[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?

Rowland Penny rowlandpenny at googlemail.com
Sat Apr 18 02:43:41 MDT 2015

On 17/04/15 23:48, john wrote:
> Hello all,
> I've just installed Samba 3.6.6 from the Debian Stable repo. I want to use
> this linux box as a smb file server for windows clients.

Is this wheezy ? if so, it might be an idea to use backports, this will 
get you 4.1.17 which is still in development, 3.6 is now EOL

> I installed NSLCD to allow users in AD to authenticate against my linux
> server per
> https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd

Why use nlscd ? why not use winbind, see: 

> getent passwd and getent group returns domain users with UID mappings like:
> tempuser at vanguard.mydomain.org:*:16043:16043:temp
> user:/home/VANGUARD/tempuser:/bin/bash

Well, that's wrong for a start, you seem to be getting the users 
principal name, it should look like:


This is the userPrincipalName attribute for the user above:

userPrincipalName: rowland at example.com

> Those same users can log into the linux box with their domain credentials
> via ssh and create files owned by them
> However I can't figure out how to configure Samba to allow these same users
> to access a samba file share via a windows 7 client. I thought that Samba
> would check /etc/nsswitch.conf like other services and use ldap just like
> ssh would.

No, this is down to whatever you are using for authentication. Can you 
post your smb.conf ?


> the relevant part of my nsswitch.conf file looks like:
> passwd:         compat ldap
> group:          compat ldap
> shadow:         compat ldap
> Do I need to install RFC2307 extensions per
> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC#Administer_Unix_Attributes_in_Active_Directory
> and then add something like the following to my smb.conf file?
> idmap config DOMAIN:backend = ad
> winbind nss info = sfu
> Any advice is appreciated!
> Thanks!
> John

More information about the samba mailing list