[Samba] Delegate Samba4 user authentication to an external LDAP server

Mario Pio Russo mariopiorusso at ie.ibm.com
Tue Mar 10 04:46:47 MDT 2015

Thanks for your answer. Unfortunately I cannot do the reverse
authentication; everything has to work as I have described. Furthermore I
cannot change my external trust authority for authentication. From this
thread it looks like the only option is to use local passwords for the
Samba4 domain users, which adds some complexity when managing IDs (and above
all passwords), as a single user might have different IDs/passwords in the
Samba4 domain and the LDAP one.

I've read a few other threads about using OpenLDAP as the backend of a Samba4
AD DC; seemingly there was a project to integrate OpenLDAP within the Samba4
AD DC. Do you know if there is any progress in that direction?


From:	Andrew Bartlett <abartlet at samba.org>
To:	Mario Pio Russo/Ireland/IBM at IBMIE
Cc:	samba at lists.samba.org
Date:	09/03/2015 07:53
Subject:	Re: [Samba] Delegate Samba4 user authentication to an external LDAP server
Sent by:	samba-bounces at lists.samba.org

On Tue, 2015-03-03 at 14:50 +0000, Mario Pio Russo wrote:
> Good day all,
> first of all thank you for this mailing list, it's really great, as great
> as Samba is :D
> I have a question regarding Samba4 and the possibility of delegating
> authentication to an external LDAP server using Cyrus SASL.
> Basically I have already successfully implemented an authentication
> delegation from an OpenLDAP server (on CentOS) to another LDAP server (on
> AIX) via Cyrus SASL. I've done steps similar to what is described here:
> http://gauvain.pocentek.net/node/42
> and all worked fine.
> Now I want to replicate the same operation on a Samba4 AD domain (on
> 10.4). The final goal is that users on the Samba4 domain do not need a
> password for it, but they can use the one of the centralized, external
> OpenLDAP (AIX). I know that Samba4 uses its own internal LDAP server,
> which is not OpenLDAP anymore, so now I have the following questions:
> - has any of you ever tried something similar?
> - in order to delegate authentication from OpenLDAP to LDAP, I had to
> install and use a specific cyrus-sasl plugin on my CentOS server:
> "cyrus-sasl-ldap.x86_64 : LDAP auxprop support for Cyrus SASL"; this does
> not seem to be present for Samba4, but only for OpenLDAP; do you know if I
> still need this? Is Cyrus-SASL support already included in Samba4?
> According to the Cyrus-SASL official web page there is no mention of
> Samba4: http://asg.web.cmu.edu/sasl/sasl-projects.html
> - I need to change the "password" attribute of each user and make it look
> similar to this: {SASL}username at externalldap.com. How can I modify that
> attribute?

No, it isn't possible.  Samba can only delegate authentication to AD or
Samba domains, not other LDAP servers or SASL, as our authentication
protocols do not disclose the plaintext password.  AD and Samba domains
support pass-through mechanisms for NTLM, and we can accept Kerberos
tickets issued by Kerberos servers.

To be an AD DC, you need to be the source of truth for passwords.  I can
only suggest you arrange the reverse, that your OpenLDAP servers talk to
the Samba AD DC.

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
