[Samba] samba 3.0.14a works with ldapsam backend but not 3.5.10-125.el6

Qing Chang qchang at sri.utoronto.ca
Tue Sep 4 13:59:25 MDT 2012


On 22/08/2012 9:42 AM, Qing Chang wrote:
>
>
> On 21/08/2012 11:59 AM, TAKAHASHI Motonobu wrote:
>> Have you explicitly set the RHEL box's SID same as Solaris box's?
>> You will do this with "get|set localsid" command.
> they are different. net setlocalsid fails:
> [root at smb3 samba]# net setlocalsid S-1-5-21-1197990898-71428884-4196996049
> [2012/08/22 09:02:13.228237,  0] lib/interface.c:542(load_interfaces)
>   WARNING: no network interfaces found
>
> The point here is that 3.0.14a never bothered to check if a user's SID belongs to
> the domain. It just simply sees the user and reports:
>
> init_sam_from_ldap: Entry found for user: qchang
>
>
> On the other hand, 3.5.10-125.el6 insists that whatever SID a user has does not
> belong to its domain, although I only set it up as a STANDALONE server:
>
> sid S-1-5-21-3516781642-1962875130-3438800523-41232 does not belong to our domain
> Skipping entry uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
>
> If I understand right, as a STANDALONE server, Samba should only care about finding and
> authenticating against a matching uid to Windows username on the samba server (which
> uses LDAP), and then using the uid and gid(s) to provide shared resources, which is the
> behavior observed with 3.0.14a, but not with 3.5.10-125.el6.
>
> In fact, SID never matters with 3.0.14a, I have populated all users with the same SIDs and
> 3.0.14a has been serving shares for years.
>
>> From: Qing Chang<qchang at sri.utoronto.ca>
>> Date: Mon, 20 Aug 2012 13:23:17 -0400
>>
>>> we are migrating our standalone Samba server (3.0.14a) on a Solaris
>>> 10 box to an RHEL 6.3 box.
>>>
>>> Testing shows that on Solaris 3.0.14a works with both the OpenLDAP
>>> server we are currently using and the IPA2.2 server as LDAP
>>> backend. But 3.5.10-125.el6 on  a RHEL 6.3 box does not work with
>>> either.
>> (snip)
>>
>>> pdbedit -L has different output:
>>>
>>> ===== 3.0.14a =====
>>> Trying to load: ldapsam:ldap://ipa1.sri.utoronto.ca
>>> Attempting to find an passdb backend to match ldapsam:ldap://ipa1.sri.utoronto.ca (ldapsam)
>>> Found pdb backend ldapsam
>>> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=OCTANE))]
>>> smbldap_open_connection: connection opened
>>> ldap_connect_system: succesful connection to the LDAP server
>>> ldap_connect_system: LDAP server does support paged results
>>> pdb backend ldapsam:ldap://ipa1.sri.utoronto.ca has a valid init
>>> Attempting to find an passdb backend to match guest (guest)
>>> Found pdb backend guest
>>> pdb backend guest has a valid init
>>> ldapsam_setsampwent: 1507 entries in the base dc=sri,dc=utoronto,dc=ca
>>> init_sam_from_ldap: Entry found for user: qchang
>>> =====
>>>
>>> ===== 3.5.10-125.el6 =====
>>> smbldap_open_connection: connection opened
>>> ldap_connect_system: successful connection to the LDAP server
>>> pdb backend ldapsam:ldap://ipa1.sri.utoronto.ca has a valid init
>>> smbldap_search_paged: base =>  [dc=sri,dc=utoronto,dc=ca], filter =>
>>> [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize =>  [1024]
>>> smbldap_search_paged: search was successful
>>> sid S-1-5-21-3516781642-1962875130-3438800523-41232 does not belong to our domain
>>> Skipping entry uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
>>> =====
>> ---
>> TAKAHASHI Motonobu<monyo at monyo.com>
> Qing
Is there any samba developer that can please clarify the following one way or the other?
=====
If I understand right, as a STANDALONE server, Samba should only care about finding and
authenticating against a matching uid to Windows username on the samba server (which
uses LDAP), and then using the uid and gid(s) to provide shared resources, which is the
behavior observed with 3.0.14a, but not with 3.5.10-125.el6.

In fact, SID never matters with 3.0.14a, I have populated all users with the same SIDs and
3.0.14a has been serving shares for years.

Thank you very much!

Qing

