
[Samba] What is Samba_dsdb???


Greg Zartman

Oct 25, 2014, 3:30:03 PM
In the configuration parameters created by samba-tool interactive, I get
passdb backend = samba_dsdb, but I have no idea what kind of backend this
is. It also doesn't seem to be documented anywhere.

Further down the config, it mentions tdb as the backend for winbind.

It's a little unclear to me if Samba 4 uses LDAP auth out of the gate or
you have to do something to configure it.

Greg
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny

Oct 25, 2014, 4:20:03 PM
On 25/10/14 20:22, Greg Zartman wrote:
> In the configuration parameters created by samba-tool interactive, I get
> passdb backend = samba_dsdb, but I have no idea what kind of backend this
> is. It also doesn't seem to be documented anywhere.
>
> Further down the config, it mentions tdb as the backend for winbind.
>
> It's a little unclear to me if Samba 4 uses LDAP auth out of the gate or
> you have to do something to configure it.
>
> Greg
To answer your question 'what is Samba_dsdb', this is the Samba directory
services database.

As you have run samba-tool provision, you have configured it, and samba4
after provision doesn't use LDAP auth; it uses AD auth, it is an
implementation of Active Directory. What you will have now (hopefully)
is an AD Domain Controller; this will act like a Windows AD DC to
control a Domain. You will now have to add users, groups etc. You can do
this with ADUC on Windows or with samba-tool.

Rowland

Rowland Penny

Oct 25, 2014, 5:50:04 PM
On 25/10/14 22:37, Greg Zartman wrote:
> On Sat, Oct 25, 2014 at 1:18 PM, Rowland Penny
> <rowlan...@googlemail.com> wrote:
>
> As you have run samba-tool provision, you have configured it, and
> samba4 after provision doesn't use LDAP auth, it uses AD auth, it
> is an implementation of Active Directory. What you will have now
> (hopefully) is an AD Domain Controller, this will act like a
> windows AD DC to control a Domain. You will now have to add users,
> groups etc, you can do this with ADUC on windows or with samba-tool.
>
>
> Thanks for the reply Rowland.
>
> Is this AD auth backend LDAP compatible? I'm trying to dump OpenLDAP
> and use Samba's LDAP for my simple LDAP needs, all of which are user
> account related.
>
> Thanks,
>

To a greater extent yes, but it does not work in the same way. You may
have to extend the schema, but you cannot use standard openldap schemas
or ldifs. Just what do you need to use AD for?

Rowland Penny

Oct 25, 2014, 6:30:05 PM
On 25/10/14 23:16, Greg Zartman wrote:
> On Sat, Oct 25, 2014 at 2:43 PM, Rowland Penny
> <rowlan...@googlemail.com> wrote:
>
> To a greater extent yes, but it does not work in the same way, you
> may have to extend the schema, but you cannot use standard
> openldap schemas or ldifs, just what do you need to use AD for ?
>
>
> I'm working on samba4 support for the SME Server distro
> (www.contribs.org). Right now it uses
> Samba3.6 and has an LDAP backend for auth. I want to move that auth
> to Samba4/AD auth.
>
> My initial thought was that we would need to import the old LDAP auth
> schema's from our LDAP work into Samba4 LDAP/AD. However, in doing
> more research, it looks like Samba4s AD approach is completely
> different, yes? It looks like we will need to scrap all of this old
> LDAP work.
>
> Greg
Hi Greg, it has been some time since I tried out SME, but if I remember
correctly it is based on CentOS. If this is correct, then things got a
bit easier for you. Forget using Samba as an AD DC; you cannot at this
time set up a DC on CentOS. Just migrate your samba 3.6 setup to whatever
version of samba comes with whatever version of CentOS you are basing
SME on; this will allow you to use openldap as before.

Rowland Penny

Oct 25, 2014, 6:50:04 PM
On 25/10/14 23:32, Greg Zartman wrote:
> On Sat, Oct 25, 2014 at 3:26 PM, Rowland Penny
> <rowlan...@googlemail.com> wrote:
>
> Hi Greg, it has been some time since I tried out SME, but if I
> remember correctly it is based on Centos, if this is correct, then
> things got a bit easier for you. Forget using Samba as an AD DC,
> you cannot at this time setup a DC on Centos, just migrate your
> samba 3.6 setup to whatever version of samba comes with whatever
> version of Centos you are basing SME on, this will allow you to
> use openldap as before.
>
>
> Yep, your memory is correct. The CORE distro is CentOS. Right now
> Samba 3.6 is working fine for legacy type domains (NT4), simple
> shares, domain membership; and we have a good implementation of an
> OpenLDAP auth backend.
>
> What I'm doing is looking forward to True Samba 4 AD and working to
> build a deployment for an alpha type release of SME Server. I've
> rebuilt the Sernet Samba 4 packages for SME Server (CentOS) and they
> work just fine for providing the Samba AD tools.
>
> I'm just having a hard time wrapping my brain around the AD
> auth in Samba 4 versus our older OpenLDAP auth. Is it true that many
> of the LDAP parameters in the smb.conf man pages really don't apply to
> Samba 4 AD DC config?
>
> Thanks!
>
> Greg
Yes, you can probably forget most if not all of the LDAP parameters,
samba4 in AD Mode just doesn't work like samba3.6 + openldap.
You probably have something like this in smb.conf:

# Global parameters
[global]
workgroup = EXAMPLE
realm = example.com
netbios name = DC1
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /var/lib/samba/sysvol/example.com/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

As you can see, there are no ldap lines!

What you have to understand is that you need to connect to samba4 AD
just like you would connect to windows AD and will need to use different
commands, i.e. samba-tool and/or ldb-tools for instance.

You can extend the schema fairly easily; autofs, sudo etc. are being used
fairly extensively.
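A check for the point made above, written as an added example that is not from the thread or the Samba project: it parses an smb.conf and flags leftover Samba 3/OpenLDAP parameters, or a passdb backend other than samba_dsdb, on a config whose server role is an AD DC. The two sample configs are constructed, and treating an absent passdb backend line as samba_dsdb is an assumption.

```python
import re
# Constructed sample (not from the thread): an AD DC smb.conf that still
# carries Samba 3 + OpenLDAP parameters left over from a passdb/ldapsam setup.
STALE_CONF = """\
[global]
    server role = active directory domain controller
    passdb backend = ldapsam:ldap://localhost
    ldap suffix = dc=example,dc=com
    ldap admin dn = cn=root,dc=example,dc=com
"""

CLEAN_CONF = """\
[global]
    server role = active directory domain controller
    passdb backend = samba_dsdb
    idmap_ldb:use rfc2307 = yes
"""

def parse_smb_conf(text):
    """Minimal smb.conf parser: [section] headers, key = value lines,
    '#'/';' comments. Keys are lower-cased with whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def audit_ad_dc_conf(text):
    """Return findings for an smb.conf that is meant to run as an AD DC."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    if g.get("server role", "").lower() != "active directory domain controller":
        findings.append("server role is not 'active directory domain controller'")
    # Assumption: if the line is absent, samba_dsdb is taken as the AD DC default.
    backend = g.get("passdb backend", "samba_dsdb")
    if not backend.startswith("samba_dsdb"):
        findings.append(f"passdb backend = {backend} is a Samba 3 backend, not samba_dsdb")
    for key, value in g.items():
        if key.startswith("ldap "):
            findings.append(f"stale Samba 3/OpenLDAP parameter: {key} = {value}")
    return findings
```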

Rowland Penny

Oct 26, 2014, 4:50:03 AM
On 26/10/14 00:03, Greg Zartman wrote:
> OK, the muddy water is starting to become a little more clear... Thanks.
>
> I noticed in previous threads you've stated that the only server role
> supported is "DC". How does one go about serving up simple shares
> with no need for machines to join a domain? For now is it best to just
> leave server role = DC and then have users just auth every time they
> want to access the share? Seems to me that once you start using the
> AD auth backend in Samba, you wouldn't want to change this.
>
> Thanks,
>
> Greg
I don't think that I actually said that samba4 could only be an AD DC,
in fact samba4 can do anything that samba3 can do as well.

Rowland Penny

Oct 27, 2014, 5:00:05 AM
On 27/10/14 02:26, Greg Zartman wrote:
> On Sun, Oct 26, 2014 at 1:42 AM, Rowland Penny
> <rowlan...@googlemail.com> wrote:
>
> I don't think that I actually said that samba4 could only be an AD
> DC, in fact samba4 can do anything that samba3 can do as well.
>
>
>
> Indeed. I was going off of your statement that the only supported
> mode is "Active Directory Domain Controller."

No, I never said that either.

Rowland

>
>
>
> --
> Greg J. Zartman
> Board Member
>
> Koozali Foundation, Inc.
> 2755 19th Street SE
> Salem, Oregon 97302
> Cell: 541-5218449
>
> SME Server user and community member since 2000

Greg Zartman

Oct 27, 2014, 12:40:03 PM
On Oct 27, 2014 1:54 AM, "Rowland Penny" <rowlan...@googlemail.com>
wrote:
>
> On 27/10/14 02:26, Greg Zartman wrote:
>
>> On Sun, Oct 26, 2014 at 1:42 AM, Rowland Penny
>> <rowlan...@googlemail.com> wrote:
>>
>> I don't think that I actually said that samba4 could only be an AD
>> DC, in fact samba4 can do anything that samba3 can do as well.
>>
>>
>>
>> Indeed. I was going off of your statement that the only supported mode
>> is "Active Directory Domain Controller."
>
>
> No, I never said that either.
>
> Rowland

https://lists.samba.org/archive/samba/2014-April/180336.html

Rowland Penny

Oct 27, 2014, 1:00:05 PM
On 27/10/14 16:35, Greg Zartman wrote:
>
>
> On Oct 27, 2014 1:54 AM, "Rowland Penny" <rowlan...@googlemail.com>
> wrote:
> >
> > On 27/10/14 02:26, Greg Zartman wrote:
> >
> >> On Sun, Oct 26, 2014 at 1:42 AM, Rowland Penny
> >> <rowlan...@googlemail.com> wrote:
> >>
> >> I don't think that I actually said that samba4 could only be an AD
> >> DC, in fact samba4 can do anything that samba3 can do as well.
> >>
> >>
> >>
> >> Indeed. I was going off of your statement that the only supported
> >> mode is "Active Directory Domain Controller."
> >
> >
> > No, I never said that either.
> >
> > Rowland
>
> https://lists.samba.org/archive/samba/2014-April/180336.html
>
OK, I thought that you were referring to this thread =-O

The thread that you are quoting really has nothing to do with this
thread, but, as far as I know, the only server that you can get directly
from running 'samba-tool domain provision' is a DC.

I know it says that the server-role can be a DC, MEMBER SERVER, MEMBER
or STANDALONE, but as far as I know only the DC provision works. It was
pointed out that if you provision as a 'MEMBER SERVER' then join this to
the domain, you do get a domain server. I have never really investigated
this further than the 'join' part because it is easier to just set up a
member server via smb.conf i.e. the original way.

Rowland

Rowland Penny

Oct 27, 2014, 1:40:04 PM
On 27/10/14 17:31, Greg Zartman wrote:
> On Mon, Oct 27, 2014 at 9:52 AM, Rowland Penny
> <rowlan...@googlemail.com> wrote:
>
>
> The thread that you are quoting really has nothing to do with this
> thread, but, as far as I know, the only server that you can get
> directly from running 'samba-tool domain provision' is a DC.
>
>
> Ah. Good thing I asked then. I thought the current Samba4 would only
> support DC mode. Thanks!
>
> Greg

But I did say in this thread:

I don't think that I actually said that samba4 could only be an AD DC,
in fact samba4 can do anything that samba3 can do as well.

Rowland

PS: is there any reason why you keep emailing me directly and not keeping
it on list?