The Samba-Bugzilla – Bug 7954
Samba ignores "password server" in smb.conf.
Last modified: 2011-02-26 07:19:31 UTC
I have confirmed this with both the CentOS 5 v3.0.33 RPM and SerNet's v3.5.6 RPM.
I tried several values for "password server" in smb.conf (with "security = ads"), but Samba always uses an auto-detected LDAP server and ignores my specification (other changes are picked up with "service smb restart"). I need to override the port, but cannot get it to take. I have tried both real servers with port (e.g., "password server = 140.163.***.***:3268") and "password server = 127.0.0.1". But every time I check, "net ads info" shows the autotdetected LDAP server & default port 389.
[root@ananew samba]# uname -a
Linux ananew.cbio.mskcc.org 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:14 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
[root@ananew samba]# rpm -qi samba3
Name : samba3 Relocations: (not relocatable)
Version : 3.5.6 Vendor: Service Network GmbH, Goettingen
Release : 43.el5 Build Date: Thu 07 Oct 2010 04:49:39 PM EDT
Install Date: Fri 11 Feb 2011 09:39:52 AM EST Build Host: sam
Group : Productivity/Networking/Samba Source RPM: samba3-3.5.6-43.el5.src.rpm
Size : 52760655 License: GPL v3 or later
Signature : DSA/SHA1, Wed 13 Oct 2010 06:59:38 AM EDT, Key ID d9921b1cf4428b1a
Packager : SerNet Samba Team <Samba@SerNet.DE>
URL : http://www.samba.org
Summary : SerNet Samba SMB/CIFS file, print and authentication server
Samba is a suite of programs which work together to allow clients to
access Unix filespace and printers via the SMB/CIFS protocol.
[root@ananew samba]# net ads info
LDAP server: 140.163.***.***
LDAP server name: SMSKPADSM03.MSKCC.ROOT.MSKCC.ORG
Bind Path: dc=MSKCC,dc=ROOT,dc=MSKCC,dc=ORG
LDAP port: 389
Server time: Fri, 11 Feb 2011 09:59:15 EST
KDC server: 140.163.***.***
Server time offset: 0
[root@ananew samba]# grep "password server" /etc/samba/smb.conf|grep -v \#
password server = 127.0.0.1
; password server = <NT-Server-Name>
[root@ananew samba]# grep security /etc/samba/smb.conf|grep -v \#
security = ads
; security = ads
; security = user
Originally observed with the CentOS 5 RPM:
Name : samba
Arch : x86_64
Version : 3.0.33
Release : 3.29.el5_5.1
Size : 16 M
Repo : updates
Volker, would you like to comment on this one?
Sorry, I'd see this not as a major bug but as an enhancement.
I don't understand. There is a documented feature that doesn't work. Not supporting the specification (the manual page in this case) seems like a bug.
Is it just that Samba doesn't support alternate LDAP ports and never has, and the manual page writer just got carried away and made up a nonexistent feature?
For us it's major -- Samba cannot communicate with our AD system.
Sorry, but the documentation is wrong. A port option in the ADS world just does not make sense, as we have to contact several services in AD. 445, 389, 135 at least. All of them might be individually redirected.
In case you are working with Linux, you might want to try iptables DNAT rules that redirect 389 connects to another port.
Thanks, I will check out iptables DNAT, but the "password server" configuration is specifically for the LDAP service normally on port 389 -- nothing to do with the CIFS file service ports.
(In reply to comment #5)
> Thanks, I will check out iptables DNAT, but the "password server" configuration
> is specifically for the LDAP service normally on port 389 -- nothing to do with
> the CIFS file service ports.
The documentation might wrongly indicate so. Historically, "password server" predates our AD and thus LDAP support by years. it came from "security=server", which has nothing to do with LDAP at all. That is pure CIFS on port 139/445.