[Samba] Samba domain member server using only nss ldap

Alex Domoradov alex.hha at gmail.com
Sat Feb 25 11:14:13 MST 2012


It seems that I found a working solution. With the following smb.conf all
works as I expected

[global]

    workgroup = W3
    server string = Test file server
    netbios name = FS2
    security = domain

    load printers = no
    show add printer wizard = no
    printcap name = /dev/null
    disable spoolss = yes

    log file = /var/log/samba/samba.log
    max log size = 50000

    encrypt passwords = yes
    winbind enum groups = yes
    winbind enum users = yes

    idmap backend = ldap:"ldap://pdc.w3.lan/"
    ldap idmap suffix = ou=idmap

    idmap uid = 1000-500000
    idmap gid = 1000-500000

    idmap config W3 : backend  = nss
    idmap config W3 : range = 1000-500000

    ldapsam:trusted = yes
    ldapsam:editposix = yes

    ldap suffix = dc=w3,dc=lan
    ldap user suffix = ou=users
    ldap group suffix = ou=groups
    ldap machine suffix = ou=computers
    ldap admin dn = "cn=root,dc=w3,dc=lan"
    ldap ssl = no

    enable privileges = yes

    os level = 8
    local master = no
    domain master = no
    preferred master = no
    domain logons = no

    wins server = 192.168.210.104
    dns proxy = yes

    client ntlmv2 auth = yes
    client plaintext auth = no

    lanman auth = no
    lm announce = no

    deadtime = 15

    display charset = utf8
    unix charset = utf8
    dos charset = cp866

    log level  = 3
    host msdfs  = no

[Test]
    comment = Test
    path = /tmp/Test/
    public = yes
    guest ok = no
    valid users = @W3\w3-nssldap
    write list = @W3\w3-nssldap
    browseable = yes
    force create mode = 0770
    create mode = 0770
    force directory mode = 0770
    directory mode = 0770
    create mask = 0660
    directory mask = 0770

The main difference is that I removed the following line:

    winbind trusted domains only = yes

# id nssldap
uid=1890(nssldap) gid=1354(w3-nssldap) groups=513(Domain Users),1354(w3-nssldap)

# getent passwd nssldap
nssldap:x:1890:1354:System User:/home/w3u/nssldap:/bin/false

# getent group w3-nssldap
w3-nssldap:*:1354:nssldap

# wbinfo -i w3\\nssldap
W3\nssldap:*:1890:1354:nssldap:/home/W3/nssldap:/bin/false

# wbinfo --name-to-sid=nssldap
S-1-5-21-250625134-237382211-2379110221-4780 User (1)

# wbinfo --name-to-sid=w3-nssldap
S-1-5-21-250625134-237382211-2379110221-3709 Domain Group (2)

# wbinfo --sid-to-uid=S-1-5-21-250625134-237382211-2379110221-4780
1890

# wbinfo --sid-to-gid=S-1-5-21-250625134-237382211-2379110221-3709
1354

But there's one little problem. When I execute ls -la in the directory
there is a delay of about 1-2 seconds. Is it normal? The nscd daemon solves this
problem; with it there is no delay. Is there any solution without using nscd?



On Tue, Feb 21, 2012 at 10:13 AM, Alex Domoradov <alex.hha at gmail.com> wrote:

> Thanks, I'll try your solution
>
>
> On Mon, Feb 20, 2012 at 10:56 AM, Angel Bosch <abosch at cilma.net> wrote:
>
>> Hi,
>>
>> not sure if you solved this. I'll give my advice anyway.
>>
>>
>> If you know how to configure NSS/LDAP at system level, that is the simplest way
>> I've found to configure a member server.
>>
>> first, be sure to have all nss related configured (nsswitch.conf,
>> ldap.conf) and check it with "getent passwd" and "getent group".
>>
>> once you have that, create a machine account on the PDC and join the
>> member server (net rpc join).
>>
>> then configure member server as a simple file server with no reference to
>> LDAP. you don't need any ldap setting in smb.conf, just something like:
>>
>>
>> [global]
>>        workgroup = MYDOM
>>        server string = %h server
>>        security = DOMAIN
>>        password server = mypdc.example.com
>>
>> [prova3]
>>        comment = proves de membre samba
>>        path = /tmp/prova3
>>        read only = No
>>        guest ok = Yes
>>
>>
>>
>>
>> this is the simplest way i've found to do it.
>>
>> regards,
>>
>> abosch
>>
>>
>>
>> ----- Original Message -----
>> From: "Alex Domoradov" <alex.hha at gmail.com>
>> To: samba at lists.samba.org
>> Sent: Wednesday, February 15, 2012 10:29:19 PM
>> Subject: Re: [Samba] Samba domain member server using only nss ldap
>>
>> > On a member server, the ldap backend should not be needed for user and
>> group look up. You do need some sort of idmapping for the unix level to
>> see the UID's and GID's assigned to the samba users, and use those uid's
>> and gid's to set file permissions.
>> Do I need to do idmapping via winbind or something else?
>>
>> > I haven't had much luck with member servers either. it does get trickier
>> when you have ldap used for both unix accounts and samba accounts. I
>> found it easier to configure my primary machines as domain controllers.
>> I need to use LDAP only for samba accounts, not local (unix) ones.
>>
>> > I think generally your nsswitch.conf file should include entries to
>> allow
>> unix to retrieve uid's and gid's from winbind.
>> > passwd: files ldap winbind
>> > shadow: files ldap winbind
>> > group: files ldap winbind
>> but according to
>> http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
>> if I have one domain and all servers are members of this domain there is
>> no need to use winbind at all. Did I miss something?
>>
>> > This means that you would be able to type "getent user1" and "getent
>> MYDOMAIN\user1." I
>> I don't need such a case; in my case local and domain users are always unique.
>>
>> > I think it appears you are getting group information from winbind since
>> have the "force group" entry in smb.conf.
>> It's strange. When I added force user to the share definition, samba set
>> the uid of the new file from ldap.
>>
>> > You should look at the man page for idmap_nss. In theory, this should
>> let you use a local backend to store the idmap entries, and the idmap
>> system should map the SID's to the existing unix uid and gid. Never
>> worked for me in practice.
>> I read the man page
>> http://www.samba.org/samba/docs/man/manpages-3/idmap_nss.8.html but
>> didn't get a clear understanding.
>>
>> > Alternately, you may want to manually edit the idmap entries in ldap.
>> The domain controller should have automatically created them.
>> There are 10-15 entries in the ou idmap.
>>
>
>

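As an added example (not from this thread, and not Samba project code), the following Python script parses an smb.conf in the style of the one posted above and reports the settings a reviewer would want to look at on a domain member server: LDAP traffic without TLS while an admin DN is configured, weak authentication flags, conflicting synonym parameters such as `public` and `guest ok` set to different values in one share, and an idmap range that reaches into the system-account UID space. The sample configuration embedded in the script is a constructed excerpt modelled on the posted one; the parser and the check list are assumptions of this example, not Samba's own validation (Samba's `testparm` is the authoritative syntax check).

```python
"""Audit an smb.conf for the member-server settings discussed in the thread.

Constructed example: a small smb.conf parser plus a handful of review checks.
"""
import re
from typing import Dict, List

Config = Dict[str, Dict[str, str]]

# Parameter synonyms: Samba treats both names as the same setting, so giving
# them different values in one section is a configuration conflict.
SYNONYMS = {"public": "guest ok"}

# Constructed excerpt modelled on the configuration posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = W3
    security = domain
    idmap config W3 : backend  = nss
    idmap config W3 : range = 1000-500000
    ldap admin dn = "cn=root,dc=w3,dc=lan"
    ldap ssl = no
    client ntlmv2 auth = yes
    client plaintext auth = no
    lanman auth = no

[Test]
    path = /tmp/Test/
    public = yes
    guest ok = no
    valid users = @W3\\w3-nssldap
    create mask = 0660
"""


def parse_smb_conf(text: str) -> Config:
    """Parse smb.conf into {section: {normalized key: value}}.

    Keys are lower-cased, internal whitespace is collapsed and spaces around
    ':' are removed, so 'idmap config W3 : backend  = nss' becomes the key
    'idmap config w3:backend'. Comment lines (# or ;) are skipped.
    """
    config: Config = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip()
            config[section] = {}
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())
        key = re.sub(r"\s*:\s*", ":", key)
        config[section][key] = value.strip().strip('"')
    return config


def audit(config: Config) -> List[str]:
    """Return human-readable findings for the checks described in the lead-in."""
    findings: List[str] = []
    g = config.get("global", {})

    if g.get("ldap ssl", "").lower() == "no" and "ldap admin dn" in g:
        findings.append("global: 'ldap ssl = no' with 'ldap admin dn' set: "
                        "the LDAP bind and directory traffic are not encrypted")
    if g.get("lanman auth", "").lower() == "yes":
        findings.append("global: 'lanman auth = yes' enables weak LM authentication")
    if g.get("client plaintext auth", "").lower() == "yes":
        findings.append("global: 'client plaintext auth = yes' allows clear-text passwords")
    if g.get("client ntlmv2 auth", "").lower() == "no":
        findings.append("global: 'client ntlmv2 auth = no' permits weaker NTLM responses")

    # Check every 'idmap config <DOMAIN>:range' against the system-account UID space.
    for key, value in g.items():
        if key.startswith("idmap config ") and key.endswith(":range"):
            low, _, high = value.partition("-")
            if low.isdigit() and high.isdigit() and int(low) < 1000:
                findings.append(f"global: '{key}' starts below 1000 and can collide "
                                "with local system accounts")

    for name, share in config.items():
        if name == "global":
            continue
        for alias, canonical in SYNONYMS.items():
            if alias in share and canonical in share and \
                    share[alias].lower() != share[canonical].lower():
                findings.append(f"{name}: '{alias}' and '{canonical}' are synonyms "
                                "but are set to different values")
        if share.get("guest ok", share.get("public", "no")).lower() == "yes":
            findings.append(f"{name}: guest access is enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```

Run against the constructed sample, the script reports the unencrypted LDAP connection and the `public`/`guest ok` conflict in the Test share; the weak-authentication checks stay silent because the sample disables LM and plaintext authentication and enables NTLMv2, matching the posted configuration.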
