[Samba] Samba domain member server using only nss ldap
Alex Domoradov
alex.hha at gmail.com
Sat Feb 25 11:14:13 MST 2012
It seems that I found a working solution. With the following smb.conf all
works as I expected.
[global]
workgroup = W3
server string = Test file server
netbios name = FS2
security = domain
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
log file = /var/log/samba/samba.log
max log size = 50000
encrypt passwords = yes
winbind enum groups = yes
winbind enum users = yes
idmap backend = ldap:"ldap://pdc.w3.lan/"
ldap idmap suffix = ou=idmap
idmap uid = 1000-500000
idmap gid = 1000-500000
idmap config W3 : backend = nss
idmap config W3 : range = 1000-500000
ldapsam:trusted = yes
ldapsam:editposix = yes
ldap suffix = dc=w3,dc=lan
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap admin dn = "cn=root,dc=w3,dc=lan"
ldap ssl = no
enable privileges = yes
os level = 8
local master = no
domain master = no
preferred master = no
domain logons = no
wins server = 192.168.210.104
dns proxy = yes
client ntlmv2 auth = yes
client plaintext auth = no
lanman auth = no
lm announce = no
deadtime = 15
display charset = utf8
unix charset = utf8
dos charset = cp866
log level = 3
host msdfs = no
[Test]
comment = Test
path = /tmp/Test/
public = yes
guest ok = no
valid users = @W3\w3-nssldap
write list = @W3\w3-nssldap
browseable = yes
force create mode = 0770
create mode = 0770
force directory mode = 0770
directory mode = 0770
create mask = 0660
directory mask = 0770
The main difference is that I removed the following line:

winbind trusted domains only = yes
# id nssldap
uid=1890(nssldap) gid=1354(w3-nssldap) groups=513(Domain
Users),1354(w3-nssldap)
# getent passwd nssldap
nssldap:x:1890:1354:System User:/home/w3u/nssldap:/bin/false
# getent group w3-nssldap
w3-nssldap:*:1354:nssldap
# wbinfo -i w3\\nssldap
W3\nssldap:*:1890:1354:nssldap:/home/W3/nssldap:/bin/false
# wbinfo --name-to-sid=nssldap
S-1-5-21-250625134-237382211-2379110221-4780 User (1)
# wbinfo --name-to-sid=w3-nssldap
S-1-5-21-250625134-237382211-2379110221-3709 Domain Group (2)
# wbinfo --sid-to-uid=S-1-5-21-250625134-237382211-2379110221-4780
1890
# wbinfo --sid-to-gid=S-1-5-21-250625134-237382211-2379110221-3709
1354
But there's one little problem. When I execute ls -la in the directory
there is a delay of about 1-2 seconds. Is it normal? The nscd daemon solves this
problem: there is no delay. Is there any solution without using nscd?
On Tue, Feb 21, 2012 at 10:13 AM, Alex Domoradov <alex.hha at gmail.com> wrote:
> Thanks, I'll try your solution
>
>
> On Mon, Feb 20, 2012 at 10:56 AM, Angel Bosch <abosch at cilma.net> wrote:
>
>> Hi,
>>
>> not sure if you solved this. I'll give my advice anyway.
>>
>>
>> If you know how to configure NSS/LDAP at system level, that is the simplest way
>> I've found to configure a member server.
>>
>> First, be sure to have everything NSS-related configured (nsswitch.conf,
>> ldap.conf) and check it with "getent passwd" and "getent group".
>>
>> Once you have that, create a machine account on the PDC and join the
>> member server (net rpc join).
>>
>> Then configure the member server as a simple file server with no reference to
>> LDAP. You don't need any LDAP setting in smb.conf, just something like:
>>
>>
>> [global]
>> workgroup = MYDOM
>> server string = %h server
>> security = DOMAIN
>> password server = mypdc.example.com
>>
>> [prova3]
>> comment = proves de membre samba
>> path = /tmp/prova3
>> read only = No
>> guest ok = Yes
>>
>>
>>
>>
>> this is the simplest way i've found to do it.
>>
>> regards,
>>
>> abosch
>>
>>
>>
>> ----- Original Message -----
>> From: "Alex Domoradov" <alex.hha at gmail.com>
>> To: samba at lists.samba.org
>> Sent: Wednesday, February 15, 2012 10:29:19 PM
>> Subject: Re: [Samba] Samba domain member server using only nss ldap
>>
>> > On a member server, the ldap backend should not be needed for user and
>> group look up. You do need some sort of idmapping for the unix level to
>> see the UID's and GID's assigned to the samba users, and use those uid's
>> and gid's to set file permissions.
>> Do I need to do idmapping via winbind or something else?
>>
>> > I haven't had much luck with member servers either. it does get trickier
>> when you have ldap used for both unix accounts and samba accounts. I
>> found it easier to configure my primary machines as domain controllers.
>> I need to use LDAP only for samba accounts, not local (unix) ones.
>>
>> > I think generally your nsswitch.conf file should include entries to allow
>> unix to retrieve uid's and gid's from winbind.
>> > passwd: files ldap winbind
>> > shadow: files ldap winbind
>> > group: files ldap winbind
>> But according to
>> http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
>> if I have one domain and all servers are members of this domain there is
>> no need to use winbind at all. Did I miss something?
>>
>> > This means that you would be able to type "getent user1" and "getent
>> MYDOMAIN\user1."
>> I don't need such a case; in my case local and domain users are always unique.
>>
>> > I think it appears you are getting group information from winbind since
>> have the "force group" entry in smb.conf.
>> It's strange. When I added force user to the share description, samba set the
>> uid of the new file from ldap.
>>
>> > You should look at the man page for idmap_nss. In theory, this should
>> let you use a local backend to store the idmap entries, and the idmap
>> system should use map the SID's to the existing unix uid and gid. Never
>> worked for me in practice.
>> I read the man page
>> http://www.samba.org/samba/docs/man/manpages-3/idmap_nss.8.html but didn't
>> get a clear understanding.
>>
>> > Alternately, you may want to manually edit the idmap entries in ldap.
>> The domain controller should have automatically created them.
>> there are 10-15 entries in the ou Idmap
>>
>
>
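Added example (not from this thread or from the Samba project): a small Python checker, run here against a constructed excerpt of the smb.conf posted at the top of this message, that flags two things a reviewer would question in it: 'ldap admin dn' combined with an explicit 'ldap ssl = no', and pairs of synonymous parameters ('public'/'guest ok', 'create mode'/'create mask') given different values in the same share, where Samba keeps whichever line comes later.

```python
import re

# Constructed excerpt of the smb.conf posted in this message (not the full file).
SAMPLE_SMB_CONF = """
[global]
ldap admin dn = "cn=root,dc=w3,dc=lan"
ldap ssl = no
[Test]
public = yes
guest ok = no
create mode = 0770
create mask = 0660
"""

# Samba parameter synonyms: both names set the same internal parameter, so when
# they appear in one section with different values the later line silently wins.
SYNONYMS = [("public", "guest ok"), ("create mode", "create mask"),
            ("directory mode", "directory mask")]

def parse_smb_conf(text):
    """Return {section: [(key, value), ...]} in file order, keys lower-cased and whitespace-collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # blank line or comment
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            key = " ".join(key.lower().split())
            sections[current].append((key, value.strip().strip('"')))
    return sections

def check_smb_conf(text):
    """Return a list of findings for settings a reviewer would question."""
    findings = []
    conf = parse_smb_conf(text)
    g = dict(conf.get("global", []))
    # An explicit 'ldap ssl = no' next to an admin bind DN sends that credential without TLS.
    if "ldap admin dn" in g and g.get("ldap ssl", "").lower() in ("no", "off"):
        findings.append("global: 'ldap admin dn' set but 'ldap ssl = no' (unencrypted admin bind)")
    for name, params in conf.items():
        d = dict(params)                           # last occurrence wins, as in Samba
        for a, b in SYNONYMS:
            if a in d and b in d and d[a].lower() != d[b].lower():
                findings.append(f"{name}: '{a} = {d[a]}' vs '{b} = {d[b]}' (synonyms; later line wins)")
    return findings
```

Run against the excerpt above it reports three findings: the cleartext admin bind, and the two share-level synonym conflicts, where the posted file ends up with 'guest ok = no' and 'create mask = 0660' in effect.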