[Samba] samba as an ldap server

Rowland Penny rowlandpenny at googlemail.com
Thu May 22 13:52:56 MDT 2014

On 22/05/14 20:43, Gaiseric Vandal wrote:
> On 05/22/14 13:18, Stefan Kania wrote:
>> On 22.05.14 17:12, David Bear wrote:
>>> We would like to use samba 4.x as our ADDC and also as an ldap
>>> source for authentication. Google apps can use an ldap server as a
>>> source for users and groups. There seems to be plenty of use of AD
>>> as an ldap server for this purpose. I wanted to check to see if
>>> anyone has used samba 4 running as an ADDC as an authentication
>>> server for other services that can consume ldap.
>> Of course you can use Samba AD for authentication for Linux-clients.
>> Just configure winbind, join the domain and install libpam-heimdal
>> then you can use Kerberos-authentication.
>> -- Stefan Kania
> Kerberos aside, my understanding is that Samba 4 LDAP is rfc2307 and
> posix compatible? Wouldn't you be able to use an LDAP editor
> and add the following attributes for each user?
> objectClass = posixUser
> uid
> uidNumber
> gidNumber
> gecos
> homeDirectory
> userPassword

Yes, this is possible, but I think you meant posixAccount instead of
posixUser; either way, it shouldn't be added as it is not required.

> Even if you do use Kerberos for authentication, wouldn't you still
> need LDAP for group and autofs information? Kerberos would at least
> avoid the password sync issue.

AD has groups and you can extend the AD schema for autofs.


> I am still running Samba 3 with LDAP for Fedora Linux and Solaris
> machines. Fedora and Solaris both have Kerberos client support,
> but they use MIT Kerberos. Or from the client perspective, is
> there a difference between MIT and Heimdal?
