[Samba] Samba4 binding LDAP Server

Danilo Mussolini danilo at mdotti.com
Mon Jun 2 10:27:37 MDT 2014


On Mon, Jun 2, 2014 at 1:11 PM, Harry Jede <walk2sun at arcor.de> wrote:

> Hi Danilo,
>
> > Not supported ?  Really ?
> Like you, I am a samba user, not a samba developer. And yes, you will not
> find a description in the current samba wiki nor in the quite old "Samba
> 3 Howtos" of how to set up a standalone samba server with ldap as passwd
> backend.
>
 This is really a surprise to me, since this is a very useful and "simple"
setup. As I said before, I have several file servers like this in the
facility. So, I just want a centralised user base so I can authenticate
those users on all servers.


> > There you go:
> >
> > [root at Nemesis ~]# ldapsearch -xLLL
> > '(&(sambadomainname=*)(objectclass=sambadomain))' '*' objectclass
> > dn: sambaDomainName=O2POS,dc=o2pos,dc=com
> > sambaDomainName: O2POS
> > sambaSID: S-1-5-21-3378243240-46098705-3816341305
> > sambaAlgorithmicRidBase: 1000
> > objectClass: sambaDomain
> > sambaNextUserRid: 1000
> > sambaMinPwdLength: 5
> > sambaPwdHistoryLength: 0
> > sambaLogonToChgPwd: 0
> > sambaMaxPwdAge: -1
> > sambaMinPwdAge: 0
> > sambaLockoutDuration: 30
> > sambaLockoutObservationWindow: 30
> > sambaLockoutThreshold: 0
> > sambaForceLogoff: -1
> > sambaRefuseMachinePwdChange: 0
> >
> >
> > The LDAP server runs in a Debian Linux, and the version is:
> > $OpenLDAP: slapd 2.4.23 (Dec 16 2012 11:48:44)
> >
> >
> > Actually, now I have only Samba4 in this server. The other ones have
> > Samba Version 3.6.9-151.el6
> >
> > On Mon, Jun 2, 2014 at 12:19 PM, Harry Jede <walk2sun at arcor.de> wrote:
> > > Hi Danilo,
> > >
> > > > Yes, maybe I'm wrong naming that.
> > > > As Rowland said it is a standalone server which authenticates
> > > > users from LDAP.
> > >
> > > That is not a supported samba/ldap setup. Nevertheless I have seen
> > > this some years ago.
> > >
> > > post the output of this command, if you are using openldap:
> > > ldapsearch -xLLL '(&(sambadomainname=*)(objectclass=sambadomain))'
> > > '*' objectclass
> > >
> > > btw, what os do you use, which ldap server
> > >
> > > > I have just noticed something in my tests with this file server.
> > > > As mentioned before, I have the following share:
> > > >
> > > > [Test]
> > > > comment = test
> > > > path = /u01
> > > > read only = no
> > > >
> > > >
> > > > And /u01 folder has the following permissions:
> > > >
> > > > drwxrwsr-x    5   root    o2pos  4096 Jun  1 13:16     u01
> > > >
> > > >  I'm authenticating with the user mussolini (which is my name :))
> > > >
> > > > from the LDAP database:
> > > >
> > > > [root at Nemesis ~]# id mussolini
> > > > uid=3001(mussolini) gid=3001(mussolini)
> > > > groups=3001(mussolini),3003(admins),3014(o2pos)
> > >
> > > This is also not a supported user configuration. Very early samba 3
> > > releases had supported this. Current samba3 and samba4 do not
> > > support users and groups with identical names. Raise the
> > > loglevels in samba and in your ldap server.
> > >
> > > Please post your samba3 version: smbd -V
> > >
> > > > The authentication is done and the share Test is mounted
> > > > successfully, but even with my user being a member of the "o2pos"
> > > > group, I can't write in this folder. So, if I change the group owner
> > > > of the u01 folder to "admins" (which also has my user as a member) I
> > > > can write files and folders normally in the Test share. Curious,
> > > > isn't it?
> > >
> > > No, we simply don't know how your users and groups are set up in
> > > ldap. Post the relevant information.
> Without this information I cannot understand what is wrong in your
> setup.
>
> so post this also:
>
> grep yourname /etc/passwd
>
   None

>
> ldapsearch -xLLL '(uid=yourname)' '*' objectclass
>
> [root at Nemesis ~]# ldapsearch -xLLL '(uid=mussolini)' '*' objectclass
> dn: cn=Danilo Mussolini Candido,ou=people,dc=TI,dc=o2pos,dc=com
> sn: Candido
> givenName: Danilo Mussolini
> uid: mussolini
> dateOfBirth: 1983-07-26
> gender: M
> preferredLanguage: pt_BR
> homeDirectory: /home/mussolini
> uidNumber: 3001
> gidNumber: 3001
> gecos: Danilo Mussolini Candido
> gotoLastSystemLogin: 01.01.1970 00:00:00
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaAcctFlags: [U           ]
> sambaMungedDial: IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgA
>  CAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAQABoACA
>  ABAEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZwBGAGw
>  AYQBnAHMAMQAwMGUwMDAxMBYAAAABAEMAdAB4AEMAYQBsAGwAYgBhAGMAawASAAgAAQBDAHQAeABT
>  AGgAYQBkAG8AdwAwMTAwMDAwMCIAAAABAEMAdAB4AEsAZQB5AGIAbwBhAHIAZABMAGEAeQBvAHUAd
>  AAqAAIAAQBDAHQAeABNAGkAbgBFAG4AYwByAHkAcAB0AGkAbwBuAEwAZQB2AGUAbAAwMCAAAgABAE
>  MAdAB4AFcAbwByAGsARABpAHIAZQBjAHQAbwByAHkAMDAgAAIAAQBDAHQAeABOAFcATABvAGcAbwB
>  uAFMAZQByAHYAZQByADAwGAACAAEAQwB0AHgAVwBGAEgAbwBtAGUARABpAHIAMDAiAAIAAQBDAHQA
>  eABXAEYASABvAG0AZQBEAGkAcgBEAHIAaQB2AGUAMDAgAAIAAQBDAHQAeABXAEYAUAByAG8AZgBpA
>  GwAZQBQAGEAdABoADAwIgACAAEAQwB0AHgASQBuAGkAdABpAGEAbABQAHIAbwBnAHIAYQBtADAwIg
>  ACAAEAQwB0AHgAQwBhAGwAbABiAGEAYwBrAE4AdQBtAGIAZQByADAwKAAIAAEAQwB0AHgATQBhAHg
>  AQwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwLgAIAAEAQwB0AHgATQBhAHgARABp
>  AHMAYwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwHAAIAAEAQwB0AHgATQBhAHgAS
>  QBkAGwAZQBUAGkAbQBlADAwMDAwMDAw
> sambaPrimaryGroupSID: S-1-5-21-1016009054-1483029785-3768009975-7003
> cn: Danilo Mussolini Candido
> sambaLMPassword: 0DE56BB6E13320771D71060D896B7A46
> sambaNTPassword: 6F5ECD9BCD67A77575ABA3D68ACF3F2E
> sambaPwdLastSet: 1374792369
> sambaBadPasswordCount: 0
> sambaBadPasswordTime: 0
> userPassword:: e1NTSEF9eGNyVTc0U29CalpkSDBZVXpkTFM2WmpFaFVrMmhVRm8=
> shadowLastChange: 15911
> homePostalAddress: danilo at o2filmes.com
> sambaSID: S-1-5-21-3378243240-46098705-3816341305-7002
> sambaDomainName: O2POS
> trustModel: fullaccess
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: gosaAccount
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> objectClass: trustAccount
> loginShell: /bin/bash
> l: Sao Paulo
> st: SP
>
>
>>
> grep yourname /etc/group
> None
>


> grep o2pos /etc/group
> None
>


> ldapsearch -xLLL
> '(&(objectclass=sambagroupmapping)(|(cn=yourname)(cn=o2pos)))' '*'
> objectclass
> [root at Nemesis ~]# ldapsearch -xLLL
> '(&(objectclass=sambagroupmapping)(|(cn=mussolini)(cn=o2pos)))' '*'
> objectclass
> dn: cn=mussolini,ou=groups,dc=o2pos,dc=com
> cn: mussolini
> description: Group of user mussolini mussolini
> gidNumber: 3001
> sambaGroupType: 2
> sambaSID: S-1-5-21-1016009054-1483029785-3768009975-7003
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
>
>

> > >
> > > > Just to remember, this only happens in Samba4.
> > >
> > > Try
> > > acl group control = Yes
> > > in your share definition
> Have you tried this?
> Not yet, but actually I don't need ACL support. But I will try as soon as
> I can and let's see what happens.
>



> > >
> > >
> > > --
> > >
> > >         Harry Jede
>
> --
>
>
>         Harry Jede
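The thread asks for three pieces of LDAP state and then leaves the reader to compare them by eye: the user's uid against the group names, the SIDs on the user and group entries against the domain's sambaSID, and which groups actually carry a sambaGroupMapping. The script below, added here as an example and not code from the thread or from the Samba project, parses `ldapsearch -LLL` output (folded continuation lines and base64 `::` values included) and runs those three comparisons. The sample LDIF is constructed from the entries quoted above with password hashes and sambaMungedDial left out; the o2pos group entry (gidNumber 3014 from the `id` output, no sambaGroupMapping class) is an assumption, since the thread only shows that the sambaGroupMapping search did not return it. Function names are my own.

```python
"""Consistency checks for a Samba 3 style LDAP passdb backend, run over LDIF.

Added example, not code from the thread or from Samba. The parser is a
minimal reader for ldapsearch -LLL output: a value folded onto the next line
starts with a single space, and 'attr:: value' means the value is base64.
"""
import base64
from collections import defaultdict

# Constructed sample: entries quoted in the thread, trimmed. The o2pos group
# entry is an assumption (only its gid is visible in the thread).
SAMPLE_LDIF = """dn: sambaDomainName=O2POS,dc=o2pos,dc=com
sambaDomainName: O2POS
sambaSID: S-1-5-21-3378243240-46098705-3816341305
objectClass: sambaDomain

dn: cn=Danilo Mussolini Candido,ou=people,dc=TI,dc=o2pos,dc=com
uid: mussolini
uidNumber: 3001
gidNumber: 3001
sambaSID: S-1-5-21-3378243240-46098705-3816341305-7002
sambaPrimaryGroupSID: S-1-5-21-1016009054-1483029785-3768009975-7003
sambaDomainName: O2POS
l:: U2FvIFBhdWxv
objectClass: posixAccount
objectClass: sambaSamAccount

dn: cn=mussolini,ou=groups,dc=o2pos,dc=com
cn: mussolini
description: Group of user mussolini mus
 solini
gidNumber: 3001
sambaGroupType: 2
sambaSID: S-1-5-21-1016009054-1483029785-3768009975-7003
objectClass: posixGroup
objectClass: sambaGroupMapping

dn: cn=o2pos,ou=groups,dc=o2pos,dc=com
cn: o2pos
gidNumber: 3014
memberUid: mussolini
objectClass: posixGroup
"""


def parse_ldif(text):
    """Return a list of entries, each a dict mapping attribute -> [values]."""
    logical = []
    for raw in text.splitlines():
        # LDIF folding: a leading space continues the previous logical line.
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical:
        if not line.strip():  # blank line ends an entry
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[name].append(value)
    if current:
        entries.append(current)
    return entries


def has_class(entry, object_class):
    return object_class.lower() in {v.lower() for v in entry.get("objectClass", [])}


def domain_prefix(sid):
    """S-1-5-21-a-b-c-7002 -> S-1-5-21-a-b-c (strip the RID)."""
    return sid.rsplit("-", 1)[0]


def check_name_collisions(entries):
    """POSIX users whose uid equals a POSIX group's cn (the thread's mussolini/mussolini case)."""
    users = {e["uid"][0] for e in entries if has_class(e, "posixAccount") and "uid" in e}
    groups = {e["cn"][0] for e in entries if has_class(e, "posixGroup") and "cn" in e}
    return sorted(users & groups)


def check_sid_domains(entries):
    """SIDs whose domain part is not the sambaSID of any sambaDomain entry."""
    domain_sids = {e["sambaSID"][0] for e in entries if has_class(e, "sambaDomain")}
    foreign = []
    for e in entries:
        if has_class(e, "sambaDomain"):
            continue
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            for sid in e.get(attr, []):
                if domain_prefix(sid) not in domain_sids:
                    foreign.append((e["dn"][0], attr, sid))
    return foreign


def check_group_mapping(entries, required_groups):
    """Groups the share depends on that have no sambaGroupMapping entry."""
    mapped = {e["cn"][0] for e in entries if has_class(e, "sambaGroupMapping")}
    return sorted(set(required_groups) - mapped)


def run_checks(text, required_groups=("mussolini", "o2pos")):
    entries = parse_ldif(text)
    return {
        "name_collisions": check_name_collisions(entries),
        "foreign_sids": check_sid_domains(entries),
        "unmapped_groups": check_group_mapping(entries, required_groups),
    }


if __name__ == "__main__":
    for check, findings in run_checks(SAMPLE_LDIF).items():
        print(f"{check}: {findings}")
```

On the sample this reports the user/group name collision Harry describes, flags the two SIDs whose domain part (S-1-5-21-1016009054-...) differs from the sambaDomain's S-1-5-21-3378243240-..., and lists o2pos as unmapped. Whether those are the cause of the denied write is not something the thread settles, but they are exactly the fields a defender would want to reconcile before raising loglevels on the server.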