search for: pricesw

...on vs an actual Active Directory server, separate from the LDAP server? Also, what type of LDAP server (OpenLDAP? FreeIPA? Other?) and is the LDAP server also Debian? -- Shannon From: Morgan, Andrew J <morgan at oregonstate.edu> Sent: Wednesday, May 14, 2025 4:40 PM To: Shannon Price <pricesw at auburn.edu>; samba at lists.samba.org Subject: Re: [Samba] Samba 4.19 and OpenLDAPs I'm using the libnss-ldapd, libpam-ldapd, and nslcd packages. These replaced the old nss-ldap and pam-ldap software from a long time ago. Andy ________________________________ From: Shannon Price <p...

I'm using the libnss-ldapd, libpam-ldapd, and nslcd packages. These replaced the old nss-ldap and pam-ldap software from a long time ago. Andy ________________________________ From: Shannon Price <pricesw at auburn.edu> Sent: Wednesday, May 14, 2025 2:34 PM To: Morgan, Andrew J <morgan at oregonstate.edu>; samba at lists.samba.org <samba at lists.samba.org> Subject: RE: [Samba] Samba 4.19 and OpenLDAPs [This email originated from outside of OSU. Use caution with links and attachment...

On Sat, 3 May 2025 13:56:25 +0000 Shannon Price <pricesw at auburn.edu> wrote: > > Thank you for your prompt response, Rowland. > > The idmap_rfc2307 isn't working (yet) for me. I'm working down that > path now, however I do need the homedir parameter from RFC 2307. As far as I am aware, only the idmap_ad config backend can...

On Tue, 6 May 2025 15:39:34 +0000 Shannon Price <pricesw at auburn.edu> wrote: > > > Hello all, > > We have been working on the idmap_rfc2307 solution for this. Packet > traces on the Samba server and the LDAP server don't show any > communication between Samba and the LDAP server at any point. > (Configuration below)....

...provide LDAP in your nsswitch.conf? Failed to convert SID S-1-5-21-2286752186-3697686403-#######-##### to a UID (dom_user[AUBURN\myusername]) -- Shannon From: Morgan, Andrew J <morgan at oregonstate.edu> Sent: Wednesday, May 14, 2025 4:22 PM To: samba at lists.samba.org; Shannon Price <pricesw at auburn.edu> Subject: Re: [Samba] Samba 4.19 and OpenLDAPs Shannon, We run Samba similar to what you describe. Here are excerpts from our smb.conf: [global] security = ads allow trusted domains = no idmap config * : backend = tdb idmap config * : range = 100...

...From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba Sent: Tuesday, May 6, 2025 11:14 AM To: samba at lists.samba.org Cc: Rowland Penny <rpenny at samba.org> Subject: Re: [Samba] Samba 4.19 and OpenLDAPs On Tue, 6 May 2025 15:39:34 +0000 Shannon Price <pricesw at auburn.edu> wrote: > > > Hello all, > > We have been working on the idmap_rfc2307 solution for this. Packet > traces on the Samba server and the LDAP server don't show any > communication between Samba and the LDAP server at any point. > (Configuration below). W...

Hello all, We have been working on the idmap_rfc2307 solution for this. Packet traces on the Samba server and the LDAP server don't show any communication between Samba and the LDAP server at any point. (Configuration below). Samba logs are set at 10 and the error message is consistent: ../../source3/auth/auth_util.c:1946(check_account) check_account: Failed to convert SID

Thank you for your prompt response, Rowland. The idmap_rfc2307 isn't working (yet) for me. I'm working down that path now, however I do need the homedir parameter from RFC 2307. ../../source3/auth/auth_util.c:1946(check_account) check_account: Failed to convert SID S-1-5-21-2286752186-3697686403-1823448917-102506 to a UID (dom_user[UNIV\someusername]) I have considered setting up a

Shannon, We run Samba similar to what you describe. Here are excerpts from our smb.conf: [global] security = ads allow trusted domains = no idmap config * : backend = tdb idmap config * : range = 1000000-1999999 idmap config ONID : backend = nss idmap config ONID : range = 1000-999999 # our users in LDAP have uidnumbers in this range

We do not run our campus Active Directory, but our Linux clients authenticate against it. There are several different Unix-based environments on campus, so we cannot use the RFC2307 fields from AD anyway since the answers would not be the same for each group. We have a pilot environment on Ubuntu 24.04 and RHEL 8 that uses SSSD and an OpenLDAP server. Authentication is against our AD domain, but

If we use "security=user" (and idmap_rfc2307), we won't be able to authenticate against another source, right? (e.g. an AD domain)? The password would also need to come from Samba? I saw an older posting from you about "idmap_script" is that still a valid backend? The man page exists, but I don't want to go down more deprecated rabbit holes. -- Shannon

I have this working using "idmap_script" for the idmapping (homegrown script). I authenticate vs Active Directory and use SSSD to talk to OpenLDAP on the backend for group membership and posix attributes (homedir mostly). My nsswitch.conf looks like this: passwd: sss files systemd group: sss files systemd ID mapping is done very simply (my script is VERY short and for now

I had a side suggestion from a list member whether nslcd was a possibility, using winbind for the authentication and nslcd to get the rfc2307 attributes. This was essentially my approach since nslcd and SSSD are performing the same role - connecting to an LDAP server for RFC2307. I have SSSD working with RHEL. RHEL has dropped NSLCD packages in favor of SSSD, but they are still available in