Samba standalone server using LDAP for authentication: SID mismatch
I had a similar issue. What I had to do was edit the sambaSID entries for the domain, user and group in LDAP so they would match with what my server had. If not, you will get the following error message in the Samba log on your server. To see this log, be sure log level = 2 is set in your smb.conf:
[2015/12/03 14:39:19.753690, 1] ../source3/auth/server_info.c:346(samu_to_SamInfo3)
The primary group domain sid(S-1-5-21-748580849-194208185-3916830000-513) does not match the domain sid(S-1-5-21-2566626306-4294080665-3504248766) for someuser(S-1-5-21-2566626306-4294080665-3504248766-11678)
[2015/12/03 14:39:19.753733, 0] ../source3/auth/check_samsec.c:492(check_sam_security)
check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
[2015/12/03 14:39:19.753755, 2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [someuser] -> [bbogaert] FAILED with error NT_STATUS_UNSUCCESSFUL
[2015/12/03 14:39:19.753777, 2] ../auth/gensec/spnego.c:743(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_UNSUCCESSFUL
On your server run net getdomainsid. This will return the localsid and domainsid. These values should match. If they do not, run net setdomainsid with the value of "SID for local machine".
root@TheWiggle:~# net getdomainsid
SID for local machine THEWIGGLE is: S-1-5-21-748580849-194208185-3916830000
SID for domain THISDOMAIN is: S-1-5-21-748580849-194208185-3916830000
Now on your LDAP server take the value of "SID for domain" and make sure this is the value of the attribute sambaSID for sambaDomainName=THISDOMAIN.
Also make sure sambaSID and sambaPrimaryGroupID of the users, and sambaSID of the group, are composed of the "SID for domain" and a unique value for the attribute.
For example, the sambaSID for someuser would be S-1-5-21-748580849-194208185-3916830000-99999 and their sambaPrimaryGroupID would be S-1-5-21-748580849-194208185-3916830000-555. The sambaSID for the group would be S-1-5-21-748580849-194208185-3916830000-77777.
Hope this helps!!!
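The SID consistency check this answer walks through, as an added Python example that is not from the answer's author or from the Samba project: it parses what net getdomainsid prints, reads an LDIF dump of the domain, user and group entries, flags every sambaSID or sambaPrimaryGroupID whose domain part differs from the server's domain SID, and renders an LDIF changefile that keeps each entry's own RID while swapping the domain prefix. The sample net output and LDIF are constructed from the SIDs shown in the answer; the helper names (audit, find_mismatches, to_ldif_modify) and the minimal LDIF reader are assumptions, not Samba tooling.

```python
import re

# Constructed sample of what `net getdomainsid` prints on the Samba host.
NET_GETDOMAINSID_OUTPUT = """\
SID for local machine THEWIGGLE is: S-1-5-21-748580849-194208185-3916830000
SID for domain THISDOMAIN is: S-1-5-21-748580849-194208185-3916830000
"""

# Constructed LDIF excerpt of the kind `ldapsearch` returns. The domain entry
# and the user still carry the old SID; the group has already been converted.
LDIF_SAMPLE = """\
dn: sambaDomainName=THISDOMAIN,dc=mydomain,dc=com
objectClass: sambaDomain
sambaDomainName: THISDOMAIN
sambaSID: S-1-5-21-2566626306-4294080665-3504248766

dn: uid=someuser,ou=users,dc=mydomain,dc=com
objectClass: sambaSamAccount
uid: someuser
sambaSID: S-1-5-21-2566626306-4294080665-3504248766-11678
sambaPrimaryGroupID: S-1-5-21-2566626306-4294080665-3504248766-513

dn: cn=staff,ou=groups,dc=mydomain,dc=com
objectClass: sambaGroupMapping
cn: staff
sambaSID: S-1-5-21-748580849-194208185-3916830000-77777
"""

# A domain SID is S-1-5-21-<a>-<b>-<c>; an account or group SID adds a RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)(?:-(\d+))?$")


def parse_getdomainsid(output):
    """Return (local_sid, domain_sid) from the text `net getdomainsid` prints."""
    local = domain = None
    for line in output.splitlines():
        m = re.match(r"SID for (local machine|domain) \S+ is: (S-[\d-]+)", line)
        if m and m.group(1) == "local machine":
            local = m.group(2)
        elif m:
            domain = m.group(2)
    return local, domain


def parse_ldif(text):
    """Minimal LDIF reader (hypothetical): one dict per entry, attr -> values."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(": ")
        cur.setdefault(key, []).append(val)
    if cur:
        entries.append(cur)
    return entries


def find_mismatches(entries, domain_sid):
    """List (dn, attribute, old, new) for every SID outside domain_sid.
    The domain entry must equal domain_sid exactly; users and groups must
    carry domain_sid plus a RID, and the RID is preserved in the fix."""
    fixes = []
    for e in entries:
        dn = e["dn"][0]
        is_domain = "sambaDomain" in e.get("objectClass", [])
        attrs = ["sambaSID"] if is_domain else ["sambaSID", "sambaPrimaryGroupID"]
        for attr in attrs:
            for val in e.get(attr, []):
                m = SID_RE.match(val)
                if not m:
                    fixes.append((dn, attr, val, None))  # not a SID at all
                    continue
                prefix, rid = m.group(1), m.group(2)
                if is_domain:
                    if val != domain_sid:
                        fixes.append((dn, attr, val, domain_sid))
                elif rid is None or prefix != domain_sid:
                    fixes.append((dn, attr, val, None if rid is None else f"{domain_sid}-{rid}"))
    return fixes


def to_ldif_modify(fixes):
    """Render fixes as an LDIF changefile suitable for ldapmodify; entries
    with no usable RID are skipped because they need a human decision."""
    out = []
    for dn, attr, old, new in fixes:
        if new is not None:
            out.append(f"dn: {dn}\nchangetype: modify\nreplace: {attr}\n{attr}: {new}\n")
    return "\n".join(out)


def audit(net_output, ldif_text):
    """Check the server's own SIDs first, then every directory entry."""
    local, domain = parse_getdomainsid(net_output)
    fixes = find_mismatches(parse_ldif(ldif_text), domain)
    return {"local_sid": local, "domain_sid": domain,
            "server_consistent": local is not None and local == domain,
            "fixes": fixes}


if __name__ == "__main__":
    r = audit(NET_GETDOMAINSID_OUTPUT, LDIF_SAMPLE)
    if not r["server_consistent"]:
        print(f"local and domain SID differ; run: net setdomainsid {r['local_sid']}")
    for dn, attr, old, new in r["fixes"]:
        print(f"{dn}: {attr} {old} -> {new}")
    print(to_ldif_modify(r["fixes"]))
```

On the constructed data the audit reports the domain entry and both of someuser's SIDs as mismatched and leaves the already-converted group alone; review the generated changefile before applying it, since rewriting sambaSID values changes which accounts and groups Samba considers part of the domain.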
Phil, updated on September 18, 2022

Phil (almost 2 years ago):
I'm trying to get my new samba server running for days now and I start losing my mind over not figuring out what I'm doing wrong. Here's my setup:
OpenLDAP 2.4.21 server with ~15 groups and >100 users, all having a unix and a samba password stored in the LDAP as well as a User SID and Primary Group SID assigned and stored in the LDAP, derived from the SID of the LDAP Server.
Now I want to use several samba servers to use the LDAP server to authenticate users. The samba server is a linux configured with NSS/PAM using the ldap server. getent passwd/group returns all users and ssh to the samba machine works for all users. Now here's the smb.conf:
[global]
workgroup = XXXXX
security = user
passdb backend = ldapsam:ldap://myldapserver
ldap suffix = dc=mydomain,dc=com
ldap admin dn = cn=replicator,dc=mydomain,dc=com
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap ssl = start tls
The ldap connection works, as pdbedit -L shows:
pm_process() returned Yes
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBAHOSTNAME))]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
The LDAP server is successfully connected
smbldap_search_paged: base => [dc=mydomain,dc=com], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
smbldap_search_paged: search was successful
sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain
and then the last message repeats for all uids. Using smbclient -L localhost -U someid the log file says:
check_ntlm_password: Checking password for unmapped user [XXX]\[someid]@[SAMBAHOST] with the new password interface
check_ntlm_password: mapped user is: [SAMBAHOST]\[someid]@[SAMBAHOST]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
The LDAP server is successfully connected
init_sam_from_ldap: Entry found for user: someid
Home server: SAMBAHOST
Home server: SAMBAHOST
init_group_from_ldap: Entry found for group: 1011
init_group_from_ldap: Entry found for group: 1011
Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN and not a domain group
Forcing Primary Group to 'Domain Users' for someid
ntlm_password_check: Checking NTLMv2 password with domain [CIN]
sam_account_ok: Checking SMB password for user someid
The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not match the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708)
check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
check_ntlm_password: Authentication for user [someid] -> [someid] FAILED with error NT_STATUS_UNSUCCESSFUL
What I see here is that the samba server does not recognize the primary group of the user (which is an existing group in the LDAP) and therefore maps the primary group to its local "Domain Users" group, which then obviously does not match the domainSID of the userid. But why doesn't the samba server recognize the group? Or is there a different underlying problem?
What I tried so far:
- Changing the SID of the samba server to the SID of the LDAP server, but net setlocalsid S-... did not change the local SID. No error message, just executed successfully, but getlocalsid returned the old SID.
- Setting the domainsid of the samba server to the SID of the ldap server. net setdomainsid S-... was successful, but the samba server still refuses to authenticate the users.
- Tried adding the server to the domain with net join XXX, but the answer was just "standalone server cannot join domain".
- I tried to run smbpasswd -a to add the user to the local samba db (even though this would not be an option for the final solution, but that's what other users recommended), but the error didn't change.
How can I either tell samba to ignore the domain SID mismatch or force samba to have the same SID as the LDAP? Or would this cause other problems if ~10 Samba Servers and the LDAP in the end all have the exact same SID?