[Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch

Philipp Lies philipp.lies at cin.uni-tuebingen.de
Thu Jun 20 02:26:57 MDT 2013


I'm trying to get my new samba server running for a few days now and I
start losing my mind over not figuring out what I'm doing wrong. Here's
my setup:

OpenLDAP 2.4.21 server with ~15 groups and >100 users, all having a unix
and a samba NT password stored in the LDAP as well as a User SID and
Primary Group SID assigned and stored in the LDAP, derived from the SID
of the LDAP Server.

Now I want several samba servers to use the LDAP server to authenticate.
One samba server is a CentOS 6.3 configured with NSS/PAM using the ldap
server. getent passwd/group returns all users and ssh to the samba
machine works for all users. Samba is v3.6.9-151.el6. Now here's the
smb.conf (I removed the shares):

    workgroup = XXXXX
    security = user
    passdb backend = ldapsam:ldap://myldapserver
    ldap suffix = dc=mydomain,dc=com
    ldap admin dn = cn=replicator,dc=mydomain,dc=com
    ldap user suffix = ou=users
    ldap group suffix = ou=groups
    ldap machine suffix = ou=computers
    ldap ssl = start tls

The ldap connection works, as `pdbedit -L` shows:

    pm_process() returned Yes
    smbldap_search_domain_info: Searching
    StartTLS issued: using a TLS connection
    smbldap_open_connection: connection opened
    ldap_connect_system: successful connection to the LDAP server
    The LDAP server is successfully connected
    smbldap_search_paged: base => [dc=mydomain,dc=com], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
    smbldap_search_paged: search was successful
    sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain

and then the last message repeats for all uids.
Using `smbclient -L localhost -U someid` the log file says:

    check_ntlm_password:  Checking password for unmapped user [XXX]\[someid]@[SAMBAHOST] with the new password interface
    check_ntlm_password:  mapped user is: [SAMBAHOST]\[someid]@[SAMBAHOST]
    StartTLS issued: using a TLS connection
    smbldap_open_connection: connection opened
    ldap_connect_system: successful connection to the LDAP server
    The LDAP server is successfully connected
    init_sam_from_ldap: Entry found for user: someid
    Home server: SAMBAHOST
    Home server: SAMBAHOST
    init_group_from_ldap: Entry found for group: 1011
    init_group_from_ldap: Entry found for group: 1011
    Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN and not a domain group
    Forcing Primary Group to 'Domain Users' for someid
    ntlm_password_check: Checking NTLMv2 password with domain [CIN]
    sam_account_ok: Checking SMB password for user someid
    The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not match the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708)
    check_sam_security: make_server_info_sam() failed with
    check_ntlm_password:  Authentication for user [someid] -> [someid]

What I see here is that the samba server does not recognize the primary
group of the user (which is an existing group in the LDAP) and therefore
maps the primary group to its local "Domain Users" group, which then
obviously does not match the domain SID of the userid.
But why doesn't the samba server recognize the group? Or is there a
different underlying problem?

What I tried so far:

Changing the SID of the samba server to the SID of the LDAP server, but
`net setlocalsid S-...` did not change the local SID. No error message,
just executed successfully but getlocalsid returned the old SID.

Setting the domainsid of the samba server to the SID of the ldap server.
`net setdomainsid S-...` was successful but the samba server still
refuses to authenticate the users.

Tried adding the server to the domain with `net join XXX` but the answer
was just "standalone server cannot join domain".

I tried to run `smbpasswd -a` to add the user to the local samba db
(this would not be an option for the final solution, but it's what
other users recommended), but the error didn't change.

How can I either tell samba to ignore the domain SID mismatch or force
samba to have the same SID as the LDAP? Or would this cause other
problems if ~10 Samba servers and the LDAP in the end all have the exact
same SID?

Strangely, I have debian/ubuntu servers where I have the same
configuration, but there it works. The difference I see is that on the
debian system, after the "Primary Group ... is UNKNOWN" message there is no
forcing to "Domain Users" as group; samba just checks the password of
the user and doesn't care about the primary group SID.

Any ideas what I'm missing there?
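The two checks that fail in the log above (user SID and primary group SID must share the server's domain SID, and the primary group SID must resolve to a known group mapping) can be run offline against exported LDAP attributes before touching smb.conf. The following is an added example, not code from the post or from Samba; the SID values and the group entry are constructed, and the attribute names are the standard sambaSamAccount / sambaGroupMapping ones.

```python
import re
from typing import Dict, List

# Domain SIDs have the shape S-1-5-21-<sub1>-<sub2>-<sub3>; the trailing
# number is the RID of the user or group inside that domain.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed stand-ins for [LDAPSID] and [LOCALSID] from the log.
LDAP_SID = "S-1-5-21-1111111111-2222222222-3333333333"
LOCAL_SID = "S-1-5-21-4444444444-5555555555-6666666666"

# Constructed LDAP entries mirroring the post: user someid (RID 5708),
# primary group RID 1000, and a group mapping whose sambaSID uses a
# different RID, so the primary group SID is "UNKNOWN" to Samba.
USER = {"uid": "someid", "sambaSID": f"{LDAP_SID}-5708",
        "sambaPrimaryGroupSID": f"{LDAP_SID}-1000"}
GROUPS = [{"cn": "users", "gidNumber": "1011", "sambaSID": f"{LDAP_SID}-3023"}]


def split_sid(sid: str):
    """Return (domain_prefix, rid); reject anything that is not a domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return m.group(1), int(m.group(2))


def check_user(user: Dict[str, str], groups: List[Dict[str, str]],
               domain_sid: str) -> List[str]:
    """Reproduce the consistency checks behind the log messages above."""
    problems = []
    user_dom, _ = split_sid(user["sambaSID"])
    if user_dom != domain_sid:
        problems.append(f"user SID {user['sambaSID']} does not belong to "
                        f"domain {domain_sid}")
    pg_sid = user["sambaPrimaryGroupSID"]
    pg_dom, _ = split_sid(pg_sid)
    if pg_dom != domain_sid:
        problems.append(f"primary group SID {pg_sid} is not a domain group")
    if pg_sid not in {g["sambaSID"] for g in groups}:
        problems.append(f"primary group SID {pg_sid} has no sambaGroupMapping")
    return problems


if __name__ == "__main__":
    for dom in (LOCAL_SID, LDAP_SID):
        print(f"checking {USER['uid']} against domain SID {dom}:")
        for p in check_user(USER, GROUPS, dom) or ["ok"]:
            print("  ", p)
```

Run against the server's own SID (`net getlocalsid`) the first branch reports all three problems; run against the LDAP SID only the missing group mapping remains.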

