[Samba] Samba file server using ldap backend without AD or PDC?

Brian Gold bgold at simons-rock.edu
Fri Nov 30 07:42:31 MST 2012

On 2012-11-30 9:22 am, Gaiseric Vandal wrote:
> Can you clarify one thing - why are you using the sambaNTPassword in
> openldap if openldap is not currently used for samba authentication? I
> would have thought that you would use the standard password field.

We are using the standard userPassword field for most things, but for 
radius authentication via PEAP/MSCHAPv2, we needed to use 
sambaNTPassword instead.

> I use Samba 3.x DCs with an ldap back end. I also use the ldap
> backend for unix authentication as well as authentication to various
> other systems that support LDAP authentication. If you are using
> one or more BDCs you really do have to use an LDAP back end. But
> there is no reason why member servers can use an LDAP backend.
> If the underlying unix account for each samba account is in
> /etc/passwd and not LDAP, you should consolidate it all into LDAP.

We currently don't want to deploy a PDC or BDC if we don't need to. All 
we want to do is have a file server that can authenticate using the 
username/password stored in openldap.

> Do the sambaNTPassword (and other samba attributes)  in LDAP match
> those in the tdb backend?    You may find you want to blast away the
> existing sambaNTPassword entries in LDAP before  you migrate the TDB
> data to LDAP.

No, our current Samba file server has a totally separate set of 
passwords. When we transition over to this new Samba file server, we 
will be having all our users use their openldap password instead. We do 
not want to sync their existing tdb passwords over to LDAP.
