[Samba] ldapsam cannot find NT password hash

Rowland penny rpenny at samba.org
Mon May 27 07:15:06 UTC 2019

On 27/05/2019 00:42, David Kowis via samba wrote:
> On 5/26/19 10:14 AM, Rowland penny via samba wrote:
>>> Just curious, since I appear to be running a PDC, is there a way to have
>>> a standalone samba server, and just get the user/password information
>>> from LDAP without doing all the domain stuff? That's actually what I'd
>>> like to do. I don't need a domain controller.
>> I sort of thought you didn't
>> Try this:
>> remove 'security = user' which will make it 'security = auto'
>> Change these:
>>      domain logons = yes
>>      server role = member server
>> To:
>>      domain logons = no
>>      server role = standalone server
>> This should get you a standalone server with users in LDAP.
>> I must point out that I have never tried the above, but it should work.
> Sadly, it doesn't seem to, or it's a combination of how I must configure
> things in FreeNAS land. `testparm` shows the expected output with a few
> exceptions. Fortunately, I'm able to override settings in the smb4.conf
> by specifying them again, and last-one-in-wins:
> https://termbin.com/ausk
> It is showing up as a ROLE_STANDALONE server, but I do see during the
> startup of smbd:
> https://pastebin.com/Fgd8PPXb
> I assume that's from the lines, but I don't know.
> ```
>          idmap config nosgoth: ldap_url = ldap://pione.dark.kow.is
>          idmap config nosgoth: ldap_user_dn =
> cn=sambaadmin,dc=dark,dc=kow,dc=is
>          idmap config nosgoth: ldap_base_dn = ou=idmap,dc=dark,dc=kow,dc=is
>          idmap config nosgoth: range = 10000-90000000
>          idmap config nosgoth: backend = ldap
> ```
> Is there a way to specify things by setting them to empty? I can't
> delete the entries, because FreeNAS auto-generates this file on boot
> from it's configuration database, but I can append to the end and
> include stuff that overrides the existing setup....
> Thanks again!
> -- David
I showed you how I got a PDC to work; forget the PDC bit, I could only
get the LDAP part to work by putting everything into the default domain
(*). I tried the way that works on a Unix domain member, separate
'DOMAIN' and '*' lines, but I could not get this to work. I rapidly came
to the point that setting up a new PDC was a bad idea, but in your case
you don't really have much choice, because of the ACLs used on FreeNAS.