
We have a read-only OpenLDAP server which is used for a variety of authentication services. I am currently trying to add a (standalone) Samba server to that list, which is only to be used as storage space for backups. There is no need for anything besides basic username/password authentication.

The incredibly long list of tutorials and howtos all assume a newly configured LDAP server with full access. While I have the admin credentials for the server and it already contains all the users and the populated Samba schema, the LDAP server is merely a read-only mirror.

Currently my configuration ...

# LDAP Settings
   passdb backend = ldapsam:ldap://192.168.100.11
   ldap suffix = dc=our-domain,dc=de
   ldap user suffix = ou=people
   ldap admin dn = cn=adminacc,ou=daemonadmins,dc=our-domain,dc=de
   ldap ssl = no
   ldap passwd sync = yes

...fails with:

smbd version 4.2.14-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2014
[2017/01/13 12:52:49.367065,  0] ../source3/passdb/pdb_ldap_util.c:313(smbldap_search_domain_info)
  smbldap_search_domain_info: Adding domain info for SBACKUP failed with NT_STATUS_UNSUCCESSFUL
[2017/01/13 12:52:49.367106,  0] ../source3/passdb/pdb_ldap.c:6534(pdb_ldapsam_init_common)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2017/01/13 12:52:49.367116,  0] ../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
  pdb backend ldapsam:ldap://192.168.100.11 did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)

which is of course not surprising. This server is not known to the LDAP server, and since it is read-only a new entry can't be created. I fail to understand why it is necessary to add any information about the machine in the first place. Is there a certain way smb needs to be configured to cope with read-only access to LDAP?

If I explicitly set a netbios name in my smb.conf which matches the one existing entry on the LDAP server, everything works fine. But this somewhat feels like a hack and I would prefer not to change the netbios name.


This is somewhat similar to this, which unfortunately only covers the possibility of using a read-only server and not the implementation of it.

Bowdzone

1 Answer


Samba NEEDS to be read-write on LDAP in order to add/modify machines, trust accounts and a few local users that are really necessary for a domain to work (admin, nobody, the domain admins and similar groups).

The workaround is: install an OpenLDAP on the Samba PDC, have a replicated branch (let's say: ou=people) from your master LDAP, read-only; use the glue overlay to place this branch under a read-write tree with branches ou=users (local users), ou=groups, ou=computers (self-explanatory).

ldap machine suffix = ou=computers
ldap suffix = dc=our-domain,dc=de
# do not set the following; OpenLDAP is
#  able to sort out if a user is a replicated user in 'ou=people'
#  or a local user in 'ou=users'
# ldap group suffix = ou=groups
# ldap user suffix = ou=people
473183469
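The layout the answer describes, written out as a slapd.conf for the local OpenLDAP on the Samba host. This is an added example, not configuration from the question or the answer: the schema paths, database directories, the local rootdn cn=admin, the replication identity cn=replica and the credentials placeholders are assumptions. The replicated ou=people is a syncrepl consumer in its own subordinate database; the glue overlay on the superior, read-write database makes both appear as one tree under dc=our-domain,dc=de, and ACLs keep Samba's admin identity read-only on the replica.

```conf
# slapd.conf on the Samba host (added example; paths, rootdns and
# passwords are assumptions, not values from the question or answer)
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

pidfile         /var/run/slapd/slapd.pid
modulepath      /usr/lib/ldap
moduleload      back_mdb

# 1. Subordinate database: read-only replica of ou=people pulled from the
#    existing master (192.168.100.11, as in the question's smb.conf).
database        mdb
suffix          "ou=people,dc=our-domain,dc=de"
subordinate
directory       /var/lib/ldap/people
# syncrepl applies incoming changes as this database's rootdn. It is a
# different DN from the superior's admin and has no rootpw, so nobody can
# bind as it and write into the replica by hand.
rootdn          "cn=replica,dc=our-domain,dc=de"
index           objectClass eq
index           uid,sambaSID eq
syncrepl        rid=001
                provider=ldap://192.168.100.11
                type=refreshAndPersist
                retry="60 +"
                searchbase="ou=people,dc=our-domain,dc=de"
                scope=sub
                bindmethod=simple
                binddn="cn=adminacc,ou=daemonadmins,dc=our-domain,dc=de"
                credentials=CHANGEME
# Samba's admin dn may read the hashes it needs; everything else is read-only
# for everyone, so an attempted write from Samba is refused instead of
# diverging from the master.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn.exact="cn=admin,dc=our-domain,dc=de" read
        by anonymous auth
        by * none
access to *
        by * read

# 2. Superior database: local, read-write tree that the glue overlay joins
#    with the replicated ou=people. Samba creates the sambaDomain entry for
#    its netbios name here, plus machine accounts under ou=computers and
#    local users/groups under ou=users and ou=groups.
database        mdb
suffix          "dc=our-domain,dc=de"
directory       /var/lib/ldap/local
rootdn          "cn=admin,dc=our-domain,dc=de"
rootpw          {SSHA}REPLACE-WITH-slappasswd-OUTPUT
overlay         glue
index           objectClass eq
index           uid,sambaSID,sambaDomainName eq
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn.exact="cn=admin,dc=our-domain,dc=de" write
        by self write
        by anonymous auth
        by * none
access to *
        by dn.exact="cn=admin,dc=our-domain,dc=de" write
        by * read
```

Before starting smbd, the superior database needs the root entry dc=our-domain,dc=de and the empty ou=users, ou=groups and ou=computers containers loaded with ldapadd; smbd then adds the sambaDomainName entry for SBACKUP itself, which is the step that fails against the read-only master in the question. On the Samba side, passdb backend points at the local slapd (ldapsam:ldap://127.0.0.1 or ldapsam:ldapi:///), ldap admin dn becomes cn=admin,dc=our-domain,dc=de with its password stored via smbpasswd -w, and the suffixes follow the answer's smb.conf fragment. One caveat of this split: ldap passwd sync = yes can only succeed for accounts in the local ou=users; for replicated ou=people accounts the replica's ACL rejects the write, so those password changes still have to go through the master.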