Adventures with Samba
Jan. 13th, 2015 08:17 pm
A little background is in order. Several years ago I set up a CentOS 5 LDAP server and two virtual machines running Openfiler 2.99. Since then the Openfiler project has gone more or less defunct and hasn't seen any significant activity in over a year. The two Openfiler machines rely on the CentOS LDAP server for authentication.
I have been working on migrating the primary fileserver over to my new Rackable 3U server running CentOS 7 and ZFS, and so far it's been an uphill battle. I thought I could cheat a bit and copy the smb.conf from the main Openfiler VM to the new machine and it would just work. Turns out there is more setup behind the scenes for Samba and LDAP to play nice than expected, plus there are features that have been changed or deprecated between Samba 3 and Samba 4.
And then there are SIDs. A SID (security identifier) is what Samba and Active Directory use to uniquely identify users, groups, and computers. It looks like S-1-5-21-XXX-YYY-ZZZ-RID: the S-1-5-21 prefix plus three numbers identifies the domain (or, for a standalone server, the machine) that issued it, and the trailing RID picks out one user, group, or computer within it. While this is spiffy, things apparently go sideways in a setup like mine, where several machines that are not domain members all authenticate against the same LDAP directory and so each has its own idea of which domain SID the accounts belong to.
"The primary group domain sid(S-1-5-21-[LOCALSID]-1236) does not match
the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708)
check_sam_security: make_server_info_sam() failed with
'NT_STATUS_UNSUCCESSFUL'
check_ntlm_password: Authentication for user [someid] -> [someid]
FAILED with error NT_STATUS_UNSUCCESSFUL "
is a rather infuriating error to receive, in part because it does not show up at Samba's default log level. Alongside it I was getting errors like "mount error(6): No such device or address" or "CIFS VFS: cifs_mount failed w/return code = -5" from Linux clients, and Windows 7 would see a list of shares but complain they did not exist when trying to connect.
What I ended up doing to resolve it was to copy the machine SID from the original Openfiler box that I created the accounts on to the machine object for the new server in my LDAP tree.
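Here is a small shell check, added for this write-up and not code from the original post or from Samba, that reproduces the comparison behind the error above: the domain part of every SID Samba gets from LDAP (the user's sambaSID and the SID of its primary group) has to match the domain SID the server is using. The SID values are constructed placeholders standing in for [LOCALSID] and [LDAPSID]; on a live box you would feed it the output of `net getlocalsid` and `net getdomainsid` together with the sambaSID attributes pulled with ldapsearch.

```shell
#!/bin/sh
# Added example, not code from the original post or from Samba: checks that
# the SIDs Samba will read from LDAP share the domain part of the SID the
# server itself is using, which is exactly the comparison behind the
# "primary group domain sid ... does not match the domain sid" error.

# Domain part of a SID: everything before the final "-RID".
# S-1-5-21-A-B-C-1236 -> S-1-5-21-A-B-C
sid_domain() {
    printf '%s\n' "${1%-*}"
}

# check_sids DOMAIN_SID SID...
# Returns 0 if every SID belongs to DOMAIN_SID, 1 otherwise, naming each
# mismatch on stderr.
check_sids() {
    domain_sid=$1
    shift
    rc=0
    for sid in "$@"; do
        if [ "$(sid_domain "$sid")" != "$domain_sid" ]; then
            echo "MISMATCH: $sid is not in domain $domain_sid" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed placeholder values standing in for [LOCALSID] and [LDAPSID].
# On a real server: LOCAL_SID from `net getlocalsid`, LDAP_SID from
# `net getdomainsid` (or the sambaSID of the sambaDomain entry in LDAP), and
# the user/group SIDs from the sambaSID attributes of their LDAP entries.
LOCAL_SID=S-1-5-21-1111111111-2222222222-3333333333
LDAP_SID=S-1-5-21-4444444444-5555555555-6666666666

# The state the error describes: the user's SID carries the LDAP domain SID,
# but the primary group SID was built from the new server's own local SID.
USER_SID=$LDAP_SID-5708
GROUP_SID_BEFORE=$LOCAL_SID-1236

# After giving the new server the original box's SID (the post did it by
# editing the machine object in LDAP; `net setlocalsid "$LDAP_SID"` is one
# command-line way to set a server's own SID), the group SID lines up.
GROUP_SID_AFTER=$LDAP_SID-1236

# Prints one line per scenario; the first line is the broken state.
report() {
    if check_sids "$LDAP_SID" "$USER_SID" "$GROUP_SID_BEFORE"; then
        echo "before fix: SIDs consistent"
    else
        echo "before fix: SID mismatch, expect NT_STATUS_UNSUCCESSFUL on login"
    fi
    if check_sids "$LDAP_SID" "$USER_SID" "$GROUP_SID_AFTER"; then
        echo "after fix: SIDs consistent"
    fi
}

report
```

Run it with `sh` and swap the placeholder values for the real ones; if the "before" line is what you see with your live SIDs, the local SID of the new server and the domain SID stored in LDAP are the thing to reconcile, not the share definitions.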
On top of this, I had to use authconfig-tui to set up LDAP on the new server, as well as add a samba config to /etc/pam.d. I was able to copy the latter from my existing Openfiler box.
Now, onward to seeing if I can get something other than access denied on my newly visible shares.