search for: idmap_rfc2307

...;> On 04/07/2019 21:25, Ryan via samba wrote: > >>> I am still trying to configure Samba to authenticate users against > >>> ActiveDirectory, but lookup uid and gids against a stand-alone OpenLDAP > >>> server. Related to a previous recommendation, I found the idmap_rfc2307 > >>> capability, which seems likely exactly what I what. > >>> > >>> Unfortunately, it does not seem to work. Users are not permitted to > >> access > >>> shares for which they are in the group. > >>> > >>> Tests I fo...

...ts.samba.org> wrote: > On 04/07/2019 21:25, Ryan via samba wrote: > > I am still trying to configure Samba to authenticate users against > > ActiveDirectory, but lookup uid and gids against a stand-alone OpenLDAP > > server. Related to a previous recommendation, I found the idmap_rfc2307 > > capability, which seems likely exactly what I what. > > > > Unfortunately, it does not seem to work. Users are not permitted to > access > > shares for which they are in the group. > > > > Tests I found online of the idmapping using wbinfo, fail as follows...

...04/07/2019 21:25, Ryan via samba wrote: >>>>> I am still trying to configure Samba to authenticate users against >>>>> ActiveDirectory, but lookup uid and gids against a stand-alone OpenLDAP >>>>> server. Related to a previous recommendation, I found the idmap_rfc2307 >>>>> capability, which seems likely exactly what I what. >>>>> >>>>> Unfortunately, it does not seem to work. Users are not permitted to >>>> access >>>>> shares for which they are in the group. >>>>> >>&g...

...9;t I see traffic between the Samba server and the LDAP > server? ("well there wouldn't be") You have 'security = ads' , if you use this, Samba must be a domain member in an ADS realm, it requires Kerberos and Samba must be joined to the realm using 'net'. To use idmap_rfc2307, you need to use 'security = user' and probably also SMBv1 (I have never used idmap_rfc2307, so am not sure about this, but normally using an ldap backend with Samba requires SMBv1 e.g. a PDC). Different backends use different code paths in Samba. Rowland

If we use "security=user" (and idmap_rfc2307), we won't be able to authenticate against another source, right? (e.g. an AD domain)? The password would also need to come from Samba? I saw an older posting from you about "idmap_script" is that still a valid backend? The man page exists, but I don't want to go down more de...

...a samba wrote: > >>>>> I am still trying to configure Samba to authenticate users against > >>>>> ActiveDirectory, but lookup uid and gids against a stand-alone > OpenLDAP > >>>>> server. Related to a previous recommendation, I found the > idmap_rfc2307 > >>>>> capability, which seems likely exactly what I what. > >>>>> > >>>>> Unfortunately, it does not seem to work. Users are not permitted to > >>>> access > >>>>> shares for which they are in the group. > &...

...wrote: > >> On 04/07/2019 21:25, Ryan via samba wrote: >>> I am still trying to configure Samba to authenticate users against >>> ActiveDirectory, but lookup uid and gids against a stand-alone OpenLDAP >>> server. Related to a previous recommendation, I found the idmap_rfc2307 >>> capability, which seems likely exactly what I what. >>> >>> Unfortunately, it does not seem to work. Users are not permitted to >> access >>> shares for which they are in the group. >>> >>> Tests I found online of the idmapping using w...

...m groups = no -- Shannon -----Original Message----- From: samba <samba-bounces at lists.samba.org> On Behalf Of Shannon Price via samba Sent: Tuesday, May 6, 2025 11:54 AM To: samba at lists.samba.org Subject: Re: [Samba] Samba 4.19 and OpenLDAPs If we use "security=user" (and idmap_rfc2307), we won't be able to authenticate against another source, right? (e.g. an AD domain)? The password would also need to come from Samba? I saw an older posting from you about "idmap_script" is that still a valid backend? The man page exists, but I don't want to go down more de...

...m groups = no -- Shannon -----Original Message----- From: samba <samba-bounces at lists.samba.org> On Behalf Of Shannon Price via samba Sent: Tuesday, May 6, 2025 11:54 AM To: samba at lists.samba.org Subject: Re: [Samba] Samba 4.19 and OpenLDAPs If we use "security=user" (and idmap_rfc2307), we won't be able to authenticate against another source, right? (e.g. an AD domain)? The password would also need to come from Samba? I saw an older posting from you about "idmap_script" is that still a valid backend? The man page exists, but I don't want to go down more de...

I am still trying to configure Samba to authenticate users against ActiveDirectory, but lookup uid and gids against a stand-alone OpenLDAP server. Related to a previous recommendation, I found the idmap_rfc2307 capability, which seems likely exactly what I what. Unfortunately, it does not seem to work. Users are not permitted to access shares for which they are in the group. Tests I found online of the idmapping using wbinfo, fail as follows. $>wbinfo -n rlicht2 THE_SID SID_USER (1) $>net cache...

...m groups = no -- Shannon -----Original Message----- From: samba <samba-bounces at lists.samba.org> On Behalf Of Shannon Price via samba Sent: Tuesday, May 6, 2025 11:54 AM To: samba at lists.samba.org Subject: Re: [Samba] Samba 4.19 and OpenLDAPs If we use "security=user" (and idmap_rfc2307), we won't be able to authenticate against another source, right? (e.g. an AD domain)? The password would also need to come from Samba? I saw an older posting from you about "idmap_script" is that still a valid backend? The man page exists, but I don't want to go down more de...

...at lists.samba.org<mailto:samba-bounces at lists.samba.org>> On Behalf Of Shannon Price via samba Sent: Tuesday, May 6, 2025 11:54 AM To: samba at lists.samba.org<mailto:samba at lists.samba.org> Subject: Re: [Samba] Samba 4.19 and OpenLDAPs If we use "security=user" (and idmap_rfc2307), we won't be able to authenticate against another source, right? (e.g. an AD domain)? The password would also need to come from Samba? I saw an older posting from you about "idmap_script" is that still a valid backend? The man page exists, but I don't want to go down more de...

...at lists.samba.org<mailto:samba-bounces at lists.samba.org>> On Behalf Of Shannon Price via samba Sent: Tuesday, May 6, 2025 11:54 AM To: samba at lists.samba.org<mailto:samba at lists.samba.org> Subject: Re: [Samba] Samba 4.19 and OpenLDAPs If we use "security=user" (and idmap_rfc2307), we won't be able to authenticate against another source, right? (e.g. an AD domain)? The password would also need to come from Samba? I saw an older posting from you about "idmap_script" is that still a valid backend? The man page exists, but I don't want to go down more de...

Thank you for your prompt response, Rowland. The idmap_rfc2307 isn't working (yet) for me. I'm working down that path now, however I do need the homedir parameter from RFC 2307. ../../source3/auth/auth_util.c:1946(check_account) check_account: Failed to convert SID S-1-5-21-2286752186-3697686403-1823448917-102506 to a UID (dom_user[UNIV\someusername]...

Hello all, We have been working on the idmap_rfc2307 solution for this. Packet traces on the Samba server and the LDAP server don't show any communication between Samba and the LDAP server at any point. (Configuration below). Samba logs are set at 10 and the error message is consistent: ../../source3/auth/auth_util.c:1946(check_account) check_a...

...at lists.samba.org<mailto:samba-bounces at lists.samba.org>> On Behalf Of Shannon Price via samba Sent: Tuesday, May 6, 2025 11:54 AM To: samba at lists.samba.org<mailto:samba at lists.samba.org> Subject: Re: [Samba] Samba 4.19 and OpenLDAPs If we use "security=user" (and idmap_rfc2307), we won't be able to authenticate against another source, right? (e.g. an AD domain)? The password would also need to come from Samba? I saw an older posting from you about "idmap_script" is that still a valid backend? The man page exists, but I don't want to go down more de...

...esday, May 6, 2025 11:14 AM To: samba at lists.samba.org Cc: Rowland Penny <rpenny at samba.org> Subject: Re: [Samba] Samba 4.19 and OpenLDAPs On Tue, 6 May 2025 15:39:34 +0000 Shannon Price <pricesw at auburn.edu> wrote: > > > Hello all, > > We have been working on the idmap_rfc2307 solution for this. Packet > traces on the Samba server and the LDAP server don't show any > communication between Samba and the LDAP server at any point. > (Configuration below). Well there wouldn't be. > Samba logs are set at 10 and the error message is consistent: > >...

...> > Samba servers are also NFS servers so we need consistent UID/Group > mappings in the whole environment. NFS is working well with this > environment. Again, NFS has nothing to do with Samba. > > Can Samba (version 4.19.4) pull RFC2307 from OpenLDAP Well yes, by using the idmap_rfc2307 idmap backend, but only the uidNumber & gidNumber attributes (see 'man idmap_2307'), to get the majority of the rfc2307 attributes, you would have to use the idmap_ad backend and that obviously only works against an AD DC. > (or ask SSSD > for the answer)? While you can get Samb...

...> see users listed with wbinfo even if their POSIX attributes are not > allowing use as a UNIX account? you can't use idmap_ad for a trusted domain with outbound trust, as we can't connect to a DC in that domain via LDAP. You have to use a different idmap backend. You could also use idmap_rfc2307 to point at an LDAP server that does allow connections and also stores the mappings. -slow -- SerNet Samba Team Lead https://sernet.de/ Samba Team Member https://samba.org/ SAMBA+ packages https://samba.plus/ -------------- next part -------------- A non-text attachment was scrubbed....

Hi, In winbind, are there any plans to add the idmap_ad options "unix_primary_group" and "unix_nss_info" to the idmap_rfc2307 backend? I am using an ldap proxy to preserve the UNIX uids and gids between two domains, and it would be nice to also share the shell setting and the UNIX primary group as well.