How to test samba LDAP parameters with openldap tools, eg ldapsearch?

Andrew Walker awalker at ixsystems.com
Wed Apr 12 12:58:26 UTC 2023


On Wed, Apr 12, 2023 at 7:51 AM Rowland Penny via samba-technical
<samba-technical at lists.samba.org> wrote:
>
>
>
> On 12/04/2023 13:37, Jan Andersen wrote:
> > Hi Rowland,
> >
> > I noticed something odd about the logs: it seems smbd generates one both
> > for the workstation's name and one for its IP address - I didn't attach
> > the latter, so here it is. It seems to have more detail.
> >
> > Jan
> >
> > On 12/04/2023 12:06, Rowland Penny via samba-technical wrote:
> >>
> >>
> >> On 12/04/2023 11:39, Jan Andersen wrote:
> >>> Hi Rowland,
> >>>
> >>> Thank you for replying. I wiped the existing logs, changed the smbd
> >>> service to include '-d 10' and restarted, so I would have logs
> >>> without too much noise - please find them attached along with smb.conf
> >>>
> >>>
> >>
> >> You appear to be running Samba as a standalone server with an ldap
> >> backend, are you aware that such a setup is two parameters away from
> >> being a PDC? If you comment out 'server role = standalone server' and
> >> add 'domain logons = yes', it becomes a PDC and a PDC (from 4.8.0)
> >> requires winbind to be running.
> >>
> >> Rowland
> >>
> >>
>
> Before Samba 4.8.0, smbd could directly connect to the domain
> controller, from 4.8.0 smbd now needs to go via winbind.
> Now I know that you are not strictly running a PDC, but what you are
> running is the next thing to it, so I presume that you need to run
> winbind, you do not need to configure anything, just run winbind.
>
> Whatever happens, you should be aware that Samba is working to remove
> SMBv1 and things like PDCs with it.
>
> One thing I did notice from that last log, you are not using SMBv1, try
> adding these lines to the smb.conf:
>
> server min protocol = NT1
> client min protocol = NT1
>
> Rowland
>

It's probably also worth noting that doing this requires your LDAP
schema to contain all the fields you need to generate a valid passwd
entry for users. Do note that using this schema requires storing an
MD4 of your users' passwords _and_ having those accessible to the file
server (hence discussion of this being a de-facto PDC). My general
feeling is that this goes beyond my risk tolerance for a production /
business environment.

Andrew
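A way to check both points Andrew raises against an actual directory dump, added here as an example and not code from the Samba project or from anyone on this thread: feed it the LDIF that `ldapsearch` prints for your user subtree and it reports, per sambaSamAccount entry, which posixAccount attributes needed to synthesise a passwd line are missing, and whether the bind DN that produced the dump could read the sambaNTPassword/sambaLMPassword hash attributes. The LDIF embedded below is constructed sample data; the attribute and objectClass names (posixAccount, sambaSamAccount, sambaNTPassword, sambaLMPassword, sambaSID, sambaAcctFlags) are the ones from the standard Samba LDAP schema.

```python
"""Audit an LDIF dump (as produced by ldapsearch) for the attributes smbd
needs to build a passwd entry, and flag entries whose NT/LM hash is
readable by the bind DN that produced the dump.

Added example, not Samba project code. SAMPLE_LDIF is constructed data.
"""
import base64

# posixAccount attributes needed to synthesise a passwd(5) line
# (loginShell is optional in RFC 2307, so it is not required here).
REQUIRED_PASSWD_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory")
# Samba schema attributes holding password-equivalent material (MD4 / LM).
HASH_ATTRS = ("sambaNTPassword", "sambaLMPassword")

# Constructed sample: alice is complete but exposes her NT hash to this bind;
# bob lacks homeDirectory and carries a base64 ('::') encoded attribute.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash
sambaSID: S-1-5-21-1-2-3-1003
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaAcctFlags: [U          ]

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bob
uidNumber: 10002
gidNumber: 10002
sambaSID: S-1-5-21-1-2-3-1005
description:: Qm9iIHRoZSBidWlsZGVy
"""


def parse_ldif(text):
    """Minimal LDIF parser returning a list of dicts attr -> [values].
    Handles folded lines (leading space), comments and base64 ('::') values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)

    entries, current = [], {}
    for line in logical + [""]:             # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    return entries


def audit_entry(entry):
    """Return (missing_passwd_attrs, readable_hash_attrs) for one entry."""
    missing = [a for a in REQUIRED_PASSWD_ATTRS if a not in entry]
    exposed = [a for a in HASH_ATTRS if a in entry]
    return missing, exposed


def audit_ldif(text):
    """Map each sambaSamAccount dn to its audit result."""
    report = {}
    for entry in parse_ldif(text):
        if "sambaSamAccount" not in entry.get("objectClass", []):
            continue
        report[entry["dn"][0]] = audit_entry(entry)
    return report


if __name__ == "__main__":
    for dn, (missing, exposed) in audit_ldif(SAMPLE_LDIF).items():
        print(dn)
        print("  missing for passwd entry :", missing or "none")
        print("  hash attrs readable here :", exposed or "none")
```

Run it against real output by replacing SAMPLE_LDIF with the text of `ldapsearch -LLL` bound as the DN smbd uses: any hash attribute that shows up is readable by the file server, which is exactly the exposure the message above describes; an entry listed under "missing" will not yield a usable passwd line.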


