I'm trying to get my new samba server running for days now and I start losing my mind over not figuring out what I'm doing wrong. Here's my setup:
OpenLDAP 2.4.21 server with ~15 groups and >100 users, all having a unix and a samba password stored in the LDAP as well as a User SID and Primary Group SID assigned and stored in the LDAP, derived from the SID of the LDAP Server.
Now I want to use several samba servers to use the LDAP server to authenticate users.
The samba server is a Linux machine configured with NSS/PAM using the LDAP server. getent passwd/group returns all users and ssh to the samba machine works for all users. Now here's the smb.conf:
[global]
workgroup = XXXXX
security = user
passdb backend = ldapsam:ldap://myldapserver
ldap suffix = dc=mydomain,dc=com
ldap admin dn = cn=replicator,dc=mydomain,dc=com
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap ssl = start tls
The LDAP connection works, as pdbedit -L shows:
pm_process() returned Yes
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBAHOSTNAME))]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
The LDAP server is successfully connected
smbldap_search_paged: base => [dc=mydomain,dc=com], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
smbldap_search_paged: search was successful
sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain
and then the last message repeats for all uids.
Using smbclient -L localhost -U someid, the log file says:
check_ntlm_password: Checking password for unmapped user [XXX]\[someid]@[SAMBAHOST] with the new password interface
check_ntlm_password: mapped user is: [SAMBAHOST]\[someid]@[SAMBAHOST]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
The LDAP server is successfully connected
init_sam_from_ldap: Entry found for user: someid
Home server: SAMBAHOST
Home server: SAMBAHOST
init_group_from_ldap: Entry found for group: 1011
init_group_from_ldap: Entry found for group: 1011
Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN and not a domain group
Forcing Primary Group to 'Domain Users' for someid
ntlm_password_check: Checking NTLMv2 password with domain [CIN]
sam_account_ok: Checking SMB password for user someid
The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not match the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708)
check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
check_ntlm_password: Authentication for user [someid] -> [someid] FAILED with error NT_STATUS_UNSUCCESSFUL
What I see here is that the samba server does not recognize the primary group of the user (which is an existing group in the LDAP) and therefore maps the primary group to its local "Domain Users" group, which then obviously does not match the domain SID of the user ID.
But why doesn't the samba server recognize the group? Or is there a different underlying problem?
What I tried so far:
Changing the SID of the samba server to the SID of the LDAP server, but net setlocalsid S-... did not change the local SID. No error message, it just executed successfully, but getlocalsid returned the old SID.
Setting the domain SID of the samba server to the SID of the LDAP server. net setdomainsid S-... was successful, but the samba server still refuses to authenticate the users.
Tried adding the server to the domain with net join XXX, but the answer was just "standalone server cannot join domain".
I tried to run smbpasswd -a to add the user to the local samba db (even though this would not be an option for the final solution, but that's what other users recommended), but the error didn't change.
How can I either tell samba to ignore the domain SID mismatch or force samba to have the same SID as the LDAP? Or would this cause other problems if ~10 Samba servers and the LDAP in the end all have the exact same SID?
Best Answer
I had a similar issue. What I had to do was edit the sambaSID entries for the domain, user and group in LDAP so they would match with what my server had. If not, you will get the following error message in the Samba log on your server. To see this log, be sure log level = 2 is set in your smb.conf.

On your server run net getdomainsid. This will return the localsid and domainsid. These values should match. If they do not, run net setdomainsid to the value of SID for local machine.

Now on your LDAP server take the value of SID for domain and make sure this is the value of the attribute sambaSID for sambaDomainName=THISDOMAIN.

Also make sure sambaSID and sambaPrimaryGroupID of the users, and sambaSID of the group, are composed of the SID for domain and a unique value for the attribute. For example, the sambaSID for someuser would be S-1-5-21-748580849-194208185-3916830000-99999 and their sambaPrimaryGroupID would be S-1-5-21-748580849-194208185-3916830000-555. The sambaSID for the group would be S-1-5-21-748580849-194208185-3916830000-77777.

Hope this helps!!!
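The answer above describes a manual consistency check: the local SID and domain SID reported by net getdomainsid must agree, and every sambaSID / sambaPrimaryGroupID stored in LDAP must be built from that domain SID plus a unique RID. The script below is an added example (not code from the original question or answer) that performs exactly that check offline over constructed sample entries. It assumes the two-line "SID for local machine ... is:" / "SID for domain ... is:" output shape the answer quotes; the LDAP entries, DNs and RIDs are constructed placeholders shaped like the question's directory layout, not values from any real server.

```python
import re

# A domain-scoped SID looks like S-1-5-21-<a>-<b>-<c>-<rid>; everything before
# the last component is the domain SID, the last component is the RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Split a domain-scoped SID into (domain_sid, rid); ValueError on bad input."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    return m.group(1), int(m.group(2))


def parse_net_getdomainsid(output):
    """Extract (local_machine_sid, domain_sid) from `net getdomainsid` output.

    Assumption: the two lines "SID for local machine X is: S-..." and
    "SID for domain Y is: S-..." quoted in the answer above.
    """
    local = domain = None
    for line in output.splitlines():
        m = re.match(r"SID for local machine \S+ is: (S-[\d-]+)", line.strip())
        if m:
            local = m.group(1)
            continue
        m = re.match(r"SID for domain \S+ is: (S-[\d-]+)", line.strip())
        if m:
            domain = m.group(1)
    return local, domain


def check_entries(domain_sid, entries):
    """Return a list of (dn, problem) tuples; an empty list means all SIDs are consistent."""
    problems = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", [])}
        dn = e["dn"]
        # The sambaDomain entry must carry the domain SID itself, with no RID.
        if "sambadomain" in classes:
            if e.get("sambaSID") != domain_sid:
                problems.append((dn, "sambaSID %s != domain SID %s" % (e.get("sambaSID"), domain_sid)))
            continue
        # Users need both a user SID and a primary-group SID; groups need one SID.
        attrs = []
        if "sambasamaccount" in classes:
            attrs = ["sambaSID", "sambaPrimaryGroupID"]
        elif "sambagroupmapping" in classes:
            attrs = ["sambaSID"]
        for attr in attrs:
            value = e.get(attr)
            if value is None:
                problems.append((dn, "missing " + attr))
                continue
            try:
                prefix, _rid = split_sid(value)
            except ValueError:
                problems.append((dn, "%s is malformed: %s" % (attr, value)))
                continue
            if prefix != domain_sid:
                problems.append((dn, "%s %s is outside domain %s" % (attr, value, domain_sid)))
    return problems


# Constructed sample data (placeholders, not output from a real server).
DOMAIN_SID = "S-1-5-21-748580849-194208185-3916830000"
OTHER_SID = "S-1-5-21-111111111-222222222-333333333"  # a mismatching domain, constructed

SAMPLE_NET_OUTPUT = (
    "SID for local machine SAMBAHOST is: " + DOMAIN_SID + "\n"
    "SID for domain XXXXX is: " + DOMAIN_SID + "\n"
)

SAMPLE_ENTRIES = [
    {"dn": "sambaDomainName=XXXXX,dc=mydomain,dc=com",
     "objectClass": ["sambaDomain"], "sambaSID": DOMAIN_SID},
    {"dn": "uid=someuser,ou=users,dc=mydomain,dc=com",
     "objectClass": ["posixAccount", "sambaSamAccount"],
     "sambaSID": DOMAIN_SID + "-99999", "sambaPrimaryGroupID": DOMAIN_SID + "-555"},
    # This user was provisioned under a different SID, the situation in the question.
    {"dn": "uid=someid,ou=users,dc=mydomain,dc=com",
     "objectClass": ["posixAccount", "sambaSamAccount"],
     "sambaSID": OTHER_SID + "-5708", "sambaPrimaryGroupID": OTHER_SID + "-1000"},
    {"dn": "cn=somegroup,ou=groups,dc=mydomain,dc=com",
     "objectClass": ["posixGroup", "sambaGroupMapping"], "sambaSID": DOMAIN_SID + "-77777"},
]


def run_check():
    """Apply the answer's procedure: server SIDs first, then every LDAP entry."""
    local, domain = parse_net_getdomainsid(SAMPLE_NET_OUTPUT)
    if local != domain:
        return [("net getdomainsid", "local SID %s != domain SID %s" % (local, domain))]
    return check_entries(domain, SAMPLE_ENTRIES)


if __name__ == "__main__":
    for dn, problem in run_check():
        print(dn, "->", problem)
```

On a real server you would feed parse_net_getdomainsid the captured output of net getdomainsid and build the entries list from an ldapsearch over the user, group and domain suffixes; any entry reported by check_entries is one whose sambaSID or sambaPrimaryGroupID needs to be rewritten to the domain SID, which is the mismatch behind the "does not belong to our domain" and "primary group domain sid ... does not match" lines in the question's logs.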