When I did this, I did a getlocalsid on the samba server and used that as the
prefix for all user SIDs so the sambaSID became <Domain SID>-<old Rid>

I then did a setlocalsid on the other servers wanting to use the same userbase.

As far as I could tell, the only thing samba tries to write is the SambaDomainName.

If you write it in to the master manually, samba should stop trying to add it.

dn: sambaDomainName=<Samba Domain>, dc=example,dc=com
sambaDomainName: <Samba Domain>
sambaSID: <Samba Sid>
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextRid: 1104

I don't use the RidBase or NextRid as users and machines have these assigned outside of samba.


Hope this helps.

Cheers,
         Duncan
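An added example (not Duncan's or the Samba project's code) of the scheme in the reply above: build each user's sambaSID as <Domain SID>-<old RID>, rewrite an ldapsam_compat entry into sambaSamAccount form, and emit the sambaDomain entry to load into the master by hand. The domain SID, the old-to-new attribute mapping, and the sample entry are constructed assumptions.

```python
import re
# Constructed value; the real one comes from `net getlocalsid` on the master.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# Old sambaAccount -> sambaSamAccount attribute names (assumed mapping from the
# Samba 3 schema); rid/primaryGroupID become full SIDs, so they are handled apart.
RENAMES = {
    "lmPassword": "sambaLMPassword",
    "ntPassword": "sambaNTPassword",
    "pwdLastSet": "sambaPwdLastSet",
    "acctFlags": "sambaAcctFlags",
}

def is_valid_sid(sid):
    """Structural check: S-1-<authority>-<subauth>[-<subauth>...], decimal
    fields, revision 1, at least one sub-authority, each sub-authority 32-bit."""
    if not SID_RE.match(sid):
        return False
    return all(int(p) <= 0xFFFFFFFF for p in sid.split("-")[3:])

def user_sid(domain_sid, rid):
    """sambaSID = <Domain SID>-<old RID>, the prefixing scheme described above."""
    if not is_valid_sid(domain_sid):
        raise ValueError("invalid domain SID: %s" % domain_sid)
    return "%s-%d" % (domain_sid, int(rid))

def convert_entry(entry, domain_sid):
    """Rewrite one ldapsam_compat entry (attr -> value) into sambaSamAccount form."""
    out = {}
    for attr, value in entry.items():
        if attr in ("rid", "primaryGroupID"):
            new = "sambaSID" if attr == "rid" else "sambaPrimaryGroupSID"
            out[new] = user_sid(domain_sid, value)
        elif attr == "objectClass":
            out[attr] = ["sambaSamAccount" if c == "sambaAccount" else c for c in value]
        else:
            out[RENAMES.get(attr, attr)] = value
    return out

def domain_ldif(domain_name, domain_sid, base_dn, rid_base=1000, next_rid=1104):
    """The sambaDomain entry to add to the master manually, as in the reply above."""
    return "\n".join([
        "dn: sambaDomainName=%s,%s" % (domain_name, base_dn),
        "sambaDomainName: %s" % domain_name,
        "sambaSID: %s" % domain_sid,
        "sambaAlgorithmicRidBase: %d" % rid_base,
        "objectClass: sambaDomain",
        "sambaNextRid: %d" % next_rid,
    ])
```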


Peter Daum wrote:
To answer my own question: No, it doesn't work like this!
Samba complained about any SID I tried as being invalid.
(Unfortunately, I couldn't find any hint about what constitutes
a "valid" SID). Furthermore, it seems like when using the samba3
ldap_sam backend, samba wants to write all kinds of stuff into
the ldap directory (which does not work because the directory is
replicated and samba only has access to a read-only copy. For many
reasons, I also don't want samba to be able to write the LDAP
directory).

Is it possible at all to use the Samba3 ldapsam backend with this
setup? (With Samba2 it worked without any problem, starting with
Samba3 the focus of Samba shifted obviously mostly towards being as
windows-like as possible; right now I am using Samba 3.0.23b).

I am trying to keep out everything that only makes sense within a pure
windows domain controller based network - all I want is a bunch of
samba servers using a shared account database. The clients don't do
domain logons but just connect to single servers, which should consider
all users with a valid unix account as local users and authenticate based
on the lm/nt password hashes stored in the ldap directory.

Any help is appreciated,

Regards,
                 Peter Daum


Peter Daum wrote:
I maintain a heterogeneous network with a shared LDAP account database.
The user accounts have globally unique user names, UIDs and RIDs.
Some, but not all, accounts are valid on all machines, but there is no
need for samba to care about this, because there simply won't be a
unix account for invalid users. There are no MS servers involved, and
because every samba server has the same user account base and does its
own authentication, there is no need for winbind.

The samba servers currently still use the old samba2-compatible
ldapsam_compat passdb backend which I eventually want to migrate to the
current sambaSamAccount. While most attributes just changed their names,
which shouldn't make much difference, I am a little uncertain
how to handle the new sambaSID attribute without breaking my setup:

Would it work to just put a dummy domain with SID "S-1-0-0" in the
directory and use this as a prefix for all the user SIDs?
Currently, every server has its own SID (which is created by Samba,
so far there was no reason to worry about this), but with the new
LDAP schema, I am afraid that Samba might not accept such an account
as a valid local account ...

Any recommendations?

Regards,
                   Peter Daum



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
