Re: [Samba] Samba v3 works with LDAP, but not Samba v4
On Tue, 2018-10-16 at 20:55 +0100, Rowland Penny via samba wrote:
> On Tue, 16 Oct 2018 12:13:16 -0700
> Emil Henry via samba <samba@xxxxxxxxxxxxxxx> wrote:
> 
> > Hello!
> > 
> > We have Samba v3 (3.5.10) working against an LDAP server, and need to
> > upgrade to Samba v4 (4.7.1), RHEL 7 supports only v4. Tried multiple
> > configs of the smb.conf (including the old config) without success.
> > Cleaned up smb.conf is below. Also, included is the output of a
> > smbclient command on the SMBServer with debug option 10. Hoping that
> > someone can point me in the right direction.
> > 
> > Thanks
> > 
> > [global]
> >         security = user
> >         ldap user suffix = ou=people
> >         ldap group suffix = ou=groups
> >         ldap ssl = off
> >         ldap passwd sync = yes
> >         ldap delete dn = no
> >         workgroup = WORKGROUP
> >         server string = "Samba Drives"
> >         netbios name = SMBServer
> >         log file = /var/log/samba/log.%m
> > 
> > # For debugging enable the log level of 5
> >         log level = 5
> >         max log size = 50
> > 
> > # LDAP Settings
> >         ldap suffix = "o=EXAMPLE"
> >         ldap admin dn = "cn=PUSer,ou=Proxies,ou=Auth,o=EXAMPLE"
> >         passdb backend = ldapsam:ldap://ldapserver.example.com
> > 
> > [homes]
> >         valid users = %S
> >         read only = No
> >         writeable = yes
> >         browseable = no
> >         create mask = 0600
> >         public = No
> >         comment = %u's Z-Drive
> >         nt acl support = no
> >         inherit permissions = no
> >         hide dot files = yes
> >         directory mask = 0700
> >         force create mode = 0700
> >         valid users = MYDOMAIN\%S
> > 
> 
> Hmm, I don't think this is going to work:
> 
> negotiated dialect[SMB3_11] against server[localhost]
> 
> Try adding:
> 
> server max protocol = NT1
> client max protocol = NT1
> 
> To smb.conf
> 
> Check that Samba can contact the ldap server.

G'Day Rowland,

The client-side log shows smbclient contacting smbd fine and getting to
the session setup, so it isn't the protocol version.  

Emil,

The logs we need are from Samba on the server, not smbclient.

The use of LDAP by Samba in this configuration is all 'behind' smbd,
not related at all to the smbclient call.

e.g.

[smbclient] <- SMB -> [smbd] <- LDAP -> [slapd]

The use case here is for Samba as a standalone server using an LDAP
server for the passdb.  This is a rare configuration, almost all users
of this mode have Samba as DC so that multiple Samba servers can share
the same LDAP backend (even if that functionality is unused).  This is
because each server has an internal 'domain' if not a DC, and that has
a SID, and each LDAP entry can only have one SID.

Do you have multiple servers referring to this backend?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
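As an added illustration of the SID constraint Andrew describes (not code from the thread or from Samba): each sambaSamAccount entry in an ldapsam backend carries one sambaSID, and its domain part has to match the SID of the standalone smbd that reads it, so entries written for a different server's SID are not that server's users. The LDIF entries and the local SID below are constructed samples; on a real host the local SID would come from `net getlocalsid` and the entries from `ldapsearch`.

```python
import re
# Constructed sample standing in for ldapsearch output from the ldapsam backend
# (objectClass sambaSamAccount); carol deliberately has no sambaSID.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,o=EXAMPLE
uid: alice
sambaSID: S-1-5-21-1111-2222-3333-1000

dn: uid=bob,ou=people,o=EXAMPLE
uid: bob
sambaSID: S-1-5-21-4444-5555-6666-1002

dn: uid=carol,ou=people,o=EXAMPLE
uid: carol
"""
# Constructed placeholder; on the real smbd host this comes from `net getlocalsid`.
LOCAL_SID = "S-1-5-21-1111-2222-3333"
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry[attr.lower()] = value.strip()
        entries.append(entry)
    return entries

def split_sid(sid):
    """Return (domain SID, RID) for a domain-qualified SID S-1-5-21-a-b-c-RID."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a domain-qualified SID: {sid}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def check_entries(ldif, local_sid):
    """Classify entries as 'ok' (domain part equals local_sid), 'foreign' or 'missing'."""
    result = {"ok": [], "foreign": [], "missing": []}
    for entry in parse_ldif(ldif):
        uid = entry.get("uid", entry.get("dn", "?"))
        sid = entry.get("sambasid")
        if sid is None:
            result["missing"].append(uid)
            continue
        domain, _rid = split_sid(sid)
        result["ok" if domain == local_sid else "foreign"].append(uid)
    return result
```

Accounts reported as `foreign` or `missing` will not be treated as this server's users, which is the situation Andrew warns about when several standalone servers are pointed at one ldapsam backend.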
