On Tue, 2018-10-16 at 20:55 +0100, Rowland Penny via samba wrote:
> On Tue, 16 Oct 2018 12:13:16 -0700
> Emil Henry via samba <samba at lists.samba.org> wrote:
>
> > Hello!
> >
> > We have Samba v3 (3.5.10) working against an LDAP server, and need to
> > upgrade to Samba v4 (4.7.1), as RHEL 7 supports only v4. Tried multiple
> > configs of the smb.conf (including the old config) without success.
> > Cleaned-up smb.conf is below. Also included is the output of a
> > smbclient command on the SMBServer with debug option 10. Hoping that
> > someone can point me in the right direction.
> >
> > Thanks
> >
> > [global]
> > security = user
> > ldap user suffix = ou=people
> > ldap group suffix = ou=groups
> > ldap ssl = off
> > ldap passwd sync = yes
> > ldap delete dn = no
> > workgroup = WORKGROUP
> > server string = "Samba Drives"
> > netbios name = SMBServer
> > log file = /var/log/samba/log.%m
> >
> > # For debugging enable the log level of 5
> > log level = 5
> > max log size = 50
> >
> > # LDAP Settings
> > ldap suffix = "o=EXAMPLE"
> > ldap admin dn = "cn=PUSer,ou=Proxies,ou=Auth,o=EXAMPLE"
> > passdb backend = ldapsam:ldap://ldapserver.example.com
> >
> > [homes]
> > valid users = %S
> > read only = No
> > writeable = yes
> > browseable = no
> > create mask = 0600
> > public = No
> > comment = %u's Z-Drive
> > nt acl support = no
> > inherit permissions = no
> > hide dot files = yes
> > directory mask = 0700
> > force create mode = 0700
> > valid users = MYDOMAIN\%S
> >
>
> Hmm, I don't think this is going to work:
>
> negotiated dialect[SMB3_11] against server[localhost]
>
> Try adding:
>
> server max protocol = NT1
> client max protocol = NT1
>
> to smb.conf.
>
> Check that Samba can contact the ldap server.

G'Day Rowland,

The client-side log shows smbclient contacting smbd fine and getting to
the session setup, so it isn't the protocol version.

Emil,

The logs we need are from Samba on the server, not smbclient.

The use of LDAP by Samba in this configuration is all 'behind' smbd,
not related at all to the smbclient call.

e.g.

[smbclient] <- SMB -> [smbd] <- LDAP -> [slapd]

The use case here is for Samba as a standalone server using an LDAP
server for the passdb. This is a rare configuration; almost all users
of this mode have Samba as DC so that multiple Samba servers can share
the same LDAP backend (even if that functionality is unused). This is
because each server has an internal 'domain' if not a DC, and that has
a SID, and each LDAP entry can only have one SID.

Do you have multiple servers referring to this backend?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
Just because it hasn't yet been mentioned, did you run 'smbpasswd -w <ldap-secret>' to pass samba the admin dn password?

https://wiki.samba.org/index.php/Samba_%26_LDAP#Let_Samba_use_LDAP

Kris Lou
klou at themusiclink.net

On Tue, Oct 16, 2018 at 2:24 PM, Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> [...]
>
> Do you have multiple servers referring to this backend?
>
> Thanks,
>
> Andrew Bartlett
Hi Andrew!

At the moment, there is only 1 Samba server that is working with this LDAP backend that I know of. I just shut down smbd and restarted it. I then did a smbclient call, which failed. I am including the log.smbd as well.

Thanks.

On Tue, Oct 16, 2018 at 2:24 PM Andrew Bartlett <abartlet at samba.org> wrote:
> [...]
>
> Do you have multiple servers referring to this backend?
>
> Thanks,
>
> Andrew Bartlett
Hi Kris!

Sadly, I have done it too many times. :-(

Thanks.

On Tue, Oct 16, 2018 at 3:03 PM Kris Lou via samba <samba at lists.samba.org> wrote:
> Just because it hasn't yet been mentioned, did you run 'smbpasswd -w
> <ldap-secret>' to pass samba the admin dn password?
>
> https://wiki.samba.org/index.php/Samba_%26_LDAP#Let_Samba_use_LDAP
>
> Kris Lou
> klou at themusiclink.net
>
> [...]
On Tue, 2018-10-16 at 15:09 -0700, Emil Henry wrote:
> Hi Andrew!
>
> At the moment, there is only 1 Samba server that is working with this
> LDAP backend that I know of. I just shut down smbd and restarted it.
> I then did a smbclient call, which failed. I am including the log.smbd
> as well.

I think the log you need is in another file, e.g. log.127.0.0.1

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
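An added example, not code from the thread or from the Samba project: a small Python checker for the kind of smb.conf posted at the top of the thread. It reads the file the way smbd does (the last value set for a parameter wins), so it reports the two `valid users` lines in [homes] and which one is actually in effect; it flags `ldap ssl = off` combined with an `ldap://` passdb backend, which sends the `ldap admin dn` bind over the network in the clear; and it expands the `%m` macro in `log file`, which is why the server-side log for a local smbclient test lands in log.127.0.0.1 rather than log.smbd. The sample config is a constructed excerpt of the posted one.

```python
# Constructed excerpt of the smb.conf posted in the thread, used as offline input.
SAMPLE_SMB_CONF = """\
[global]
ldap ssl = off
log file = /var/log/samba/log.%m
ldap admin dn = "cn=PUSer,ou=Proxies,ou=Auth,o=EXAMPLE"
passdb backend = ldapsam:ldap://ldapserver.example.com
[homes]
valid users = %S
valid users = MYDOMAIN\\%S
"""

def parse_smb_conf(text):
    """Parse smb.conf into {section: [(key, value), ...]}, keeping duplicates in
    file order because smbd applies the last value it reads for a parameter."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, val = line.split("=", 1)
            sections[current].append((key.strip().lower(), val.strip()))
    return sections

def find_duplicate_keys(sections):
    """Return (section, key, ignored_value, effective_value) for keys set twice."""
    dups = []
    for sec, items in sections.items():
        seen = {}
        for key, val in items:
            if key in seen:
                dups.append((sec, key, seen[key], val))
            seen[key] = val
    return dups

def weak_ldap_settings(sections):
    """Flag an ldap admin dn bind that would cross the network unencrypted."""
    g = dict(sections.get("global", []))
    if g.get("ldap ssl", "").lower() == "off" and \
            g.get("passdb backend", "").lower().startswith("ldapsam:ldap://"):
        return ["ldap ssl = off with an ldap:// passdb backend: admin dn bind is plaintext"]
    return []

def log_file_for_client(sections, client):
    """Expand %m in 'log file' as smbd does per client (NetBIOS name, or the IP on port 445)."""
    return dict(sections.get("global", [])).get("log file", "").replace("%m", client)
```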