[Samba] LDAP SSL

Rowland Penny rpenny at samba.org
Sat Aug 11 13:34:13 UTC 2018


On Sat, 11 Aug 2018 12:47:19 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
> 
> Thank you for that.
> 
> As mentioned we have some other issues, would appreciate your input
> for these
> 
> Server02: Samba 3.x: old PDC now file server
> Server01: Samba 4.x , new PDC and LDAP
> 
> We're using libnss_ldap(both Server02 and Server01) with (files ldap)
> in nsswitch.conf. What we found that is if we have winbind running in
> Server02 , the client machines are not able to access the shares. It
> prompts them for user and password. If we stop winbind there are no
> issues accessing the share. This is in the Server02
> 
> When we moved the DC role from Server02 to Server01, we purged the
> non-system users as these users are in LDAP. We then removed the
> *.tdb files from the /var/lib/samba folder. The issue we are having
> is that using getent passwd for these users doesn't work from
> Server02. Any new users added in LDAP show up via getent passwd.
> It's just the users who were once in the local database (either
> tdb or /etc/passwd). As mentioned we are using files ldap in
> nsswitch.conf. The issue is that the users are able to authenticate
> via LDAP (Server01) but not access shares (Server02). It comes up with
> "user cannot be found".

I 'think' in the work to get AD clients working correctly, something
got broken for NT4-style Unix clients. I say this because winbind
does not seem able (using 'security = domain') to obtain users via
getent or wbinfo. I know this because I spent some time on Thursday
trying to get this to work and couldn't. For some reason, even though
the join was okay, Samba couldn't find the PDC.

I wouldn't worry too much about your problems, just make sure the PDC
can be upgraded in your test environment, without problems, then move
to carrying out the upgrade for real, at this point, you will no longer
need nss-ldapd on the fileserver, winbind will work.
 
You seem to be fixated on getting Samba 4 to work with your PDC, rather
than ironing out any problems in the classic upgrade.

As I said earlier, clone your PDC into a test environment, but use
Samba 4 instead of Samba 3. Then attempt the classicupgrade, fix any
problems found (making notes as you go). Once you are sure it works,
do it again, but follow your notes; once you are 100% sure it works
correctly, repeatedly, do it for real. I would ensure that all the
clients are turned off before you do it for real, just in case. You can
start and turn the clients on again when you are sure the AD DC is
running correctly.

Rowland