LDAP Schema Requirements for Samba 4?

Status
Not open for further replies.

itw

Dabbler
Joined
Aug 31, 2011
Messages
48
I've been happily using OS X Mavericks server as an LDAP backend for AFP for a while now. Been working fine for whole-house Time Machine, etc.

I recently decided to try to get CIFS up and running since that's apparently the direction the Apple winds are currently blowing but it appears that if I have LDAP enabled and enable CIFS, then Samba automatically configures to use LDAP.

It also appears that Samba has specific LDAP schema requirements. smbd simply does not start.

Code:
[2014/02/22 09:13:00.574881,  1, pid=10334, effective(0, 0), real(0, 0)] ../source3/passdb/pdb_ldap_util.c:236(add_new_domain_info)
  add_new_domain_info: failed to add domain dn= sambaDomainName=HOMENAS,dc=homedomain,dc=com with: Invalid DN syntax
        invalid DN
[2014/02/22 09:13:00.574926,  0, pid=10334, effective(0, 0), real(0, 0)] ../source3/passdb/pdb_ldap_util.c:313(smbldap_search_domain_info)
  smbldap_search_domain_info: Adding domain info for HOMENAS failed with NT_STATUS_UNSUCCESSFUL
[2014/02/22 09:13:00.575031,  0, pid=10334, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_ldap.c:6529(pdb_ldapsam_init_common)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.


I've found a few articles regarding updating openldap schema to accommodate samba but I know all my work will just be blown out by an OS X update in the future if I was even able to get it working at all.

Are there some FreeNAS settings for CIFS that I can use to just use simple user/password/group LDAP on CIFS shares?

Using FreeNAS-9.2.1.1-RELEASE-x64 (0da7233) - hoping it fixed 9.2.1 since it had a bunch of smb fixes but no joy.

Thanks.
 

Chris Hoefler

Dabbler
Joined
Dec 18, 2013
Messages
22
The short answer is no. It is important to remember that Samba, first and foremost, is a project meant to provide Windows-client compatibility to an otherwise *nix or mixed network environment. So it has to do things the way a Windows client expects, even if it seems stupid to a *nix client.

The slightly longer answer is AD is not LDAP, and Windows clients expect their auth servers to behave like AD. Samba has uniquely allowed the auth server to not be AD for quite some time, but it can only do this if the LDAP schema strictly adheres to the AD schema. In other words, it has to have all of the account attributes that Windows clients expect (SIDs, primaryGroupId, etc). And even in this case, the password can't be stored in LDAP. Samba gets around this by syncing the ldap password with its own local password database so that it can do authentication in the way that Windows clients expect.

Your best bet is to start investigating Samba4, which is a drop-in replacement for AD, if you really want to switch to CIFS. OS X supports it quite well. Depending on your version of OpenDirectory, the Windows schema may be supported. I know we were able to do this with Snow Leopard a couple of years ago, but the quality of the server tools has decreased a bit since then in OS X. If it is supported and you want to use it, it will be a bear to get it working with FreeNAS and doing the required password replication. Personally, I don't think it is worth it, so I've been moving everything to a Samba4 domain.
 

itw

Dabbler
Joined
Aug 31, 2011
Messages
48
Thanks.

I guess where that leaves me is wanting a switch in FreeNAS to allow local authentication for CIFS even though I have LDAP enabled. Especially since LDAP is not AD, as you state.
 

Chris Hoefler

Dabbler
Joined
Dec 18, 2013
Messages
22
That much can be done. Put
Code:
passdb backend = tdbsam

in the "Auxiliary parameters" section of the CIFS configuration dialog to override the LDAP settings. I'm not completely sure where FreeNAS puts this file, so you might have to specify the location. Do this:
1) Disable ldap by turning off Directory Services.
2) Go to a root shell
3) Type "testparm" to get a dump of your Samba settings
4) Note the passdb backend setting
5) Turn Directory Services back on and put the passdb backend parameter in the CIFS config
6) That should do it.
 
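The procedure above can be rehearsed offline before touching the box. The script below is an added example, not code from this thread, from FreeNAS or from Samba: it feeds a constructed `testparm -s` dump and a constructed subschema dump (the kind `ldapsearch -b cn=subschema -s base attributeTypes` returns) through three small checks. It assumes two things that are not stated on the page: that Samba keeps the last assignment when a parameter is repeated inside `[global]`, which is what lets an auxiliary-parameter line override the generated `ldapsam` setting, and that the attribute names it looks for (`sambaDomainName`, `sambaSID`, `sambaNTPassword`, `sambaLMPassword`, `sambaAcctFlags`) are the ones Samba's `samba.schema` defines and an `ldapsam` backend needs. The OIDs in the sample schema are illustrative; only the `NAME` tokens matter to the check.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the passdb backend Samba will
# use, shows the effect of the auxiliary-parameter override, and reports which
# samba.schema attributes a directory's subschema is missing.

# Constructed stand-in for `testparm -s` output with LDAP directory services on.
TESTPARM_WITH_LDAP="[global]
	netbios name = HOMENAS
	workgroup = HOMEDOMAIN
	security = user
	passdb backend = ldapsam:ldap://127.0.0.1/
	ldap suffix = dc=homedomain,dc=com
	ldap admin dn = cn=admin,dc=homedomain,dc=com

[homes]
	path = /mnt/tank/homes
	read only = No
"

# Constructed subschema dump with only core attribute types defined.
SCHEMA_WITHOUT_SAMBA="dn: cn=Subschema
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) DESC 'RFC4519: common name(s)' SUP name )
attributeTypes: ( 2.5.4.0 NAME 'objectClass' DESC 'RFC4512: object classes of the entity' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
"

# Same dump after loading samba.schema (OIDs illustrative; names are what matter).
SCHEMA_WITH_SAMBA="$SCHEMA_WITHOUT_SAMBA
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaDomainName' DESC 'Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
"

# Print the effective "passdb backend" from the [global] section of $1.
# Assumption: Samba honours the last assignment of a repeated parameter,
# so the value printed is the last one seen before the next section header.
passdb_backend() {
    printf '%s\n' "$1" | awk '
        /^\[/ { in_global = ($0 == "[global]"); next }
        in_global && $0 ~ /^[ \t]*passdb backend[ \t]*=/ {
            sub(/^[ \t]*passdb backend[ \t]*=[ \t]*/, ""); val = $0
        }
        END { print val }'
}

# Succeed if the effective backend is an ldapsam backend (i.e. Samba will need
# the samba.schema attributes in the directory to start cleanly).
uses_ldapsam() {
    case "$(passdb_backend "$1")" in
        ldapsam*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Emulate an "Auxiliary parameters" entry: append line $2 at the end of the
# [global] section of config $1 (before the first following section header).
add_global_override() {
    printf '%s\n' "$1" | awk -v line="\t$2" '
        /^\[/ && in_global { print line; in_global = 0 }
        /^\[global\]/      { in_global = 1 }
        { print }
        END { if (in_global) print line }'
}

# Print each samba.schema attribute name absent from subschema dump $1.
# No output means the directory knows all of them.
missing_samba_attrs() {
    for attr in sambaDomainName sambaSID sambaNTPassword sambaLMPassword sambaAcctFlags; do
        printf '%s\n' "$1" | grep -q "'$attr'" || printf '%s\n' "$attr"
    done
}

# Stand-alone report when run directly.
printf 'generated passdb backend : %s\n' "$(passdb_backend "$TESTPARM_WITH_LDAP")"
OVERRIDDEN=$(add_global_override "$TESTPARM_WITH_LDAP" "passdb backend = tdbsam")
printf 'after auxiliary parameter: %s\n' "$(passdb_backend "$OVERRIDDEN")"
printf 'samba attrs missing (bare): %s\n' "$(missing_samba_attrs "$SCHEMA_WITHOUT_SAMBA" | tr '\n' ' ')"
printf 'samba attrs missing (full): %s\n' "$(missing_samba_attrs "$SCHEMA_WITH_SAMBA" | tr '\n' ' ')"
```

On a real box, replace the two constructed strings with `testparm -s 2>/dev/null` and the output of an `ldapsearch` against `cn=subschema`. If `missing_samba_attrs` lists `sambaDomainName`, the directory cannot hold the `sambaDomainName=HOMENAS,dc=homedomain,dc=com` entry that `add_new_domain_info` tried to create in the log above, and the `tdbsam` override (with a path, e.g. `tdbsam:/path/to/passdb.tdb`, if the default location turns out to be wrong) is the route that sidesteps the schema entirely.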