Hi Junior!

Great info. I had set the DomainSID to the SID from the LDAP server a week
or so ago, and that did not help. After your pointer, I then tried to set
the LocalSID to the LDAP SID, but it did not hold. Did a Google search, and
one suggestion was to add

server role = classic backup domain controller

to the smb.conf. This allowed me to do a "net SetLocalSID" to the SID from
the LDAP server, and now everything seems to work. Now, I need to check,
test and clean up. Thank you for the details.


On Wed, Oct 17, 2018 at 12:37 PM Junior Oliveira <emersonjr.eng@xxxxxxxxx>

> Hi, I'm new to this discussion here but I was reading and remembered I'd
> solved almost the same problem you're having.
> I was connecting a Samba 4 standalone server with an existing LDAP server
> which was already being used as backend for a Samba 3. In the process of
> connecting SMB4 I had that SID mismatch issue. To solve it, I used "net
> setdomainsid" to set the SMB4 domain SID to the one configured on LDAP; that
> configuration was set in all users.
> After this, SMB4 was logging in with LDAP user credentials smoothly.
> I know it worked but this work-around may be a problem in the future, so I
> also suggest you do what Rowland is saying (I got to do this as well :D), but
> if you're facing an urgency, like I was, it will help you for a while.
> I feel glad to share it with you if it was useful info.
> On Wed, 17 Oct 2018 at 17:36, Andrew Bartlett via samba <
> samba@xxxxxxxxxxxxxxx> wrote:
>> On Wed, 2018-10-17 at 06:17 -0700, Emil Henry via samba wrote:
>> > Hi Andrew!
>> >
>> > > The user 'johndoe' seems to be rejected because it has the wrong SID.
>> > >
>> > > It is the group in this case, we changed the rules to make them
>> > > stricter a while back, the primary group needs a group mapping entry
>> > > matching the SID of the standalone server.
>> > >
>> >
>> > How would I match the Primary Group without breaking the existing Samba
>> > server that connects to this LDAP server? That samba server does not
>> > belong to me, and may stay at v3 for a while longer.
>> G'Day Emil,
>> I asked at the start of this if you had any other Samba servers talking
>> to this LDAP backend.  Clearly we have miscommunicated.
>> Your configuration is not supported.  One 'domain' per LDAP backend is
>> the rule.
>> Each standalone server is a domain of itself.  The only way to share a
>> backend is to make all servers that use the backend be NT4-like DCs of
>> the same domain.
>> You will need to work with the owner of the other Samba server to
>> resolve this.  Ideally you would upgrade to Samba's AD DC and make both
>> file servers domain members, but as Rowland mentions this can be a long
>> and difficult process depending on what else depends on this LDAP
>> server.
>> Sorry,
>> Andrew Bartlett
>> --
>> Andrew Bartlett                       http://samba.org/~abartlet/
>> Authentication Developer, Samba Team  http://samba.org
>> Samba Developer, Catalyst IT
>> http://catalyst.net.nz/services/samba
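A consistency check for the SID relationships this thread turns on (the server's local SID, its domain SID, the sambaSID of the domain entry in LDAP, and each account's sambaSID and sambaPrimaryGroupSID), written as an added example for this reply rather than anything from the thread or the Samba project. It assumes the "SID for domain ... is: S-1-5-21-..." output format of `net getlocalsid` / `net getdomainsid`, and feeds constructed sample outputs and a constructed LDIF in place of live commands; the function names and sample SIDs are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba itself: check that a Samba
# server's local SID and domain SID match the sambaSID stored in the LDAP
# backend, and that every user's sambaSID / sambaPrimaryGroupSID sits under
# that domain SID. A mismatch in any of these is the "wrong SID" rejection
# discussed in the thread.
#
# Live inputs would come from (assumed usage, replace the samples below):
#   net getlocalsid            (local SID of this server)
#   net getdomainsid           (domain SID this server believes in)
#   ldapsearch -LLL ... '(objectClass=sambaSamAccount)' sambaSID sambaPrimaryGroupSID
#   ldapsearch -LLL ... '(objectClass=sambaDomain)' sambaSID
# Everything below is a constructed sample in the assumed output formats.

# "SID for domain SRV1 is: S-1-5-21-1-2-3"  ->  "S-1-5-21-1-2-3"
sid_from_net_output() {
    printf '%s\n' "$1" | sed -n 's/.*\(S-1-5-21-[0-9]*-[0-9]*-[0-9]*\).*/\1/p'
}

# Strip the trailing RID: S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c
domain_part() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# check_sids LOCAL_SID DOMAIN_SID LDAP_DOMAIN_SID LDIF_TEXT
# Prints one MISMATCH line per problem; returns 0 when consistent, 1 otherwise.
check_sids() {
    cs_local=$1; cs_domain=$2; cs_ldap=$3; cs_ldif=$4
    cs_rc=0
    if [ "$cs_local" != "$cs_ldap" ]; then
        echo "MISMATCH: local SID $cs_local != LDAP domain SID $cs_ldap (net setlocalsid)"
        cs_rc=1
    fi
    if [ "$cs_domain" != "$cs_ldap" ]; then
        echo "MISMATCH: domain SID $cs_domain != LDAP domain SID $cs_ldap (net setdomainsid)"
        cs_rc=1
    fi
    # Every account SID and primary-group SID must be <LDAP domain SID>-<RID>,
    # otherwise the primary group cannot map to this server's domain.
    cs_sids=$(printf '%s\n' "$cs_ldif" | awk '$1 == "sambaSID:" || $1 == "sambaPrimaryGroupSID:" { print $2 }')
    for cs_sid in $cs_sids; do
        if [ "$(domain_part "$cs_sid")" != "$cs_ldap" ]; then
            echo "MISMATCH: $cs_sid is not under LDAP domain SID $cs_ldap"
            cs_rc=1
        fi
    done
    return $cs_rc
}

# --- constructed sample data ---
NET_LOCAL_OUT='SID for domain SRV1 is: S-1-5-21-444-555-666'   # fresh standalone SID
NET_DOMAIN_OUT='SID for domain SRV1 is: S-1-5-21-111-222-333'  # already set via net setdomainsid
LDAP_DOMAIN_SID='S-1-5-21-111-222-333'                         # sambaDomain sambaSID in LDAP
SAMPLE_LDIF='dn: uid=johndoe,ou=People,dc=example,dc=com
sambaSID: S-1-5-21-111-222-333-1001
sambaPrimaryGroupSID: S-1-5-21-111-222-333-513

dn: uid=stale,ou=People,dc=example,dc=com
sambaSID: S-1-5-21-999-888-777-1002
sambaPrimaryGroupSID: S-1-5-21-111-222-333-513'

if check_sids "$(sid_from_net_output "$NET_LOCAL_OUT")" \
              "$(sid_from_net_output "$NET_DOMAIN_OUT")" \
              "$LDAP_DOMAIN_SID" "$SAMPLE_LDIF"; then
    echo "SIDs consistent"
else
    echo "SID inconsistencies found; fix before expecting LDAP logins to work"
fi
```

On the sample data the script reports two problems: the local SID still differs from the LDAP domain SID (the situation the `net setlocalsid` step in this thread fixed), and one account carries a sambaSID from a different domain, which no group mapping on this server could satisfy. Running it with live `net` and `ldapsearch` output before and after a SID change gives a quick confirmation that the "wrong SID" rejections should be gone.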
