Samba standalone server using LDAP for authentication: SID mismatch


I had a similar issue. What I had to do was edit the sambaSID entries for the domain, user and group in LDAP so they would match what my server had. If they do not, you will get the following error messages in the Samba log on your server. To see them, make sure log level = 2 is set in your smb.conf:

[2015/12/03 14:39:19.753690,  1] ../source3/auth/server_info.c:346(samu_to_SamInfo3)
  The primary group domain sid(S-1-5-21-748580849-194208185-3916830000-513) does not match the domain sid(S-1-5-21-2566626306-4294080665-3504248766) for someuser(S-1-5-21-2566626306-4294080665-3504248766-11678)
[2015/12/03 14:39:19.753733,  0] ../source3/auth/check_samsec.c:492(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
[2015/12/03 14:39:19.753755,  2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [someuser] -> [bbogaert] FAILED with error NT_STATUS_UNSUCCESSFUL
[2015/12/03 14:39:19.753777,  2] ../auth/gensec/spnego.c:743(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_UNSUCCESSFUL

On your server, run net getdomainsid. This returns the local SID and the domain SID; these values should match. If they do not, run net setdomainsid with the value of the SID for the local machine.

root@TheWiggle:~# net getdomainsid
SID for local machine THEWIGGLE is: S-1-5-21-748580849-194208185-3916830000
SID for domain THISDOMAIN is: S-1-5-21-748580849-194208185-3916830000

Now, on your LDAP server, take the value of "SID for domain" and make sure this is the value of the sambaSID attribute on the sambaDomainName=THISDOMAIN entry.

Also make sure that the sambaSID and sambaPrimaryGroupSID of the users, and the sambaSID of the group, are composed of the domain SID plus a unique value (the RID) per entry.

For example, the sambaSID for someuser would be S-1-5-21-748580849-194208185-3916830000-99999 and their sambaPrimaryGroupSID would be S-1-5-21-748580849-194208185-3916830000-555. The sambaSID for the group would be S-1-5-21-748580849-194208185-3916830000-77777.

Hope this helps!!!
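The check described in this answer, as an added example that is not part of the original post: it parses the output of net getdomainsid, confirms the local and domain SIDs agree, then walks an LDIF export and reports every sambaSID / sambaPrimaryGroupSID whose domain prefix is not the server's domain SID, keeping the RID and rewriting only the prefix. The net output and the LDIF below are constructed samples (the two SID prefixes are the ones quoted in the log above); in practice you would feed it the real output of net getdomainsid and of ldapsearch -LLL.

```python
"""Compare Samba ldapsam SIDs with the server's domain SID and emit a fixing LDIF.

Added example, not from the original post. It assumes a plain (non-folded,
non-base64) LDIF export and a captured `net getdomainsid` output string.
"""
import re
from typing import Dict, List, Tuple

# Attributes whose values must carry the server's domain SID as prefix.
SID_ATTRS = ("sambaSID", "sambaPrimaryGroupSID")

# Constructed sample of `net getdomainsid` output (values from the thread).
NET_GETDOMAINSID_OUTPUT = """\
SID for local machine THEWIGGLE is: S-1-5-21-748580849-194208185-3916830000
SID for domain THISDOMAIN is: S-1-5-21-748580849-194208185-3916830000
"""

# Constructed sample LDIF: the domain entry and a user still carry the old
# prefix S-1-5-21-2566626306-4294080665-3504248766; the group is already correct.
SAMPLE_LDIF = """\
dn: sambaDomainName=THISDOMAIN,dc=mydomain,dc=com
objectClass: sambaDomain
sambaDomainName: THISDOMAIN
sambaSID: S-1-5-21-2566626306-4294080665-3504248766

dn: uid=someuser,ou=users,dc=mydomain,dc=com
objectClass: sambaSamAccount
uid: someuser
sambaSID: S-1-5-21-2566626306-4294080665-3504248766-11678
sambaPrimaryGroupSID: S-1-5-21-2566626306-4294080665-3504248766-513

dn: cn=staff,ou=groups,dc=mydomain,dc=com
objectClass: sambaGroupMapping
cn: staff
sambaSID: S-1-5-21-748580849-194208185-3916830000-77777
"""


def parse_getdomainsid(text: str) -> Tuple[str, str]:
    """Return (local_sid, domain_sid) from `net getdomainsid` output."""
    local = domain = None
    for line in text.splitlines():
        m = re.match(r"SID for local machine \S+ is: (S-1-5-21-[\d-]+)", line)
        if m:
            local = m.group(1)
        m = re.match(r"SID for domain \S+ is: (S-1-5-21-[\d-]+)", line)
        if m:
            domain = m.group(1)
    if not local or not domain:
        raise ValueError("could not find both SIDs in net getdomainsid output")
    return local, domain


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: 'attr: value' lines, entries separated by blank lines."""
    entries: List[Dict[str, List[str]]] = []
    cur: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(": ")
        cur.setdefault(attr, []).append(val)
    if cur:
        entries.append(cur)
    return entries


def split_sid(sid: str) -> Tuple[str, str]:
    """Split 'S-1-5-21-a-b-c[-rid]' into (domain prefix, rid or '')."""
    parts = sid.split("-")
    if len(parts) == 7:  # bare domain SID, no RID
        return sid, ""
    if len(parts) == 8:
        return "-".join(parts[:7]), parts[7]
    raise ValueError(f"unexpected SID format: {sid}")


def find_mismatches(entries, domain_sid: str) -> List[Tuple[str, str, str, str]]:
    """Return (dn, attr, old, new) for every SID value whose prefix != domain_sid."""
    out = []
    for e in entries:
        dn = e["dn"][0]
        for attr in SID_ATTRS:
            for old in e.get(attr, []):
                prefix, rid = split_sid(old)
                if prefix != domain_sid:
                    new = domain_sid + (f"-{rid}" if rid else "")
                    out.append((dn, attr, old, new))
    return out


def to_modify_ldif(mismatches) -> str:
    """Render 'changetype: modify' records that ldapmodify can apply."""
    chunks = [f"dn: {dn}\nchangetype: modify\nreplace: {attr}\n{attr}: {new}\n"
              for dn, attr, _old, new in mismatches]
    return "\n".join(chunks)


def check(net_output: str = NET_GETDOMAINSID_OUTPUT, ldif: str = SAMPLE_LDIF):
    """Run the whole procedure; refuse to continue if local and domain SID differ."""
    local, domain = parse_getdomainsid(net_output)
    if local != domain:
        raise RuntimeError(f"local SID {local} != domain SID {domain}: "
                           f"run 'net setdomainsid {local}' first")
    return find_mismatches(parse_ldif(ldif), domain)


if __name__ == "__main__":
    for dn, attr, old, new in check():
        print(f"{dn}: {attr} {old} -> {new}")
    print(to_modify_ldif(check()))
```

Pipe the generated LDIF into ldapmodify with the ldap admin dn from smb.conf; after the change, restart smbd so the cached domain info is re-read, then re-run pdbedit -L and confirm the "does not belong to our domain" lines are gone.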

Author: Phil

Updated on September 18, 2022

Comments

  • Phil, almost 2 years ago

    I've been trying to get my new Samba server running for days now and I'm starting to lose my mind over not figuring out what I'm doing wrong. Here's my setup:

    OpenLDAP 2.4.21 server with ~15 groups and >100 users, all having a Unix and a Samba password stored in the LDAP, as well as a User SID and Primary Group SID assigned and stored in the LDAP, derived from the SID of the LDAP server.

    Now I want several Samba servers to use the LDAP server to authenticate users. The Samba server is a Linux box configured with NSS/PAM against the LDAP server. getent passwd/group returns all users and ssh to the Samba machine works for all users. Now here's the smb.conf:

    [global]
    workgroup = XXXXX
    security = user
    passdb backend = ldapsam:ldap://myldapserver
    ldap suffix = dc=mydomain,dc=com
    ldap admin dn = cn=replicator,dc=mydomain,dc=com
    ldap user suffix = ou=users
    ldap group suffix = ou=groups
    ldap machine suffix = ou=computers
    ldap ssl = start tls
    

    The LDAP connection works, as pdbedit -L shows:

    pm_process() returned Yes
    smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBAHOSTNAME))]
    StartTLS issued: using a TLS connection
    smbldap_open_connection: connection opened
    ldap_connect_system: successful connection to the LDAP server
    The LDAP server is successfully connected
    smbldap_search_paged: base => [dc=mydomain,dc=com], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
    smbldap_search_paged: search was successful
    sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain
    

    and then the last message repeats for all uids. Using smbclient -L localhost -U someid, the log file says:

    check_ntlm_password:  Checking password for unmapped user [XXX]\[someid]@[SAMBAHOST] with the new password interface
    check_ntlm_password:  mapped user is: [SAMBAHOST]\[someid]@[SAMBAHOST]
    StartTLS issued: using a TLS connection
    smbldap_open_connection: connection opened
    ldap_connect_system: successful connection to the LDAP server
    The LDAP server is successfully connected
    init_sam_from_ldap: Entry found for user: someid
    Home server: SAMBAHOST
    Home server: SAMBAHOST
    init_group_from_ldap: Entry found for group: 1011
    init_group_from_ldap: Entry found for group: 1011
    Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN and not a domain group
    Forcing Primary Group to 'Domain Users' for someid
    ntlm_password_check: Checking NTLMv2 password with domain [CIN]
    sam_account_ok: Checking SMB password for user someid
    The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not match the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708)
    check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
    check_ntlm_password:  Authentication for user [someid] -> [someid] FAILED with error NT_STATUS_UNSUCCESSFUL
    

    What I see here is that the Samba server does not recognize the primary group of the user (which is an existing group in the LDAP) and therefore maps the primary group to its local "Domain Users" group, which then obviously does not match the domain SID of the user. But why doesn't the Samba server recognize the group? Or is there a different underlying problem?

    What I tried so far:

    Changing the SID of the Samba server to the SID of the LDAP server, but net setlocalsid S-... did not change the local SID. No error message, it just executed successfully, but getlocalsid returned the old SID.

    Setting the domain SID of the Samba server to the SID of the LDAP server. net setdomainsid S-... was successful, but the Samba server still refuses to authenticate the users.

    Tried adding the server to the domain with net join XXX, but the answer was just "standalone server cannot join domain".

    I tried running smbpasswd -a to add the user to the local Samba db (even though this would not be an option for the final solution, but that's what other users recommended), but the error didn't change.

    How can I either tell Samba to ignore the domain SID mismatch or force Samba to have the same SID as the LDAP? Or would this cause other problems if ~10 Samba servers and the LDAP all end up with the exact same SID?