[Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch

Philipp Lies philipp.lies at cin.uni-tuebingen.de
Fri Jun 21 14:38:04 MDT 2013

Thanks for the recommendations! I was hoping that there'd be a simple
solution/config parameter to force the samba server to trust the LDAP (it's 
still puzzling me why the other machines I have do work like that).

I'll try to set up my new servers as DCs and see how this goes. The idea 
with using the samba servers for LDAP replication as well sounds 
interesting. I'll look into that as well.



On 21.06.2013 10:23, Daniel Müller wrote:
> For me the better way would be to run several OpenLDAP servers in master-master
> replication on your
> DC and several BDCs. And no headache about anything.
> Or just point your BDCs to authenticate against the DC's OpenLDAP. But when
> your DC is down your authentication is gone.
> Greetings
> Daniel
> -----------------------------------------------
> EDV Daniel Müller
> Leitung EDV
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
> -----------------------------------------------
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
> Behalf Of Andrew Bartlett
> Sent: Friday, 21 June 2013 09:58
> To: Philipp Lies
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary
> group SID mismatch
> On Thu, 2013-06-20 at 10:26 +0200, Philipp Lies wrote:
>> Hi,
>> I'm trying to get my new samba server running for a few days now and I
>> start losing my mind over not figuring out what I'm doing wrong.
>> Here's my setup:
>> OpenLDAP 2.4.21 server with ~15 groups and >100 users, all having a
>> unix and a samba NT password stored in the LDAP as well as a User SID
>> and Primary Group SID assigned and stored in the LDAP, derived from
>> the SID of the LDAP Server.
>> Now I want several samba servers to use the LDAP server to
>> authenticate users.
> If you want multiple samba servers to use the same LDAP backend, they
> essentially all need to be domain controllers of the same domain.  This is
> the supported way to have a single backend shared between multiple servers.
> You don't need to ever use the DC function from windows clients, but the
> servers need to think they are a DC.
> Andrew Bartlett

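The thread turns on two things that have to agree before several Samba servers can share one ldapsam backend: every server's local domain SID must equal the sambaSID on the sambaDomain entry, and every user's sambaSID and sambaPrimaryGroupSID must be RIDs under that same domain SID, with the primary group SID actually present on a group entry. The script below is an added example, not code from the thread or from the Samba project; it runs the check offline against constructed entries shaped like the Samba LDAP schema attributes (sambaSID, sambaPrimaryGroupSID, sambaDomainName). The domain SIDs, user names, group names and the per-server local SIDs are all made up for the example.

```python
"""Consistency check for a Samba ldapsam backend shared by several servers.

Added example for this thread; it is not code from the Samba project.
All entries below are constructed sample data: the attribute names follow
the Samba LDAP schema, the values are invented.
"""
import re
from typing import Dict, List, Tuple

# An NT domain SID is S-1-5-21-<a>-<b>-<c>; a user or group SID appends a RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
DOMAIN_USERS_RID = 513  # well-known RID of the Domain Users group


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-rid' into (domain SID, rid); raise on bad input."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain-qualified SID: {sid!r}")
    return m.group(1), int(m.group(2))


def check_users(domain_sid: str, users: List[Dict[str, str]],
                groups: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (uid, attribute, reason) for every SID that does not fit the domain.

    Checks: the user's sambaSID and sambaPrimaryGroupSID must both carry the
    backend's domain SID as prefix, and the primary group SID must be the
    sambaSID of some group entry in the same backend.
    """
    group_sids = {g["sambaSID"] for g in groups}
    problems: List[Tuple[str, str, str]] = []
    for u in users:
        uid = u["uid"]
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            value = u.get(attr)
            if value is None:
                problems.append((uid, attr, "missing"))
                continue
            try:
                prefix, _rid = split_sid(value)
            except ValueError:
                problems.append((uid, attr, "malformed"))
                continue
            if prefix != domain_sid:
                problems.append((uid, attr, f"domain prefix {prefix} != {domain_sid}"))
        pg = u.get("sambaPrimaryGroupSID")
        # Only report a missing group mapping when the prefix itself was fine,
        # so a foreign-domain SID is reported once, not twice.
        if pg and pg.startswith(domain_sid + "-") and pg not in group_sids:
            problems.append((uid, "sambaPrimaryGroupSID",
                             "no group entry carries this sambaSID"))
    return problems


def check_servers(domain_sid: str, server_sids: Dict[str, str]) -> List[str]:
    """Names of servers whose own domain SID (what `net getlocalsid` prints)
    differs from the sambaDomain entry's sambaSID. Such a server does not
    regard the backend's SIDs as belonging to its own domain."""
    return sorted(name for name, sid in server_sids.items() if sid != domain_sid)


# ---- constructed sample data (hypothetical SIDs and names) -----------------
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
OTHER_SID = "S-1-5-21-4444444444-5555555555-6666666666"

SAMPLE_GROUPS = [
    {"cn": "Domain Users", "sambaSID": f"{DOMAIN_SID}-{DOMAIN_USERS_RID}"},
    {"cn": "staff", "sambaSID": f"{DOMAIN_SID}-1001"},
]
SAMPLE_USERS = [
    # consistent: own SID and primary group in the domain, group exists
    {"uid": "alice", "sambaSID": f"{DOMAIN_SID}-1000",
     "sambaPrimaryGroupSID": f"{DOMAIN_SID}-{DOMAIN_USERS_RID}"},
    # primary group SID derived from another server's SID: the mismatch in the thread
    {"uid": "bob", "sambaSID": f"{DOMAIN_SID}-1002",
     "sambaPrimaryGroupSID": f"{OTHER_SID}-{DOMAIN_USERS_RID}"},
    # primary group SID is in the domain but no group entry carries it
    {"uid": "carol", "sambaSID": f"{DOMAIN_SID}-1004",
     "sambaPrimaryGroupSID": f"{DOMAIN_SID}-9999"},
]
# Hypothetical local SIDs of two file servers sharing the backend
SAMPLE_SERVER_SIDS = {"fs1": DOMAIN_SID, "fs2": OTHER_SID}


def run_checks() -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Run both checks on the sample data and return their findings."""
    return (check_users(DOMAIN_SID, SAMPLE_USERS, SAMPLE_GROUPS),
            check_servers(DOMAIN_SID, SAMPLE_SERVER_SIDS))


if __name__ == "__main__":
    user_problems, odd_servers = run_checks()
    for uid, attr, why in user_problems:
        print(f"{uid}: {attr}: {why}")
    for name in odd_servers:
        print(f"{name}: local SID differs from the sambaDomain SID")
```

To run it against a real backend, replace the sample lists with the output of an ldapsearch for `(objectClass=sambaSamAccount)` and `(objectClass=sambaGroupMapping)`, and fill the server map from `net getlocalsid` on each machine; a user listed under `sambaPrimaryGroupSID` with a foreign prefix is exactly the case in the subject line.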