[Samba] External Authentication

Vex Mage dosmage at gmail.com
Thu Apr 11 17:54:13 UTC 2019


Hello, I've done a lot of reading and searching; however, I could use some
guidance. I just started working for a school in which there are a few
Windows labs as a Linux systems administrator. Our workstation sysadmins
have asked me to look into a Samba issue for them: Windows 10 systems have
to have SMB1 turned on to authenticate against the existing Samba3 server.
This workaround hasn't been acceptable due to privacy and security
concerns. The campus has a black box LDAP server which we use to
authenticate users. The Samba3 server is currently using this LDAP to
authenticate users.

I've spun up a Samba4 server and set it up as an Active Directory domain
controller and I can definitely see that this is a very robust system and
is working well; however, I don't see a management solution to
synchronization between the campus LDAP server and Samba4 AD/DC.

One approach I was thinking of was leveraging "password server" and pointing the
directive to the Samba3 NT4 domain and turn on the auto creation of
accounts. Groups would still need to be managed by hand. The issue is that
the Samba4 server seems to not be honouring the password server directive.
Indeed I cannot find any directed traffic from Samba4 to Samba3 during an
authentication attempt with the directive.

I can also think of a convoluted LDAP diff of both systems to shore up the
Samba4 LDAP with the campus LDAP; however, this script would have to run
periodically and I'm currently not aware whether Samba4 can read the
black box LDAP password encryption type.

I'm looking for the most straightforward way for Windows desktop
authentication of users and groups. I cannot seem to be all in for Samba4's
AD and I can't seem to be all in for campus LDAP (by way of Samba3's NT4
LDAP back end).

Any advice would be very welcome! Thank you for reading my conundrum!

