[Samba] samba 3.0.14a works with ldapsam backend but not 3.5.10-125.el6

Qing Chang qchang at sri.utoronto.ca
Wed Aug 22 12:59:01 MDT 2012



On 22/08/2012 1:15 PM, Dale Schroeder wrote:
> If you add to [global] "map untrusted to domain = Yes", does it work then?
>
> From 3.4.0 release notes:
>
> Authentication Changes
> ======================
>
> Previously, when Samba was a domain member and a client was connecting using an
> untrusted domain name, such as BOGUS\user smbd would remap the untrusted
> domain to the primary domain smbd was a member of and attempt authentication
> using that DOMAIN\user name.  This differed from how a Windows member server
> would behave.  Now, smbd will replace the BOGUS name with its SAM name.  In
> the case where smbd is acting as a PDC this will be DOMAIN\user.  In the case
> where smbd is acting as a domain member server this will be WORKSTATION\user.
> Thus, smbd will never assume that an incoming user name which is not qualified
> with the same primary domain, is part of smbd's primary domain.
>
> While this behavior matches Windows, it may break some workflows which depended
> on smbd to always pass through bogus names to the DC for verification.  A new
> parameter "map untrusted to domain" can be enabled to revert to the legacy
> behavior.
>
> Dale
>
>
Thanks, Dale.
But putting that entry in did not change anything.

Qing
>
> On 08/22/2012 8:42 AM, Qing Chang wrote:
>>
>>
>> On 21/08/2012 11:59 AM, TAKAHASHI Motonobu wrote:
>>> Have you explicitly set the RHEL box's SID same as Solaris box's?
>>> You will do this with "get|set localsid" command.
>> they are different. net setlocalsid fails:
>> [root at smb3 samba]# net setlocalsid S-1-5-21-1197990898-71428884-4196996049
>> [2012/08/22 09:02:13.228237,  0] lib/interface.c:542(load_interfaces)
>>   WARNING: no network interfaces found
>>
>> The point here is that 3.0.14a never bothered to check if a user's SID belongs to
>> the domain. It just simply sees the user and reports:
>>
>> init_sam_from_ldap: Entry found for user: qchang
>>
>>
>> On the other hand, 3.5.10-125.el6 insists that whatever SID a user has does not
>> belong to its domain, although I only set it up as a STANDALONE server:
>>
>> sid S-1-5-21-3516781642-1962875130-3438800523-41232 does not belong to our domain
>> Skipping entry uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
>>
>> If I understand right, as a STANDALONE server, Samba should only care about finding and
>> authenticating against a matching uid to Windows username on the samba server (which
>> uses LDAP),  and then using the uid and gid(s) to provide shared resources, which is the
>> behavior observed with 3.0.14a, but not with 3.5.10-125.el6.
>>
>> In fact, SID never matters with 3.0.14a, I have populated all users with the same SIDs and
>> 3.0.14a has been serving shares for years.
>>
>>> From: Qing Chang<qchang at sri.utoronto.ca>
>>> Date: Mon, 20 Aug 2012 13:23:17 -0400
>>>
>>>> we are migrating our standalone Samba server (3.0.14a) on a Solaris
>>>> 10 box to an RHEL 6.3 box.
>>>>
>>>> Testing shows that on Solaris 3.0.14a works with both the OpenLDAP
>>>> server we are currently using and the IPA2.2 server as LDAP
>>>> backend. But 3.5.10-125.el6 on  a RHEL 6.3 box does not work with
>>>> either.
>>> (snip)
>>>
>>>> pdbedit -L has different output:
>>>>
>>>> ===== 3.0.14a =====
>>>> Trying to load: ldapsam:ldap://ipa1.sri.utoronto.ca
>>>> Attempting to find an passdb backend to match ldapsam:ldap://ipa1.sri.utoronto.ca (ldapsam)
>>>> Found pdb backend ldapsam
>>>> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=OCTANE))]
>>>> smbldap_open_connection: connection opened
>>>> ldap_connect_system: succesful connection to the LDAP server
>>>> ldap_connect_system: LDAP server does support paged results
>>>> pdb backend ldapsam:ldap://ipa1.sri.utoronto.ca has a valid init
>>>> Attempting to find an passdb backend to match guest (guest)
>>>> Found pdb backend guest
>>>> pdb backend guest has a valid init
>>>> ldapsam_setsampwent: 1507 entries in the base dc=sri,dc=utoronto,dc=ca
>>>> init_sam_from_ldap: Entry found for user: qchang
>>>> =====
>>>>
>>>> ===== 3.5.10-125.el6 =====
>>>> smbldap_open_connection: connection opened
>>>> ldap_connect_system: successful connection to the LDAP server
>>>> pdb backend ldapsam:ldap://ipa1.sri.utoronto.ca has a valid init
>>>> smbldap_search_paged: base =>  [dc=sri,dc=utoronto,dc=ca], filter =>
>>>> [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize =>  [1024]
>>>> smbldap_search_paged: search was successful
>>>> sid S-1-5-21-3516781642-1962875130-3438800523-41232 does not belong to our domain
>>>> Skipping entry uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
>>>> =====
>>> ---
>>> TAKAHASHI Motonobu<monyo at monyo.com>
>> Qing

-- 
------------------
Qing Chang
Senior Systems Administrator
M6-624 Research Computing
Sunnybrook Health Sciences Centre
2075 Bayview Ave.
Toronto, Ontario,  M4N 3M5
(416) 480-6100 x3263
qchang at sri.utoronto.ca
------------------
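As an added illustration (not code from this thread or from Samba itself), a small Python audit that reproduces the check behind the "does not belong to our domain" message: it splits each LDAP sambaSID into its domain prefix and RID, lists the entries whose prefix differs from the server's local SID, and reports the prefix most entries share, which is the value an administrator would align the local SID to with `net setlocalsid`. The local SID and the qchang entry are the values quoted in the thread; the other two entries and the helper names are constructed for the example.

```python
import re
from collections import Counter

# Local SID the RHEL box tried to set with "net setlocalsid" (quoted in the thread).
LOCAL_SID = "S-1-5-21-1197990898-71428884-4196996049"

# Sample (dn, sambaSID) pairs: the first is the entry smbd skipped in the thread,
# the other two are constructed to show one more foreign SID and one local SID.
SAMPLE_ENTRIES = [
    ("uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca",
     "S-1-5-21-3516781642-1962875130-3438800523-41232"),
    ("uid=bob,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca",          # constructed
     "S-1-5-21-3516781642-1962875130-3438800523-41300"),
    ("uid=alice,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca",        # constructed
     "S-1-5-21-1197990898-71428884-4196996049-1000"),
]

# A domain user SID: S-1-5-21-<three sub-authorities>-<RID>.
_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-\d+$")


def split_sid(sid):
    """Split a user SID into (domain SID, RID); reject anything else."""
    if not _SID_RE.match(sid):
        raise ValueError(f"not a domain user SID: {sid!r}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def belongs_to_domain(sid, domain_sid):
    """True when the SID's domain prefix equals the server's local SID."""
    return split_sid(sid)[0] == domain_sid


def audit_entries(entries, domain_sid):
    """Return the (dn, sid) pairs a domain-prefix check would skip."""
    return [(dn, sid) for dn, sid in entries
            if not belongs_to_domain(sid, domain_sid)]


def most_common_domain(entries):
    """Domain prefix shared by most entries: the candidate for net setlocalsid."""
    prefixes = Counter(split_sid(sid)[0] for _, sid in entries)
    return prefixes.most_common(1)[0][0]


if __name__ == "__main__":
    for dn, sid in audit_entries(SAMPLE_ENTRIES, LOCAL_SID):
        print(f"would skip {dn}: {sid}")
    print("most entries use domain SID", most_common_domain(SAMPLE_ENTRIES))
```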


