[Samba] Re: Re: SID problem with working samba

toni tonign at xtec.net
Thu Jan 24 16:56:20 GMT 2008

hi again,

El Thu, 24 Jan 2008 05:49:20 -0500
Jamrock <news_jamrock at yahoo.com> ha escrit:

> "toni" <tonign at xtec.net> wrote in message
> news:20080123201746.45b21417 at gamma...
> > this server has also a ldap server to resolve system users (via
> > nsswitch), and the contents are replicated from a master ldap in the
> > PDC (i think this is what you are proposing, isn't it?)
> Not really.  On a Windows 2003 domain, there are a few domain
> controllers that contain Active Directory.  Active Directory is not
> loaded on member servers.  No replication takes place there.
> The member server is configured to redirect all authentication
> requests to a domain controller.
> Chapter 7 discusses the various ways that Samba member servers can be
> configured to redirect authentication requests to a single database of
> usernames and passwords.
> You can use NSS/LDAP.  You can use NSS and Winbind.  You can use an
> adduser script if you don't want to use NSS.

i would like to use nss/ldap, because BDC and PDC use it, for
simplicity. this is what i'm trying

> The common factor in all three approaches is the fact that the pdc
> contains the authoritative list of usernames and passwords.  Member
> servers query that list.
> The member server will cache the data it sees on the pdc but the pdc
> is the definitive source.
yes, this is what i'm doing, ldap server on BDC and member server is
replicated from PDC and synchronized using slurpd. however i've changed
my ldap.conf and smb.conf to check directly against ldap on the PDC

> Look at the smb.conf file in example 7.1..  It simply tells the member
> server to look to the ldap installation on the pdc when it needs to
> authenticate users.  The /etc/nsswitch.conf is configured to use ldap
> for authentication.  The only difference here is that the ldap is
> stored on another machine.

i have same configuration (as far as i can understand) that example 7.1
shows, but with winbindd started i can't mount shares from clients and
log file shows:

[2008/01/24 17:13:32, 0, effective(0, 0), real(0, 0)] rpc_client/cli_pipe.c:cli_rpc_pipe_open_ntlmssp_internal(2362)
  cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error NT_STATUS_NETWORK_ACCESS_DENIED

if i stop winbindd, i can mount shres but i must wait the 60
seconds timeout.

i'm trying to figure out where the problem is, regards to the nss/ldap
configuration, and i think the problem is Primary Group SID, when
winbindd runs, pdbedit shows the correct value, but when it's stopped,
it shows an incorrect value (i think it causes the timeout)

thanks for your help!

my smb.conf now (complete):

    netbios name = SERVER
    workgroup = DOMAIN
    local master = no
    security = domain
    password server = *
    mangling method = hash2
    encrypt passwords = yes
    passdb backend = ldapsam:"ldaps://pdc ldap://localhost"
    idmap backend = ldap:"ldaps://pdc ldap://localhost"
    ldap suffix = dc=domain,dc=intranet
    ldap admin dn = cn=Manager,dc=domain,dc=intranet
    ldap ssl = yes
    ldap machine suffix = ou=Machines
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap passwd sync = Yes
    ldap delete dn = Yes
    add user script = /opt/smbldap_tools-0.9.1/smbldap-useradd -a '%u'
    delete user script = /opt/smbldap_tools-0.9.1/smbldap-userdel '%u'
    add group script = /opt/smbldap_tools-0.9.1/smbldap-groupadd -p '%g'
    delete group script = /opt/smbldap_tools-0.9.1/smbldap-groupdel '%g'
    add user to group script 
= /opt/smbldap_tools-0.9.1/smbldap-groupmod -m '%u' '%g' delete user 
from group script = /opt/smbldap_tools-0.9.1/smbldap-groupmod -x '%u' 
'%g' set primary group script
= /opt/smbldap_tools-0.9.1/smbldap-usermod -g '%g' '%u' add machine
script = /opt/smbldap_tools-0.9.1/smbldap-useradd -w '%u' passwd
program = /opt/smbldap_tools-0.9.1/smbldap-passwd '%u' passwd chat =
*ew*password* %n\n *new*password* %n\n passwd chat debug = Yes socket
SO_SNDBUF=8192 interfaces = eth0 name resolve order = hosts wins
lmhosts bcast dos charset = CP850
    unix charset = ISO8859-1
    wins server =
    time server = yes
    log file = /var/log/samba/samba.%m.log
    log level = 0
    max log size = 100000
    debug uid = yes
    load printers = yes
    printing = cups
    printcap name = cups
    cups server =
    enable privileges = yes
    nt acl support = yes
    inherit acls = Yes
    unix password sync = no
    unix extensions = no

More information about the samba mailing list