I have four SLES 10 servers working as Samba servers on the same domain 
with an LDAP account backend.  Relevant smb.conf entries are:
[global]
        workgroup = UNIX
        realm = UNIX.UIB.NO
        server string = ukl-samba
        netbios name = ukl-samba
        security = user
        allow trusted domains = yes
        domain master = yes
        local master = yes
        encrypt passwords = yes
Only one of the servers is set as domain and local master; server string 
and netbios name obviously differ, while workgroup and realm are set to 
the same.  When I first set them up (smbpasswd -w, etc.) they created 
separate sambaDomain entries in the LDAP root, with separate SIDs.  The 
sambaDomain entries are named after each server.  The user SIDs we 
simply set to be based on the SID of the first server we set up.  It all 
worked, so I never questioned it.
Then just before the weekend I took the first server up to SLES 10 SP1, 
which brought Samba up from 3.0.21 to 3.0.24, and this server was 
effectively broken.  On startup, every single user (all 35.0000 of 
them...) would get a line in /var/log/messages:
ukl-samba smbd[16336]:   User <SNIP> with invalid SID <SNIP> in
passdb
Nobody could get at the Samba shares until I edited the LDAP tree to 
switch the SIDs between this server and the server with the SID the user 
SIDs were based on.
Clearly, I need to clean something up before upgrading the next server 
to SLES 10 SP1, or things will be really, really broken.  Either a 
setting to switch off the SID validation, or Something(tm) to clean up the 
LDAP tree.  The latter is probably better, but I have no idea where to 
start.  I was hoping someone here had an answer which saved me the 
trouble of setting up a full test domain with LDAP and Samba servers...  
Can I just set the same SID on all four domains?  Or delete three of the 
four domains and rename the one with the correct SID to the _domain_ 
name instead of the server name?
Thanks,
Bjørn
-- 
Bjørn Tore Sund       Phone: 555-84894   Email:   bjorn.sund@it.uib.no
IT department         VIP:   81724       Support: http://bs.uib.no 
Univ. of Bergen
When in fear and when in doubt, run in circles, scream and shout.
Bjørn Tore Sund wrote:
> 
> I have four SLES 10 servers working as Samba servers on the same domain 
> with an LDAP account backend. Relevant smb.conf entries are: 
> [global] 
>         workgroup = UNIX 
>         realm = UNIX.UIB.NO 
>         server string = ukl-samba 
>         netbios name = ukl-samba 
>         security = user 
>         allow trusted domains = yes 
>         domain master = yes 
>         local master = yes 
>         encrypt passwords = yes 
> 
> Only one of the servers is set as domain and local master; server string 
> and netbios name obviously differ, while workgroup and realm are set to 
> the same. When I first set them up (smbpasswd -w, etc.) they created 
> separate sambaDomain entries in the LDAP root, with separate SIDs. The 
> sambaDomain entries are named after each server. The user SIDs we 
> simply set to be based on the SID of the first server we set up. 
> effectively broken. On startup, every single user (all 35.0000 of 
> them...) would get a line in /var/log/messages: 
> ukl-samba smbd[16336]: User <SNIP> with invalid SID <SNIP> in passdb 
> 
> Nobody could get at the Samba shares until I edited the LDAP tree to 
> switch the SIDs between this server and the server with the SID the user 
> SIDs were based on. 
> 
> start. I was hoping someone here had an answer which saved me the 
> trouble of setting up a full test domain with LDAP and Samba servers... 
> Can I just set the same SID on all four domains? Or delete three of the 
> four domains and rename the one with the correct SID to the _domain_ 
> name instead of the server name? 
> 
> Thanks, 
> 
> Bjørn

Hi Bjørn,

From what you mention here it sounds like you have four 
sambaDomainName=UNIX entries (objectClass: sambaDomain) with different 
sambaSID attributes.  Effectively 4 different domains, on 4 different 
servers, all with the same name.  Users have a sambaSID entry in their 
LDAP record, and the first portion of this needs to be the same as the 
sambaSID for the *domain* they are logging on to.  If it's not, then it 
won't work.
In answer to your point at the end, yes you can do this and it is what 
you are "supposed" to do, as far as I know.  If you do "net getlocalsid" 
on each of your SLES machines, the SID that is returned should be the 
same for all of them if you want them all to be controllers on your 
domain.  If it's not, pick the SID you want - i.e. the sambaSID all your 
users have in their LDAP records - then "net setlocalsid MYDOMAINSID" on 
the servers you wish to change to that SID.  (NB: On a domain, "net 
getlocalsid" and "net getlocalsid MYDOMAIN" should return the same.)

Then go into your LDAP directory and delete all but one of the 
sambaDomainName=UNIX entries, and ensure the remaining one has sambaSID 
set to MYDOMAINSID.  That is probably all you need to do.

HTH,
Phil
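The consistency rule Phil describes (one sambaDomain entry per domain, and every user's sambaSID sharing that entry's sambaSID as its prefix) is exactly what smbd 3.0.24 checks when it logs "User ... with invalid SID ... in passdb". The script below is an added example, not code from either message in this thread or from the Samba project: it takes the LDIF that `ldapsearch -LLL` prints and reports the users whose SID prefix does not match the domain SID, and lists how many sambaDomain entries exist, so the check can be run before the next server is upgraded rather than discovered from /var/log/messages afterwards. The sample LDIF entries, the `dc=example,dc=org` suffix and the SIDs are constructed for illustration; the `net getlocalsid` and `ldapsearch` invocations in the comments are the real commands you would pipe in on a live server.

```shell
#!/bin/sh
# Added example (not from the thread): pre-upgrade check for the
# "invalid SID in passdb" condition on a Samba 3.0.x LDAP backend.
#
# On a real server, feed it live data instead of the constructed samples:
#   DOMSID=$(net getlocalsid | awk '{print $NF}')
#   ldapsearch -x -LLL -b "dc=example,dc=org" \
#       '(objectClass=sambaSamAccount)' uid sambaSID | check_user_sids "$DOMSID"
#   ldapsearch -x -LLL -b "dc=example,dc=org" \
#       '(objectClass=sambaDomain)' sambaDomainName sambaSID | check_domain_entries

# Strip the trailing RID from a SID:
#   S-1-5-21-1111-2222-3333-1001 -> S-1-5-21-1111-2222-3333
sid_prefix() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# Read LDIF on stdin. For every entry that has a uid, compare the
# sambaSID minus its RID against the domain SID in $1. Print
# "uid sambaSID" for each mismatch. Exit 0 if all match, 1 otherwise.
check_user_sids() {
    awk -v dom="$1" '
        function flush() {
            if (uid != "" && sid != "") {
                p = sid
                sub(/-[0-9]+$/, "", p)     # drop the RID
                if (p != dom) { print uid, sid; bad++ }
            }
            uid = ""; sid = ""
        }
        /^uid: /      { uid = $2 }
        /^sambaSID: / { sid = $2 }
        /^$/          { flush() }
        END           { flush(); exit (bad ? 1 : 0) }
    '
}

# Read LDIF of sambaDomain entries on stdin; print "sambaDomainName sambaSID"
# for each. Exit 0 if there is exactly one entry (one domain, one SID),
# 1 if there are several, which is the state Bjørn describes.
check_domain_entries() {
    awk '
        function flush() {
            if (name != "") { print name, sid; n++ }
            name = ""; sid = ""
        }
        /^sambaDomainName: / { name = $2 }
        /^sambaSID: /        { sid = $2 }
        /^$/                 { flush() }
        END                  { flush(); exit (n == 1 ? 0 : 1) }
    '
}

# Constructed sample data: alice belongs to the first server's SID,
# bob was created under a second server's sambaDomain.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
sambaSID: S-1-5-21-1111-2222-3333-1001

dn: uid=bob,ou=People,dc=example,dc=org
uid: bob
sambaSID: S-1-5-21-4444-5555-6666-1002
EOF
}

# Constructed sample: two sambaDomain entries named after servers, not the workgroup.
sample_domains_ldif() {
    cat <<'EOF'
dn: sambaDomainName=ukl-samba,dc=example,dc=org
sambaDomainName: ukl-samba
sambaSID: S-1-5-21-1111-2222-3333

dn: sambaDomainName=ukl-samba2,dc=example,dc=org
sambaDomainName: ukl-samba2
sambaSID: S-1-5-21-4444-5555-6666
EOF
}

# Demo on the constructed data: bob is reported, and two domain entries are found.
sample_ldif | check_user_sids "S-1-5-21-1111-2222-3333" || echo "users with foreign SID prefix above"
sample_domains_ldif | check_domain_entries || echo "more than one sambaDomain entry"
```

Run the user check once with the SID you intend to keep (the one returned by `net getlocalsid` after any `net setlocalsid`); every line it prints is a user who would have been refused under 3.0.24. The domain check should print a single line whose SID equals that value once the extra sambaDomainName entries have been deleted.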