Rowland Penny
2018-Feb-20 11:25 UTC
[Samba] Migration from 3.6.25-0ubuntu0.12.04.10 to 4.x with passdb backend = ldapsam
On Tue, 20 Feb 2018 13:29:56 +0300 Vladimir Skubriev via samba <samba at lists.samba.org> wrote:

> > ```
> > [global]
> >
> > workgroup = EXAMPLE
> > server string
> > dns proxy = no
> >
> > interfaces = eth0
> > bind interfaces only = yes
> >
> > log file = /var/log/samba/log.%m
> > max log size = 1000
> >
> > # new options
> > log level = 5
> > netbios name = FILES
> > #panic action = /usr/share/samba/panic-action %d
> > server role = STANDALONE SERVER
> >
> > local master = no
> >
> > security = user
> > encrypt passwords = true
> >
> > #passdb backend = tdbsam
> > #obey pam restrictions = yes
> > passdb backend = ldapsam:"ldap://ldap/"
> > ldapsam:trusted=yes
> > ldapsam:editposix=yes
> >

OK, took a bit of time, but I think I understand what your problem is, you want a standalone server with an ldap backend, BUT you have these lines in smb.conf:

ldapsam:editposix = yes
ldapsam:trusted = yes

These lines make Samba expect ldap to be set up as a PDC, it expects 'Domain Users' etc to exist, which they won't be on a standalone server.

see here for an ldap/standalone server:
http://lapsz.eu/blog/2013/09/04/standalone-samba-server-with-ldap-authentication/

Rowland
Vladimir Skubriev
2018-Feb-21 12:26 UTC
[Samba] Migration from 3.6.25-0ubuntu0.12.04.10 to 4.x with passdb backend = ldapsam
You a sure. I have already configured openldap, which worked as expected with old smb server.

net getlocalsid & net getdomainsid returns the same SID.
LDAP sambaDomainName=EXAMPLE has the same SID in attribute sambaSID.

Also DIT has windows groups like 'Domain Users' etc ...

Unfortunately I can not find the reason for the unexpected exit of child smbd process.

Do you mean that I must remove all samba's data from ldap except dn: sambaDomainName=FILESERVER,dc=domain,dc=ltd (as described to tune in article)?

2018-02-20 14:25 GMT+03:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 20 Feb 2018 13:29:56 +0300
> Vladimir Skubriev via samba <samba at lists.samba.org> wrote:
>
> > > ```
> > > [global]
> > >
> > > workgroup = EXAMPLE
> > > server string
> > > dns proxy = no
> > >
> > > interfaces = eth0
> > > bind interfaces only = yes
> > >
> > > log file = /var/log/samba/log.%m
> > > max log size = 1000
> > >
> > > # new options
> > > log level = 5
> > > netbios name = FILES
> > > #panic action = /usr/share/samba/panic-action %d
> > > server role = STANDALONE SERVER
> > >
> > > local master = no
> > >
> > > security = user
> > > encrypt passwords = true
> > >
> > > #passdb backend = tdbsam
> > > #obey pam restrictions = yes
> > > passdb backend = ldapsam:"ldap://ldap/"
> > > ldapsam:trusted=yes
> > > ldapsam:editposix=yes
> > >
>
> OK, took a bit of time, but I think I understand what your problem is,
> you want a standalone server with an ldap backend, BUT you have these
> lines in smb.conf:
>
> ldapsam:editposix = yes
> ldapsam:trusted = yes
>
> These lines make Samba expect ldap to be set up as a PDC, it expects
> 'Domain Users' etc to exist, which they won't be on a standalone server.
>
> see here for an ldap/standalone server:
> http://lapsz.eu/blog/2013/09/04/standalone-samba-server-with-ldap-authentication/
>
> Rowland

--
Faithfully yours,
CVision Lab System Administrator
Vladimir Skubriev
Rowland Penny
2018-Feb-21 12:49 UTC
[Samba] Migration from 3.6.25-0ubuntu0.12.04.10 to 4.x with passdb backend = ldapsam
On Wed, 21 Feb 2018 15:26:26 +0300 Vladimir Skubriev <skubriev at cvisionlab.com> wrote:

> You a sure. I have already configured openldap, which worked as
> expected with old smb server.
>
> net getlocalsid & net getdomainsid returns the same SID.
> LDAP sambaDomainName=EXAMPLE has the same SID in attribute sambaSID.
>
> Also DIT has windows groups like 'Domain Users' etc ...
>
> Unfortunately I can not find the reason for the unexpected exit of
> child smbd process.
>
> Do you mean that I must remove all samba's data from ldap except dn:
> sambaDomainName=FILESERVER,dc=domain,dc=ltd (as described to tune in
> article)?
>

I am not saying that at all, what I am saying is, for all intents and purposes, your smb.conf is for a PDC, yet you have:

server role = STANDALONE SERVER

in smb.conf.

I think you need to consider just what you require, a PDC or a standalone server and then set up Samba & ldap accordingly.

If you want/need a standalone server, then you do not need things like 'Domain Users' etc, because your server will not be part of a domain.

Rowland
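
Added example, not part of the thread and not Samba's own code: a small lint for the mismatch Rowland describes, reporting `ldapsam:trusted` / `ldapsam:editposix` enabled in `[global]` while `server role` is standalone and the passdb backend is ldapsam. The sample config is constructed from the one quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: the [global] section quoted in the thread, abridged.
SAMPLE_SMB_CONF = """\
[global]
workgroup = EXAMPLE
netbios name = FILES
server role = STANDALONE SERVER
security = user
#passdb backend = tdbsam
passdb backend = ldapsam:"ldap://ldap/"
ldapsam:trusted=yes
ldapsam:editposix = yes
"""

# Values this check treats as an enabled boolean.
TRUE_VALUES = {"yes", "true", "on", "1"}
# The two options the reply singles out as PDC-style.
PDC_STYLE_OPTIONS = ("ldapsam:trusted", "ldapsam:editposix")


def parse_global(text):
    """Return {normalized parameter name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Compare names without regard to case or embedded whitespace.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params


def standalone_pdc_conflicts(text):
    """List PDC-style ldapsam options enabled on a standalone ldapsam server."""
    p = parse_global(text)
    role = re.sub(r"\s+", " ", p.get("serverrole", "")).lower()
    if role not in ("standalone server", "standalone"):
        return []
    if not p.get("passdbbackend", "").lower().startswith("ldapsam"):
        return []
    return [opt for opt in PDC_STYLE_OPTIONS
            if p.get(opt, "no").lower() in TRUE_VALUES]
```
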