ERIC PEYREMORTE
2020-Jul-07 09:46 UTC
[Samba] NT4 Domain PDC with Ldap backend and domain members
Hi,

I still have an old Samba 4 (not AD) NT4 domain controller.

I use an OpenLDAP backend on the PDC, where my users are stored with all their attributes (uidnumber, sambaSID etc.).

I have two file servers as domain members.

When I connect to a share on the domain controller itself, right click properties on a file / security tab under Windows gives me the ACL properly:
"MYDOMAIN\User"

But when I connect to a share on a domain member, right click / security tab under Windows, I get:
"Unix User\User"

(The user gets mapped to a local user, but the ACL is not displayed properly.)

It makes some applications that check for user permissions fail (Eclipse 2020 for example).

----

I tried using passdb backend = ldapsam:ldap://172.30.1.250/ on my domain member: it works great and the ACLs are OK.

But it adds a sambaDomainName entry in my LDAP.

I've seen an old thread here with an answer from Andrew Bartlett mentioning we should not use ldapsam as passdb backend on a domain member:

> https://lists.samba.org/archive/samba/2012-January/165972.html
> This is why the entry is created. You have pointed your member
> server at the LDAP backend of the DC. The member server started to
> write its own information there. Simply remove this line and use a
> local passdb for the local users - communication between Samba member
> servers and Samba3 DCs is not over LDAP.

So I don't understand how I should configure the domain member properly.

I don't need winbind, as all my users are already SID to uidnumber mapped in the LDAP backend.

I've read all the docs, and still can't figure it out. Doing as Andrew suggests breaks the ACL, and I get an empty net groupmap list.

Any ideas?
Rowland penny
2020-Jul-07 10:02 UTC
[Samba] NT4 Domain PDC with Ldap backend and domain members
On 07/07/2020 10:46, ERIC PEYREMORTE via samba wrote:
> Hi,
>
> I still have an old Samba 4 (not AD) NT4 domain controller.
>
> I use an OpenLDAP backend on the PDC, where my users are stored with all their attributes (uidnumber, sambaSID etc.).
>
> I have two file servers as domain members.
>
> When I connect to a share on the domain controller itself, right click properties on a file / security tab under Windows gives me the ACL properly:
> "MYDOMAIN\User"
>
> But when I connect to a share on a domain member, right click / security tab under Windows, I get:
> "Unix User\User"
>
> (The user gets mapped to a local user, but the ACL is not displayed properly.)
>
> It makes some applications that check for user permissions fail (Eclipse 2020 for example).
>
> ----
>
> I tried using passdb backend = ldapsam:ldap://172.30.1.250/ on my domain member: it works great and the ACLs are OK.
>
> But it adds a sambaDomainName entry in my LDAP.
>
> I've seen an old thread here with an answer from Andrew Bartlett mentioning we should not use ldapsam as passdb backend on a domain member:
>
>> https://lists.samba.org/archive/samba/2012-January/165972.html
>> This is why the entry is created. You have pointed your member
>> server at the LDAP backend of the DC. The member server started to
>> write its own information there. Simply remove this line and use a
>> local passdb for the local users - communication between Samba member
>> servers and Samba3 DCs is not over LDAP.
>
> So I don't understand how I should configure the domain member properly.
>
> I don't need winbind, as all my users are already SID to uidnumber mapped in the LDAP backend.
>
> I've read all the docs, and still can't figure it out. Doing as Andrew suggests breaks the ACL, and I get an empty net groupmap list.
>
> Any ideas?

Yes, do what Andrew said, use winbind. In fact, if you are using Samba >= 4.8.0, you must use winbind. From Samba 4.8.0, smbd can no longer contact the PDC directly; it must use winbind.

From the release notes for 4.8.0:

    Setups with "security = domain" or "security = ads" require a running 'winbindd' now. The fallback that smbd directly contacts domain controllers is gone.

Can I also suggest that you consider upgrading to AD, before it stops working again (Microsoft has twice broken NT4-style domains by accident; they fixed them, next time they might not).

Rowland
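As an added illustration (not configuration posted by Eric or Rowland), here is a domain-member smb.conf that contrasts the ldapsam line Eric tried with a winbind-based setup of the kind Rowland describes, where the member keeps its own local passdb and reaches the NT4 PDC only through winbindd. MYDOMAIN and the PDC address 172.30.1.250 come from the thread; the netbios name, the share, the choice of idmap_nss and the idmap ranges are assumptions.

```ini
# Added example, not configuration from either participant in the thread.
# Domain member of the NT4-style domain MYDOMAIN, joined with "net rpc join".
# smb.conf does not support trailing comments, so every comment is on its own line.

[global]
    workgroup = MYDOMAIN
    # Assumed name of this member file server.
    netbios name = FILESERVER1
    # NT4-style member: from Samba 4.8.0 this requires a running winbindd.
    security = domain

    # Keep the member's account database local. The setting that was tried,
    #   passdb backend = ldapsam:ldap://172.30.1.250/
    # made the member write its own sambaDomainName entry into the PDC's LDAP.
    passdb backend = tdbsam

    # Default idmap backend for SIDs outside the domain (BUILTIN and friends).
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Assumption: the member already resolves domain users via NSS (nss_ldap or
    # sssd against the same directory). idmap_nss then asks winbindd for the
    # account name behind a SID and takes the uidNumber from NSS, so the
    # existing uid <-> sambaSID pairing on the user entries is reused instead of
    # winbind allocating new ids in an ou=Idmap container. The range must cover
    # the uidNumbers stored in the directory.
    idmap config MYDOMAIN : backend = nss
    idmap config MYDOMAIN : range = 1000-2999

    # Keep the DOMAIN\user form so Windows shows ACLs as MYDOMAIN\User.
    winbind use default domain = no
    winbind enum users = no
    winbind enum groups = no

[share]
    # Assumed share path.
    path = /srv/share
    read only = no
```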
ERIC PEYREMORTE
2020-Jul-07 10:39 UTC
[Samba] NT4 Domain PDC with Ldap backend and domain members
Hi, thanks for your answer.

We are migrating to AD, but the legacy domain will stay for a few months. I still use Samba 4.2 (before upgrading every file server).

I don't understand how winbind will be used. I don't need an ou=Idmap, as the user entry in uid=login already contains the association between uid and sambaSID in the OpenLDAP passdb backend (on the DC). I just need the domain member to use that information; it seems that winbind is unable to do that: it's going to make its own uid <> sid mapping and store it in LDAP ou=idmap.

Maybe it's not possible to correctly use a domain member with a Samba 3 + OpenLDAP PDC? I didn't find any winbind doc covering that case...

Cheers