[Samba] nslcd samba 4.1 and FreeBSD 10

Doug Sampson dougs at dawnsign.com
Tue Oct 14 13:20:39 MDT 2014

Hello list-

As a FreeBSD shop we've used Samba 3.x quite well for a couple of years. With version 3.6 due to expire in due time, we've been experimenting with version 4.1 using winbindd with very limited success. We find that if we use the TDB backend instead of either RID or AD, we are able to enumerate our AD users via getent. I cannot enumerate AD users via either the AD or the RID backends. This doesn't strike me as a method I want to use, especially when the numerical user/group mappings differ between servers.

I saw a posting where it was recommended that FreeBSD sysadmins use either nslcd or sssd in order to enumerate AD users. After a period of experimentation, I can enumerate AD users successfully via nslcd (using bindpw) using the getent command. I can ssh into a FreeBSD box with my AD user credentials! The nslcd mappings are as follows:

# Alternative mappings for Active Directory
# (replace the SIDs in the objectSid mappings with the value for your domain)
pagesize 1000
referrals off
#idle_timelimit 800
filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
#map    passwd uid           cn
map    passwd uid           sAMAccountName
map    passwd uidNumber     objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
map    passwd gidNumber     objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
map    passwd homeDirectory "/home/$cn"
map    passwd gecos         displayName
map    passwd loginShell    "/bin/csh"
#filter group (|(objectClass=group)(objectClass=person))
filter group (objectClass=group)
map    group gidNumber      objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX

The next question is how to authenticate AD users using Samba 4.1. What is the recommended method for authenticating AD users via Samba 4.1 and nslcd? Should I use the smbpasswd auth method, i.e. using the migrate keyword to migrate auth info from the passwd/group files to the smbpasswd database? Or should I use ldap using the same mappings that nslcd uses?

If it is suggested that smbpasswd be used, which PAM policy should I use for Samba user authentication? The default FreeBSD implementation does not offer a policy for the Samba service. Here are the default policies:

root at cache:/home# ll /etc/pam.d/
total 64
-r--r--r--  1 root  wheel  2911 Jan 16  2014 README
-rw-r--r--  1 root  wheel   322 Jan 16  2014 atrun
-rw-r--r--  1 root  wheel   199 Jan 16  2014 cron
-rw-r--r--  2 root  wheel   531 Jan 16  2014 ftp
-rw-r--r--  2 root  wheel   531 Jan 16  2014 ftpd
-rw-r--r--  1 root  wheel   365 Jan 16  2014 imap
-rw-r--r--  1 root  wheel   588 Oct 10 12:16 login
-rw-r--r--  1 root  wheel   907 Oct 10 11:12 other
-rw-r--r--  1 root  wheel   318 Jan 16  2014 passwd
-rw-r--r--  1 root  wheel   365 Jan 16  2014 pop3
-rw-r--r--  1 root  wheel   328 Jan 16  2014 rsh
-rw-r--r--  1 root  wheel   884 Oct 10 13:46 sshd
-rw-r--r--  1 root  wheel   384 Jan 16  2014 su
-rw-r--r--  1 root  wheel   714 Jan 16  2014 system
-rw-r--r--  1 root  wheel   764 Jan 16  2014 telnetd
-rw-r--r--  1 root  wheel   529 Jan 16  2014 xdm
root at cache:/home#

Which one of these policies should be used for Samba?

If it is suggested to use LDAP, I am finding that this link:


may be outdated. The use of 'ldap backend' appears to be outdated. Where can I find the current version of how to connect Samba using LDAP?

Obviously I remain unclear as to what the best way to accomplish authentication via Samba 4.1 is. Any pointers/clarifications would be greatly appreciated! This is on a FreeBSD 10.0 machine.
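An added example (not from the post above, and not nslcd's own code) of the objectSid-to-RID translation that the "objectSid:S-1-5-21-..." mappings in the configuration rely on: the binary objectSid attribute AD returns is decoded, its domain prefix is compared against the configured domain SID, and the trailing RID becomes the numeric uid/gid, which is why the same ids come out on every host. The domain SID and RID 1104 are constructed sample values, and returning None for a SID from another domain is this example's own choice, not a statement about how nslcd handles that case.

```python
import struct

# Constructed sample domain SID (the post masks its real one with X's).
DOMAIN_SID = "S-1-5-21-1234567890-1234567891-1234567892"


def encode_sid(sid_text):
    """Encode an "S-1-..." string into the binary layout AD stores in objectSid:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then each sub-authority as a little-endian uint32."""
    parts = sid_text.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID: %s" % sid_text)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    blob = struct.pack("BB", 1, len(subs)) + authority.to_bytes(6, "big")
    return blob + b"".join(struct.pack("<I", s) for s in subs)


def decode_sid(blob):
    """Decode a binary objectSid back into its "S-1-..." text form."""
    if len(blob) < 8:
        raise ValueError("objectSid too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def numeric_id_from_objectsid(blob, domain_sid=DOMAIN_SID):
    """Return the RID of an objectSid as the numeric uid/gid, or None when the
    SID does not belong to the configured domain (e.g. BUILTIN S-1-5-32-*)."""
    sid_text = decode_sid(blob)
    prefix, _, rid = sid_text.rpartition("-")
    if prefix != domain_sid:
        return None
    return int(rid)


if __name__ == "__main__":
    # Constructed user with RID 1104 in the sample domain: maps to uid 1104.
    user_sid = encode_sid(DOMAIN_SID + "-1104")
    print(decode_sid(user_sid), "->", numeric_id_from_objectsid(user_sid))
    # BUILTIN\Administrators is outside the domain, so it gets no id here.
    print(numeric_id_from_objectsid(encode_sid("S-1-5-32-544")))
```

Note that RIDs below 1000 (the built-in Administrator account is RID 500 and Domain Users is RID 513) land in the range FreeBSD uses for system accounts, so compare the resulting ids against /etc/passwd and /etc/group for collisions before relying on the mapping.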
