[Samba] Samba and LDAP authentication backend

Karel Lang AFD lang at afd.cz
Fri Sep 12 02:25:44 MDT 2014


Hi,
I'm not quite familiar with your scenario (never tried it out myself), 
so someone with more years of Samba wrestling might step in :]

That being said, what I'd do:

- as you said, getent returns the IDs as stated in your LDAP backend - good, 
but what about the Samba side, because 'getent passwd' will query the posix 
part of the LDAP user entry (and of course the /etc/passwd file, depending on 
what is stated in /etc/nsswitch.conf and in what order)

- what about pdbedit? try:
'pdbedit -Lv | grep -A15 username' on both servers to query the user's Samba 
information from LDAP

- what does 'ldapsearch' say on both servers? I'd try to use ldapsearch 
to see both the posix and the samba information from LDAP on both servers

- also you said in the samba logs you see complaints about a group SID .. what 
is your unix <-> windows group mapping on both servers? what does 'net groupmap 
list' return on both servers?

- as I said - in this scenario I'm not sure about things - but a question 
for someone else - shouldn't the Samba local SID be the same on both servers 
too?

- how about turning the first server into a PDC and the second into a BDC? even if 
you do, it doesn't mean that you'll have to add the windows clients to the 
domain, they can happily sit in a workgroup untouched, but your 
authentication process would get clearer ..

happy hunting :]



On 09/12/2014 09:52 AM, srtt.be - Michel Lombart wrote:
> Thanks for your fast reply Karel, and thanks to Rowland as well.
>
> I do not have any PDC in that network, nor any domain. Everything
> follows the workgroup model.
>
> And yes, net getdomainsid on both servers is the same ... nothing!
>
> SID for local machine oldone is: S-1-5-21-3641741432-4083152458-129815128
> Could not fetch domain SID
>
>
> SID for local machine newone is: S-1-5-21-2324203820-3887545065-2044117837
> Could not fetch domain SID
>
> Both SIDs are also in the LDAP under an object sambaDomainName, and I
> noticed that sambaDomainName=WORKGROUP has the same SID as the old
> server. They appeared when each server connected to the LDAP for the
> first time.
>
> Both config files are identical, except for the server names and the
> share definitions. Here is the global section:
>
> [global]
>          log file = /var/log/samba/log.%m
>          passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>          obey pam restrictions = yes
>          posix locking = no
>          dns proxy = no
>          force group = nogroup
>          encrypt passwords = true
>          passdb backend = ldapsam:ldap://172.20.0.150
>          passwd program = /usr/bin/passwd %u
>          ldap ssl = off
>          ldap user suffix = ou=users
>          ldap machine suffix = ou=machines
>          ldap group suffix = ou=groups
>          netbios name = serverName
>          server string = serverName
>          ldap passwd sync = yes
>          ldap suffix = dc=domain,dc=be
>          workgroup = WORKGROUP
>          os level = 20
>          force user = nobody
>          ldap admin dn = "cn=admin,dc=domain,dc=be"
>          security = user
>          syslog = 0
>          panic action = /usr/share/samba/panic-action %d
>          max log size = 1000
>          pam password change = yes
>
> Thanks for your help.
>
> Michel
>
> On 11/09/2014 17:26, Karel Lang AFD wrote:
>> Hi,
>> for what purpose do you want to add it?
>>
>> Like a BDC to your existing PDC? If so, I think the domain SID of the PDC and
>> the BDC should be the same.
>>
>> Rowland from the list pointed out to me not so long ago the difference between:
>> net getlocalsid
>> and
>> net getdomainsid
>>
>> I think 'net getdomainsid' should be the same on both servers.
>> Can you check it out?
>>
>> cheers,
>>
>> On 09/11/2014 04:42 PM, srtt.be - Michel Lombart wrote:
>>> Hello,
>>>
>>> I'm facing a weird problem and I really do not know where I can find how
>>> to debug it.
>>>
>>> For some years, we have had an LDAP server ( Debian 6 and OpenLDAP 2.4.23 )
>>> and a Samba server ( Debian 6 and Samba 3.5.6 ). They work perfectly well
>>> in a workgroup. The LDAP server is also used for some other applications
>>> like Squid, Zimbra, ...
>>>
>>> Now, we would like to add a second Samba server ( Debian 7 and Samba 3.6.6 ).
>>> After having set up the server as I did for the other one, any login is
>>> allowed for LDAP users.
>>>
>>> On the console, getent passwd works perfectly, but the user list in the
>>> Samba module of Webmin is empty while the group list is correct! Both
>>> are correct on the older Samba.
>>>
>>> In Samba's log, I see errors like :
>>>
>>> The primary group domain sid(S-.... ) does not match the domain
>>> sid(S-... ) for username(S-...)
>>>
>>> and :
>>>
>>> [2014/09/11 15:07:29.548824,  2] auth/auth.c:319(check_ntlm_password)
>>>    check_ntlm_password:  Authentication for user [username] ->
>>> [username] FAILED with error NT_STATUS_UNSUCCESSFUL
>>>
>>> Where can I find more debugging info? Do you have any idea of what I'm
>>> missing?
>>>
>>> Thanks for your help.
>>>
>>> Michel
>>

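The "primary group domain sid(...) does not match the domain sid(...)" error from the thread comes from Samba comparing the domain part (everything before the final RID) of the sambaSID / sambaPrimaryGroupSID stored on the LDAP object with the server's own domain SID, which in a workgroup setup is the local SID shown by 'net getlocalsid'. Since both servers read the same ldapsam backend, every object in it carries the SID prefix of whichever server created it. The script below is an added example (not code from the thread or from the Samba project) that performs that comparison for the two local SIDs quoted in the thread; the user entry, the uid/gid values and the ldapsearch-style LDIF are constructed for illustration:

```shell
#!/bin/sh
# Added example: check whether the SIDs stored on an LDAP user entry belong
# to a given server's local (domain) SID. The two local SIDs are the ones
# quoted in the thread; the LDIF below is a constructed stand-in for
# 'ldapsearch -LLL ... uid=jdoe sambaSID sambaPrimaryGroupSID' output.

# Strip the trailing RID: S-1-5-21-A-B-C-RID -> S-1-5-21-A-B-C
sid_domain_part() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# $1 = object SID from LDAP, $2 = a server's local SID (from 'net getlocalsid').
# Prints "match" when the object belongs to that server's domain SID, else "mismatch".
sid_belongs_to() {
    if [ "$(sid_domain_part "$1")" = "$2" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Local SIDs of the two servers, as quoted in the thread.
OLD_SID='S-1-5-21-3641741432-4083152458-129815128'
NEW_SID='S-1-5-21-2324203820-3887545065-2044117837'

# Constructed LDIF for one user created while the old server was the only
# Samba server, so its SIDs carry the old server's prefix. Attribute names
# are the real Samba schema names; the values are invented.
LDAP_USER='dn: uid=jdoe,ou=users,dc=domain,dc=be
uid: jdoe
uidNumber: 10001
gidNumber: 513
sambaSID: S-1-5-21-3641741432-4083152458-129815128-21002
sambaPrimaryGroupSID: S-1-5-21-3641741432-4083152458-129815128-513'

# $1 = attribute name, $2 = LDIF text; prints the attribute's value.
ldap_attr() {
    printf '%s\n' "$2" | sed -n "s/^$1: //p"
}

# $1 = server label, $2 = that server's local SID. One summary line per server.
report() {
    server="$1"
    local_sid="$2"
    user_sid=$(ldap_attr sambaSID "$LDAP_USER")
    pgroup_sid=$(ldap_attr sambaPrimaryGroupSID "$LDAP_USER")
    printf '%s: user %s, primary group %s\n' "$server" \
        "$(sid_belongs_to "$user_sid" "$local_sid")" \
        "$(sid_belongs_to "$pgroup_sid" "$local_sid")"
}

report oldone "$OLD_SID"   # oldone: user match, primary group match
report newone "$NEW_SID"   # newone: user mismatch, primary group mismatch
```

On a real system, replace the LDIF text with the output of ldapsearch against the backend and the two SID constants with what 'net getlocalsid' prints on each server. A "mismatch" on the second server for objects that are fine on the first is exactly the situation the thread's log lines describe: two servers sharing one ldapsam backend have to use the same local SID (Samba's 'net setlocalsid' sets it), and the sambaDomainName=WORKGROUP entry in LDAP must carry that same SID.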

