[Samba] Multiple Standalone Servers With Single LDAP Server

Gordan Bobic gordan at bobich.net
Wed Aug 6 16:09:01 MDT 2014


On 08/06/2014 10:54 AM, Rowland Penny wrote:
> On 06/08/14 10:31, Gordan Bobic wrote:
>> On 2014-08-06 10:05, Rowland Penny wrote:
>>> On 04/08/14 16:45, Gordan Bobic wrote:
>>>> Hi,
>>>>
>>>> I'm trying to set up multiple standalone Samba servers that use the
>>>> same OpenLDAP back-end database for authentication, but on any
>>>> servers beyond the first one I cannot seem to get past the error
>>>> like the following:
>>>>
>>>> "The primary group domain sid($SecondaryServerSID) does not match
>>>> the domain sid($PrimaryServerSID) for $UserName($UserSID)"
>>>>
>>>> It seems nuts to have to set up a domain controller just to have
>>>> multiple standalone servers within the same workgroup.
>>>>
>>>> If I configure the secondary server to use a local user password
>>>> database for authentication, everything works fine, but that means
>>>> having to maintain the database in multiple locations.
>>>>
>>>> Is there a way to completely neuter all the domain functionality and
>>>> use LDAP _only_ for username/password authentication from multiple
>>>> standalone servers within the same workgroup?
>>>>
>>>> Gordan
>>>
>>> Short answer, NO
>>>
>>> Long answer, in this instance, samba is working just like a windows
>>> workgroup, you can have lots of windows machines in the same
>>> workgroup, but you have to create any users & groups that you want to
>>> connect to a machine on that machine AND any others that you want the
>>> users or groups to connect to. Once you get past 10 or 12 machines
>>> this gets complicated and hard to keep track of, this is why domains
>>> were created. Now that you know this, can you see why what you are
>>> trying to do with samba will not work.
>>
>> Now that I know this I still absolutely DO NOT see why what I am
>> trying to do with samba will not work. If it is capable of using
>> a local user authentication database, I see no reason why the
>> authentication mechanism cannot use some kind of a centralised
>> username/password verification database.
>>
>> Setting up a domain on top seems like an entirely needless complication.
>>
>> If LDAP can be used to authenticate to a single Samba server
>> in a workgroup, I see no reason at all why this would necessitate
>> existence of a domain to perform the same authentication to additional
>> Samba servers in the same workgroup.
>>
>> Gordan
> when you set up each 'standalone' server (I would have thought the name
> would have given you a hint) it gets its own SID, this is just like a
> standalone windows machine. Your machines need to have the same SID,
> this is what happens in a domain i.e. SID
> S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxx is not the same as
> S-1-5-21-yyyyyyyyyy-yyyyyyyyyy-yyyyyyyy. A user created on one machine
> cannot connect to another machine unless the user also exists on that
> machine. If you want to use a central database, you are going to have to
> use a domain, if microsoft could have got it working your way, they
> would have and not spent all the money on creating domains!

Right, OK. So is there a reason why I cannot do one of the following:

1) Make both servers have the same SID without a PDC

2) Have two sambaSID entries for the user in LDAP, each with a different 
machine SID part, but the same UID suffix and only one password entry

?

Gordan


More information about the samba mailing list