[Samba] How to configuring 389ds to the backed user authentication on Samba-ad

Ahmed Taleb ahmed.taleb at pawsey.org.au
Fri Nov 15 13:09:39 UTC 2024


So not even if you sync 389 to samba local ldap?

On 15 November 2024 3:51:45 pm AWST, Rowland Penny via samba <samba at lists.samba.org> wrote:
>On Fri, 15 Nov 2024 10:31:50 +0800
>Ahmed Taleb via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I hope this is the correct forum to ask this question. I am looking
>> for some guidance on whether Samba-ad can be (or should be)
>> configured using ldap (389-ds) as the back end for user
>> authentication in a production environment.
>>
>> I have come across a few forums and went through your documentation
>> pages but the information isn't clear so thought to ask the question
>> directly to the source.
>>
>> What we are looking to achieve:
>>
>> Our environment mainly consists of Linux/Unix operating systems.
>> Our users are mainly researchers and we use 389ds for user
>> authentication.
>>
>> I am looking for a solution to maintain a relatively small setup of
>> Windows machines (20 nodes) used by researchers to remotely visualise
>> their work. We are currently using pGina to authenticate our users'
>> Windows login against our 389-ds, though we would like to also manage
>> Windows using Group Policies which is where Samba-ad comes in.
>>
>> My concern with pGina is that it has been a quiet project and the
>> uncertainty whether the developers are still interested in the
>> project if Windows decides to change the way it authenticates its
>> users.
>>
>> We were also considering syncing our 389-ds with AD in a one way
>> sync, but having to unhash user passwords in the change log seemed a
>> bit .. unsecure.
>>
>> Any guidance would be greatly appreciated.
>>
>> Ahmed
>>
>
>Sorry but no you cannot run a Samba AD DC on top of 389-ds or any other
>ldap, you must use the builtin Samba ldap.
>
>From what you are describing, it will probably be easier to replace
>your 389-ds server with Samba AD DC(s).
>
>Rowland