[Samba] stand-alone server with ldap-auth without AD

Andrew Bartlett abartlet at samba.org
Wed Mar 23 20:39:08 UTC 2022

On Wed, 2022-03-23 at 17:02 +0000, Rowland Penny via samba wrote:
> On Wed, 2022-03-23 at 12:53 -0400, Gaiseric Vandal via samba wrote:
> > You need to have an account on the LDAP server that samba can use to
> > read user information including the Windows password field. Then you
> > need to configure smb.conf with the server name, the search path, the
> > ldap name and password.
> > 
> > I think what is going to be a problem is that the "NT4" Windows
> > password requires a separate password field than the regular LDAP
> > password, and keeping the 2 in sync will be a challenge. The client
> > machines will be sending a hash of the user password to the server
> > (rather than "plaintext" password over TLS.) In fact the schema on the
> > LDAP server may need to be extended.
> If a new NT4-style machine is being set up, you should be aware that
> they rely on SMBv1 and this is going away. You could end up within a
> year or two having to upgrade again or use an older version of Samba.

Even in the standalone server case, where LDAP is used as a passdb
backend for a single fileserver and kept in sync with the smbk5pwd
overlay or Samba's LDAP password sync, just be aware that this relies
on the pdb_ldap backend.

The historical purpose for pdb_ldap was the NT4 DC, and while we
haven't any particular plans to remove this (we know folks use it even
when not doing an NT4 domain), just be aware that with less use there is
even less ongoing maintenance.  pdb_ldap is also not tested in

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
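Added example, not taken from this thread or from the Samba project's own documentation: a minimal smb.conf for the setup Gaiseric describes, a standalone fileserver whose passdb backend is ldapsam (pdb_ldap). The hostname, base DN and bind DN are assumptions. It presumes the directory already carries the Samba schema shipped in examples/LDAP/ of the Samba source (the sambaSamAccount objectclass with sambaNTPassword and sambaSID), that the users also resolve through NSS as POSIX accounts, and that the bind password is stored in secrets.tdb with smbpasswd -w rather than written into the file.

```ini
[global]
   server role = standalone server
   workgroup = WORKGROUP
   security = user

   # Assumed LDAP server and base DN. Use StartTLS (or an ldaps:// URI with
   # ldap ssl = off) so the bind password and the sambaNTPassword values
   # never cross the wire in clear.
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap ssl = start tls
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers

   # Assumed bind identity that may read and write the sambaNTPassword
   # attribute. Its password is deliberately not in this file; it is
   # stored in secrets.tdb with:  smbpasswd -w 'the-bind-password'
   ldap admin dn = cn=samba,ou=Services,dc=example,dc=com

   # When a user changes their password over SMB, Samba holds the cleartext
   # for that one operation and also updates userPassword, so the NT hash
   # and the regular LDAP password stay in sync from the Samba side.
   ldap passwd sync = yes

[data]
   # Assumed share path; the usual POSIX permissions apply on top of the
   # SMB authentication.
   path = /srv/samba/data
   read only = no
```

Check the file with testparm -s before starting smbd, store the bind password with smbpasswd -w, then add the first account with smbpasswd -a username (it writes the sambaSamAccount attributes through the ldap admin dn) and confirm the backend is actually being read with pdbedit -L. Note that ldap passwd sync only covers changes made through Samba; a password changed directly in LDAP, by a web front end for instance, still leaves sambaNTPassword stale, which is the gap the smbk5pwd overlay mentioned above exists to close.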
