[Samba] Samba and LDAP authentication backend

L.P.H. van Belle belle at bazuin.nl
Fri Sep 12 08:43:49 MDT 2014


More logical would be a samba4 ad-dc setup. 
Easier is the pdc+bdc with ldap syncrepl setup. 

I would go with the ad-dc setup, since it also has ldap in it which you can use on your other servers also. 
And you're more ready for the future.. 

Both have their cons and pros.. 

And in the setup below I'm missing things like: 
#    ldap idmap suffix = ou=Users
#    idmap backend = ldap://ldap.toyourserver.tld
#    idmap uid = 10000-199999
#    idmap gid = 10000-199999

Greetz, 

Louis
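Added example, not code from this thread or from the Samba project: the log line quoted further down the thread ("The primary group domain sid(...) does not match the domain sid(...)") comes from Samba comparing the domain prefix of an account's sambaSID / sambaPrimaryGroupSID against the SID of the sambaDomainName entry it uses. When two servers have each written their own sambaDomainName object into one shared LDAP tree, accounts end up carrying two different prefixes. The script below parses an LDIF dump and reports every account whose SIDs do not share the chosen domain's prefix. The LDIF, the domain names WORKGROUP and NEWONE, and all SIDs are constructed sample data.

```python
"""Report Samba LDAP accounts whose SIDs do not belong to the expected domain SID.

Constructed example. Input is an LDIF dump of the sambaDomainName objects and
the sambaSamAccount entries; all names and SIDs below are made up.
"""
import re
from collections import defaultdict

# A domain SID is S-1-5-21-A-B-C; an account or group SID appends one RID.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(?:-\d+)?$")


def parse_ldif(text):
    """Minimal LDIF reader: list of entries, each a dict of lowercased
    attribute name -> list of values. Folded continuation lines (leading
    space) are joined; comments and base64 values are not handled."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], defaultdict(list)
    for line in lines:
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current[attr.strip().lower()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def domain_part(sid):
    """Return the domain prefix of a SID (everything except a trailing RID)."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a well-formed S-1-5-21 SID: {sid}")
    return "-".join(sid.split("-")[:7])


def find_mismatches(ldif_text, domain_name):
    """Return (domain_sid, problems); problems is a list of
    (uid, attribute, sid) for SIDs outside the named domain."""
    entries = parse_ldif(ldif_text)
    domain_sid = None
    for e in entries:
        names = [v.lower() for v in e.get("sambadomainname", [])]
        if domain_name.lower() in names:
            domain_sid = e["sambasid"][0]
    if domain_sid is None:
        raise LookupError(f"no sambaDomainName entry for {domain_name}")
    problems = []
    for e in entries:
        classes = [v.lower() for v in e.get("objectclass", [])]
        if "sambasamaccount" not in classes:
            continue
        uid = e.get("uid", ["?"])[0]
        for attr in ("sambasid", "sambaprimarygroupsid"):
            for sid in e.get(attr, []):
                if domain_part(sid) != domain_sid:
                    problems.append((uid, attr, sid))
    return domain_sid, problems


# Constructed sample: two servers each wrote a sambaDomainName object; bob's
# primary group was assigned under the second server's SID.
SAMPLE_LDIF = """\
dn: sambaDomainName=WORKGROUP,dc=example,dc=be
objectClass: sambaDomain
sambaDomainName: WORKGROUP
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: sambaDomainName=NEWONE,dc=example,dc=be
objectClass: sambaDomain
sambaDomainName: NEWONE
sambaSID: S-1-5-21-4444444444-5555555555-6666666666

dn: uid=alice,ou=users,dc=example,dc=be
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1000
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513

dn: uid=bob,ou=users,dc=example,dc=be
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1002
sambaPrimaryGroupSID: S-1-5-21-4444444444-5555555555-6666666666-513
"""

if __name__ == "__main__":
    for name in ("WORKGROUP", "NEWONE"):
        dom_sid, bad = find_mismatches(SAMPLE_LDIF, name)
        print(f"{name} ({dom_sid}): {len(bad)} mismatching SID(s)")
        for uid, attr, sid in bad:
            print(f"  {uid}: {attr} = {sid}")
```

To run it against a real tree, replace SAMPLE_LDIF with the output of an ldapsearch over the sambaDomainName and sambaSamAccount entries and pass the workgroup name the server's smb.conf actually uses; every reported line corresponds to an account that will fail the check behind the quoted log message on that server.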


>-----Original message-----
>From: subs at srtt.be [mailto:samba-bounces at lists.samba.org] 
>On behalf of srtt.be - Michel Lombart
>Sent: Friday 12 September 2014 16:38
>To: samba at lists.samba.org
>Subject: Re: [Samba] Samba and LDAP authentication backend
>
>Thanks for your reply Karel,
>
>Indeed, we will build a solution based on a PDC and BDC. More logical 
>and robust I think.
>
>Best regards
>
>On 12/09/2014 15:48, Karel Lang AFD wrote:
>> Thanks for clarification,
>> I was interested in grasping it too.
>>
>> It is as I was afraid: PDC+BDC as the only logical solution, or awkward
>> replicating? of user authentication data between 2 LDAP servers? Sounds not
>> as easy a setup as a classic Domain Controller.
>>
>> On 09/12/2014 10:44 AM, Rowland Penny wrote:
>>> On 12/09/14 08:52, srtt.be - Michel Lombart wrote:
>>>> Thanks for your fast reply Karel and thanks to Rowland as well.
>>>>
>>>> I do not have any PDC in that network and any domain neither. All
>>>> follows the workgroup model.
>>>>
>>>> And yes, net getdomainsid on both servers is the same ... nothing !
>>>>
>>>> SID for local machine oldone is:
>>>> S-1-5-21-3641741432-4083152458-129815128
>>>> Could not fetch domain SID
>>>>
>>>>
>>>> SID for local machine newone is:
>>>> S-1-5-21-2324203820-3887545065-2044117837
>>>> Could not fetch domain SID
>>>>
>>>> Both SIDs are also in the LDAP under an object sambaDomainName and I
>>>> noticed that a sambaDomainName=WORKGROUP has the same SID as the old
>>>> server. They came when the server tried to connect to the LDAP for the
>>>> first time.
>>>>
>>>> Both config files are identical, server names and shares definitions
>>>> excepted. Here is the global section :
>>>>
>>>> [global]
>>>>         log file = /var/log/samba/log.%m
>>>>         passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>>>         obey pam restrictions = yes
>>>>         posix locking = no
>>>>         dns proxy = no
>>>>         force group = nogroup
>>>>         encrypt passwords = true
>>>>         passdb backend = ldapsam:ldap://172.20.0.150
>>>>         passwd program = /usr/bin/passwd %u
>>>>         ldap ssl = off
>>>>         ldap user suffix = ou=users
>>>>         ldap machine suffix = ou=machines
>>>>         ldap group suffix = ou=groups
>>>>         netbios name = serverName
>>>>         server string = serverName
>>>>         ldap passwd sync = yes
>>>>         ldap suffix = dc=domain,dc=be
>>>>         workgroup = WORKGROUP
>>>>         os level = 20
>>>>         force user = nobody
>>>>         ldap admin dn = "cn=admin,dc=domain,dc=be"
>>>>         security = user
>>>>         syslog = 0
>>>>         panic action = /usr/share/samba/panic-action %d
>>>>         max log size = 1000
>>>>         pam password change = yes
>>>>
>>>> Thanks for your help.
>>>>
>>>> Michel
>>>>
>>>> On 11/09/2014 17:26, Karel Lang AFD wrote:
>>>>> Hi,
>>>>> do you want to add it, like for what purpose?
>>>>>
>>>>> Like BDC to your existing PDC? If so, I think the domain SID of PDC and
>>>>> BDC should be the same.
>>>>>
>>>>> Rowland from the list pointed out to me not so long ago the difference between:
>>>>> net getlocalsid
>>>>> and
>>>>> net getdomainsid
>>>>>
>>>>> I think the 'net getdomainsid' should be the same on both servers.
>>>>> Can you check it out?
>>>>>
>>>>> cheers,
>>>>>
>>>>>
>>>>> On 09/11/2014 04:42 PM, srtt.be - Michel Lombart wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I'm facing a weird problem and I really do not know where I can find
>>>>>> how to debug it.
>>>>>>
>>>>>> Since some years, we have a LDAP server (Debian 6 and OpenLDAP 2.4.23)
>>>>>> and a Samba server (Debian 6 and Samba 3.5.6). They work perfectly well
>>>>>> in a workgroup. The LDAP server is also used for some other applications
>>>>>> like Squid, Zimbra, ...
>>>>>>
>>>>>> Now, we would like to add a second Samba server (Debian 7 and Samba 3.6.6).
>>>>>> After having set up the server as I did for the other one, no login is
>>>>>> allowed for LDAP users.
>>>>>>
>>>>>> On the console, getent passwd works perfectly, but the users list in the
>>>>>> Samba module of Webmin is empty while the group list is correct ! Both
>>>>>> are correct in the older Samba.
>>>>>>
>>>>>> In Samba's log, I see errors like :
>>>>>>
>>>>>> The primary group domain sid(S-.... ) does not match the domain
>>>>>> sid(S-... ) for username(S-...)
>>>>>>
>>>>>> and :
>>>>>>
>>>>>> [2014/09/11 15:07:29.548824,  2] auth/auth.c:319(check_ntlm_password)
>>>>>>    check_ntlm_password:  Authentication for user [username] ->
>>>>>> [username] FAILED with error NT_STATUS_UNSUCCESSFUL
>>>>>>
>>>>>> Where can I find more debugging info ? Do you have any idea of what I'm
>>>>>> missing?
>>>>>>
>>>>>> Thanks for your help.
>>>>>>
>>>>>> Michel
>>>>>
>>> Well, of course the SIDs are different, in this instance the samba
>>> machines are acting as if they are standalone windows machines and if
>>> you went to two standalone windows machines you would get the same
>>> results.
>>>
>>> In a workgroup, you need to create the users on every machine with the
>>> same passwords, and the linux machines need to sync the passwords with
>>> users stored in ldap. If you do move to running a NT4 domain, you will
>>> still have the same problem, you will still need local unix users,
>>> whereas with an AD domain you only need users stored in AD.
>>>
>>> If you do want to go down this path of one ldap server, then you have no
>>> other option other than to set up a NT4 domain (PDC) and set the second
>>> machine as a BDC.
>>>
>>> Rowland
>>>
>>
