I've been trying to get my new samba server running for days now and I'm starting to lose my mind over not figuring out what I'm doing wrong. Here's my setup:
OpenLDAP 2.4.21 server with ~15 groups and >100 users, all having a unix and a samba password stored in the LDAP as well as a User SID and Primary Group SID assigned and stored in the LDAP, derived from the SID of the LDAP Server.
Now I want several samba servers to use the LDAP server to authenticate users. The samba server is a Linux machine configured with NSS/PAM using the LDAP server. getent passwd/group returns all users and ssh to the samba machine works for all users. Now here's the smb.conf:
    [global]
    workgroup = XXXXX
    security = user
    passdb backend = ldapsam:ldap://myldapserver
    ldap suffix = dc=mydomain,dc=com
    ldap admin dn = cn=replicator,dc=mydomain,dc=com
    ldap user suffix = ou=users
    ldap group suffix = ou=groups
    ldap machine suffix = ou=computers
    ldap ssl = start tls

The LDAP connection works, as pdbedit -L shows:
    pm_process() returned Yes
    smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBAHOSTNAME))]
    StartTLS issued: using a TLS connection
    smbldap_open_connection: connection opened
    ldap_connect_system: successful connection to the LDAP server
    The LDAP server is successfully connected
    smbldap_search_paged: base => [dc=mydomain,dc=com], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
    smbldap_search_paged: search was successful
    sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain

and then the last message repeats for all uids. Using smbclient -L localhost -U someid, the log file says:
    check_ntlm_password: Checking password for unmapped user [XXX]\[someid]@[SAMBAHOST] with the new password interface
    check_ntlm_password: mapped user is: [SAMBAHOST]\[someid]@[SAMBAHOST]
    StartTLS issued: using a TLS connection
    smbldap_open_connection: connection opened
    ldap_connect_system: successful connection to the LDAP server
    The LDAP server is successfully connected
    init_sam_from_ldap: Entry found for user: someid
    Home server: SAMBAHOST
    Home server: SAMBAHOST
    init_group_from_ldap: Entry found for group: 1011
    init_group_from_ldap: Entry found for group: 1011
    Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN and not a domain group
    Forcing Primary Group to 'Domain Users' for someid
    ntlm_password_check: Checking NTLMv2 password with domain [CIN]
    sam_account_ok: Checking SMB password for user someid
    The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not match the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708)
    check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
    check_ntlm_password: Authentication for user [someid] -> [someid] FAILED with error NT_STATUS_UNSUCCESSFUL

What I see here is that the samba server does not recognize the primary group of the user (which is an existing group in the LDAP) and therefore maps the primary group to its local "Domain Users" group, which then obviously does not match the domain SID of the userid. But why doesn't the samba server recognize the group? Or is there a different underlying problem?
What I tried so far:
Changing the SID of the samba server to the SID of the LDAP server, but net setlocalsid S-... did not change the local SID. No error message, just executed successfully but getlocalsid returned the old SID.
Setting the domainsid of the samba server to the SID of the ldap server. net setdomainsid S-... was successful but the samba server still refuses to authenticate the users.
I tried adding the server to the domain with net join XXX, but the answer was just "standalone server cannot join domain".
I tried to run smbpasswd -a to add the user to the local samba db (even though this would not be an option for the final solution, it's what other users recommended), but the error didn't change.
How can I either tell samba to ignore the domain SID mismatch or force samba to have the same SID as the LDAP? Or would this cause other problems if ~10 Samba servers and the LDAP server in the end all have the exact same SID?
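A consistency check for the SID relationships the log lines above complain about, as an added example that is not part of the original post: it parses a constructed LDIF excerpt (placeholder SIDs, standing in for an ldapsearch dump of the sambaDomain, sambaGroupMapping and sambaSamAccount entries) and compares every user, group and primary-group SID against the sambaDomain SID and the SID reported by net getlocalsid, which is the comparison ldapsam makes before it logs "does not belong to our domain" or "primary group domain sid ... does not match".

```python
# Constructed LDIF excerpt (placeholder SIDs), standing in for an ldapsearch dump.
SAMPLE_LDIF = """\
dn: sambaDomainName=SAMBAHOST,dc=mydomain,dc=com
objectClass: sambaDomain
sambaSID: S-1-5-21-111-111-111

dn: cn=staff,ou=groups,dc=mydomain,dc=com
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-222-222-222-1000

dn: uid=someid,ou=users,dc=mydomain,dc=com
objectClass: sambaSamAccount
sambaSID: S-1-5-21-222-222-222-5708
sambaPrimaryGroupSID: S-1-5-21-222-222-222-1000
"""

def parse_ldif(text):
    """Split a minimal, unwrapped LDIF dump into {attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def domain_part(sid):
    """Strip the RID: S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c (domain SIDs pass through)."""
    parts = sid.split("-")
    return "-".join(parts[:7]) if len(parts) == 8 else sid

def sid_mismatches(ldif_text, local_sid):
    """Report SIDs that would trip ldapsam's 'does not belong to our domain' checks."""
    entries = parse_ldif(ldif_text)
    domains = [e for e in entries if "sambaDomain" in e.get("objectClass", [])]
    if not domains:
        return ["no sambaDomain entry matching this host's netbios name"]
    domain_sid = domains[0]["sambaSID"][0]
    problems = []
    if domain_sid != local_sid:
        problems.append(f"local SID {local_sid} != sambaDomain SID {domain_sid}")
    # Every user SID, group SID and primary-group SID must share the domain prefix.
    for e in (x for x in entries if x is not domains[0]):
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            for sid in e.get(attr, []):
                if domain_part(sid) != domain_sid:
                    problems.append(f"{e['dn'][0]}: {attr} {sid} not in {domain_sid}")
    return problems
```

Feed it the real ldapsearch output and the output of net getlocalsid on each samba host; an empty list means the three SIDs the log compares (local, sambaDomain, and the prefix of the user and group SIDs) all agree.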