[Samba] Samba4 binding LDAP Server

Danilo Mussolini danilo at mdotti.com
Sun Jun 1 19:28:22 MDT 2014


Yes, maybe I'm wrong in naming it that.
As Rowland said it is a standalone server which authenticates users from
LDAP.

I have just noticed something in my tests with this file server. As
mentioned before, I have the following share:

[Test]
comment = test
path = /u01
read only = no


And /u01 folder has the following permissions:

drwxrwsr-x    5   root    o2pos  4096 Jun  1 13:16     u01


I'm authenticating with the user mussolini (which is my name :)) from the
LDAP database:

[root at Nemesis ~]# id mussolini
uid=3001(mussolini) gid=3001(mussolini)
groups=3001(mussolini),3003(admins),3014(o2pos)

The authentication is done and the share Test is mounted successfully, but
even though my user is a member of the "o2pos" group, I can't write in this folder.
So, if I change the group owner of the u01 folder to "admins" (which also
has my user as a member), I can write files and folders normally in the Test
share. Curious, isn't it?

Just as a reminder, this only happens in Samba4.

On Sun, Jun 1, 2014 at 7:10 PM, steve <steve at steve-ss.com> wrote:

> On Sun, 2014-06-01 at 21:43 +0100, Rowland Penny wrote:
> > On 01/06/14 20:29, Marc Muehlfeld wrote:
> > > Am 01.06.2014 18:11, schrieb Danilo Mussolini:
> > >> * Samba Version?
> > >> 4.1.7
> > >>
> > >> * Self compiled / Package (from where) / ...?
> > >> Self compiled
> > >>
> > >> * Do you use Winbind or how you get the domain users from your LDAP
> server?
> > >> I don't use winbindd. Here are the LDAP settings:
> > >>      passdb backend = ldapsam:"ldap://192.168.8.9 ldap://192.168.8.7"
> > >>      ldap suffix = dc=o2pos,dc=com
> > >>      ldap user suffix = ou=people
> > >>      ldap group suffix = ou=groups
> > >>      ldap machine suffix = ou=Computers
> > >>      ldap idmap suffix = ou=Idmap
> > >>      ldap admin dn = cn=admin,dc=o2pos,dc=com
> > >>      ldap ssl = no
> > >>      name resolve order = lmhosts host wins bcast
> > >>      security = user
> > >>
> > >> * Please show the ACLs on the folder.
> > >> I don't use ACL because the filesystem (ZFS) still doesn't support
> that on
> > >> Linux.
> > >> Here is an example of the shared folder permissions:
> > >>      drwxrwsr-x 4 o2pos o2pos 6 May 29 20:08 Publicidade
> > >>
> > >> * Your complete smb.conf would be helpful too.
> > >> There you go:
> > >>
> > >> [global]
> > >>   server string = Samba Server Version %v
> > >>   netbios name = o2pos
> > >>   log file = /var/log/samba/log.%m
> > >>   max log size = 50
> > >>   log level = 5
> > >>   load printers = no
> > >>   cups options = raw
> > >>
> > >>   passdb backend = ldapsam:"ldap://192.168.8.9 ldap://192.168.8.7"
> > >>   ldap suffix = dc=o2pos,dc=com
> > >>   ldap user suffix = ou=people
> > >>   ldap group suffix = ou=groups
> > >>   ldap machine suffix = ou=Computers
> > >>   ldap idmap suffix = ou=Idmap
> > >>   ldap admin dn = cn=admin,dc=o2pos,dc=com
> > >>   ldap ssl = no
> > >>   name resolve order = lmhosts host wins bcast
> > >>   security = user
> > >>
> > >> [Publicidade]
> > >>   comment = Publicidade
> > >>   path = /Storage/Publicidade
> > >>   read only = no
> > >>
> > >> [Test]
> > >>   comment = test
> > >>   path = /u01
> > >>   read only = no
> > >>
> > >> I have a mixed environment involving MacOS, Windows and Linux
> clients. So I
> > >> don't need to administer the permissions from Windows. What is important
> to me
> > >> is the group owner, so the users in this group will have permissions
> to
> > >> write in this share, and this will be so in the subfolders and files.
> There
> > >> is no need to customize or change permissions in the share.
> > >
> > > Could it be possible that this is a standalone server or a PDC and not
> a
> > > Member Server (the config doesn't look like a Member Server).
> > I agree this is not a member server, it is also not a PDC, no domain lines!
> > it can only be a standalone server.
> > The OP probably calls it a member server, but it isn't, well not in my
> > opinion.
> >
> > Rowland
>
> So it must be E, none of the above. Our money is on: 'computer of some
> sort'. How did we do?!
>
> >
> > >
> > > I sadly have no PDC with openLDAP backend in my test environment here
> > > and run a standalone with LDAP backend. So I can't give your config a
> > > short try. Sorry.
> > >
> > >
> > > The following is a working share configuration from my production
> > > (4.1.7, AD Member Server, that uses only Linux ACLs):
> > > [packages]
> > >          path = /srv/samba/Packages
> > >          browsable = no
> > >          force create mode = 0664
> > >          force directory mode = 2775
> > >          guest ok = no
> > >          valid users = +MUC\packages
> > >          invalid users =
> > >          wide links = yes
> > >
> > >
> > >
> > >
> > >
> > > Regards,
> > > Marc
> >
>
>
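The permission puzzle in the message above, as an added example that is not part of the thread or of Samba's own code: a model of the POSIX mode-bit check and of setgid-directory group inheritance, fed with the values Danilo posted (/u01 as drwxrwsr-x root:o2pos, user mussolini with uid 3001 and groups 3001, 3003, 3014). The names `Cred`, `Inode`, `access`, `create_child` and `thread_scenario` are this example's own, and the "outsider" user is constructed for contrast. No POSIX ACLs are modelled, matching the ZFS-on-Linux setup described in the quoted mail.

```python
"""Model of the kernel's POSIX permission decision for a Samba share
directory, applied to the /u01 case from the thread.  Example code,
not taken from Samba; names and the extra 'outsider' user are invented."""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Cred:
    """Credentials as the kernel sees them (what `id` prints)."""
    uid: int
    gid: int            # primary group
    groups: frozenset   # supplementary groups (primary usually included)


@dataclass
class Inode:
    name: str
    mode: int           # st_mode: type bits + setgid + rwx bits
    uid: int
    gid: int


R, W, X = 4, 2, 1


def permission_class(cred: Cred, inode: Inode) -> str:
    """POSIX selects exactly one class: owner, else group, else other.
    The owner class wins even when the group bits would be wider."""
    if cred.uid == inode.uid:
        return "owner"
    if cred.gid == inode.gid or inode.gid in cred.groups:
        return "group"
    return "other"


def access(cred: Cred, inode: Inode, want: int) -> bool:
    """Mode-bit check only (no POSIX ACLs, as on the ZFS box in the thread)."""
    if cred.uid == 0:
        return True                         # root: CAP_DAC_OVERRIDE
    shift = {"owner": 6, "group": 3, "other": 0}[permission_class(cred, inode)]
    bits = (inode.mode >> shift) & 7
    return bits & want == want


def create_child(cred: Cred, parent: Inode, name: str, is_dir: bool,
                 requested: int = 0o777, umask: int = 0o022) -> Inode:
    """Creating an entry needs write+search on the parent.  With the setgid
    bit on the parent, the child takes the parent's group instead of the
    creator's primary gid, and a new directory keeps the setgid bit."""
    if not access(cred, parent, W | X):
        raise PermissionError(f"{name}: cannot create in {parent.name}")
    mode = requested & ~umask
    if is_dir:
        mode |= stat.S_IFDIR
        if parent.mode & stat.S_ISGID:
            mode |= stat.S_ISGID
    else:
        mode |= stat.S_IFREG
    gid = parent.gid if parent.mode & stat.S_ISGID else cred.gid
    return Inode(name, mode, cred.uid, gid)


# Values from the thread: `id mussolini` and the `ls -l` line for u01.
MUSSOLINI = Cred(uid=3001, gid=3001, groups=frozenset({3001, 3003, 3014}))
O2POS, ADMINS = 3014, 3003


def u01(group_gid: int) -> Inode:
    """/u01 as listed: drwxrwsr-x root:<group>, i.e. mode 2775."""
    return Inode("/u01", stat.S_IFDIR | stat.S_ISGID | 0o775, uid=0, gid=group_gid)


def thread_scenario() -> dict:
    """What the mode bits alone say about the two group owners tried in the mail."""
    out = {}
    for label, gid in (("o2pos", O2POS), ("admins", ADMINS)):
        parent = u01(gid)
        child = create_child(MUSSOLINI, parent, "newdir", is_dir=True)
        out[label] = {
            "class": permission_class(MUSSOLINI, parent),
            "can_write": access(MUSSOLINI, parent, W | X),
            "child_gid": child.gid,
            "child_setgid": bool(child.mode & stat.S_ISGID),
        }
    outsider = Cred(uid=4000, gid=4000, groups=frozenset({4000}))  # constructed
    out["outsider"] = access(outsider, u01(O2POS), W | X)
    return out


if __name__ == "__main__":
    for label, result in thread_scenario().items():
        print(label, result)
```

Run as is, the model returns "group" class and write access for both the o2pos and the admins owner, with new subdirectories inheriting the owning group and the setgid bit. The mode bits therefore cannot account for the difference reported above; what differs between the two cases has to be the group list smbd actually uses for the session, so that is the thing to compare against the output of `id` before changing any share or directory settings.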

