[GH-ISSUE #599] Samba integration #221

Open
opened 2026-02-27 08:15:57 +03:00 by kerem · 27 comments

Originally created by @alsvartr on GitHub (Jun 8, 2023).
Original GitHub issue: https://github.com/lldap/lldap/issues/599

Hello, can lldap be used for samba authentication?
Trying to integrate it with samba gives me the following errors:

```
../../source3/passdb/pdb_ldap_util.c:313(smbldap_search_domain_info)
smbldap_search_domain_info: Adding domain info for LDAP_SERVER failed with NT_STATUS_UNSUCCESSFUL
../../source3/passdb/pdb_ldap.c:6751(pdb_ldapsam_init_common)
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
../../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
pdb backend ldapsam:ldap://ldap_server:3890 did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
```

I assume that lldap is just missing some schemas to work with samba?


@nitnelave commented on GitHub (Jun 8, 2023):

I haven't looked into it, but I'd wager that samba requires some non-lldap-default fields, which would be blocked by https://github.com/lldap/lldap/issues/67
But it's being (slowly) worked on!

That said, a cursory search mostly brings up samba acting as an ldap server for linux, rather than the opposite. How are you trying to set it up?


@nitnelave commented on GitHub (Jun 8, 2023):

For future reference, this seems to be the list of fields required by samba: https://serverfault.com/a/1051389


@alsvartr commented on GitHub (Jun 8, 2023):

> That said, a cursory search mostly brings up sambda acting as a ldap server for linux, rather than the opposite. How are you trying to set it up?

I'm trying to set up simple auth via LDAP. Like this (example from 'Samba with OpenLDAP' tutorials):

```
passdb backend = ldapsam:ldap://ldap_server:3890
ldap suffix = dc=domain,dc=tld
ldap admin dn = uid=bind_ro,ou=people,dc=domain,dc=tld
ldap ssl = no
ldap user suffix = ou=people
ldap group suffix = ou=groups
```

https://7thzero.com/blog/configure-centos-7-samba-server-use-secure-ldap-authentication


@pcmediapear commented on GitHub (Jul 2, 2023):

+1 for samba integration
same issue on qnap nas:

```
[2023/07/02 21:32:57.590384, 0] ../../source3/passdb/pdb_ldap_util.c:314(smbldap_search_domain_info)
smbldap_search_domain_info: Adding domain info for DOMAIN.NAME failed with NT_STATUS_UNSUCCESSFUL
[2023/07/02 21:32:57.590479, 0] ../../source3/passdb/pdb_ldap.c:6756(pdb_ldapsam_init_common)
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2023/07/02 21:32:57.590512, 0] ../../source3/passdb/pdb_interface.c:186(make_pdb_method_name)
pdb backend ldapsam:ldaps://LDAP.SERVER did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
```


@ipsi commented on GitHub (Sep 22, 2023):

I'd also like to see this. I'd like to use something simpler than OpenLDAP but my Synology NAS needs some amount of Samba stuff - I think just the password control portions of it, but not 100% sure.


@nitnelave commented on GitHub (Sep 22, 2023):

@ipsi FWIW, I'm not sure that LLDAP will ever be compatible with Synology, even with Samba. Last time I looked, Synology was requesting the hashed password to be able to check the login locally. That's something we just can't do in LLDAP, by design (we don't store the hashed password, but instead we use a zero-knowledge protocol to verify the password).


@ipsi commented on GitHub (Sep 22, 2023):

I think that topic is more complex (and completely unrelated to Samba). Briefly, though, I believe Synology uses SSSD to communicate with the LDAP server. SSSD can _optionally_ cache passwords, and can also be used to _change_ the password. If you don't do either, it shouldn't matter if it doesn't return the `userPassword` attribute.

Once it's possible to get Samba attributes in, I might have a poke and see if I'm right about that.


@nitnelave commented on GitHub (Sep 22, 2023):

Alright. Feel free to follow the progress at https://github.com/lldap/lldap/issues/67
If you're feeling exceptionally motivated, you can already create the fields and set the values directly in the database, and they'll be returned over LDAP, so you can directly check your assumptions. But I totally understand if you want to wait until I actually implement field creation/setting in the web UI :)


@eudaldgr commented on GitHub (Oct 6, 2023):

> I think that topic is more complex (and completely unrelated to Samba). Briefly, though, I believe Synology uses SSSD to communicate with the LDAP server. SSSD can _optionally_ cache passwords, and can also be used to _change_ the password. If you don't do either, it shouldn't matter if it doesn't return the `userPassword` attribute.
>
> Once it's possible to get Samba attributes in, I might have a poke and see if I'm right about that.

Have you already tried something or have you had success with this? I am interested in this very thing.


@nitnelave commented on GitHub (Jan 22, 2024):

By the way, #67 should be ready now, you can create custom attributes with https://github.com/Zepmann/lldap-cli

Who wants to give samba a try?


@johnmmcgee commented on GitHub (Jan 27, 2024):

I would love to see this integration working.


@nitnelave commented on GitHub (Jan 27, 2024):

@johnmmcgee we just need a volunteer to figure out the configuration. Want to give it a try?


@johnmmcgee commented on GitHub (Jan 27, 2024):

Sure. How would one create these fields? My LDAP experience is not that great, so any direction would be welcome.


@nitnelave commented on GitHub (Jan 28, 2024):

Usually that requires looking at the docs of the service to see what fields they expect (they sometimes provide an ldif file that outlines the schema they expect), and/or reverse engineering their expectations from the service's debug logs and LLDAP verbose mode.

Then using lldap-cli, you can create the user/group attributes required.

Feel free to head over to LLDAP's discord server if you have any questions.


@nitnelave commented on GitHub (Oct 30, 2024):

Now that we have full UI support for custom attributes, does anyone want to give this a try?


@pcmediapear commented on GitHub (Nov 6, 2024):

still the same issue...
we can start to play with user attributes once the schema is extended
based on the logs, at least sambaDomainName is missing from the schema:

```
dn: sambaDomainName=<WORKGROUP>,dc=example,dc=com
objectclass: sambaDomain
objectclass: sambaUnixIdPool
objectclass: top
sambaDomainName: <WORKGROUP>
sambaSID: S-1-2-33-4444444444-555555555-6666666666
uidNumber: 999
gidNumber: 999
```

and most likely some other things are also missing from the schema
without this information samba will not start


@nitnelave commented on GitHub (Nov 6, 2024):

Can you try creating that attribute? That should be easy with the web UI (though it has to be populated for each user)


@pcmediapear commented on GitHub (Nov 6, 2024):

sorry, it is not a user attribute
if I understand correctly it is a separate entry in the root of the ldap tree
https://wiki.samba.org/index.php/3.0:_Initialization_LDAP_Database
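
As an added example (not code from this issue, from Samba or from LLDAP), a small Python preflight that parses an LDIF export of a directory and reports whether the separate domain entry discussed above exists under the configured suffix and carries the object classes and attributes listed in the LDIF above, which is what `smbldap_search_domain_info` fails on. The sample LDIF, the workgroup `HOMELAB` and the SID are constructed; the parser handles plain and folded values only and leaves base64 (`attr::`) values undecoded.

```python
"""Preflight for the sambaDomainName entry that Samba's ldapsam backend looks up under
'ldap suffix'; when it is absent, smbd reports NT_STATUS_CANT_ACCESS_DOMAIN_INFO."""
import re
from collections import defaultdict

# Object classes and attributes of the domain entry, as listed in the issue.
REQUIRED_CLASSES = ("sambaDomain", "sambaUnixIdPool")
REQUIRED_ATTRS = ("sambaDomainName", "sambaSID", "uidNumber", "gidNumber")
SID_RE = re.compile(r"^S-1-\d+(-\d+){1,15}$")  # S-1-<authority>-<subauthorities>


def parse_ldif(text):
    """Parse LDIF (e.g. an ldapsearch export) into [{attr_lower: [values]}]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:  # folded continuation line
                lines[-1] += raw[1:]
            elif not raw.startswith("#"):      # skip LDIF comments
                lines.append(raw)
        entry = defaultdict(list)
        for line in lines:
            name, _, value = line.partition(":")  # 'attr:: b64' stays undecoded
            entry[name.strip().lower()].append(value.lstrip(": ").strip())
        entries.append(dict(entry))
    return entries


def check_domain_entry(entries, suffix, workgroup):
    """Return the problems smbd would hit; an empty list means the entry is usable."""
    wanted = f"sambadomainname={workgroup},{suffix}".lower()
    found = [e for e in entries if e.get("dn", [""])[0].lower() == wanted]
    if not found:
        return [f"no entry {wanted}: expect NT_STATUS_CANT_ACCESS_DOMAIN_INFO"]
    entry, problems = found[0], []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    problems += [f"missing objectClass {c}" for c in REQUIRED_CLASSES if c.lower() not in classes]
    problems += [f"missing attribute {a}" for a in REQUIRED_ATTRS if a.lower() not in entry]
    sid = entry.get("sambasid", [""])[0]
    if sid and not SID_RE.match(sid):
        problems.append(f"sambaSID {sid!r} is not a well-formed SID")
    return problems


# Constructed sample: an LLDAP-style base entry followed by the domain entry from
# the issue (workgroup and SID made up); entries[:1] models the tree before it is added.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: top
dc: example

dn: sambaDomainName=HOMELAB,dc=example,dc=com
objectClass: sambaDomain
objectClass: sambaUnixIdPool
objectClass: top
sambaDomainName: HOMELAB
sambaSID: S-1-5-21-4444444444-555555555-6666666666
uidNumber: 999
gidNumber: 999
"""

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for label, subset in (("before", entries[:1]), ("after", entries)):
        issues = check_domain_entry(subset, "dc=example,dc=com", "HOMELAB")
        print(f"{label}: {'; '.join(issues) or 'OK'}")
```

Running it against a real export (`ldapsearch -LLL ... > tree.ldif`) shows the same "before" result for an LLDAP tree, which is why adding user attributes alone does not clear the error.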


@nitnelave commented on GitHub (Nov 6, 2024):

If all of that is needed, I'll basically have to hardcode the samba structure in LLDAP. That's out of scope for now, but if someone really motivated wants to give it a try, be my guest :)


@MassiPi commented on GitHub (Nov 24, 2024):

hello,
is this what prevents openmediavault from being able to use lldap?
I like the starting point of this project a lot, but being able to work with samba seems a big point for A LOT of homelabs, isn't it? (and also integration with OMV seems a big point..)
thanks


@nitnelave commented on GitHub (Nov 25, 2024):

> is this what prevents openmediavault to be able to use lldap?

I don't know OMV very well, but it seems to be Linux based, and using the system users. Rather than Samba integration (more adapted for windows), you're probably looking for PAM integration to get the LLDAP users in the system. There is a guide for this (linked from the readme).


@MassiPi commented on GitHub (Nov 25, 2024):

yes, I am very interested in this. I mean, OMV really uses /etc/group, /etc/passwd and so on; afaik configuring PAM and the other services is just going to add users to those files, isn't it?
ok, I need to try to break something :)
OMV would be a great addon since I see you already have NextCloud working..


@thomaschampagne commented on GitHub (Dec 23, 2024):

Up vote 👍

Looking for this feature too 😃

Thanks for your work!


@nitnelave commented on GitHub (Dec 23, 2024):

Sorry to disappoint, but I don't foresee Samba integration anytime soon, if ever. I had a look, and Samba is a beast, expecting you to define machines, roles and so on as part of the LDAP server.

It would be very complicated to integrate with LLDAP, and honestly probably not worth it.


@MassiPi commented on GitHub (Dec 23, 2024):

> Samba is a beast

yes, it's unplayable. I'm trying to get OMV to authenticate over LDAP, and even with (way) heavier and more complex solutions like OpenDJ, where getting sssd to work is trivial, Samba is still a complete mess.
I'm sure there is a proper reason, but it's still unbelievably hard to sort out lol


@thomaschampagne commented on GitHub (Dec 23, 2024):

> Sorry to disappoint, but I don't foresee Samba integration anytime soon, if ever. I had a look, and Samba is a beast, expecting you to define machines, roles and so on as part of the LDAP server.
>
> It would be very complicated to integrate with LLDAP, and honestly probably not worth it.

I understand. I will give it a try through sssd (https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/windows_integration_guide/smb-sssd#SMB-SSSD)

Thanks again!


@divStar commented on GitHub (Apr 15, 2025):

Please excuse me for asking this (I have read through this issue to the best of my abilities), but I couldn't figure out whether it is possible to have Samba use LLDAP for authentication for file shares - I personally do not use Samba AD or anything like that. Maybe adding the custom attributes would help? But the special object classes Samba expects would probably still be absent - are they needed for the file shares though?
