[Samba] External Authentication

Rowland Penny rpenny at samba.org
Fri Apr 12 18:27:12 UTC 2019

On Fri, 12 Apr 2019 11:04:58 -0700
Vex Mage <dosmage at gmail.com> wrote:

> I apologize but that is what I meant by black box. The Samba3 server
> is our server. It connects to the LDAP that is out of my control and
> extends the users' entries to the Windows desktops.
> If it's easier to visualize we're getting LDAP as a service from the
> central campus IT department. It is then on us to provide services our
> school needs to our students, faculty and staff. They have no concern
> about Samba3 or Samba4. We're just using their LDAP server.
> Samba4 can't use this LDAP service in AD and I understand the
> complexities of the extensions AD has put on to its LDAP; however,
> without the ability to auto discover users and groups it's a
> management burden for me to implement some form of continuous sync to
> massage data from the central campus LDAP to Samba4. I can contrive
> methods and fortunately Marco has given me a great lead, but it still
> seems overly complex.
> This is why I was looking into auto discovery / auto creation of
> users and groups via an external authentication request. At least
> then the users would exist if they successfully authenticated.
> Obviously that's not a completely reasonable solution either.
> Another contrived solution I've been mulling around is using the meta
> backend in OpenLDAP and creating a combined view of Samba4 with
> central campus LDAP. The issue here is that I don't yet know whether
> OpenLDAP would be able to query Samba4, stitch together the output of
> the LDAP servers, let alone configure Samba4 to use it instead of
> directly connecting to its backend.
> The final solution I can figure is to set up Windows desktops joined
> to Samba4 with a trust to FreeIPA and a replication mechanism between
> FreeIPA and campus LDAP. At my previous employer I have already got
> Windows to authenticate through to FreeIPA, but that still leaves me
> with the FreeIPA to LDAP conundrum.

Let's see if I have this right: you are not averse to using AD, you
just want to have all the users and groups that are in your central
ldap in your <whatever it is>

Do the passwords have to match?
