Hi, I'm new to this discussion here, but I was reading and remembered I've solved almost the same problem you're having.

I was connecting a Samba 4 standalone server with an existing LDAP server which was already being used as backend for a Samba 3. In the process of connecting SMB4 I had that SID mismatch issue. To solve it, I used "net setdomainsid" to set the SMB4 domain SID to the one configured on LDAP; that configuration was set in all users.

After this, SMB4 was logging in with LDAP user credentials smoothly.

I know it worked, but this workaround may be a problem in the future, so I also suggest you do what Rowland is saying (I got to do this as well :D), but if you're facing an urgency, like I was, it will help you for a while.

I feel glad to share it with you if it was useful info.

On Wed, Oct 17, 2018 at 17:36, Andrew Bartlett via samba <samba at lists.samba.org> wrote:

> On Wed, 2018-10-17 at 06:17 -0700, Emil Henry via samba wrote:
> > Hi Andrew!
> >
> > > The user 'johndoe' seems to be rejected because it has the wrong SID.
> > >
> > > It is the group in this case, we changed the rules to make them
> > > stricter a while back, the primary group needs a group mapping entry
> > > matching the SID of the standalone server.
> > >
> >
> > How would I match the Primary Group without breaking the existing Samba
> > server that connects to this LDAP server? That samba server does not belong
> > to me, and may stay at v3 for a while longer.
>
> G'Day Emil,
>
> I asked at the start of this if you had any other Samba servers talking
> to this LDAP backend. Clearly we have miscommunicated.
>
> Your configuration is not supported. One 'domain' per LDAP backend is
> the rule.
>
> Each standalone server is a domain of itself. The only way to share a
> backend is to make all servers that use the backend be NT4-like DCs of
> the same domain.
>
> You will need to work with the owner of the other Samba server to
> resolve this. Ideally you would upgrade to Samba's AD DC and make both
> file servers domain members, but as Rowland mentions this can be a long
> and difficult process depending on what else depends on this LDAP
> server.
>
> Sorry,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Hi Junior!

Great info. I had set the DomainSID to the SID from the LDAP server a week or so ago, and that did not help. After your pointer, I then tried to set the LocalSID to the LDAP SID, but it did not hold. Did a Google search, and one suggestion was to add

server role = classic backup domain controller

to the smb.conf. This allowed me to do a "net SetLocalSID" to the SID from the LDAP server, and now everything seems to work. Now I need to check, test and clean up. Thank you for the details.

Thanks.

On Wed, Oct 17, 2018 at 12:37 PM Junior Oliveira <emersonjr.eng at gmail.com> wrote:

> Hi, I'm new to this discussion here, but I was reading and remembered I've
> solved almost the same problem you're having.
>
> I was connecting a Samba 4 standalone server with an existing LDAP server
> which was already being used as backend for a Samba 3. In the process of
> connecting SMB4 I had that SID mismatch issue. To solve it, I used "net
> setdomainsid" to set the SMB4 domain SID to the one configured on LDAP; that
> configuration was set in all users.
>
> After this, SMB4 was logging in with LDAP user credentials smoothly.
>
> I know it worked, but this workaround may be a problem in the future, so I
> also suggest you do what Rowland is saying (I got to do this as well :D), but
> if you're facing an urgency, like I was, it will help you for a while.
>
> I feel glad to share it with you if it was useful info.
>
> On Wed, Oct 17, 2018 at 17:36, Andrew Bartlett via samba <
> samba at lists.samba.org> wrote:
>
> > On Wed, 2018-10-17 at 06:17 -0700, Emil Henry via samba wrote:
> > > Hi Andrew!
> > >
> > > > The user 'johndoe' seems to be rejected because it has the wrong SID.
> > > >
> > > > It is the group in this case, we changed the rules to make them
> > > > stricter a while back, the primary group needs a group mapping entry
> > > > matching the SID of the standalone server.
> > > >
> > >
> > > How would I match the Primary Group without breaking the existing Samba
> > > server that connects to this LDAP server? That samba server does not
> > belong
> > > to me, and may stay at v3 for a while longer.
> >
> > G'Day Emil,
> >
> > I asked at the start of this if you had any other Samba servers talking
> > to this LDAP backend. Clearly we have miscommunicated.
> >
> > Your configuration is not supported. One 'domain' per LDAP backend is
> > the rule.
> >
> > Each standalone server is a domain of itself. The only way to share a
> > backend is to make all servers that use the backend be NT4-like DCs of
> > the same domain.
> >
> > You will need to work with the owner of the other Samba server to
> > resolve this. Ideally you would upgrade to Samba's AD DC and make both
> > file servers domain members, but as Rowland mentions this can be a long
> > and difficult process depending on what else depends on this LDAP
> > server.
> >
> > Sorry,
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett http://samba.org/~abartlet/
> > Authentication Developer, Samba Team http://samba.org
> > Samba Developer, Catalyst IT
> > http://catalyst.net.nz/services/samba
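The mismatch Junior and Emil are working around (accounts in the shared LDAP backend carrying the Samba 3 server's SID prefix, while the Samba 4 standalone server has its own SID) can be made visible before anyone resets a SID. The following read-only check is an added example, not from the thread and not Samba's own tooling: it strips the RID from each sambaSID and sambaPrimaryGroupSID attribute and compares the remaining domain part with the standalone server's SID, which is the comparison Samba's stricter group-mapping rule (Andrew's point above) effectively performs. The server SID and the LDIF-style entries are constructed; on a real server you would substitute the output of `net getlocalsid` and of an `ldapsearch` for those attributes, and check `net groupmap list` for the primary group's mapping entry.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba itself: find LDAP
# accounts whose sambaSID / sambaPrimaryGroupSID do not carry the SID
# prefix of the standalone Samba server, i.e. the mismatch that makes
# the server reject the user (or, as Andrew notes, its primary group).
#
# Constructed values. On a real system the inputs would come from:
#   net getlocalsid                   # the standalone server's own SID
#   net getdomainsid                  # the domain SID the server uses
#   net groupmap list                 # group mappings the server knows
#   ldapsearch -x -LLL -b "$BASE" '(objectClass=sambaSamAccount)' \
#       uid sambaSID sambaPrimaryGroupSID
SERVER_SID="S-1-5-21-1111111111-2222222222-3333333333"

# Constructed LDIF-style output of the ldapsearch above: johndoe was
# created under a different domain SID (the Samba 3 server's), janedoe
# matches the standalone server.
LDAP_ENTRIES='uid: johndoe
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-1000
sambaPrimaryGroupSID: S-1-5-21-4444444444-5555555555-6666666666-513

uid: janedoe
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1001
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513'

# Strip the trailing RID from a SID: S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c
sid_domain_part() {
    printf '%s\n' "${1%-*}"
}

# Walk the LDIF text, printing one line per SID attribute:
#   "<uid> <attribute> OK" or "<uid> <attribute> MISMATCH (<sid>)"
# Returns 1 if any attribute's domain part differs from the server SID.
# The here-document (not a pipe) keeps the loop in the current shell so
# that rc survives after the loop.
check_entries() {
    server_sid=$1
    entries=$2
    rc=0
    uid="?"
    while IFS= read -r line; do
        case $line in
            "uid: "*)
                uid=${line#uid: } ;;
            "sambaSID: "*|"sambaPrimaryGroupSID: "*)
                attr=${line%%:*}
                sid=${line#*: }
                if [ "$(sid_domain_part "$sid")" = "$server_sid" ]; then
                    echo "$uid $attr OK"
                else
                    echo "$uid $attr MISMATCH ($sid)"
                    rc=1
                fi ;;
        esac
    done <<EOF
$entries
EOF
    return $rc
}

# Stand-alone run: print the report and say whether a mismatch was found.
if check_entries "$SERVER_SID" "$LDAP_ENTRIES"; then
    echo "all SIDs match $SERVER_SID"
else
    echo "at least one entry does not match $SERVER_SID"
fi
```

Run as-is it reports two MISMATCH lines for johndoe (both the account SID and the primary group SID belong to the other domain) and OK for janedoe. An entry flagged here is one the standalone server will refuse to map, whichever SID you later decide to change.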
On Wed, 17 Oct 2018 16:45:08 -0700 Emil Henry via samba <samba at lists.samba.org> wrote:

> Hi Junior!
>
> Great info. I had set the DomainSID to the SID from the LDAP server a
> week or so ago, and that did not help. After your pointer, I then
> tried to set the LocalSID to the LDAP SID, but it did not hold. Did a
> Google search, and one suggestion was to add
>
> server role = classic backup domain controller
>
> to the smb.conf. This allowed me to do a "net SetLocalSID" to the SID
> from the LDAP server, and now everything seems to work. Now I need
> to check, test and clean up. Thank you for the details.
>

As I said earlier, if it looks like a duck and quacks like a duck, it probably is a duck, and by adding that line you have proved it is a duck ;-)

Now that you have caught up to about 15 years ago, can I suggest you browse the internet about the problems with using an NT4-style domain with Windows 10. I hope you will then realise that you have a major disaster coming and then get together with the rest of your university's IT dept and sort out the upgrade to Samba AD.

Rowland