[Samba] Samba and LDAP authentication backend

Karel Lang AFD lang at afd.cz
Fri Sep 12 07:48:51 MDT 2014


Thanks for the clarification,
I was interested in grasping it too.

It is as I was afraid: PDC+BDC is the only logical solution, or awkward 
replicating of user authentication data between 2 LDAP servers? That does 
not sound as easy a setup as a classic Domain Controller.

On 09/12/2014 10:44 AM, Rowland Penny wrote:
> On 12/09/14 08:52, srtt.be - Michel Lombart wrote:
>> Thanks for your fast reply Karel and thanks to Rowland as well.
>>
>> I do not have any PDC in that network and any domain neither. All
>> follows the workgroup model.
>>
>> And yes, net getdomainsid in both servers are the same ... nothing !
>>
>> SID for local machine oldone is: S-1-5-21-3641741432-4083152458-129815128
>> Could not fetch domain SID
>>
>>
>> SID for local machine newone is:
>> S-1-5-21-2324203820-3887545065-2044117837
>> Could not fetch domain SID
>>
>> Both SID are also in the LDAP under an object sambaDomainName and I
>> noticed that a SambaDomainName=WORKGROUP as the same SID as the old
>> server. They came when the server tried to connect the first time at
>> the LDAP.
>>
>> Both config files are identical, server names shares definition
>> excepted. Here are the global section :
>>
>> [global]
>>         log file = /var/log/samba/log.%m
>>         passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>         obey pam restrictions = yes
>>         posix locking = no
>>         dns proxy = no
>>         force group = nogroup
>>         encrypt passwords = true
>>         passdb backend = ldapsam:ldap://172.20.0.150
>>         passwd program = /usr/bin/passwd %u
>>         ldap ssl = off
>>         ldap user suffix = ou=users
>>         ldap machine suffix = ou=machines
>>         ldap group suffix = ou=groups
>>         netbios name = serverName
>>         server string = serverName
>>         ldap passwd sync = yes
>>         ldap suffix = dc=domain,dc=be
>>         workgroup = WORKGROUP
>>         os level = 20
>>         force user = nobody
>>         ldap admin dn = "cn=admin,dc=domain,dc=be"
>>         security = user
>>         syslog = 0
>>         panic action = /usr/share/samba/panic-action %d
>>         max log size = 1000
>>         pam password change = yes
>>
>> Thanks for your help.
>>
>> Michel
>>
>> Le 11/09/2014 17:26, Karel Lang AFD a écrit :
>>> Hi,
>>> do you want it add like for what purpose?
>>>
>>> Like BDC to your existing PDC? If so, I think the domain SID of PDC and
>>> BDC should be same.
>>>
>>> Rowland from list pointed to me not so long ago the difference between:
>>> net getlocalsid
>>> and
>>> net getdomainsid
>>>
>>> I think the 'net getdomainsid' should be same on both servers.
>>> Can you check it out?
>>>
>>> cheers,
>>>
>>> On 09/11/2014 04:42 PM, srtt.be - Michel Lombart wrote:
>>>> Hello,
>>>>
>>>> I'm facing a weird problem and I really do not know where I can find
>>>> how to debug it.
>>>>
>>>> Since some years, we have a LDAP server ( Debian 6 and OpenLDAP 2.4.23 )
>>>> and a Samba server ( Debian 6 and Samba 3.5.6 ). They work perfectly
>>>> well in a workgroup. The LDAP server is also used for some other
>>>> applications like Squid, Zimbra, ...
>>>>
>>>> Now, we would like to add a second Samba server ( Debian 7 and Samba
>>>> 3.6.6 ). After having set up the server as I did for the other one,
>>>> any login is allowed for LDAP users.
>>>>
>>>> On the console, getenv passwd works perfectly, but the users list in
>>>> the Samba module of Webmin is empty while the group list is correct !
>>>> Both are correct in the older Samba.
>>>>
>>>> In Samba's log, I see errors like :
>>>>
>>>> The primary group domain sid(S-.... ) does not match the domain
>>>> sid(S-... ) for username(S-...)
>>>>
>>>> and :
>>>>
>>>> [2014/09/11 15:07:29.548824,  2] auth/auth.c:319(check_ntlm_password)
>>>>    check_ntlm_password:  Authentication for user [username] ->
>>>> [username] FAILED with error NT_STATUS_UNSUCCESSFUL
>>>>
>>>> Where can I find more debugging info ? Do you have any idea of what I'm
>>>> missing ?
>>>>
>>>> Thanks for your help.
>>>>
>>>> Michel
>>>
> Well, of course the SIDs are different; in this instance the Samba
> machines are acting as if they are standalone Windows machines, and if
> you went to two standalone Windows machines you would get the same results.
>
> In a workgroup, you need to create the users on every machine with the
> same passwords, and the linux machines need to sync the passwords with
> users stored in ldap. If you do move to running a NT4 domain, you will
> still have the same problem, you will still need local unix users,
> whereas with an AD domain you only need users stored in AD.
>
> If you do want to go down this path of one ldap server, then you have no
> other option other than to set up a NT4 domain (PDC) and set the second
> machine as a BDC.
>
> Rowland
>