[Samba] winbind, idmap_ad and ldaps

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Jul 28 04:44:07 MDT 2011

On Thu, Jul 28, 2011 at 12:31:22PM +0200, Ollenburg, Andreas (KRZ) wrote:
> A Samba file server - Samba 3.5.6 - running in a Windows AD
> as a member server using idmap_ad for mapping the
> user IDs. This all works fine as long as the LDAP port 389
> is available on the domain controllers. Now, our AD admin
> wants to close this and move over to LDAPS. And here is my
> problem. How do I configure my Samba server - resp.,
> winbindd - so it only communicates on port 636? I think I
> tried all combinations available in the manuals but it
> still uses port 389. (e.g. ldap ssl = start tls + ldap ssl
> ad = yes, winbind rpc only = Yes, name resolve order =
> host). The idmap backend should stay on "ad" for the ADS
> and we do not want to change it to ldap.

Right now you can't do that. What you can do is convince
your admin to leave 389 open but to enforce SASL encryption
for LDAP communication. There are registry settings for that.
Then set

client ldap sasl wrapping = seal

in your smb.conf.


SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
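An added check, not part of the thread and not Samba's own tooling: a small POSIX shell script that reads an smb.conf and reports the effective `client ldap sasl wrapping` value, so a member-server admin can confirm the setting from the reply above is really in place before the DCs start enforcing signing and sealing. It assumes a flat smb.conf (no `include =` lines, no registry-backed configuration), and the domain name, realm, idmap range and share path in the constructed sample files are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Reports whether an smb.conf asks
# winbindd to seal (sign + encrypt) its SASL-bound LDAP traffic to the DCs.
# Assumes a flat smb.conf with no "include =" and no registry-backed config.
# Domain, realm, ranges and paths below are constructed placeholders.

ldap_sasl_wrapping() {
    # Print the effective "client ldap sasl wrapping" value from [global].
    # Samba ignores case and whitespace in parameter names, and a later
    # occurrence overrides an earlier one, so normalise and keep the last
    # match. The built-in default in Samba 3.x is "plain" (no signing or
    # sealing), which is what a file without the setting falls back to.
    awk -F= '
        /^[[:space:]]*\[/ {
            sec = tolower($0); gsub(/[][]/, "", sec); gsub(/[[:space:]]/, "", sec); next
        }
        sec == "global" && NF >= 2 {
            key = tolower($1); gsub(/[[:space:]]/, "", key)
            if (key == "clientldapsaslwrapping") {
                val = tolower($2); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                last = val
            }
        }
        END { print (last == "" ? "plain" : last) }
    ' "$1"
}

write_sample() {
    # Write a constructed AD member-server smb.conf to $1. If $2 is given it
    # becomes the "client ldap sasl wrapping" value; if omitted the file has
    # no such line, to show the default that applies.
    {
        printf '[global]\n'
        printf '   workgroup = EXAMPLEDOM\n'
        printf '   realm = EXAMPLEDOM.EXAMPLE\n'
        printf '   security = ads\n'
        printf '   idmap config EXAMPLEDOM : backend = ad\n'
        printf '   idmap config EXAMPLEDOM : range = 10000-19999\n'
        if [ -n "$2" ]; then
            # Mixed case on purpose: Samba accepts it, and so must the check.
            printf '   Client LDAP SASL Wrapping = %s\n' "$2"
        fi
        printf '[share]\n'
        printf '   path = /srv/share\n'
    } > "$1"
}

weak=$(mktemp)
fixed=$(mktemp)
write_sample "$weak"           # setting absent: winbindd talks to LDAP in the clear
write_sample "$fixed" seal     # sealed, as recommended in the reply
printf 'weak:  %s\nfixed: %s\n' \
    "$(ldap_sasl_wrapping "$weak")" "$(ldap_sasl_wrapping "$fixed")"
rm -f "$weak" "$fixed"
```

The function deliberately mirrors Samba's loose parameter matching (case and whitespace are ignored, last value wins), because a naive `grep` for the exact string would miss a valid but differently spelled line and report a false negative. Note that `seal` only covers winbindd's own LDAP connections; it does not close port 389, which is exactly the point of the reply: the port stays open, but the DC-side registry policy rejects unsigned or unsealed binds on it.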