[Samba] Problems with Samba after upgrading to v4 and changing LDAP-backend from OpenLDAP to 389

Andrew Bartlett abartlet at samba.org
Wed Sep 21 20:59:37 UTC 2022


Great, sounds like you are taking things carefully.  Also note that
Symas provides OpenLDAP packages:

https://repo.symas.com/soldap/

https://www.symas.com/symas-download-software

Andrew Bartlett

On Wed, 2022-09-21 at 22:49 +0200, Alexander Harm || ApfelQ via samba
wrote:
> Thanks again and don’t worry. We did not blindly upgrade, we are
> testing this in a clone of our production environment. So rolling
> back etc. is not an issue right now. I will go through your
> suggestions. Thank you all for your input.
> 
> > On Wednesday, Sep 21, 2022 at 9:52 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> > 
> > On Wed, 2022-09-21 at 11:57 +0200, Alexander Harm || ApfelQ via
> > samba
> > wrote:
> > > Hi,
> > > 
> > > I was wondering if anyone ran into the same issue and maybe has a
> > > solution for me. In short:
> > > 
> > > - we were running SLES 11 with Samba 3.6.3 as NT4 PDC and
> > > OpenLDAP
> > > backend: working fine
> > > - we upgraded to SLES 15 with Samba 4.13.13 as NT4 PDC and old
> > > OpenLDAP backend: working fine
> > > - now we migrated from OpenLDAP to 389 and things start to break
> > > 
> > > LDAP seems to work in principle, “pdbedit -L” is successful.
> > > However, running “pdbedit -Lv username” returns an error: “Failed
> > > to find a Unix account for username” and “Primary Group SID: (NULL
> > > SID)”.
> > > 
> > > So I guess the idmap is messed up?
> > 
> > Looping back to the start, I think you, as suggested elsewhere in the
> > thread, need to work on this one step at a time.
> > 
> > I agree that getting OpenLDAP back, if a reverse migration is
> > possible,
> > at least in a lab, might be a good idea, and confirm that the issue
> > really is with OpenLDAP and not something else.
> > 
> > 'Clearly' something is different about the 389 LDAP server vs
> > OpenLDAP.
> > 
> > Do they both accept the same (non)authentication?
> > 
> > You should be able to debug this with either a network capture, or
> > LDAP
> > comparison tools. (I don't know if Samba's samba-tool ldapcmp can
> > do a
> > good enough job, but try it using the --simple-bind-dn mode).
> > 
> > Try dumping a sorted LDIF of each directory, and compare with diff
> > even.
> > 
> > Try turning up the log level and see what errors you see compared
> > with
> > your old OpenLDAP.
> > 
> > Then finally, think about a migration to Samba AD, and how to have
> > your
> > other applications work with AD or synchronise with it. This is a
> > much
> > longer term project.
> > 
> > > Actually I’m not sure how the idmap is stored in LDAP since both
> > > idmap-OUs look the same to me (empty) on the old OpenLDAP and new
> > > 389.
> > > 
> > > Any hints/advice?
> > 
> > Try not to change too much at once, particularly around idmap.
> > 
> > Andrew Bartlett
> > 
> > --
> > Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> > Samba Team Member (since 2001) https://samba.org
> > Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
> > 
> > Samba Development and Support, Catalyst IT - Expert Open Source
> > Solutions
> > 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
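Added example, not code from the thread or from the Samba project: the "dump a sorted LDIF of each directory and compare with diff" step that Andrew suggests only works once both dumps are put in a comparable form, because two servers will differ in entry order, attribute order, attribute-name case, line folding and the operational attributes each server stamps on entries (entryUUID and entryCSN on OpenLDAP, nsUniqueId on 389). The script below normalises two LDIF dumps into one sorted "dn, attribute: value" line per attribute value and diffs the result. The ldapsearch invocations in the comments are placeholders (server names, bind DN and base DN are assumptions); the two sample dumps are constructed inline, and the second one deliberately omits sambaPrimaryGroupSID on one user, which is the kind of difference that would be consistent with the "(NULL SID)" symptom in the original question.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): normalise two LDIF
# dumps so that "diff" shows only content differences, not differences in
# entry order, attribute order, attribute-name case, line folding, or the
# server-assigned operational attributes (entryUUID, nsUniqueId, ...).
#
# Assumed input (placeholder server names, bind DN and base DN), one dump per server:
#   ldapsearch -x -H ldap://OLD-OPENLDAP -D "BIND-DN" -W -b "BASE-DN" -LLL > openldap.ldif
#   ldapsearch -x -H ldap://NEW-389     -D "BIND-DN" -W -b "BASE-DN" -LLL > 389.ldif

# normalize_ldif FILE
# Prints one sorted line per attribute value: "<lower-cased dn>\t<lower-cased attr>: value".
# Base64 DNs ("dn::") are kept verbatim with a "base64:" prefix rather than lower-cased.
normalize_ldif() {
    awk '
        BEGIN {
            # operational attributes that legitimately differ between servers
            n = split("entryuuid entrycsn entrydn contextcsn structuralobjectclass subschemasubentry hassubordinates numsubordinates nsuniqueid createtimestamp modifytimestamp creatorsname modifiersname", s, " ")
            for (i = 1; i <= n; i++) skip[s[i]] = 1
        }
        function flush() { if (pending != "") handle(pending); pending = "" }
        function handle(line,   i, name, value) {
            if (line ~ /^#/ || line ~ /^version:/) return
            i = index(line, ":")
            if (i == 0) return
            name = tolower(substr(line, 1, i - 1))
            value = substr(line, i)                  # ": text" or ":: base64"
            if (name == "dn") {
                if (value ~ /^::/) { dn = value; sub(/^:: */, "", dn); dn = "base64:" dn }
                else { dn = tolower(value); sub(/^: */, "", dn) }
                return
            }
            if (name in skip || dn == "") return
            print dn "\t" name value
        }
        /^ / { pending = pending substr($0, 2); next }   # folded continuation line
        { flush(); pending = $0 }
        END { flush() }
    ' "$1" | LC_ALL=C sort -u
}

# ldif_diff FILE_A FILE_B
# Exit status is that of diff: 0 when the normalised content is identical.
# "<" lines exist only in FILE_A (old server), ">" lines only in FILE_B (new server).
ldif_diff() {
    a=$(mktemp); b=$(mktemp)
    normalize_ldif "$1" > "$a"
    normalize_ldif "$2" > "$b"
    diff "$a" "$b"
    status=$?
    rm -f "$a" "$b"
    return $status
}

# make_samples: writes two constructed dumps into a temp dir and prints its path.
# The "389" dump differs only in order, case, operational attributes and one
# missing sambaPrimaryGroupSID on uid=alice.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/openldap.ldif" <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 1001
gidNumber: 513
sambaSID: S-1-5-21-1-2-3-3002
sambaPrimaryGroupSID: S-1-5-21-1-2-3-513
entryUUID: 11111111-2222-3333-4444-555555555555
modifyTimestamp: 20220921120000Z

dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
sambaSID: S-1-5-21-1-2-3-513
sambaGroupType: 2
EOF
    cat > "$dir/389.ldif" <<'EOF'
dn: cn=Domain Users,ou=Groups,dc=example,dc=com
nsUniqueId: aaaaaaaa-bbbbbbbb-cccccccc-dddddddd
objectclass: posixGroup
objectclass: sambaGroupMapping
sambaSID: S-1-5-21-1-2-3-513
gidNumber: 513
sambaGroupType: 2

dn: uid=alice,ou=People,dc=example,dc=com
objectclass: posixAccount
objectclass: sambaSamAccount
uid: alice
uidNumber: 1001
gidNumber: 513
sambaSID: S-1-5-21-1-2-3-3002
nsUniqueId: eeeeeeee-ffffffff-00000000-11111111
EOF
    echo "$dir"
}

# Demonstration on the constructed samples; real use is: ldif_diff openldap.ldif 389.ldif
sample_dir=$(make_samples)
ldif_diff "$sample_dir/openldap.ldif" "$sample_dir/389.ldif" || echo "differences found ('<' only in first dump, '>' only in second)"
rm -rf "$sample_dir"
```

On the constructed samples the only line diff reports is the missing sambaPrimaryGroupSID on uid=alice; everything else (reordered entries, `objectclass` versus `objectClass`, the server-specific entryUUID and nsUniqueId values) is folded away by the normalisation. Run it with a bind that matches the one in smb.conf (the same `ldap admin dn`) so that both dumps reflect what Samba itself is allowed to read, which also answers the "do they both accept the same (non)authentication?" question above: an entry or attribute present in one dump and absent in the other under the same bind is either missing from the migrated data or hidden by that server's access control.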