[Samba] Samba v3 works with LDAP, but not Samba v4

Emil Henry hbcsc153 at gmail.com
Tue Oct 16 22:09:27 UTC 2018


Hi Andrew!

At the moment, there is only 1 Samba server that is working with this LDAP
backend that I know of. I just shut down the smbd, and restarted it. I then
did a smbclient call, which failed. I am including the log.smbd as well.

Thanks.

On Tue, Oct 16, 2018 at 2:24 PM Andrew Bartlett <abartlet at samba.org> wrote:

> On Tue, 2018-10-16 at 20:55 +0100, Rowland Penny via samba wrote:
> > On Tue, 16 Oct 2018 12:13:16 -0700
> > Emil Henry via samba <samba at lists.samba.org> wrote:
> >
> > > Hello!
> > >
> > > We have Samba v3 (3.5.10) working against an LDAP server, and need to
> > > upgrade to Samba v4 (4.7.1); RHEL 7 supports only v4. Tried multiple
> > > configs of the smb.conf (including the old config) without success.
> > > Cleaned up smb.conf is below. Also, included is the output of a
> > > smbclient command on the SMBServer with debug option 10. Hoping that
> > > someone can point me in the right direction.
> > >
> > > Thanks
> > >
> > > [global]
> > >         security = user
> > >         ldap user suffix = ou=people
> > >         ldap group suffix = ou=groups
> > >         ldap ssl = off
> > >         ldap passwd sync = yes
> > >         ldap delete dn = no
> > >         workgroup = WORKGROUP
> > >         server string = "Samba Drives"
> > >         netbios name = SMBServer
> > >         log file = /var/log/samba/log.%m
> > >
> > > # For debugging enable the log level of 5
> > >         log level = 5
> > >         max log size = 50
> > >
> > > # LDAP Settings
> > >         ldap suffix = "o=EXAMPLE"
> > >         ldap admin dn = "cn=PUSer,ou=Proxies,ou=Auth,o=EXAMPLE"
> > >         passdb backend = ldapsam:ldap://ldapserver.example.com
> > >
> > > [homes]
> > >         valid users = %S
> > >         read only = No
> > >         writeable = yes
> > >         browseable = no
> > >         create mask = 0600
> > >         public = No
> > >         comment = %u's Z-Drive
> > >         nt acl support = no
> > >         inherit permissions = no
> > >         hide dot files = yes
> > >         directory mask = 0700
> > >         force create mode = 0700
> > >         valid users = MYDOMAIN\%S
> > >
> >
> > Hmm, I don't think this is going to work:
> >
> > negotiated dialect[SMB3_11] against server[localhost]
> >
> > Try adding:
> >
> > server max protocol = NT1
> > client max protocol = NT1
> >
> > To smb.conf
> >
> > Check that Samba can contact the ldap server.
>
> G'Day Rowland,
>
> The client-side log shows smbclient contacting smbd fine and getting to
> the session setup, so it isn't the protocol version.
>
> Emil,
>
> The logs we need are from Samba on the server, not smbclient.
>
> The use of LDAP by Samba in this configuration is all 'behind' smbd,
> not related at all to the smbclient call.
>
> e.g.
>
> [smbclient] <- SMB -> [smbd] <- LDAP -> [slapd]
>
> The use case here is for Samba as a standalone server using an LDAP
> server for the passdb.  This is a rare configuration, almost all users
> of this mode have Samba as DC so that multiple Samba servers can share
> the same LDAP backend (even if that functionality is unused).  This is
> because each server has an internal 'domain' if not a DC, and that has
> a SID, and each LDAP entry can only have one SID.
>
> Do you have multiple servers referring to this backend?
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team         https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
>
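
The quoted reply notes that a non-DC server has its own internal domain SID and that each LDAP entry can hold only one SID. The following is an added example, not part of the thread or of Samba itself: it compares the domain part of each sambaSID in an LDIF export with the SID printed by `net getlocalsid`. The SIDs, user names and LDIF text are constructed sample data, and plain-text (non-base64) LDIF input is an assumption.

```python
import re

# Account SIDs are <domain SID>-<RID>; the domain SID has the S-1-5-21-a-b-c form.
ACCOUNT_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def local_sid_from_net(output):
    """Extract the server's SID from `net getlocalsid` output."""
    m = re.search(r"S-1-5-21-\d+-\d+-\d+", output)
    if not m:
        raise ValueError("no domain SID found in net getlocalsid output")
    return m.group(0)

def samba_sids(ldif):
    """Map each DN to its sambaSID in plain-text LDIF (folded lines are joined)."""
    entries, dn = {}, None
    for line in ldif.replace("\n ", "").splitlines():
        key, _, value = line.partition(": ")
        if key.lower() == "dn":
            dn = value.strip()
        elif key.lower() == "sambasid" and dn:
            entries[dn] = value.strip()
        elif not line.strip():
            dn = None  # a blank line ends the current entry
    return entries

def audit(ldif, local_sid):
    """Sort entries into: under local_sid, under another domain SID, or skipped."""
    report = {"local": [], "foreign": {}, "skipped": []}
    for dn, sid in samba_sids(ldif).items():
        m = ACCOUNT_SID.match(sid)
        if not m:
            report["skipped"].append(dn)        # domain object or well-known SID
        elif m.group(1) == local_sid:
            report["local"].append(dn)
        else:
            report["foreign"][dn] = m.group(1)  # entry carries another domain's SID
    return report

# Constructed sample input (not taken from the thread).
NET_OUTPUT = "SID for domain SMBSERVER is: S-1-5-21-1111111111-2222222222-3333333333"
LDIF = """dn: uid=alice,ou=people,o=EXAMPLE
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1001

dn: uid=bob,ou=people,
 o=EXAMPLE
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-3002

dn: sambaDomainName=OLDSERVER,o=EXAMPLE
sambaSID: S-1-5-21-4444444444-5555555555-6666666666
"""
```

Entries reported under `foreign` carry a SID from a different domain than the server being checked, which is the situation the reply asks about when it raises multiple servers sharing one backend.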

