[Samba] How to configure samba to use LDAP/Kerberos authentication without using winbind?

Rowland penny rpenny at samba.org
Fri May 20 07:23:42 UTC 2016

On 20/05/16 01:06, Steven Fu wrote:
> We have a environment that the we cannot(don't want to) use winbind to join
> samba server to the win2003 AD(with LDAP RFC2307bis Schema and uid/gid
> setup for users).

Samba provides winbind to do what you need, what have you got against 
winbind ???

> We managed to get the linux (CentOS) to accept windows domain user ssh to
> it(with nss/nslcd/kerberos settings).
> But couldn't make samba server to use the same way to serve windows domain
> users.

Again, this should work with winbind.

> Found this page:
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2607771
> But couldn't get it working.

Not surprised, it is an extremely old page.

> Also found this page:
> https://wiki.samba.org/index.php/Nslcd
> which had information that is quite similar to what we are trying to do,
> but was deleted saying "After internal discussions, we only provide support
> for winbind"

It was decided that because Samba only produces winbind, it would only 
support the use of winbind. Samba has no control over sssd and nlscd 
etc, so it was decided to leave the support of the use of these with 
Samba to the distros.

> So now the questions are:
> 1. Does Samba has a way to support using LDAP/Kerberos without winbind.


> 2. If yes, where I can find a step-by-step guide on how to do it.


> (ps: please don't suggest using sssd or realm join, we know those maybe the
> right way to go in the future, but its not for this environment right now.)

You do know that the latest sssd uses a version of a winbind lib ?


More information about the samba mailing list