[Samba] Big problems with samba 4.17.7 with classic domain (NT4) and LDAP
Rowland Penny
rpenny at samba.org
Tue Apr 18 19:47:45 UTC 2023
On 18/04/2023 19:46, Roland Schwingel via samba wrote:
> Hello Rowland and Christian
>
> Thanks for your replies...
>
> Yes ONEVISION and MYDOM are the very same here. Copy/Paste.
>
> "Christian Naumer" <christian.naumer at greyfish.net> wrote on 18.04.2023
> 20:12:35:
>
>> Am 18. April 2023 14:29:29 MESZ schrieb Roland Schwingel via samba
>> <samba at lists.samba.org>:
>>> Hi...
>>>
>>> We are still using NT4 classic domain with a couple of samba servers but
>>> want to upgrade step by step to AD as a distant goal.
>>> We tried to upgrade to samba 4.17.7 as an intermediate step and keep LDAP
>>> for now but fail as we could not find a suitable
>>> example for id mapping. Hope someone can help!
>>>
>>> Previously we did run samba 4.7 on CentOS 7 without problems as domain
>>> controller and member servers.
>>> Now we want to switch to Oracle Linux 9. But here samba 4.7 no longer
>>> compiles so we need to use a
>>> newer version. So we decided to use 4.17.7. With 4.7 we did not need to
>>> use winbind - now we have to.
>>>
>>> We have a domain controller which connects to an ldap server for accounts
>>> and everything containing
>>> all users, groups, hosts, dns, dhcp infos.
>>>
>>> Domain Controller smb conf:
>>>
>>> [global]
>>> server role = classic primary domain controller
>>> unix charset = UTF-8
>>> workgroup = MYDOM
>>> server string = MYDOM domaincontroller
>>> passdb backend = ldapsam:"ldap://localhost"
>>> log file = /usr/local/samba/var/log.%m
>>> name resolve order = host bcast
>>> logon path = \\%N\profiles\%U
>>> logon home =
>>> domain logons = Yes
>>> os level = 66
>>> preferred master = Yes
>>> domain master = Yes
>>> dns proxy = No
>>> ldap admin dn = cn=Directory Manager
>>> ldap group suffix = ou=groups
>>> ldap idmap suffix = ou=idmap,ou=samba
>>> ldap machine suffix = ou=computers,ou=samba
>>> ldap passwd sync = yes
>>> ldap suffix = dc=onevision,dc=com
>>> ldap user suffix = ou=people
>>> hide dot files = No
>>> csc policy = disable
>>> strict locking = No
>>> idmap config * : backend = tdb
>>> idmap config * : range = 101-999
>>> idmap config * : backend = tdb
>>> idmap config * : range = 101-999
>>> idmap config MYDOM : backend = rid
>>> idmap config MYDOM : range = 1000-999999
>>> winbind use default domain = true
>>> winbind offline logon = false
>>> idmap backend = ldap:"ldap://localhost"
>>> idmap uid = 1000-10000
>>> idmap gid = 1000-10000
>>> allow nt4 crypto = Yes
>>> max protocol = NT1
>>> client min protocol = NT1
>>> server min protocol = NT1
>>>
>>> This seems to work. I can login here with my ldap account and see and use
>>> shares from the PDC.
>>> We limit the protocol to NT1 as we did always. Maybe this is no longer
>>> needed? We have
>>> to investigate this later. So far so good.
>>>
>>> But the problems arise on member servers. Config of one of it:
>>> [global]
>>> server role = member server
>>> unix charset = UTF-8
>>> workgroup = MYDOM
>>> server string = Fileserver
>>> security = domain
>>> map to guest = Never
>>> name resolve order = host bcast
>>> client min protocol=NT1
>>> server min protocol=NT1
>>> unix extensions = No
>>> hide dot files = No
>>> csc policy = disable
>>> strict locking = No
>>> wide links = Yes
>>> acl allow execute always = True
>>> idmap config * : backend = tdb
>>> idmap config * : range = 101-999
>>> idmap config ONEVISION : backend = rid
>>> idmap config ONEVISION : range = 1000-999999
>>> winbind use default domain = true
>>> winbind offline logon = false
>>>
>>> I cannot open the member server from my windows machine with my
>>> useraccount (which works for the domain controller).
>>> On the member server I see these errors:
>>>
>>> Apr 18 17:46:12 host winbindd[143640]: saf_store: refusing to store 0 length domain or servername!
>>>
>>> I don't know whether this is a problem but wanted to show it
>>>
>>> Apr 18 17:46:31 host smbd[143656]: [2023/04/18 17:46:31.153040, 0]
>>> ../../source3/auth/auth_util.c:1933(check_account)
>>> Apr 18 17:46:31 host smbd[143656]: check_account: Failed to find local
>>> account with UID 2000 for SID S-1-5-21-X-Y-Z-1000 (dom_user[MYDOM\roland])
>>>
>>> This is for sure a problem. Why does samba want to map to uid 2000?
>>
>> Because you configured it that way:
>>
>> idmap config ONEVISION : range = 1000-999999
>>
>> As Rowland explained how the rid backend works you should have:
>>
>> idmap config ONEVISION : range = 0-999999
>>
>> Most of the things Rowland wrote about your other settings also apply.
>>
>> But if this works we can work from there.
>
> So on the PDC I need the
> ldap xxxx
> lines for ldap connectivity
>
> and the passdb backend line for the ldap hostname
>
> and the
> idmap config *
> idmap config ONEVISION
> stuff
>
> On the member server I also need the same
> idmap config *
> idmap config ONEVISION
> stuff.
>
> Right?
Yes, to stand any chance of getting it to work.
>
> The linux servers serving the samba shares also serve the same folders via
> NFS. We have concurrent use of windows, linux and mac users via SMB and NFS
> so ids must be correct on all OSes. Our central brain here is our LDAP
> providing the exact infos.
You would probably find it easier to move to AD instead of the old
NT4-style domain you have now.
A real big plus would be dns and kerberos.
>
> I will try this tomorrow morning.
If you have any questions, please ask, I will try to help, but as I
said, it has been years since I ran a PDC.
Rowland
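The arithmetic behind Christian's answer, as an added example that is not part of this thread: idmap_rid(8) maps a SID to a Unix ID as ID = RID - BASE_RID + LOW_RANGE_ID (base_rid defaults to 0), so with `range = 1000-999999` the user with RID 1000 lands on UID 2000, exactly as the member server's check_account log line says, while `range = 0-999999` yields UID 1000. The SID regex also accepts the redacted X-Y-Z form used in the quoted log; nothing else about the domain is assumed.

```python
# Added illustration of the idmap_rid mapping rule from idmap_rid(8):
#   ID = RID - BASE_RID + LOW_RANGE_ID
# Not Samba code; written to explain the UID 2000 seen in the thread's log line.
import re
from typing import Optional, Tuple

# Domain SID with four sub-authorities; the last one is the RID. The first
# three may be redacted (X, Y, Z) as in the quoted log, so they are not
# required to be numeric.
SID_RE = re.compile(r"^S-1-5-21-[^-]+-[^-]+-[^-]+-(\d+)$")


def parse_rid(sid: str) -> int:
    """Return the relative identifier (last component) of a domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


def parse_range(value: str) -> Tuple[int, int]:
    """Parse an 'idmap config DOM : range' value such as '1000-999999'."""
    low, high = (int(x) for x in value.split("-", 1))
    if low > high:
        raise ValueError(f"invalid idmap range: {value}")
    return low, high


def rid_to_unix_id(sid: str, range_value: str, base_rid: int = 0) -> Optional[int]:
    """Map a SID to the Unix ID idmap_rid would hand out for the given range.

    Returns None when the computed ID falls outside the configured range,
    which is when winbind will refuse to map the SID at all.
    """
    low, high = parse_range(range_value)
    unix_id = parse_rid(sid) - base_rid + low
    if unix_id < low or unix_id > high:
        return None
    return unix_id


if __name__ == "__main__":
    # SID taken from the thread's log line (sub-authorities redacted there).
    sid = "S-1-5-21-X-Y-Z-1000"
    for rng in ("1000-999999", "0-999999"):  # the two ranges discussed above
        print(f"range {rng:>12}: RID {parse_rid(sid)} -> UID {rid_to_unix_id(sid, rng)}")
```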