HI Andrew!

> The user 'johndoe' seems to be rejected because it has the wrong SID.
>
> It is the group in this case, we changed the rules to make them
> stricter a while back, the primary group needs a group mapping entry
> matching the SID of the standalone server.

How would I match the Primary Group without breaking the existing Samba server that connects to this LDAP server? That samba server does not belong to me, and may stay at v3 for a while longer.

Thanks!
On Wed, 17 Oct 2018 06:17:10 -0700
Emil Henry <hbcsc153 at gmail.com> wrote:

> HI Andrew!
>
> > The user 'johndoe' seems to be rejected because it has the wrong
> > SID.
> >
> > It is the group in this case, we changed the rules to make them
> > stricter a while back, the primary group needs a group mapping entry
> > matching the SID of the standalone server.
> >
>
> How would I match the Primary Group without breaking the existing
> Samba server that connects to this LDAP server? That samba server
> does not belong to me, and may stay at v3 for a while longer.
>
> Thanks!

You cannot, it isn't the RID that is the problem, it is the domain SID.

Rowland
On Wed, 2018-10-17 at 06:17 -0700, Emil Henry via samba wrote:
> HI Andrew!
>
> > The user 'johndoe' seems to be rejected because it has the wrong SID.
> >
> > It is the group in this case, we changed the rules to make them
> > stricter a while back, the primary group needs a group mapping entry
> > matching the SID of the standalone server.
> >
>
> How would I match the Primary Group without breaking the existing Samba
> server that connects to this LDAP server? That samba server does not belong
> to me, and may stay at v3 for a while longer.

G'Day Emil,

I asked at the start of this if you had any other Samba servers talking to this LDAP backend. Clearly we have miscommunicated.

Your configuration is not supported. One 'domain' per LDAP backend is the rule.

Each standalone server is a domain of itself. The only way to share a backend is to make all servers that use the backend be NT4-like DCs of the same domain.

You will need to work with the owner of the other Samba server to resolve this. Ideally you would upgrade to Samba's AD DC and make both file servers domain members, but as Rowland mentions this can be a long and difficult process depending on what else depends on this LDAP server.

Sorry,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Hi, I'm new to this discussion here, but I was reading and remembered I've solved almost the same problem you're having.

I was connecting a Samba 4 standalone server to an existing LDAP server which was already being used as the backend for a Samba 3. In the process of connecting SMB4 I had that SID mismatch issue. To solve it, I used "net setdomainsid" to set the SMB4 domain SID to the one configured in LDAP; that configuration was set on all users. After this, SMB4 was logging in with LDAP user credentials smoothly.

I know it worked, but this work-around may be a problem in the future, so I also suggest you do what Rowland is saying (I got to do this as well :D), but if you're facing an urgency, like I was, it will help you for a while.

I'm glad to share it with you if it was useful info.

On Wed, 17 Oct 2018 at 17:36, Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> On Wed, 2018-10-17 at 06:17 -0700, Emil Henry via samba wrote:
> > HI Andrew!
> >
> > > The user 'johndoe' seems to be rejected because it has the wrong SID.
> > >
> > > It is the group in this case, we changed the rules to make them
> > > stricter a while back, the primary group needs a group mapping entry
> > > matching the SID of the standalone server.
> > >
> >
> > How would I match the Primary Group without breaking the existing Samba
> > server that connects to this LDAP server? That samba server does not
> > belong to me, and may stay at v3 for a while longer.
>
> G'Day Emil,
>
> I asked at the start of this if you had any other Samba servers talking
> to this LDAP backend. Clearly we have miscommunicated.
>
> Your configuration is not supported. One 'domain' per LDAP backend is
> the rule.
>
> Each standalone server is a domain of itself. The only way to share a
> backend is to make all servers that use the backend be NT4-like DCs of
> the same domain.
>
> You will need to work with the owner of the other Samba server to
> resolve this. Ideally you would upgrade to Samba's AD DC and make both
> file servers domain members, but as Rowland mentions this can be a long
> and difficult process depending on what else depends on this LDAP
> server.
>
> Sorry,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
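The replies above turn on one check: whether the domain part (everything before the trailing RID) of the sambaSID and sambaPrimaryGroupSID values stored in the LDAP backend equals the domain SID of the server reading them, and whether the backend carries more than one domain SID at all (Andrew's "one domain per LDAP backend" rule). The script below is an added example, not code from this thread or from the Samba project, that performs that check on LDIF text; the LDIF entries and SIDs are constructed for the example, and the function names are the author's own. It works on any LDIF dump that carries those attributes, not only on the two-user sample embedded here.

```shell
#!/bin/sh
# Added example: audit the domain SID of Samba account entries in an LDAP backend.
# Constructed LDIF sample in the shape ldapsearch -LLL prints; the SIDs are made up.
SAMPLE_LDIF='dn: uid=johndoe,ou=People,dc=example,dc=com
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1000
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513

dn: uid=alice,ou=People,dc=example,dc=com
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1002
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513
'

# Constructed backend shared by two "domains": bob was created by a server
# with a different domain SID, which is the unsupported situation from the thread.
MIXED_LDIF="$SAMPLE_LDIF
dn: uid=bob,ou=People,dc=example,dc=com
sambaSID: S-1-5-21-9999999999-8888888888-7777777777-1004
sambaPrimaryGroupSID: S-1-5-21-9999999999-8888888888-7777777777-513
"

# domain_part SID: strip the trailing RID, leaving the domain SID.
domain_part() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# check_sids LOCAL_DOMAIN_SID LDIF_TEXT
# Prints one MISMATCH line per SID attribute whose domain part differs from
# LOCAL_DOMAIN_SID. Exit status 0 when every entry belongs to that domain,
# 1 otherwise, so it can gate a deployment step.
check_sids() {
    printf '%s\n' "$2" | awk -v dom="$1" '
        /^dn: / { dn = substr($0, 5) }
        /^sambaSID: / || /^sambaPrimaryGroupSID: / {
            attr = $1; sub(/:$/, "", attr)
            sid = $2
            sidDom = sid; sub(/-[0-9]+$/, "", sidDom)
            if (sidDom != dom) {
                printf "MISMATCH %s %s=%s (domain %s)\n", dn, attr, sid, sidDom
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# distinct_domain_sids LDIF_TEXT
# Prints each distinct domain SID present in the backend, one per line.
# A backend that follows the one-domain rule prints exactly one line.
distinct_domain_sids() {
    printf '%s\n' "$1" | awk '
        /^sambaSID: / || /^sambaPrimaryGroupSID: / {
            d = $2; sub(/-[0-9]+$/, "", d)
            if (!(d in seen)) { seen[d] = 1; print d }
        }
    '
}

# Stand-alone run: audit the mixed sample against the first domain.
if [ "${1:-}" = "--demo" ]; then
    echo "Domain SIDs present in backend:"
    distinct_domain_sids "$MIXED_LDIF"
    echo "Entries foreign to S-1-5-21-1111111111-2222222222-3333333333:"
    check_sids S-1-5-21-1111111111-2222222222-3333333333 "$MIXED_LDIF" || echo "backend is NOT single-domain"
fi
```

Against a live backend, the LDIF text would come from `ldapsearch -x -LLL -b "$BASE" '(objectClass=sambaSamAccount)' sambaSID sambaPrimaryGroupSID`, and the local domain SID from the last field of `net getlocalsid` output. Run this way, the check shows why `net setdomainsid` on the new server makes the mismatch disappear (the server's SID now equals the one in the backend) while `distinct_domain_sids` still shows whether the Samba 3 server writes entries under that same SID; if it does not, the backend is serving two domains and Andrew's warning applies.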