[Samba] Samba & (anonymous) LDAP Authentication

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Mar 29 15:38:39 MDT 2010

According to how you have described your environment, whether or not you 
use LDAP for Samba's backend, your users will still need corresponding 
unix accounts AND will still have separate unix and windows 
passwords. If you use ldap there will be separate fields for the 
different passwords. If you configure password sync it should appear 
to the users that they have a single password. (i.e. they change the 
password in Windows or with smbpassword the unix password should also 

If you really want a single password I think your options are as follows:
     Configure unix logons to use winbind authentication (i.e. 
authenticate using the samba/windows password.)
     Use kerberos for unix and samba.

But that may not resolve your concerns with Samba writing to LDAP.

So if you only have one samba machine and only a few users you may 
still want to stick to the TDB backend for the windows account info. 
Samba will still match the unix name to the windows name either way.

# pdbedit -Lv jsmith
Unix username:        jsmith
NT username:          jsmith

I am running LDAP backend for both unix and samba/windows accounts. 
Initially I was running NIS for unix passwords and TDB for samba, then I 
moved unix to ldap (while keeping samba in TDB) and then I moved samba 
to TDB. I wanted LDAP backend for everything to make it easier to 
support multiple Samba machines and also because I did want to 
consolidate account information as much as possible.

You should be able to create an ldap user that has full (or a lot of) 
rights on a particular branch of your ldap tree. I use sun directory 
studio so I am not sure how this would be handled with OpenLDAP. I 
think Samba will still need to write things like "last logon" info to 
ldap. And if you have password sync Samba needs to write to the 
password fields. LDAP ACLs are not my strong point; I mostly copy, 
edit and paste existing ACLs.

On 03/29/2010 04:43 PM, Robert Heller wrote:
> I am trying to set things up to allow a *few* select users on a small
> number of MS-Windows boxes to write to a couple of directories on a
> Linux server.  Most of the users on the MS-Windows boxes will only have
> anonymous (guest) read-only access to one directory and anonymous
> (guest) access to the printers.
> The Linux server primarily is a PXEBoot and NFS server for a group of
> diskless Linux workstations.  I am using LDAP for user Authentication
> for these machines.  I would *like* to have just one user authentication
> database (the LDAP one).  The MS-Windows machines will *never* need to
> allow things like user creation or modification (including password
> changing), so Samba *should not need* the rootdn password for the LDAP
> server.
> I am having a hard time figuring out how to do this.  It *seems* that
> Samba wants to have the rootdn password -- do I have to configure it
> that way?  Or do I have to *duplicate* the user authentication in
> Samba's own user database (resulting in people having their passwords
> in two separate places and/or end up having two passwords for their
> accounts [a Linux password and a MS-Windows password])?  The *best*
> option would be for Samba to just go though pam/nss (like everything
> else under Linux), but it looks like Samba no longer does things this
> way.
> I am using Samba 3.0.33-3.15.el5_4.1 on a CentOS 5.4 (32-bit) system.
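The limited-rights LDAP account suggested in the reply above, written out for OpenLDAP's slapd.conf as an added example (not configuration from either poster): Samba binds as a dedicated service DN that may write only the attributes ldapsam actually maintains (password fields for sync, logon bookkeeping, the sambaDomain entry), so the rootdn password never has to be given to Samba. The base DN, the ou=people / ou=groups / ou=services branches and the cn=samba service DN are assumed names.

```conf
# Added example (not from the thread): OpenLDAP slapd.conf ACLs that let Samba's
# ldapsam backend bind as a dedicated service account instead of the rootdn.
# Assumed names: base dc=example,dc=com, users under ou=people, groups under
# ou=groups, and service DN cn=samba,ou=services,dc=example,dc=com.
# Clauses are evaluated in order; the first "access to" that matches wins.

# Password material: Samba reads the NT/LM hashes to authenticate and writes
# them (plus userPassword) when "ldap passwd sync = yes". Users may change
# their own userPassword; anyone may use it to bind; nobody else reads it.
access to attrs=userPassword
    by dn.exact="cn=samba,ou=services,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none
access to attrs=sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange
    by dn.exact="cn=samba,ou=services,dc=example,dc=com" write
    by * none

# Per-session bookkeeping Samba updates (last logon, bad-password counters).
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs=sambaLogonTime,sambaLogoffTime,sambaBadPasswordCount,sambaBadPasswordTime
    by dn.exact="cn=samba,ou=services,dc=example,dc=com" write
    by * read

# The sambaDomain entry (domain SID, RID allocation, lockout policy) is the one
# other object Samba maintains. Create it once as the directory admin; no clause
# here grants add or delete rights, so Samba can update but never create entries.
access to filter=(objectClass=sambaDomain)
    by dn.exact="cn=samba,ou=services,dc=example,dc=com" write
    by * read

# Everything else (uid, uidNumber, sambaSID, group membership, ...) is read-only
# for Samba and for NSS clients; only the rootdn, which bypasses ACLs, can alter it.
access to *
    by * read
```

On the Samba side, point `ldap admin dn` in smb.conf at cn=samba,ou=services,dc=example,dc=com (with `passdb backend = ldapsam:ldap://...`) and store that account's password with `smbpasswd -w`; if the sambaDomain entry is missing at first start, create it as the directory admin rather than widening the ACLs.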
