[Samba] samba 3.0.14a works with ldapsam backend but not 3.5.10-125.el6

Dale Schroeder dale at BriannasSaladDressing.com
Wed Aug 22 11:15:20 MDT 2012


If you add to [global] "map untrusted to domain = Yes", does it work then?

From the 3.4.0 release notes:

Authentication Changes
======================

Previously, when Samba was a domain member and a client was connecting using an
untrusted domain name, such as BOGUS\user smbd would remap the untrusted
domain to the primary domain smbd was a member of and attempt authentication
using that DOMAIN\user name.  This differed from how a Windows member server
would behave.  Now, smbd will replace the BOGUS name with its SAM name.  In
the case where smbd is acting as a PDC this will be DOMAIN\user.  In the case
where smbd is acting as a domain member server this will be WORKSTATION\user.
Thus, smbd will never assume that an incoming user name which is not qualified
with the same primary domain, is part of smbd's primary domain.

While this behavior matches Windows, it may break some workflows which depended
on smbd to always pass through bogus names to the DC for verification.  A new
parameter "map untrusted to domain" can be enabled to revert to the legacy
behavior.

Dale



On 08/22/2012 8:42 AM, Qing Chang wrote:
>
>
> On 21/08/2012 11:59 AM, TAKAHASHI Motonobu wrote:
>> Have you explicitly set the RHEL box's SID same as Solaris box's?
>> You will do this with "get|set localsid" command.
> they are different. net setlocalsid fails:
> [root at smb3 samba]# net setlocalsid S-1-5-21-1197990898-71428884-4196996049
> [2012/08/22 09:02:13.228237,  0] lib/interface.c:542(load_interfaces)
>   WARNING: no network interfaces found
>
> The point here is that 3.0.14a never bothered to check if a user's 
> SID belongs to
> the domain. It just simply sees the user and reports:
>
> init_sam_from_ldap: Entry found for user: qchang
>
>
> On the other hand, 3.5.10-125.el6 insists that whatever SID a user has 
> does not
> belong to its domain, although I only set it up as a STANDALONE server:
>
> sid S-1-5-21-3516781642-1962875130-3438800523-41232 does not belong to 
> our domain
> Skipping entry uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
>
> If I understand right, as a  STANDALONE server, Samba should only care 
> about finding and
> authenticating against a matching uid to Windows username on the samba 
> server (which
> uses LDAP),  and then using the uid and gid(s) to provide shared 
> resources, which is the
> behavior observed with 3.0.14a, but not with 3.5.10-125.el6.
>
> In fact, SID never matters with 3.0.14a, I have populated all users 
> with the same SIDs and
> 3.0.14a has been serving shares for years.
>
>> From: Qing Chang<qchang at sri.utoronto.ca>
>> Date: Mon, 20 Aug 2012 13:23:17 -0400
>>
>>> we are migrating our standalone Samba server (3.0.14a) on a Solaris
>>> 10 box to an RHEL 6.3 box.
>>>
>>> Testing shows that on Solaris 3.0.14a works with both the OpenLDAP
>>> server we are currently using and the IPA2.2 server as LDAP
>>> backend. But 3.5.10-125.el6 on  a RHEL 6.3 box does not work with
>>> either.
>> (snip)
>>
>>> pdbedit -L has different output:
>>>
>>> ===== 3.0.14a =====
>>> Trying to load: ldapsam:ldap://ipa1.sri.utoronto.ca
>>> Attempting to find an passdb backend to match 
>>> ldapsam:ldap://ipa1.sri.utoronto.ca (ldapsam)
>>> Found pdb backend ldapsam
>>> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=OCTANE))]
>>> smbldap_open_connection: connection opened
>>> ldap_connect_system: succesful connection to the LDAP server
>>> ldap_connect_system: LDAP server does support paged results
>>> pdb backend ldapsam:ldap://ipa1.sri.utoronto.ca has a valid init
>>> Attempting to find an passdb backend to match guest (guest)
>>> Found pdb backend guest
>>> pdb backend guest has a valid init
>>> ldapsam_setsampwent: 1507 entries in the base dc=sri,dc=utoronto,dc=ca
>>> init_sam_from_ldap: Entry found for user: qchang
>>> =====
>>>
>>> ===== 3.5.10-125.el6 =====
>>> smbldap_open_connection: connection opened
>>> ldap_connect_system: successful connection to the LDAP server
>>> pdb backend ldapsam:ldap://ipa1.sri.utoronto.ca has a valid init
>>> smbldap_search_paged: base =>  [dc=sri,dc=utoronto,dc=ca], filter =>
>>> [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize =>  
>>> [1024]
>>> smbldap_search_paged: search was successful
>>> sid S-1-5-21-3516781642-1962875130-3438800523-41232 does not belong 
>>> to our domain
>>> Skipping entry uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
>>> =====
>> ---
>> TAKAHASHI Motonobu<monyo at monyo.com>
> Qing
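The "sid ... does not belong to our domain" line in the 3.5.10 pdbedit output comes from the ldapsam backend comparing each entry's sambaSID, minus its final sub-authority (the RID), against the server's own domain SID (the value shown by "net getlocalsid"). The script below is an added illustration written for this thread, not Samba code or a log from either server: it applies that prefix check to a constructed LDIF-style dump (fictional DNs and uids; one SID borrowed from the output above) and reports which entries a 3.5-era enumeration would accept and which it would skip. Entries with no sambaSID at all are treated as skipped here, which is this example's choice rather than something the thread states.

```python
import re

# Constructed sample input, in the shape of an "ldapsearch -LLL" dump of
# sambaSamAccount entries. DNs and uids are fictional; only bob's SID is
# taken from the pdbedit output quoted in the thread.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=org
uid: alice
sambaSID: S-1-5-21-1197990898-71428884-4196996049-1001

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=org
uid: bob
sambaSID: S-1-5-21-3516781642-1962875130-3438800523-41232

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=org
uid: carol
sambaSID: S-1-5-32-544
"""

# Local domain SID as "net getlocalsid" would print it (the value the
# thread tried to set with "net setlocalsid").
LOCAL_DOMAIN_SID = "S-1-5-21-1197990898-71428884-4196996049"

# S-1-<authority>-<subauth>[-<subauth>...]; at least one sub-authority.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_rid(sid):
    """Split a SID string into (domain part, RID), like Samba's
    sid_split_rid(): the RID is the last sub-authority."""
    if not SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % sid)
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def sid_in_domain(sid, domain_sid):
    """True when sid is <domain_sid>-<RID>, i.e. the check that makes
    3.5's ldapsam accept or skip an entry."""
    head, _ = split_rid(sid)
    return head == domain_sid


def parse_ldif(text):
    """Minimal LDIF reader: blank line separates entries, 'attr: value'
    per line. No base64 ('::') or line folding support; enough for the
    constructed sample above."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def classify(text, domain_sid):
    """Return (accepted uids, skipped uids) for an LDIF dump, applying the
    domain-prefix check to each entry's sambaSID."""
    accepted, skipped = [], []
    for entry in parse_ldif(text):
        sid = entry.get("sambaSID")
        # Missing sambaSID is treated as skipped here (example's choice).
        if sid is not None and sid_in_domain(sid, domain_sid):
            accepted.append(entry["uid"])
        else:
            skipped.append(entry["uid"])
    return accepted, skipped


if __name__ == "__main__":
    ok, bad = classify(SAMPLE_LDIF, LOCAL_DOMAIN_SID)
    for uid in ok:
        print("accept %s" % uid)
    for uid in bad:
        print("skip   %s (SID not under %s)" % (uid, LOCAL_DOMAIN_SID))
```

Run against a real dump, the skipped list is the set of accounts whose sambaSID prefix must be rewritten (or whose domain SID must be adopted with "net setlocalsid") before 3.5.x will enumerate them; on the old 3.0.14a server the same entries were served regardless of SID, which is why the mismatch only surfaced on the RHEL box.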