[Samba] OpenSSH auth in SAMBA4 LDAP

Marc Muehlfeld samba at marc-muehlfeld.de
Mon Aug 26 02:43:06 MDT 2013

Hello Bruno,

On 25.08.2013 22:26, Bruno Vane wrote:
> Yes I read these sections, but I want something different. Users will
> join on AD domain (Samba 4) and will connect to an "entry" SSH server,
> and from this server they can access other SSH servers on the network.
> All SSH servers are configured with /etc/hosts.allow to allow SSH
> connections only from this "entry" SSH server. These Ubuntu servers
> running SSH will not join in the AD domain, only users of the network.
> Is this possible?

I think this shouldn't matter. You can configure the "entry" host with 
nslcd to retrieve the account information via LDAP from AD and pam_ldap 
to authenticate against AD (without necessity to join the machine to the 

Then you have the other hosts. These you can authenticate in the same 
way, if they are not joined to the domain, or you join them and the 
authentication is done through winbind.

For the nslcd you can use the following config (you must create a bind 
account in your domain for that first):

  #Mappings for Active Directory
  pagesize 1000
  referrals off

  # Passwd
  filter  passwd 
  map     passwd  uid                     sAMAccountName
  map     passwd  homeDirectory           unixHomeDirectory
  map     passwd  gecos                   displayName
  map     passwd  gidNumber               primaryGroupID

  # Shadow
  filter  shadow 
  map     shadow  uid                     sAMAccountName
  map     shadow  shadowLastChange        pwdLastSet

  # Groups
  filter  group 
  map     group   uniqueMember            member

  # Local account, nslcd runs under
  uid nslcd
  gid ldap

  # LDAP server settings
  uri ldap://
  base dc=SAMDOM,dc=example,dc=com

  # Account in AD that is used from Nslcd to bind to the directory
  binddn CN=nslcd-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
  bindpw xxxxx

pam_ldap config you find here:
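
Added example, not part of the original post and not the pam_ldap config referred to above: the nslcd config in the post keeps bindpw in clear text and uses an ldap:// URI, so this sketch checks an nslcd.conf body for those two points plus a weakened tls_reqcert. The host name, the file modes and the function names are assumptions; ssl, tls_reqcert, uri and bindpw are the nslcd.conf option names.

```python
import stat

# Constructed sample modelled on the config in the post; the host name is a
# placeholder and is not taken from the post.
SAMPLE_CONF = """\
# LDAP server settings
uri ldap://dc1.samdom.example.com
base dc=SAMDOM,dc=example,dc=com
binddn CN=nslcd-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
bindpw xxxxx
"""

def parse_options(text):
    """Return {option: [values]} for an nslcd.conf body, skipping comments."""
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), []).append(value)
    return opts

def audit_nslcd(text, mode):
    """Return a list of findings for an nslcd.conf body and its file mode."""
    opts = parse_options(text)
    findings = []
    # bindpw is stored in clear text, so 'other' must have no access to the file.
    if "bindpw" in opts and mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("bindpw present but file is accessible to 'other'")
    uris = [u for v in opts.get("uri", []) for u in v.split()]
    starttls = "start_tls" in opts.get("ssl", [])
    # ldap:// without StartTLS sends the bind password and lookups unencrypted.
    if any(u.startswith("ldap://") for u in uris) and not starttls:
        findings.append("ldap:// uri without 'ssl start_tls'")
    # never/allow/try let a session continue without a verified server cert.
    reqcert = opts.get("tls_reqcert", [""])[-1]
    if reqcert in ("never", "allow", "try"):
        findings.append("tls_reqcert %s does not require a valid certificate" % reqcert)
    return findings

if __name__ == "__main__":
    for finding in audit_nslcd(SAMPLE_CONF, 0o644):
        print("WARN:", finding)
```

On a real host the mode would come from os.stat("/etc/nslcd.conf").st_mode; the path is the usual location and is an assumption here.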

