ERIC PEYREMORTE
2020-Jul-07 10:39 UTC
[Samba] NT4 Domain PDC with Ldap backend and domain members
Hi, thanks for your answer.

We are migrating to AD, but the legacy domain will stay for a few months. I still use samba 4.2 (before upgrading every file server).

I don't understand how winbind will be used. I don't need an ou=Idmap, as the user entry in uid=login already contains the association between uid and sambaSID in the openldap passdb backend (on the DC).

I just need the domain member to use that information; it seems that winbind is unable to do that: it's going to make its own uid <> sid mapping and store it in ldap ou=idmap.

Maybe it's not possible to correctly use a domain member with a samba 3 + openldap pdc? I didn't find any winbind doc covering that case...

Cheers

From: "sambalist" <samba at lists.samba.org>
To: "sambalist" <samba at lists.samba.org>
Sent: Tuesday 7 July 2020 12:02:51
Subject: Re: [Samba] NT4 Domain PDC with Ldap backend and domain members

On 07/07/2020 10:46, ERIC PEYREMORTE via samba wrote:
> Hi,
>
> I still have an old samba 4 (not AD) NT4 domain controller.
>
> I use an openldap backend on the PDC, where my users are stored with all their attributes (uidnumber, sambaSID etc....)
>
> I have two file servers as domain members.
>
> When I connect to a share on the domain controller itself, right click properties on a file / security tabs under Windows gives me the ACL properly:
> "MYDOMAIN\User"
>
> But when I connect to a share on a domain member, right click / security tabs under Windows, I get:
> "Unix User\User"
>
> (User gets mapped to local user, but ACL not displayed properly)
>
> It makes some applications checking for user permissions fail (Eclipse 2020 for example)
>
> ----
>
> I tried using passdb backend = ldapsam:ldap://172.30.1.250/ on my domain member: it works great and the acl are ok.
>
> But it adds a sambaDomainName entry in my ldap.
>
> I've seen an old thread here with an answer from Andrew Bartlett mentioning we should not use ldapsam as passdb backend on a domain member:
>
>> https://lists.samba.org/archive/samba/2012-January/165972.html
>> This is why the entry is created. You have pointed your member
>> server at the LDAP backend of the DC. The member server started to
>> write its own information there. Simply remove this line and use a
>> local passdb for the local users - communication between Samba member
>> servers and Samba3 DCs is not over LDAP.
>
> So I don't understand how I should configure properly the domain member.
>
> I don't need winbind, as all my users are already SID to uidnumber mapped in the ldap backend.
>
> I've read all the docs, and still can't figure it out. Doing as Andrew suggests breaks the ACL, and I get an empty net groupmap list.
>
> Any ideas?

Yes, do what Andrew said, use winbind, in fact, if you are using Samba >= 4.8.0, you must use winbind. From Samba 4.8.0, smbd can no longer contact the PDC directly, it must use winbind.

From the release notes for 4.8.0:

Setups with "security = domain" or "security = ads" require a running 'winbindd' now. The fallback that smbd directly contacts domain controllers is gone.

Can I also suggest that you consider upgrading to AD, before it stops working again (Microsoft has twice broken NT4-style domains by accident, they fixed them, next time they might not).

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland penny
2020-Jul-07 11:11 UTC
[Samba] NT4 Domain PDC with Ldap backend and domain members
On 07/07/2020 11:39, ERIC PEYREMORTE wrote:
> Hi, thanks for your answer.
>
> We are migrating to AD, but the legacy domain will stay for a few
> months. I still use samba 4.2 (before upgrading every file server).

4.2 is EOL, but I think you know that ;-)

> I don't understand how winbind will be used. I don't need an ou=Idmap
> as user entry in uid=login already contains the association between
> uid and sambaSID in the openldap passdb backend (on the DC).

OK, your PDC needs to know who your users and groups are, but, like an AD DC, you shouldn't use the PDC as a fileserver.

> I just need the domain member to use that information, it seems that
> winbind is unable to do that: it's going to make its own uid <> sid
> mapping and store it in ldap ou=idmap.

It doesn't actually. I created a test NT4-style domain last week, to remind me how they worked: you create the users and groups on the PDC, joining a computer creates a computer object in ldap on the PDC. However, your users and groups get IDs from winbind based on the range you set in the client's smb.conf.

> Maybe it's not possible to correctly use a domain member with a samba 3
> + openldap pdc? I didn't find any winbind doc covering that case...

By 'samba 3' do you mean Samba version 3.x.x and if so, what version, or do you mean an NT4-style domain?

Rowland
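As an added illustration (not a configuration posted in this thread), here is a minimal smb.conf for an NT4-style domain member set up the way Rowland describes: winbindd allocates the Unix IDs from a range in the member's own smb.conf, and the member is not pointed at the PDC's LDAP as its passdb. The domain name MYDOMAIN, the idmap backends and the ranges are assumptions; the ldapsam line shown commented out is the one from the original question.

```ini
# smb.conf on the domain member (added example; MYDOMAIN and the ranges are assumed)
[global]
    workgroup = MYDOMAIN
    security = domain

    # Do NOT reuse the PDC's LDAP as the member's passdb. This is the line from
    # the question that makes the member write its own sambaDomainName entry:
    #   passdb backend = ldapsam:ldap://172.30.1.250/
    # A member only needs a local passdb for local accounts:
    passdb backend = tdbsam

    # Since Samba 4.8.0 smbd no longer contacts the PDC itself; winbindd must
    # be running, and it is winbind that hands out the IDs below.
    # Default range: BUILTIN and SIDs from domains not listed explicitly.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # Domain users and groups get IDs from this range, derived from the RID.
    # These IDs come from this range, not from uidNumber in the PDC's LDAP,
    # so use the same range on every member to keep IDs consistent.
    idmap config MYDOMAIN : backend = rid
    idmap config MYDOMAIN : range = 10000-999999

    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
```

After joining with net rpc join, `wbinfo -u` and `getent passwd` (with winbind listed in nsswitch.conf) should show the domain users with IDs from the MYDOMAIN range, and the security tab on the member's shares should then resolve to MYDOMAIN\User rather than Unix User\User.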
ERIC PEYREMORTE
2020-Jul-07 12:16 UTC
[Samba] NT4 Domain PDC with Ldap backend and domain members
Sorry, I say samba 3, meaning samba not AD but an NT4-style domain, as I use samba 4.2 on this machine.

It's a shame I can't use openldap user information on the domain member, as the mappings are already done there.

Using passdb backend = ldapsam:ldap://172.30.1.250/ works, but I need to hack the SID in sambaDomainName to match the domain SID (meaning my member SID for the local machine matches the SID for the domain using net getdomainsid on the client).

Eric

From: "sambalist" <samba at lists.samba.org>
To: "sambalist" <samba at lists.samba.org>
Sent: Tuesday 7 July 2020 13:11:23
Subject: Re: [Samba] NT4 Domain PDC with Ldap backend and domain members

On 07/07/2020 11:39, ERIC PEYREMORTE wrote:
> Hi, thanks for your answer.
>
> We are migrating to AD, but the legacy domain will stay for a few
> months. I still use samba 4.2 (before upgrading every file server).

4.2 is EOL, but I think you know that ;-)

> I don't understand how winbind will be used. I don't need an ou=Idmap
> as user entry in uid=login already contains the association between
> uid and sambaSID in the openldap passdb backend (on the DC).

OK, your PDC needs to know who your users and groups are, but, like an AD DC, you shouldn't use the PDC as a fileserver.

> I just need the domain member to use that information, it seems that
> winbind is unable to do that: it's going to make its own uid <> sid
> mapping and store it in ldap ou=idmap.

It doesn't actually. I created a test NT4-style domain last week, to remind me how they worked: you create the users and groups on the PDC, joining a computer creates a computer object in ldap on the PDC. However, your users and groups get IDs from winbind based on the range you set in the client's smb.conf.

> Maybe it's not possible to correctly use a domain member with a samba 3
> + openldap pdc? I didn't find any winbind doc covering that case...

By 'samba 3' do you mean Samba version 3.x.x and if so, what version, or do you mean an NT4-style domain?
Rowland