[Samba] Multiple Standalone Servers With Single LDAP Server
Allen Chen
achen at harbourfrontcentre.com
Wed Aug 6 12:13:35 MDT 2014
On 8/6/2014 5:54 AM, Rowland Penny wrote:
> On 06/08/14 10:31, Gordan Bobic wrote:
>> On 2014-08-06 10:05, Rowland Penny wrote:
>>> On 04/08/14 16:45, Gordan Bobic wrote:
>>>> Hi,
>>>>
>>>> I'm trying to set up multiple standalone Samba servers that use the
>>>> same OpenLDAP back-end database for authentication, but on any
>>>> servers beyond the first one I cannot seem to get past the error
>>>> like the following:
>>>>
>>>> "The primary group domain sid($SecondaryServerSID) does not match
>>>> the domain sid($PrimaryServerSID) for $UserName($UserSID)"
>>>>
>>>> It seems nuts to have to set up a domain controller just to have
>>>> multiple standalone servers within the same workgroup.
>>>>
>>>> If I configure the secondary server to use a local user password
>>>> database for authentication, everything works fine, but that means
>>>> having to maintain the database in multiple locations.
>>>>
>>>> Is there a way to completely neuter all the domain functionality
>>>> and use LDAP _only_ for username/password authentication from
>>>> multiple standalone servers within the same workgroup?
>>>>
>>>> Gordan
>>>
Hi Gordan,
I don't know why you get that error message. I have 5 standalone Samba 3
file servers using one ldap server. It works perfectly.
All of them are configured with "security = user" and ldap parameters.
Can you post your smb.conf on all of your samba servers?
Allen
>>> Short answer, NO
>>>
>>> Long answer, in this instance, samba is working just like a windows
>>> workgroup, you can have lots of windows machines in the same
>>> workgroup, but you have to create any users & groups that you want to
>>> connect to a machine on that machine AND any others that you want the
>>> users or groups to connect to. Once you get past 10 or 12 machines
>>> this gets complicated and hard to keep track of, this is why domains
>>> were created. Now that you know this, can you see why what you are
>>> trying to do with samba will not work?
>>
>> Now that I know this I still absolutely DO NOT see why what I am
>> trying to do with samba will not work. If it is capable of using
>> a local user authentication database, I see no reason why the
>> authentication mechanism cannot use some kind of a centralised
>> username/password verification database.
>>
>> Setting up a domain on top seems like an entirely needless complication.
>>
>> If LDAP can be used to authenticate to a single Samba server
>> in a workgroup, I see no reason at all why this would necessitate
>> existence of a domain to perform the same authentication to additional
>> Samba servers in the same workgroup.
>>
>> Gordan
> When you set up each 'standalone' server (I would have thought the
> name would have given you a hint) it gets its own SID, this is just
> like a standalone windows machine. Your machines need to have the same
> SID, this is what happens in a domain i.e. SID
> S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxx is not the same as
> S-1-5-21-yyyyyyyyyy-yyyyyyyyyy-yyyyyyyy. A user created on one machine
> cannot connect to another machine unless the user also exists on that
> machine. If you want to use a central database, you are going to have
> to use a domain, if Microsoft could have got it working your way, they
> would have and not spent all the money on creating domains!
>
> Rowland
>
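Rowland's point, that each standalone server has its own local SID while the users stored in LDAP carry the domain part of exactly one SID, is what produces the "primary group domain sid ... does not match the domain sid" error Gordan quoted. The check below is an added example written for this thread, not code posted by anyone in it: it takes the output of `net getlocalsid` collected from each file server (constructed sample lines with made-up SIDs; on real hosts you would gather them over ssh) together with the `sambaSID` attribute of one LDAP user (also constructed), strips the RID from the user SID, and reports which servers carry a local SID whose domain part differs from the one the LDAP users were created under. Any server flagged MISMATCH will refuse those users with the error above; `net getlocalsid` and `net setlocalsid` are real Samba commands, everything else here is the example's own.

```shell
#!/bin/sh
# Constructed sample: one line per server, "host" followed by what
# `net getlocalsid` printed on that host. The SIDs are made up.
SAMPLE_LOCALSIDS='fs1 SID for domain FS1 is: S-1-5-21-1111111111-2222222222-3333333333
fs2 SID for domain FS2 is: S-1-5-21-4444444444-5555555555-6666666666
fs3 SID for domain FS3 is: S-1-5-21-1111111111-2222222222-3333333333'

# Constructed sample: the sambaSID attribute of one sambaSamAccount entry in
# the shared LDAP tree. The last component (1005) is the RID; everything
# before it is the domain part that every server must agree on.
SAMPLE_USER_SID='S-1-5-21-1111111111-2222222222-3333333333-1005'

# Strip the trailing RID: S-1-5-21-a-b-c-1005 -> S-1-5-21-a-b-c
sid_domain_part() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# Pull the SID out of a `net getlocalsid` output line.
localsid_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*is: *\(S-1-5-21-[0-9-]*\).*/\1/p'
}

# Compare every server's local SID against the domain part the LDAP users
# carry. Prints "host sid OK" or "host sid MISMATCH ..." per server and
# returns 1 if at least one server would reject the LDAP users.
check_servers() {
    lines=$1
    expected=$2
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        host=${line%% *}
        sid=$(localsid_from_line "$line")
        if [ "$sid" = "$expected" ]; then
            printf '%s %s OK\n' "$host" "$sid"
        else
            printf '%s %s MISMATCH (LDAP users carry %s)\n' "$host" "$sid" "$expected"
            rc=1
        fi
    done <<EOF
$lines
EOF
    return $rc
}

# Stand-alone run over the constructed sample.
EXPECTED=$(sid_domain_part "$SAMPLE_USER_SID")
check_servers "$SAMPLE_LOCALSIDS" "$EXPECTED" \
    || echo "at least one server has a local SID the LDAP users were not created under"
```

In the sample, fs2 is the server that would log the error from Gordan's message. Allen's working setup implies all five of his servers agree with the SID prefix in his LDAP entries; asking for every smb.conf plus this kind of SID listing is the quickest way to see where a new server diverges.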