Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Re: [Samba] "passwd program" in samba4

2 views
Skip to first unread message

Tomasz D.

unread,
May 17, 2013, 9:30:05 AM5/17/13
to
Dear Andrew,

We encounter the same problem. For over 10 years we've been using Samba (2,
then 3) with OpenLDAP (and then 389 DS) backend. We have perfectly working
LDAP environment with replication, well tuned, with many additional
attributes and with a lot of non-samba related services (email, mailing
list, address book, user specific data). For all that time we had
comfortable situation, that the users had to remeber just one password.

And now, if I understand the situation correctly, there is no way to keep
the password synchronized between Samba4 and external LDAP. I don't need to
authenticate samba against external LDAP, but I want to somehow trigger
password change in LDAP in case of changing it in Windows, and vice-versa.

And I really think that migration of our well known and fully functional
LDAP system, which is the core of our environment, is not the best and
proper way.

Did we reached a dead end?

--
kind regards
Tomasz



--
View this message in context: http://samba.2283325.n4.nabble.com/passwd-program-in-samba4-tp4647906p4648289.html
Sent from the Samba - General mailing list archive at Nabble.com.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Marc Muehlfeld

unread,
May 17, 2013, 10:50:11 AM5/17/13
to
Hello Tomasz,

Am 17.05.2013 15:30, schrieb Tomasz D.:
> We encounter the same problem. For over 10 years we've been using Samba (2,
> then 3) with OpenLDAP (and then 389 DS) backend. We have perfectly working
> LDAP environment with replication, well tuned, with many additional
> attributes and with a lot of non-samba related services (email, mailing
> list, address book, user specific data). For all that time we had
> comfortable situation, that the users had to remeber just one password.
>
> And now, if I understand the situation correctly, there is no way to keep
> the password synchronized between Samba4 and external LDAP. I don't need to
> authenticate samba against external LDAP, but I want to somehow trigger
> password change in LDAP in case of changing it in Windows, and vice-versa.
>
> And I really think that migration of our well known and fully functional
> LDAP system, which is the core of our environment, is not the best and
> proper way.


I don't know your environment, so maybe the following doesn't fit for
your situation.

Before I moved our production to Samba4 last autumn, we had about 25
services (postfix, cyrus, apache, addressbooks, etc.) hooked up to our
openLDAP backend for authentication and as source for information. But
for all I found great ways to have everything in sambas AD (ldap). And
the good thing is: I can administrate now everything in ADUC with just
one tool.

For the additional attributes (phone, mail, what ever) I wrote a small
script, that transfers them to AD.

And for your DMZ (mailserver, etc.) you don't need to have a replicated
Samba-DC with all it's services. I use an openLDAP proxy for that.

Most of my experiences and how to set them up, I wrote down here:
http://wiki.samba.org/index.php/Samba4/beyond

If you post some information about your environment, maybe there are
good other ways to bring all your services up to Samba 4.

Regards,
Marc

Tomasz D.

unread,
May 21, 2013, 6:59:12 AM5/21/13
to
Hello Marc,
In my environment (~5000 accounts, over 500 client devices) only relatively
small part (lets say, 20%) relays on Samba. But all authentication issues
relays on LDAP. As I wrote before, we have perfectly working, tuned and well
known dedicated LDAP server, which can be even switched to commercially
supported solution (Red Hat Directory Server). It is developed for years,
scalable, stable as rock, etc. I have tons of scripts that do various LDAP
tasks, I have commercial tools to managing it. Now, migrating
business-critical service to a new product (Samba Internal LDAP), which was
created, so to say, as a side effect (correct me if I'm wrong) and which is
still under development (e.g.: user-defined schemas are still experimental,
as Samba FAQ says) doesn't sounds for me like a good idea.

I'm sure that Samba AD works perfectly for all operations related to SMB/AD
and I'm not agains that. I've read why developers choose that way and I
totally agrees with that. I don't want to push all the Windows attributes in
external LDAP. But also I'd like to let the external LDAP the rest of
authentication/authorisation issues (not related to Windows Auth). In such
scenario, the possibility to synchronise passwords is very important.
Otherwise we are going backwards.

--
best regards,
Tomasz



--
View this message in context: http://samba.2283325.n4.nabble.com/passwd-program-in-samba4-tp4647906p4648535.html
Sent from the Samba - General mailing list archive at Nabble.com.
0 new messages