[Samba] External Authentication

Rowland Penny rpenny at samba.org
Thu Apr 11 18:32:08 UTC 2019

On Thu, 11 Apr 2019 10:54:13 -0700
Vex Mage via samba <samba at lists.samba.org> wrote:

> Hello, I've done a lot of reading and searching; however, I could use
> some guidance. I just started working for a school in which there are
> a few Windows labs as a Linux systems administrator. Our workstation
> sysadmins have asked me to look into a Samba issue for them: Windows
> 10 systems have to have SMB1 turned on to authenticate against the
> existing Samba3 server. This workaround hasn't been acceptable due
> to privacy and security concerns. The campus has a black box LDAP
> server which we use to authenticate users. The Samba3 server is
> currently using this LDAP to authenticate users.

That is your problem right there: Samba 3 is EOL, dead, finito.

> I've spun up a Samba4 server and set it up as an active directory
> domain controller and I can definitely see that this is a very robust
> system and is working well; however, I don't see a management solution
> for synchronization between the campus LDAP server and Samba4 AD/DC.

There isn't one; AD is supposed to replace your NT4 domain.

> One approach I was thinking was leveraging "password server" and
> point the directive to the Samba3 NT4 domain and turn on the auto
> creation of accounts. Groups would still need to be managed by hand.
> The issue is that the Samba4 server seems to not be honouring the
> password server directive. Indeed I cannot find any directed traffic
> from Samba4 to Samba3 during an authentication attempt with the
> directive.

See the answer above. Plus, there is a very big hole in your proposed
set up: if your clients see the AD DC, they will not contact the NT4
PDC again.

> I can also think of a convoluted LDAP diff of both systems to shore
> up the Samba4 LDAP with the campus LDAP; however, this script would
> have to run periodically and I'm currently not aware whether Samba4
> can read the blackbox LDAP password encryption type.

I have heard of some convoluted ways of doing things, but yours just
might be the strangest ;-)

> I'm looking for the most straightforward way for Windows desktop
> authentication of users and groups. I cannot seem to be all in for
> Samba4's AD and I can't seem to be all in for campus LDAP (by way of
> Samba3's NT4 LDAP back end).

First and foremost, you need to turn off your Samba 3 machine (yes, I
know you won't like this); it is insecure. You will be better off
classicupgrading your PDC to an AD domain, see here:



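The security point behind the reply is that the old NT4-style Samba 3 server forces the Windows 10 clients down to SMB1, while a current Samba AD DC can refuse anything below SMB2. The following script is an added example, not code from the thread or from the Samba project: it audits an smb.conf for the `server min protocol` setting (falling back to the older `min protocol` spelling) and reports whether SMB1 dialects (NT1 and older) are still negotiable. The two configuration files, hostnames, realm and workgroup are constructed for the example; treating an unset parameter as "unknown" is a deliberate assumption, because the default has changed across Samba releases.

```shell
#!/bin/sh
# Audit smb.conf files for SMB1 exposure. Added example; the configs
# below are constructed stand-ins for an old Samba 3 NT4 PDC and a
# Samba AD DC, not files from the original thread.

tmpdir=$(mktemp -d)

cat > "$tmpdir/smb3-pdc.conf" <<'EOF'
[global]
   workgroup = CAMPUS
   security = user
   passdb backend = ldapsam:ldap://ldap.campus.example
   ; NT1 is the SMB1 dialect: Windows 10 must enable SMB1 to talk to this
   server min protocol = NT1
EOF

cat > "$tmpdir/ad-dc.conf" <<'EOF'
[global]
   workgroup = CAMPUS
   realm = AD.CAMPUS.EXAMPLE
   server role = active directory domain controller
   # Refuse SMB1 entirely; Windows 10 negotiates SMB2/SMB3 without it
   server min protocol = SMB2_02
EOF

# smb_param FILE NAME: print the lower-cased value of NAME from [global],
# ignoring ';' and '#' comment lines; prints nothing if the key is unset.
smb_param() {
    awk -v key="$2" -F'=' '
        /^[[:space:]]*\[/ { inglobal = (tolower($0) ~ /\[global\]/) }
        inglobal && $0 !~ /^[[:space:]]*[#;]/ && index($0, "=") {
            k = $1; sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print tolower(v)
            }
        }' "$1" | tail -n 1
}

# smb1_allowed FILE: "yes" if the minimum dialect is NT1 or older, "no" if
# the server insists on SMB2/SMB3, "unknown" if the parameter is unset
# (assumption: do not guess the version-dependent default).
smb1_allowed() {
    minp=$(smb_param "$1" "server min protocol")
    [ -n "$minp" ] || minp=$(smb_param "$1" "min protocol")
    case "$minp" in
        "")                                   echo unknown ;;
        core|coreplus|lanman1|lanman2|nt1)    echo yes ;;
        smb2*|smb3*)                          echo no ;;
        *)                                    echo unknown ;;
    esac
}

# server_kind FILE: classify the role so the report says what is being
# audited (an NT4-style PDC with an LDAP passdb vs. an AD DC).
server_kind() {
    role=$(smb_param "$1" "server role")
    backend=$(smb_param "$1" "passdb backend")
    case "$role" in
        "active directory domain controller") echo "AD DC" ;;
        *) case "$backend" in
               ldapsam*) echo "NT4-style PDC (ldapsam)" ;;
               *)        echo "NT4-style or standalone" ;;
           esac ;;
    esac
}

# Stand-alone report when run directly.
for f in "$tmpdir/smb3-pdc.conf" "$tmpdir/ad-dc.conf"; do
    printf '%s: %s, SMB1 allowed: %s\n' \
        "$(basename "$f")" "$(server_kind "$f")" "$(smb1_allowed "$f")"
done
```

Run it against the real files (`smb1_allowed /etc/samba/smb.conf`) on both the old PDC and the new DC. A "yes" on the old server is exactly the condition the original poster describes; after the classicupgrade, confirm the DC reports "no" and then leave SMB1 disabled on the Windows 10 clients rather than re-enabling it as a workaround.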