Hi Guys,
We have some issues with winbind and nss-ldap on an LDAP-based NT4 BDC/fileserver.
The DC has the LDAP server role and the BDC connects to it for
authentication.
smb.conf of the BDC
netbios name = TRAC5
local master = no
domain master = no
preferred master = no
domain logons = no
passdb backend = ldapsam:ldap://trac15.ste.com
ldap admin dn = cn=admin,dc=ste,d=com
ldap suffix = dc=ste
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap user suffix = ou=users
idmap backend = ldap
ldap idmap suffix = ou=idmap
idmap config * : ldap_url = ldap://trac15.ste
idmap config * : ldap_base_dn = ou=idmap,dc=ste,dc=com
idmap config * : ldap_user_dn = cn=admin,dc=ste,dc=com
ldap delete dn = no
ldap ssl = start tls
We've setup libnss-ldap in the servers (both trac15 and trac5)
When we enable winbind service, we get the following error
user 'asmith' (from session setup) not permitted to access this share
(dataldap). In the actual client when you open the share, it prompts for
the login creds again and again
When the winbind is disabled,
The user is able to login and access the shares. The issue seems to be with
the folder permissions. The /home drive is setup with 700 as the mask and
the folder permission in smb.conf. The user can create folders but not
rename them. They can create a text file but not rename it. It comes up with
the "You need permission from the following user to make changes" message. The SID
presented is the SID of the user in LDAP.
We have removed and added back the user in the /etc/passwd file in the
fileserver. If we remove it, getent passwd doesn't recognise the user.
Our nsswitch.conf has files ldap
So basically at this stage we are disabling winbind to get LDAP working
Thank you,
RT
On Wed, 3 Oct 2018 16:01:29 +1000 Rob Thoman via samba <samba at lists.samba.org> wrote:
> (quoted original message, see above)

The 'smbd' daemon used to be able to carry out some authentication itself, but now it needs to go through winbind or another agent. It looks like winbind doesn't like ldap any more. All of the current developer focus seems to be aimed at AD, so it looks like something has got broken accidentally. Will it get fixed? Possibly, but only if you provide level 10 logs and/or network traces that show just where the problem is and open a bug report.

This type of thing is not just happening on Samba; Microsoft is having similar problems, but their problems may be on purpose: they declared NT4-style domains EOL over 10 years ago. Your best choice would be to upgrade to AD as soon as possible; this is where all the developer focus is aimed.

Rowland
Hi Rowland,

We are caught in a similar situation. The question is: if the users and groups are defined in /etc/passwd and /etc/group, shouldn't the server auth them using these first, as nsswitch directs the server to look at "files" first? Shouldn't this be the default regardless of winbind/ldap configs?

Regards,
Praveen Ghimire

-------- Original message --------
From: Rowland Penny via samba <samba at lists.samba.org>
Date: 3/10/2018 5:33 PM (GMT+10:00)
To: samba at lists.samba.org
Subject: Re: [Samba] Winbind and nss-ldap
> (quoted reply, see above)
On Wednesday, 3 October 2018, 16:01:29 CEST, Rob Thoman via samba wrote:
> smb.conf of the BDC
>
> netbios name = TRAC5
> local master = no
> domain master = no
> preferred master = no
> domain logons = no

MUST be yes. Read: man smb.conf

> passdb backend = ldapsam:ldap://trac15.ste.com
> ldap admin dn = cn=admin,dc=ste,d=com

Invalid, should be: ldap admin dn = cn=admin,dc=ste,dc=com

> ldap suffix = dc=ste

Invalid, should be: ldap suffix = dc=ste,d=com

> ldap group suffix = ou=groups
> ldap machine suffix = ou=computers
> ldap user suffix = ou=users
> idmap backend = ldap

Deprecated, rtm

> ldap idmap suffix = ou=idmap
> idmap config * : ldap_url = ldap://trac15.ste

Invalid, should be: idmap config * : ldap_url = ldap://trac15.ste,dc=com/

> idmap config * : ldap_base_dn = ou=idmap,dc=ste,dc=com
> idmap config * : ldap_user_dn = cn=admin,dc=ste,dc=com
> ldap delete dn = no
> ldap ssl = start tls

Default

> (rest of the quoted message unchanged, see above)

--
Regards
Harry Jede