[Samba] Problems with Samba after upgrading to v4 and changing LDAP-backend from OpenLDAP to 389

Alexander Harm || ApfelQ alexander.harm at apfelq.com
Wed Sep 21 12:38:06 UTC 2022


Thanks for your advice. Unfortunately this is not in my hands… I will pass your advice on.

Setting the parameters didn’t change anything unfortunately but I won’t waste your time any longer.

Thanks again.

> On Wednesday, Sep 21, 2022 at 2:20 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>
> On 21/09/2022 12:10, Alexander Harm || ApfelQ wrote:
> > Hi Rowland,
> >
> > I guess mainly for historical reasons and using LDAP-backend for a
> > plethora of other applications which rely on “userPassword”. OpenLDAP
> > and support was unfortunately removed from SLES.
>
> I knew that Red Hat had removed openldap, but wasn't aware that SLES had
> as well, didn't this tell you anything?
>
> >
> > Our smb.conf:
> >
> > [global]
> > workgroup = EXAMPLE
> > server string = Samba (PDC) auf Brazilia
> > passdb backend = ldapsam:ldap://ldap1.example.com
> > ldap admin dn = cn=samba,ou=DSA,dc=example,dc=com
> > ldap ssl = start tls
> > ldap suffix = dc=example,dc=com
> > ldap user suffix = ou=people
> > ldap group suffix = ou=group
> > ldap machine suffix = ou=Computers
> > ldap idmap suffix = ou=Idmap
> > idmap uid = 15000-20000
> > idmap gid = 15000-20000
> > idmap backend = ldap:ldap://ldap1.example.com
> > wins support = Yes
> > name resolve order = host bcast
> > domain logons = Yes
> > domain master = Yes
> > local master = Yes
> > os level = 65
> > preferred master = Yes
> > security = user
> > server schannel = Yes
> > client ipc signing = auto
> > ldap passwd sync = Only
> > unix password sync = No
> > logon path =
> > logon drive = E:
> > printing = cups
> > printcap name = cups
> > printcap cache time = 750
> > cups options = raw
> > map to guest = Bad User
> > syslog = 0
> > log file = /var/log/samba/%m
> > include = /etc/samba/smb.conf.%m
> > encrypt passwords = yes
> > ldap delete dn = no
> > passwd program = /usr/sbin/smbldap-passwd -u %u
> > add user script = /usr/sbin/smbldap-useradd -m "%u"
> > add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> > delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> > delete user script = /usr/sbin/smbldap-userdel "%u"
> > rename user script = /usr/sbin/smbldap-usermod -r "%unew" "%uold"
> > add group script = /usr/sbin/smbldap-groupadd '%g'
> > add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
> > set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
> > netbios name = brazilia
> > ntlm auth = no
> >
> > [netlogon]
> > comment = Netlogon Scripts
> > path = /server/data/samba/netlogon
> > read only = No
> > inherit acls = Yes
> > browseable = yes
> > guest ok = yes
> > printable = no
> > map archive = no
> > map read only = no
> > store dos attributes = yes
>
> There are quite a few default settings there, but they will not change
> anything, but there is a major change that I think will be affecting
> you. Remember what I said about an NT4-style domain requiring SMBv1,
> well, Samba turned it off by default at 4.11.0, so try adding these two
> lines:
>
> server min protocol = NT1
> client min protocol = NT1
>
> I should also point out that smbldap-tools is DEAD, someone did fork it
> a couple of years ago, but there have been no real changes for approx 10
> years.
>
> If you do get your PDC working again, I suggest you start planning to
> upgrade to Samba AD.
>
> Rowland
>
>
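The settings this thread turns on can be checked mechanically before and after an upgrade. The following is an added example, not code from either poster or from the Samba project: it parses an smb.conf, flags an NT4-style domain controller, reports whether `server min protocol` / `client min protocol` explicitly allow SMBv1, and counts parameters that call smbldap-tools. The function names, the sample config and the set of accepted boolean spellings are assumptions made for this example.

```python
import re

# SMB1-era dialect names accepted by "server/client min protocol".
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

# Constructed sample: a few [global] lines modelled on the thread's smb.conf.
SAMPLE = """\
[global]
  Domain Logons = Yes
  server min protocol = NT1
  passwd program = /usr/sbin/smbldap-passwd -u %u
  add group script = /usr/sbin/smbldap-groupadd '%g'
"""

def norm(name):
    """smb.conf ignores case and whitespace in section and parameter names."""
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    """Return {section: {param: value}}; skips comments, joins '\\' continuations."""
    conf, section = {}, None
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = norm(m.group(1))
            conf.setdefault(section, {})
        elif "=" in line and section and line[0] not in "#;":
            key, value = line.split("=", 1)
            conf[section][norm(key)] = value.strip()
    return conf

def audit(text):
    g = parse(text).get("global", {})
    findings = []
    # Assumed boolean spellings: yes/true/on/1.
    pdc = g.get("domainlogons", "no").lower() in ("yes", "true", "on", "1")
    if pdc:
        findings.append("NT4-style domain controller (domain logons = yes)")
    for side in ("server", "client"):
        value = g.get(side + "minprotocol")
        if value and value.upper() in SMB1_DIALECTS:
            findings.append(f"{side} min protocol = {value}: SMBv1 enabled")
        elif pdc and value is None:
            findings.append(f"{side} min protocol unset: SMBv1 off by default since 4.11.0")
    scripts = [k for k, v in g.items() if "smbldap-" in v]
    if scripts:
        findings.append(f"{len(scripts)} parameters invoke smbldap-tools")
    return findings
```

Running `audit()` over every host's smb.conf gives an inventory of where SMBv1 has been re-enabled to keep an NT4-style domain alive, which is the list to work from when planning the move to Samba AD.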

