[Samba] samba 4 authenticate with samba 3 ldap schema

Andrea Zagli azagli at libero.it
Thu Jun 26 07:16:23 UTC 2025


Rowland Penny via samba <samba at lists.samba.org> writes:

> On Wed, 18 Jun 2025 20:49:31 +0200
> Andrea Zagli <azagli at libero.it> wrote:
>
>> Rowland Penny via samba <samba at lists.samba.org> writes:
>>
>> > On Wed, 18 Jun 2025 15:39:43 +0200
>> > Andrea Zagli via samba <samba at lists.samba.org> wrote:
>> >
>> >>
>> >> Hi
>> >>
>> >> as the object: i have a samba 4 standalone server and i want to
>> >> authenticate it using the openldap created for the samba 3 domain
>> >> controller
>> >>
>> >> is it possible?
>> >>
>> >
>> > Yes, it is still possible to set up Samba as an NT4-style PDC, but I
>> > suggest you do not, that requires NetBIOS which requires SMBv1 and
>> > that isn't secure. I suggest you investigate setting up a Samba AD
>> > domain instead.
>> >
>> > Rowland
>>
>>
>> sorry, i think i explained myself badly
>>
>> i don't want to have a samba 4 PDC NT4 (and neither an AD domain)
>
> What you are describing, while it might not be a PDC, is nearly the
> same thing and as such, is subject to the same problems. You will
> need to use SMBv1
>


not a problem to use SMB1


>>
>> but i already have a samba 3 pdc nt4 with openldap as passdb backend
>>
>> then i have a new samba 4 standalone server (not in domain), to simply
>> share some directory, and i want to use the same openldap as passdb
>> backend to authenticate users
>
> Then join your standalone server to your NT4-style domain.
>


i have other old standalone servers (samba 3) that work with the same
config; so i don't want to join the domain


>>
>> i set the same options in smb.conf but when i try to login i get the
>> error invalid sid
>
> Well you would, even a standalone server has a SID.
>


i set log level to 5, and i found some other info

the user is found

[2025/06/26 08:28:51.325533,  5] ../../source3/lib/smbldap.c:1314(smbldap_search_ext)
  smbldap_search_ext: base => [dc=xxx,dc=xxx,dc=it], filter => [(&(uid=a.zagli)(objectclass=sambaSamAccount))], scope => [2]
[2025/06/26 08:28:51.326551,  2] ../../source3/passdb/pdb_ldap.c:532(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: a.zagli

the primary group is found in ldap

[2025/06/26 08:28:51.326652,  5] ../../source3/lib/smbldap.c:1314(smbldap_search_ext)
  smbldap_search_ext: base => [dc=xxx,dc=xxx,dc=it], filter => [(&(objectClass=sambaGroupMapping)(gidNumber=513))], scope => [2]
[2025/06/26 08:28:51.328172,  2] ../../source3/passdb/pdb_ldap.c:2415(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 513

but

[2025/06/26 08:28:51.328219,  3] ../../source3/passdb/lookup_sid.c:1710(get_primary_group_sid)
  Primary group S-1-5-21-726227932-2052316878-829958588-513 for user
  a.zagli is a UNKNOWN and not a domain group

S-1-5-21-726227932-2052316878-829958588 is the domain sid (i set
the "local" domain sid to this value manually with "net setdomainsid")

and then

[2025/06/26 08:28:51.328351,  1] ../../source3/auth/server_info.c:482(SamInfo3_handle_sids)
  The primary group domain sid(S-1-5-21-4026109030-3917296603-2932571111-513) does not match the domain sid(S-1-5-21-726227932-2052316878-829958588) for a.zagli(S-1-5-21-726227932-2052316878-829958588-21002)

S-1-5-21-4026109030-3917296603-2932571111 is the local sid

a.zagli is only an ldap user; the server authenticates unix users against the
same ldap server with nslcd (and libpam)

[2025/06/26 09:14:13.779943,  5] ../../source3/auth/auth.c:259(auth_check_ntlm_password)
  auth_check_ntlm_password: sam_ignoredomain authentication for user [a.zagli] FAILED with error NT_STATUS_INVALID_SID, authoritative=1
[2025/06/26 09:14:13.779951,  2] ../../source3/auth/auth.c:345(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [a.zagli] -> [a.zagli] FAILED with error NT_STATUS_INVALID_SID, authoritative=1
[2025/06/26 09:14:13.779973,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB,(null)] user [COMSCAND]\[a.zagli] at [gio, 26 giu 2025 09:14:13.779959 CEST] with [NTLMv2] status [NT_STATUS_INVALID_SID] workstation [ANDREAZ] remote host [ipv4:10.3.4.201:45926] mapped to [COMSCAND]\[a.zagli]. local host [ipv4:10.101.101.77:445]
  {"timestamp": "2025-06-26T09:14:13.780022+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_INVALID_SID", "localAddress": "ipv4:10.101.101.77:445", "remoteAddress": "ipv4:10.3.4.201:45926", "serviceDescription": "SMB", "authDescription": null, "clientDomain": "COMSCAND", "clientAccount": "a.zagli", "workstation": "ANDREAZ", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "a.zagli", "mappedDomain": "COMSCAND", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 3623029}}


do you have any hints to try? do you need other info?


>>
>> maybe samba 4 requires an ldap schema no more compatible with the one
>> required by samba 3?
>
> No, a Samba 4 NT4-style domain (or anything like it) uses the same
> schema as a Samba 3 NT4-style domain
>
> NT4-style domains are yesterdays methods (Microsoft stopped supporting
> them over 20 years ago), I really urge you to upgrade to AD.
>


i cannot upgrade to AD
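As an added example (not part of the thread and not Samba's own code), the following Python checker applies the rule that produces NT_STATUS_INVALID_SID in the log above: the user SID and the primary group SID must both carry the server's domain SID as their prefix, with only the RID differing. It pulls the three SIDs out of the SamInfo3_handle_sids message and the final status out of the JSON audit record, then reports which SID is outside the domain. The log excerpt is copied (and trimmed) from this message; the function names, the optional local_sid argument and the interpretation it prints are my own assumptions.

```python
import json
import re

# Log excerpt copied from the thread above and trimmed; used here only as
# constructed sample input for the checker.
LOG = """\
[2025/06/26 08:28:51.328219,  3] ../../source3/passdb/lookup_sid.c:1710(get_primary_group_sid)
  Primary group S-1-5-21-726227932-2052316878-829958588-513 for user a.zagli is a UNKNOWN and not a domain group
[2025/06/26 08:28:51.328351,  1] ../../source3/auth/server_info.c:482(SamInfo3_handle_sids)
  The primary group domain sid(S-1-5-21-4026109030-3917296603-2932571111-513) does not match the domain sid(S-1-5-21-726227932-2052316878-829958588) for a.zagli(S-1-5-21-726227932-2052316878-829958588-21002)
[2025/06/26 09:14:13.779973,  2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  {"timestamp": "2025-06-26T09:14:13.780022+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "status": "NT_STATUS_INVALID_SID", "clientDomain": "COMSCAND", "clientAccount": "a.zagli", "workstation": "ANDREAZ", "remoteAddress": "ipv4:10.3.4.201:45926", "passwordType": "NTLMv2"}}
"""

# An NT domain SID: S-1-5-21-<a>-<b>-<c> optionally followed by a RID.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(?:-\d+)?$")

# The message Samba logs when the primary group SID is in the wrong domain.
MISMATCH_RE = re.compile(
    r"primary group domain sid\((?P<group>S-[\d-]+)\) does not match "
    r"the domain sid\((?P<domain>S-[\d-]+)\) for (?P<user>\S+)\((?P<usersid>S-[\d-]+)\)"
)


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c[-rid]' into (domain part, rid); rid is None for a bare domain SID."""
    if not SID_RE.match(sid):
        raise ValueError(f"not an NT domain SID: {sid}")
    parts = sid.split("-")
    if len(parts) == 8:
        return "-".join(parts[:7]), int(parts[7])
    return sid, None


def check_sids(user_sid, group_sid, domain_sid, local_sid=None):
    """Return a list of problems (empty when consistent).

    Rule: user SID and primary group SID must both be <domain_sid>-<rid>.
    local_sid is an assumed extra: when given, a group SID stamped with the
    server's *local* SID is flagged as a fallback for a failed group lookup.
    """
    problems = []
    dom, rid = split_sid(domain_sid)
    if rid is not None:
        problems.append(f"domain sid {domain_sid} must not carry a RID")
    for label, sid in (("user", user_sid), ("primary group", group_sid)):
        d, r = split_sid(sid)
        if r is None:
            problems.append(f"{label} sid {sid} has no RID")
        elif d != dom:
            problems.append(f"{label} sid {sid} is not in domain {dom}")
            if local_sid and d == local_sid:
                problems.append(
                    f"{label} sid was built from the local sid {local_sid}: "
                    "the group lookup in passdb did not return a domain SID"
                )
    return problems


def parse_log(text):
    """Extract the SIDs from the SamInfo3_handle_sids line and (account, status) from JSON audit records."""
    found = {"mismatch": None, "events": []}
    for line in text.splitlines():
        line = line.strip()
        m = MISMATCH_RE.search(line)
        if m:
            found["mismatch"] = m.groupdict()
        if line.startswith("{"):
            rec = json.loads(line)
            if rec.get("type") == "Authentication":
                auth = rec["Authentication"]
                found["events"].append((auth.get("clientAccount"), auth.get("status")))
    return found


def diagnose(text, local_sid=None):
    """Run the SID consistency check on the SIDs Samba itself logged."""
    info = parse_log(text)
    if info["mismatch"] is None:
        return []
    m = info["mismatch"]
    return check_sids(m["usersid"], m["group"], m["domain"], local_sid)


if __name__ == "__main__":
    for account, status in parse_log(LOG)["events"]:
        print(f"{account}: {status}")
    for p in diagnose(LOG, local_sid="S-1-5-21-4026109030-3917296603-2932571111"):
        print("-", p)
```

Run against the excerpt it prints the NT_STATUS_INVALID_SID event and two findings: the primary group SID S-1-5-21-4026109030-3917296603-2932571111-513 is outside the domain S-1-5-21-726227932-2052316878-829958588, and its prefix is the local SID, which is what you see when the sambaGroupMapping entry found for gidNumber 513 does not yield a SID in the configured domain. The quick manual equivalent is to compare `net getlocalsid`, `net getdomainsid` and the sambaSID attribute of the group entry in LDAP.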


