[Samba] How to configuring 389ds to the backed user authentication on Samba-ad
Rowland Penny
rpenny at samba.org
Fri Nov 15 07:51:45 UTC 2024
On Fri, 15 Nov 2024 10:31:50 +0800
Ahmed Taleb via samba <samba at lists.samba.org> wrote:
> Hi,
>
> I hope this is the correct forum to ask this question. I am looking
> for some guidance on whether Samba-ad can be (or should be)
> configured using ldap (389-ds) as the back end for user
> authentication in a production environment.
>
> I have come across a few forums and went through your documentation
> pages but the information isn’t clear so thought to ask the question
> directly to the source.
>
> What we are looking to achieve:
>
> Our environment mainly consists of Linux/Unix operating systems.
> Our users are mainly researchers and we use 389ds for user
> authenticating.
>
> I am looking for a solution to maintain a relatively small setup of
> Windows machines (20 nodes) used by researchers to remote visualise
> their work. We are currently using pGina to authenticate our users'
> Windows login against our 389-ds, though we would like to also manage
> Windows using Group Policies which is where Samba-ad comes in.
>
> My concern with pGina is that it has been a quiet project and the
> uncertainty whether the developers are still interested in the
> project if Windows decides to change the way it authenticates its
> users.
>
> We were also considering syncing our 389-ds with AD in a one way
> sync, but having to unhash user passwords in the change log seemed a
> bit .. unsecure.
>
> Any guidance would be greatly appreciated.
>
> Ahmed
>
Sorry, but no, you cannot run a Samba AD DC on top of 389-ds or any other
LDAP; you must use the built-in Samba LDAP.
From what you are describing, it will probably be easier to replace
your 389-ds server with Samba AD DC(s).
Rowland