
lefty.crupps 05-02-2012 12:54 PM

Samba and LDAP, but without Domain Controller
I don't want a Domain Controller, which authenticates Windows desktops. All I want is Samba to function with our LDAP backend, so network share (smb) access is authenticated (ldap).

This seems to work on some of our servers running Samba but not others and I'm having a hard time narrowing down the cause. A common error on RHEL5 is:

User lefty.crupps with invalid SID S-1-5-21-3136767649-2139676719-1908905554-11344 in passdb
Another error on RHEL5 is often:

[2012/05/02 10:23:56, 0] smbd/server.c:main(958)
smbd version 3.0.33-3.29.el5_7.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2008

[2012/05/02 10:23:56, 1] lib/smbldap_util.c:add_new_domain_info(216)
add_new_domain_info: failed to add domain dn= sambaDomainName=TEST,dc=ournetwork,dc=net with: Server is unwilling to perform
shadow context; no update referral

[2012/05/02 10:23:56, 0] lib/smbldap_util.c:smbldap_search_domain_info(286)
smbldap_search_domain_info: Adding domain info for TEST failed with NT_STATUS_UNSUCCESSFUL
And a login attempt will also give:

[2012/05/02 12:32:17, 0] passdb/passdb.c:pdb_increment_bad_password_count(1477)
pdb_increment_bad_password_count: pdb_get_account_policy failed.

My Global config for the RHEL5 setup with the above errors is:

        workgroup = WORKGRP
        server string = Samba Server Version %v
        netbios name = SMBLDAP

        security = user
        #passdb backend = tdbsam
        passdb backend = ldapsam:"ldaps:// ldaps://"

        ldap admin dn = uid=authuser,dc=ournetwork,dc=net
        ldap suffix = dc=ournetwork,dc=net
        ldap group suffix = ou=Group
        ldap user suffix = ou=People
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=People
        unix password sync = no
        ldap passwd sync = yes

        passwd program = /usr/sbin/smbldap-passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        ldap delete dn = Yes
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

What can I change to make this function, and to stop all the baloney about Domain Controller stuff and Microsoft's networking concepts? Do I need to populate the Samba database with user/pass info? (This step isn't needed on Debian servers per my experience but RHEL is a different OS.)

rch 05-03-2012 10:55 PM

Are you running a 389 server? One thing I must say is that there appears to be no way of synchronizing password changes in LDAP with that of samba. I recommend reading the ldapsam editposix help page

You must add your LDAP admin password as

smbpasswd -w <password>
Here is our smb.conf


        security = user
        passdb backend = ldapsam
        ldap admin dn = uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
        ldap delete dn = yes
        ldap suffix = dc=xxxxxx, dc=local
        ldap user suffix= ou=groups, ou=auto.home
        ldap machine suffix= ou=Computers, ou=auto.home
        ldap group suffix = ou=groups, ou=auto.home
        ldap idmap suffix = ou=idmap, ou=auto.home
        idmap backend = ldap:ldap://
        idmap alloc backend = ldap
        ldap ssl = start tls
        encrypt passwords = true
        #add machine script = /usr/sbin/useradd -c Computers -s /bin/false %m$
        ldap password sync = yes
        #unix password sync = yes
        passwd program = /usr/sbin/smbldap-passwd -u %u
        passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        idmap config xxxxxx:range = 800-500000
        idmap config xxxxxx:ldap_url = ldap://
        idmap config xxxxxx:ldap_user_dn = uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
        idmap config xxxxxx:ldap_base_dn = ou=idmap,ou=auto.home, dc=xxxxxx,dc=local
        idmap config xxxxxx:default = yes
        idmap config xxxxxx:readonly = no
        idmap config xxxxxx:backend = ldap

Then if everything is fine, start importing ldap passwords using pdbedit

pdbedit -i ldapsam

lefty.crupps 05-04-2012 09:35 AM


Thanks for the suggestions, I'll look into the 'idmap' settings that you're using and the rest of the ldapsam entry that you've linked, thanks.

The 'import' thing isn't needed on Debian, would that be needed on each RHEL box every time we have a new user in LDAP? The import worked:

shell# pdbedit -i ldapsam:ldaps://
but that didn't change the behaviour; login is still NT_STATUS_ACCESS_DENIED. This step isn't mentioned at all on the Red Hat page where they give the needed steps for this setup, here.

Other info that may be helpful, or not:

1. Yesterday, running "pdbedit -Lv", my entries all read, "pdb_get_group_sid: Failed to find Unix account for ____". Today, this works due to a change in the /etc/nsswitch.conf file of adding ldap to these top three lines:

passwd: files compat ldap
shadow: files compat ldap
group: files compat ldap

passwd_compat: ldap
shadow_compat: ldap
group_compat: ldap
2. If I have an LDAP group, I can allow that via a line in a [Share] section which reads, "valid users = @groupname", and those people are allowed in (the login succeeds, which is what I am still trying to solve, but I want it to succeed without groups).

3. Adding the following lines to smb.conf doesn't help at all, but it changes the error message on the client side, from NT_STATUS_ACCESS_DENIED without these lines to NT_STATUS_UNSUCCESSFUL with them:

ldapsam:trusted = yes
ldapsam:editposix = yes
I'll read more from rch's link though, thanks again.

4. SSH login with LDAP auth works.

5. Other errors in the Samba logs include this Auth Success and then Access Deny for a dir owned by this user's group, with permissions set to 777:

[2012/05/04 08:58:38, 3] auth/auth.c:check_ntlm_password(221)
check_ntlm_password: Checking password for unmapped user [WORKGRP]\[username]@[DESKTOP-PC] with the new password interface
[2012/05/04 08:58:38, 3] auth/auth.c:check_ntlm_password(224)
check_ntlm_password: mapped user is: [SMBLDAP]\[username]@[DESKTOP-PC]
[2012/05/04 08:58:38, 3] lib/smbldap.c:smbldap_connect_system(997)
ldap_connect_system: successful connection to the LDAP server
[2012/05/04 08:58:38, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
init_sam_from_ldap: Entry found for user: username
[2012/05/04 08:58:38, 3] auth/auth.c:check_ntlm_password(270)
check_ntlm_password: sam authentication for user [username] succeeded
[2012/05/04 08:58:38, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [username] -> [username] -> [username] succeeded
[2012/05/04 08:58:38, 3] lib/privileges.c:get_privileges(261)
get_privileges: No privileges assigned to SID [S-1-5-21-4137344349-2139758319-1908905789-10030]
[2012/05/04 08:58:38, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-5-21-4137344349-2139758319-1908905789-10030
se_access_check: also S-1-22-2-32768
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-22-2-33072
[2012/05/04 08:58:38, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (10030, 32768) - sec_ctx_stack_ndx = 0
[2012/05/04 08:58:38, 3] smbd/service.c:make_connection_snum(1085)
desktop-pc ( connect to service IPC$ initially as user username (uid=10030, gid=32768) (pid 30708)
[2012/05/04 08:58:38, 0] passdb/passdb.c:lookup_global_sam_name(596)
User username with invalid SID S-1-5-21-4137344349-2139758319-1908905789-10030 in passdb
[2012/05/04 08:58:38, 2] smbd/service.c:make_connection_snum(617)
user 'username' (from session setup) not permitted to access this share (vweb2)
[2012/05/04 08:58:38, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
[2012/05/04 08:58:38, 3] smbd/process.c:timeout_processing(1382)
timeout_processing: End of file from client (client has disconnected).
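The "invalid SID ... in passdb" line in the first post, and again in the log above, comes from Samba's lookup_global_sam_name(), which refuses a passdb user whose sambaSID does not fall under the server's own domain SID. On a standalone ldapsam server that local SID is the one `net getlocalsid` prints, and each host generates its own unless it is set explicitly, so a RHEL box that did not populate the LDAP tree will not share the SID prefix the Debian servers wrote into sambaSID. The POSIX shell script below is an added example, not code from this thread: it pulls the S-1-5-21 SIDs out of Samba log text and reports which ones do not share the local SID's domain prefix. The sample log lines reuse the two SIDs quoted in this thread; the LOCAL_SID value is a constructed placeholder, and on a real server you would substitute the output of `net getlocalsid` (`net setlocalsid` is the command that aligns it with the sambaSID of the sambaDomainName entry in LDAP).

```shell
#!/bin/sh
# Added example (not from the thread): check whether the SIDs Samba reads from
# ldapsam share the domain prefix of this server's local SID. Samba logs
# "User X with invalid SID ... in passdb" exactly when a user's sambaSID is
# not inside the server's own domain SID.

# Strip the trailing RID from a SID, leaving the domain part.
sid_domain() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# Return 0 when the user SID belongs to the given local/domain SID, 1 otherwise.
sid_in_domain() {
    local_sid=$1
    user_sid=$2
    [ "$(sid_domain "$user_sid")" = "$local_sid" ]
}

# Read Samba log text on stdin, extract every domain-style SID (S-1-5-21-...)
# and print one OK/MISMATCH line per distinct SID relative to $1.
# Well-known SIDs such as S-1-1-0 or S-1-22-2-... are intentionally ignored.
audit_log_sids() {
    local_sid=$1
    sed -n 's/.*\(S-1-5-21-[0-9-]*\).*/\1/p' | sort -u | while read -r sid; do
        if sid_in_domain "$local_sid" "$sid"; then
            printf 'OK       %s\n' "$sid"
        else
            printf 'MISMATCH %s (domain %s, local %s)\n' \
                "$sid" "$(sid_domain "$sid")" "$local_sid"
        fi
    done
}

# Constructed sample: the two user SIDs quoted in this thread. LOCAL_SID is a
# placeholder chosen to match only the second one; on a real server replace it
# with the output of `net getlocalsid`.
SAMPLE_LOG='User lefty.crupps with invalid SID S-1-5-21-3136767649-2139676719-1908905554-11344 in passdb
se_access_check: user sid is S-1-5-21-4137344349-2139758319-1908905789-10030
se_access_check: also S-1-22-2-32768
se_access_check: also S-1-1-0'
LOCAL_SID='S-1-5-21-4137344349-2139758319-1908905789'

# Number of SIDs in the sample that this server would reject.
count_mismatches() {
    printf '%s\n' "$SAMPLE_LOG" | audit_log_sids "$LOCAL_SID" | grep -c '^MISMATCH'
}

printf '%s\n' "$SAMPLE_LOG" | audit_log_sids "$LOCAL_SID"
```

Feed it a real log with `audit_log_sids "$(net getlocalsid | sed 's/.*: //')" < /var/log/samba/log.smbd`; any MISMATCH line is a user whose sambaSID was minted under a different domain SID than this host uses, which is the condition behind the passdb error, independent of share permissions or group membership.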

rch 05-04-2012 11:15 AM

Couple of questions- Is winbind running? If you are using editposix- have you done

# net sam provision
Also, did you import the LDIF tree (that is mentioned on the editposix wiki page) into your LDAP server? What LDAP server are you running?

lefty.crupps 05-08-2012 06:46 AM

> Couple of questions- Is winbind running?
No, should it be? I started it for one reason or another during my troubleshooting, but something else I did stopped the service, and I don't recall what that was.

> If you are using editposix- have you done
> # net sam provision
Again, no, should I have?

> Also, did you import the LDIF tree (that is mentioned on the editposix wiki page) into your LDAP server?
Yet again, no. None of this stuff is mentioned anywhere I've seen when setting up Samba, LDAP, or troubleshooting my current issues, until I saw the link for the Editposix wiki. I'm a bit hesitant to start adding in accounts though, especially from one of many Samba servers, into our production LDAP.

> What LDAP server are you running?
We are running OpenLDAP, Debian slapd 2.4.23-7.2, on the backend.

rch 05-08-2012 04:05 PM

Thanks lefty.crupps,
You need identity mapping between your LDAP server and samba but that does not have to be winbind- I was just showing you our configuration (based on CentOS 5.8)- where we do our identity matching using winbind and idmap. I find it much easier than other configurations- but our Samba is also a PDC.

Your system logins for LDAP are probably configured through PAM. You definitely need to populate your LDAP with an LDIF tree. You did mention Debian, so I am going to assume that your server distribution is Debian. I found a how-to for integrating Debian and OpenLDAP. The LDIF for the user tree is given in the how-to. Please let me know if you have any more questions.

lefty.crupps 05-09-2012 11:12 AM

@rch, thanks again for the info.

> You did mention Debian, so I am going to assume that your server distribution is Debian
We have dozens of servers, some are Debian 5 and Debian 6 and those all work great; others are RHEL5 and CentOS5 and those are the ones having these issues that I'm trying to resolve.

> You need identity mapping between your LDAP server and samba
I wonder how Debian does it, we don't have these settings there and it functions very well.

Turning on these two options on the RHEL box, Samba logins fail:
> ldapsam:trusted = yes
> ldapsam:editposix = yes

> You definitely need to populate your LDAP with an LDIF tree
Our LDAP is populated. It works on many systems for SSH logins, FreeRadius WPA2-Enterprise authentication, and more, just not Samba on RHEL5 and CentOS5.

I'll check more on the idmap stuff (not had the chance), but as I said, I've never seen that mentioned until you came along to help!

rch 05-11-2012 07:56 PM

Hello lefty.crupps,
Let me know if it works using idmap and winbind- Samba has good documentation about what idmap is. Have you also tried setting it up using smbldap-tools (yum install smbldap-tools)?

lefty.crupps 05-24-2012 03:17 PM

Getting nowhere.

TL;DR is that the 'idmap' stuff didn't work; reading about this, it would appear that it isn't needed to accomplish my goal:

On the "Stand Alone Server" settings, it reads,

The term standalone server means that it will provide local authentication and access control for all resources that are available from it. In general this means that there will be a local user database. In more technical terms, it means resources on the machine will be made available in either share mode or in user mode.

No special action is needed other than to create user accounts. Standalone servers do not provide network logon services. This means that machines that use this server do not perform a domain logon to it. Whatever logon facility the workstations are subject to is independent of this machine. It is, however, necessary to accommodate any network user so the logon name he or she uses will be translated (mapped) locally on the standalone server to a locally known user name. There are several ways this can be done.

Samba tends to blur the distinction a little in defining a standalone server. This is because the authentication database may be local or on a remote server, even if from the SMB protocol perspective the Samba server is not a member of a domain security context.

Through the use of Pluggable Authentication Modules (PAM) (see the chapter on PAM) and the name service switcher (NSS), which maintains the UNIX-user database, the source of authentication may reside on another server. We would be inclined to call this the authentication server. This means that the Samba server may use the local UNIX/Linux system password database (/etc/passwd or /etc/shadow), may use a local smbpasswd file, or may use an LDAP backend, or even via PAM and Winbind another CIFS/SMB server for authentication.

On the "Identity Mapping" page it reads,

A standalone Samba server is an implementation that is not a member of a Windows NT4 domain, a Windows 200X Active Directory domain, or a Samba domain.

By definition, this means that users and groups will be created and controlled locally, and the identity of a network user must match a local UNIX/Linux user login. The IDMAP facility is therefore of little to no interest, winbind will not be necessary, and the IDMAP facility will not be relevant or of interest.

Regardless, I've tried the IDMAP, no go; I got errors when trying to follow the bottom half of the HowTo that you linked:

[root@test ~]# net sam createbuiltingroup Administrators
Creating Administrators failed with NT_STATUS_ACCESS_DENIED

Trying to follow the Samba documentation here, I have the same issues as always, specifically that the login only works with group membership such as being in the LDAP group 'workingGroup' in this example:


  comment = Test Web files
  path = /var/www
  public = yes
  writable = yes
  printable = no
  create mask = 0775
  create mode = 0775
  group = staff
  valid users = failUser1,failUser2,@workingGroup

If my smb.conf has

#      #ldapsam:trusted = yes
#      #ldapsam:editposix = yes

I get:

$ smbclient -Ulefty \\\\\\web
Connection to failed (Error NT_STATUS_CONNECTION_REFUSED)

And with this in my smb.conf

ldapsam:trusted = yes
ldapsam:editposix = yes

I get a different error (like I was getting before):


$ smbclient -Ulefty \\\\\\web
Connection to failed (Error NT_STATUS_LOGON_FAILURE)

lefty.crupps 06-22-2012 03:11 PM

sad bump.

rch 06-22-2012 03:35 PM

Hi lefty.crupps,
Could you please tell me what is the output of

pdbedit -L
Then try the following two queries

pdbedit -L -b tdbsam
pdbedit -L -b ldapsam

What do you get? Do you get the list of users from ldapsam?
