[Samba] Samba and LDAP authentication backend

Rowland Penny rowlandpenny at googlemail.com
Fri Sep 12 09:02:47 MDT 2014


On 12/09/14 15:43, L.P.H. van Belle wrote:
> More logical would be a samba4 ad-ad setup.
> Easier is the PDC+BDC with LDAP syncrepl setup.
>
> I would go with the AD-DC setup, since it also has LDAP in it which you can use on your other servers also,
> and you're more ready for the future.
Which is basically what I said: there is no real reason now to set up a
new NT4-style domain on Linux; much better to go for an AD DC. Once you
have your first DC, adding a second DC is child's play.

Rowland

>
> Both have their cons and pros.
>
> And in the setup below I'm missing things like:
> #    ldap idmap suffix = ou=Users
> #    idmap backend = ldap://ldap.toyourserver.tld
> #    idmap uid = 10000-199999
> #    idmap gid = 10000-199999
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: subs at srtt.be [mailto:samba-bounces at lists.samba.org]
>> On behalf of srtt.be - Michel Lombart
>> Sent: Friday, 12 September 2014 16:38
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Samba and LDAP authentication backend
>>
>> Thanks for your reply, Karel,
>>
>> Indeed, we will build a solution based on a PDC and BDC. More logical
>> and robust I think.
>>
>> Best regards
>>
>> On 12/09/2014 15:48, Karel Lang AFD wrote:
>>> Thanks for the clarification,
>>> I was interested in grasping it too.
>>>
>>> It is as I was afraid: PDC+BDC as the only logical solution, or awkwardly
>>> replicating (?) user authentication data between 2 LDAP servers? Sounds not
>>> as easy a setup as a classic Domain Controller.
>>>
>>> On 09/12/2014 10:44 AM, Rowland Penny wrote:
>>>> On 12/09/14 08:52, srtt.be - Michel Lombart wrote:
>>>>> Thanks for your fast reply, Karel, and thanks to Rowland as well.
>>>>>
>>>>> I do not have any PDC in that network, nor any domain. Everything
>>>>> follows the workgroup model.
>>>>>
>>>>> And yes, net getdomainsid on both servers is the same ... nothing!
>>>>> SID for local machine oldone is:
>>>>> S-1-5-21-3641741432-4083152458-129815128
>>>>> Could not fetch domain SID
>>>>>
>>>>>
>>>>> SID for local machine newone is:
>>>>> S-1-5-21-2324203820-3887545065-2044117837
>>>>> Could not fetch domain SID
>>>>>
>>>>> Both SIDs are also in the LDAP under a sambaDomainName object, and I
>>>>> noticed that sambaDomainName=WORKGROUP has the same SID as the old
>>>>> server. They were created when the server connected to the LDAP for
>>>>> the first time.
>>>>>
>>>>> Both config files are identical, except for server names and share
>>>>> definitions. Here is the global section:
>>>>>
>>>>> [global]
>>>>>          log file = /var/log/samba/log.%m
>>>>>          passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>>>>          obey pam restrictions = yes
>>>>>          posix locking = no
>>>>>          dns proxy = no
>>>>>          force group = nogroup
>>>>>          encrypt passwords = true
>>>>>          passdb backend = ldapsam:ldap://172.20.0.150
>>>>>          passwd program = /usr/bin/passwd %u
>>>>>          ldap ssl = off
>>>>>          ldap user suffix = ou=users
>>>>>          ldap machine suffix = ou=machines
>>>>>          ldap group suffix = ou=groups
>>>>>          netbios name = serverName
>>>>>          server string = serverName
>>>>>          ldap passwd sync = yes
>>>>>          ldap suffix = dc=domain,dc=be
>>>>>          workgroup = WORKGROUP
>>>>>          os level = 20
>>>>>          force user = nobody
>>>>>          ldap admin dn = "cn=admin,dc=domain,dc=be"
>>>>>          security = user
>>>>>          syslog = 0
>>>>>          panic action = /usr/share/samba/panic-action %d
>>>>>          max log size = 1000
>>>>>          pam password change = yes
>>>>>
>>>>> Thanks for your help.
>>>>>
>>>>> Michel
>>>>>
>>>>> On 11/09/2014 17:26, Karel Lang AFD wrote:
>>>>>> Hi,
>>>>>> you want to add it for what purpose?
>>>>>>
>>>>>> Like a BDC to your existing PDC? If so, I think the domain SID of the PDC
>>>>>> and BDC should be the same.
>>>>>>
>>>>>> Rowland from the list pointed out to me not so long ago the difference between:
>>>>>> net getlocalsid
>>>>>> and
>>>>>> net getdomainsid
>>>>>>
>>>>>> I think the 'net getdomainsid' should be the same on both servers.
>>>>>> Can you check it out?
>>>>>>
>>>>>> cheers,
>>>>>>
>>>>>> On 09/11/2014 04:42 PM, srtt.be - Michel Lombart wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I'm facing a weird problem and I really do not know where I can find
>>>>>>> how to debug it.
>>>>>>>
>>>>>>> For some years we have had an LDAP server (Debian 6 and OpenLDAP
>>>>>>> 2.4.23) and a Samba server (Debian 6 and Samba 3.5.6). They work
>>>>>>> perfectly well in a workgroup. The LDAP server is also used for some
>>>>>>> other applications like Squid, Zimbra, ...
>>>>>>>
>>>>>>> Now we would like to add a second Samba server (Debian 7 and Samba
>>>>>>> 3.6.6). After having set up the server as I did for the other one,
>>>>>>> any login is allowed for LDAP users.
>>>>>>>
>>>>>>> On the console, getent passwd works perfectly, but the user list in
>>>>>>> the Samba module of Webmin is empty while the group list is correct!
>>>>>>> Both are correct on the older Samba.
>>>>>>>
>>>>>>> In Samba's log, I see errors like:
>>>>>>>
>>>>>>> The primary group domain sid(S-.... ) does not match the domain
>>>>>>> sid(S-... ) for username(S-...)
>>>>>>>
>>>>>>> and :
>>>>>>>
>>>>>>> [2014/09/11 15:07:29.548824,  2] auth/auth.c:319(check_ntlm_password)
>>>>>>>     check_ntlm_password:  Authentication for user [username] ->
>>>>>>> [username] FAILED with error NT_STATUS_UNSUCCESSFUL
>>>>>>>
>>>>>>> Where can I find more debugging info? Do you have any idea what I'm
>>>>>>> missing?
>>>>>>>
>>>>>>> Thanks for your help.
>>>>>>>
>>>>>>> Michel
>>>> Well, of course the SIDs are different; in this instance the Samba
>>>> machines are acting as if they are standalone Windows machines, and if
>>>> you went to two standalone Windows machines you would get the same
>>>> results.
>>>>
>>>> In a workgroup, you need to create the users on every machine with the
>>>> same passwords, and the Linux machines need to sync the passwords with
>>>> the users stored in LDAP. If you do move to running an NT4 domain, you will
>>>> still have the same problem: you will still need local Unix users,
>>>> whereas with an AD domain you only need users stored in AD.
>>>>
>>>> If you do want to go down this path of one LDAP server, then you have no
>>>> option other than to set up an NT4 domain (PDC) and set the second
>>>> machine up as a BDC.
>>>>
>>>> Rowland
>>>>
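As an added illustration (not code from the thread or from Samba), this Python script performs offline the two checks the thread turns on: it parses the posted [global] section for ldapsam settings a reviewer would question (the bind over plain ldap:// with ldap ssl = off, and the idmap settings Louis notes are missing), and it compares account SIDs against a server's domain SID, which is what the "primary group domain sid ... does not match the domain sid" error is complaining about. The two machine SIDs are the ones quoted above; the account with RID 3000 is constructed.

```python
import re
# Constructed sample, abbreviated from the [global] section posted in the thread.
SMB_CONF = """[global]
        passdb backend = ldapsam:ldap://172.20.0.150
        ldap ssl = off
        ldap admin dn = "cn=admin,dc=domain,dc=be"
        workgroup = WORKGROUP
"""
# The two machine SIDs quoted in the thread; the RID-3000 account is constructed.
OLD_SERVER_SID = "S-1-5-21-3641741432-4083152458-129815128"
NEW_SERVER_SID = "S-1-5-21-2324203820-3887545065-2044117837"
SAMPLE_ACCOUNTS = [("michel", OLD_SERVER_SID + "-3000")]
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}(-\d+)?$")

def domain_part(sid):
    """Domain prefix of an NT SID: strip the RID from an account SID, keep a bare domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain/account SID: %r" % sid)
    return sid.rsplit("-", 1)[0] if m.group(1) else sid

def parse_global(conf):
    """Collect 'key = value' pairs of the [global] section, keys lower-cased."""
    params, in_global = {}, False
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, val = line.split("=", 1)
            params[" ".join(key.split()).lower()] = val.strip().strip('"')
    return params

def audit_ldapsam(params):
    """Findings a reviewer would raise on the posted ldapsam config."""
    findings = []
    plain = params.get("passdb backend", "").startswith("ldapsam:ldap://")
    if plain and params.get("ldap ssl", "").lower() == "off":
        findings.append("ldap admin dn binds over plain ldap:// with 'ldap ssl = off'; "
                        "use ldaps:// or 'ldap ssl = start tls'")
    if not any(k.startswith("idmap") for k in params):
        findings.append("no idmap settings (the thread notes idmap backend/uid/gid missing)")
    return findings

def sid_mismatches(local_domain_sid, accounts):
    """(name, sid) pairs whose domain prefix differs from this server's domain SID."""
    return [(n, s) for n, s in accounts if domain_part(s) != local_domain_sid]
```

Run against the new server's SID, the constructed account built on the old server's SID is reported, which mirrors what the two standalone machines in the thread see; against the old server's SID it is clean.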
