How to test samba LDAP parameters with openldap tools, eg ldapsearch?

Rowland Penny rpenny at samba.org
Wed Apr 12 13:04:42 UTC 2023



On 12/04/2023 13:58, Andrew Walker wrote:
> On Wed, Apr 12, 2023 at 7:51 AM Rowland Penny via samba-technical
> <samba-technical at lists.samba.org> wrote:
>>
>>
>>
>> On 12/04/2023 13:37, Jan Andersen wrote:
>>> Hi Rowland,
>>>
>>> I noticed something odd about the logs: it seems smbd generates one both
>>> for the workstation's name and one for its IP address - I didn't attach
>>> the latter, so here it is. It seems to have more detail.
>>>
>>> Jan
>>>
>>> On 12/04/2023 12:06, Rowland Penny via samba-technical wrote:
>>>>
>>>>
>>>> On 12/04/2023 11:39, Jan Andersen wrote:
>>>>> Hi Rowland,
>>>>>
>>>>> Thank you for replying. I wiped the existing logs, changed the smbd
>>>>> service to include '-d 10' and restarted, so I would have logs
>>>>> without too much noise - please find them attached along with smb.conf
>>>>>
>>>>>
>>>>
>>>> You appear to be running Samba as a standalone server with an ldap
>>>> backend, are you aware that such a setup is two parameters away from
>>>> being a PDC ? If you comment out 'server role = standalone server' and
>>>> add 'domain logons = yes', it becomes a PDC and a PDC (from 4.8.0)
>>>> requires winbind to be running.
>>>>
>>>> Rowland
>>>>
>>>>
>>
>> Before Samba 4.8.0, smbd could directly connect to the domain
>> controller, from 4.8.0 smbd now needs to go via winbind.
>> Now I know that you are not strictly running a PDC, but what you are
>> running is the next thing to it, so I presume that you need to run
>> winbind, you do not need to configure anything, just run winbind.
>>
>> Whatever happens, you should be aware that Samba is working to remove
>> SMBv1 and things like PDCs with it.
>>
>> One thing I did notice from that last log, you are not using SMBv1, try
>> adding these lines to the smb.conf:
>>
>> server min protocol = NT1
>> client min protocol = NT1
>>
>> Rowland
>>
> 
> It's probably also worth noting that doing this requires your LDAP
> schema to contain all the fields you need to generate a valid passwd
> entry for users. Do note that using this schema requires storing an
> MD4 of your users passwords _and_ having those accessible to the file
> server (hence discussion of this being a de-facto PDC). My general
> feeling is that this goes beyond my risk tolerance for a production /
> business environment.
> 
> Andrew

Totally agree with you Andrew, I wouldn't use it in production, but from 
my understanding it did work and presumably the OP has upgraded and it 
has stopped working.

If this isn't the case and it is a new setup, then I would suggest the 
OP stops what he is trying and sets up a DC instead.

Rowland
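Since the subject line asks how to test the Samba LDAP setup with the OpenLDAP tools, here is an added example (not code from the thread, and not part of Samba or OpenLDAP) that checks what Andrew describes: whether each account carries the posixAccount attributes smbd needs for a passwd entry, whether it has a sambaNTPassword at all, and which entries return that hash to whatever identity ldapsearch bound as. The script does not talk to LDAP itself; it reads the LDIF that ldapsearch -LLL writes. The host, bind DN and base DN in the comment and the SAMPLE_LDIF entries are assumptions and constructed sample data so it runs offline.

```python
"""Check an LDIF dump of Samba LDAP accounts for what smbd needs.

Added example, not from the thread. The LDIF would normally come from
    ldapsearch -x -LLL -H ldap://ldap.example.com \
        -D cn=smbd,ou=Services,dc=example,dc=com -W \
        -b ou=People,dc=example,dc=com '(objectClass=sambaSamAccount)' > accounts.ldif
(host and DNs are assumptions); SAMPLE_LDIF below is constructed stand-in data.
"""
import base64
import re
import sys

# posixAccount attributes NSS needs to build a passwd(5) line.
PASSWD_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")
# sambaSamAccount attributes the account needs to be usable by smbd.
SAMBA_ATTRS = ("sambaSID", "sambaAcctFlags")
# The NT hash: MD4 of the UTF-16LE password, i.e. a password-equivalent credential.
NT_HASH_ATTR = "sambaNTPassword"
NT_HASH_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

# Constructed sample: alice is complete (her hash is the well-known NT hash of
# "password"), bob lacks gidNumber and any hash, carol lacks the Samba
# objectClass and carries a malformed hash.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash
sambaSID: S-1-5-21-1234567890-1234567890-1234567890-
 21002
sambaAcctFlags: [U          ]
sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C
description:: c2FtcGxlIGFjY291bnQ=

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bob
uidNumber: 10002
homeDirectory: /home/bob
loginShell: /bin/bash
sambaSID: S-1-5-21-1234567890-1234567890-1234567890-21004
sambaAcctFlags: [U          ]

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
uid: carol
uidNumber: 10003
gidNumber: 10003
homeDirectory: /home/carol
loginShell: /bin/bash
sambaNTPassword: not-a-hash
"""


def parse_ldif(text):
    """Parse content-record LDIF into a list of {attr_lowercase: [values]} dicts.
    Handles folded lines (continuation starts with a space) and base64 values (attr:: ...)."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():   # unfold continuations first
        if line.startswith("#"):
            continue
        if not line.strip():                              # blank line ends a record
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                          # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def check_entry(entry):
    """Return the problems with one entry; an empty list means smbd can build a
    passwd entry for it and has a hash to authenticate against."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    for needed in ("posixAccount", "sambaSamAccount"):
        if needed.lower() not in classes:
            problems.append(f"missing objectClass {needed}")
    for attr in PASSWD_ATTRS + SAMBA_ATTRS:
        if attr.lower() not in entry:
            problems.append(f"missing attribute {attr}")
    nt = entry.get(NT_HASH_ATTR.lower())
    if not nt:
        problems.append(f"no {NT_HASH_ATTR}: smbd has nothing to authenticate against")
    elif not NT_HASH_RE.match(nt[0]):
        problems.append(f"{NT_HASH_ATTR} is not a 32-hex-digit NT hash")
    return problems


def check_ldif(text):
    """Map each DN in the dump to its list of problems."""
    return {e["dn"][0]: check_entry(e) for e in parse_ldif(text)}


def readable_hashes(entries):
    """DNs whose NT hash came back in the search, i.e. is readable by the identity
    ldapsearch bound as. With an anonymous bind (-x and no -D) every one of these
    is a password-equivalent readable by anybody who can reach the directory."""
    return [e["dn"][0] for e in entries if NT_HASH_ATTR.lower() in e]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for dn, problems in check_ldif(text).items():
        print(dn, "OK" if not problems else "; ".join(problems))
    print("NT hash readable with this bind:", readable_hashes(parse_ldif(text)))
```

Run it as "python3 check.py accounts.ldif" against a real dump, or with no argument to see the constructed sample. The useful test is to run the ldapsearch twice, once bound as the DN smbd uses ("ldap admin dn" in smb.conf) and once anonymously: the first run should return sambaNTPassword for every account, the second should return none, otherwise the hashes are exposed to more than the file server.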


