info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
1,501 views
Skip to first unread message
Philipp Lies
Jun 20, 2013, 4:26:57 AM6/20/13
to
Hi,
I'm trying to get my new samba server running for a few days now and I
start losing my mind over not figuring out what I'm doing wrong. Here's
my setup:
OpenLDAP 2.4.21 server with ~15 groups and >100 users, all having a unix
and a samba NT password stored in the LDAP as well as a User SID and
Primary Group SID assigned and stored in the LDAP, derived from the SID
of the LDAP Server.
Now I want several samba servers to use the LDAP server to authenticate
users.
One samba server is a CentOS 6.3 configured with NSS/PAM using the ldap
server. getent passwd/group returns all users and ssh to the samba
machine works for all users. Samba is v3.6.9-151.el6. Now here's the
smb.conf (I removed the shares):
[global]
workgroup = XXXXX
security = user
passdb backend = ldapsam:ldap://myldapserver
ldap suffix = dc=mydomain,dc=com
ldap admin dn = cn=replicator,dc=mydomain,dc=com
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap ssl = start tls
The ldap connection works, as `pdbedit -L` shows
pm_process() returned Yes
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBAHOSTNAME))]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
The LDAP server is successfully connected
smbldap_search_paged: base => [dc=mydomain,dc=com], filter =>
[(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
smbldap_search_paged: search was successful
sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain
and then the last message repeats for all uids.
Using `smbclient -L localhost -U someid` the log file says:
check_ntlm_password: Checking password for unmapped user
[XXX]\[someid]@[SAMBAHOST] with the new password interface
check_ntlm_password: mapped user is: [SAMBAHOST]\[someid]@[SAMBAHOST]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
The LDAP server is successfully connected
init_sam_from_ldap: Entry found for user: someid
Home server: SAMBAHOST
Home server: SAMBAHOST
init_group_from_ldap: Entry found for group: 1011
init_group_from_ldap: Entry found for group: 1011
Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN
and not a domain group
Forcing Primary Group to 'Domain Users' for someid
ntlm_password_check: Checking NTLMv2 password with domain [CIN]
sam_account_ok: Checking SMB password for user someid
The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not match
the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708)
check_sam_security: make_server_info_sam() failed with
'NT_STATUS_UNSUCCESSFUL'
check_ntlm_password: Authentication for user [someid] -> [someid]
FAILED with error NT_STATUS_UNSUCCESSFUL
What I see here is that the samba server does not recognize the primary
group of the user (which is an existing group in the LDAP) and therefor
maps the primary group to its local "Domain Users" group which then
obviously does not match the domainSID of the userid.
But why doesn't the samba server recognize the group? Or is there a
different underlying problem?
What I tried so far:
Changing the SID of the samba server to the SID of the LDAP server, but
`net setlocalsid S-...` did not change the local SID. No error message,
just executed successfully but getlocalsid returned the old SID.
Setting the domainsid of the samba server to the SID of the ldap server.
`net setdomainsid S-...` was successful but the samba server still
refuses to authenticate the users.
Tried adding the server to the domain with `net join XXX` but the answer
was just "standalone server cannot join domain".
I tried to run `smbpasswd -a` to add the user to the local samba db
(even though this would not be an option for the final solution, but
that's what other users recommended), but the error didn't change.
How can I either tell samba to ignore the domain SID mismatch or force
samba to have the same SID as the LDAP? Or would this cause other
problems if ~10 Samba Server and the LDAP in the end all have the exact
same SID?
Strangely I have debian/ubuntu servers where I have the same
configuration but there it works. The difference I see is that in the
debian system after the "Primary Group ... is UNKNOWN" there is no
forcing to "Domain Users" as group and samba just checks the password of
the user and doesn't care about the primary group SID.
Any ideas what I'm missing there?
Philipp
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
I'm trying to get my new samba server running for a few days now and I
start losing my mind over not figuring out what I'm doing wrong. Here's
my setup:
OpenLDAP 2.4.21 server with ~15 groups and >100 users, all having a unix
and a samba NT password stored in the LDAP as well as a User SID and
Primary Group SID assigned and stored in the LDAP, derived from the SID
of the LDAP Server.
Now I want several samba servers to use the LDAP server to authenticate
users.
One samba server is a CentOS 6.3 configured with NSS/PAM using the ldap
server. getent passwd/group returns all users and ssh to the samba
machine works for all users. Samba is v3.6.9-151.el6. Now here's the
smb.conf (I removed the shares):
[global]
workgroup = XXXXX
security = user
passdb backend = ldapsam:ldap://myldapserver
ldap suffix = dc=mydomain,dc=com
ldap admin dn = cn=replicator,dc=mydomain,dc=com
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap ssl = start tls
The ldap connection works, as `pdbedit -L` shows
pm_process() returned Yes
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBAHOSTNAME))]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
The LDAP server is successfully connected
smbldap_search_paged: base => [dc=mydomain,dc=com], filter =>
[(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
smbldap_search_paged: search was successful
sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain
and then the last message repeats for all uids.
Using `smbclient -L localhost -U someid` the log file says:
check_ntlm_password: Checking password for unmapped user
[XXX]\[someid]@[SAMBAHOST] with the new password interface
check_ntlm_password: mapped user is: [SAMBAHOST]\[someid]@[SAMBAHOST]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
The LDAP server is successfully connected
init_sam_from_ldap: Entry found for user: someid
Home server: SAMBAHOST
Home server: SAMBAHOST
init_group_from_ldap: Entry found for group: 1011
init_group_from_ldap: Entry found for group: 1011
Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN
and not a domain group
Forcing Primary Group to 'Domain Users' for someid
ntlm_password_check: Checking NTLMv2 password with domain [CIN]
sam_account_ok: Checking SMB password for user someid
The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not match
the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708)
check_sam_security: make_server_info_sam() failed with
'NT_STATUS_UNSUCCESSFUL'
check_ntlm_password: Authentication for user [someid] -> [someid]
FAILED with error NT_STATUS_UNSUCCESSFUL
What I see here is that the samba server does not recognize the primary
group of the user (which is an existing group in the LDAP) and therefor
maps the primary group to its local "Domain Users" group which then
obviously does not match the domainSID of the userid.
But why doesn't the samba server recognize the group? Or is there a
different underlying problem?
What I tried so far:
Changing the SID of the samba server to the SID of the LDAP server, but
`net setlocalsid S-...` did not change the local SID. No error message,
just executed successfully but getlocalsid returned the old SID.
Setting the domainsid of the samba server to the SID of the ldap server.
`net setdomainsid S-...` was successful but the samba server still
refuses to authenticate the users.
Tried adding the server to the domain with `net join XXX` but the answer
was just "standalone server cannot join domain".
I tried to run `smbpasswd -a` to add the user to the local samba db
(even though this would not be an option for the final solution, but
that's what other users recommended), but the error didn't change.
How can I either tell samba to ignore the domain SID mismatch or force
samba to have the same SID as the LDAP? Or would this cause other
problems if ~10 Samba Server and the LDAP in the end all have the exact
same SID?
Strangely I have debian/ubuntu servers where I have the same
configuration but there it works. The difference I see is that in the
debian system after the "Primary Group ... is UNKNOWN" there is no
forcing to "Domain Users" as group and samba just checks the password of
the user and doesn't care about the primary group SID.
Any ideas what I'm missing there?
Philipp
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Gaiseric Vandal
Jun 20, 2013, 9:04:43 AM6/20/13
to
If I follow correctly the LDAP server is NOT in the domain? The Samba
accounts should be using the SID of the Samba PDC not the SID of the
LDAP server. This of course means that a Samba member server can't
use the same LDAP back end (at least for Samba authentication.)
Long and short - I found it easiest to have LDAP server on the same
machine as the DC. I have one PDC and one BDC (sometimes 2 BDC's.)
Each PDC uses its own ldap server and the ldap servers are configure for
replication.
The simplest solution may be to set the local and domain sid of the LDAP
server to the same sid as the DC, and join the LDAP server to the domain
as a DC.
accounts should be using the SID of the Samba PDC not the SID of the
LDAP server. This of course means that a Samba member server can't
use the same LDAP back end (at least for Samba authentication.)
Long and short - I found it easiest to have LDAP server on the same
machine as the DC. I have one PDC and one BDC (sometimes 2 BDC's.)
Each PDC uses its own ldap server and the ldap servers are configure for
replication.
The simplest solution may be to set the local and domain sid of the LDAP
server to the same sid as the DC, and join the LDAP server to the domain
as a DC.
Ricky Nance
Jun 20, 2013, 9:43:05 AM6/20/13
to
You might look into net getlocalsid, net getdomainsid, net setlocalsid and
net setdomainsid commands, you may be able to set the samba servers the
same as your ldap sid... just a though. Remember, messing around with SID's
can cause major issues, so export all sids to file and be ready set them
back if everything goes wrong. (net getdomainsid > sidbackup.txt to export
them on the samba side of things)
Ricky
On Thu, Jun 20, 2013 at 8:04 AM, Gaiseric Vandal
<gaiseri...@gmail.com>wrote:
>> ldap admin dn = cn=replicator,dc=mydomain,dc=**com
> instructions: https://lists.samba.org/**mailman/options/samba<https://lists.samba.org/mailman/options/samba>
net setdomainsid commands, you may be able to set the samba servers the
same as your ldap sid... just a though. Remember, messing around with SID's
can cause major issues, so export all sids to file and be ready set them
back if everything goes wrong. (net getdomainsid > sidbackup.txt to export
them on the samba side of things)
Ricky
On Thu, Jun 20, 2013 at 8:04 AM, Gaiseric Vandal
<gaiseri...@gmail.com>wrote:
>> ldap user suffix = ou=users
>> ldap group suffix = ou=groups
>> ldap machine suffix = ou=computers
>> ldap ssl = start tls
>>
>> The ldap connection works, as `pdbedit -L` shows
>>
>> pm_process() returned Yes
>> smbldap_search_domain_info: Searching
>> for:[(&(objectClass=**sambaDomain)(sambaDomainName=**SAMBAHOSTNAME))]
>> ldap group suffix = ou=groups
>> ldap machine suffix = ou=computers
>> ldap ssl = start tls
>>
>> The ldap connection works, as `pdbedit -L` shows
>>
>> pm_process() returned Yes
>> smbldap_search_domain_info: Searching
>> StartTLS issued: using a TLS connection
>> smbldap_open_connection: connection opened
>> ldap_connect_system: successful connection to the LDAP server
>> The LDAP server is successfully connected
>> smbldap_search_paged: base => [dc=mydomain,dc=com], filter =>
>> [(&(uid=*)(objectclass=**sambaSamAccount))],scope => [2], pagesize =>
>> smbldap_open_connection: connection opened
>> ldap_connect_system: successful connection to the LDAP server
>> The LDAP server is successfully connected
>> smbldap_search_paged: base => [dc=mydomain,dc=com], filter =>
>> [1024]
>> smbldap_search_paged: search was successful
>> sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain
>>
>> and then the last message repeats for all uids.
>> Using `smbclient -L localhost -U someid` the log file says:
>>
>> check_ntlm_password: Checking password for unmapped user
>> [XXX]\[someid]@[SAMBAHOST] with the new password interface
>> check_ntlm_password: mapped user is: [SAMBAHOST]\[someid]@[**
>> smbldap_search_paged: search was successful
>> sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain
>>
>> and then the last message repeats for all uids.
>> Using `smbclient -L localhost -U someid` the log file says:
>>
>> check_ntlm_password: Checking password for unmapped user
>> [XXX]\[someid]@[SAMBAHOST] with the new password interface
>> SAMBAHOST]
>> StartTLS issued: using a TLS connection
>> smbldap_open_connection: connection opened
>> ldap_connect_system: successful connection to the LDAP server
>> The LDAP server is successfully connected
>> init_sam_from_ldap: Entry found for user: someid
>> Home server: SAMBAHOST
>> Home server: SAMBAHOST
>> init_group_from_ldap: Entry found for group: 1011
>> init_group_from_ldap: Entry found for group: 1011
>> Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN
>> and not a domain group
>> Forcing Primary Group to 'Domain Users' for someid
>> ntlm_password_check: Checking NTLMv2 password with domain [CIN]
>> sam_account_ok: Checking SMB password for user someid
>> The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not match
>> the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-**5708)
>> StartTLS issued: using a TLS connection
>> smbldap_open_connection: connection opened
>> ldap_connect_system: successful connection to the LDAP server
>> The LDAP server is successfully connected
>> init_sam_from_ldap: Entry found for user: someid
>> Home server: SAMBAHOST
>> Home server: SAMBAHOST
>> init_group_from_ldap: Entry found for group: 1011
>> init_group_from_ldap: Entry found for group: 1011
>> Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN
>> and not a domain group
>> Forcing Primary Group to 'Domain Users' for someid
>> ntlm_password_check: Checking NTLMv2 password with domain [CIN]
>> sam_account_ok: Checking SMB password for user someid
>> The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not match
Gaiseric Vandal
Jun 20, 2013, 11:12:16 AM6/20/13
to
OK. I understand (at least a little better.)
So the correct behaviour would be for the standalone workgroup machines
to say "I don't know who DOMAIN/user1 is, so I will map to local
user1." The standalone servers should be using LDAP for unix
accounts put I don't think you really should use the common LDAP backend
for samba accounts. You would need to use smbpasswd or pdbedit to
create local samba users on each member server, which means the member
server would each use a local tdb database not ldap for samba.
If you want to centralize the samba accounts I think the proper way
would be to use member servers.
That being said, if the current set up is working on some machines but
not others, I would run "testparm -v" on each domain member and see if
there are differences on mapping behavior. Different os's may have
slightly different versions of samba and the default smb.conf paramaters
may have changed. Also run "net groupmap list
" on each member server. You may need to explicitly set group mappings
for key windows groups. (i.e. the group sid maps to a unix group.)
e.g.
# net groupmap list
...
Administrators (S-1-5-32-544) -> Builtin Admins
Users (S-1-5-32-545) -> Builtin Users
getent group "Builtin Admins"
Builtin Admins::544:
# getent group "Builtin Admins"
On 06/20/13 10:40, Philipp Lies wrote:
> my samba servers are standalone servers which are not domain members.
> This seems to work nicely with my debian machines but not the centos
> ones.
instructions: https://lists.samba.org/mailman/options/samba
So the correct behaviour would be for the standalone workgroup machines
to say "I don't know who DOMAIN/user1 is, so I will map to local
user1." The standalone servers should be using LDAP for unix
accounts put I don't think you really should use the common LDAP backend
for samba accounts. You would need to use smbpasswd or pdbedit to
create local samba users on each member server, which means the member
server would each use a local tdb database not ldap for samba.
If you want to centralize the samba accounts I think the proper way
would be to use member servers.
That being said, if the current set up is working on some machines but
not others, I would run "testparm -v" on each domain member and see if
there are differences on mapping behavior. Different os's may have
slightly different versions of samba and the default smb.conf paramaters
may have changed. Also run "net groupmap list
" on each member server. You may need to explicitly set group mappings
for key windows groups. (i.e. the group sid maps to a unix group.)
e.g.
# net groupmap list
...
Administrators (S-1-5-32-544) -> Builtin Admins
Users (S-1-5-32-545) -> Builtin Users
getent group "Builtin Admins"
Builtin Admins::544:
# getent group "Builtin Admins"
On 06/20/13 10:40, Philipp Lies wrote:
> On 20.06.2013 15:04, Gaiseric Vandal wrote:
>> If I follow correctly the LDAP server is NOT in the domain? The
>> Samba accounts should be using the SID of the Samba PDC not the SID
>> of the LDAP server. This of course means that a Samba member
>> server can't use the same LDAP back end (at least for Samba
>> authentication.)
> The LDAP server is the PDC, however, there are no domain members. All
>> If I follow correctly the LDAP server is NOT in the domain? The
>> Samba accounts should be using the SID of the Samba PDC not the SID
>> of the LDAP server. This of course means that a Samba member
>> server can't use the same LDAP back end (at least for Samba
>> authentication.)
> my samba servers are standalone servers which are not domain members.
> This seems to work nicely with my debian machines but not the centos
> ones.
>
>
>>
>>
>>
>>
>>
>> On 06/20/13 04:26, Philipp Lies wrote:
>>> Hi,
>>>
>>> I'm trying to get my new samba server running for a few days now and I
>>> start losing my mind over not figuring out what I'm doing wrong. Here's
>>> my setup:
>>>
>>> OpenLDAP 2.4.21 server with ~15 groups and >100 users, all having a
>>> unix
>>> and a samba NT password stored in the LDAP as well as a User SID and
>>> Primary Group SID assigned and stored in the LDAP, derived from the SID
>>> of the LDAP Server.
>>>
>>> Now I want several samba servers to use the LDAP server to authenticate
>>> users.
>>> One samba server is a CentOS 6.3 configured with NSS/PAM using the ldap
>>> server. getent passwd/group returns all users and ssh to the samba
>>> machine works for all users. Samba is v3.6.9-151.el6. Now here's the
>>> smb.conf (I removed the shares):
>>>
>>> [global]
>>> workgroup = XXXXX
>>> security = user
>>> passdb backend = ldapsam:ldap://myldapserver
>>> ldap suffix = dc=mydomain,dc=com
>>> ldap admin dn = cn=replicator,dc=mydomain,dc=com
>
>>
>>
>>
>>
>>
>> On 06/20/13 04:26, Philipp Lies wrote:
>>> Hi,
>>>
>>> I'm trying to get my new samba server running for a few days now and I
>>> start losing my mind over not figuring out what I'm doing wrong. Here's
>>> my setup:
>>>
>>> OpenLDAP 2.4.21 server with ~15 groups and >100 users, all having a
>>> unix
>>> and a samba NT password stored in the LDAP as well as a User SID and
>>> Primary Group SID assigned and stored in the LDAP, derived from the SID
>>> of the LDAP Server.
>>>
>>> Now I want several samba servers to use the LDAP server to authenticate
>>> users.
>>> One samba server is a CentOS 6.3 configured with NSS/PAM using the ldap
>>> server. getent passwd/group returns all users and ssh to the samba
>>> machine works for all users. Samba is v3.6.9-151.el6. Now here's the
>>> smb.conf (I removed the shares):
>>>
>>> [global]
>>> workgroup = XXXXX
>>> security = user
>>> passdb backend = ldapsam:ldap://myldapserver
>>> ldap suffix = dc=mydomain,dc=com
>>> ldap user suffix = ou=users
>>> ldap group suffix = ou=groups
>>> ldap machine suffix = ou=computers
>>> ldap ssl = start tls
>>>
>>> The ldap connection works, as `pdbedit -L` shows
>>>
>>> pm_process() returned Yes
>>> smbldap_search_domain_info: Searching
>>> for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBAHOSTNAME))]
>>> ldap group suffix = ou=groups
>>> ldap machine suffix = ou=computers
>>> ldap ssl = start tls
>>>
>>> The ldap connection works, as `pdbedit -L` shows
>>>
>>> pm_process() returned Yes
>>> smbldap_search_domain_info: Searching
>>> StartTLS issued: using a TLS connection
>>> smbldap_open_connection: connection opened
>>> ldap_connect_system: successful connection to the LDAP server
>>> The LDAP server is successfully connected
>>> smbldap_search_paged: base => [dc=mydomain,dc=com], filter =>
>>> [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize =>
>>> smbldap_open_connection: connection opened
>>> ldap_connect_system: successful connection to the LDAP server
>>> The LDAP server is successfully connected
>>> smbldap_search_paged: base => [dc=mydomain,dc=com], filter =>
>>> [1024]
>>> smbldap_search_paged: search was successful
>>> sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain
>>>
>>> and then the last message repeats for all uids.
>>> Using `smbclient -L localhost -U someid` the log file says:
>>>
>>> check_ntlm_password: Checking password for unmapped user
>>> [XXX]\[someid]@[SAMBAHOST] with the new password interface
>>> check_ntlm_password: mapped user is:
>>> [SAMBAHOST]\[someid]@[SAMBAHOST]
>>> smbldap_search_paged: search was successful
>>> sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain
>>>
>>> and then the last message repeats for all uids.
>>> Using `smbclient -L localhost -U someid` the log file says:
>>>
>>> check_ntlm_password: Checking password for unmapped user
>>> [XXX]\[someid]@[SAMBAHOST] with the new password interface
>>> check_ntlm_password: mapped user is:
>>> StartTLS issued: using a TLS connection
>>> smbldap_open_connection: connection opened
>>> ldap_connect_system: successful connection to the LDAP server
>>> The LDAP server is successfully connected
>>> init_sam_from_ldap: Entry found for user: someid
>>> Home server: SAMBAHOST
>>> Home server: SAMBAHOST
>>> init_group_from_ldap: Entry found for group: 1011
>>> init_group_from_ldap: Entry found for group: 1011
>>> Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN
>>> and not a domain group
>>> Forcing Primary Group to 'Domain Users' for someid
>>> ntlm_password_check: Checking NTLMv2 password with domain [CIN]
>>> sam_account_ok: Checking SMB password for user someid
>>> The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not
>>> match
>>> the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708)
>>> smbldap_open_connection: connection opened
>>> ldap_connect_system: successful connection to the LDAP server
>>> The LDAP server is successfully connected
>>> init_sam_from_ldap: Entry found for user: someid
>>> Home server: SAMBAHOST
>>> Home server: SAMBAHOST
>>> init_group_from_ldap: Entry found for group: 1011
>>> init_group_from_ldap: Entry found for group: 1011
>>> Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN
>>> and not a domain group
>>> Forcing Primary Group to 'Domain Users' for someid
>>> ntlm_password_check: Checking NTLMv2 password with domain [CIN]
>>> sam_account_ok: Checking SMB password for user someid
>>> The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not
>>> match
Andrew Bartlett
Jun 21, 2013, 3:58:20 AM6/21/13
to
On Thu, 2013-06-20 at 10:26 +0200, Philipp Lies wrote:
> Hi,
>
> I'm trying to get my new samba server running for a few days now and I
> start losing my mind over not figuring out what I'm doing wrong. Here's
> my setup:
>
> OpenLDAP 2.4.21 server with ~15 groups and >100 users, all having a unix
> and a samba NT password stored in the LDAP as well as a User SID and
> Primary Group SID assigned and stored in the LDAP, derived from the SID
> of the LDAP Server.
>
> Now I want several samba servers to use the LDAP server to authenticate
> users.
If you want multiple samba servers to use the same LDAP backend, they
> Hi,
>
> I'm trying to get my new samba server running for a few days now and I
> start losing my mind over not figuring out what I'm doing wrong. Here's
> my setup:
>
> OpenLDAP 2.4.21 server with ~15 groups and >100 users, all having a unix
> and a samba NT password stored in the LDAP as well as a User SID and
> Primary Group SID assigned and stored in the LDAP, derived from the SID
> of the LDAP Server.
>
> Now I want several samba servers to use the LDAP server to authenticate
> users.
essentially all need to be domain controllers of the same domain. This
is the supported way to have a single backend shared between multiple
servers.
You don't need to ever use the DC function from windows clients, but the
servers need to think they are a DC.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Daniel Müller
Jun 21, 2013, 4:23:37 AM6/21/13
to
For me the better way would be, to run serveral openldap servers in master
master replication on your
DC and several BDC. And no headache about anything.
Or just point your BSCs to authenticate against the DCs openldap. But when
your DC is down your authentication is gone.
Greetings
Daniel
-----------------------------------------------
EDV Daniel Müller
Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mue...@tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
-----Ursprüngliche Nachricht-----
Von: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] Im
Auftrag von Andrew Bartlett
Gesendet: Freitag, 21. Juni 2013 09:58
An: Philipp Lies
Cc: sa...@lists.samba.org
Betreff: Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary
group SID mismatch
master replication on your
DC and several BDC. And no headache about anything.
Or just point your BSCs to authenticate against the DCs openldap. But when
your DC is down your authentication is gone.
Greetings
Daniel
-----------------------------------------------
EDV Daniel Müller
Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mue...@tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
-----Ursprüngliche Nachricht-----
Von: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] Im
Auftrag von Andrew Bartlett
Gesendet: Freitag, 21. Juni 2013 09:58
An: Philipp Lies
Cc: sa...@lists.samba.org
Betreff: Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary
group SID mismatch
Philipp Lies
Jun 21, 2013, 4:38:04 PM6/21/13
to
Thanks for the recommendations! I was hoping that there'd be a simple
solution/config parameter to force the samba server trust the LDAP (it's
still puzzling me why the other machines I have do work like that).
I'll try to set up my new servers as DCs and see how this goes. The idea
with using the samba servers for LDAP replication as well sounds
interesting. I'll look into that as well.
Thanks!
Philipp
solution/config parameter to force the samba server trust the LDAP (it's
still puzzling me why the other machines I have do work like that).
I'll try to set up my new servers as DCs and see how this goes. The idea
with using the samba servers for LDAP replication as well sounds
interesting. I'll look into that as well.
Thanks!
Philipp
Luca Olivetti
Jun 22, 2013, 9:46:49 AM6/22/13
to
Al 20/06/13 17:12, En/na Gaiseric Vandal ha escrit:
> If you want to centralize the samba accounts I think the proper way
> would be to use member servers.
Just yesterday I had the same problem with a member server (running
samba 3.6.15), pointing to the ldap server on the domain controller (3.5.2).
No matter what I did, "net setlocalsid" seemed to do nothing.
I don't remember what I did to finally solve it, I only know that I
deleted secrets.tdb (and/or the rest of the tdb files) a million times,
deleting the domain for the new server in ldap, and trying to set the
localsid before joining the domain, and finally the member server got
the same sid as the domain (also stored in ldap).
I'm not convinced it's 100% working yet, (e.g. smbclient -L shows the
workgroup but not the master) but at least it doesn't complain and I can
see its shares.
The funny thing is, I have another member server, which has been working
fine (samba 3.5.6) for a while, yet yesterday, while trying to debug the
new server, I discovered it complained about the same sid mismatch.
Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
> If you want to centralize the samba accounts I think the proper way
> would be to use member servers.
samba 3.6.15), pointing to the ldap server on the domain controller (3.5.2).
No matter what I did, "net setlocalsid" seemed to do nothing.
I don't remember what I did to finally solve it, I only know that I
deleted secrets.tdb (and/or the rest of the tdb files) a million times,
deleting the domain for the new server in ldap, and trying to set the
localsid before joining the domain, and finally the member server got
the same sid as the domain (also stored in ldap).
I'm not convinced it's 100% working yet, (e.g. smbclient -L shows the
workgroup but not the master) but at least it doesn't complain and I can
see its shares.
The funny thing is, I have another member server, which has been working
fine (samba 3.5.6) for a while, yet yesterday, while trying to debug the
new server, I discovered it complained about the same sid mismatch.
Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
info.thomas...@gmail.com
Aug 5, 2014, 4:01:56 AM8/5/14
to
We had several samba 3 servers running - all using the same ldap server.
Then we tried to use one samba 4 in this setup, and encountered the promlems Luca Olivetti described.
What was the final solution - can you remember?
Thamks for your help!
Then we tried to use one samba 4 in this setup, and encountered the promlems Luca Olivetti described.
What was the final solution - can you remember?
Thamks for your help!
0 new messages