[Samba] Samba4 binding LDAP Server
Harry Jede
walk2sun at arcor.de
Mon Jun 2 10:55:37 MDT 2014
On Monday, 2 June 2014, Danilo Mussolini wrote:
> On Mon, Jun 2, 2014 at 1:11 PM, Harry Jede <walk2sun at arcor.de> wrote:
> > Hi Danilo,
> >
> > > Not supported ? Really ?
> >
> > Like you, i am a samba user not a samba developer. And yes, you
> > will not find a description in the current samba wiki nor in the
> > quite old "Samba 3 Howtos" how to setup a standalone samba server
> > with ldap as passwd backend.
>
> This is really a surprise to me, since this a very useful and
> "simple" setup. As I said before, I have several file servers like
> this in the facility. So, I just want a centralised user base so I
> can authenticate those users in all servers.
>
> > > There you go:
> > >
> > > [root at Nemesis ~]# ldapsearch -xLLL
> > > '(&(sambadomainname=*)(objectclass=sambadomain))' '*' objectclass
> > > dn: sambaDomainName=O2POS,dc=o2pos,dc=com
> > > sambaDomainName: O2POS
> > > sambaSID: S-1-5-21-3378243240-46098705-3816341305
> > > sambaAlgorithmicRidBase: 1000
> > > objectClass: sambaDomain
> > > sambaNextUserRid: 1000
> > > sambaMinPwdLength: 5
> > > sambaPwdHistoryLength: 0
> > > sambaLogonToChgPwd: 0
> > > sambaMaxPwdAge: -1
> > > sambaMinPwdAge: 0
> > > sambaLockoutDuration: 30
> > > sambaLockoutObservationWindow: 30
> > > sambaLockoutThreshold: 0
> > > sambaForceLogoff: -1
> > > sambaRefuseMachinePwdChange: 0
> > >
> > >
> > > The LDAP server runs in a Debian Linux, and the version is:
> > > $OpenLDAP: slapd 2.4.23 (Dec 16 2012 11:48:44)
> > >
> > >
> > > Actually, now I have only Samba4 in this server. The other ones
> > > have Samba Version 3.6.9-151.el6
> > >
> > > On Mon, Jun 2, 2014 at 12:19 PM, Harry Jede <walk2sun at arcor.de>
> > > wrote:
> > > > Hi Danilo,
> > > >
> > > > > Yes, maybe I'm wrong naming that.
> > > > > As Rowland said it is a standalone server which authenticates
> > > > > users from LDAP.
> > > >
> > > > That is not a supported samba/ldap setup. Nevertheless I have
> > > > seen this some years ago.
> > > >
> > > > post the output of this command, if you are using openldap:
> > > > ldapsearch -xLLL
> > > > '(&(sambadomainname=*)(objectclass=sambadomain))' '*'
> > > > objectclass
> > > >
> > > > btw, what os do you use, which ldap server
> > > >
> > > > > I have just noticed something in my tests with this file
> > > > > server. As mentioned before, I have the following share:
> > > > >
> > > > > [Test]
> > > > > comment = test
> > > > > path = /u01
> > > > > read only = no
> > > > >
> > > > >
> > > > > And /u01 folder has the following permissions:
> > > > >
> > > > > drwxrwsr-x 5 root o2pos 4096 Jun 1 13:16 u01
> > > > >
> > > > > I'm authenticating with the user mussolini (which is my name
> > > > > :))
> > > > >
> > > > > from the LDAP database:
> > > > >
> > > > > [root at Nemesis ~]# id mussolini
> > > > > uid=3001(mussolini) gid=3001(mussolini)
> > > > > groups=3001(mussolini),3003(admins),3014(o2pos)
> > > >
> > > > This is also not a supported user configuration. Very early
> > > > samba 3 releases had supported this. Current samba3 and samba4
> > > > do not support users and groups with identical names. Enhance
> > > > the loglevels in samba and in your ldap server.
> > > >
> > > > Please post your samba3 version: smbd -V
> > > >
> > > > > The authentication is done and the share Test is mounted
> > > > > successfully, but even my user been a member of "o2pos"
> > > > > group, I can't write in this folder. So, if I change the
> > > > > group owner of the u01 folder to "admins" (which also has my
> > > > > user as member) I can write files and folders normally in
> > > > > the Test share. Curious, isn't it?
> > > >
> > > > No, we simply don't know how your users and groups are set up in
> > > > ldap. Post the relevant information.
> >
> > Without this information I cannot understand what is wrong in your
> > setup.
> >
> > so post this also:
> >
> > grep yourname /etc/passwd
>
> None
>
> > ldapsearch -xLLL '(uid=yourname)' '*' objectclass
> >
>
> [root at Nemesis ~]# ldapsearch -xLLL '(uid=mussolini)' '*' objectclass
> dn: cn=Danilo Mussolini Candido,ou=people,dc=TI,dc=o2pos,dc=com
> sn: Candido
> givenName: Danilo Mussolini
> uid: mussolini
> dateOfBirth: 1983-07-26
> gender: M
> preferredLanguage: pt_BR
> homeDirectory: /home/mussolini
> uidNumber: 3001
> gidNumber: 3001
> gecos: Danilo Mussolini Candido
> gotoLastSystemLogin: 01.01.1970 00:00:00
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaAcctFlags: [U ]
> sambaMungedDial: IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgA
>  CAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC
>  AAUAAQABoACA
>  ABAEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeAB
>  DAGYAZwBGAGw
>  AYQBnAHMAMQAwMGUwMDAxMBYAAAABAEMAdAB4AEMAYQBsAGwAYgBhAGMAawASAAgA
>  AQBDAHQAeABT
>  AGgAYQBkAG8AdwAwMTAwMDAwMCIAAAABAEMAdAB4AEsAZQB5AGIAbwBhAHIAZABMA
>  GEAeQBvAHUAd
>  AAqAAIAAQBDAHQAeABNAGkAbgBFAG4AYwByAHkAcAB0AGkAbwBuAEwAZQB2AGUAbA
>  AwMCAAAgABAE
>  MAdAB4AFcAbwByAGsARABpAHIAZQBjAHQAbwByAHkAMDAgAAIAAQBDAHQAeABOAFc
>  ATABvAGcAbwB
>  uAFMAZQByAHYAZQByADAwGAACAAEAQwB0AHgAVwBGAEgAbwBtAGUARABpAHIAMDAi
>  AAIAAQBDAHQA
>  eABXAEYASABvAG0AZQBEAGkAcgBEAHIAaQB2AGUAMDAgAAIAAQBDAHQAeABXAEYAU
>  AByAG8AZgBpA
>  GwAZQBQAGEAdABoADAwIgACAAEAQwB0AHgASQBuAGkAdABpAGEAbABQAHIAbwBnAH
>  IAYQBtADAwIg
>  ACAAEAQwB0AHgAQwBhAGwAbABiAGEAYwBrAE4AdQBtAGIAZQByADAwKAAIAAEAQwB
>  0AHgATQBhAHg
>  AQwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwLgAIAAEAQwB0AHgA
>  TQBhAHgARABp
>  AHMAYwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwHAAIAAEAQwB0A
>  HgATQBhAHgAS
>  QBkAGwAZQBUAGkAbQBlADAwMDAwMDAw
> sambaPrimaryGroupSID: S-1-5-21-1016009054-1483029785-3768009975-7003
> cn: Danilo Mussolini Candido
> sambaLMPassword: 0DE56BB6E13320771D71060D896B7A46
> sambaNTPassword: 6F5ECD9BCD67A77575ABA3D68ACF3F2E
> sambaPwdLastSet: 1374792369
> sambaBadPasswordCount: 0
> sambaBadPasswordTime: 0
> userPassword:: e1NTSEF9eGNyVTc0U29CalpkSDBZVXpkTFM2WmpFaFVrMmhVRm8=
> shadowLastChange: 15911
> homePostalAddress: danilo at o2filmes.com
> sambaSID: S-1-5-21-3378243240-46098705-3816341305-7002
> sambaDomainName: O2POS
> trustModel: fullaccess
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: gosaAccount
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> objectClass: trustAccount
> loginShell: /bin/bash
> l: Sao Paulo
> st: SP
>
> > grep yourname /etc/group
>
> None
>
> > grep o2pos /etc/group
>
> None
>
> > ldapsearch -xLLL
> > '(&(objectclass=sambagroupmapping)(|(cn=yourname)(cn=o2pos)))' '*'
> > objectclass
>
> [root at Nemesis ~]# ldapsearch -xLLL
> '(&(objectclass=sambagroupmapping)(|(cn=mussolini)(cn=o2pos)))' '*'
> objectclass
> dn: cn=mussolini,ou=groups,dc=o2pos,dc=com
> cn: mussolini
> description: Group of user mussolini mussolini
> gidNumber: 3001
> sambaGroupType: 2
> sambaSID: S-1-5-21-1016009054-1483029785-3768009975-7003
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
Two errors:
1. The sid from cn=mussolini,ou=groups,dc=o2pos,dc=com does not match
your sambadomainsid. So this group is never used by your samba server.
2. No groupmapping for group o2pos. This group is ignored by samba.
> >
> > > > > Just to remember, this only happens in Samba4.
> > > >
> > > > Try
> > > > acl group control = Yes
> > > > in your share definition
> >
> > Have you tried this?
>
> Not yet, but actually I don't need ACL support. But I will try as
> soon as I can and let's see what happens.
Has nothing to do with extended ACLs.
--
Harry Jede
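The two errors Harry points out (a group whose sambaSID belongs to a different domain than the sambaDomain object, and a posixGroup with no sambaGroupMapping at all) are exactly the kind of thing an administrator can check mechanically over the same `ldapsearch -LLL` output instead of reading SIDs by eye. The script below is an added example, not code from this thread or from the Samba project: it parses LDIF, finds the sambaDomain object by name, and reports every group whose sambaSID is outside that domain or that lacks sambaGroupMapping. It also goes one step beyond the thread and applies the same domain check to each sambaSamAccount's sambaSID and sambaPrimaryGroupSID, since the user's sambaPrimaryGroupSID quoted above carries the same foreign domain prefix as the mussolini group. The sample LDIF is constructed from the entries quoted in the thread; the o2pos group is assumed to exist as a plain posixGroup (the thread shows no mapping for it) and the folded base64 description is constructed to exercise the parser.

```python
import base64
import re
import sys

# Constructed sample, trimmed from the ldapsearch -LLL output quoted in the thread.
# The o2pos entry is an assumption (a posixGroup with no sambaGroupMapping) and the
# folded "description::" value is constructed to exercise line unfolding + base64.
SAMPLE_LDIF = """\
dn: sambaDomainName=O2POS,dc=o2pos,dc=com
sambaDomainName: O2POS
sambaSID: S-1-5-21-3378243240-46098705-3816341305
objectClass: sambaDomain

dn: cn=Danilo Mussolini Candido,ou=people,dc=TI,dc=o2pos,dc=com
uid: mussolini
gidNumber: 3001
sambaSID: S-1-5-21-3378243240-46098705-3816341305-7002
sambaPrimaryGroupSID: S-1-5-21-1016009054-1483029785-3768009975-7003
objectClass: posixAccount
objectClass: sambaSamAccount

dn: cn=mussolini,ou=groups,dc=o2pos,dc=com
cn: mussolini
description:: R3JvdXAgb2YgdXNl
 ciBtdXNzb2xpbmk=
gidNumber: 3001
sambaSID: S-1-5-21-1016009054-1483029785-3768009975-7003
objectClass: posixGroup
objectClass: sambaGroupMapping

dn: cn=o2pos,ou=groups,dc=o2pos,dc=com
cn: o2pos
gidNumber: 3014
objectClass: posixGroup
"""

_ATTR_RE = re.compile(r"^([^:\s]+)(::?)\s*(.*)$")


def parse_ldif(text):
    """Parse ldapsearch -LLL output into a list of {attr_lowercase: [values]}.

    Handles folded lines (leading space), base64 values ('attr:: ...') and
    '#' comments. The dn is stored under the key 'dn' like any attribute.
    """
    lines = []
    for raw in text.splitlines():          # unfold continuation lines first
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():                # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        m = _ATTR_RE.match(line)
        if not m:
            raise ValueError("not an LDIF attribute line: %r" % line)
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def first(entry, attr):
    """First value of an attribute (case-insensitive name), or '' if absent."""
    return entry.get(attr.lower(), [""])[0]


def domain_part(sid):
    """Drop the trailing RID: 'S-1-5-21-a-b-c-7003' -> 'S-1-5-21-a-b-c'."""
    return sid.rsplit("-", 1)[0]


def check_group_mappings(entries, domain_name):
    """Return findings: groups without sambaGroupMapping, and any group or
    account SID whose domain part differs from the named sambaDomain's SID."""
    dom = next((e for e in entries
                if "sambadomain" in (oc.lower() for oc in e.get("objectclass", []))
                and first(e, "sambaDomainName").upper() == domain_name.upper()), None)
    if dom is None:
        return ["no sambaDomain object named %s" % domain_name]
    dom_sid = first(dom, "sambaSID")
    findings = []
    for e in entries:
        ocs = {oc.lower() for oc in e.get("objectclass", [])}
        dn = first(e, "dn")
        if "posixgroup" in ocs:
            if "sambagroupmapping" not in ocs:
                findings.append("%s: posixGroup without sambaGroupMapping, ignored by samba" % dn)
            elif domain_part(first(e, "sambaSID")) != dom_sid:
                findings.append("%s: sambaSID %s not in domain %s" % (dn, first(e, "sambaSID"), dom_sid))
        if "sambasamaccount" in ocs:
            for attr in ("sambaSID", "sambaPrimaryGroupSID"):
                sid = first(e, attr)
                if sid and domain_part(sid) != dom_sid:
                    findings.append("%s: %s %s not in domain %s" % (dn, attr, sid, dom_sid))
    return findings


if __name__ == "__main__":
    # Pipe real output in, e.g.:
    # ldapsearch -xLLL '(|(objectclass=sambadomain)(objectclass=posixgroup)(objectclass=sambasamaccount))' | python3 check_sids.py O2POS
    name = sys.argv[1] if len(sys.argv) > 1 else "O2POS"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for finding in check_group_mappings(parse_ldif(text), name):
        print(finding)
```

Run without input it checks the constructed sample and reports three findings: the user's sambaPrimaryGroupSID and the mussolini group's sambaSID both sit in the S-1-5-21-1016009054-... domain rather than the server's S-1-5-21-3378243240-... domain, and o2pos has no mapping at all. Only objects whose SID prefix equals the sambaDomain's sambaSID are treated as belonging to that domain, which is why a copied or stale group entry silently drops out of the user's token.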