How to test samba LDAP parameters with openldap tools, eg ldapsearch?

Jan Andersen jan at comind.io
Wed Apr 12 13:25:21 UTC 2023


Hi everybody - thank you for helping and for all the good advice! I will 
certainly look into it and take it on board as soon as I get the chance to 
address the issues - at the moment it is simply a question of making 
this work at a basic level, regrettably.

As it turned out, there was a configuration mistake on the LDAP server, 
so the domain/workgroup smbd was looking for was empty; the name was 
wrong on the server side. After fixing that, things are now working and I 
can move towards persuading people about making sensible improvements.

Thanks again!

Jan

On 12/04/2023 14:04, Rowland Penny via samba-technical wrote:
> 
> 
> On 12/04/2023 13:58, Andrew Walker wrote:
>> On Wed, Apr 12, 2023 at 7:51 AM Rowland Penny via samba-technical
>> <samba-technical at lists.samba.org> wrote:
>>>
>>>
>>>
>>> On 12/04/2023 13:37, Jan Andersen wrote:
>>>> Hi Rowland,
>>>>
>>>> I noticed something odd about the logs: it seems smbd generates both one
>>>> for the workstation's name and one for its IP address - I didn't attach
>>>> the latter, so here it is. It seems to have more detail.
>>>>
>>>> Jan
>>>>
>>>> On 12/04/2023 12:06, Rowland Penny via samba-technical wrote:
>>>>>
>>>>>
>>>>> On 12/04/2023 11:39, Jan Andersen wrote:
>>>>>> Hi Rowland,
>>>>>>
>>>>>> Thank you for replying. I wiped the existing logs, changed the smbd
>>>>>> service to include '-d 10' and restarted, so I would have logs
>>>>>> without too much noise - please find them attached along with 
>>>>>> smb.conf
>>>>>>
>>>>>>
>>>>>
>>>>> You appear to be running Samba as a standalone server with an ldap
>>>>> backend; are you aware that such a setup is two parameters away from
>>>>> being a PDC? If you comment out 'server role = standalone server' and
>>>>> add 'domain logons = yes', it becomes a PDC, and a PDC (from 4.8.0)
>>>>> requires winbind to be running.
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>
>>> Before Samba 4.8.0, smbd could directly connect to the domain
>>> controller; from 4.8.0 smbd now needs to go via winbind.
>>> Now I know that you are not strictly running a PDC, but what you are
>>> running is the next thing to it, so I presume that you need to run
>>> winbind. You do not need to configure anything, just run winbind.
>>>
>>> Whatever happens, you should be aware that Samba is working to remove
>>> SMBv1 and things like PDCs with it.
>>>
>>> One thing I did notice from that last log: you are not using SMBv1; try
>>> adding these lines to the smb.conf:
>>>
>>> server min protocol = NT1
>>> client min protocol = NT1
>>>
>>> Rowland
>>>
>>
>> It's probably also worth noting that doing this requires your LDAP
>> schema to contain all the fields you need to generate a valid passdb
>> entry for users. Do note that using this schema requires storing an
>> MD4 of your users' passwords _and_ having those accessible to the file
>> server (hence discussion of this being a de-facto PDC). My general
>> feeling is that this goes beyond my risk tolerance for a production /
>> business environment.
>>
>> Andrew
> 
> Totally agree with you, Andrew; I wouldn't use it in production, but from 
> my understanding it did work and presumably the OP has upgraded and it 
> has stopped working.
> 
> If this isn't the case and it is a new setup, then I would suggest the 
> OP stops what he is trying and sets up a DC instead.
> 
> Rowland
> 
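As an added example (not code from the thread or from the Samba project), a small Python check that reads an smb.conf with ConfigParser, which copes with Samba's INI-like syntax, and flags the points raised above: an ldapsam backend (NT/MD4 hashes in LDAP, readable with the bind credentials the file server holds), the standalone-plus-ldapsam setup that is two parameters from a PDC, a classic PDC role needing winbind from 4.8.0, and an NT1 minimum protocol re-enabling SMBv1. Both smb.conf texts are constructed to mirror the thread, not the OP's real configuration, and the domain names in them are placeholders.

```python
import configparser

# SMB1 dialects: any of these as a minimum protocol re-enables SMBv1.
SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}
PDC_ROLES = {"classic primary domain controller", "classic backup domain controller"}

# Constructed smb.conf mirroring the thread: standalone server with an LDAP
# passdb, plus the NT1 lines suggested above. Names are placeholders.
RISKY_CONF = """[global]
workgroup = EXAMPLE
server role = standalone server
passdb backend = ldapsam:ldap://ldap.example.internal
ldap admin dn = cn=samba,dc=example,dc=internal
ldap suffix = dc=example,dc=internal
server min protocol = NT1
client min protocol = NT1
"""
# Constructed alternative along Rowland's "set up a DC instead" line: AD DC,
# no separate ldapsam backend, default (SMB2+) minimum protocol.
DC_CONF = """[global]
workgroup = EXAMPLE
realm = EXAMPLE.INTERNAL
server role = active directory domain controller
"""

def parse_global(text):
    """Return the [global] section as a dict with lowercased keys."""
    # interpolation=None so Samba substitutions such as %U are left alone.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    if not cp.has_section("global"):
        return {}
    return {k.lower(): v.strip() for k, v in cp["global"].items()}

def audit(text):
    """Return a list of findings; an empty list means nothing matched."""
    g = parse_global(text)
    findings = []
    role = g.get("server role", "auto").lower()
    backend = g.get("passdb backend", "tdbsam").lower()
    logons = g.get("domain logons", "no").lower() in {"yes", "true", "1"}
    if backend.startswith("ldapsam"):
        findings.append("ldapsam: NT (MD4) hashes live in LDAP and are readable with the 'ldap admin dn' bind")
    if logons or role in PDC_ROLES:
        findings.append("classic PDC/BDC role: winbind must be running from Samba 4.8.0")
    elif role == "standalone server" and backend.startswith("ldapsam"):
        findings.append("standalone server with ldapsam: two parameters away from a PDC")
    for key in ("server min protocol", "min protocol", "client min protocol"):
        val = g.get(key, "")
        if val.lower() in SMB1_DIALECTS:
            findings.append(f"{key} = {val}: SMBv1 enabled, which Samba is removing")
    return findings

if __name__ == "__main__":
    for name, conf in (("risky", RISKY_CONF), ("dc", DC_CONF)):
        print(name, audit(conf) or ["no findings"])
```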
