[Samba] samba 4 preexisting openldap servers

2012-12-03 Thread Brian Gold
Hi all,
We currently have a pair of openldap servers that we use pretty heavily for
some of our web product authentication and for radius. We recently added the
samba3 schema and got sambaNTPassword hashes created for our users so that
we could implement PEAP/MSCHAP to simplify our radius authentication. We
don't currently have AD or a samba PDC.
We have a physical samba file server currently which gets its group info
from ldap, but passwords are all stored in tdb. I was getting ready to build
a new samba file server VM that could tie into our openldap server for
authentication but I've hit a few snags along the way.
I just noticed that Samba4 should be hitting release in just a few days
(according to the wiki). I'm now tempted to hold off and just implement a
full blown samba4 domain. Because samba4 is so new though, I'm having some
trouble understanding some of the documentation. I'm not clear on how to
implement this based on our current infrastructure.
Can I use my existing openldap servers with samba4, or will I have to
migrate my current ldap data into samba4's own ldap server? We are currently
using a split view bind server for internal and external DNS. Can we continue
to use this or will we have to move our internal dns over to Samba4's
builtin dns server? Will I need to ditch our current DHCP server as well?

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] samba 4 preexisting openldap servers

2012-12-03 Thread Andrew Bartlett
On Mon, 2012-12-03 at 13:13 -0500, Brian Gold wrote:
> Hi all,
>
> Can I use my existing openldap servers with samba4, or will I have to
> migrate my current ldap data into samba4's own ldap server? We are currently
> using a split view bind server for internal and external DNS. Can we continue
> to use this or will we have to move our internal dns over to Samba4's
> builtin dns server? Will I need to ditch our current DHCP server as well?

Samba 4.0 cannot use an external LDAP server.  We know this is
incredibly frustrating to users who deployed Samba 3.x 'classic' domains
using OpenLDAP, because that was an incredibly flexible, productive
partnership that integrated very well with so many other tools.
However, try as we might, we couldn't make it work - the model is just
too different.

On DNS, you can continue to use BIND, but the zone that your internal
clients see must be the one handled by our BIND9 plugin, or forwarded to
our internal dns server.  How to configure BIND for that is up to you
however.

Samba 4.0 does not include a DHCP server; however, be aware that the
traditional DHCP+dynamic DNS configuration does not work. You will need
to follow up on this list with those who have found the existing
solutions for DHCP and AD.  (I'm rather keen to see this gap closed,
but I don't expect to do that very soon.)

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
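Added example (not from either message in this thread, and not Samba Team or ISC configuration): a BIND 9 named.conf fragment showing the "forwarded to our internal dns server" option Andrew describes, laid out with the split views Brian already runs. The domain name "ad.example.internal", the DC address 192.0.2.10 and the client range 192.0.2.0/24 are placeholders chosen for the example; the unchanged public zones are only sketched.

```conf
// Constructed example: split-view BIND 9 that hands the AD zone to Samba 4's
// built-in DNS server. All names and addresses below are placeholders.

acl internal-nets { 192.0.2.0/24; localhost; };

options {
    directory "/var/cache/bind";
    // BIND and Samba's internal DNS both want port 53, so this BIND host
    // must not be the DC itself (or must listen on a different address).
    listen-on { 192.0.2.53; };
};

view "internal" {
    match-clients { internal-nets; };
    recursion yes;

    // The AD domain zone (including the _msdcs, _sites, _tcp and _udp
    // SRV records clients rely on) is owned by Samba: forward, never serve
    // a local copy, otherwise domain join and logon lookups break.
    zone "ad.example.internal" {
        type forward;
        forward only;
        forwarders { 192.0.2.10; };
    };

    // Reverse zone for the client range is answered by the DC too, so that
    // Samba's dynamic updates from domain members end up in one place.
    zone "2.0.192.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 192.0.2.10; };
    };

    // Existing internal zones stay where they are.
    zone "example.internal" {
        type master;
        file "/etc/bind/zones/db.example.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;

    // Public zone as before; nothing about the AD domain is exposed here.
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com";
    };
};
```

Two checks worth doing after reloading: `host -t SRV _ldap._tcp.ad.example.internal 192.0.2.53` from an internal client should return the DC, and the same query from outside the internal range should be refused. This fragment only covers the Samba-served zone; it does not close the DHCP-driven dynamic DNS gap Andrew mentions, since those updates would still have to be sent to the DC rather than to BIND.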

