[Samba] Samba as AD member & without winbind...

Thomas Besser thomas.besser at kit.edu
Fri Oct 30 10:50:43 UTC 2020

On 30.10.20 at 11:30, Rowland penny via samba wrote:
> On 30/10/2020 10:09, Thomas Besser via samba wrote:
>> On 30.10.20 at 10:57, Rowland penny via samba wrote:
>>> On 30/10/2020 09:20, Thomas Besser via samba wrote:
>>>> actually we have samba 4.5.16 running under Devuan 2.0 (Ascii) as AD
>>>> member without winbind configured. UID and GID information comes
>>>> from NSS (nslcd -> LDAP). LDAP and AD are in sync.
>>> So you will have uidNumber and gidNumber attributes in AD.
>> No, AD does not have uidNumber and gidNumber. Only LDAP (separate
>> OpenLDAP!) has this information.
> So, that's what you get for not really reading a post, I missed that 😅
>> Both AD and LDAP are provided by the identity management system, so they
>> are in sync regarding accounts and groups.
> I think we might have been here before, but why use AD and LDAP ?

Because they are there ;-)

I'm not the admin of these systems. In our big organization (kit.edu) 
these two systems are provided by the computer center, having all users 
and groups in them.

>>> Ok, then I would need a winbind 'ldap' backend. Does this exist?
> There is the 'idmap_ldap' winbind backend, but I do not think this will
> work with 'security = ADS', but then I have never tried it and there is
> also the problem that it is an allocating backend, i.e. your users and
> groups will get new IDs.
> There is also the 'idmap_nss' backend, but this will also suffer from
> the same problems as 'idmap_ldap'.

That's the reason why I configured NSS to get this information from 
LDAP until now.

I don't want 'new IDs' for the users/groups in AD. I want to use the 
real ones from LDAP.

I need a winbind backend with which I can use the information from the 
configured NSS.

> I think your best idea will be to load your users and groups in AD with
> the relevant uidNumber or gidNumber attributes and use this for
> authentication and sync passwords between your AD and your LDAP.

No, that's not an option for me. See above.


Karlsruher Institut für Technologie (KIT)
archIT [IT Management of the Faculty of Architecture]
Dipl.-Ing. Thomas Besser
Building 11.40, Room 010 | Phone +49 721 608 46024

KIT - The Research University in the Helmholtz Association
