[Samba] Samba4 binding LDAP Server
walk2sun at arcor.de
Mon Jun 2 10:11:48 MDT 2014
> Not supported ? Really ?
Like you, i am a samba user not a samba developer. And yes, you will not
find a description in the current samba wiki nor in the quite old "Samba
3 Howtos" how to setup a standalone samba server with ldap as passwd
> There you go:
> [root at Nemesis ~]# ldapsearch -xLLL
> '(&(sambadomainname=*)(objectclass=sambadomain))' '*' objectclass
> dn: sambaDomainName=O2POS,dc=o2pos,dc=com
> sambaDomainName: O2POS
> sambaSID: S-1-5-21-3378243240-46098705-3816341305
> sambaAlgorithmicRidBase: 1000
> objectClass: sambaDomain
> sambaNextUserRid: 1000
> sambaMinPwdLength: 5
> sambaPwdHistoryLength: 0
> sambaLogonToChgPwd: 0
> sambaMaxPwdAge: -1
> sambaMinPwdAge: 0
> sambaLockoutDuration: 30
> sambaLockoutObservationWindow: 30
> sambaLockoutThreshold: 0
> sambaForceLogoff: -1
> sambaRefuseMachinePwdChange: 0
> The LDAP server runs in a Debian Linux, and the version is:
> $OpenLDAP: slapd 2.4.23 (Dec 16 2012 11:48:44)
> Actually, now I have only Samba4 in this server. The other ones have
> Samba Version 3.6.9-151.el6
> On Mon, Jun 2, 2014 at 12:19 PM, Harry Jede <walk2sun at arcor.de> wrote:
> > Hi Danilo,
> > > Yes, maybe I'm wrong naming that.
> > > As Rowland said it is a standalone server which authenticates
> > > users from LDAP.
> > That is not a supported samba/ldap setup. Nevertheless I have seen
> > this
> > some years ago.
> > post the output of this command, if you are using openldap:
> > ldapsearch -xLLL '(&(sambadomainname=*)(objectclass=sambadomain))'
> > '*' objectclass
> > btw, what os do you use, which ldap server
> > > I have just noticed something in my tests with this file server.
> > > As mentioned before, I have the following share:
> > >
> > > [Test]
> > > comment = test
> > > path = /u01
> > > read only = no
> > >
> > >
> > > And /u01 folder has the following permissions:
> > >
> > > drwxrwsr-x 5 root o2pos 4096 Jun 1 13:16 u01
> > >
> > > I'm authenticating with the user mussolini (which is my name :))
> > >
> > > from the LDAP database:
> > >
> > > [root at Nemesis ~]# id mussolini
> > > uid=3001(mussolini) gid=3001(mussolini)
> > > groups=3001(mussolini),3003(admins),3014(o2pos)
> > This is also not a supported user configuration. Very early samba 3
> > releases had supported this. Current samba3 and samba4 do not
> > support users and groups with identical names. Enhance the
> > loglevels in
> > samba and in your ldap server.
> > Please post your samba3 version: smbd -V
> > > The authentication is done and the share Test is mounted
> > > successfully, but even my user been a member of "o2pos" group, I
> > > can't write in this folder. So, if I change the group owner of
> > > the u01 folder to "admins" (which also has my user as member) I
> > > can write files and folders normally in the Test share. Curious
> > > , isn't it ?
> > No, we simply dont know how your users and groups are setup in
> > ldap. Post the relevant information.
Without theese informations I can not understand what is wrong in your
so post this also:
grep yourname /etc/passwd
ldapsearch -xLLL '(uid=yourname)' '*' objectclass
grep yourname /etc/group
grep o2pos /etc group
ldapsearch -xLLL '(&(objectclass=sambagroupmapping)(|(cn=yourname)(cn=o2pos)))' '*' objectclass
> > > Just to remember, this only happens in Samba4.
> > Try
> > acl group control = Yes
> > in your share definition
Have you tried this?
> > --
> > Harry Jede
More information about the samba