[Samba] Authenticating against Samba 4 AD LDAP service

Konstantin Boyandin lists at boyandin.info
Fri Sep 7 03:57:18 UTC 2018

Rowland Penny via samba wrote 2018-09-06 16:59:
> On Thu, 06 Sep 2018 16:12:43 +0700
> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>> Rowland Penny via samba wrote 2018-09-06 14:50:
>> > On Thu, 06 Sep 2018 12:47:02 +0700
>> > Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>> >
>> >> Rowland Penny via samba wrote 2018-09-05 16:10:
>> >> > However, are you sure you cannot use kerberos ?
>> >> > What are your existing services ?
>> >>
>> >> to name most important ones:
>> >>
>> >> - Mail server (I use pam_ldap/nss_ldap, i.e. nslcd, currently)
>> >> - Shell (SSH) server (same, using nslcd)
>> >> - Apache 2.* LDAP authentication module
>> >> - Atlassian Confluence
>> >> - GitLab
>> >>
>> >
>> > I am positive that most of the above will work with kerberos
>> > authentication, the only exception is 'Mail server'. This is only
>> > because saying 'Mail server' is a bit like saying 'I have a
>> > computer', it could be anything, but whatever it is, you probably
>> > can use kerberos and if Dovecot is in the mix, you definitely can
>> > use kerberos.
>> Thanks for the reassuring. The mail server/SSH server are using
>> pam_ldap and nss_ldap to authenticate and get attributes from LDAP
>> (via nss_pam_ldapd CentOS package).
> You keep saying 'mail server', but what mail server ? What are its
> components ? are you using postfix ?, exim4 ? or something else. Does
> it use saslauthd, dovecot or something else

I thought I answered by mentioning PAM authentication.

Exim 4, using saslauthd (which still uses PAM to auth against 
Dovecot, using PAM.

>> Basically, I have configured nslcd to get info from Samba4, according
>> to
>> https://wiki.samba.org/index.php/Nslcd
>> The further questions are:
>> 1. I have to add uidNumber/gidNumber manually per user/group, as said
>> in
>> https://wiki.samba.org/index.php/Adding_users_with_samba_tool
>> Is it possible to do that in batch mode, as well (i.e. create kind of
>> .ldif and update the sam.ldb with it)?
> Write a script around 'samba-tool user create'. You could extract the
> required data from a file (csv ?) and use this to create the users one
> by one.

Users and groups *have been* created (imported) by 'classic upgrade'. 
What is missing is group memberships and uidNumber/gidNumber fields 
(required by nslcd).

So question is, is it possible to add attributes on per-item (user, 
group) basis in batch mode (without doing that manually with ldbedit)?

Namely, mass add uidNumber/gidNumber attributes.

There can be cases when all the attributes must be changed/added/deleted 
en masse, so I assume I am not the only one in need of batch altering 
users/groups attributes.

>> 2. I have no luck setting up pam_ldap.conf to allow  authentication
>> against Samba4. There are no visible hints in Samba Wiki. I could
>> only guess I have to try Kerberos, perhaps, instead of pam_ldap.
> Are you using a DC as a fileserver ?

Yes. It's a relatively small domain, so no performance penalty is 

> This should work, but you will need to use nslcd or winbind or sssd
> You can, as you have found, use nslcd to extract rfc2307 attributes
> from AD, sssd works in a similar way, winbind only extracts the
> username & uidNumber.

Question is how to authenticate. Currently, PAM part authenticates 
against Samba 3 domain, while NSS gets required attributes. That 
satisfies all the Linux services.

On Samba 4, I wasted much time trying to make PAM authentication 
work. I will try using Kerberos for now (if it works along with nslcd, I 
won't touch sssd, which, in my experience, is more a problem than a 
