[Samba] AD Auth, but Unix users and groups

Gary Algier gaa at ulticom.com
Mon Oct 22 17:20:17 GMT 2007

Gerald (Jerry) Carter wrote:
> Gary Algier wrote:
>> Hello All:
>> I have a Samba server (running 3.0.11) that uses an LDAP SAM for
>> authentication.  We now have AD (native mode) running in house.
>> Since everyone has a login there, I would like to use the AD
>> credentials for authentication.  However, I would like to continue
>> to use the Unix user ids and group ids, etc.
>> All the documentation for AD authentication talks about ID mapping, etc.
>> I don't think I need this.  I already have ids.  I don't need to map
>> them.
>> Is there an easy way to do what I want?
> Yes.  There are several ways.  In Samba 3.0.25 and later there
> is the idmap_nss plugin for winbind.  Prior to that is the
> "winbind trusted domains only" setting but that has some drawbacks.
> or you can possible forego Winbind and use something like nss_ldap.
> But you need to make sure that the user and group names in
> you directory match the AD environment.
> cheers, jerry
> =====================================================================
> Samba                                    ------- http://www.samba.org
> Centeris                         -----------  http://www.centeris.com
> "What man is a man who does not make the world better?"      --Balian

I am running Samba on Solaris 9.  The system in question uses NIS for
Unix users and groups.  However, the NIS is derived from Sun's N2L
products and the real store is in LDAP.  Because the data was in
LDAP, this led me to add the appropriate attributes to support Samba
for authentication (sambaNTPassword, et. al.).

This coming Friday the company is going with an Identity Management
system that will keep the AD passwords and the LDAP userpassword
attribute in sync.  Unfortunately, I have no way to have it also
update the sambaNTPassword attribute.  I figured that would be no
problem.  It would be simple to switch just the authentication.
I don't need to switch the user id source, just the authentication
source.  I got winbindd working and I joined the ad domain and
"smbclient -L gaa" (with my AD password) worked.  I cannot access
my home directory, however.

It sounds like the Samba solution only supports fully using the
Windows environment for everything.  I only want to use it for
the auth (and possibly SID, etc.).

Gary Algier, WB2FWZ          gaa at ulticom.com             +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054      Fax:+1 856 866 2033

Nielsen's First Law of Computer Manuals:
    People don't read documentation voluntarily.

More information about the samba mailing list