[Samba] Samba and LDAP authentication backend

srtt.be - Michel Lombart subs at srtt.be
Fri Sep 12 08:39:04 MDT 2014


Right, Rowland,

We will set up that solution.

Thanks for your help.

Michel

On 12/09/2014 16:29, Rowland Penny wrote:
> On 12/09/14 14:48, Karel Lang AFD wrote:
>> Thanks for the clarification,
>> I was interested in grasping it too.
>>
>> It is as I was afraid: PDC+BDC as the only logical solution, or awkwardly
>> replicating user authentication data between 2 LDAP servers? Sounds not
>> as easy a setup as a classic Domain Controller.
>
> You can have master & slave ldap servers, never done it myself, but I
> understand it is fairly easy to set up, but you still end up with
> virtually the same problem, the domain SID has to be the same on ALL
> computers and you can only do this by running a domain.
>
> If you are setting up a new domain, you might as well jump over the NT4
> style domain and go direct to an AD DC domain, in the end this will
> probably be easier to set up.
>
> Rowland
>
>>
>> On 09/12/2014 10:44 AM, Rowland Penny wrote:
>>> On 12/09/14 08:52, srtt.be - Michel Lombart wrote:
>>>> Thanks for your fast reply Karel, and thanks to Rowland as well.
>>>>
>>>> I do not have any PDC in that network and any domain neither. All
>>>> follows the workgroup model.
>>>>
>>>> And yes, net getdomainsid on both servers is the same ... nothing!
>>>>
>>>> SID for local machine oldone is:
>>>> S-1-5-21-3641741432-4083152458-129815128
>>>> Could not fetch domain SID
>>>>
>>>>
>>>> SID for local machine newone is:
>>>> S-1-5-21-2324203820-3887545065-2044117837
>>>> Could not fetch domain SID
>>>>
>>>> Both SIDs are also in the LDAP under a sambaDomainName object, and I
>>>> noticed that sambaDomainName=WORKGROUP has the same SID as the old
>>>> server. They appeared when the server tried to connect to the LDAP for
>>>> the first time.
>>>>
>>>> Both config files are identical, except for the server names and the
>>>> share definitions. Here is the global section:
>>>>
>>>> [global]
>>>>         log file = /var/log/samba/log.%m
>>>>         passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>>>         obey pam restrictions = yes
>>>>         posix locking = no
>>>>         dns proxy = no
>>>>         force group = nogroup
>>>>         encrypt passwords = true
>>>>         passdb backend = ldapsam:ldap://172.20.0.150
>>>>         passwd program = /usr/bin/passwd %u
>>>>         ldap ssl = off
>>>>         ldap user suffix = ou=users
>>>>         ldap machine suffix = ou=machines
>>>>         ldap group suffix = ou=groups
>>>>         netbios name = serverName
>>>>         server string = serverName
>>>>         ldap passwd sync = yes
>>>>         ldap suffix = dc=domain,dc=be
>>>>         workgroup = WORKGROUP
>>>>         os level = 20
>>>>         force user = nobody
>>>>         ldap admin dn = "cn=admin,dc=domain,dc=be"
>>>>         security = user
>>>>         syslog = 0
>>>>         panic action = /usr/share/samba/panic-action %d
>>>>         max log size = 1000
>>>>         pam password change = yes
>>>>
>>>> Thanks for your help.
>>>>
>>>> Michel
>>>>
>>>> On 11/09/2014 17:26, Karel Lang AFD wrote:
>>>>> Hi,
>>>>> Do you want to add it for what purpose?
>>>>>
>>>>> Like a BDC to your existing PDC? If so, I think the domain SID of the
>>>>> PDC and BDC should be the same.
>>>>>
>>>>> Rowland from the list pointed out to me not so long ago the difference between:
>>>>> net getlocalsid
>>>>> and
>>>>> net getdomainsid
>>>>>
>>>>> I think the 'net getdomainsid' should be same on both servers.
>>>>> Can you check it out?
>>>>>
>>>>> cheers,
>>>>>
>>>>>
>>>>> On 09/11/2014 04:42 PM, srtt.be - Michel Lombart wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I'm facing a weird problem and I really do not know where I can find
>>>>>> how to debug it.
>>>>>>
>>>>>> For some years, we have had an LDAP server ( Debian 6 and OpenLDAP
>>>>>> 2.4.23 ) and a Samba server ( Debian 6 and Samba 3.5.6 ). They work
>>>>>> perfectly well in a workgroup. The LDAP server is also used for some
>>>>>> other applications like Squid, Zimbra, ...
>>>>>>
>>>>>> Now, we would like to add a second Samba server ( Debian 7 and Samba
>>>>>> 3.6.6 ). After having set up the server as I did for the other one,
>>>>>> any login is allowed for LDAP users.
>>>>>>
>>>>>> On the console, getent passwd works perfectly, but the user list in
>>>>>> the Samba module of Webmin is empty while the group list is correct!
>>>>>> Both are correct in the older Samba.
>>>>>>
>>>>>> In Samba's log, I see errors like :
>>>>>>
>>>>>> The primary group domain sid(S-.... ) does not match the domain sid(S-... ) for username(S-...)
>>>>>>
>>>>>> and :
>>>>>>
>>>>>> [2014/09/11 15:07:29.548824,  2] auth/auth.c:319(check_ntlm_password)
>>>>>>    check_ntlm_password:  Authentication for user [username] -> [username] FAILED with error NT_STATUS_UNSUCCESSFUL
>>>>>>
>>>>>> Where can I find more debugging info? Do you have any idea of what
>>>>>> I'm missing?
>>>>>>
>>>>>> Thanks for your help.
>>>>>>
>>>>>> Michel
>>>>>
>>> Well, of course the SIDs are different; in this instance the samba
>>> machines are acting as if they are standalone windows machines, and if
>>> you went to two standalone windows machines you would get the same
>>> results.
>>>
>>> In a workgroup, you need to create the users on every machine with the
>>> same passwords, and the linux machines need to sync the passwords with
>>> users stored in ldap. If you do move to running a NT4 domain, you will
>>> still have the same problem, you will still need local unix users,
>>> whereas with an AD domain you only need users stored in AD.
>>>
>>> If you do want to go down this path of one ldap server, then you have no
>>> other option other than to set up a NT4 domain (PDC) and set the second
>>> machine as a BDC.
>>>
>>> Rowland
>>>
>>
>
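The checks the thread walks through (comparing the SID from `net getlocalsid` / `net getdomainsid` on each server, the sambaDomainName objects stored in LDAP, and the domain prefix of a user's sambaSID and sambaPrimaryGroupSID) as one POSIX shell script. This is an added example, not part of the thread and not Samba project code. It works on constructed text: the two `net getlocalsid` outputs quoted above, an assumed LDIF listing of the sambaDomain objects (the "newone" entry name is an assumption), and an assumed user/primary-group pair (RIDs 1001 and 513 are made up). On a live server you would pipe in the real `net getlocalsid` output and the output of `ldapsearch -x -LLL -b dc=domain,dc=be '(objectClass=sambaDomain)' sambaDomainName sambaSID` instead. The script only diagnoses the mismatch that produces the "primary group domain sid ... does not match the domain sid" log line; as Rowland says, the cure is a single domain SID on every machine, which means running a domain.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba code): check that the SIDs a
# Samba 3 ldapsam server will see agree with each other.

# Strip the trailing RID: S-1-5-21-a-b-c-1001 -> S-1-5-21-a-b-c
sid_domain_part() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# Pull the SID out of `net getlocalsid` / `net getdomainsid` output (stdin).
# Prints nothing for "Could not fetch domain SID".
parse_net_sid() {
    sed -n 's/.*is: *\(S-[0-9-]*\).*/\1/p' | head -n 1
}

# From LDIF on stdin, print "sambaDomainName sambaSID" per sambaDomain entry.
# Assumes plain attribute values (base64 "::" values are not decoded).
ldif_domain_sids() {
    awk '
        /^sambaDomainName:/ { name = $2 }
        /^sambaSID:/        { sid = $2 }
        /^$/ && name != ""  { print name, sid; name = ""; sid = "" }
        END { if (name != "") print name, sid }
    '
}

# Print the sambaDomainName(s) whose sambaSID equals $1 (LDIF on stdin).
domains_with_sid() {
    ldif_domain_sids | awk -v s="$1" '$2 == s { print $1 }'
}

# Exit 0 if the user SID ($2) and its primary group SID ($3) both carry the
# domain SID $1. This is the relation behind Samba's "primary group domain
# sid ... does not match the domain sid" message.
check_user_sids() {
    [ "$(sid_domain_part "$2")" = "$1" ] &&
    [ "$(sid_domain_part "$3")" = "$1" ]
}

# --- constructed sample input (the SIDs are the ones quoted in the thread) ---
OLDONE_NET='SID for local machine oldone is: S-1-5-21-3641741432-4083152458-129815128
Could not fetch domain SID'
NEWONE_NET='SID for local machine newone is: S-1-5-21-2324203820-3887545065-2044117837
Could not fetch domain SID'
# Assumed result of: ldapsearch -x -LLL -b dc=domain,dc=be \
#   '(objectClass=sambaDomain)' sambaDomainName sambaSID
DOMAIN_LDIF='dn: sambaDomainName=WORKGROUP,dc=domain,dc=be
sambaDomainName: WORKGROUP
sambaSID: S-1-5-21-3641741432-4083152458-129815128

dn: sambaDomainName=newone,dc=domain,dc=be
sambaDomainName: newone
sambaSID: S-1-5-21-2324203820-3887545065-2044117837'
# Assumed user created on the old server (RIDs 1001 and 513 are made up).
USER_SID='S-1-5-21-3641741432-4083152458-129815128-1001'
GROUP_SID='S-1-5-21-3641741432-4083152458-129815128-513'

# --- report: which LDAP domain object each server SID maps to, and whether the
# --- sample user could authenticate against that server
for net_out in "$OLDONE_NET" "$NEWONE_NET"; do
    srv=$(printf '%s\n' "$net_out" | parse_net_sid)
    owners=$(printf '%s\n' "$DOMAIN_LDIF" | domains_with_sid "$srv" | tr '\n' ' ')
    [ -n "$owners" ] || owners='(none)'
    printf 'server SID %s  LDAP sambaDomainName: %s\n' "$srv" "$owners"
    if check_user_sids "$srv" "$USER_SID" "$GROUP_SID"; then
        printf '  user and primary group SIDs match this server\n'
    else
        printf '  MISMATCH: user/group were created under another domain SID\n'
    fi
done
```

Run as-is it reports a match for oldone and a MISMATCH for newone, which is exactly the situation in the thread: users and groups in LDAP were stamped with the old server's SID, and the new server, having generated its own local SID and its own sambaDomainName object, rejects them.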

