Samba with LDAP authentication: logons fail with SID errors
The errors look like these
Primary group S-1-5-21-xxx for user testuser is a UNKNOWN and not a domain group
Forcing Primary Group to 'Domain Users' for testuser
The primary group domain sid(S-1-5-21-xxx) does not match the domain sid(S-1-5-21-188xx ) for testuser(S-1-5-21-x)
or NT_STATUS_NO_SUCH_USER, or
check_sam_security: make_server_info_sam() failed with 'NT_STATUS_INVALID_SID'
At debug level 3 the Samba log shows the whole sequence for one failed logon:
Got user=[test666] domain=[AAA] workstation=[server-test] len1=24 len2=242
[2022/05/17 15:57:55.861027, 3] ../../source3/auth/auth.c:202(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [AAA]\[test666]@[server-test] with the new password interface
[2022/05/17 15:57:55.861064, 3] ../../source3/auth/auth.c:205(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [AAA]\[test666]@[server-test]
[2022/05/17 15:57:55.862405, 2] ../../source3/passdb/pdb_ldap.c:532(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: test666
[2022/05/17 15:57:55.865783, 2] ../../source3/passdb/pdb_ldap.c:2415(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 1000001
[2022/05/17 15:57:55.866586, 3] ../../source3/passdb/lookup_sid.c:1704(get_primary_group_sid)
Primary group S-1-5-21-1886146278-2710169434-1767538749-1000 for user test666 is a UNKNOWN and not a domain group
[2022/05/17 15:57:55.866623, 3] ../../source3/passdb/lookup_sid.c:1711(get_primary_group_sid)
Forcing Primary Group to 'Domain Users' for test666
[2022/05/17 15:57:55.867169, 1] ../../source3/auth/server_info.c:487(SamInfo3_handle_sids)
The primary group domain sid(S-1-5-21-704720473-2748480791-66770105-513) does not match the domain sid(S-1-5-21-1886146278-2710169434-1767538749) for test666(S-1-5-21-1886146278-2710169434-1767538749-1008)
[root@server-test ]# net getdomainsid
SID for domain LDAP is: S-1-5-21-2063164327-2821526992-1524058643
[root@server-test ]# net getlocalsid
SID for domain server-test is: S-1-5-21-1886146278-2710169434-1767538749
The two SIDs differ: the local machine SID stored under the NetBIOS name server-test (S-1-5-21-1886146278-2710169434-1767538749) is not the SID of the LDAP domain (S-1-5-21-2063164327-2821526992-1524058643). Without a domain-controller role in smb.conf, Samba uses the local machine SID as its own domain SID, so every account and group SID taken from LDAP fails Samba's "does this belong to our domain" check, which is what the log above reports.
pdbedit -L shows the same mismatch from the passdb side:
[root@server-test ]# pdbedit -L
added interface eth1 ip=10.18.13.41 bcast=10.18.13.255 netmask=255.255.255.0
added interface eth0 ip=10.18.13.107 bcast=10.18.13.255 netmask=255.255.255.0
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=server-test))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
smbldap_search_paged: base => [dc=ldap,dc=com], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1000]
smbldap_search_paged: search was successful
sid S-1-5-21-2063164327-2821526992-1524058643-1005 does not belong to our domain
sid S-1-5-21-2063164327-2821526992-1524058643-1006 does not belong to our domain
sid S-1-5-21-2063164327-2821526992-1524058643-1007 does not belong to our domain
sid S-1-5-21-2063164327-2821526992-1524058643-1008 does not belong to our domain
sid S-1-5-21-2063164327-2821526992-1524058643-1009 does not belong to our domain
sid S-1-5-21-2063164327-2821526992-1524058643-1010 does not belong to our domain
sid S-1-5-21-2063164327-2821526992-1524058643-1011 does not belong to our domain
sid S-1-5-21-2063164327-2821526992-1524058643-1012 does not belong to our domain
sid S-1-5-21-2063164327-2821526992-1524058643-1014 does not belong to our domain
sid S-1-5-21-2063164327-2821526992-1524058643-1019 does not belong to our domain
sid S-1-5-21-2063164327-2821526992-1524058643-1020 does not belong to our domain
So no LDAP user can log on to Samba on this host: every account's SID is rejected as belonging to another domain.
Searching suggested setting the local SID to the LDAP domain SID with net setlocalsid:
[root@server-test ]# net setlocalsid S-1-5-21-2063164327-2821526992-1524058643
But it did not take effect:
[root@server-test ]# net getlocalsid
SID for domain server-test is: S-1-5-21-1886146278-2710169434-1767538749
net setlocalsid did not change the SID. A likely reason, given the smbldap_search_domain_info lookup for sambaDomainName=server-test in the pdbedit output above: with the ldapsam backend, Samba reads the sambaDomain entry for its own domain name on startup and, if that entry's sambaSID differs from the one in secrets.tdb, resets secrets.tdb from LDAP, which undoes the net setlocalsid change. Check that entry and its sambaSID with ldapsearch before trusting the value in secrets.tdb.
The fix that worked was to add this to the [global] section of /etc/samba/smb.conf:
server role = classic backup domain controller

With a domain-controller role Samba uses the workgroup name (here LDAP) instead of the NetBIOS name as its SAM domain, so its domain SID becomes the one net getdomainsid reports (S-1-5-21-2063164327-2821526992-1524058643), the same prefix the LDAP user entries carry, and the "does not belong to our domain" errors stop. Be aware that this also makes the host announce itself as a backup domain controller for that workgroup on the network. After restarting smbd, confirm with net getdomainsid and pdbedit -L that the SIDs now agree.
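The two checks made by hand on this page (comparing net getlocalsid and net getdomainsid with the SIDs on the LDAP accounts, and seeing why the server role change makes them agree) can be scripted. The script below is an added example, not code from the original post or from Samba. The SID values and the sambaSID lines are constructed from the outputs above, and the rule that a domain-controller role switches Samba from the NetBIOS-name SID to the workgroup SID mirrors Samba's get_global_sam_name() logic; that rule is an assumption about Samba internals stated here, not something the post itself shows.

```shell
#!/bin/sh
# Added example: reproduce the "does this SID belong to our domain" check that
# Samba applies to ldapsam accounts, for a given "server role" setting.
#
# Inputs are constructed from the outputs on this page. On a live host replace
# them with the real commands:
#   net getlocalsid ; net getdomainsid ; testparm -s | grep 'server role'
#   ldapsearch -LLL -b dc=ldap,dc=com '(objectClass=sambaSamAccount)' sambaSID
LOCALSID_OUT='SID for domain server-test is: S-1-5-21-1886146278-2710169434-1767538749'
DOMAINSID_OUT='SID for domain LDAP is: S-1-5-21-2063164327-2821526992-1524058643'
USER_SIDS='sambaSID: S-1-5-21-2063164327-2821526992-1524058643-1005
sambaSID: S-1-5-21-2063164327-2821526992-1524058643-1008
sambaSID: S-1-5-21-2063164327-2821526992-1524058643-1020'

# First S-1-5-21-... token in a line of net or ldapsearch output.
sid_in() {
    printf '%s\n' "$1" | sed -n 's/.*\(S-1-5-21-[0-9][0-9-]*\).*/\1/p'
}

# Domain part of an account SID: drop the trailing RID.
domain_of() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# SID Samba treats as its own domain SID for a given "server role = ..." line.
# Assumption (Samba's get_global_sam_name()): a domain-controller role uses the
# workgroup's SID, any other role uses the SID stored under the NetBIOS name.
sam_sid_for_role() {
    case "$1" in
        *"domain controller"*) sid_in "$DOMAINSID_OUT" ;;
        *)                     sid_in "$LOCALSID_OUT" ;;
    esac
}

# Number of LDAP accounts whose SID prefix is not Samba's domain SID; each of
# these is what pdbedit -L reports as "does not belong to our domain".
foreign_user_count() {
    sam=$(sam_sid_for_role "$1")
    n=0
    while read -r attr sid; do
        [ "$attr" = "sambaSID:" ] || continue
        [ "$(domain_of "$sid")" = "$sam" ] || n=$((n + 1))
    done <<EOF
$USER_SIDS
EOF
    echo "$n"
}

# Compare the role this page started with against the role it ended with.
for role in 'server role = standalone server' \
            'server role = classic backup domain controller'; do
    printf '%-48s SAM SID %s, foreign accounts: %s\n' \
        "$role" "$(sam_sid_for_role "$role")" "$(foreign_user_count "$role")"
done
```

Run it as it is to see the standalone role reject all three constructed accounts and the backup-domain-controller role accept them; on a real host, feed it the live outputs listed in the comment and, if the count is non-zero for the role you actually run, you have the mismatch described on this page.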