[Samba] Samba as AD member & without winbind...

Rowland penny rpenny at samba.org
Fri Oct 30 10:30:02 UTC 2020

On 30/10/2020 10:09, Thomas Besser via samba wrote:
> Am 30.10.20 um 10:57 schrieb Rowland penny via samba:
>> On 30/10/2020 09:20, Thomas Besser via samba wrote:
>>> actually we have running samba 4.5.16 under Devuan 2.0 (Ascii) as AD
>>> member without winbind configured. UID and GID information coming
>>> from NSS (nslcd -> LDAP). LDAP and AD are in sync.
>> So you will have uidNumber and gidNumber attributes in AD.
> No, AD does not have uidNumber and gidNumber. Only LDAP (separate 
> OpenLDAP!) does have this information.

So, that's what you get for not really reading a post; I missed that 😅

> Both, AD and LDAP are provided by identity management system, so are 
> in sync according to accounts and groups.

I think we might have been here before, but why use AD and LDAP?

Why not just use AD?

>> Ok, then I would need a winbind 'ldap' backend. Does this exist?
There is the 'idmap_ldap' winbind backend, but I do not think this will 
work with 'security = ADS', but then I have never tried it, and there is 
also the problem that it is an allocating backend, i.e. your users and 
groups will get new IDs.

There is also the 'idmap_nss' backend, but this will also suffer from 
the same problems as 'idmap_ldap'.

I think your best idea will be to load your users and groups in AD with 
the relevant uidNumber or gidNumber attributes and use this for 
authentication and sync passwords between your AD and your LDAP.
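As an added illustration (not part of this thread, nor Samba project documentation) of the setup Rowland recommends, the smb.conf fragment below uses the 'ad' idmap backend so winbind reads uidNumber/gidNumber from AD instead of allocating new IDs the way idmap_ldap or idmap_nss would. The workgroup EXAMPLE, realm EXAMPLE.COM and the ID ranges are placeholders and must be replaced with your own values.

```ini
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS

   ; Default backend for SIDs outside the domain (BUILTIN etc.).
   ; This one IS allocating; keep its range disjoint from the domain range.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   ; Domain backend 'ad' in rfc2307 mode: IDs come from the uidNumber /
   ; gidNumber attributes stored in AD, so they stay identical to the IDs
   ; the OpenLDAP directory already hands out via nslcd.
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   ; Only objects whose uidNumber/gidNumber fall inside this range are
   ; mapped; anything outside it will not resolve at all.
   idmap config EXAMPLE : range = 10000-999999

   ; Pull loginShell / unixHomeDirectory from AD as well (RFC2307 attributes).
   winbind nss info = rfc2307
   winbind use default domain = yes
   winbind refresh tickets = yes
```

After the join, `getent passwd <user>` and `id <user>` should return exactly the uidNumber/gidNumber that the OpenLDAP lookup returns today; a mismatch or an empty result usually means the attribute is missing in AD or lies outside the configured domain range.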
