[Samba] winbindd with LDAPS

Rowland Penny rpenny at samba.org
Wed Mar 8 13:49:12 UTC 2023

On 08/03/2023 12:58, jose.celestino--- via samba wrote:
> Hi,
> We have a samba installation (4.17.5) where a winbindd is part of an
> AD domain and used to authenticate radius (radiator) logins.
> The thing is, the AD administration is closing port 386 on the
> password server and only allowing requests on 636 (ldaps).
> I don't seem to be able to change the winbindd to use the ldaps port. Tried
> ldap ssl = start tls
> ldap ssl ads = yes
> tls enabled = yes
> but both the net join and the ntlm_auth go to port 386 and will cease
> to work as soon as that is disabled.
> Winbindd only works on 389 or am I missing something?
> Thank you.

If I remember correctly (and someone will surely put my right if I don't 
remember correctly), winbind doesn't use ldap, it use RPC.
Unless you are using an old NT4-style domain based on ldap, you probably 
will not notice any difference.
The other thing is, I thought that a lot of the ldap calls on AD start 
off on port 389 and get 'ported' to 636


More information about the samba mailing list