[Samba] Big problems with samba 4.17.7 with classic domain (NT4) and LDAP
Stefan Kania
stefan at kania-online.de
Tue Apr 25 07:45:45 UTC 2023
Hi Roland,
I would not touch the old NT-style stuff at all. Leave it as it is and
migrate to Samba-AD. You can do it on the fly, so you don't have any
downtime during migration. It takes a bit of time and thinking ;-) but
it works. I did this several times.
Doing the step to first update to a new Samba version and NT-style
domain is mostly much more work than migrating to AD.
On 18.04.23 at 14:29, Roland Schwingel via samba wrote:
> Hi...
>
> We are still using an NT4 classic domain with a couple of samba servers but
> want to upgrade step by step to AD as a distant goal.
> We tried to upgrade to samba 4.17.7 as an intermediate step and keep LDAP
> for now but fail as we could not find a suitable
> example for id mapping. Hope someone can help!
>
> Previously we ran samba 4.7 on CentOS 7 without problems as domain
> controller and member servers.
> Now we want to switch to Oracle Linux 9. But here samba 4.7 no longer
> compiles, so we need to use a
> newer version. So we decided to use 4.17.7. With 4.7 we did not need to
> use winbind - now we have to.
>
> We have a domain controller which connects to an ldap server for accounts
> and everything, containing
> all users, groups, hosts, dns, dhcp infos.
>
> Domain Controller smb conf:
>
> [global]
> server role = classic primary domain controller
> unix charset = UTF-8
> workgroup = MYDOM
> server string = MYDOM domaincontroller
> passdb backend = ldapsam:"ldap://localhost"
> log file = /usr/local/samba/var/log.%m
> name resolve order = host bcast
> logon path = \\%N\profiles\%U
> logon home =
> domain logons = Yes
> os level = 66
> preferred master = Yes
> domain master = Yes
> dns proxy = No
> ldap admin dn = cn=Directory Manager
> ldap group suffix = ou=groups
> ldap idmap suffix = ou=idmap,ou=samba
> ldap machine suffix = ou=computers,ou=samba
> ldap passwd sync = yes
> ldap suffix = dc=onevision,dc=com
> ldap user suffix = ou=people
> hide dot files = No
> csc policy = disable
> strict locking = No
> idmap config * : backend = tdb
> idmap config * : range = 101-999
> idmap config MYDOM : backend = rid
> idmap config MYDOM : range = 1000-999999
> winbind use default domain = true
> winbind offline logon = false
> idmap backend = ldap:"ldap://localhost"
> idmap uid = 1000-10000
> idmap gid = 1000-10000
> allow nt4 crypto = Yes
> max protocol = NT1
> client min protocol = NT1
> server min protocol = NT1
>
> This seems to work I can login here with my ldap account and see and use
> shares from the PDC.
> We limit the protocol to NT1 as we did always. Maybe this is no longer
> needed? We have
> to investigate this later. So far so good.
>
> But the problems arise on member servers. Config of one of them:
> [global]
> server role = member server
> unix charset = UTF-8
> workgroup = MYDOM
> server string = Fileserver
> security = domain
> map to guest = Never
> name resolve order = host bcast
> client min protocol = NT1
> server min protocol = NT1
> unix extensions = No
> hide dot files = No
> csc policy = disable
> strict locking = No
> wide links = Yes
> acl allow execute always = True
> idmap config * : backend = tdb
> idmap config * : range = 101-999
> idmap config ONEVISION : backend = rid
> idmap config ONEVISION : range = 1000-999999
> winbind use default domain = true
> winbind offline logon = false
>
> I cannot open the member server from my windows machine with my
> useraccount (which works for the domain controller).
> On the member server I see these errors:
>
> Apr 18 17:46:12 host winbindd[143640]: saf_store: refusing to store 0
> length domain or servername!
>
> I don't know whether this is a problem but wanted to show it.
>
> Apr 18 17:46:31 host smbd[143656]: [2023/04/18 17:46:31.153040, 0]
> ../../source3/auth/auth_util.c:1933(check_account)
> Apr 18 17:46:31 host smbd[143656]: check_account: Failed to find local
> account with UID 2000 for SID S-1-5-21-X-Y-Z-1000 (dom_user[MYDOM\roland])
>
> This is for sure a problem. Why does samba want to map to uid 2000?
>
> For us we need a simple straight mapping:
> SID S-1-5-21-X-Y-Z-1000 == Unix ID 1000
> SID S-1-5-21-X-Y-Z-5555 == Unix ID 5555
>
> For us the last part of the SID is the userid of the user on linux. The
> linux system also knows about the users as it is connected to the ldap
> natively.
> I believe I just need to convince samba to use the last part of the SID as
> the linux id - as it did in the past. How can this be done?
>
> Hope someone can urgently help!
>
> Thank you very much
>
> Roland
>
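The uid 2000 in the check_account error above is exactly what the rid idmap backend produces: per idmap_rid(8) the mapping is ID = RID - BASE_RID + LOW_RANGE_ID, and with the posted member-server range 1000-999999 the RID 1000 lands on 2000. The following script is an added example and not code from the thread or from Samba; it models that arithmetic with the SID placeholders (S-1-5-21-X-Y-Z-<rid>) and the ranges copied from the posted member-server smb.conf. The domain key MYDOM is an assumption: the posted member config names ONEVISION in its idmap lines while its workgroup is MYDOM.

```python
import re

# idmap ranges as posted in the member-server smb.conf above
# ("idmap config * : range = 101-999", "idmap config <DOM> : range = 1000-999999").
# The domain key MYDOM is assumed; the posted file uses ONEVISION in its idmap
# lines while its workgroup is MYDOM, so winbind may not even find a
# domain-specific block for the joined domain.
IDMAP_RANGES = {
    "*": (101, 999),
    "MYDOM": (1000, 999999),
}

# Accepts real domain SIDs and the X-Y-Z placeholders used in the mail.
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-[^-]+-[^-]+-[^-]+)-(\d+)$")


def split_sid(sid):
    """Split a domain SID into (domain SID, RID)."""
    m = DOMAIN_SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a domain SID: {sid}")
    return m.group(1), int(m.group(2))


def idmap_rid(rid, low, high, base_rid=0):
    """idmap_rid(8) mapping: ID = RID - BASE_RID + LOW_RANGE_ID.

    The range acts as a filter: an ID outside [low, high] is discarded by
    winbind, which this models by returning None. base_rid defaults to 0,
    as in Samba, where the parameter is deprecated.
    """
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None
    return unix_id


def sid_to_uid(sid, domain="MYDOM"):
    """UID the rid backend would hand out for `sid` under IDMAP_RANGES."""
    _, rid = split_sid(sid)
    low, high = IDMAP_RANGES[domain]
    return idmap_rid(rid, low, high)


def ranges_overlap(a, b):
    """True when two (low, high) idmap ranges share at least one ID."""
    return a[0] <= b[1] and b[0] <= a[1]


def identity_range_clashes(domain="MYDOM"):
    """UID == RID with the rid backend needs LOW_RANGE_ID = 0, i.e. a range
    starting at 0; return the other configured ranges that range would overlap."""
    identity = (0, IDMAP_RANGES[domain][1])
    return [name for name, rng in IDMAP_RANGES.items()
            if name != domain and ranges_overlap(identity, rng)]


if __name__ == "__main__":
    for sid in ("S-1-5-21-X-Y-Z-1000", "S-1-5-21-X-Y-Z-5555", "S-1-5-21-X-Y-Z-500"):
        print(sid, "->", sid_to_uid(sid))  # 2000, 6555, 1500: RID + 1000
    print("identity range would overlap with:", identity_range_clashes())  # ['*']
```

On a real member server the same lookup is `wbinfo --sid-to-uid S-1-5-21-...-1000`, which should print 2000 with the posted config. Two consequences follow from the arithmetic, both the editor's reading of the idmap_rid(8) formula rather than advice given in the thread: the rid backend can only yield UID == RID with a range starting at 0, which would overlap the `*` range and include uid 0, so it is the wrong backend for Roland's requirement; the backend that returns exactly the uid stored in LDAP is idmap_nss (`idmap config MYDOM : backend = nss` with a range covering the LDAP uids), which resolves the account name through the local NSS that is already bound to the same LDAP. Independently of the idmap problem, both posted configs pin the servers to SMB1 (`max protocol = NT1`, `server min protocol = NT1`) and the DC sets `allow nt4 crypto = Yes`; SMB1 has been off by default since Samba 4.11, so these settings deserve the review Roland already has in mind.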