Andrew Bartlett
2022-Sep-21 19:52 UTC
[Samba] Problems with Samba after upgrading to v4 and changing LDAP-backend from OpenLDAP to 389
On Wed, 2022-09-21 at 11:57 +0200, Alexander Harm || ApfelQ via samba wrote:
> Hi,
>
> I was wondering if anyone ran into the same issue and maybe has a
> solution for me. In short:
>
> - we were running SLES 11 with Samba 3.6.3 as NT4 PDC and OpenLDAP
>   backend: working fine
> - we upgraded to SLES 15 with Samba 4.13.13 as NT4 PDC and old
>   OpenLDAP backend: working fine
> - now we migrated from OpenLDAP to 389 and things start to break
>
> LDAP seems to work in principle: "pdbedit -L" is successful. However,
> running "pdbedit -Lv username" returns an error: "Failed to find a
> Unix account for username" and "Primary Group SID: (NULL SID)".
>
> So I guess the idmap is messed up?

Looping back to the start, I think you, as suggested elsewhere in the thread, need to work on this one step at a time.

I agree that getting OpenLDAP back, if a reverse migration is possible, at least in a lab, might be a good idea, and confirm that the issue really is with OpenLDAP and not something else.

'Clearly' something is different about the 389 LDAP server vs OpenLDAP.

Do they both accept the same (non)authentication?

You should be able to debug this with either a network capture, or LDAP comparison tools. (I don't know if Samba's samba-tool ldapcmp can do a good enough job, but try it using the --simple-bind-dn mode).

Try dumping a sorted LDIF of each directory, and compare with diff even.

Try turning up the log level and see what errors you see compared with your old OpenLDAP.

Then finally, think about a migration to Samba AD, and how to have your other applications work with AD or synchronise with it. This is a much longer term project.

> Actually I'm not sure how the idmap is stored in LDAP since both
> idmap-OUs look the same to me (empty) on the old OpenLDAP and new
> 389.
>
> Any hints/advice?

Try not to change too much at once, particularly around idmap.
Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
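As an added illustration of the "dump a sorted LDIF of each directory and diff them" suggestion (this is not code from the Samba project or from anyone in this thread): a plain `diff` of two exports is noisy, because different servers emit entries and attributes in different orders, differ in attribute-name case, and base64-encode some values. The script below normalises both exports first and then reports only attribute-level differences per DN. The two LDIF strings are constructed samples; the attribute names (sambaSID, sambaPrimaryGroupSID, uidNumber, gidNumber) are the standard Samba/POSIX schema attributes, but the values and the DNs are made up.

```python
"""Compare two LDIF exports attribute by attribute.

Added example, not Samba project code.  Both LDIF strings are constructed
samples standing in for an OpenLDAP export and a 389 export.
"""
import base64
from collections import defaultdict

# Constructed sample: an export as the old OpenLDAP server might produce it.
OPENLDAP_LDIF = """\
dn: uid=jdoe,ou=Users,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: jdoe
uidNumber: 10001
gidNumber: 513
sambaSID: S-1-5-21-1111-2222-3333-1001
sambaPrimaryGroupSID: S-1-5-21-1111-2222-3333-513

dn: sambaDomainName=EXAMPLE,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: EXAMPLE
sambaSID: S-1-5-21-1111-2222-3333
"""

# Constructed sample: the same data after migration, with entries and
# attributes reordered, one value base64-encoded and two attributes missing.
DIRSRV_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=com
sambaSID: S-1-5-21-1111-2222-3333
sambaDomainName: EXAMPLE
objectClass: sambaDomain

dn: uid=jdoe,ou=Users,dc=example,dc=com
objectclass: top
objectclass: sambaSamAccount
objectclass: posixAccount
uid:: amRvZQ==
gidNumber: 513
sambaSID: S-1-5-21-1111-2222-3333-1001
"""


def parse_ldif(text):
    """Return {dn: {attr: sorted values}}, DN and attribute names lower-cased.

    Handles folded continuation lines (leading space) and base64 values
    ("attr:: ...").  Entries are separated by blank lines, as LDIF requires.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)

    entries, dn, attrs = {}, None, None
    for line in lines + [""]:             # sentinel blank line flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = {k: sorted(v) for k, v in attrs.items()}
            dn, attrs = None, None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            dn, attrs = value.lower(), defaultdict(list)
        else:
            attrs[name].append(value)
    return entries


def compare_ldif(left, right):
    """Return {dn: {attr: (left_values, right_values)}} for every difference.

    An entry present on one side only is reported under the key "<entry>";
    an attribute missing on one side shows as None for that side.
    """
    a, b = parse_ldif(left), parse_ldif(right)
    diffs = {}
    for dn in sorted(set(a) | set(b)):
        if dn not in a or dn not in b:
            diffs[dn] = {"<entry>": (a.get(dn), b.get(dn))}
            continue
        changed = {attr: (a[dn].get(attr), b[dn].get(attr))
                   for attr in sorted(set(a[dn]) | set(b[dn]))
                   if a[dn].get(attr) != b[dn].get(attr)}
        if changed:
            diffs[dn] = changed
    return diffs


if __name__ == "__main__":
    for dn, changes in compare_ldif(OPENLDAP_LDIF, DIRSRV_LDIF).items():
        print(dn)
        for attr, (lv, rv) in changes.items():
            print(f"  {attr}: openldap={lv} 389={rv}")
```

With real exports (for instance from `ldapsearch -LLL` against each server, bound the same way Samba binds), pass the two file contents to `compare_ldif()` instead of the inline samples. On the constructed data the only entry reported is the user, with uidNumber and sambaPrimaryGroupSID present on the OpenLDAP side and absent on the 389 side; the sample was chosen so that the missing attributes are the kind whose absence would plausibly show up in pdbedit output, but that is illustration, not a diagnosis of the poster's setup. Note that a default export covers user attributes only; access controls and server-side configuration are not in it and need to be compared separately.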
Alexander Harm || ApfelQ
2022-Sep-21 20:49 UTC
[Samba] Problems with Samba after upgrading to v4 and changing LDAP-backend from OpenLDAP to 389
Thanks again and don't worry. We did not blindly upgrade, we are testing this in a clone of our production environment. So rolling back etc. is not an issue right now. I will go through your suggestions. Thank you all for your input.

> On Wednesday, Sep 21, 2022 at 9:52 PM, Andrew Bartlett <abartlet at samba.org> wrote:
>
> On Wed, 2022-09-21 at 11:57 +0200, Alexander Harm || ApfelQ via samba
> wrote:
> > Hi,
> >
> > I was wondering if anyone ran into the same issue and maybe has a
> > solution for me. In short:
> >
> > - we were running SLES 11 with Samba 3.6.3 as NT4 PDC and OpenLDAP
> >   backend: working fine
> > - we upgraded to SLES 15 with Samba 4.13.13 as NT4 PDC and old
> >   OpenLDAP backend: working fine
> > - now we migrated from OpenLDAP to 389 and things start to break
> >
> > LDAP seems to work in principle: "pdbedit -L" is successful. However,
> > running "pdbedit -Lv username" returns an error: "Failed to find a
> > Unix account for username" and "Primary Group SID: (NULL SID)".
> >
> > So I guess the idmap is messed up?
>
> Looping back to the start, I think you, as suggested elsewhere in the
> thread, need to work on this one step at a time.
>
> I agree that getting OpenLDAP back, if a reverse migration is possible,
> at least in a lab, might be a good idea, and confirm that the issue
> really is with OpenLDAP and not something else.
>
> 'Clearly' something is different about the 389 LDAP server vs
> OpenLDAP.
>
> Do they both accept the same (non)authentication?
>
> You should be able to debug this with either a network capture, or LDAP
> comparison tools. (I don't know if Samba's samba-tool ldapcmp can do a
> good enough job, but try it using the --simple-bind-dn mode).
>
> Try dumping a sorted LDIF of each directory, and compare with diff
> even.
>
> Try turning up the log level and see what errors you see compared with
> your old OpenLDAP.
>
> Then finally, think about a migration to Samba AD, and how to have your
> other applications work with AD or synchronise with it. This is a much
> longer term project.
>
> > Actually I'm not sure how the idmap is stored in LDAP since both
> > idmap-OUs look the same to me (empty) on the old OpenLDAP and new
> > 389.
> >
> > Any hints/advice?
>
> Try not to change too much at once, particularly around idmap.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
>
> Samba Development and Support, Catalyst IT - Expert Open Source
> Solutions