Samba, LDAP and JumpCloud (again?)

[adlib]

Hello good folks!
I'm trying to get SMB with LDAP authentication working again, which for me seems to have broken since moving to 12.x.
I'm using JumpCloud LDAP which seems to be 'healthy', and running getent passwd and getent group lists all relevant users and groups. But when trying to authenticate to SMB shares, I'm getting NT_STATUS_NO_SUCH_USER. Looking at testparm -s I'm seeing:
idmap config *: range = 1000-4999 idmap config * : backend = tdb
But my user's IDs are in the 5000-11000 range, and shouldn't really originate from tdb either, right?
I'm a bit of a novice here. midclt call smb.passdb_list returns [], shouldn't it return a list of users?
How have I wrecked this? All settings have been set through the web UI.
Thanks in advance!

 

[adlib]

I'm still having trouble. No one has any input?
Please? :)

 

[anodos]

`pdbedit -L` should show your SMB users.
Make sure you have SSL enabled for your LDAP (requirement for pdb_ldap in samba).
If it's still not working run `pdbedit -L -d 5` to print debug output about what Samba doesn't like.

 

[adlib]

Thanks for the reply! I think something's wrong on this end though, because I'm getting a blank reply from pdbedit -L.
Below you can find the output for pdbedit -L -d 5:

Show : pdbedit output

# pdbedit -L -d 5
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
tevent: 5
auth_audit: 5
auth_json_audit: 5
kerberos: 5
drs_repl: 5
smb2: 5
smb2_credits: 5
dsdb_audit: 5
dsdb_json_audit: 5
dsdb_password_audit: 5
dsdb_password_json_audit: 5
dsdb_transaction_audit: 5
dsdb_transaction_json_audit: 5
dsdb_group_audit: 5
dsdb_group_json_audit: 5
lp_load_ex: refreshing parameters
Initialising global parameters
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
tevent: 5
auth_audit: 5
auth_json_audit: 5
kerberos: 5
drs_repl: 5
smb2: 5
smb2_credits: 5
dsdb_audit: 5
dsdb_json_audit: 5
dsdb_password_audit: 5
dsdb_password_json_audit: 5
dsdb_transaction_audit: 5
dsdb_transaction_json_audit: 5
dsdb_group_audit: 5
dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter dns proxy = No
doing parameter aio max threads = 2
doing parameter max log size = 5120
doing parameter load printers = No
doing parameter printing = bsd
doing parameter disable spoolss = Yes
doing parameter dos filemode = Yes
doing parameter kernel change notify = No
doing parameter directory name cache size = 0
doing parameter nsupdate command = /usr/local/bin/samba-nsupdate -g
doing parameter unix charset = UTF-8
doing parameter log level = 1, auth_audit:5
doing parameter obey pam restrictions = True
doing parameter enable web service discovery = True
doing parameter logging = file
doing parameter server min protocol = SMB2_02
doing parameter unix extensions = No
doing parameter restrict anonymous = 2
doing parameter server string = <redacted>
doing parameter create mask = 0770
doing parameter directory mask = 0771
doing parameter fruit:nfs_aces = No
doing parameter bind interfaces only = Yes
doing parameter netbios name = nas
doing parameter netbios aliases =
doing parameter server role = standalone
doing parameter workgroup = <redacted>
doing parameter idmap config *: backend = tdb
doing parameter idmap config *: range = 1000-4999
doing parameter force group = www
doing parameter force create mode = 0660
doing parameter force directory mode = 0770
doing parameter registry shares = yes
doing parameter include = registry
doing parameter registry shares = yes
process_registry_service: service name global
pm_process() returned Yes
Netbios name list:-
my_netbios_names[0]="NAS"
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to find a passdb backend to match tdbsam (tdbsam)
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
tdbsam_open: successfully opened /var/db/system/samba4/private/passdb.tdb

 

[anodos]

Doesn't look like you have proper samba configuration. Do you have the LDAP checkbox "Samba schema" checked?

 

[adlib]

My god, thanks! The GUI displayed it as checked ... but I just deselected it, saved, reselected it and saved again, and now things seem to work. Halleluja! I swear I had tried that as part of all my troubleshooting, but I guess I must've missed it.

Should I be worried about the deprecation warning? Would it require that JumpCloud fixed stuff on their end for things to continue working after samba 4.14+?

 

[anodos]

My god, thanks! The GUI displayed it as checked ... but I just deselected it, saved, reselected it and saved again, and now things seem to work. Halleluja! I swear I had tried that as part of all my troubleshooting, but I guess I must've missed it.

Should I be worried about the deprecation warning? Would it require that JumpCloud fixed stuff on their end for things to continue working after samba 4.14+?

There is no fix on the jumpcloud side. They basically need to migrate this feature into using a Samba DC (there's a script to do this). They're using a _very_ legacy way of providing SMB access. It still works in Samba 4.16 IIRC, but you are on notice that eventually the feature will be deprecated.