[Samba] How to configuring 389ds to the backed user authentication on Samba-ad

Rowland Penny rpenny at samba.org
Fri Nov 15 07:51:45 UTC 2024


On Fri, 15 Nov 2024 10:31:50 +0800
Ahmed Taleb via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> I hope this is the correct forum to ask this question. I am looking
> for some guidance on whether Samba-ad can be (or should be)
> configured using ldap (389-ds) as the back end for user
> authentication in a production environment.
> 
> I have come across a few forums and went through your documentation
> pages but the information isn't clear so thought to ask the question
> directly to the source.
> 
> What we are looking to achieve:
> 
> Our environment mainly consists of Linux/Unix operating systems.
> Our users are mainly researchers and we use 389ds for user
> authentication.
> 
> I am looking for a solution to maintain a relatively small setup of
> Windows machines (20 nodes) used by researchers to remotely visualise
> their work. We are currently using pGina to authenticate our users'
> Windows login against our 389-ds, though we would like to also manage
> Windows using Group Policies which is where Samba-ad comes in.
> 
> My concern with pGina is that it has been a quiet project and the
> uncertainty whether the developers are still interested in the
> project if Windows decides to change the way it authenticates its
> users.
> 
> We were also considering syncing our 389-ds with AD in a one-way
> sync, but having to unhash user passwords in the change log seemed a
> bit ... insecure.
> 
> Any guidance would be greatly appreciated.
> 
> Ahmed
> 

Sorry, but no, you cannot run a Samba AD DC on top of 389-ds or any other
ldap, you must use the built-in Samba ldap.

From what you are describing, it will probably be easier to replace
your 389-ds server with Samba AD DC(s).

Rowland
 


