[Samba] Please advise on classicupgrade process

Rowland Penny rowlandpenny at googlemail.com
Sun Feb 22 15:19:16 MST 2015


On 22/02/15 20:25, Andrey Repin wrote:
> Greetings, All!
>
> I'm still on the topic, but probably I read too much stuff lately and can't
> have my head set straight.
>
> Situation: NT4 domain, LDAP+Samba 3.6, running under Ubuntu 12.04.
> The machine is also a network gateway and access (VPN/ssh) server.
>
> Target goals:
> 1. Upgrade to Samba4 (4.1 seems possible).
> 2. Convert to ADS.
> 3. Get rid of PAM-LDAP.
> 4. Retain ability for domain users to login locally (VPN/ssh) to the system.
>
> I've done some experimentation in the virtualized copy of the environment,
> first with 12.04 and Samba 4.1 from PPA (backport from 14.04 dist), then
> upgraded to 14.04 due to some conflicting dependencies. (Same 4.1 Samba)
> classicupgrade seems to be working, as do bind_dlz and client workstation
> domain logins.
>
> Now, there's a problem:
> getent passwd doesn't list domain users. Even though winbind is listed in
> pam-auth-update as part of the authentication stack.
> Domain users can't connect to SSH - "access denied".
>
> Relevant auth.log is this:
> Feb 22 23:23:34 userl sshd[2576]: Invalid user natali from 192.168.56.1
> Feb 22 23:23:34 userl sshd[2576]: input_userauth_request: invalid user natali [preauth]
> Feb 22 23:23:44 userl sshd[2576]: pam_unix(sshd:auth): check pass; user unknown
> Feb 22 23:23:44 userl sshd[2576]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1
> Feb 22 23:23:44 userl sshd[2576]: pam_winbind(sshd:auth): getting password (0x00000388)
> Feb 22 23:23:44 userl sshd[2576]: pam_winbind(sshd:auth): pam_get_item returned a password
> Feb 22 23:23:46 userl sshd[2576]: Failed password for invalid user natali from 192.168.56.1 port 51422 ssh2
>
> However,
> # wbinfo -u | grep natali && echo Found.
> natali
> Found.
>
>
> On top of that, I've been stuck on the Microsoft article
> https://technet.microsoft.com/en-us/library/cc726016.aspx and I'm wondering
> how it is applicable to Samba ADS?
>
> Could it be worthwhile to, let's say, run Samba in LXC container?
>
> P.S.
> The page
> https://wiki.samba.org/index.php/Samba_Classic_Upgrade_(NT4-style_domain_to_AD)
> is outdated/incomplete - there's no "slapd.conf" file for late releases of
> OpenLDAP. On systems with schema storage based configuration, it is necessary
> to add
> olcSizeLimit: unlimited
> to /etc/ldap/slapd.d/cn=config.ldif (if I'm not mistaken).
>
>

You probably don't have winbind set up correctly; start by having a look
here:

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Rowland
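
A check that fits the symptoms quoted above, added here as an example and not written by either poster: sshd logs "Invalid user" when the account name lookup fails, and that lookup goes through NSS (/etc/nsswitch.conf), which pam-auth-update does not manage. The function names are hypothetical and the sample data is constructed.

```shell
#!/bin/sh
# Added example: function names are hypothetical; sample data is constructed.

# nss_has_winbind FILE DB: succeed if DB's line in an nsswitch.conf-style
# file names "winbind" as a source (text after '#' is ignored).
nss_has_winbind() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }
    ' "$1"
}

# invalid_users FILE: unique account names that sshd rejected at name lookup
# ("Invalid user X from ..."), whatever the PAM modules logged afterwards.
invalid_users() {
    awk '/sshd\[[0-9]+\]: Invalid user / {
        for (i = 1; i < NF; i++)
            if ($i == "Invalid" && $(i+1) == "user") { print $(i+2); next }
    }' "$1" | sort -u
}

# diagnose NSSWITCH AUTHLOG: print a one-line verdict.
diagnose() {
    users=$(invalid_users "$2" | tr '\n' ' ')
    if [ -n "$users" ] && ! nss_has_winbind "$1" passwd; then
        echo "NSS: passwd lacks winbind; unresolved: ${users% }"
    elif [ -n "$users" ]; then
        echo "NSS lists winbind but lookups fail for: ${users% }"
    else
        echo "no name-lookup failures logged"
    fi
}

# With two arguments, check real files; with none, run on constructed samples.
if [ "$#" -eq 2 ]; then
    diagnose "$1" "$2"
else
    t=$(mktemp -d)
    printf 'passwd: compat\ngroup: compat\n' > "$t/nsswitch"
    printf '%s\n' 'Feb 22 23:23:34 host sshd[1]: Invalid user alice from 192.0.2.1' > "$t/log"
    diagnose "$t/nsswitch" "$t/log"
    rm -rf "$t"
fi
```

Run it as `sh check.sh /etc/nsswitch.conf /var/log/auth.log`; a user that `wbinfo -u` lists but sshd calls invalid points at NSS rather than at the PAM stack.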



