[Samba] Samba 4.19 and OpenLDAPs

Rowland Penny rpenny at samba.org
Tue May 6 16:14:12 UTC 2025


On Tue, 6 May 2025 15:39:34 +0000
Shannon Price <pricesw at auburn.edu> wrote:

> 
> 
> Hello all,
> 
> We have been working on the idmap_rfc2307 solution for this.  Packet
> traces on the Samba server and the LDAP server don't show any
> communication between Samba and the LDAP server at any point.
> (Configuration below).

Well there wouldn't be.

> Samba logs are set at 10 and the error message
> is consistent:
> 
> ../../source3/auth/auth_util.c:1946(check_account) check_account:
> Failed to convert SID
> S-1-5-21-2286752186-3697686403-1823448917-102506 to a UID
> (dom_user[UNIV\someusername])
> 
> >>>  smb.conf  <<<
> 
> [global]
>         # workgroup and naming
>         workgroup = UNIV
>         server string = Samba Server Version %v
> 
>         # server settings
>         interfaces = 127.0.0.1, xxx.xxx.xxx.xxx
>         bind interfaces only = yes
>         deadtime = 15
>         strict locking = no
>         lock directory = /var/spool/locks/samba
> 
>         # logging
>         log file = /var/log/samba/log.smbd
>         log level = 10
>         max log size = 51200
> 
>         client max protocol = SMB3
> 
>         security = ads

Your smb.conf would be good to here, provided you were connecting to
active directory.

>         password server = KERBEROS.univ.edu

While you technically can set the 'password server' parameter, you
should leave it up to Samba to find the best AD DC to use.

>         client signing = yes
>         ## client use spnego = yes
>         kerberos method = secrets and keytab
>         realm = UNIV.EDU
> 
>         idmap config * : backend = tdb
>         idmap config * : range   = 20000001-20001000
> 
>         idmap config AUBURN : backend = rfc2307
>         idmap config AUBURN.EDU:range = 200-20000000
>         idmap config AUBURN : ldap_server = stand-alone
>         idmap config AUBURN : ldap_url = ldap://ldaptest.subdom.univ.edu/
>         idmap config AUBURN : ldap_search_base = dc=univ,dc=edu
>         idmap config AUBURN : realm = univ.edu
>         idmap config AUBURN : ldap_user_dn = cn=readonly,ou=system,dc=univ,dc=edu

Here is where it really falls apart: your workgroup is 'UNIV', but you
are using 'AUBURN' (and 'AUBURN.EDU') in the 'idmap config' lines.
Because you have 'security = ads', the backend for 'AUBURN' (which
should be 'UNIV') should be 'ad', and the rest of the 'idmap config'
lines have nothing to do with the 'ad' backend (see 'man idmap_ad' for
the available parameters); to use them you would have to use 'security =
user' and SMBv1.

I did say that idmap_ad only works with Active Directory.

Rowland
PS: Please do not 'CC' me, it breaks my mail flow.
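The mismatch Rowland points out (an 'idmap config' label that is not the workgroup, and a joined domain whose backend is not 'ad' while 'security = ads') is easy to lint for before a user ever hits "Failed to convert SID ... to a UID". The script below is an added example written for this page, not Samba code nor anything from the thread; it parses the [global] section of an smb.conf, reports those two mistakes plus overlapping idmap ranges, and carries two constructed configurations: BROKEN paraphrases the posted one, FIXED shows the idmap_ad layout the reply describes. The parameter names in FIXED (backend, schema_mode, range, unix_nss_info) are real idmap_ad options; the ranges chosen are only illustrative.

```python
"""Lint an smb.conf for the idmap mistakes discussed in the thread.

Added example, not Samba code. Checks that every 'idmap config <DOM>'
label is '*' or the workgroup, that a 'security = ads' host has an
'idmap config <WORKGROUP>' block using the 'ad' backend with a range,
and that no two ranges overlap. The two configs below are constructed.
"""
from itertools import combinations

# Constructed: paraphrases the configuration posted in the thread.
BROKEN = """
[global]
        workgroup = UNIV
        realm = UNIV.EDU
        security = ads
        kerberos method = secrets and keytab
        idmap config * : backend = tdb
        idmap config * : range   = 20000001-20001000
        idmap config AUBURN : backend = rfc2307
        idmap config AUBURN.EDU:range = 200-20000000
        idmap config AUBURN : ldap_server = stand-alone
        idmap config AUBURN : ldap_url = ldap://ldaptest.subdom.univ.edu/
        idmap config AUBURN : ldap_search_base = dc=univ,dc=edu
"""

# Constructed: the idmap_ad layout the reply describes (ranges illustrative).
FIXED = """
[global]
        workgroup = UNIV
        realm = UNIV.EDU
        security = ads
        kerberos method = secrets and keytab
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config UNIV : backend = ad
        idmap config UNIV : schema_mode = rfc2307
        idmap config UNIV : range = 10000-999999
        idmap config UNIV : unix_nss_info = yes
"""


def norm_key(key):
    # Samba parameter names are case-insensitive and the spaces around the
    # ':' in 'idmap config DOM : param' are optional, so normalise both.
    return ":".join(" ".join(p.split()) for p in key.lower().split(":"))


def parse_global(text):
    # Minimal smb.conf reader: [global] only, '#'/';' full-line comments,
    # last duplicate wins (as in Samba). Backslash continuations are ignored.
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[norm_key(key)] = value.strip()
    return params


def idmap_blocks(params):
    # -> {"*": {"backend": "tdb", "range": "..."}, "univ": {...}, ...}
    blocks = {}
    for key, value in params.items():
        if key.startswith("idmap config "):
            dom, _, param = key[len("idmap config "):].partition(":")
            blocks.setdefault(dom.strip(), {})[param.strip()] = value
    return blocks


def parse_range(text):
    lo, _, hi = text.replace(" ", "").partition("-")
    return int(lo), int(hi)


def lint_idmap(text):
    """Return a list of findings; an empty list means the idmap layout is sane."""
    params = parse_global(text)
    workgroup = params.get("workgroup", "").lower()
    security = params.get("security", "user").lower()
    blocks = idmap_blocks(params)
    findings = []

    if not workgroup:
        findings.append("no 'workgroup' set")
    if "*" not in blocks:
        findings.append("no 'idmap config *' default domain block")
    for dom in blocks:
        if dom not in ("*", workgroup):
            findings.append(f"'idmap config {dom}' does not match workgroup '{workgroup}'")

    if security == "ads":
        own = blocks.get(workgroup)
        if own is None:
            findings.append(f"security = ads but no 'idmap config {workgroup}' block")
        else:
            if own.get("backend") != "ad":
                findings.append(f"'idmap config {workgroup}' backend should be 'ad', not {own.get('backend')!r}")
            if "range" not in own:
                findings.append(f"'idmap config {workgroup}' has no range")

    # Ranges of different idmap domains must never overlap.
    ranges = {d: parse_range(b["range"]) for d, b in blocks.items() if "range" in b}
    for (d1, r1), (d2, r2) in combinations(ranges.items(), 2):
        if r1[0] <= r2[1] and r2[0] <= r1[1]:
            findings.append(f"ranges for '{d1}' and '{d2}' overlap")
    return findings


if __name__ == "__main__":
    for name, conf in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint_idmap(conf) or "ok")
```

In practice run `testparm -s` first so you lint the configuration Samba actually loads, and after correcting the labels confirm the mapping from the Samba host itself with `wbinfo --sid-to-uid <SID>` and `id 'UNIV\someusername'`; with the ad backend the lookup goes to the domain controller over LDAP, which is why no traffic to the stand-alone OpenLDAP server is expected.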
