How to test samba LDAP parameters with openldap tools, eg ldapsearch?

Rowland Penny rpenny at
Wed Apr 12 10:08:22 UTC 2023

On 12/04/2023 10:58, Jan Andersen via samba-technical wrote:
> I have an openLDAP service running on a debian 11 system, and Samba 4.13 
> on another Debian 11. In smb.conf I have set up the following:
>    # LDAP Settings
>    passdb backend = ldapsam:ldap://
>    ldap suffix = dc=zombie,dc=io
>    ldap user suffix = ou=people
>    ldap group suffix = ou=groups
>    ldap machine suffix = ou=computers
>    ldap idmap suffix = ou=Idmap
>    ldap admin dn = cn=admin,dc=zombie,dc=io
>    ldap ssl = start tls
>    ldap passwd sync = yes
> I have some trouble understanding why this doesn't appear to work, and I 
> would like to try to understand how these parameters map to the 
> parameters of, say, ldapsearch, so I can see if the problem lies there.
> I have run smbd with max debugging, and as far as I can see, it 
> successfully makes contact with the LDAP server, but then doesn't find 
> the user I'm trying to log in with. However, when I do a search with 
> ldapsearch, like this:
> ldapsearch -v -b "dc=zombie,dc=io" -H ldaps:// -D 
> "cn=admin,dc=zombie,dc=io" -W
> - I find the user in the output. So, my question is, which ldapsearch 
> command would be equivalent to what smbd is doing?

It will probably help if you can supply logs showing Samba failing.
Also showing us your complete smb.conf will help.

Do you have 'server min protocol = NT1' set in your smb.conf ?

Are you also aware that Samba is actively working on removing SMBv1 
(which a PDC requires) and that several of the attributes required are 
now turned off by default ?
see here:


More information about the samba-technical mailing list