Thread: How can I check the sambaSID of the storage

  1. #1

    How can I check the sambaSID of the storage

    Hello,

    We use an external LDAP server without Samba for users and groups.
    But we are not able to connect to our shares from our Win 7 clients.
    To solve this we need the sambaSID of the storage to set the correct user sambaSID.
    How can we check the sambaSID?

    Thanks.

  2. #2

    This should help (sections 4 & 5):
    http://kb.open-e.com/afile/852/82/

  3. #3

    Thanks a lot for the fast response.

    I know this paper, but it does not really help, or I do not understand the step in section 2.
    I have a structure similar to the described structure.
    But it is not possible to put an entry like
    dn: sambaDomainName=xxx,dc=server,dc=com
    in LDAP,
    because it is not an LDAP conformal map.
    When I do that I get

    warning: no attributes to add (entry="sambaDomainName=xxx,dc=xxx,dc=xx")
    adding new entry "sambaDomainName=xxx,dc=xxx,dc=xx"
    ldapadd: Protocol error (2)
    additional info: no attributes provided

    Any suggestion?

  4. #4

    Try to add the Samba Group Mapping and Samba Account.
    After that, add the user/group to the share.


    For External LDAP, the following link will be useful for you:
    http://kb.open-e.com/file/82/

  5. #5

    Not sure if I understand this.

    As an entry in the DIT
    dn: cn=sambaGroup;ou=group;.....

    or as an entry to the test user
    objectClass: sambaGroupMapping

    I think you mean the first one, or not?

    thanks

  6. #6

    Ok,

    I tried it with objectclass sambaGroupMapping and get
    adding new entry "uid=test,ou=people,dc=xxx,dc=xx"
    ldapadd: Object class violation (65)
    additional info: object class 'sambaGroupMapping' requires attribute 'sambaSID'

    and that's what I am searching for!

    I tried it with objectclass sambaAccount and get
    adding new entry "uid=test,ou=people,dc=xxx,dc=xx"
    ldapadd: Invalid syntax (21)
    additional info: objectClass: value #2 invalid per syntax

    Value #2 is the objectclass sambaAccount.

    This should normally work.
    I do not know why I am getting an Invalid syntax error.
    Objectclass sambaAccount has only uid and rid as MUST attributes and is AUXILIARY.
    I have posted it to the openldap-technical list.
    Hope they know what's going wrong.

    I also tried out remote console access and API configuration.
    But both terminals have a limited command set.
    Nothing like net getlocalsid / getdomainsid.
    Access from outside with the commands also won't work.

    Can't fetch domain SID for name: xxx.xxx.xx.xx


    Any other suggestions?
    Thanks

  7. #7
    Pi-L Guest

    yes, one

    ldapsearch -x -h DSS_IP -b dc=server,dc=nas -D cn=admin,dc=server,dc=nas -w secret | grep sambaSID

  8. #8

    Thanks for the fast reply,

    I ran the command with my base and got
    ldap_bind: Invalid credentials (49)

    then ran the command exactly how you wrote it and got
    sambaSID: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-1203

    At first I thought: great, that's it.
    But then I realized I know this SID.
    So I ran net getlocalsid on my LDAP server and got exactly the same SID but without -1203.

    Now I am a little confused.

    Any explanation for this?
    Thanks

  9. #9

    @Pi-L

    Sorry for the late response.
    But my system is in full productivity.
    So I have to wait for the right moment to test your tip.

    Now I get the right sambaSID.

    How:

    stop my ldap server.
    set authentication to internal ldap.
    shutdown the storage
    plugging to another eth interface
    start storage to negotiate a new sid in network
    create a user in internal ldap
    run ldapsearch command

    ldapsearch -x -h DSS_IP -b dc=server,dc=nas -D cn=admin,dc=server,dc=nas -w secret objectclass=*

    copy user entries
    correct entries for my ldap
    correct sid: user_sid = domain_sid+rid / rid=2*uid + 1000
    put sambaDomain objectclass entry in my ldap
    put user in my ldap
    set authentication to external ldap.
    add user to users share access
    and can access my shares.

    Last question, to the moderators:
    how do I mark this thread as solved?

    thanks
    marshauzer
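
Added example, not part of the original thread or of Open-E's documentation: a shell sketch of the SID arithmetic from post #9 (user_sid = domain_sid + rid, rid = 2*uid + 1000) that emits LDIF for the sambaDomain entry and one user. The domain SID, the domain name EXAMPLE and uid number 500 are constructed placeholders; the base DN and ou=people follow the thread, and the user entry is assumed to exist already.

```shell
#!/bin/sh
# Added example; every SID, name and uid number here is a constructed placeholder.

# A user SID is the domain SID plus one trailing RID: split the two apart.
sid_domain() { printf '%s\n' "${1%-*}"; }
sid_rid()    { printf '%s\n' "${1##*-}"; }

# Accept only a domain SID of the form S-1-5-21-x-y-z (no trailing RID).
is_domain_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21(-[0-9]+){3}$'
}

# RID rule quoted in the thread: rid = 2*uid + 1000
user_rid() { echo $(( 2 * $1 + 1000 )); }

# user_sid = domain_sid + "-" + rid; reject malformed input instead of guessing.
user_sid() {
    is_domain_sid "$1" || { echo "bad domain SID: $1" >&2; return 1; }
    case $2 in ''|*[!0-9]*) echo "bad uid number: $2" >&2; return 1;; esac
    printf '%s-%s\n' "$1" "$(user_rid "$2")"
}

# Emit the sambaDomain entry (with its required attributes) and the Samba
# attributes for one existing user under ou=people.
# Args: domain_sid domain_name base_dn uid_name uid_number
make_ldif() {
    sid=$(user_sid "$1" "$5") || return 1
    cat <<EOF
dn: sambaDomainName=$2,$3
changetype: add
objectClass: sambaDomain
sambaDomainName: $2
sambaSID: $1

dn: uid=$4,ou=people,$3
changetype: modify
add: objectClass
objectClass: sambaSamAccount
-
add: sambaSID
sambaSID: $sid
EOF
}

make_ldif S-1-5-21-1111111111-2222222222-3333333333 EXAMPLE dc=server,dc=nas test 500
```

The first record carries attributes alongside the DN, which is what the DN-only entry in post #3 lacked; sid_domain and sid_rid show how a value such as the one in post #8 separates into a domain SID and a trailing RID.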
