[Samba] Multiple Standalone Servers With Single LDAP Server

Thu Aug 7 06:46:47 MDT 2014

On 08/06/14 18:09, Gordan Bobic wrote:
> On 08/06/2014 10:54 AM, Rowland Penny wrote:
>> On 06/08/14 10:31, Gordan Bobic wrote:
>>> On 2014-08-06 10:05, Rowland Penny wrote:
>>>> On 04/08/14 16:45, Gordan Bobic wrote:
>>>>> Hi,
>>>>>
>>>>> I'm trying to set up multiple standalone Samba servers that use the
>>>>> same OpenLDAP back-end database for authentication, but on any
>>>>> servers beyond the first one I cannot seem to get past the error
>>>>> like the following:
>>>>>
>>>>> "The primary group domain sid($SecondaryServerSID) does not match
>>>>> the domain sid($PrimaryServerSID) for $UserName($UserSID)"
>>>>>
>>>>> It seems nuts to have to set up a domain controller just to have
>>>>> multiple standalone servers within the same workgroup.
>>>>>
>>>>> If I configure the secondary server to use a local user password
>>>>> database for authentication, everything works fine, but that means
>>>>> having to maintain the database in multiple locations.
>>>>>
>>>>> Is there a way to completely neuter all the domain functionality and
>>>>> use LDAP _only_ for username/password authentication from multiple
>>>>> standalone servers within the same workgroup?
>>>>>
>>>>> Gordan
>>>>
>>>> Short answer, NO
>>>>
>>>> Long answer, in this instance, samba is working just like a windows
>>>> workgroup, you can have lots of windows machines in the same
>>>> workgroup, but you have to create any users & groups that you want to
>>>> connect to a machine on that machine AND any others that you want the
>>>> users or groups to connect to. Once you get past 10 or 12 machines
>>>> this gets complicated and hard to keep track of, this is why domains
>>>> were created. Now that you know this, can you see why what you are
>>>> trying to do with samba will not work.
>>>
>>> Now that I know this I still absolutely DO NOT see why what I am
>>> trying to do with samba will not work. If it is capable of using
>>> a local user authentication database, I see no reason why the
>>> authentication mechanism cannot use some kind of a centralised
>>> username/password verification database.
>>>
>>> Setting up a domain on top seems like an entirely needless 
>>> complication.
>>>
>>> If LDAP can be used to authenticate to a single Samba server
>>> in a workgroup, I see no reason at all why this would necessitate
>>> existence of a domain to perform the same authentication to additional
>>> Samba servers in the same workgroup.
>>>
>>> Gordan
>> when you set up each 'standalone' server (I would have thought the name
>> would have given you a hint) it gets its own SID, this is just like a
>> standalone windows machine. Your machines need to have the same SID,
>> this is what happens in a domain i.e. SID
>> S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxx is not the same as
>> S-1-5-21-yyyyyyyyyy-yyyyyyyyyy-yyyyyyyy. A user created on one machine
>> cannot connect to another machine unless the user also exists on that
>> machine. If you want to use a central database, you are going to have to
>> use a domain, if microsoft could have got it working your way, they
>> would have and not spent all the money on creating domains!
>
> Right, OK. So is there a reason why I cannot do one of the following:
>
> 1) Make both servers have the same SID without a PDC
>
> 2) Have two sambaSID entries for the user in LDAP, each with a 
> different machine SID part, but the same UID suffix and only one 
> password entry
>
> ?
>
> Gordan

You should be able to run "net getlocalsid" on the first machine, then 
run "net setlocalsid /sidfrom1stmachine/"  on the other machines.       
But how do you machine accounts on any Windows computers and will be 
clients of these machines?

I am pretty sure you can not have 2 sambaSID entries per user-  how 
would each server know which entry to use?

I don't understand the your goal in not using a domain model.