[Samba] Samba and LDAP authentication backend
srtt.be - Michel Lombart
subs at srtt.be
Fri Sep 12 01:52:34 MDT 2014
Thanks for your fast reply, Karel, and thanks to Rowland as well.
I do not have any PDC in that network and any domain neither. All
follows the workgroup model.
And yes, net getdomainsid in both servers are the same ... nothing !
SID for local machine oldone is: S-1-5-21-3641741432-4083152458-129815128
Could not fetch domain SID
SID for local machine newone is: S-1-5-21-2324203820-3887545065-2044117837
Could not fetch domain SID
Both SIDs are also in the LDAP under an object sambaDomainName, and I
noticed that a SambaDomainName=WORKGROUP has the same SID as the old
server. They came when the server tried to connect the first time to the
LDAP.
Both config files are identical, server names and share definitions
excepted. Here is the global section:
[global]
log file = /var/log/samba/log.%m
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
obey pam restrictions = yes
posix locking = no
dns proxy = no
force group = nogroup
encrypt passwords = true
passdb backend = ldapsam:ldap://172.20.0.150
passwd program = /usr/bin/passwd %u
ldap ssl = off
ldap user suffix = ou=users
ldap machine suffix = ou=machines
ldap group suffix = ou=groups
netbios name = serverName
server string = serverName
ldap passwd sync = yes
ldap suffix = dc=domain,dc=be
workgroup = WORKGROUP
os level = 20
force user = nobody
ldap admin dn = "cn=admin,dc=domain,dc=be"
security = user
syslog = 0
panic action = /usr/share/samba/panic-action %d
max log size = 1000
pam password change = yes
Thanks for your help.
Michel
On 11/09/2014 17:26, Karel Lang AFD wrote:
> Hi,
> for what purpose do you want to add it?
>
> Like a BDC to your existing PDC? If so, I think the domain SID of the PDC and
> BDC should be the same.
>
> Rowland from the list pointed out to me not so long ago the difference between:
> net getlocalsid
> and
> net getdomainsid
>
> I think the 'net getdomainsid' should be same on both servers.
> Can you check it out?
>
> cheers,
>
> On 09/11/2014 04:42 PM, srtt.be - Michel Lombart wrote:
>> Hello,
>>
>> I'm facing a weird problem and I really do not know where I can find how
>> to debug it.
>>
>> For some years, we have had an LDAP server ( Debian 6 and OpenLDAP 2.4.23 )
>> and a Samba server ( Debian 6 and Samba 3.5.6 ). They work perfectly well
>> in a workgroup. The LDAP server is also used for some other applications
>> like Squid, Zimbra, ...
>>
>> Now, we would like to add a second Samba server ( Debian 7 and Samba 3.6.6 ).
>> After having set up the server as I did for the other one, any login is
>> allowed for LDAP users.
>>
>> On the console, getenv passwd works perfectly, but the users list in the
>> Samba module of Webmin is empty while the group list is correct ! Both
>> are correct in the older Samba.
>>
>> In Samba's log, I see errors like :
>>
>> The primary group domain sid(S-.... ) does not match the domain
>> sid(S-... ) for username(S-...)
>>
>> and :
>>
>> [2014/09/11 15:07:29.548824, 2] auth/auth.c:319(check_ntlm_password)
>> check_ntlm_password: Authentication for user [username] ->
>> [username] FAILED with error NT_STATUS_UNSUCCESSFUL
>>
>> Where can I find more debugging info? Do you have any idea of what I'm
>> missing?
>>
>> Thanks for your help.
>>
>> Michel
>
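The SID mismatch reported in the log lines of this thread, as an added example that is not part of the original posts and not Samba's own code: it splits each account SID into its domain part and RID and lists the entries whose domain part differs from a given server's SID. It assumes the check compares the LDAP attributes sambaSID and sambaPrimaryGroupSID against the server's SID; the two server SIDs are taken from the post, while the uids and RIDs are constructed.

```python
# Added example: compare the domain part of LDAP Samba SIDs with a server's SID.
OLD_SID = "S-1-5-21-3641741432-4083152458-129815128"   # "oldone", from the post
NEW_SID = "S-1-5-21-2324203820-3887545065-2044117837"  # "newone", from the post

# Constructed sample entries (uids and RIDs are made up for illustration).
ENTRIES = [
    {"uid": "alice", "sambaSID": OLD_SID + "-3000", "sambaPrimaryGroupSID": OLD_SID + "-513"},
    {"uid": "bob", "sambaSID": NEW_SID + "-3002", "sambaPrimaryGroupSID": OLD_SID + "-513"},
    {"uid": "carol", "sambaSID": "S-1-5-21-bad", "sambaPrimaryGroupSID": NEW_SID + "-513"},
]


def split_sid(sid):
    """Return (domain_sid, rid) for an S-1-5-21-a-b-c-rid SID, else raise ValueError."""
    parts = sid.strip().split("-")
    well_formed = (
        len(parts) == 8
        and parts[:4] == ["S", "1", "5", "21"]
        and all(p.isdigit() for p in parts[4:])
    )
    if not well_formed:
        raise ValueError("not a domain-relative SID: %r" % sid)
    return "-".join(parts[:7]), int(parts[7])


def check_entries(entries, server_sid):
    """List (uid, attribute, problem) for every SID that does not belong to server_sid."""
    findings = []
    for entry in entries:
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            try:
                domain, _rid = split_sid(entry[attr])
            except (KeyError, ValueError):
                # Attribute absent or not in S-1-5-21-...-RID form.
                findings.append((entry.get("uid"), attr, "missing or malformed"))
                continue
            if domain != server_sid:
                findings.append((entry.get("uid"), attr, "domain part is " + domain))
    return findings


if __name__ == "__main__":
    for name, sid in (("oldone", OLD_SID), ("newone", NEW_SID)):
        print("checked against", name, sid)
        for finding in check_entries(ENTRIES, sid):
            print("  ", *finding)
```
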