You might look into the net getlocalsid, net getdomainsid, net setlocalsid and net setdomainsid commands; you may be able to set the samba server's SIDs the same as your ldap SID... just a thought. Remember, messing around with SIDs can cause major issues, so export all SIDs to a file and be ready to set them back if everything goes wrong. (net getdomainsid > sidbackup.txt to export them on the samba side of things.)

Ricky

On Thu, Jun 20, 2013 at 8:04 AM, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:

> If I follow correctly the LDAP server is NOT in the domain? The Samba accounts should be using the SID of the Samba PDC, not the SID of the LDAP server. This of course means that a Samba member server can't use the same LDAP back end (at least for Samba authentication.)
>
> Long and short - I found it easiest to have the LDAP server on the same machine as the DC. I have one PDC and one BDC (sometimes 2 BDCs.) Each PDC uses its own ldap server and the ldap servers are configured for replication.
>
> The simplest solution may be to set the local and domain sid of the LDAP server to the same sid as the DC, and join the LDAP server to the domain as a DC.
>
> On 06/20/13 04:26, Philipp Lies wrote:
>
>> Hi,
>>
>> I'm trying to get my new samba server running for a few days now and I start losing my mind over not figuring out what I'm doing wrong. Here's my setup:
>>
>> OpenLDAP 2.4.21 server with ~15 groups and >100 users, all having a unix and a samba NT password stored in the LDAP as well as a User SID and Primary Group SID assigned and stored in the LDAP, derived from the SID of the LDAP Server.
>>
>> Now I want several samba servers to use the LDAP server to authenticate users.
>> One samba server is a CentOS 6.3 configured with NSS/PAM using the ldap server. getent passwd/group returns all users and ssh to the samba machine works for all users. Samba is v3.6.9-151.el6.
>>
>> Now here's the smb.conf (I removed the shares):
>>
>> [global]
>> workgroup = XXXXX
>> security = user
>> passdb backend = ldapsam:ldap://myldapserver
>> ldap suffix = dc=mydomain,dc=com
>> ldap admin dn = cn=replicator,dc=mydomain,dc=com
>> ldap user suffix = ou=users
>> ldap group suffix = ou=groups
>> ldap machine suffix = ou=computers
>> ldap ssl = start tls
>>
>> The ldap connection works, as `pdbedit -L` shows
>>
>> pm_process() returned Yes
>> smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBAHOSTNAME))]
>> StartTLS issued: using a TLS connection
>> smbldap_open_connection: connection opened
>> ldap_connect_system: successful connection to the LDAP server
>> The LDAP server is successfully connected
>> smbldap_search_paged: base => [dc=mydomain,dc=com], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
>> smbldap_search_paged: search was successful
>> sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain
>>
>> and then the last message repeats for all uids.
>>
>> Using `smbclient -L localhost -U someid` the log file says:
>>
>> check_ntlm_password: Checking password for unmapped user [XXX]\[someid]@[SAMBAHOST] with the new password interface
>> check_ntlm_password: mapped user is: [SAMBAHOST]\[someid]@[SAMBAHOST]
>> StartTLS issued: using a TLS connection
>> smbldap_open_connection: connection opened
>> ldap_connect_system: successful connection to the LDAP server
>> The LDAP server is successfully connected
>> init_sam_from_ldap: Entry found for user: someid
>> Home server: SAMBAHOST
>> Home server: SAMBAHOST
>> init_group_from_ldap: Entry found for group: 1011
>> init_group_from_ldap: Entry found for group: 1011
>> Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN and not a domain group
>> Forcing Primary Group to 'Domain Users' for someid
>> ntlm_password_check: Checking NTLMv2 password with domain [CIN]
>> sam_account_ok: Checking SMB password for user someid
>> The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not match the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708)
>> check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
>> check_ntlm_password: Authentication for user [someid] -> [someid] FAILED with error NT_STATUS_UNSUCCESSFUL
>>
>> What I see here is that the samba server does not recognize the primary group of the user (which is an existing group in the LDAP) and therefore maps the primary group to its local "Domain Users" group, which then obviously does not match the domainSID of the userid.
>> But why doesn't the samba server recognize the group? Or is there a different underlying problem?
>>
>> What I tried so far:
>>
>> Changing the SID of the samba server to the SID of the LDAP server, but `net setlocalsid S-...` did not change the local SID. No error message, just executed successfully, but getlocalsid returned the old SID.
>>
>> Setting the domainsid of the samba server to the SID of the ldap server. `net setdomainsid S-...` was successful but the samba server still refuses to authenticate the users.
>>
>> Tried adding the server to the domain with `net join XXX` but the answer was just "standalone server cannot join domain".
>>
>> I tried to run `smbpasswd -a` to add the user to the local samba db (even though this would not be an option for the final solution, but that's what other users recommended), but the error didn't change.
>>
>> How can I either tell samba to ignore the domain SID mismatch or force samba to have the same SID as the LDAP? Or would this cause other problems if ~10 Samba servers and the LDAP in the end all have the exact same SID?
>>
>> Strangely I have debian/ubuntu servers where I have the same configuration but there it works. The difference I see is that in the debian system after the "Primary Group ... is UNKNOWN" there is no forcing to "Domain Users" as group and samba just checks the password of the user and doesn't care about the primary group SID.
>>
>> Any ideas what I'm missing there?
>>
>> Philipp
>>
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
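The SID consistency checks that the quoted logs report, as an added example that is not part of the original thread or of Samba's own code: it splits NT-style SIDs into a domain part and RID, applies the same domain-membership checks the log lines describe (including the forced 'Domain Users' fallback that produces the final mismatch), and shows that the same entries pass once the server's domain SID equals the SID the LDAP entries were derived from. All SID values and LDAP entries are constructed.

```python
# Added example (not Samba source): model the domain-SID checks seen in the
# thread's pdbedit/smbd logs against constructed sambaSamAccount entries.
import re

# S-1-5-21-<a>-<b>-<c> is a domain SID; an optional trailing -<rid> names an account.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(?:-(\d+))?$")


def split_sid(sid):
    """Return (domain_part, rid); rid is None for a bare domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain-style SID: {sid}")
    if m.group(1) is None:
        return sid, None
    return sid.rsplit("-", 1)[0], int(m.group(1))


def check_account(server_domain_sid, entry):
    """Diagnose one entry the way the quoted log messages do.
    entry: dict with uid, sambaSID, sambaPrimaryGroupSID (constructed here).
    Returns a list of problems; an empty list means the entry is consistent."""
    problems = []
    user_dom, _ = split_sid(entry["sambaSID"])
    if user_dom != server_domain_sid:
        problems.append(f"sid {entry['sambaSID']} does not belong to our domain")
    grp_sid = entry["sambaPrimaryGroupSID"]
    grp_dom, _ = split_sid(grp_sid)
    if grp_dom != server_domain_sid:
        # The log shows an unknown primary group being forced to the local
        # 'Domain Users' (RID 513), whose domain part is then compared again.
        grp_sid = f"{server_domain_sid}-513"
        grp_dom = server_domain_sid
        problems.append(f"primary group {entry['sambaPrimaryGroupSID']} unknown; forced to {grp_sid}")
    if grp_dom != user_dom:
        problems.append(f"primary group domain sid ({grp_sid}) does not match domain sid ({user_dom})")
    return problems


# Constructed sample: the Samba server's own domain SID vs. the LDAP server's SID.
SERVER_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
LDAP_SERVER_SID = "S-1-5-21-4444444444-5555555555-6666666666"
ENTRIES = [  # someid mirrors the thread: SIDs derived from the LDAP server's SID
    {"uid": "someid", "sambaSID": f"{LDAP_SERVER_SID}-5708", "sambaPrimaryGroupSID": f"{LDAP_SERVER_SID}-1000"},
    {"uid": "alice", "sambaSID": f"{SERVER_DOMAIN_SID}-1002", "sambaPrimaryGroupSID": f"{SERVER_DOMAIN_SID}-513"},
]


def audit(server_domain_sid=SERVER_DOMAIN_SID, entries=ENTRIES):
    """Map each uid to its list of problems for the given server domain SID."""
    return {e["uid"]: check_account(server_domain_sid, e) for e in entries}


if __name__ == "__main__":
    for uid, problems in audit().items():
        print(uid, "OK" if not problems else "; ".join(problems))
```

Calling audit(LDAP_SERVER_SID) instead models the server's domain SID having been set to the LDAP server's SID, after which someid reports no problems.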