[Samba] Big problems with samba 4.17.7 with classic domain (NT4) and LDAP

Roland Schwingel Roland.Schwingel at onevision.com
Tue Apr 18 12:29:29 UTC 2023


Hi...

We are still using an NT4 classic domain with a couple of Samba servers but 
want to upgrade step by step to AD as a distant goal.
We tried to upgrade to Samba 4.17.7 as an intermediate step and keep LDAP 
for now, but failed as we could not find a suitable 
example for ID mapping. Hope someone can help!

Previously we ran Samba 4.7 on CentOS 7 without problems as domain 
controller and member servers.
Now we want to switch to Oracle Linux 9. But there Samba 4.7 no longer 
compiles, so we need to use a
newer version. So we decided to use 4.17.7. With 4.7 we did not need to 
use winbind; now we have to.

We have a domain controller which connects to an LDAP server for accounts 
and everything, containing
all users, groups, hosts, DNS and DHCP info.

Domain controller smb.conf:

[global]
        server role = classic primary domain controller
        unix charset = UTF-8
        workgroup = MYDOM
        server string = MYDOM domaincontroller
        passdb backend = ldapsam:"ldap://localhost"
        log file = /usr/local/samba/var/log.%m
        name resolve order = host bcast
        logon path = \\%N\profiles\%U
        logon home =
        domain logons = Yes
        os level = 66
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        ldap admin dn = cn=Directory Manager
        ldap group suffix = ou=groups
        ldap idmap suffix = ou=idmap,ou=samba
        ldap machine suffix = ou=computers,ou=samba
        ldap passwd sync = yes
        ldap suffix = dc=onevision,dc=com
        ldap user suffix = ou=people
        hide dot files = No
        csc policy = disable
        strict locking = No
        idmap config * : backend = tdb
        idmap config * : range = 101-999
        idmap config MYDOM : backend = rid
        idmap config MYDOM : range = 1000-999999
        winbind use default domain = true
        winbind offline logon = false
        idmap backend = ldap:"ldap://localhost"
        idmap uid = 1000-10000
        idmap gid = 1000-10000
        allow nt4 crypto = Yes
        max protocol = NT1
        client min protocol = NT1
        server min protocol = NT1

This seems to work: I can log in here with my LDAP account and see and use 
shares from the PDC.
We limit the protocol to NT1 as we always did. Maybe this is no longer 
needed? We have
to investigate this later. So far so good.

But the problems arise on member servers. Config of one of them:
[global]
        server role = member server
        unix charset = UTF-8
        workgroup = MYDOM
        server string = Fileserver
        security = domain
        map to guest = Never
        name resolve order = host bcast
        client min protocol=NT1
        server min protocol=NT1
        unix extensions = No
        hide dot files = No
        csc policy = disable
        strict locking = No
        wide links = Yes
        acl allow execute always = True
        idmap config * : backend = tdb
        idmap config * : range = 101-999
        idmap config ONEVISION : backend = rid
        idmap config ONEVISION : range = 1000-999999
        winbind use default domain = true
        winbind offline logon = false

I cannot open the member server from my Windows machine with my 
user account (which works for the domain controller).
On the member server I see these errors:

Apr 18 17:46:12 host winbindd[143640]:   saf_store: refusing to store 0 
length domain or servername!

I don't know whether this is a problem but wanted to show it.

Apr 18 17:46:31 host smbd[143656]: [2023/04/18 17:46:31.153040,  0] 
../../source3/auth/auth_util.c:1933(check_account)
Apr 18 17:46:31 host smbd[143656]:   check_account: Failed to find local 
account with UID 2000 for SID S-1-5-21-X-Y-Z-1000 (dom_user[MYDOM\roland])

This is for sure a problem. Why does Samba want to map to UID 2000?

For us we need a simple straight mapping:
SID S-1-5-21-X-Y-Z-1000 == Unix ID 1000
SID S-1-5-21-X-Y-Z-5555 == Unix ID 5555

For us the last part of the SID is the user ID of the user on Linux. The 
Linux system also knows about the users as it is connected to the LDAP 
natively.
I believe I just need to convince Samba to use the last part of the SID as 
the Linux ID, as it did in the past. How can this be done?

Hope someone can urgently help!

Thank you very much

Roland
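Added example (editor's note, not code from the post above and not Samba's own code): a small Python model of the idmap_rid arithmetic that a rid-backed member server applies. idmap_rid(8) documents the mapping as ID = RID - BASE_RID + LOW_RANGE_ID with base_rid defaulting to 0, so with `range = 1000-999999` RID 1000 becomes Unix ID 2000, which is the number in the check_account log line above. The script parses the idmap lines of an smb.conf fragment, reproduces that result, and shows the same range rebased with `base_rid = 1000` so that RID n maps to Unix ID n. The smb.conf fragments are constructed for the example; they assume the idmap domain label equals the workgroup, which winbind requires for the per-domain lines to be used at all (the posted member config has ONEVISION under workgroup MYDOM, so that is the first thing to check unless it is only inconsistent anonymisation). The placeholder domain SID is taken from the post and stands for no real SID.

```python
# Added example (not from the post or from Samba): model of idmap_rid's
# deterministic mapping, ID = RID - BASE_RID + LOW_RANGE_ID (idmap_rid(8)).
# All smb.conf fragments and SIDs below are constructed placeholders.
import re

IDMAP_LINE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<opt>\S+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(smb_conf: str) -> dict:
    """Collect 'idmap config DOM : option = value' lines into {DOM: {option: value}}."""
    cfg = {}
    for line in smb_conf.splitlines():
        m = IDMAP_LINE.match(line)
        if m:
            cfg.setdefault(m["dom"].upper(), {})[m["opt"].lower()] = m["val"]
    return cfg


def check_idmap(cfg: dict, workgroup: str) -> list:
    """Flag the configuration mistakes that silently change which backend answers."""
    problems = []
    if "*" not in cfg:
        problems.append("no 'idmap config * : ...' default domain configured")
    if workgroup.upper() not in cfg:
        problems.append(
            f"no idmap config for workgroup {workgroup}: its SIDs fall back to the '*' backend"
        )
    for dom, opts in cfg.items():
        if "range" not in opts:
            problems.append(f"domain {dom} has no range")
    return problems


def rid_to_id(rid: int, opts: dict):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID; refused when outside the range."""
    low, high = (int(x) for x in opts["range"].split("-"))
    base_rid = int(opts.get("base_rid", 0))
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def sid_to_id(sid: str, workgroup: str, cfg: dict):
    """Resolve a domain SID the way a rid-backed member server would."""
    rid = int(sid.rsplit("-", 1)[1])
    opts = cfg.get(workgroup.upper(), cfg.get("*", {}))
    if opts.get("backend", "").lower() != "rid":
        return None  # tdb/autorid allocate on demand; not deterministic, not modelled
    return rid_to_id(rid, opts)


# Constructed fragment mirroring the posted member-server idmap lines
# (domain label assumed to match the workgroup).
POSTED = """
    workgroup = MYDOM
    idmap config * : backend = tdb
    idmap config * : range = 101-999
    idmap config MYDOM : backend = rid
    idmap config MYDOM : range = 1000-999999
"""

# Same range, rebased so that RID n maps to Unix ID n.  base_rid is documented
# in idmap_rid(8); confirm the man page of the release in use still honours it.
REBASED = """
    workgroup = MYDOM
    idmap config * : backend = tdb
    idmap config * : range = 101-999
    idmap config MYDOM : backend = rid
    idmap config MYDOM : range = 1000-999999
    idmap config MYDOM : base_rid = 1000
"""

DOMAIN_SID = "S-1-5-21-X-Y-Z"  # placeholder from the post, not a real SID


def demo() -> dict:
    """Map the two RIDs from the post under both fragments: {label: {rid: unix_id}}."""
    results = {}
    for label, text in (("posted", POSTED), ("rebased", REBASED)):
        cfg = parse_idmap(text)
        results[label] = {
            rid: sid_to_id(f"{DOMAIN_SID}-{rid}", "MYDOM", cfg) for rid in (1000, 5555)
        }
    return results


if __name__ == "__main__":
    for label, mapping in demo().items():
        for rid, uid in mapping.items():
            print(f"{label:8s} RID {rid:5d} -> unix id {uid}")
    # Label/workgroup mismatch, as in the posted member config:
    mismatched = parse_idmap(POSTED.replace("MYDOM :", "ONEVISION :"))
    print("checks:", check_idmap(mismatched, "MYDOM"))
```

On a real member server, `wbinfo -S S-1-5-21-X-Y-Z-1000` (with the real domain SID) shows which mapping winbind actually applies, and `testparm` reports idmap options it does not recognise. If the member already resolves the same users through NSS from the LDAP directory, the idmap_nss backend is the other way to get a 1:1 result without arithmetic: it asks winbind for the SID's name and then looks that name up in the local passwd database, so the uidNumber stored in LDAP wins.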


