[Samba] Please advise on classicupgrade process

Andrey Repin anrdaemon at yandex.ru
Sun Feb 22 13:25:17 MST 2015


Greetings, All!

I'm still on the topic, but probably I read too much stuff lately and can't
have my head set straight.

Situation: NT4 domain, LDAP+Samba 3.6, running under Ubuntu 12.04.
The machine is also a network gateway and access (VPN/ssh) server.

Target goals:
1. Upgrade to Samba4 (4.1 seems possible).
2. Convert to ADS.
3. Get rid of PAM-LDAP.
4. Retain ability for domain users to login locally (VPN/ssh) to the system.

I've done some experimentation in the virtualized copy of the environment,
first with 12.04 and Samba 4.1 from PPA (backport from 14.04 dist), then
upgraded to 14.04 due to some conflicting dependencies. (Same 4.1 Samba)
classicupgrade seems to be working, as are the bind_dlz and client workstation
domain logins.

Now, there's a problem:
getent passwd doesn't list domain users, even though winbind is listed in
pam-auth-update as part of the authentication stack.
Domain users can't connect to SSH - "access denied".

Relevant auth.log is this:
Feb 22 23:23:34 userl sshd[2576]: Invalid user natali from 192.168.56.1
Feb 22 23:23:34 userl sshd[2576]: input_userauth_request: invalid user natali [preauth]
Feb 22 23:23:44 userl sshd[2576]: pam_unix(sshd:auth): check pass; user unknown
Feb 22 23:23:44 userl sshd[2576]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1
Feb 22 23:23:44 userl sshd[2576]: pam_winbind(sshd:auth): getting password (0x00000388)
Feb 22 23:23:44 userl sshd[2576]: pam_winbind(sshd:auth): pam_get_item returned a password
Feb 22 23:23:46 userl sshd[2576]: Failed password for invalid user natali from 192.168.56.1 port 51422 ssh2

However,
# wbinfo -u | grep natali && echo Found.
natali
Found.


On top of that, I've been stuck on the Microsoft article
https://technet.microsoft.com/en-us/library/cc726016.aspx and I'm wondering
how it is applicable to Samba ADS.

Could it be worthwhile to, let's say, run Samba in LXC container?

P.S.
The page
https://wiki.samba.org/index.php/Samba_Classic_Upgrade_(NT4-style_domain_to_AD)
is outdated/incomplete - there's no "slapd.conf" file for late releases of
OpenLDAP. On systems with schema-storage-based configuration, it is necessary
to add
olcSizeLimit: unlimited
to /etc/ldap/slapd.d/cn=config.ldif (if I'm not mistaken).


-- 
WBR,
Andrey Repin (anrdaemon at yandex.ru) 22.02.2015, <21:29>

Sorry for my terrible English...
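The symptom described in the mail (wbinfo -u resolves natali, getent passwd does not, and sshd therefore logs "Invalid user") is commonly the NSS side being left unconfigured: pam-auth-update manages only the PAM stack, while getent and sshd's user lookup go through /etc/nsswitch.conf, which needs winbind on its passwd: and group: lines (the libnss-winbind package on Ubuntu). The script below is an added diagnostic, not from the mail or the Samba project; the file names, the constructed sample lists and the --live flag are my own.

```shell
#!/bin/sh
# Added diagnostic (not from the original mail): checks the NSS side of the
# "wbinfo -u sees the user but getent passwd does not" symptom.

# nsswitch_has_winbind FILE DB: exit 0 if DB's line (passwd or group) in the
# given nsswitch.conf lists the winbind source, 1 otherwise. Comments are
# ignored, so a commented-out "#passwd: compat winbind" does not count.
nsswitch_has_winbind() {
    awk -v db="$2" '
        { line = $0
          sub("#.*", "", line)                  # drop comments
          sub("^[ \t]+", "", line)              # drop leading whitespace
          n = split(line, f, /[: \t]+/)        # "passwd: compat winbind"
          if (n > 1 && f[1] == db)
              for (i = 2; i <= n; i++) if (f[i] == "winbind") found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# missing_users WBINFO_LIST PASSWD_DB: print every name from saved "wbinfo -u"
# output (one per line) that has no entry in saved "getent passwd" output.
# Names that winbind knows but NSS cannot resolve are exactly the accounts
# sshd will reject as "Invalid user".
missing_users() {
    awk -F: 'NR == FNR { nss[$1] = 1; next } NF && !($1 in nss) { print $1 }' \
        "$2" "$1"
}

# Live run against this host (hypothetical usage): sh nss_check.sh --live
if [ "${1:-}" = "--live" ]; then
    for db in passwd group; do
        nsswitch_has_winbind /etc/nsswitch.conf "$db" \
            || echo "nsswitch.conf: '$db' line does not list winbind"
    done
    t=$(mktemp -d) || exit 1
    wbinfo -u > "$t/wb" && getent passwd > "$t/ge" \
        && missing_users "$t/wb" "$t/ge" | sed 's/^/NSS cannot resolve: /'
    rm -rf "$t"
fi
```

Without --live the script only defines the two functions, so it can be sourced and pointed at copies of nsswitch.conf and command output taken from the affected host.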
