[Samba] AD authentication with separate LDAP authorization

Rowland Penny rpenny at samba.org
Tue Jun 11 17:40:23 UTC 2019

On 11/06/2019 17:48, Ryan via samba wrote:
> Hi all,
> How can I configure Samba 4.8.0 serving users on Windows 7 clients to
> authenticate using their domain login credentials (winbindd and Active
> Directory) but be authorized (i.e. perform user/group lookup) against
> a separate OpenLDAP server?
> This was easy in previous versions of Samba with the fallback
> mechanism (https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP).
> It seems to be more complicated once winbind must be involved.
> It seems like SSSD, and people bringing it up, isn't very popular on
> the lists.
It's not that it isn't popular, it is that Samba cannot support it
because Samba does not produce it. If you want to use sssd, then you
can, but Samba cannot give you support with any problems you may have.
> Despite its mention below, I am happy with a solution that
> involves it or not, and I can work out how to modify it after I get
> something working via any other method.
> We have a CentOS 7 machine that needs to share files with Windows 7
> machines in an Active Directory domain (that I do not control) for
> users in the EXAMPLE.COM domain but perform user/group lookup against
> a separate OpenLDAP server (that I do control) at ldap.mydomain.com.
> With current versions of CentOS 7, as of Samba 4.8.0, the winbindd
> fallback is no longer available and winbindd is required.
> So we do the following:
> - open firewall port 445 (but for testing, systemctl stop firewalld)
> - set SELinux Booleans for sharing home directories (but for testing,
> setenforce 0)
> - add trust for the certificate authority that certified
> ldap.mydomain.com (tested and LDAP lookups are functional on the
> system)
> - install packages samba, samba-client, samba-winbind,
> samba-winbind-clients, and samba-winbind-krb5-locator
> - net ads join -U 'user' (the domain allows non-admin creation of
> machine accounts; net ads testjoin returns 'Join is OK')
> - authconfig --enablesssd --enablesssdauth --disablemkhomedir --update
As you can join the machine to your AD domain, have you considered the
winbind 'rid' backend?
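An smb.conf sketch of the winbind 'rid' backend Rowland mentions, added here as an illustration and not taken from the thread or from Samba's own documentation. It assumes the AD realm EXAMPLE.COM has the NetBIOS name EXAMPLE and uses arbitrary, non-overlapping idmap ranges; note that the rid backend derives uid/gid values from each account's AD RID, so user/group data come from AD rather than from the separate OpenLDAP server the original post describes.

```ini
# Added example, not from the thread. Assumed values: NetBIOS name EXAMPLE
# for realm EXAMPLE.COM, and the two idmap ranges below (must not overlap).
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS

    # Default ('*') backend handles SIDs outside the joined domain,
    # such as BUILTIN groups; allocated on the fly in a local tdb.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # rid backend: uid/gid = low end of range + RID, with no directory
    # lookup, so every host using the same range computes the same IDs.
    # Pick the range once; changing it later changes file ownership.
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999

    # The rid backend reads no POSIX attributes, so home directory and
    # shell come from these templates rather than from LDAP or AD.
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind use default domain = no
```

With `passwd: files winbind` and `group: files winbind` in /etc/nsswitch.conf, `getent passwd 'EXAMPLE\someuser'` should then return the RID-derived uid after winbind is restarted.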

