[Samba] Configuration of smb.conf for Active Directory authentication

Rowland Penny rpenny at samba.org
Wed Aug 24 21:09:06 UTC 2016


On Wed, 24 Aug 2016 20:04:24 +0000
Kyle Manel via samba <samba at lists.samba.org> wrote:

> I've been working through a guide documenting how to do this at
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> and am presently deciphering what needs I have in my winbind
> configuration. In doing so, I've come across the 'passdb backend =
> ldapsam' option and am curious if I can use this, and if it is wise,
> identifying that key exchange is complex and a vulnerability at
> times, but it does provide no local storage of pw either, which may
> be a greater vulnerability.
> 
> Any insight into this, or if this passdb option even works as I
> believe it to would be valuable to me, Kyle

No, it wouldn't. 'ldapsam' is meant to be used with an LDAP-based
system, like a standalone server or an NT4-style PDC.

Just follow the instructions on the wiki page you have referred to
and if you do not understand anything, just ask.

Basically it boils down to: do you have access to the AD DC, and is
the DC 2008R2 or earlier?
If you have access and it isn't a 2012 server, you can add IDMU and
then add RFC2307 attributes with the Unix Attributes tab in ADUC. You
can then use the winbind 'ad' backend.

If you don't have access, or don't want to do the above, use the
winbind 'rid' backend.

Rowland
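
The two winbind choices described in the reply above, as an added smb.conf example that is not part of the original message. The domain name SAMDOM, the realm and the ID ranges are constructed placeholders; pick ranges that fit your own environment.

```ini
# Constructed example for an AD domain member. SAMDOM, SAMDOM.EXAMPLE.COM
# and every ID range below are placeholders, not values from the thread.
[global]
    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM

    # No 'passdb backend = ldapsam' line: a domain member has its users
    # authenticated by the AD DCs through winbind, so no domain password
    # hashes are kept in a local or LDAP passdb.

    # Default domain: BUILTIN and local accounts.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Option A, 'ad' backend: UIDs/GIDs are read from the RFC2307
    # attributes (uidNumber, gidNumber) set in AD, e.g. via the Unix
    # Attributes tab in ADUC. Accounts without these attributes, or with
    # values outside the range, are not mapped.
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    winbind nss info = rfc2307

    # Option B, 'rid' backend: IDs are calculated from each account's RID,
    # so nothing has to be added on the DC. Use this block instead of
    # Option A, never both for the same domain.
    # idmap config SAMDOM : backend = rid
    # idmap config SAMDOM : range = 10000-999999
```

The ranges for `*` and for the domain must not overlap, and `testparm` will report syntax errors before winbind is restarted.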


