[Samba] Multiple Standalone Servers With Single LDAP Server

Rowland Penny rowlandpenny at googlemail.com
Wed Aug 6 03:54:23 MDT 2014

On 06/08/14 10:31, Gordan Bobic wrote:
> On 2014-08-06 10:05, Rowland Penny wrote:
>> On 04/08/14 16:45, Gordan Bobic wrote:
>>> Hi,
>>> I'm trying to set up multiple standalone Samba servers that use the 
>>> same OpenLDAP back-end database for authentication, but on any 
>>> servers beyond the first one I cannot seem to get past an error 
>>> like the following:
>>> "The primary group domain sid($SecondaryServerSID) does not match 
>>> the domain sid($PrimaryServerSID) for $UserName($UserSID)"
>>> It seems nuts to have to set up a domain controller just to have 
>>> multiple standalone servers within the same workgroup.
>>> If I configure the secondary server to use a local user password 
>>> database for authentication, everything works fine, but that means 
>>> having to maintain the database in multiple locations.
>>> Is there a way to completely neuter all the domain functionality and 
>>> use LDAP _only_ for username/password authentication from multiple 
>>> standalone servers within the same workgroup?
>>> Gordan
>> Short answer: NO.
>> Long answer: in this instance, samba is working just like a Windows
>> workgroup. You can have lots of Windows machines in the same
>> workgroup, but you have to create any users & groups that you want to
>> connect to a machine on that machine AND on any others that you want the
>> users or groups to connect to. Once you get past 10 or 12 machines
>> this gets complicated and hard to keep track of; this is why domains
>> were created. Now that you know this, can you see why what you are
>> trying to do with samba will not work?
> Now that I know this I still absolutely DO NOT see why what I am
> trying to do with samba will not work. If it is capable of using
> a local user authentication database, I see no reason why the
> authentication mechanism cannot use some kind of a centralised
> username/password verification database.
> Setting up a domain on top seems like an entirely needless complication.
> If LDAP can be used to authenticate to a single Samba server
> in a workgroup, I see no reason at all why this would necessitate
> the existence of a domain to perform the same authentication to additional
> Samba servers in the same workgroup.
> Gordan
When you set up each 'standalone' server (I would have thought the name 
would have given you a hint) it gets its own SID; this is just like a 
standalone Windows machine. Your machines need to have the same SID, 
and this is what happens in a domain, i.e. SID 
S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxx is not the same as 
S-1-5-21-yyyyyyyyyy-yyyyyyyyyy-yyyyyyyy. A user created on one machine 
cannot connect to another machine unless the user also exists on that 
machine. If you want to use a central database, you are going to have to 
use a domain; if Microsoft could have got it working your way, they 
would have and not spent all the money on creating domains!
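The SID mismatch behind the error quoted at the top of the thread can be checked directly against the LDAP entries. The script below is an added example, not code from the thread or from Samba; it assumes the sambaSamAccount attribute names sambaSID and sambaPrimaryGroupSID, and the server SID and LDAP entries in it are constructed sample values.

```python
import re

# Samba/Windows SID layout: S-1-5-21-<sub1>-<sub2>-<sub3>[-<RID>]
# The three sub-authorities after "21" identify one machine or domain; the
# trailing RID identifies one user or group inside it. Each standalone
# server generates its own triple, so an LDAP entry stamped by server A
# carries a domain prefix that server B will reject.
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)(?:-(\d+))?$")


def split_sid(sid):
    """Return (domain_sid, rid); rid is None for a bare domain SID."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain-style SID: {sid}")
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


def check_entries(server_domain_sid, entries):
    """Find LDAP entries whose SIDs do not belong to server_domain_sid.

    entries: dicts with keys uid, sambaSID, sambaPrimaryGroupSID (the
    sambaSamAccount attributes Samba consults at logon). Returns a list of
    (uid, attribute, offending_domain_sid); empty means every entry fits.
    """
    problems = []
    for entry in entries:
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            domain, _rid = split_sid(entry[attr])
            if domain != server_domain_sid:
                problems.append((entry["uid"], attr, domain))
    return problems


# Constructed sample data: the second server's own domain SID, one entry
# created by the first server, and one that was created on this server.
SERVER_B_SID = "S-1-5-21-2222222222-3333333333-4444444444"
SAMPLE_ENTRIES = [
    {"uid": "gordan",
     "sambaSID": "S-1-5-21-1111111111-1111111111-1111111111-1000",
     "sambaPrimaryGroupSID": "S-1-5-21-1111111111-1111111111-1111111111-513"},
    {"uid": "local",
     "sambaSID": SERVER_B_SID + "-1002",
     "sambaPrimaryGroupSID": SERVER_B_SID + "-513"},
]

if __name__ == "__main__":
    for uid, attr, domain in check_entries(SERVER_B_SID, SAMPLE_ENTRIES):
        print(f"{uid}: {attr} belongs to {domain}, not {SERVER_B_SID}")
```

Run it with the real SID of each server (as reported by `net getlocalsid`) and an export of the sambaSamAccount entries to see which server, if any, the shared entries actually belong to.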