[Samba] would like to use samba3 pdc, no ldap account backend db, but use ldap for authN

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed May 16 07:46:28 MDT 2012

On 05/16/12 09:24, Jon Detert wrote:
> ----- Original Message -----
>> From: "Volker Lendecke" <Volker.Lendecke at SerNet.DE>
>> To: "Jon Detert" <jdetert at infinityhealthcare.com>
>> Cc: samba at lists.samba.org
>> Sent: Wednesday, May 16, 2012 1:28:51 AM
>> Subject: Re: [Samba] would like to use samba3 pdc, no ldap account backend db, but use ldap for authN
>> On Tue, May 15, 2012 at 04:54:37PM -0500, Jon Detert wrote:
>>> I'd like to:
>>> 1) use samba3 as a PDC, and
>>> 2) not use LDAP as the account backend database, and
>>> 3) specify samba to use but use "encrypt passwords = true", and
>>> 4) use an ldap server as the authentication source for samba.
>>> Is that possible?
> -- snip --
>>> work-around?  I don't want to add the samba schema to my
>>> existing ldap server, but I do want to use my existing
>>> ldap server for authN.
>> No, this is not possible. Samba never sees the plain text
>> password which is required for authentication via PAM.
>> Volker
> How then does it work when using ldap as the account backend database?
> Does the schema include an attribute for the LMAN hashed password?
LDAP has attributes for both Unix and Windows passwords. Since Samba
can reset the Unix password when you change your Windows password, it
lets it appear to be a single password (even if both, neither, or only
one system uses an LDAP backend). If you are going to use LDAP for Unix
authentication, the incremental effort for Samba authentication isn't
that much. I think it makes for a cleaner IT environment if you can
consolidate your account backends.
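
Added example, not part of the original thread and not Samba's own code: a sketch of an NTLMv2-style challenge-response check, showing why a server using encrypted passwords needs the stored NT hash (what the `sambaNTPassword` attribute holds in an ldapsam setup) and never has a plain-text password to hand to PAM or an LDAP bind. The account name, domain and hash value are constructed, and the client blob is reduced to random bytes.

```python
import hashlib
import hmac
import os

# Constructed sample account data (not from the thread). The real NT hash is
# MD4 over the UTF-16LE password; here a fixed 16-byte value stands in for it.
USER, DOMAIN = "jdoe", "EXAMPLE"
STORED_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user)+domain."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()


def client_response(nt_hash, user, domain, server_challenge, blob):
    """What the workstation sends: a 16-byte proof plus the blob, no password."""
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(stored_nt_hash, user, domain, server_challenge, response):
    """Server-side check: recompute the proof from the stored hash and compare."""
    proof, blob = response[:16], response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo():
    challenge = os.urandom(8)  # server challenge, fresh for every logon
    blob = os.urandom(16)      # stands in for the client blob (timestamp, nonce)
    good = client_response(STORED_NT_HASH, USER, DOMAIN, challenge, blob)
    bad = client_response(bytes(16), USER, DOMAIN, challenge, blob)  # wrong hash
    # The server decides using only the stored hash; nothing it receives
    # could be replayed as a plain-text password to PAM or an LDAP simple bind.
    return (server_verify(STORED_NT_HASH, USER, DOMAIN, challenge, good),
            server_verify(STORED_NT_HASH, USER, DOMAIN, challenge, bad))


if __name__ == "__main__":
    print(demo())
```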
