[Samba] Question(s) about user mapping

Rowland Penny rowlandpenny at googlemail.com
Fri Jul 18 15:44:46 MDT 2014


On 18/07/14 21:12, Jon Yeargers wrote:
> So there isn't a way for samba to use SSSD to authenticate?

The samba AD DC can use sssd, but it will authenticate users held in AD, 
not your other LDAP machine.
>
> Yes, there are machines joined to the domain. What's the issue with un-joining them?

OH dear, if you join a machine to the AD domain, you can never go back 
to an NT4 style domain, without totally re-installing windows.

Rowland

>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
> Sent: Friday, July 18, 2014 12:13 PM
> To: sambalist
> Subject: Re: [Samba] Question(s) about user mapping
>
> On 18/07/14 19:59, Jon Yeargers wrote:
>> When I attempt to put 'security = ADS' in here the samba service won't start.  Is this what you are referring to?
> To get the smb.conf you posted, you must have run 'samba-tool domain provision' with various options, ergo you are now running an AD DC, you cannot add 'security = ADS', this belongs only on a client or member server.
>
>> This system is the PDC (beanbag). This system is running sssd to authenticate against a separate LDAP server. I can ssh to the machine using accounts from the LDAP machine. I just can't use windows logins in the same manner.
> Have you joined ANY machines to your new AD DC? If not, then don't,
> until you decide where you want to end up.
>
> If you have joined any machines, then there is no going back without
> re-installing those windows machines.
>
> You need to decide what you want, if you decide to use the AD DC, then
> your clients will authenticate to this, an AD DC does not authenticate
> to anything, it is the authenticator!
>
> You can run samba4 just like samba3, i.e. in what is known as 'classic' mode.
>
> So having said all that, where do you need to be from here ?? just what
> are you trying to attain ??
>
> Rowland
>
>> It's clear that I've done something incorrectly here. Hopefully it's obvious to someone on this list.
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>> Sent: Friday, July 18, 2014 11:56 AM
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Question(s) about user mapping
>>
>> On 18/07/14 19:47, Jon Yeargers wrote:
>>> (apologies)
>>> # Global parameters
>>> [global]
>>>            workgroup = BME
>>>            realm = DOMAIN.EDU
>>>            netbios name = BEANBAG
>>>
>>>            encrypt passwords = yes
>>>            log level = 5
>>>
>>>            server role = active directory domain controller
>>>            dns forwarder = 137.10.10.10
>>>            idmap_ldb:use rfc2307 = yes
>>>
>>>            map untrusted to domain = Yes
>>>
>>> [netlogon]
>>>            path = /usr/local/samba/var/locks/sysvol/domain.edu/scripts
>>>            read only = No
>>>
>>> [sysvol]
>>>            path = /usr/local/samba/var/locks/sysvol
>>>            read only = No
>>>
>>>
>>> What other configs are relevant here?
>>>
>>> -----Original Message-----
>>> From: samba-bounces at lists.samba.org
>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>>> Sent: Friday, July 18, 2014 9:49 AM
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Question(s) about user mapping
>>>
>>> On 18/07/14 17:14, Jon Yeargers wrote:
>>>> I've setup samba4 to authenticate against a separate LDAP server. I can ssh to my server but attempts to login to a windows7 member server using the ldap domain are not working.
>>>>
>>>> Relevant errors:
>>>>
>>>> [2014/07/18 06:46:28.177400,  3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)     auth_check_password_send: Checking password for unmapped user [ldapdom]\[user]@[win7host]    auth_check_password_send: mapped user is: [sambadom]\[user]@[win7host]
>>>>
>>>> [2014/07/18 06:46:28.178098,  3] ../source4/auth/ntlm/auth_sam.c:61(authsam_search_account)      sam_search_user: Couldn't find user [user] in samdb, under C=dom,DC=server,DC=edu
>>>>
>>>> [2014/07/18 06:46:28.178184,  2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)      auth_check_password_recv: sam_ignoredomain authentication for user [sambadom\user]    FAILED with error NT_STATUS_NO_SUCH_USER
>>>>
>>>>
>>>> It appears that some manner of user id mapping is being searched for. What I really want is for it to preserve and use the domain that was passed in rather than substituting it.
>>>>
>>>> CentOS 6.4 x64
>>>> Samba 4.1.0
>>>> Sssd 1.9.2
>>> Hi, I think that you are going to have to give us some more info here,
>>> smb.conf etc
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>> You posted 'I've setup samba4 to authenticate against a separate LDAP server' yet now you post that your samba4 server is running as an AD DC, I was expecting that you were running samba4 as an NT style PDC.
>>
>> Have you joined the windows machines to your AD DC ??
>>
>> Rowland
>>
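Two of the points in this thread lend themselves to an automated check: Rowland's advice that 'security = ADS' belongs on a client or member server and never on an AD DC (which is itself the authenticator), and the auth.c log lines in the first message, which show the DC rewriting the client-supplied domain [ldapdom] to its own [sambadom] before failing the lookup in samdb with NT_STATUS_NO_SUCH_USER. The Python script below is an added example, not code from the thread or from the Samba project. The smb.conf texts and the log excerpt are constructed samples modelled on what was posted, the parser is a deliberate simplification (testparm remains the authoritative smb.conf checker), and the regular expressions assume the auth.c message layout shown in the quoted lines.

```python
import re

# Constructed samples (not the poster's exact file): DC_CONF_OK mirrors the AD DC
# smb.conf posted in the thread, DC_CONF_BROKEN adds the 'security = ADS' line the
# poster tried, MEMBER_CONF is a member-server config where that line belongs.
DC_CONF_OK = """
[global]
        workgroup = BME
        realm = DOMAIN.EDU
        netbios name = BEANBAG
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
"""
DC_CONF_BROKEN = DC_CONF_OK.replace(
    "netbios name = BEANBAG", "netbios name = BEANBAG\n        security = ADS")
MEMBER_CONF = """
[global]
        workgroup = BME
        realm = DOMAIN.EDU
        security = ADS
        server role = member server
"""

# Constructed log excerpt modelled on the two auth.c lines quoted in the thread.
AUTH_LOG = r"""
[2014/07/18 06:46:28.177400,  3] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)     auth_check_password_send: Checking password for unmapped user [ldapdom]\[user]@[win7host]    auth_check_password_send: mapped user is: [sambadom]\[user]@[win7host]
[2014/07/18 06:46:28.178184,  2] ../source4/auth/ntlm/auth.c:420(auth_check_password_recv)      auth_check_password_recv: sam_ignoredomain authentication for user [sambadom\user]    FAILED with error NT_STATUS_NO_SUCH_USER
"""


def parse_smb_conf(text):
    """Minimal smb.conf parser: returns {section: {key: value}} with lower-cased
    section and key names. Comment lines (# or ;) and blank lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def check_role_consistency(conf):
    """Return findings for [global] settings that conflict with 'server role'.
    Encodes the thread's advice: an AD DC authenticates clients itself, so
    'security = ADS' (which makes Samba authenticate *to* a DC) is wrong there."""
    g = conf.get("global", {})
    role = g.get("server role", "auto").lower()
    security = g.get("security", "").lower()
    findings = []
    if role == "active directory domain controller":
        if security == "ads":
            findings.append("'security = ADS' is set on an AD DC; it belongs only "
                            "on a client or member server")
        if not g.get("realm"):
            findings.append("AD DC has no 'realm'")
    elif security == "ads" and not g.get("realm"):
        findings.append("'security = ADS' requires 'realm'")
    return findings


# First line: "unmapped user [DOM]\[user]@[host] ... mapped user is: [DOM2]\["
UNMAPPED_RE = re.compile(
    r"unmapped user \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\].*?mapped user is: \[([^\]]*)\]\\\[")
# Second line: "authentication for user [DOM\user]    FAILED with error NT_STATUS_X"
FAILED_RE = re.compile(
    r"authentication for user \[([^\]\\]*)\\([^\]]*)\]\s+FAILED with error (NT_STATUS_\w+)")


def triage_auth_log(text):
    """Pair each 'unmapped -> mapped' line with the FAILED line that follows it and
    report logons whose client-supplied domain was rewritten to the DC's domain."""
    mapping, events = {}, []
    for line in text.splitlines():
        m = UNMAPPED_RE.search(line)
        if m:
            client_dom, user, host, mapped_dom = m.groups()
            mapping[(mapped_dom.lower(), user.lower())] = (client_dom, host)
            continue
        m = FAILED_RE.search(line)
        if m:
            dom, user, status = m.groups()
            client_dom, host = mapping.get((dom.lower(), user.lower()), (None, None))
            events.append({"user": user, "supplied_domain": client_dom,
                           "mapped_domain": dom, "host": host, "status": status,
                           "domain_rewritten": client_dom is not None
                           and client_dom.lower() != dom.lower()})
    return events


if __name__ == "__main__":
    for name, text in (("DC ok", DC_CONF_OK), ("DC broken", DC_CONF_BROKEN),
                       ("member", MEMBER_CONF)):
        print(name, check_role_consistency(parse_smb_conf(text)) or "no findings")
    for ev in triage_auth_log(AUTH_LOG):
        print(ev)
```

Run against the constructed samples, the broken DC config yields exactly one finding and the log triage yields one event in which the supplied domain (ldapdom) differs from the mapped one (sambadom); that rewritten-domain flag is the signal that the client is presenting credentials from a domain the DC does not hold, which is the situation the thread ends up diagnosing.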