[Samba] (no subject)

Rowland penny rpenny at samba.org
Thu Jul 2 18:45:49 UTC 2020

On 02/07/2020 18:27, jmpatagonia via samba wrote:
> 1) Does 'getent passwd policia\gafranchello' produce output when run on a
> Unix client ?
> If try to logon on unis console
> --> auth.log
> Jul  2 14:13:59 samba-cliente sshd[11654]: Invalid user
> POLICIA+gafranchello from

Try adding these lines to all of your Unix machines:

client max protocol = NT1
server max protocol = NT1

They will force your Samba machines to use SMBv1 and you need it for an 
NT4-style domain (so yet another reason to upgrade)

I take it that the machine is running headless, so can you log in via 
ssh as a Unix user and run the getent command ?

Until your users are known via 'getent' or 'id', then you will not get 
Samba to work correctly.

> The think is very complex because we have various products authenticating
> whith ldap squid/git/syspass/moodle/openfire/zentyal/etc  and we are
> modified and adapted the ldap schema with some ldap entries for this
> products, the samba schema in the same schema (we have only one lsap
> schema), and we interactive with this via a ad hoc developed interface.
> Change or update samba to samba 4 AD implies that we have change the unis
> schema, receding the interface, proves, etc it is to much time.
Not half as much time as you will spend if your domain totally stops 
working. Take smbldap-tools for instance, this isn't just EOL, it is 
dead and disappeared, you cannot find the source code repository 
anywhere on the internet, it is no longer maintained, so sooner or later 
it will be removed by the distro's.
> We try once to implemente samba 4 AD and notice that the ldap schema are
> very different that we have, so many changes, that implies to many
> development on the interface.
Yes AD uses its own schema and must be extended differently from 
openldap etc, but it can be extended.
> Know I thinking that is posible to make another ldap schema just for samba
> 4 AD and continue using the other for rest of products, but this implies to
> redising the interface to update users, groups on both schemas.
That is the problem with trying to maintain two ldap versions
> Another question: Thinking on samba 4 AD, when a user logon on desktop
> client, it can map o access direct to resources shared on samba server or
> need to authenticate almost at once ? Because actually on windows clients
> this is not needed, when a user logon on domain can map or access shared
> folders whitout authentication again.

In this instance, a Samba AD client or server should work like a Windows 
client or server.

 From the list of programs you listed above, I can not see one that 
cannot be used with Samba AD, Zentyal (for instance) now uses Samba AD.

If you require help in upgrading, we are here to help you.


More information about the samba mailing list