[Samba] Internal LDAP explanation
samba at marc-muehlfeld.de
Thu Apr 11 14:04:48 MDT 2013
On 11.04.2013 19:22, Eric PEYREMORTE wrote:
> - Can I connect to the new LDAP server from a remote machine
> (ldapsearch on port 389)? If not, why?
You work with it, as you did with openLDAP (authenticate against, etc.).
Have a look here, for some examples:
> - So, can I connect PAM for Linux users to this internal LDAP, and can I
> still continue to use this LDAP server for both Windows / Linux auth?
Yes. See this wiki page, too.
> - Shall I use ldapsam:tdb://something?
Where? For the migration? Yes. See
> - Can we have posix attributes like userPassword in there?
If you migrate from Samba 3.x, the attributes are transferred. But not
all. E.g. if you have mail, homePhone, and others filled, you have to
transfer them manually. I wrote a small shell script that reads them out
of the old openLDAP with ldapsearch and writes them to the new AD with
ldapmodify. It's not very difficult. But be sure to make a backup of
your AD before (or try it in a test environment before :-))!
> - I've read that we do not need to have a Linux user account for a Samba
> user account: it's not mandatory, isn't it?
No. Samba 4 only uses its own database. At filesystem level you then
only see, that files/directories are owned by UIDs/GIDs. If you want to
see usernames/groups, you have to use winbind or you get the mappings
from AD via Nslcd (via LDAP). For using Nslcd see
Because you don't go through an openLDAP proxy, adapt the mappings to the
attributes in AD.
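
An added example, not the script mentioned in the reply above: one way to turn ldapsearch output from the old openLDAP into ldapmodify change records for the attributes that are not migrated. The target container `CN=Users,DC=example,DC=com`, the `CN=<uid>` naming of the AD entries, and the sample entries are assumptions to adapt.

```shell
# Added example. Assumption: AD users are CN=<uid> under AD_BASE; adapt to your tree.
AD_BASE="CN=Users,DC=example,DC=com"
ATTRS="mail homePhone"
# Read LDIF entries on stdin, write "changetype: modify" records on stdout.
ldif_to_modify() {
    awk -v base="$AD_BASE" -v attrs="$ATTRS" '
    function flush(   i, a) {
        if (uid != "" && count > 0) {
            printf "dn: CN=%s,%s\nchangetype: modify\n", uid, base
            for (i = 1; i <= n; i++)
                if (want[i] in val) printf "replace: %s\n%s-\n", want[i], val[want[i]]
            print ""
        }
        uid = ""; count = 0
        for (a in val) delete val[a]
    }
    BEGIN { n = split(attrs, want, " ") }
    /^$/ { flush(); next }                  # blank line ends an entry
    /^uid: / { uid = substr($0, 6); next }
    {
        name = $0; sub(/:.*/, "", name)
        for (i = 1; i <= n; i++)
            if (tolower(name) == tolower(want[i])) {
                # Keep ":" or "::" so base64 values stay valid LDIF.
                val[want[i]] = val[want[i]] want[i] substr($0, length(name) + 1) "\n"
                count++
            }
    }
    END { flush() }'
}

# Constructed sample of ldapsearch -LLL -o ldif-wrap=no output.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,ou=People,dc=old,dc=example
uid: alice
mail: alice@example.com
homePhone: +49 30 5550100

dn: uid=bob,ou=People,dc=old,dc=example
uid: bob
mail:: Ym9iQGV4YW1wbGUuY29t

dn: uid=carol,ou=People,dc=old,dc=example
uid: carol
EOF
}

sample_ldif | ldif_to_modify   # demo: print the change records
```

For a real run, pipe `ldapsearch -x -LLL -o ldif-wrap=no` output for `uid mail homePhone` from the old server into `ldif_to_modify` and review the result before passing it to `ldapmodify -f` against the AD, after taking the backup recommended above. Entries without any of the listed attributes (carol in the sample) produce no change record.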