[Samba] Samba 4.x binding to an LDAP Server as a standalone server.

Danilo Mussolini danilo at mdotti.com
Tue Jun 3 10:01:44 MDT 2014


Hi Andrew,

This is starting to be clear.
I figured out my problem was exclusively related to one group. All other
groups, or the new ones I have created worked fine. No permission issues.
So I can say this is working for me now.
But, it seems to not be the right way to work with a LDAP backend.

Thanks,

Danilo




On Tue, Jun 3, 2014 at 5:42 AM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Mon, 2014-06-02 at 18:44 +0200, Harry Jede wrote:
> > On 18:28:35 wrote steve:
> > > On Mon, 2014-06-02 at 18:11 +0200, Harry Jede wrote:
> > > > Hi Danilo,
> > > >
> > > > > Not supported ?  Really ?
> > > >
> > > > Like you, I am a samba user not a samba developer. And yes, you
> > > > will not find a description in the current samba wiki nor in the
> > > > quite old "Samba 3 Howtos" how to setup a standalone samba server
> > > > with ldap as passwd backend.
> > >
> > > Not in samba no, but openSUSE have been doing it for years:
> > > http://digiplan.eu.org/ldap-samba-howto-v4.html
> > Yes, and his samba3 is compiled by redhat? (Samba Version 3.6.9-151.el6)
> >
> > Currently we know that he is using openldap at debian. So if he sets
> > loglevel to 256 we may see which filters are used by samba and what the
> > ldap server finds.
> >
> > One will see that samba stops the evaluation if username is equal
> > groupname. A nice exercise. Sure, I have only verified this with
> > packages from sernet and debian/ubuntu. Maybe different behavior on
> > suse, redhat, aix and others.
> >
>
> The 'samba-tool domain classicupgrade' script will indeed halt if the
> username is equal to a group name.  Other aspects of the classic DC (and
> the use of that code in the standalone server case, as suggested here)
> do appear to accidentally work, which is why we had to impose such a
> strict test during classicupgrade.
>
> A lot of dubious things are permitted by that code, as it generally was
> written to be tolerant (the AD code is written to be strict).
>
> For example, only recent (and I don't know how recent) Samba versions
> refused to operate on accounts with mis-matching SIDs.  This is likewise
> often discovered only during upgrades.
>
> The only way I can see a series of independent file servers correctly
> sharing a LDAP backend is if they actually believe themselves to be
> domain controllers (even if not used that way), as that is the supported
> way to share a passdb backend.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
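The two conditions the thread describes, a user whose name equals a group name (where the classic code stops evaluating) and accounts whose SIDs do not belong to the domain, can both be checked in an LDIF export of the passdb directory before anyone runs classicupgrade. The following script is an added example and is not code from the list post or from the Samba project. It assumes the standard Samba LDAP schema classes and attributes (sambaDomain, sambaSamAccount, sambaGroupMapping, sambaSID, uid, cn), reads "mis-matching SIDs" as a sambaSID whose domain prefix differs from the sambaDomain entry's SID (that reading is an assumption), and runs on a constructed LDIF sample embedded in the file rather than real directory data.

```python
"""
Pre-flight check for a Samba classic ldapsam directory: flags user/group
name collisions and sambaSID values outside the domain SID.
Added example; the LDIF below is constructed, not taken from any real site.
"""
import re

# Shape of a domain SID (S-1-5-21-<a>-<b>-<c>); RIDs are appended as "-<n>".
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

# Constructed sample: one clean user, one user named like a group,
# one user whose SID belongs to a different domain prefix.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: EXAMPLE
sambaSID: S-1-5-21-1111-2222-3333

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
objectClass: posixAccount
uid: alice
sambaSID: S-1-5-21-1111-2222-3333-1000

dn: uid=staff,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
objectClass: posixAccount
uid: staff
sambaSID: S-1-5-21-1111-2222-3333-1002

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
objectClass: posixAccount
uid: bob
sambaSID: S-1-5-21-9999-8888-7777-1004

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: sambaGroupMapping
objectClass: posixGroup
cn: staff
sambaSID: S-1-5-21-1111-2222-3333-1003
"""


def parse_ldif(text):
    """Minimal LDIF parser: one dict {attr_lowercase: [values]} per entry.
    Folded continuation lines (leading space) are joined; base64 ('::')
    values are skipped because this check only needs plain uid/cn/sambaSID."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines() + [""]:      # trailing "" flushes last entry
        if raw.startswith(" ") and last_attr:  # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        if raw.strip() == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, sep, value = raw.partition(":")
        if not sep or value.startswith(":"):   # malformed line or base64 value
            last_attr = None
            continue
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entries


def has_class(entry, name):
    return name.lower() in (c.lower() for c in entry.get("objectclass", []))


def domain_sid(entries):
    """SID of the sambaDomain entry; every account/group RID must hang off it."""
    for e in entries:
        if has_class(e, "sambaDomain") and "sambasid" in e:
            return e["sambasid"][0]
    raise ValueError("no sambaDomain entry with a sambaSID found")


def find_name_collisions(entries):
    """Names used both as a Samba user (uid) and as a mapped group (cn)."""
    users = {e["uid"][0] for e in entries if has_class(e, "sambaSamAccount") and "uid" in e}
    groups = {e["cn"][0] for e in entries if has_class(e, "sambaGroupMapping") and "cn" in e}
    return sorted(users & groups)


def find_sid_mismatches(entries, dom_sid):
    """(dn, sambaSID) pairs whose SID is not '<domain SID>-<numeric RID>'."""
    pattern = re.compile(re.escape(dom_sid) + r"-\d+$")
    bad = []
    for e in entries:
        if not (has_class(e, "sambaSamAccount") or has_class(e, "sambaGroupMapping")):
            continue
        for sid in e.get("sambasid", []):
            if not pattern.match(sid):
                bad.append((e["dn"][0], sid))
    return bad


def check(ldif_text):
    """Run both checks; returns a dict a caller can assert on or print."""
    entries = parse_ldif(ldif_text)
    dom = domain_sid(entries)
    if not DOMAIN_SID_RE.match(dom):
        raise ValueError("sambaDomain SID %r is not a domain SID" % dom)
    return {
        "domain_sid": dom,
        "collisions": find_name_collisions(entries),
        "sid_mismatches": find_sid_mismatches(entries, dom),
    }


if __name__ == "__main__":
    report = check(SAMPLE_LDIF)
    for name in report["collisions"]:
        print("user and group share the name:", name)
    for dn, sid in report["sid_mismatches"]:
        print("SID outside domain %s: %s (%s)" % (report["domain_sid"], sid, dn))
```

Run it against a real export (for example the output of an ldapsearch over the base DN, saved as LDIF) by passing the file contents to check(); an empty collisions list and an empty sid_mismatches list are what you want to see before classicupgrade, and the OpenLDAP loglevel 256 trace mentioned in the thread then shows which filters Samba actually issues for the remaining entries.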

