[Samba] Configuring Linux openldap ldapsearch client-side tool to authenticate against a Samba AD server

Rowland Penny rpenny at samba.org
Tue Apr 25 21:10:53 UTC 2023

On 25/04/2023 21:40, John R. Graham via samba wrote:
> Hi, Rowland. There is no openldap server. I'm working on achieving 
> single sign on for both Linux and Windows machines against a new Samba 
> AD server. I'm not against authenticating; I'm just ignorant on how to 
> go about that. Single sign on is, I understand, provided "out of the 
> box" for Windows clients once the AD server is properly set up. The 
> eventual goal on the Linux side would be to use pam_ldap or SSSD to 
> communicate with the Samba AD LDAP server to achieve the same thing. My 
> initial thought was to do this /without/ installing the Samba client 
> side tools on every Linux box. If that's a bad decision, please feel 
> free to wave me off.
> In trying to get things working incrementally, I was trying to use the 
> openldap-provided ldapsearch tool to query Samba AD for user 
> information. Clearly I need to set up ldapsearch to authenticate with 
> Samba AD. Hopefully you can just point me to some documentation now that 
> I have (hopefully) less ambiguously explained myself.
> - John
I still don't fully understand just what you are trying to achieve; to 
get any method to work, your Linux machine really needs to join the domain.

If you don't require shares, don't run the Samba smbd daemon, just run 
winbind. The problem is mapping AD users as Linux users; by using 
winbind you make the AD users appear as Linux users without creating 
them on the Linux box. If you do use the Samba tools, you can install 
the ldb tools (ldbsearch etc.), these can use the machine password for 
most searches.
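As an added illustration of the advice above (this is not code from the post or from the Samba project), the script below sketches the winbind-only domain member setup Rowland describes: it derives the LDAP base DN from the Kerberos realm, writes a minimal smb.conf with no shares (so only winbind needs to run), and wraps the two search paths mentioned in the thread, openldap's ldapsearch with a Kerberos ticket and Samba's ldbsearch with the machine password. The realm EXAMPLE.COM, workgroup EXAMPLE, host dc1.example.com and the user name are placeholders; the idmap ranges are a common but assumed layout, and the join and search commands only execute when the script is invoked with the argument `run` on a machine that has Samba and openldap clients installed.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. All names below are placeholders.
set -eu

REALM="${REALM:-EXAMPLE.COM}"        # assumed AD Kerberos realm
WORKGROUP="${WORKGROUP:-EXAMPLE}"    # assumed NetBIOS domain name
DC="${DC:-dc1.example.com}"          # assumed Samba AD DC hostname
USER_TO_FIND="${USER_TO_FIND:-john}" # assumed sAMAccountName to look up

# Turn a Kerberos realm into the AD base DN: EXAMPLE.COM -> DC=EXAMPLE,DC=COM
realm_to_basedn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i
    }'
}

# Write smb.conf for a domain member that runs winbind only (no [shares] section,
# so smbd is not needed). Writes to the path given as $1.
write_member_smbconf() {
    cat > "$1" <<EOF
[global]
    security = ADS
    realm = $REALM
    workgroup = $WORKGROUP
    # Default idmap range catches BUILTIN and anything not matched below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # Deterministic RID-based mapping for the AD domain (assumed range).
    idmap config $WORKGROUP : backend = rid
    idmap config $WORKGROUP : range = 10000-999999
    winbind use default domain = yes
    winbind refresh tickets = yes
    template shell = /bin/bash
    template homedir = /home/%U
EOF
}

# Join the domain and create the machine account (prompts for the AD admin password).
join_domain() {
    net ads join -U Administrator
    # After the join, winbind (not smbd) is what makes AD users visible to Linux.
    systemctl enable --now winbind
}

# Path 1: openldap ldapsearch authenticating with a user's Kerberos ticket (SASL GSSAPI).
# Simple bind over plain ldap:// is rejected by AD unless signing is disabled.
ldapsearch_user() {
    kinit "$USER_TO_FIND@$REALM"
    ldapsearch -Q -Y GSSAPI -H "ldap://$DC" \
        -b "$(realm_to_basedn "$REALM")" \
        "(sAMAccountName=$USER_TO_FIND)" sAMAccountName uidNumber
}

# Path 2: Samba's ldbsearch using the stored machine account password (-P),
# which exists only once the box has joined the domain.
ldbsearch_machine() {
    ldbsearch -H "ldap://$DC" -P \
        "(sAMAccountName=$USER_TO_FIND)" sAMAccountName uidNumber
}

# Only act when explicitly asked; sourcing the file just defines the functions.
case "${1:-}" in
    run)
        write_member_smbconf /etc/samba/smb.conf
        join_domain
        getent passwd "$USER_TO_FIND"   # winbind should now resolve the AD user
        ldapsearch_user
        ldbsearch_machine
        ;;
esac
```

Once winbind is running, `getent passwd` resolving the AD user is the quickest check that the mapping Rowland mentions is working; if that fails, the later LDAP queries will not help.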
