to the
realm using 'net'.
To use idmap_rfc2307, you need to use 'security = user' and probably
also SMBv1 (I have never used idmap_rfc2307, so am not sure about this, but
normally using an ldap backend with Samba requires SMBv1 e.g. a PDC).
Different backends use different code paths in Samba.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba