[Samba] Problems with Samba after upgrading to v4 and changing LDAP-backend from OpenLDAP to 389
Rowland Penny
rpenny at samba.org
Wed Sep 21 12:19:49 UTC 2022
On 21/09/2022 12:10, Alexander Harm || ApfelQ wrote:
> Hi Rowland,
>
> I guess mainly for historical reasons and using LDAP-backend for
> a plethora of other applications which rely on “userPassword”. OpenLDAP
> and support was unfortunately removed from SLES.

I knew that Red Hat had removed OpenLDAP, but wasn't aware that SLES had
as well, didn't this tell you anything?

>
> Our smb.conf:
>
> [global]
> workgroup = EXAMPLE
> server string = Samba (PDC) auf Brazilia
> passdb backend = ldapsam:ldap://ldap1.example.com
> ldap admin dn = cn=samba,ou=DSA,dc=example,dc=com
> ldap ssl = start tls
> ldap suffix = dc=example,dc=com
> ldap user suffix = ou=people
> ldap group suffix = ou=group
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=Idmap
> idmap uid = 15000-20000
> idmap gid = 15000-20000
> idmap backend = ldap:ldap://ldap1.example.com
> wins support = Yes
> name resolve order = host bcast
> domain logons = Yes
> domain master = Yes
> local master = Yes
> os level = 65
> preferred master = Yes
> security = user
> server schannel = Yes
> client ipc signing = auto
> ldap passwd sync = Only
> unix password sync = No
> logon path =
> logon drive = E:
> printing = cups
> printcap name = cups
> printcap cache time = 750
> cups options = raw
> map to guest = Bad User
> syslog = 0
> log file = /var/log/samba/%m
> include = /etc/samba/smb.conf.%m
> encrypt passwords = yes
> ldap delete dn = no
> passwd program = /usr/sbin/smbldap-passwd -u %u
> add user script = /usr/sbin/smbldap-useradd -m "%u"
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> delete user script = /usr/sbin/smbldap-userdel "%u"
> rename user script = /usr/sbin/smbldap-usermod -r "%unew" "%uold"
> add group script = /usr/sbin/smbldap-groupadd '%g'
> add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
> netbios name = brazilia
> ntlm auth = no
>
> [netlogon]
> comment = Netlogon Scripts
> path = /server/data/samba/netlogon
> read only = No
> inherit acls = Yes
> browseable = yes
> guest ok = yes
> printable = no
> map archive = no
> map read only = no
> store dos attributes = yes

There are quite a few default settings there, but they will not change
anything, but there is a major change that I think will be affecting
you. Remember what I said about an NT4-style domain requiring SMBv1,
well, Samba turned it off by default at 4.11.0, so try adding these two
lines:

    server min protocol = NT1
    client min protocol = NT1

I should also point out that smbldap-tools is DEAD, someone did fork it
a couple of years ago, but there have been no real changes for approx 10
years.

If you do get your PDC working again, I suggest you start planning to
upgrade to Samba AD.

Rowland
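
Added example (not part of the original post and not Samba project code): a small smb.conf check for the situation described above, reporting whether an NT4-style domain controller still accepts NT1 or whether the defaults in place since 4.11.0 refuse it. It assumes that the default is SMB2_02 and that a classic DC is recognisable from "domain logons" or a "classic ..." server role; the function names and the sample text are constructed for illustration.

```python
import re

# Dialects at or below NT1 are the SMB1-era protocol levels smb.conf accepts.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
# Assumption: built-in default of both parameters from Samba 4.11.0 onwards.
DEFAULT_MIN = "SMB2_02"
TRUE_VALUES = {"yes", "true", "on", "1"}

def parse_global(text):
    """Return [global] parameters; names are lower-cased, whitespace removed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit(text):
    """Return one finding per min-protocol setting for an NT4-style DC."""
    p = parse_global(text)
    classic_dc = (p.get("domainlogons", "no").lower() in TRUE_VALUES
                  or p.get("serverrole", "").lower().startswith("classic"))
    if not classic_dc:
        return []  # not an NT4-style domain controller, nothing to report
    findings = []
    for side in ("server", "client"):
        level = p.get(side + "minprotocol", DEFAULT_MIN).upper()
        if level in SMB1_DIALECTS:
            findings.append(f"{side} min protocol = {level}: SMB1 is enabled")
        else:
            findings.append(f"{side} min protocol = {level}: NT1 is refused")
    return findings

# Constructed sample: a trimmed copy of the [global] section quoted above.
SAMPLE = """[global]
    workgroup = EXAMPLE
    passdb backend = ldapsam:ldap://ldap1.example.com
    domain logons = Yes
    security = user
"""

if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE), ("with the two lines", SAMPLE
            + "server min protocol = NT1\nclient min protocol = NT1\n")):
        print(label, audit(conf))
```

Every "SMB1 is enabled" finding marks a host that stays exposed to SMBv1 until the domain is migrated to Samba AD, so the output doubles as an inventory for that migration.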