
Re: [Samba] Samba v3 works with LDAP, but not Samba v4




Hi Kris!

Sadly, I have done it too many times. :-(

Thanks.

On Tue, Oct 16, 2018 at 3:03 PM Kris Lou via samba <samba@xxxxxxxxxxxxxxx>
wrote:

> Just because it hasn't yet been mentioned, did you run 'smbpasswd -w
> <ldap-secret>' to pass samba the admin dn passwords?
>
> https://wiki.samba.org/index.php/Samba_%26_LDAP#Let_Samba_use_LDAP
>
>
> Kris Lou
> klou@xxxxxxxxxxxxxxxx
>
> On Tue, Oct 16, 2018 at 2:24 PM, Andrew Bartlett via samba <
> samba@xxxxxxxxxxxxxxx> wrote:
>
> > On Tue, 2018-10-16 at 20:55 +0100, Rowland Penny via samba wrote:
> > > On Tue, 16 Oct 2018 12:13:16 -0700
> > > Emil Henry via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > >
> > > > Hello!
> > > >
> > > > We have Samba v3 (3.5.10) working against an LDAP server, and need to
> > > > upgrade to Samba v4 (4.7.1); RHEL 7 supports only v4. Tried multiple
> > > > configs of the smb.conf (including the old config) without success.
> > > > Cleaned up smb.conf is below. Also, included is the output of a
> > > > smbclient command on the SMBServer with debug option 10. Hoping that
> > > > someone can point me in the right direction.
> > > >
> > > > Thanks
> > > >
> > > > [global]
> > > >         security = user
> > > >         ldap user suffix = ou=people
> > > >         ldap group suffix = ou=groups
> > > >         ldap ssl = off
> > > >         ldap passwd sync = yes
> > > >         ldap delete dn = no
> > > >         workgroup = WORKGROUP
> > > >         server string = "Samba Drives"
> > > >         netbios name = SMBServer
> > > >         log file = /var/log/samba/log.%m
> > > >
> > > > # For debugging enable the log level of 5
> > > >         log level = 5
> > > >         max log size = 50
> > > >
> > > > # LDAP Settings
> > > >         ldap suffix = "o=EXAMPLE"
> > > >         ldap admin dn = "cn=PUSer,ou=Proxies,ou=Auth,o=EXAMPLE"
> > > >         passdb backend = ldapsam:ldap://ldapserver.example.com
> > > >
> > > > [homes]
> > > >         valid users = %S
> > > >         read only = No
> > > >         writeable = yes
> > > >         browseable = no
> > > >         create mask = 0600
> > > >         public = No
> > > >         comment = %u's Z-Drive
> > > >         nt acl support = no
> > > >         inherit permissions = no
> > > >         hide dot files = yes
> > > >         directory mask = 0700
> > > >         force create mode = 0700
> > > >         valid users = MYDOMAIN\%S
> > > >
> > >
> > > Hmm, I don't think this is going to work:
> > >
> > > negotiated dialect[SMB3_11] against server[localhost]
> > >
> > > Try adding:
> > >
> > > server max protocol = NT1
> > > client max protocol = NT1
> > >
> > > To smb.conf
> > >
> > > Check that Samba can contact the ldap server.
> >
> > G'Day Rowland,
> >
> > The client-side log shows smbclient contacting smbd fine and getting to
> > the session setup, so it isn't the protocol version.
> >
> > Emil,
> >
> > The logs we need are from Samba on the server, not smbclient.
> >
> > The use of LDAP by Samba in this configuration is all 'behind' smbd,
> > not related at all to the smbclient call.
> >
> > eg
> >
> > [smbclient] <- SMB -> [smbd] <- LDAP -> [slapd]
> >
> > The use case here is for Samba as a standalone server using an LDAP
> > server for the passdb.  This is a rare configuration, almost all users
> > of this mode have Samba as DC so that multiple Samba servers can share
> > the same LDAP backend (even if that functionality is unused).  This is
> > because each server has an internal 'domain' if not a DC, and that has
> > a SID, and each LDAP entry can only have one SID.
> >
> > Do you have multiple servers referring to this backend?
> >
> > Thanks,
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett
> > https://samba.org/~abartlet/
> > Authentication Developer, Samba Team         https://samba.org
> > Samba Development and Support, Catalyst IT
> > https://catalyst.net.nz/services/samba
> >
> >
> >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
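
Added example, not part of the thread or of Samba: a way to test the [smbd] <- LDAP -> [slapd] leg on its own, as the replies about checking LDAP connectivity and 'smbpasswd -w' suggest. It reads the ldapsam settings from an smb.conf and builds the equivalent ldapsearch bind, and goes slightly beyond the thread by flagging a cleartext bind and parameters assigned twice. The function names are hypothetical, the sample is constructed from the quoted config, and ldapsearch is assumed to be the OpenLDAP client.

```python
import re
import shlex
# Constructed sample: the LDAP-related lines of the smb.conf quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
        ldap ssl = off
        ldap suffix = "o=EXAMPLE"
        ldap admin dn = "cn=PUSer,ou=Proxies,ou=Auth,o=EXAMPLE"
        passdb backend = ldapsam:ldap://ldapserver.example.com
[homes]
        valid users = %S
        valid users = MYDOMAIN\\%S
"""

def parse_smb_conf(text):
    """Return ({section: {param: value}}, [(section, param) assigned more than once])."""
    sections, repeated, name = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            name = header.group(1).lower()
            sections.setdefault(name, {})
        elif name is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)       # only the first '=' separates name and value
            key = " ".join(key.lower().split())   # names are case-insensitive; collapse spacing
            if key in sections[name]:
                repeated.append((name, key))
            sections[name][key] = value.strip().strip('"')  # this parser keeps the last value
    return sections, repeated

def ldap_leg_check(text):
    """Return (ldapsearch argv for the bind smbd performs, list of warnings).

    -x is a simple bind; -W prompts for the password stored with 'smbpasswd -w'.
    """
    sections, repeated = parse_smb_conf(text)
    g = sections.get("global", {})
    backend = g.get("passdb backend", "")
    if not backend.startswith("ldapsam:"):
        raise ValueError("passdb backend is not ldapsam")
    uri = backend[len("ldapsam:"):]
    argv = ["ldapsearch", "-x", "-H", uri, "-D", g["ldap admin dn"], "-W",
            "-b", g["ldap suffix"], "-s", "base"]
    warnings = [f"[{s}] '{k}' is set more than once" for s, k in repeated]
    if uri.startswith("ldap://") and g.get("ldap ssl", "").lower() == "off":
        warnings.insert(0, "admin DN password is sent in cleartext (ldap:// with ldap ssl = off)")
    return argv, warnings

if __name__ == "__main__":
    cmd, notes = ldap_leg_check(SAMPLE_SMB_CONF)
    print(shlex.join(cmd), *notes, sep="\n")
```

If the printed ldapsearch command fails from the Samba host with the same DN and password, the problem is between smbd and slapd rather than in the SMB session setup.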