[Samba] Samba and LDAP authentication backend

srtt.be - Michel Lombart subs at srtt.be
Fri Sep 12 08:37:57 MDT 2014


Thanks for your reply Karel,

Indeed, we will build a solution based on a PDC and a BDC. More logical 
and robust, I think.

Best regards

On 12/09/2014 15:48, Karel Lang AFD wrote:
> Thanks for the clarification,
> I was interested in grasping it too.
>
> It is as I was afraid: PDC+BDC as the only logical solution, or awkwardly
> replicating (?) user authentication data between 2 LDAP servers? Sounds not
> as easy a setup as a classic Domain Controller.
>
> On 09/12/2014 10:44 AM, Rowland Penny wrote:
>> On 12/09/14 08:52, srtt.be - Michel Lombart wrote:
>>> Thanks for your fast reply Karel and thanks to Rowland as well.
>>>
>>> I do not have any PDC in that network, nor any domain. Everything
>>> follows the workgroup model.
>>>
>>> And yes, net getdomainsid on both servers gives the same ... nothing!
>>>
>>> SID for local machine oldone is:
>>> S-1-5-21-3641741432-4083152458-129815128
>>> Could not fetch domain SID
>>>
>>>
>>> SID for local machine newone is:
>>> S-1-5-21-2324203820-3887545065-2044117837
>>> Could not fetch domain SID
>>>
>>> Both SIDs are also in the LDAP under a sambaDomainName object, and I
>>> noticed that sambaDomainName=WORKGROUP has the same SID as the old
>>> server. They were created when the server connected to the LDAP for
>>> the first time.
>>>
>>> Both config files are identical, except for the server names and the
>>> share definitions. Here is the global section:
>>>
>>> [global]
>>>         log file = /var/log/samba/log.%m
>>>         passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>>         obey pam restrictions = yes
>>>         posix locking = no
>>>         dns proxy = no
>>>         force group = nogroup
>>>         encrypt passwords = true
>>>         passdb backend = ldapsam:ldap://172.20.0.150
>>>         passwd program = /usr/bin/passwd %u
>>>         ldap ssl = off
>>>         ldap user suffix = ou=users
>>>         ldap machine suffix = ou=machines
>>>         ldap group suffix = ou=groups
>>>         netbios name = serverName
>>>         server string = serverName
>>>         ldap passwd sync = yes
>>>         ldap suffix = dc=domain,dc=be
>>>         workgroup = WORKGROUP
>>>         os level = 20
>>>         force user = nobody
>>>         ldap admin dn = "cn=admin,dc=domain,dc=be"
>>>         security = user
>>>         syslog = 0
>>>         panic action = /usr/share/samba/panic-action %d
>>>         max log size = 1000
>>>         pam password change = yes
>>>
>>> Thanks for your help.
>>>
>>> Michel
>>>
>>> On 11/09/2014 17:26, Karel Lang AFD wrote:
>>>> Hi,
>>>> do you want to add it for what purpose?
>>>>
>>>> Like a BDC to your existing PDC? If so, I think the domain SID of the PDC
>>>> and BDC should be the same.
>>>>
>>>> Rowland from the list pointed out to me not so long ago the difference between:
>>>> net getlocalsid
>>>> and
>>>> net getdomainsid
>>>>
>>>> I think 'net getdomainsid' should be the same on both servers.
>>>> Can you check it out?
>>>>
>>>> cheers,
>>>>
>>>> On 09/11/2014 04:42 PM, srtt.be - Michel Lombart wrote:
>>>>> Hello,
>>>>>
>>>>> I'm facing a weird problem and I really do not know where I can find
>>>>> out how to debug it.
>>>>>
>>>>> For some years, we have had an LDAP server ( Debian 6 and OpenLDAP
>>>>> 2.4.23 ) and a Samba server ( Debian 6 and Samba 3.5.6 ). They work
>>>>> perfectly well in a workgroup. The LDAP server is also used for some
>>>>> other applications like Squid, Zimbra, ...
>>>>>
>>>>> Now, we would like to add a second Samba server ( Debian 7 and Samba
>>>>> 3.6.6 ). After having set up the server as I did for the other one,
>>>>> any login is allowed for LDAP users.
>>>>>
>>>>> On the console, getent passwd works perfectly, but the users list in
>>>>> the Samba module of Webmin is empty while the group list is correct!
>>>>> Both are correct in the older Samba.
>>>>>
>>>>> In Samba's log, I see errors like :
>>>>>
>>>>> The primary group domain sid(S-.... ) does not match the domain
>>>>> sid(S-... ) for username(S-...)
>>>>>
>>>>> and :
>>>>>
>>>>> [2014/09/11 15:07:29.548824,  2] auth/auth.c:319(check_ntlm_password)
>>>>>    check_ntlm_password:  Authentication for user [username] ->
>>>>> [username] FAILED with error NT_STATUS_UNSUCCESSFUL
>>>>>
>>>>> Where can I find more debugging info? Do you have any idea what I'm
>>>>> missing?
>>>>>
>>>>> Thanks for your help.
>>>>>
>>>>> Michel
>>>>
>> Well, of course the SIDs are different; in this instance the samba
>> machines are acting as if they are standalone Windows machines, and if
>> you went to two standalone Windows machines you would get the same
>> results.
>>
>> In a workgroup, you need to create the users on every machine with the
>> same passwords, and the Linux machines need to sync the passwords with
>> the users stored in LDAP. If you do move to running an NT4 domain, you
>> will still have the same problem: you will still need local Unix users,
>> whereas with an AD domain you only need users stored in AD.
>>
>> If you do want to go down the path of one LDAP server, then you have no
>> option other than to set up an NT4 domain (PDC) and set the second
>> machine up as a BDC.
>>
>> Rowland
>>
>
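Added example (not part of the thread, not Samba's code): a small Python check that reproduces the diagnosis Rowland gives above from the evidence Michel posted. It parses the `[global]` section, reads the output of `net getlocalsid` / `net getdomainsid`, and flags two standalone hosts (no domain SID, different local SIDs) sharing one `ldapsam:` backend; it also maps the two SIDs in a "primary group domain sid ... does not match the domain sid" log line back to the host that issued each. The host names `oldone`/`newone` and the SIDs are the ones in the thread; the log line's full SIDs and RIDs are constructed, since the thread elided them.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the [global] section quoted in the thread, cut
# down to the keys this check needs, for the two hosts "oldone"/"newone".
SMB_CONF_TEMPLATE = """[global]
        passdb backend = ldapsam:ldap://172.20.0.150
        ldap suffix = dc=domain,dc=be
        netbios name = {name}
        workgroup = WORKGROUP
        security = user
"""

# Constructed sample input: `net getlocalsid` followed by `net getdomainsid`,
# with the SIDs and the "Could not fetch domain SID" result from the thread.
NET_OUTPUT = {
    "oldone": "SID for local machine oldone is: "
              "S-1-5-21-3641741432-4083152458-129815128\n"
              "Could not fetch domain SID\n",
    "newone": "SID for local machine newone is: "
              "S-1-5-21-2324203820-3887545065-2044117837\n"
              "Could not fetch domain SID\n",
}

# Constructed sample log line in the shape quoted in the thread. The thread
# elided the SIDs; these reuse oldone's SID with made-up RIDs 513 and 1000.
LOG_LINE = (
    "The primary group domain sid(S-1-5-21-3641741432-4083152458-129815128-513)"
    " does not match the domain sid(S-1-5-21-2324203820-3887545065-2044117837)"
    " for username(S-1-5-21-3641741432-4083152458-129815128-1000)"
)

SID_RE = re.compile(r"S-1-5-21(?:-\d+){3,4}")
MISMATCH_RE = re.compile(
    r"primary group domain sid\((S-[\d-]+)\) does not match the domain sid\((S-[\d-]+)\)"
)

def parse_global(text: str) -> Dict[str, str]:
    """Return the 'key = value' pairs of the [global] section of an smb.conf."""
    params: Dict[str, str] = {}
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params

def parse_net_sids(output: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (local SID, domain SID); the domain SID is None when net
    printed 'Could not fetch domain SID', i.e. the host is standalone."""
    local = domain = None
    for line in output.splitlines():
        m = SID_RE.search(line)
        if m and line.startswith("SID for local machine"):
            local = m.group(0)
        elif m and line.startswith("SID for domain"):
            domain = m.group(0)
    return local, domain

def domain_part(sid: str) -> str:
    """Drop the trailing RID: S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c."""
    return "-".join(sid.split("-")[:7])

def diagnose(servers: Dict[str, Tuple[str, str]]) -> List[str]:
    """servers maps NetBIOS name -> (smb.conf text, net output).
    Returns findings; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    backends = {parse_global(conf).get("passdb backend") for conf, _ in servers.values()}
    backend = next(iter(backends)) if len(backends) == 1 else None
    if len(servers) < 2 or not backend or not backend.startswith("ldapsam:"):
        return findings  # not the shared-ldapsam situation this check targets
    sids = {name: parse_net_sids(out) for name, (_, out) in servers.items()}
    standalone = sorted(n for n, (_, dom) in sids.items() if dom is None)
    if standalone:
        findings.append("no domain SID on %s: standalone hosts, not domain members"
                        % ", ".join(standalone))
    local_sids = {loc for loc, _ in sids.values() if loc}
    if len(local_sids) > 1:
        findings.append("%d distinct local SIDs share one ldapsam backend: sambaSID "
                        "values written by one host are foreign to the other"
                        % len(local_sids))
    return findings

def explain_log_line(line: str, servers: Dict[str, Tuple[str, str]]) -> Optional[str]:
    """Attribute the two SIDs in a 'does not match the domain sid' log line to
    the hosts that own them. Returns None for any other log line."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    owner = {parse_net_sids(out)[0]: name for name, (_, out) in servers.items()}
    issued_by = owner.get(domain_part(m.group(1)), "unknown")
    rejected_by = owner.get(m.group(2), "unknown")
    return "group SID issued by %s, rejected by %s" % (issued_by, rejected_by)

SERVERS = {n: (SMB_CONF_TEMPLATE.format(name=n), NET_OUTPUT[n]) for n in ("oldone", "newone")}

if __name__ == "__main__":
    for finding in diagnose(SERVERS):
        print("-", finding)
    print(explain_log_line(LOG_LINE, SERVERS))
```

On the thread's data this reports both findings and attributes the log line's group SID to oldone and the rejecting domain SID to newone, which is exactly the "two standalone machines, one LDAP store" picture Rowland describes; once both hosts are PDC/BDC of one domain, `net getdomainsid` returns the same SID on each and both findings disappear.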

