I had a side suggestion from a list member whether nslcd was a possibility,
using winbind for the authentication and nslcd to get the rfc2307 attributes. 
This was essentially my approach since nslcd and SSSD are performing the same
role - connecting to an LDAP server for RFC2307.  I have SSSD working with RHEL.
RHEL has dropped NSLCD packages in favor of SSSD, but they are still available
in Ubuntu, so there could be a path with Ubuntu serving Samba instead.
The Samba option "security = ads" and the net join establishes the
authentication with AD, but I haven't been able to get the idmap to fall
back to LDAP (except the clunky id_map = script that I mention below).  It seems
like the ADS setting causes the idmap settings (e.g. idmap_ldap) to be ignored.
--
Shannon Price
Auburn University
-----Original Message-----
From: Shannon Price
Sent: Monday, May 12, 2025 4:42 PM
To: samba at lists.samba.org
Subject: RE: [Samba] Samba 4.19 and OpenLDAPs
I have this working using "idmap_script" for the idmapping (homegrown
script).  I authenticate vs Active Directory and use SSSD to talk to OpenLDAP on
the backend for group membership and posix attributes (homedir mostly).  My
nsswitch.conf looks like this:
passwd:     sss files systemd
group:      sss files systemd
ID mapping is done very simply (my script is VERY short and for now uses a flat
file for username-SID-UID user mapping).  Group memberships come from OpenLDAP. 
It all looks very simple and clean.  Samba still tries to enumerate all of my
group mappings.  It pulls all of my groups from Active Directory (which have no
meaning in my Linux/Samba environment).  This means that my idmap script gets
called over and over when I initially connect.  I had hoped that "winbind
enum groups" would suppress this behavior, but it doesn't.
Winbind is running.  This is my smb.conf for reference:
[global]
        # workgroup and naming
        workgroup = UNIV
        # server settings
        interfaces = 127.0.0.1, xxx.xxx.xxx.xxx
        bind interfaces only = yes
        deadtime = 15
        strict locking = no
        lock directory = /var/spool/locks/samba
        # logging
        log file = /var/log/samba/log.smbd
        log level = 2
        max log size = 51200
        # authentication
        client max protocol = SMB3
        security = ads
        client signing = yes
        kerberos method = secrets and keytab
        realm = UNIV.EDU
        idmap config * : backend  = script
        idmap config * : range = 200-20000000
        idmap config * : script = /etc/samba/idmap.sh
        winbind enum groups = no
--
Shannon
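The idmap_script calling convention that the smb.conf above relies on, as an added example (not the poster's homegrown script): a POSIX sh backend that resolves SIDs and UIDs from a flat "username SID UID" file, enforces the configured range, and answers ERR for group ids and unknown SIDs so that winbind's enumeration of AD groups yields no bogus mappings. The file path, file format and sample mappings are assumptions; the request and response forms are those documented in the idmap_script(8) man page.

```shell
#!/bin/sh
# Example idmap_script backend (added illustration, not the poster's script).
# Request/response forms follow the idmap_script(8) man page:
#   SIDTOID <sid>  -> UID:n | GID:n | ERR:text
#   IDTOSID UID n  -> SID:s | ERR:text   (IDTOSID GID n likewise)
# Mapping file format (assumed): "username SID UID", one user per line.
IDMAP_FILE="${IDMAP_FILE:-/etc/samba/idmap.map}"
RANGE_LOW=200          # must match "idmap config * : range" in smb.conf
RANGE_HIGH=20000000
# Constructed sample mappings, used only when IDMAP_FILE is absent (demo).
SAMPLE_MAP='alice S-1-5-21-1111111111-2222222222-3333333333-1105 10001
bob S-1-5-21-1111111111-2222222222-3333333333-1106 10002'

map_lines() {
    if [ -r "$IDMAP_FILE" ]; then cat "$IDMAP_FILE"; else printf '%s\n' "$SAMPLE_MAP"; fi
}

# True when $1 is a decimal number inside the configured idmap range.
in_range() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$RANGE_LOW" ] && [ "$1" -le "$RANGE_HIGH" ]
}

# Print the one-line answer winbind expects for the request in $1 $2 $3.
idmap_lookup() {
    case "$1" in
    SIDTOID)
        # Group SIDs and unknown SIDs get ERR: group ids come from LDAP here.
        uid=$(map_lines | awk -v s="$2" '$2 == s { print $3; exit }')
        if in_range "$uid"; then echo "UID:$uid"; else echo "ERR:no mapping for $2"; fi
        ;;
    IDTOSID)
        if [ "$2" = "UID" ] && in_range "$3"; then
            sid=$(map_lines | awk -v u="$3" '$3 == u { print $2; exit }')
            if [ -n "$sid" ]; then echo "SID:$sid"; else echo "ERR:no mapping for uid $3"; fi
        else
            echo "ERR:unsupported id $2 $3"
        fi
        ;;
    *)
        echo "ERR:bad request: $*"
        ;;
    esac
}

# Winbind invokes the script with the request on the command line.
if [ "$#" -gt 0 ]; then idmap_lookup "$@"; fi
```

Appending each request ("$*") to a log file from this script is a quick way to count how many SIDTOID calls the group enumeration described above generates per connection.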
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Shannon Price
via samba
Sent: Tuesday, May 6, 2025 11:54 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4.19 and OpenLDAPs
If we use "security=user" (and idmap_rfc2307), we won't be able to
authenticate against another source, right?  (e.g. an AD domain)?  The password
would also need to come from Samba?
I saw an older posting from you about "idmap_script".  Is that still a
valid backend?  The man page exists, but I don't want to go down more
deprecated rabbit holes.
--
Shannon
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny
via samba
Sent: Tuesday, May 6, 2025 11:50 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba 4.19 and OpenLDAPs
On Tue, 6 May 2025 16:31:29 +0000
Shannon Price via samba <samba at lists.samba.org> wrote:
>
> Sorry - my redaction was incomplete/incorrect in the smb.conf message.
> Corrected, redacted smb.conf below.  I need to authenticate against
> AD, which does work, but idmap vs LDAP server (OpenLDAP).
Samba cannot do that.
>
> Why wouldn't I see traffic between the Samba server and the LDAP
> server?  ("well there wouldn't be")
You have 'security = ads', if you use this, Samba must be a domain
member in an ADS realm, it requires Kerberos and Samba must be joined to the
realm using 'net'.
To use idmap_rfc2307, you need to use 'security = user' and probably
also SMBv1 (I have never used idmap_rfc2307, so am not sure about this, but
normally using an ldap backend with Samba requires SMBv1 e.g. a PDC).
Different backends use different code paths in Samba.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba