[Samba] Question(s) about user mapping

Rowland Penny rowlandpenny at googlemail.com
Fri Jul 18 13:12:56 MDT 2014


On 18/07/14 19:59, Jon Yeargers wrote:
> When I attempt to put 'security = ADS' in here the samba service won't start. Is this what you are referring to?
To get the smb.conf you posted, you must have run 'samba-tool domain 
provision' with various options, ergo you are now running an AD DC. You 
cannot add 'security = ADS'; this belongs only on a client or member server.

>
> This system is the PDC (beanbag). This system is running sssd to authenticate against a separate LDAP server. I can ssh to the machine using accounts from the LDAP machine. I just can't use Windows logins in the same manner.

Have you joined ANY machines to your new AD DC? If not, then don't, 
until you decide where you want to end up.

If you have joined any machines, then there is no going back without 
re-installing those Windows machines.

You need to decide what you want. If you decide to use the AD DC, then 
your clients will authenticate to this; an AD DC does not authenticate 
to anything, it is the authenticator!

You can run samba4 just like samba3, i.e. in what is known as 'classic' mode.

So, having said all that, where do you need to be from here? Just what 
are you trying to attain?

Rowland

>
> It's clear that I've done something incorrectly here. Hopefully it's obvious to someone on this list.
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
> Sent: Friday, July 18, 2014 11:56 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Question(s) about user mapping
>
> On 18/07/14 19:47, Jon Yeargers wrote:
>> (apologies)
>> # Global parameters
>> [global]
>>           workgroup = BME
>>           realm = DOMAIN.EDU
>>           netbios name = BEANBAG
>>
>>           encrypt passwords = yes
>>           log level = 5
>>
>>           server role = active directory domain controller
>>           dns forwarder = 137.10.10.10
>>           idmap_ldb:use rfc2307 = yes
>>
>>           map untrusted to domain = Yes
>>
>> [netlogon]
>>           path = /usr/local/samba/var/locks/sysvol/domain.edu/scripts
>>           read only = No
>>
>> [sysvol]
>>           path = /usr/local/samba/var/locks/sysvol
>>           read only = No
>>
>>
>> What other configs are relevant here?
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>> Sent: Friday, July 18, 2014 9:49 AM
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Question(s) about user mapping
>>
>> On 18/07/14 17:14, Jon Yeargers wrote:
>>> I've set up samba4 to authenticate against a separate LDAP server. I can ssh to my server, but attempts to log in to a Windows 7 member server using the LDAP domain are not working.
>>>
>>> Relevant errors:
>>>
>>> [2014/07/18 06:46:28.177400,  3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)     auth_check_password_send: Checking password for unmapped user [ldapdom]\[user]@[win7host]    auth_check_password_send: mapped user is: [sambadom]\[user]@[win7host]
>>>
>>> [2014/07/18 06:46:28.178098,  3] ../source4/auth/ntlm/auth_sam.c:61(authsam_search_account)      sam_search_user: Couldn't find user [user] in samdb, under C=dom,DC=server,DC=edu
>>>
>>> [2014/07/18 06:46:28.178184,  2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)      auth_check_password_recv: sam_ignoredomain authentication for user [sambadom\user]    FAILED with error NT_STATUS_NO_SUCH_USER
>>>
>>>
>>> It appears that some manner of user id mapping is being searched for. What I really want is for it to preserve and use the domain that was passed in rather than substituting it.
>>>
>>> CentOS 6.4 x64
>>> Samba 4.1.0
>>> Sssd 1.9.2
>> Hi, I think that you are going to have to give us some more info here,
>> smb.conf etc.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
> You posted 'I've set up samba4 to authenticate against a separate LDAP server', yet now you post that your samba4 server is running as an AD DC; I was expecting that you were running samba4 as an NT style PDC.
>
> Have you joined the Windows machines to your AD DC?
>
> Rowland
>
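An added example, not code from the thread or from the Samba project: it parses the three log lines Jon quoted and flags the case the thread is about, the client-supplied domain being replaced before the SAM lookup and the attempt then failing with NT_STATUS_NO_SUCH_USER. The sample log is constructed from the excerpt (the poster's [placeholder] names are kept), and the regexes assume the `[domain]\[user]@[workstation]` layout exactly as it appears there.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the log excerpt quoted in the thread
# (the poster's [placeholder] names are kept as-is).
SAMPLE_LOG = r"""
[2014/07/18 06:46:28.177400,  3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)     auth_check_password_send: Checking password for unmapped user [ldapdom]\[user]@[win7host]    auth_check_password_send: mapped user is: [sambadom]\[user]@[win7host]
[2014/07/18 06:46:28.178098,  3] ../source4/auth/ntlm/auth_sam.c:61(authsam_search_account)      sam_search_user: Couldn't find user [user] in samdb, under C=dom,DC=server,DC=edu
[2014/07/18 06:46:28.178184,  2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)      auth_check_password_recv: sam_ignoredomain authentication for user [sambadom\user]    FAILED with error NT_STATUS_NO_SUCH_USER
"""

# The three message shapes in the excerpt: [domain]\[user]@[workstation] and [domain\user]
UNMAPPED_RE = re.compile(r"unmapped user \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")
MAPPED_RE = re.compile(r"mapped user is: \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")
FAILED_RE = re.compile(r"authentication for user \[([^\\\]]*)\\([^\]]*)\]\s+FAILED with error (NT_STATUS_\w+)")

@dataclass
class AuthAttempt:
    user: str
    workstation: str
    requested_domain: str   # domain the client actually sent
    mapped_domain: str      # domain the DC substituted before the SAM lookup
    status: Optional[str] = None

    @property
    def domain_rewritten(self) -> bool:
        # True when the DC did not authenticate against the domain the client asked for
        return self.requested_domain.lower() != self.mapped_domain.lower()

def parse_auth_log(text: str) -> List[AuthAttempt]:
    """Pair each unmapped/mapped line with the FAILED line that follows it for the same user."""
    attempts: List[AuthAttempt] = []
    pending: Optional[AuthAttempt] = None
    for line in text.splitlines():
        um, m = UNMAPPED_RE.search(line), MAPPED_RE.search(line)
        if um and m:
            pending = AuthAttempt(user=um.group(2), workstation=um.group(3),
                                  requested_domain=um.group(1), mapped_domain=m.group(1))
            continue
        f = FAILED_RE.search(line)
        if f and pending and f.group(2) == pending.user:
            pending.status = f.group(3)
            attempts.append(pending)
            pending = None
    return attempts

def rewritten_failures(text: str) -> List[AuthAttempt]:
    """Only the failures where the DC replaced the client's domain: the symptom in this thread."""
    return [a for a in parse_auth_log(text) if a.domain_rewritten]
```

Run over a real log at the same log level, the output lists every logon that failed after a domain substitution, which is the quickest way to confirm whether the mapping described above is what is rejecting the Windows logons.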
