Samba as DC with LDAP authentication and one annoying error

Recently I changed a Samba installation in a production environment from the ‘classic’ file-based backend to the newer LDAP-based backend.

Following one of the many guides on the internet helped a lot; for this task I took most of my information from: https://help.ubuntu.com/community/LDAPClientAuthentication & http://raerek.blogspot.hu/2012/05/samba-pdc-on-ubuntu-1204-using-ldap_28.html

The biggest problem I faced was an error that showed up during domain login from a terminal server and prevented roaming profiles from working. The error was:
_netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client WINDOWS7 machine account WINDOWS7$

I tested a lot of options and scenarios to get rid of this error: I removed the computer account from LDAP a number of times and made sure the computer account showed up when the command getent passwd was issued, but none of it helped.

At last I started checking the SIDs in LDAP and found that they did not match the one that sudo net getlocalsid gave me.
Syncing all the SID entries manually and making sure that smbldap-tools was correctly configured solved this problem for me.
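An added check, not from the original post, that automates the comparison described above: it takes the SID that net getlocalsid reports and lists every LDAP entry whose sambaSID does not belong to that domain. The net getlocalsid output, the ldapsearch output and all SID values below are constructed samples; on a real server you would feed in the live output of those two commands.

```shell
#!/bin/sh
# Constructed sample of what `net getlocalsid` prints on the DC.
LOCAL_SID_OUTPUT='SID for domain EXAMPLE is: S-1-5-21-1111111111-2222222222-3333333333'

# Constructed sample LDIF, as if produced by:
#   ldapsearch -x -LLL -b dc=example,dc=com '(sambaSID=*)' dn sambaSID
# The machine account windows7$ deliberately carries a SID from another domain.
SAMPLE_LDIF='dn: sambaDomainName=EXAMPLE,dc=example,dc=com
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: uid=alice,ou=Users,dc=example,dc=com
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1000

dn: uid=windows7$,ou=Computers,dc=example,dc=com
sambaSID: S-1-5-21-9999999999-8888888888-7777777777-1002
'

# Extract the bare SID from the `net getlocalsid` output line.
local_sid() {
    printf '%s\n' "$1" | sed -n 's/.*is: *//p'
}

# Read LDIF on stdin and print the DN of every entry whose sambaSID is
# neither the domain SID itself nor a RID appended to that domain SID.
# Those are the entries that need to be re-synced to the local SID.
find_mismatches() {
    sid="$1"
    awk -v sid="$sid" '
        /^dn: /       { dn = substr($0, 5) }
        /^sambaSID: / {
            v = substr($0, 11)
            if (v != sid && index(v, sid "-") != 1) print dn
        }
    '
}

# Stand-alone run over the constructed samples.
printf '%s' "$SAMPLE_LDIF" | find_mismatches "$(local_sid "$LOCAL_SID_OUTPUT")"
```

Base64-encoded LDIF attributes (lines starting with sambaSID::) are not decoded here; sambaSID is plain text in practice.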