[Samba] Please adwise on classicupgrade process

Denis Cardon denis.cardon at tranquil-it-systems.fr
Sun Feb 22 15:29:25 MST 2015

Hi Andrey
> Greetings, All!
> I'm still on the topic, but probably I read too much stuff lately and can't
> have my head set straight.
> Situation: NT4 domain, LDAP+Samba 3.6, running under Ubuntu 12.04.
> The machine is also a network gateway and access (VPN/ssh) server.
> Target goals:
> 1. Upgrade to Samba4 (4.1 seems possible).
> 2. Convert to ADS.
> 3. Get rid of PAM-LDAP.
> 4. Retain ability for domain users to login locally (VPN/ssh) to the system.
> I've done some experimentation in the virtualized copy of the environment,
> first with 12.04 and Samba 4.1 from PPA (backport from 14.04 dist), then
> upgraded to 14.04 due to some conflicting dependencies. (Same 4.1 Samba)
> classicupgrade seems to be working, so as the bind_dlz and client workstation
> domain logins.
> Now, there's a problem:
> getent passwd doesn't list domain users. Even though winbind is listed in
> pam-auth-update as part of the authentication stack.
> Domain users can't connect to SSH - "access denied".
are you trying to setup pam/nss winbind directly on the samba4 DC? From 
reading your samba3 setup, it looks like you want to have everything on 
the same machine. You should better try to set up all the non DC 
services on a separate member server and see if you get the expected 
result. Winbind is kinda special on a DC in 4.0 and 4.1. I guess it will 
be easier to make your kind of setup on samba 4.2, but anyway, it won't 
be such a great idea, in the time of virtualisation and container, it is 
easier to split up the things.



> Relevant auth.log is this:
> Feb 22 23:23:34 userl sshd[2576]: Invalid user natali from
> Feb 22 23:23:34 userl sshd[2576]: input_userauth_request: invalid user natali [preauth]
> Feb 22 23:23:44 userl sshd[2576]: pam_unix(sshd:auth): check pass; user unknown
> Feb 22 23:23:44 userl sshd[2576]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=
> Feb 22 23:23:44 userl sshd[2576]: pam_winbind(sshd:auth): getting password (0x00000388)
> Feb 22 23:23:44 userl sshd[2576]: pam_winbind(sshd:auth): pam_get_item returned a password
> Feb 22 23:23:46 userl sshd[2576]: Failed password for invalid user natali from port 51422 ssh2
> However,
> # wbinfo -u | grep natali && echo Found.
> natali
> Found.
> On top of that, I've been stuck in Microsoft article
> https://technet.microsoft.com/en-us/library/cc726016.aspx and I'm wondering,
> how it is applicable to Samba ADS?
> Could it be worthwhile to, let's say, run Samba in LXC container?
> P.S.
> The page
> https://wiki.samba.org/index.php/Samba_Classic_Upgrade_(NT4-style_domain_to_AD)
> is outdated/incomplete - there's no "slaps.conf" file for late releases of
> OpenLDAP. On systems with schema storage based configuration, it is need to
> add
> olcSizeLimit: unlimited
> to /etc/ldap/slapd.d/cn=config.ldif (if i'm not mistaken).

More information about the samba mailing list