[Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch

Daniel Müller mueller at tropenklinik.de
Fri Jun 21 02:23:37 MDT 2013 

For me the better way would be, to run serveral openldap servers in master
master replication on your
DC and several BDC. And no headache about anything.
Or just point your BSCs to authenticate against the DCs openldap. But when
your DC is down your authentication is gone.

Greetings
Daniel

-----------------------------------------------
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
-----Ursprüngliche Nachricht-----
Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] Im
Auftrag von Andrew Bartlett
Gesendet: Freitag, 21. Juni 2013 09:58
An: Philipp Lies
Cc: samba at lists.samba.org
Betreff: Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary
group SID mismatch

On Thu, 2013-06-20 at 10:26 +0200, Philipp Lies wrote:
> Hi,
> 
> I'm trying to get my new samba server running for a few days now and I 
> start losing my mind over not figuring out what I'm doing wrong. 
> Here's my setup:
> 
> OpenLDAP 2.4.21 server with ~15 groups and >100 users, all having a 
> unix and a samba NT password stored in the LDAP as well as a User SID 
> and Primary Group SID assigned and stored in the LDAP, derived from 
> the SID of the LDAP Server.
> 
> Now I want several samba servers to use the LDAP server to 
> authenticate users.

If you want multiple samba servers to use the same LDAP backend, they
essentially all need to be domain controllers of the same domain.  This is
the supported way to have a single backend shared between multiple servers.

You don't need to ever use the DC function from windows clients, but the
servers need to think they are a DC. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list