[Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch

Andrew Bartlett abartlet at samba.org
Fri Jun 21 01:58:20 MDT 2013

On Thu, 2013-06-20 at 10:26 +0200, Philipp Lies wrote:
> Hi,
> I'm trying to get my new samba server running for a few days now and I
> start losing my mind over not figuring out what I'm doing wrong. Here's
> my setup:
> OpenLDAP 2.4.21 server with ~15 groups and >100 users, all having a unix
> and a samba NT password stored in the LDAP as well as a User SID and
> Primary Group SID assigned and stored in the LDAP, derived from the SID
> of the LDAP Server.
> Now I want several samba servers to use the LDAP server to authenticate
> users.

If you want multiple samba servers to use the same LDAP backend, they
essentially all need to be domain controllers of the same domain.  This
is the supported way to have a single backend shared between multiple

You don't need to ever use the DC function from Windows clients, but the
servers need to think they are a DC.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
