[Samba] Samba4 binding LDAP Server

steve steve at steve-ss.com
Mon Jun 2 10:17:14 MDT 2014


On Mon, 2014-06-02 at 17:35 +0200, Harry Jede wrote:
> On 17:22:36 wrote steve:
> > On Mon, 2014-06-02 at 15:36 +0100, Rowland Penny wrote:
> > > On 02/06/14 15:22, Danilo Mussolini wrote:
> > > > No, for sure they aren't. This user and groups only exist in the
> > > > LDAP database.
> > > 
> > > Then this could well be your problem, It has been sometime since I
> > > worked with a samba3 server (and this is what you have, even if you
> > > are using Samba4) and I seem to remember that all LDAP users also
> > > had to be Unix users. Without LDAP users also being Unix users,
> > > the underlying Unix system did not know who the LDAP users &
> > > groups were.
> > 
> > Hi
> > But group information can be stored in ldap too. So long as ldap is
> > specified as a nss option and ldap is running, user and group
> > information can equally well come from there. e.g. /etc/nsswitch.conf
> > could contain:
> > passwd: files ldap
> > group: files ldap
> > Neither the user nor the group should exist in both /etc/(passwd OR
> > group) and ldap, and the user uid:gid pair must not coincide with any
> > local user.
> Replace "must not" with "should not" and you are right.
> 
> It is possible and supported by nss and pam to have users AND groups in 
> local and remote databases. Example:
> setup root user in both databases with different passwords. Switch from 
> runlevel 1 to 3 or 5 and see which password is used.

As we have systemd we're not allowed to say runlevel, but I'll guess:
the root who has his entry first in nsswitch.conf.
> 
> > As with AD, ldap schemas can specify group memberships
> > too. e.g. rfc2307bis has member from posixGroup and memberOf from
> > posixAccount.
> OP is not using AD.
> I am pretty sure he is not using MS incarnation of rfc2307bis. But we may 
> know this, if he is posting a group definition from his ldap server. 
> Otherwise it is just an oracle at a sun(ny) day.
> 
Could the OP post the DN for a group and for a user, with the private
stuff taken out first? The output of the commands from earlier would also
be interesting.
Cheers,
Steve
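Added example, not part of this thread or of Samba: a small audit script for the two conditions discussed above, whether a user or group exists in both the local files and LDAP, and whether a uid:gid pair from LDAP coincides with a local one, plus an emulation of which entry wins for a given nsswitch.conf order. The passwd, group and nsswitch data are constructed sample lines embedded inline (they are not from the OP's server), so the script runs offline; on a real host you would feed it `getent passwd -s files` / `getent passwd -s ldap` output instead.

```python
"""Audit local-vs-LDAP uid/gid collisions and emulate nsswitch lookup order.

Added example for the Samba thread above; all data below is constructed."""

# Constructed sample: local /etc/passwd and /etc/group content.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
steve:x:1000:1000:Steve:/home/steve:/bin/bash
"""
LOCAL_GROUP = """\
root:x:0:
users:x:100:
steve:x:1000:
"""
# Constructed sample of what the ldap NSS source might return for
# accounts that exist only in the LDAP database.
LDAP_PASSWD = """\
root:x:0:0:LDAP root:/root:/bin/bash
danilo:x:1000:513:Danilo:/home/danilo:/bin/bash
alice:x:20001:513:Alice:/home/alice:/bin/bash
"""
LDAP_GROUP = """\
domusers:x:513:danilo,alice
eng:x:1000:alice
"""
# Constructed nsswitch.conf fragment, same order as in the thread.
NSSWITCH = """\
passwd: files ldap
group:  files ldap
"""


def _records(text, nfields):
    """Yield colon-split records, skipping blanks/comments, checking arity."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"malformed line: {line!r}")
        yield fields


def parse_passwd(text):
    """Return {name: (uid, gid)} from passwd(5)-format lines."""
    return {f[0]: (int(f[2]), int(f[3])) for f in _records(text, 7)}


def parse_group(text):
    """Return {name: gid} from group(5)-format lines."""
    return {f[0]: int(f[2]) for f in _records(text, 4)}


def parse_nsswitch(text):
    """Return {database: [source, ...]} in the order nsswitch.conf lists them."""
    order = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            db, _, sources = line.partition(":")
            order[db.strip()] = sources.split()
    return order


def find_collisions(local, remote, id_of):
    """Return (names present in both, [(id, local_name, remote_name), ...]
    where the same numeric id is used under different names)."""
    by_name = sorted(set(local) & set(remote))
    remote_ids = {}
    for name, entry in remote.items():
        remote_ids.setdefault(id_of(entry), []).append(name)
    by_id = sorted(
        (id_of(entry), name, other)
        for name, entry in local.items()
        for other in remote_ids.get(id_of(entry), [])
        if other != name
    )
    return by_name, by_id


def resolve(name, sources, databases):
    """Emulate an NSS lookup: first source in nsswitch order that knows the
    name wins, which is why a duplicate root is answered by 'files' here."""
    for src in sources:
        if name in databases.get(src, {}):
            return src, databases[src][name]
    return None


def audit(nsswitch=NSSWITCH):
    """Run the checks over the constructed data and return a report dict."""
    order = parse_nsswitch(nsswitch)
    passwd = {"files": parse_passwd(LOCAL_PASSWD), "ldap": parse_passwd(LDAP_PASSWD)}
    group = {"files": parse_group(LOCAL_GROUP), "ldap": parse_group(LDAP_GROUP)}
    return {
        "passwd": find_collisions(passwd["files"], passwd["ldap"], lambda e: e[0]),
        "group": find_collisions(group["files"], group["ldap"], lambda g: g),
        "root_wins": resolve("root", order["passwd"], passwd),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

With the sample data the report flags `root` as defined in both sources, `steve` (local uid 1000) clashing with `danilo` (LDAP uid 1000), and local group `steve` clashing with LDAP group `eng` on gid 1000; swapping the nsswitch order to `ldap files` makes the LDAP root entry the one returned, which is the point of the runlevel experiment Harry describes.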