[Samba] 389 Directory Server (LDAP) and SAMBA

Christian Rost christian.rost at rocon-it.de
Wed Feb 13 01:14:16 MST 2013

Hi Dorian,

samba and ldap don't need to be on the same machine, but most setups use it this way. In smb.conf you have to specify your passdb backend like

passdb backend = ldapsam:ldap://<FQDN or IP of ldap-server>/

or better 

passdb backend = ldapsam:ldaps://<FQDN or IP of ldap-server>/

to transmit the queries over TLS/ SSL. In addition to samba, you need to setup your OS itself, to authenticate against LDAP (see nsswitch, pam).

With samba 3.x you need to add additional objectlasses and attributes to your ldap based user/ group profiles. See [http://www.samba.org/samba/docs/man/Samba3-HOWTO/passdb.html] for more details. If the Windows RID and Linux UID/ GID are stored in your user/ group profiles, you don't need winbind and idmap. 

You only need winbind/ idmap if you're authenticating Linux against samba or a Windows host, but that's not what you want to do. 

## Additional Information:


Dipl.-Ing. Christian Rost [T.I.S.P.]
roCon - Informationstechnologie
Ulmenstraße 45

44534 Lünen

fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de

--------Dorian Preston <dpreston at remindermedia.com> wrote--------
Subject: [Samba] 389 Directory Server (LDAP) and SAMBA
Date: 12.02.2013 23:09

>I have:
>*389 Directory Server (v1.2) with about 100+ current and active users.
>*Separate SAMBA server that I would like to use LDAP credentials to
>authenticate with.
>Found guides for using LDAP credentials with SAMBA here:
>What I have been able to do:
>Added the samba schema information (61samba.ldif) into my 389 directory
>Used the configure.pl script to configure smbldap-tools for my 389
>Directory server.
>Ran smbldap-populate to add the basic Windows user setup for SAMBA. 
>It seems that all of the SAMBA/LDAP guides expect SAMBA and LDAP to be on
>the same server.
>Don't really understand how I am supposed to add the SAMBA schema
>information to my current LDAP users so they can be authenticated via
>One of the guides says alot about enabling winbind and authconfig. Don't
>know if this is needed.
>Is there any up to date documentation for using 389 Directory Server as an
>LDAP Authentication Backend for SAMBA?
>Is there a process (read. I unfortunately can't just delete/add user
>accounts with SAMBA info) for adding SAMBA information into my existing
>LDAP accounts?
>Do I need to do anything using authconfig?
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list