[Samba] samba using external LDAP authentication

Hendry, Chris Chris.Hendry at turner.com
Tue Jul 1 07:55:44 MDT 2014

Trying to understand authentication..

In a blog, someone was asking about authentication for a remote LDAP server on which they had no admin privileges, and thus could not get Samba configured correctly. He was pointed in the direction of joining the domain.

This led me to my question... could Samba not be configured to be read-only? Just to pass through authentication.

Answer from Andrew Bartlett

No, it can't because it needs to read the password hashes, or have some other service that can interpret challenge-response values. That 'other service' is the DC that you join (and that is why we join it).

My next question:

So when login authentication occurs for a Linux server (configured to authenticate to an LDAP server), what is reading the "password hashes"? I thought it was just doing pass-through authentication (via PAM).

Also, what is typical for LDAP admins to do in this case? Provide a read-only type of admin login?

Chris H
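
Added example, not part of the original post or of Samba's code: a simplified model of the distinction in the quoted answer. With PAM/LDAP the server receives the cleartext password and can hand it to the directory in a bind, while an SMB-style challenge-response gives the file server only a response that must be recomputed from the stored hash. The account, the function names, and the use of SHA-256/HMAC in place of the real NT hash and NTLM response computation are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample account, not taken from the original post.
USER, PASSWORD = "chris", "S3cret-example"

def stored_hash(password: str) -> bytes:
    """Stand-in for the hash the directory stores (assumption: SHA-256, not the real NT hash)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

# Only the directory (or a DC) holds this table.
DIRECTORY = {USER: stored_hash(PASSWORD)}

def ldap_simple_bind(user: str, cleartext_password: str) -> bool:
    """PAM/LDAP path: the login host forwards the cleartext password and the
    directory checks it against its own hash. The login host reads no hashes."""
    expected = DIRECTORY.get(user)
    return expected is not None and hmac.compare_digest(
        expected, stored_hash(cleartext_password))

def client_response(password: str, challenge: bytes) -> bytes:
    """Challenge-response client: the password never leaves the client, only
    a value keyed by its hash and bound to the server's challenge."""
    return hmac.new(stored_hash(password), challenge, hashlib.sha256).digest()

def verify_response(user: str, challenge: bytes, response: bytes, hash_source: dict) -> bool:
    """The verifier must recompute the response, so it needs the stored hash
    (or must ask a service that has it, which is the role of the DC)."""
    user_hash = hash_source.get(user)
    if user_hash is None:
        return False  # nothing to bind with: there is no password to forward
    expected = hmac.new(user_hash, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    challenge = os.urandom(8)
    response = client_response(PASSWORD, challenge)
    return {
        "pam_bind_ok": ldap_simple_bind(USER, PASSWORD),
        "file_server_without_hashes": verify_response(USER, challenge, response, {}),
        "verifier_with_hashes": verify_response(USER, challenge, response, DIRECTORY),
    }

if __name__ == "__main__":
    print(demo())
```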

