kitodo / kitodo-production

Kitodo.Production is a workflow management tool for mass digitization and is part of the Kitodo Digital Library Suite.
http://www.kitodo.org/software/kitodoproduction/
GNU General Public License v3.0

Replace LDAP for Samba authentication #4646

Open matthias-ronge opened 3 years ago

matthias-ronge commented 3 years ago

Description

I asked a question on Ask Ubuntu. As a side note, I was told:

you should be aware that Samba is actively working on removing SMBv1, this will mean that you will no longer be able to use openldap with Samba. This will not happen at once, it may be a year or so, but it will happen, so I suggest you start planning to upgrade to Samba AD or similar

This will mess up our whole system of using LDAP, with LDAP groups, for creating Samba users.

TODO:

It seems to me that the simplest solution is to do without LDAP authentication for file upload access. Instead, the script_createUserHome should be passed the user password in clear text so that the script can configure file upload access using system commands. A second script_changeUserPassword would need to be added, which is run when a user changes their password so that the script can catch up with the password change for file upload access.

This does not affect the options for authentication against LDAP, which will still be possible. But, on the other hand, it would also make it possible for Production to manage file upload access, even if the LDAP is a non-writable, company-wide directory (that does not support a Samba scheme, for example Microsoft Active Directory), which is currently not supported.

Estimated Costs and Complexity

This is a mid-range project with 5 PT.

henning-gerhardt commented 3 years ago

Thank you for sharing this information.

matthias-ronge commented 3 years ago

It seems that the best solution would be to get all of the writable LDAP stuff out of Production. Instead, the script_createUserHome invokes useradd and samba-tool user create to create the user locally and create the file share. A second script_updateUserPassword could handle password changes. This would save us a lot of complexity in the Production server installation process.

I do not mean to dispose of all of the LDAP functionality, but to keep the LDAP functionality only optionally usable for authenticating against an external LDAP. In combination with local scripts, local file shares could even be combined with authentication against external LDAP without any problems, which is currently not possible.
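The two hook scripts sketched in this thread, script_createUserHome receiving the clear-text password and a companion script_changeUserPassword, are illustrated below as an added example; this is not Kitodo code and nothing in the project calls it. It assumes a classic Samba setup administered with smbpasswd rather than Samba AD, a Debian/Ubuntu nologin shell path, and that Production hands the password over on the script's standard input instead of as a command-line argument, so it never appears in process listings or shell history. The username is checked against a strict login-name pattern before it reaches any system command, and DRY_RUN=1 only prints the commands that would run.

```shell
#!/bin/sh
# Added example, not Kitodo.Production project code.
# Sketch of the proposed hook scripts: the caller passes the username as
# argv[1] and writes the password as a single line to stdin.
# Assumed: classic Samba (smbpasswd), nologin at /usr/sbin/nologin.

set -eu

# A username from the web application must never be interpretable as shell
# syntax or as an option to useradd/smbpasswd: allow only conservative
# POSIX login names (lowercase, digits, _ and -, at most 32 characters).
validate_username() {
    nl='
'
    case "$1" in *"$nl"*) return 1 ;; esac     # grep works per line
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Runs a command, or prints it when DRY_RUN=1. Passwords are piped on
# stdin, so a dry run never shows them.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Reads one line of stdin into $password; fails on EOF or empty input.
read_password() {
    IFS= read -r password || return 2
    [ -n "$password" ] || return 2
}

# script_createUserHome: local account without a login shell, home
# directory as the file share, Unix and Samba password set from stdin.
create_user_home() {
    user=$1
    validate_username "$user" || { echo "invalid username" >&2; return 2; }
    read_password || return 2
    run useradd --create-home --shell /usr/sbin/nologin "$user"
    printf '%s:%s\n' "$user" "$password" | run chpasswd
    # smbpasswd -s reads the new password twice from stdin; -a adds the user
    printf '%s\n%s\n' "$password" "$password" | run smbpasswd -s -a "$user"
}

# script_changeUserPassword: keep the Unix and Samba passwords in sync
# after the user changed the password in Production.
change_user_password() {
    user=$1
    validate_username "$user" || { echo "invalid username" >&2; return 2; }
    read_password || return 2
    printf '%s:%s\n' "$user" "$password" | run chpasswd
    printf '%s\n%s\n' "$password" "$password" | run smbpasswd -s "$user"
}

# Dispatcher, e.g.:  printf '%s\n' "$pw" | ./script.sh create alice
case "${1:-}" in
    create) shift; create_user_home "$@" ;;
    change) shift; change_user_password "$@" ;;
esac
```

Both scripts fail closed: a rejected username stops before any account is touched, and an empty or missing password line is treated as an error rather than as a blank password. Because the password is read from stdin, the Java side would write it to the child process's input stream and close it, instead of building a command line.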

henning-gerhardt commented 3 years ago

If we move the LDAP writing stuff for Samba into these scripts but keep the other functionality alive, then these changes should be "small". Except that I did not know how these scripts are integrated into the application. Calling them from outside by an administrator is not a solution in my opinion.

solth commented 5 months ago

Votes: 1

BartChris commented 2 months ago

Has anyone already tested the current setup on newer kernel versions >= 5.15, which are shipping with Debian 12 or Ubuntu 22/24? There seem to be problems with SMBv1 already: https://bugzilla.kernel.org/show_bug.cgi?id=215375