[Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Jun 20 09:12:16 MDT 2013

OK.  I understand (at least a little better.)

So the correct behaviour would be for the standalone workgroup machines 
to say  "I don't know who DOMAIN/user1 is, so I will map to local 
user1."     The standalone  servers should be using LDAP for unix 
accounts put I don't think you really should use the common LDAP backend 
for samba accounts.    You would need to use smbpasswd or pdbedit to 
create local samba users on each member server, which means the member 
server would each use a local tdb database not ldap for samba.

If you want to centralize the samba accounts I think the proper way 
would be to  use member servers.

That being said, if the current set up is working on some machines but 
not  others, I would run "testparm -v" on each domain member and see if 
there are differences on mapping behavior.   Different os's may have 
slightly different versions of samba and the default smb.conf paramaters 
may have changed.  Also run "net groupmap list
" on each member server.   You may need to explicitly set group mappings 
for key windows groups.    (i.e. the group sid maps to a unix group.)

# net groupmap list
Administrators (S-1-5-32-544) -> Builtin Admins
Users (S-1-5-32-545) -> Builtin Users

  getent group "Builtin Admins"
Builtin Admins::544:
# getent group "Builtin Admins"

On 06/20/13 10:40, Philipp Lies wrote:
> On 20.06.2013 15:04, Gaiseric Vandal wrote:
>> If I follow correctly the LDAP server is NOT in the domain?   The 
>> Samba accounts should be using the SID of the Samba PDC not the SID 
>> of the  LDAP server.     This of course means that a Samba member 
>> server can't use the same LDAP back end (at least for Samba 
>> authentication.)
> The LDAP server is the PDC, however, there are no domain members. All 
> my samba servers are standalone servers which are not domain members. 
> This seems to work nicely with my debian machines but not the centos 
> ones.
>> On 06/20/13 04:26, Philipp Lies wrote:
>>> Hi,
>>> I'm trying to get my new samba server running for a few days now and I
>>> start losing my mind over not figuring out what I'm doing wrong. Here's
>>> my setup:
>>> OpenLDAP 2.4.21 server with ~15 groups and >100 users, all having a 
>>> unix
>>> and a samba NT password stored in the LDAP as well as a User SID and
>>> Primary Group SID assigned and stored in the LDAP, derived from the SID
>>> of the LDAP Server.
>>> Now I want several samba servers to use the LDAP server to authenticate
>>> users.
>>> One samba server is a CentOS 6.3 configured with NSS/PAM using the ldap
>>> server. getent passwd/group returns all users and ssh to the samba
>>> machine works for all users. Samba is v3.6.9-151.el6. Now here's the
>>> smb.conf (I removed the shares):
>>>      [global]
>>>      workgroup = XXXXX
>>>      security = user
>>>      passdb backend = ldapsam:ldap://myldapserver
>>>      ldap suffix = dc=mydomain,dc=com
>>>      ldap admin dn = cn=replicator,dc=mydomain,dc=com
>>>      ldap user suffix = ou=users
>>>      ldap group suffix = ou=groups
>>>      ldap machine suffix = ou=computers
>>>      ldap ssl = start tls
>>> The ldap connection works, as `pdbedit -L` shows
>>>      pm_process() returned Yes
>>>      smbldap_search_domain_info: Searching
>>> for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBAHOSTNAME))]
>>>      StartTLS issued: using a TLS connection
>>>      smbldap_open_connection: connection opened
>>>      ldap_connect_system: successful connection to the LDAP server
>>>      The LDAP server is successfully connected
>>>      smbldap_search_paged: base => [dc=mydomain,dc=com], filter =>
>>> [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => 
>>> [1024]
>>>      smbldap_search_paged: search was successful
>>>      sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain
>>> and then the last message repeats for all uids.
>>> Using `smbclient -L localhost -U someid` the log file says:
>>>      check_ntlm_password:  Checking password for unmapped user
>>> [XXX]\[someid]@[SAMBAHOST] with the new password interface
>>>      check_ntlm_password:  mapped user is: 
>>> [SAMBAHOST]\[someid]@[SAMBAHOST]
>>>      StartTLS issued: using a TLS connection
>>>      smbldap_open_connection: connection opened
>>>      ldap_connect_system: successful connection to the LDAP server
>>>      The LDAP server is successfully connected
>>>      init_sam_from_ldap: Entry found for user: someid
>>>      Home server: SAMBAHOST
>>>      Home server: SAMBAHOST
>>>      init_group_from_ldap: Entry found for group: 1011
>>>      init_group_from_ldap: Entry found for group: 1011
>>>      Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN
>>> and not a domain group
>>>      Forcing Primary Group to 'Domain Users' for someid
>>>      ntlm_password_check: Checking NTLMv2 password with domain [CIN]
>>>      sam_account_ok: Checking SMB password for user someid
>>>      The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not 
>>> match
>>> the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708)
>>>      check_sam_security: make_server_info_sam() failed with
>>>      check_ntlm_password:  Authentication for user [someid] -> [someid]
>>> What I see here is that the samba server does not recognize the primary
>>> group of the user (which is an existing group in the LDAP) and therefor
>>> maps the primary group to its local "Domain Users" group which then
>>> obviously does not match the domainSID of the userid.
>>> But why doesn't the samba server recognize the group? Or is there a
>>> different underlying problem?
>>> What I tried so far:
>>> Changing the SID of the samba server to the SID of the LDAP server, but
>>> `net setlocalsid S-...` did not change the local SID. No error message,
>>> just executed successfully but getlocalsid returned the old SID.
>>> Setting the domainsid of the samba server to the SID of the ldap 
>>> server.
>>> `net setdomainsid S-...` was successful but the samba server still
>>> refuses to authenticate the users.
>>> Tried adding the server to the domain with `net join XXX` but the 
>>> answer
>>> was just "standalone server cannot join domain".
>>> I tried to run `smbpasswd -a` to add the user to the local samba db
>>> (even though this would not be an option for the final solution, but
>>> that's what other users recommended), but the error didn't change.
>>> How can I either tell samba to ignore the domain SID mismatch or force
>>> samba to have the same SID as the LDAP? Or would this cause other
>>> problems if ~10 Samba Server and the LDAP in the end all have the exact
>>> same SID?
>>> Strangely I have debian/ubuntu servers where I have the same
>>> configuration but there it works. The difference I see is that in the
>>> debian system after the "Primary Group ... is UNKNOWN" there is no
>>> forcing to "Domain Users" as group and samba just checks the 
>>> password of
>>> the user and doesn't care about the primary group SID.
>>> Any ideas what I'm missing there?
>>> Philipp

More information about the samba mailing list