[Samba] Samba4 binding LDAP Server
Danilo Mussolini
danilo at mdotti.com
Sun Jun 1 19:28:22 MDT 2014
Yes, maybe I'm naming that wrongly.
As Rowland said, it is a standalone server which authenticates users from
LDAP.
I have just noticed something in my tests with this file server. As
mentioned before, I have the following share:
[Test]
comment = test
path = /u01
read only = no
And /u01 folder has the following permissions:
drwxrwsr-x 5 root o2pos 4096 Jun 1 13:16 u01
I'm authenticating with the user mussolini (which is my name :)) from the
LDAP database:
[root at Nemesis ~]# id mussolini
uid=3001(mussolini) gid=3001(mussolini)
groups=3001(mussolini),3003(admins),3014(o2pos)
The authentication is done and the share Test is mounted successfully, but
even though my user is a member of the "o2pos" group, I can't write to this
folder.
So, if I change the group owner of the u01 folder to "admins" (which also
has my user as a member), I can write files and folders normally in the Test
share. Curious, isn't it?
Just as a reminder, this only happens in Samba4.
On Sun, Jun 1, 2014 at 7:10 PM, steve <steve at steve-ss.com> wrote:
> On Sun, 2014-06-01 at 21:43 +0100, Rowland Penny wrote:
> > On 01/06/14 20:29, Marc Muehlfeld wrote:
> > > Am 01.06.2014 18:11, schrieb Danilo Mussolini:
> > >> * Samba Version?
> > >> 4.1.7
> > >>
> > >> * Self compiled / Package (from where) / ...?
> > >> Self compiled
> > >>
> > >> * Do you use Winbind, or how do you get the domain users from your
> > >> LDAP server?
> > >> I don't use winbindd. Here are the LDAP settings:
> > >> passdb backend = ldapsam:"ldap://192.168.8.9 ldap://192.168.8.7"
> > >> ldap suffix = dc=o2pos,dc=com
> > >> ldap user suffix = ou=people
> > >> ldap group suffix = ou=groups
> > >> ldap machine suffix = ou=Computers
> > >> ldap idmap suffix = ou=Idmap
> > >> ldap admin dn = cn=admin,dc=o2pos,dc=com
> > >> ldap ssl = no
> > >> name resolve order = lmhosts host wins bcast
> > >> security = user
> > >>
> > >> * Please show the ACLs on the folder.
> > >> I don't use ACL because the filesystem (ZFS) still doesn't support
> > >> that on Linux.
> > >> Here is an example of the shared folder permissions:
> > >> drwxrwsr-x 4 o2pos o2pos 6 May 29 20:08 Publicidade
> > >>
> > >> * Your complete smb.conf would be helpful too.
> > >> There you go:
> > >>
> > >> [global]
> > >> server string = Samba Server Version %v
> > >> netbios name = o2pos
> > >> log file = /var/log/samba/log.%m
> > >> max log size = 50
> > >> log level = 5
> > >> load printers = no
> > >> cups options = raw
> > >>
> > >> passdb backend = ldapsam:"ldap://192.168.8.9 ldap://192.168.8.7"
> > >> ldap suffix = dc=o2pos,dc=com
> > >> ldap user suffix = ou=people
> > >> ldap group suffix = ou=groups
> > >> ldap machine suffix = ou=Computers
> > >> ldap idmap suffix = ou=Idmap
> > >> ldap admin dn = cn=admin,dc=o2pos,dc=com
> > >> ldap ssl = no
> > >> name resolve order = lmhosts host wins bcast
> > >> security = user
> > >>
> > >> [Publicidade]
> > >> comment = Publicidade
> > >> path = /Storage/Publicidade
> > >> read only = no
> > >>
> > >> [Test]
> > >> comment = test
> > >> path = /u01
> > >> read only = no
> > >>
> > >> I have a mixed environment involving MacOS, Windows and Linux clients.
> > >> So I don't need to administer the permissions from Windows. What is
> > >> important to me is the group owner, so the users in this group will
> > >> have permission to write to this share, and this also applies to the
> > >> subfolders and files. There is no need to customize or change
> > >> permissions in the share.
> > >
> > > Could it be possible that this is a standalone server or a PDC and not
> > > a Member Server (the config doesn't look like a Member Server)?
> > I agree this is not a member server, it is also not a PDC, no domain lines!
> > it can only be a standalone server.
> > The OP probably calls it a member server, but it isn't, well not in my
> > opinion.
> >
> > Rowland
>
> So it must be E, none of the above. Our money is on: 'computer of some
> sort'. How did we do?!
>
> >
> > >
> > > I sadly have no PDC with openLDAP backend in my test environment here
> > > and run a standalone with LDAP backend. So I can't give your config a
> > > short try. Sorry.
> > >
> > >
> > > The following is a working share configuration from my production
> > > (4.1.7, AD Member Server, that uses only Linux ACLs):
> > > [packages]
> > > path = /srv/samba/Packages
> > > browsable = no
> > > force create mode = 0664
> > > force directory mode = 2775
> > > guest ok = no
> > > valid users = +MUC\packages
> > > invalid users =
> > > wide links = yes
> > >
> > > Regards,
> > > Marc
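To separate what the filesystem would answer from what smbd answers, here is a small POSIX sh script (an added example for this thread, not code from the poster or from the Samba project) that evaluates the mode bits of a directory for a given user the way the kernel does: owner class if the uid matches, otherwise group class if any primary or supplementary gid matches, otherwise other, with the chosen class being final. The inputs are constructed from the `ls -ld` line for /u01 and the `id mussolini` output quoted above; the function and variable names are my own. It shows that at the POSIX level mussolini is granted write access through the group class, so the denial the poster sees is worth tracing to the group list smbd actually attaches to the session rather than to the directory mode.

```sh
#!/bin/sh
# Added example (not from the thread or from Samba): decide write access from
# POSIX mode bits exactly as the kernel does, so the filesystem-level answer
# can be compared with what smbd does for the SMB session.
#
# Limitations: ignores root / CAP_DAC_OVERRIDE and POSIX ACLs. The poster says
# the ZFS filesystem carries no ACLs, which is the case discussed here.

# groups_from_id 'uid=N(name) gid=N(name) groups=N(a),N(b)'
# Prints the names of every group listed after "groups=", space separated.
groups_from_id() {
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=//p' \
        | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/' \
        | paste -sd ' ' -
}

# user_from_id 'uid=3001(mussolini) ...'  -> mussolini
user_from_id() {
    printf '%s\n' "$1" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p'
}

# posix_can_write MODE OWNER GROUP USER "GROUP1 GROUP2 ..."
# MODE is the symbolic mode from ls -ld, e.g. drwxrwsr-x. Prints the class that
# decided the access (owner, group or other) and returns 0 when that class
# grants write, 1 when it denies. A denying class is final; the kernel never
# falls through to a more permissive one.
posix_can_write() {
    mode=$1; owner=$2; group=$3; user=$4; glist=$5
    if [ "$user" = "$owner" ]; then
        echo owner
        case $mode in ??w*) return 0 ;; *) return 1 ;; esac
    fi
    for g in $glist; do
        if [ "$g" = "$group" ]; then
            echo group
            # Group write is the 6th character. The 7th is the execute/setgid
            # slot: an 's' there (drwxrwsr-x) only makes new entries inherit
            # the directory's group; it plays no part in the write decision.
            case $mode in ?????w*) return 0 ;; *) return 1 ;; esac
        fi
    done
    echo other
    case $mode in ????????w*) return 0 ;; *) return 1 ;; esac
}

# check_write_from_listing 'LS_LD_LINE' 'ID_LINE'
# Convenience wrapper that takes an `ls -ld` line and an `id` line verbatim.
check_write_from_listing() {
    id_line=$2
    set -- $1        # split the ls -ld line: $1=mode $3=owner $4=group
    posix_can_write "$1" "$3" "$4" \
        "$(user_from_id "$id_line")" "$(groups_from_id "$id_line")"
}

# Constructed inputs, copied from the post.
LS_U01='drwxrwsr-x 5 root o2pos 4096 Jun 1 13:16 u01'
ID_MUSSOLINI='uid=3001(mussolini) gid=3001(mussolini) groups=3001(mussolini),3003(admins),3014(o2pos)'

if cls=$(check_write_from_listing "$LS_U01" "$ID_MUSSOLINI"); then
    echo "kernel would grant write to /u01 via class: $cls"
else
    echo "kernel would deny write to /u01 via class: $cls"
fi
```

If the script says the group class grants write but smbd still refuses, compare the two views of the group: `getent group o2pos` shows what NSS resolves, `net groupmap list` shows the mappings stored in the passdb, and at log level 10 smbd logs the Unix token (uid, primary gid and supplementary gids) it built for the session. If that gid list does not contain 3014, the mode bits above never get a chance to grant access, whatever `id` prints at the shell.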