[Samba] stand-alone server with ldap-auth without AD

Wed Mar 23 14:18:35 UTC 2022

On 23.03.2022 at 13:07, Gaiseric Vandal via samba wrote:
> Can you provide a little more information?
Sure - sorry!

System itself: Debian Bullseye
ldap:~# smbd -V
Version 4.13.13-Debian
> You want to set up a Samba server. Some of the clients have machines 
> that they don't want to join to the domain but they still want to access 
> resources on your server? Presumably these are file shares?
Yes, they are and that's the idea ...
> It seems to me that regardless of whether your server is joined to a 
> domain, or is standalone, or has to access some other authentication 
> server, that the client users still need accounts to connect to your 
> server.

We are a Chair at a German university, and have read-only access to 
the university's central LDAP - not to every object, but to all which 
belong to our chair. There are accounts for each member of the 
university, employees, students, scientists, scientific guests, etc., 
and they are managed centrally.
All of 'our users' should have access to network-shares, provided by samba.
As most of the students use their own (private) laptop, they don't want 
to join the system to any AD ...

> In the past I have set up Samba as "NT4" style domain controllers with an 
> LDAP backend. This then adds the overhead of managing an LDAP server.
If that is suitable enough for such an environment, I'd be fine with it.

But, to be honest, I have no idea how to configure samba to handle the 
user-auth versus ldap - I always get error messages like this when 
trying to access a share, and type in a username and password:
[2022/03/23 14:54:06.343084,  0] 
   check_winbind_security: winbindd not running - but required as domain 

nmbd gives an error:
Mar 23 15:08:27 ldap systemd[1]: Started Samba NMB Daemon.
Mar 23 15:08:27 ldap nmbd[916]:   daemon_ready: daemon 'nmbd' finished 
starting up and ready to serve connections
Mar 23 15:08:27 ldap nmbd[916]: [2022/03/23 15:08:27.633290,  0] 
Mar 23 15:08:27 ldap nmbd[916]:   query_name_response: Multiple (2) 
responses received for a query on subnet for name AFP<1d>.
Mar 23 15:08:27 ldap nmbd[916]:   This response was from IP, reporting an IP address of
( is just another stand-alone-system on the net)

While smbd seems to start fine:
Mar 23 15:08:23 ldap systemd[1]: Started Samba SMB Daemon.
Mar 23 15:08:24 ldap smbd[909]: [2022/03/23 15:08:24.001867,  0] 
Mar 23 15:08:24 ldap smbd[909]:   daemon_ready: daemon 'smbd' finished 
starting up and ready to serve connections

So, I guess I either misunderstood something, or mixed something in smb.conf

Here it is:
workgroup = AFP
server string = %h
security = user
domain master = No
dns proxy = no
syslog only = no
syslog = 5
log file = /var/log/samba/log.%m
max log size = 1000
encrypt passwords = true
wins server =
ldap ssl = no
idmap config DOMAIN : backend = sss
idmap config DOMAIN : range = 10000-20000
winbind refresh tickets = yes
winbind use default domain = yes
winbind offline logon = false
winbind enum users = yes
winbind enum groups = yes
obey pam restrictions = no
guest account = nobody
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
#printing = cups
#printcap name = cups
interfaces =
admin users = USERID
unix charset = UTF-8
dos charset = cp1252
time server = Yes
#logon path =
#logon home = \\%L\%u
use sendfile = No
os level = 25
wide links = No
unix extensions = yes
map archive = No
delete readonly = Yes
case sensitive = auto
mangled names = no
unix password sync = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

path = /srv/public
read only = yes
guest ok = yes

> On 3/23/2022 7:25 AM, lists--- via samba wrote:
>> Hi,
>> is it possible to configure a stand-alone samba server with 
>> authentication versus a readonly ldap (proxy) using 'passdb backend 
>> = ldapsam', sssd or winbindd, or something else, but not setting-up or 
>> joining an AD? Reason for this: ~30% of the computers using that 
>> samba-services are private computers, whose owners don't want to join 
>> an AD.
>> Thanks in advance!
>> Cheers,
>> Torsten

