Hi Guys, Have some issues with winbind and nss-ldap in LDAP based NT4 BDC/fileserver The DC has the LDAP server role and the BDC connects to it for authentication. smb.conf of the BDC netbios name = TRAC5 local master = no domain master = no preferred master = no domain logons = no passdb backend = ldapsam:ldap://trac15.ste.com ldap admin dn = cn=admin,dc=ste,d=com ldap suffix = dc=ste ldap group suffix = ou=groups ldap machine suffix = ou=computers ldap user suffix = ou=users idmap backend = ldap ldap idmap suffix = ou=idmap idmap config * : ldap_url = ldap://trac15.ste idmap config * : ldap_base_dn = ou=idmap,dc=ste,dc=com idmap config * : ldap_user_dn = cn=admin,dc=ste,dc=com ldap delete dn = no ldap ssl = start tls We've setup libnss-ldap in the servers (both trac15 and trac5) When we enable winbind service, we get the following error user 'asmith' (from session setup) not permitted to access this share (dataldap). In the actual client when you open the share, it prompts for the login creds again and again When the winbind is disabled, The user is able to login and access the shares. The issue seems to be with the folder permissions. The /home drive is setup with 700 as the mask and the folder permission in smb.conf. The user can create folders but not rename them. They can create a text file but not rename them. It comes with the You need permission from a the following user to make changes. The SID presented is the SID of the user in LDAP We have removed and added back the user in the /etc/passwd file in the fileserver. If we remove it the getent passwd doesn't recoginse the user. Our nsswitch.conf has files ldap So basically at this stage we are disabling winbind to get LDAP working Thank you, RT
On Wed, 3 Oct 2018 16:01:29 +1000 Rob Thoman via samba <samba at lists.samba.org> wrote:> Hi Guys, > > Have some issues with winbind and nss-ldap in LDAP based NT4 > BDC/fileserver > > The DC has the LDAP server role and the BDC connects to it for > authentication. > > smb.conf of the BDC > > netbios name = TRAC5 > local master = no > domain master = no > preferred master = no > domain logons = no > passdb backend = ldapsam:ldap://trac15.ste.com > ldap admin dn = cn=admin,dc=ste,d=com > ldap suffix = dc=ste > ldap group suffix = ou=groups > ldap machine suffix = ou=computers > ldap user suffix = ou=users > idmap backend = ldap > ldap idmap suffix = ou=idmap > idmap config * : ldap_url = ldap://trac15.ste > idmap config * : ldap_base_dn = ou=idmap,dc=ste,dc=com > idmap config * : ldap_user_dn = cn=admin,dc=ste,dc=com > ldap delete dn = no > ldap ssl = start tls > > We've setup libnss-ldap in the servers (both trac15 and trac5) > > When we enable winbind service, we get the following error > user 'asmith' (from session setup) not permitted to access this share > (dataldap). In the actual client when you open the share, it prompts > for the login creds again and again > > When the winbind is disabled, > The user is able to login and access the shares. The issue seems to > be with the folder permissions. The /home drive is setup with 700 as > the mask and the folder permission in smb.conf. The user can create > folders but not rename them. They can create a text file but not > rename them. It comes with the You need permission from a the > following user to make changes. The SID presented is the SID of the > user in LDAP > > We have removed and added back the user in the /etc/passwd file in the > fileserver. If we remove it the getent passwd doesn't recoginse the > user. Our nsswitch.conf has files ldap > > So basically at this stage we are disabling winbind to get LDAP > working > > Thank you, > > RTThe 'smbd' deamon used to be able to carry out some authentication it self, but now it needs to go through winbind or another agent. It looks like winbind doesn't like ldap any more. All of the current developer focus seems to be aimed at AD, so it looks like something has got broken accidentally. Will it get fixed, possibly, but only if you provide level 10 logs and/or network traces that show just where the problem is and open a bugreport. This type of thing is not just happening on Samba, Microsoft is having similar problems, but their problems may be on purpose, they declared NT4-style domains EOL over 10 years ago. Your best choice would be to upgrade to AD as soon as possible, this is where all the developer focus is aimed at. Rowland
Hi Rowland, We are caught in a similar situation. The question is if the users and groups are defined in /etc/passwd and /etc/group, shouldn't the server auth them using these first? As nsswitch directs the server to look at "files" first . Shouldn't this be the default regardlessof winbind/ldap configs? Regards, Praveen Ghimire -------- Original message -------- From: Rowland Penny via samba <samba at lists.samba.org> Date: 3/10/2018 5:33 PM (GMT+10:00) To: samba at lists.samba.org Subject: Re: [Samba] Winbind and nss-ldap On Wed, 3 Oct 2018 16:01:29 +1000 Rob Thoman via samba <samba at lists.samba.org> wrote:> Hi Guys, > > Have some issues with winbind and nss-ldap in LDAP based NT4 > BDC/fileserver > > The DC has the LDAP server role and the BDC connects to it for > authentication. > > smb.conf of the BDC > > netbios name = TRAC5 > local master = no > domain master = no > preferred master = no > domain logons = no > passdb backend = ldapsam:ldap://trac15.ste.com > ldap admin dn = cn=admin,dc=ste,d=com > ldap suffix = dc=ste > ldap group suffix = ou=groups > ldap machine suffix = ou=computers > ldap user suffix = ou=users > idmap backend = ldap > ldap idmap suffix = ou=idmap > idmap config * : ldap_url = ldap://trac15.ste > idmap config * : ldap_base_dn = ou=idmap,dc=ste,dc=com > idmap config * : ldap_user_dn = cn=admin,dc=ste,dc=com > ldap delete dn = no > ldap ssl = start tls > > We've setup libnss-ldap in the servers (both trac15 and trac5) > > When we enable winbind service, we get the following error > user 'asmith' (from session setup) not permitted to access this share > (dataldap). In the actual client when you open the share, it prompts > for the login creds again and again > > When the winbind is disabled, > The user is able to login and access the shares. The issue seems to > be with the folder permissions. The /home drive is setup with 700 as > the mask and the folder permission in smb.conf. The user can create > folders but not rename them. They can create a text file but not > rename them. It comes with the You need permission from a the > following user to make changes. The SID presented is the SID of the > user in LDAP > > We have removed and added back the user in the /etc/passwd file in the > fileserver. If we remove it the getent passwd doesn't recoginse the > user. Our nsswitch.conf has files ldap > > So basically at this stage we are disabling winbind to get LDAP > working > > Thank you, > > RTThe 'smbd' deamon used to be able to carry out some authentication it self, but now it needs to go through winbind or another agent. It looks like winbind doesn't like ldap any more. All of the current developer focus seems to be aimed at AD, so it looks like something has got broken accidentally. Will it get fixed, possibly, but only if you provide level 10 logs and/or network traces that show just where the problem is and open a bugreport. This type of thing is not just happening on Samba, Microsoft is having similar problems, but their problems may be on purpose, they declared NT4-style domains EOL over 10 years ago. Your best choice would be to upgrade to AD as soon as possible, this is where all the developer focus is aimed at. Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba ______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com ______________________________________________________________________
Am Mittwoch, 3. Oktober 2018, 16:01:29 CEST schrieb Rob Thoman via samba:> Hi Guys, > > Have some issues with winbind and nss-ldap in LDAP based NT4 > BDC/fileserver > > The DC has the LDAP server role and the BDC connects to it for > authentication. > > smb.conf of the BDC > > netbios name = TRAC5 > local master = no > domain master = no > preferred master = no > domain logons = noMUST be yes. Read: man smb.conf> passdb backend = ldapsam:ldap://trac15.ste.com > ldap admin dn = cn=admin,dc=ste,d=comInvalid, should be: ldap admin dn = cn=admin,dc=ste,dc=com> ldap suffix = dc=steInvalid, should be: ldap suffix = dc=ste,d=com> ldap group suffix = ou=groups > ldap machine suffix = ou=computers > ldap user suffix = ou=users > idmap backend = ldapDeprecated, rtm> ldap idmap suffix = ou=idmap > idmap config * : ldap_url = ldap://trac15.steInvalid, should be: idmap config * : ldap_url = ldap://trac15.ste,dc=com/> idmap config * : ldap_base_dn = ou=idmap,dc=ste,dc=com > idmap config * : ldap_user_dn = cn=admin,dc=ste,dc=com > ldap delete dn = no > ldap ssl = start tlsDefault> > We've setup libnss-ldap in the servers (both trac15 and trac5) > > When we enable winbind service, we get the following error > user 'asmith' (from session setup) not permitted to access this share > (dataldap). In the actual client when you open the share, it prompts > for the login creds again and again > > When the winbind is disabled, > The user is able to login and access the shares. The issue seems to be > with the folder permissions. The /home drive is setup with 700 as the > mask and the folder permission in smb.conf. The user can create > folders but not rename them. They can create a text file but not > rename them. It comes with the You need permission from a the > following user to make changes. The SID presented is the SID of the > user in LDAP > > We have removed and added back the user in the /etc/passwd file in the > fileserver. If we remove it the getent passwd doesn't recoginse the > user. Our nsswitch.conf has files ldap > > So basically at this stage we are disabling winbind to get LDAP > working > > Thank you, > > RT-- Gruss Harry Jede