[Samba] Authenticating against Samba 4 AD LDAP service

Konstantin Boyandin lists at boyandin.info
Thu Sep 6 09:12:43 UTC 2018

Rowland Penny via samba wrote 2018-09-06 14:50:
> On Thu, 06 Sep 2018 12:47:02 +0700
> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>> Rowland Penny via samba писал 2018-09-05 16:10:
>> > However, are you sure you cannot use kerberos ?
>> > What are your existing services ?
>> to name most important ones:
>> - Mail server (I use pam_ldap/nss_ldap, i.e. nslcd, currently)
>> - Shell (SSH) server (same, using nslcd)
>> - Apache 2.* LDAP authentication module
>> - Atlassian Confluence
>> - GitLab
> I am positive that most of the above will work with kerberos
> authentication, the only exception is 'Mail server'. This is only
> because saying 'Mail server' is a bit like saying 'I have a computer',
> it could be anything, but whatever it is, you probably can use kerberos
> and if Dovecot is in the mix, you definitely can use kerberos.

Thanks for the reassuring. The mail server/SSH server are using pam_ldap 
and nss_ldap to authenticate and get attributes from LDAP (via 
nss_pam_ldapd CentOS package).

Basically, I have configured nslcd to get info from Samba4, according to


The further questions are:

1. I have to add uidNumber/gidNumber manually per user/group, as said in


Is it possible to do that in batch mode, as well (i.e. create kind of 
.ldif and update the sam.ldb with it)?

2. I have no luck setting up pam_ldap.conf to allow  authentication 
against Samba4. There are no visible hints in Samba Wiki. I could only 
guess I have to try Kerberos, perhaps, instead of pam_ldap.



More information about the samba mailing list