[Samba] Samba4 binding LDAP Server

Andrew Bartlett abartlet at samba.org
Sat Jun 7 02:49:04 MDT 2014

On Tue, 2014-06-03 at 12:46 -0300, Danilo Mussolini wrote:
> Hi guys,
> First of all, thanks for all thoughts and support in this topic.
> Just to clarify some things:
> My LDAP server is a Debian 6.0.7 server. This guy is not a fileserver, I
> built it only to run the LDAP database. After this discussion, I'm not sure
> if this is the right approach.
> I have exactly 5 standalone file servers running CentOS 6.4 and Samba
> 3.6.9-151.el6. And as I said before, these servers authenticate users from
> the LDAP database mentioned above, so every user created in the LDAP
> database can authenticate in any of these file servers if allowed, to
> access files through Samba. Just to remember, I have a mixed environment,
> the clients run Windows, Linux and MacOS.
> Now, I'm setting up a brand new server running CentOS6.5 and Samba 4.1.7.
> The main reason for the Samba4 implementation is the performance. In my
> tests I had a huge performance improvement with Samba4 compared to Samba3
> in the same server. So, I took the smb.conf file from one of the Samba3
> servers as a model, made some share changes and after the smbpasswd -W, I
> could authenticate LDAP users in this new server.
> Everything was ok but the group permission issue, which was the main reason
> I wrote to this list.
> I have an LDAP user which is a member of two LDAP groups ("o2pos" and
> "admins" groups). When I set write permissions on the share to one of the
> groups (group "o2pos") I couldn't write to this share. But if I change the
> permissions allowing write to the other group (group "admins"), the write
> was allowed as it should. The curious thing is, all other servers running Samba3,
> are working fine with permissions set to the group "o2pos". But in Samba4
> it wasn't working.
> So now, some things about my last tests yesterday:
> I figured out that the problem was only with the group "o2pos". I created
> two new groups (eng and test) and put the same user (mussolini) as a member
> of both, so this user now is a member of "o2pos", "eng" and "test" groups.
> Just for simple tests, I set the share group owner as "eng" with write
> permissions and I could write in the share. Changed the group owner to
> "test" with write permissions as well, also worked. And then, when I set
> back the group owner "o2pos", I couldn't write!
> Maybe this is happening because the SIDs are not matching, as Harry
> mentioned before. I still didn't touch on the SIDs, maybe I'll do that
> today recreating the groups and reorganising the stuff.
> All of this makes sense?
> So, after that, this is going to work as I would like! But after all the
> discussion here, work with a standalone LDAP database to authenticate
> standalone Samba servers (without a DC) seems to not be the right way to
> work. Should I care about that?

The solution I've used at multiple sites where folks have had this
configured is to make the file servers all domain controllers. You
don't need to use them as such (i.e., not join machines to the domain),
but the supported mode for a shared passdb backend is a DC, and a DC can
also share files, so this ends up working.

I hope this helps you out of this little situation.


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
