[Samba] Is it possible to make Samba4 use an external LDAP server for authN, and its own internal LDAP server for all other LDAP purposes?

Andrew Bartlett abartlet at samba.org
Mon May 6 15:20:38 MDT 2013

On Mon, 2013-05-06 at 15:09 -0500, Jon Detert wrote:
> My company uses 389-ds for its LDAP service, and all services are configured to use that LDAP for authentication.
> I'd like to start using Samba4 as an AD DC, in order to control/manage MsWin computers.
> It was simplest to me to install Samba4 configured to use its own internal LDAP server, rather than make it use my existing 389-ds LDAP server.
> However, I want Samba4 to authenticate to the 389-ds, since that is where the user passwords are, and:
> a) I don't know how to extract the passwords into a format that Samba4 could use, and
> b) Even if I did, I don't want to maintain the passwords in 2 places (389-ds and Samba4).
> Hence the question:
> Is it possible to make Samba4 use an external LDAP server for authentication, and its own LDAP server for all other LDAP purposes (e.g. authorization; user-object data; computer-object data; etc.)?

Not at this time, but I certainly understand the attraction.

The issue is that we need all the Kerberos keys, and that's unlikely to
be maintained in your server (but could quite practically be maintained
in a system like OpenLDAP using the smbk5pwd module).

Then it would 'only' be the issue of having Samba read and write those
passwords in the remote server for the relevant user.

Passwords are in some ways the slightly easier part of this problem,
because typically last writer wins, and they are not available for read
by normal clients, so we have more latitude in the games we play, but
this is at best a development task, and at worst still too hard.

Or we could do password sync - the passwords 389 natively stores are of
no value to us, but I've been increasingly thinking that a variant of
the password set extended operation could be used on a privileged
connection to change passwords in sync between Samba and other

At this point, we recommend folks consider if their other services can
use Samba as that central LDAP server.  We realise this is not ideal

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
