[Samba] Delegate Samba4 user authentication to an external LDAP server

Rowland Penny rowlandpenny at googlemail.com
Tue Mar 3 08:24:03 MST 2015

On 03/03/15 14:50, Mario Pio Russo wrote:
> Good Day All
> first of all thank you for this mailing list, it's really great, as great
> is Samba :D
> I have a question regarding Samba4 and the possibility to delegate
> authentication to an external LDAP server using Cyrus SASL.
> Basically I have already successfully implemented an authentication
> delegation from an OpenLDAP server (on CentOS) to another LDAP server (on
> AIX) via Cyrus SASL. I've done steps similar to what is described here:
> http://gauvain.pocentek.net/node/42
> and all worked fine.
> Now I want to replicate the same operation on a Samba4 AD domain (on Ubuntu
> 10.4). The final goal is that users on the Samba4 domain do not need a new
> password for it, but they can use the one of the centralized, external
> OpenLDAP (AIX). I know that Samba4 uses its own internal LDAP server, which
> is not OpenLDAP anymore, so now I have the following questions:
> - has any of you ever tried something similar?
> - in order to delegate authentication from OpenLDAP to LDAP, I had to
> install and use a specific cyrus-sasl plugin on my CentOS server:
> "cyrus-sasl-ldap.x86_64 : LDAP auxprop support for Cyrus SASL"; this does
> not seem to be present for Samba4, but only for OpenLDAP; do you know if I
> still need this? Is Cyrus-SASL support already included in Samba4?
> According to the Cyrus-SASL official web page there is no mention of
> Samba4: http://asg.web.cmu.edu/sasl/sasl-projects.html
> - I need to change the "password" attribute of each user and make it look
> similar to this: {SASL}username at externalldap.com. How can I modify that
> attribute?
> Thanks in advance, any help is welcome!!
> ___________________________________________________________________________________________
> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
> 815 2236, eMail: mariopiorusso at ie.ibm.com
> IBM Ireland Product Distribution Limited registered in Ireland with number
> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4

Let's see if I have got this right: from the link you have posted, you
want to replace the OpenLDAP side with Samba 4 in AD mode.

If this is the case, I do not think it will work; for one thing, an AD
user does not have a 'password' attribute.
If it is the opposite way round, then probably, but just replace 'AD side' with
'Samba4 AD side'.

You should also be aware that you can use Samba4 just like Samba3, i.e.
you can use OpenLDAP instead of the internal AD LDAP.
