[Samba] How to use ldapsam only for authentication?

Rowland penny rpenny at samba.org
Thu Jan 28 18:33:27 UTC 2016

On 28/01/16 17:42, mathias dufresne wrote:
> Hi Meike,
> As far as I understood you are using ldapsam only when Samba is running as
> AD domain controller.

No, you don't use ldapsam on a DC; you use ldapsam when your users etc.
are stored in LDAP.

> And when Samba is running as AD DC, all user stuff goes to AD and so ldapsam.

Everything is stored in AD; this is a version of LDAP, but you don't use
ldapsam with it.

> In the configuration you described I expect your users are existing twice:
> once in /etc/passwd as Linux users and once in Samba TDB as Samba users.

This would seem to be correct. I would suggest adding 'unix password
sync = yes' to smb.conf; I also think the OP needs to add 'ldap' to
the passwd & group lines in /etc/nsswitch.

> As there is work to do to the change you speak about, why not take
> advantage of this change to also remove users from flat files? I mean, you
> can declare your AD users with the very same UID/GID and groups as those in
> flat files...

No, on a standalone server (this is what the OP has) you need the users 
in /etc/passwd and Samba.

