[Samba] Delegate Samba4 user authentication to an external LDAP server

Andrew Bartlett abartlet at samba.org
Mon Mar 9 01:52:54 MDT 2015

On Tue, 2015-03-03 at 14:50 +0000, Mario Pio Russo wrote:
> Good Day All
> first of all thank you for this mailing list, it's really great, as great
> is Samba :D
> I have a question regarding Samba4  and the possibility to delegate
> authentication to an external LDAP server using Cyrus SASL.
> Basically I have already successfully implemented an authentication
> delegation from an OpenLdap server (on CentOs) to another LDAP server (on
> AIX) via cyrus SASL. I've done steps similar to what described here:
> http://gauvain.pocentek.net/node/42
> and all worked fine.
> now I want to replicate the same operation on a Samba4 AD domain (on Ubuntu
> 10.4). The final goal is that users on the Samba4 domain do not need a new
> password for it, but they can use the one of the centralized , external
> openldap (AIX). I know that Samba4 uses its own internal ldap server, which
> is not OpenLdap anymore, so now I hav ethe following questions:
> - has any of you ever tried something similar?
> - in order to Delegate authentication from OpenLdap to LDAP, I had to
> install and use a specific cycrus-sasl plugin on my  CentOs server:
> "cyrus-sasl-ldap.x86_64 : LDAP auxprop support for Cyrus SASL"; this does
> not seem to be present for samba4, but only from openldap; do you know if I
> still need this? is Cyrus-SASL support is already included in samba4?
> according to the cyrus-SASL official web page there is no mention of
> Samba4: http://asg.web.cmu.edu/sasl/sasl-projects.html
> - I need to change the "password" attribute of each user and make it look
> similar to this {SASL}username at externalldap.com , how can I modify that
> attribute?

No, it isn't possible.  Samba can only delegate authentication to AD or
Samba domains, not other LDAP servers or SASL, as our authentication
protocols do not disclose the plaintext password.  AD and Samba domains
support pass-though mechanisms for NTLM, and we can accept Kerberos
tickets issued by Kerberos servers.'

To be an AD DC, you need to be the source of truth for passwords.  I can
only suggest you arrange the reverse, that your OpenLDAP servers talk to
the Samba AD DC.

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list