[Samba] Samba and LDAP authentication backend

srtt.be - Michel Lombart subs at srtt.be
Fri Sep 12 01:52:34 MDT 2014


Thanks for your fast reply Karel, and thanks to Rowland as well.

I do not have any PDC in that network, nor any domain. Everything 
follows the workgroup model.

And yes, net getdomainsid on both servers gives the same ... nothing!

SID for local machine oldone is: S-1-5-21-3641741432-4083152458-129815128
Could not fetch domain SID


SID for local machine newone is: S-1-5-21-2324203820-3887545065-2044117837
Could not fetch domain SID

Both SIDs are also in the LDAP under a sambaDomainName object, and I 
noticed that a sambaDomainName=WORKGROUP has the same SID as the old 
server. They were created when the server tried to connect to the LDAP 
for the first time.

Both config files are identical, except for the server names and share 
definitions. Here is the global section:

[global]
         log file = /var/log/samba/log.%m
         passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
         obey pam restrictions = yes
         posix locking = no
         dns proxy = no
         force group = nogroup
         encrypt passwords = true
         passdb backend = ldapsam:ldap://172.20.0.150
         passwd program = /usr/bin/passwd %u
         ldap ssl = off
         ldap user suffix = ou=users
         ldap machine suffix = ou=machines
         ldap group suffix = ou=groups
         netbios name = serverName
         server string = serverName
         ldap passwd sync = yes
         ldap suffix = dc=domain,dc=be
         workgroup = WORKGROUP
         os level = 20
         force user = nobody
         ldap admin dn = "cn=admin,dc=domain,dc=be"
         security = user
         syslog = 0
         panic action = /usr/share/samba/panic-action %d
         max log size = 1000
         pam password change = yes

Thanks for your help.

Michel

On 11/09/2014 17:26, Karel Lang AFD wrote:
> Hi,
> you want to add it for what purpose?
>
> Like a BDC to your existing PDC? If so, I think the domain SID of PDC and
> BDC should be the same.
>
> Rowland from the list pointed out to me not so long ago the difference between:
> net getlocalsid
> and
> net getdomainsid
>
> I think the 'net getdomainsid' should be the same on both servers.
> Can you check it out?
>
> cheers,
>
> On 09/11/2014 04:42 PM, srtt.be - Michel Lombart wrote:
>> Hello,
>>
>> I'm facing a weird problem and I really do not know where I can find how
>> to debug it.
>>
>> For some years, we have had a LDAP server ( Debian 6 and OpenLDAP 2.4.23 )
>> and a Samba server ( Debian 6 and Samba 3.5.6 ). They work perfectly well
>> in a workgroup. The LDAP server is also used for some other applications
>> like Squid, Zimbra, ...
>>
>> Now, we would like to add a second Samba server ( Debian 7 and Samba 3.6.6 ).
>> After having set up the server as I did for the other one, any login is
>> allowed for LDAP users.
>>
>> On the console, getent passwd works perfectly, but the users list in the
>> Samba module of Webmin is empty while the group list is correct! Both
>> are correct in the older Samba.
>>
>> In Samba's log, I see errors like:
>>
>> The primary group domain sid(S-.... ) does not match the domain
>> sid(S-... ) for username(S-...)
>>
>> and:
>>
>> [2014/09/11 15:07:29.548824,  2] auth/auth.c:319(check_ntlm_password)
>>    check_ntlm_password:  Authentication for user [username] ->
>> [username] FAILED with error NT_STATUS_UNSUCCESSFUL
>>
>> Where can I find more debugging info? Do you have any idea what I'm
>> missing?
>>
>> Thanks for your help.
>>
>> Michel
>
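
The symptom in this thread (a "primary group domain sid does not match the domain sid" log line, and two sambaDomainName objects in the directory carrying two different SIDs) comes down to one consistency rule in a Samba 3 ldapsam setup: the machine SID that `net getlocalsid` prints, the sambaSID of the sambaDomainName entry Samba reads for its workgroup, and the domain part of every user's sambaSID and sambaPrimaryGroupSID must all be the same. The script below is an added example written for this page, not code from the thread or from the Samba project. It parses LDIF text and checks that rule offline; the LDIF is constructed inline from the two SIDs Michel posted (on a live server it would come from an ldapsearch against the sambaDomain objects), and the attribute names are the standard samba.schema ones.

```sh
#!/bin/sh
# Added example, not from the thread: check that the SIDs in a Samba 3 ldapsam
# directory line up with the local machine SID reported by `net getlocalsid`.
# Attribute names (sambaDomainName, sambaSID, sambaPrimaryGroupSID) are the
# standard samba.schema ones. The LDIF below is constructed from the two SIDs
# posted in the thread so the script runs offline; on a real server it would
# come from something like:
#   ldapsearch -x -LLL -b dc=domain,dc=be '(objectClass=sambaDomain)' \
#       sambaDomainName sambaSID

OLD_SID='S-1-5-21-3641741432-4083152458-129815128'
NEW_SID='S-1-5-21-2324203820-3887545065-2044117837'

# Constructed LDIF: two sambaDomainName entries, as described in the thread.
SAMPLE_LDIF="dn: sambaDomainName=WORKGROUP,dc=domain,dc=be
sambaDomainName: WORKGROUP
sambaSID: $OLD_SID

dn: sambaDomainName=NEWONE,dc=domain,dc=be
sambaDomainName: NEWONE
sambaSID: $NEW_SID
"

# S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c (drop the trailing RID)
sid_domain_part() {
    printf '%s\n' "$1" | sed 's/-[0-9][0-9]*$//'
}

# Print the sambaSID of the sambaDomainName entry called $2 in LDIF text $1.
# Entries are separated by blank lines; the last one may lack a terminator.
ldif_domain_sid() {
    printf '%s\n' "$1" | awk -v want="$2" '
        function flush() {
            if (name == want && sid != "") print sid
            name = ""; sid = ""
        }
        /^sambaDomainName: / { name = $2 }
        /^sambaSID: /        { sid = $2 }
        /^$/                 { flush() }
        END                  { flush() }
    '
}

# Return 0 when the LDAP domain SID equals the local machine SID and both the
# user SID and the primary group SID sit under it, 1 otherwise. The primary
# group comparison is the one the quoted Samba log line reports as failing.
check_sid_consistency() {
    local_sid=$1 ldap_domain_sid=$2 user_sid=$3 pgroup_sid=$4
    status=0
    if [ "$ldap_domain_sid" != "$local_sid" ]; then
        echo "sambaDomainName SID $ldap_domain_sid differs from local SID $local_sid"
        status=1
    fi
    if [ "$(sid_domain_part "$user_sid")" != "$local_sid" ]; then
        echo "user SID $user_sid is not under $local_sid"
        status=1
    fi
    if [ "$(sid_domain_part "$pgroup_sid")" != "$local_sid" ]; then
        echo "primary group SID $pgroup_sid is not under $local_sid"
        status=1
    fi
    return $status
}

# Worked case: both servers checked against the WORKGROUP entry, assuming the
# LDAP users were created under the old server's SID prefix (RIDs 1000 and
# 513 are constructed sample values). The old server passes, the new one does
# not, which is the mismatch the thread describes.
ws_sid=$(ldif_domain_sid "$SAMPLE_LDIF" WORKGROUP)
for server_sid in "$OLD_SID" "$NEW_SID"; do
    if check_sid_consistency "$server_sid" "$ws_sid" "$OLD_SID-1000" "$OLD_SID-513" >/dev/null; then
        echo "$server_sid: consistent with LDAP"
    else
        echo "$server_sid: MISMATCH"
    fi
done
```

The check deliberately compares the LDAP domain SID with the local SID by exact string equality and the user and group SIDs by prefix only, because a domain SID has no RID while account SIDs do; a script that strips one component from every value would report a false match on the domain entry.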

