Score:0

Samba Domain with readonly Active Directory and OpenLDAP


I have a working Samba Windows Domain getting its users from an OpenLDAP database, but now I need to get these users from an Active Directory database. I have full access to the OpenLDAP database but only read access to the Active Directory database.

How could I achieve that? Thanks.

Edit: All my users are in an OpenLDAP database and my Samba domain authenticates these users against this database, but now the user database has migrated to Active Directory and I need to authenticate the domain users against this Active Directory database. The simple solution would be to use AD only and abandon the Samba domain, but that is not possible because we don't have write access to add machines to the domain.

Another solution would be to synchronize the AD users with our OpenLDAP, and Samba would keep consulting OpenLDAP.

In summary: we need a local domain that authenticates the users against a remote AD database.

Is [this example](https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD) from the Samba wiki useful?
`Another solution would be to synchronize the ad users with our openldap and samba would keep consulting openldap.` That is what many organizations do.
Rodrigo Antunes
@GregAskew how can we synchronize the AD users with OpenLDAP? We would need to obtain the passwords from AD, but AD uses different hashes.
Rodrigo Antunes
@larsks I think not, because the main problem is that the Samba domain needs the AD users' passwords to create the hashes to register the machines in OpenLDAP.
A common solution is a password change web site that updates the username/password on both AD and Samba (and any other sources) at the same time. If you need Kerberos tickets interoperable between both, there would need to be a trust between Active Directory and the other product/solution, which may not be desirable.
Rodrigo Antunes
@GregAskew I had thought about that, but we don't have write permissions on the Active Directory to write the new passwords. All the users use Wi-Fi with FreeRADIUS; another thing I have thought of is to use some kind of captive portal on the Wi-Fi to capture the passwords: if the authentication succeeds, then register the user/password in OpenLDAP, but I think that would be insecure.