[Samba] Samba v3 works with LDAP, but not Samba v4

Junior Oliveira emersonjr.eng at gmail.com
Wed Oct 17 19:36:55 UTC 2018 

Hi, i'm new to this discussion here but i reading and remembered i've
solved almost the same problem you're having.

I was connecting a Samba 4 standalone server with an existent LDAP server
which was already being used as backend for a Samba 3. On the process of
connecting SMB4 i had that SID mismatch issue. To solve it, i used "net
setdomainsid" to set SMB4 domain SID to the one configure on LDAP, that
configuration was set in all users.

After this, SMB4 was logging with LDAP user credentials smoothly.

I know it worked but this work-around may be a problem on the future, so i
also suggest you do what Rowland is saying ( i got do this as well :D), but
if you're facing an urgency, like i was, it you help you for a while.

I feel glad to share it with you if it was an useful info.

Em qua, 17 de out de 2018 às 17:36, Andrew Bartlett via samba <
samba at lists.samba.org> escreveu:

> On Wed, 2018-10-17 at 06:17 -0700, Emil Henry via samba wrote:
> > HI Andrew!
> >
> > > The user 'johndoe' seems to be rejected because it has the wrong SID.
> > >
> > > It is the group in this case, we changed the rules to make them
> > > stricter a while back, the primary group needs a group mapping entry
> > > matching the SID of the standalone server.
> > >
> >
> > How would I match the Primary Group without breaking the existing Samba
> > server that connects to this LDAP server? That samba server does not
> belong
> > to me, and may stay at v3 for a while longer.
>
> G'Day Emil,
>
> I asked at the start of this if you had any other Samba servers talking
> to this LDAP backend.  Clearly we have miscommunicated.
>
> Your configuration is not supported.  One 'domain' per LDAP backend is
> the rule.
>
> Each standalone server is a domain of itself.  The only way to share a
> backend is to make all servers that use the backend be NT4-like DCs of
> the same domain.
>
> You will need to work with the owner of the other Samba server to
> resolve this.  Ideally you would upgrade to Samba's AD DC and make both
> file servers domain members, but as Rowland mentions this can a long
> and difficult process depending on what else depends on this LDAP
> server.
>
> Sorry,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list