[Samba] Samba4 binding LDAP Server

Danilo Mussolini danilo at mdotti.com
Tue Jun 3 09:46:12 MDT 2014


Hi guys,
First of all, thanks for all thoughts and support in this topic.

Just to clarify some things:

My LDAP server is a Debian 6.0.7 server. This guy is not a fileserver, I
built it only to run the LDAP database. After this discussion, I'm not sure
if this is the right approach.

I have exactly 5 standalone file servers running CentOS 6.4 and Samba
3.6.9-151.el6. And as I said before, these servers authenticate users from
the LDAP database mentioned above, so every user created in the LDAP
database can authenticate in any of these file servers if allowed, to
access files through Samba. Just to remember, I have a mixed environment,
the clients run Windows, Linux and MacOS.
Now, I'm setting up a brand new server running CentOS6.5 and Samba 4.1.7.
The main reason for the Samba4 implementation is the performance. In my
tests I had a huge performance improvement with Samba4 compared to Samba3
in the same server. So, I took the smb.conf file from one of the Samba3
servers as a model, made some share changes and after the smbpasswd -W, I
could authenticate LDAP users in this new server.

Everything was ok but the group permission issue, which was the main reason
I wrote to this list.
I have an LDAP user which is a member of two LDAP groups ("o2pos" and
"admins" groups). When I set write permissions on the share to one of the
groups (group "o2pos") I couldn't write to this share. But if I change the
permissions allowing write to the other group (group "admins"), the write
was allowed as it should. The curious thing is, all other servers running Samba3
are working fine with permissions set to the group "o2pos". But in Samba4
it wasn't working.


So now, some things about my last tests yesterday:

I figured out that the problem was only with the group "o2pos". I created
two new groups (eng and test) and put the same user (mussolini) as a member
of both, so this user now is member of "o2pos", "eng" and "test" groups.
Just for simple tests, I set the share group owner as "eng" with write
permissions and I could write in the share. Changed the group owner to
"test" with write permissions as well, also worked. And then, when I set
back the group owner "o2pos", I couldn't write!
Maybe this is happening because the SIDs are not matching, as Harry
mentioned before. I still didn't touch the SIDs, maybe I'll do that
today, recreating the groups and reorganising the stuff.

Does all of this make sense?


So, after that, this is going to work as I would like! But after all the
discussion here, working with a standalone LDAP database to authenticate
standalone Samba servers (without a DC) seems not to be the right way to
work. Should I care about that?


If something I wrote here is not clear, please, let me know.


Thanks
On Tue, Jun 3, 2014 at 7:57 AM, Harry Jede <walk2sun at arcor.de> wrote:

> Hi steve,
>
> > On Mon, 2014-06-02 at 21:14 +0200, Harry Jede wrote:
> > > On 20:57:58 wrote steve:
> > > > On Mon, 2014-06-02 at 20:05 +0200, Harry Jede wrote:
> > > > > On 19:41:51 wrote steve:
> > > > > > On Mon, 2014-06-02 at 18:55 +0200, Harry Jede wrote:
> > > > > > > Am Montag, 2. Juni 2014 schrieb Danilo Mussolini:
> > > > > > >
> > > > > > > Two errors:
> > > > > > > 1. The sid from cn=mussolini,ou=groups,dc=o2pos,dc=com does
> > > > > > > not match your sambadomainsid. So this group is never used
> > > > > > > by your samba server.
> > > > > > >
> > > > > > > 2. No groupmapping for group o2pos. This group is ignored
> > > > > > > by samba.
> > > > > > >
> > > > > > > > > > > > Just to remember, this only happens in Samba4.
> > > > > >
> > > > > > Are you sure that this is the same db as you used for samba3?
> > > > > > e.g. before any upgrade?
> > > > >
> > > > > What upgrade? He is using samba in classic mode. No need to
> > > > > upgrade schema.
> > > >
> > > > Eh? Who said anything about schema?
> > >
> > > You are asking about the db. What db?
> > >
> > > > >  In classic mode one *must* use samba3 schema. AD schema is
> > > > >
> > > > > unknown, no support for rfc2307bis, member/uniqueMember just
> > > > > memberUid, and so on...
> > > >
> > > > How about the supposition that the OP upgraded to Samba4? We use
> > > > the term upgrade to mean moving from one version to another. As
> > > > Samba 3 is no longer developed, we consider it an upgrade to
> > > > move to Samba 4. Maybe you do not?
> > >
> > > I believe we are meaning the same. Just to clarify:
> > > An upgrade from samba 3.5.x to 3.6.y to 4.1.z is just an update of
> > > the software. In theory nothing has changed, in practice there are
> > > a lot of changes in code and some changes in default settings.
> > >
> > > But an upgrade is not a change from "classical samba" to "AD based
> > > samba".
> >
> > OK, fine. We'll adopt that meaning then. But we're digressing.
> Ok, let us focus on his problem.
>
> > The OP
> > has done an update of a working samba3 system.
> Yes and no. No, because I assume he has not updated a system. He
> installed samba on an other PC, with debian in this case.
>
> > We do not know what he
> > has upgraded nor how, but he describes it as Samba4.
> I assume he is using Debians samba 4.1.x from backports.
>
> > It is clear from
> > his smb.conf that he has no intention of upgrading.
> I assume he has copied the smb.conf from the old system to the new one.
>
> > His issue
> > remains: why did it work with Samba3 but not with Samba4.
> It is not a case of the samba version. This will always happen.
>
> His mistake:
> He installed the new box with wheezy and samba4. At this point the
> postinst script from the package configures a default smb.conf and
> starts samba.
>
> When samba starts the first time, the tdb files are filled up with some
> default settings. This is required. Important is, that a new SID was
> created.
>
> After this is done, he shut down samba, copied the smb.conf from the old
> system, restarted samba.
>
> And now the samba setup is broken. The SIDs are different. Old SID in
> the LDAP DB, new SID in local TDB.
>
> He may try this on the new debian system:
>
> net setdomainsid S-1-5-21-1016009054-1483029785-3768009975
> and
> net setlocalsid S-1-5-21-1016009054-1483029785-3768009975
>
> even if this setup declares no domain. After a samba restart it may
> work. I don't know if the ldap entry will be written, but I am sure the
> secrets.tdb gets updated. He may verify the ldap with a search filter I
> have already posted.
>
> And now a way to circumvent this mistake:
> One should copy the smb.conf from the old system to the new system,
> before installing the samba package :-) .
>
> > I don't
> > know because I do not have enough information.
> He has posted all relevant information, some only to my private address.
> But I have posted all answers back to the list.
> Ok, some info I have requested was not posted right away, because of a
> copy and paste error. But he did it one mail later.
>
> > HTH
> > Steve
>
>
> --
>
> Regards
>
>         Harry Jede
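A small check for the mismatch Harry describes (group SIDs in LDAP whose domain part differs from the SID Samba uses locally, so the group is silently ignored). This is an added example, not code from the thread or from Samba; the LDIF input and the o2pos SID are constructed inline so it runs offline, and the domain SID is the one quoted in the thread.

```shell
#!/bin/sh
# Added example: verify that every group SID stored in LDAP carries the
# domain SID this Samba host actually uses. A group whose sambaSID has a
# different domain part never grants share permissions because Samba
# ignores it, which is the o2pos symptom discussed in the thread.
#
# On a real host the two inputs would come from
#   net getlocalsid            (the SID held in secrets.tdb)
#   ldapsearch -x -LLL -b ou=groups,dc=o2pos,dc=com \
#       '(objectClass=sambaGroupMapping)' sambaSID
# Here both are constructed inline so the script runs stand-alone.

# Domain SID quoted in the thread.
DOMAIN_SID="S-1-5-21-1016009054-1483029785-3768009975"

# Constructed LDIF: o2pos carries a SID from a different domain (mismatch),
# admins carries the correct domain SID followed by its RID.
SAMPLE_LDIF='dn: cn=o2pos,ou=groups,dc=o2pos,dc=com
sambaSID: S-1-5-21-999999999-888888888-777777777-1001

dn: cn=admins,ou=groups,dc=o2pos,dc=com
sambaSID: S-1-5-21-1016009054-1483029785-3768009975-1005'

# Strip the trailing RID from a SID, leaving only the domain part.
sid_domain_part() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# Print one line per group (OK or MISMATCH); exit status 1 if any mismatch.
check_group_sids() {
    domain_sid=$1
    ldif=$2
    printf '%s\n' "$ldif" | awk -v dom="$domain_sid" '
        BEGIN         { bad = 0 }
        /^dn: /       { dn = $2 }
        /^sambaSID: / {
            sid = $2
            sub(/-[0-9]+$/, "", sid)      # drop the RID
            if (sid == dom) print "OK " dn
            else { print "MISMATCH " dn " " $2; bad = 1 }
        }
        END { exit bad }'
}

check_group_sids "$DOMAIN_SID" "$SAMPLE_LDIF" \
    || echo "some groups will be ignored by Samba until their SIDs are fixed"
```

A mismatch reported here is what `net setdomainsid` / `net setlocalsid` (as Harry suggests) or recreating the groups would resolve.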
