[Samba] How to use ldapsam only for authentication?
Meike Stone
meike.stone at googlemail.com
Thu Jan 28 14:28:04 UTC 2016
Hello dear list,
I need help with authentication configuration on samba.
It is a little bit special ...
We have a Linux server with all users/groups configured locally.
(nsswitch.conf points to passwd and groups)
We have ONE share configured, and separate project folders are located
under this shared folder.
POSIX ACLs are set on each project folder, with two groups for read-only
and write access.
These rights/ACLs are set once by the administrator.
Rights for files and subfolders under the project folders are
automatically inherited.
No user should be able to change rights, so in the share definition
we set "nt acl support"
to NO.
The Samba server used tdbsam, and all was working well.
But now we would like to change the configuration, so that ONLY the user
authentication goes to
ldapsam.
I configured that and all is running well.
But now I see a lot of LDAP requests to get user and group information
(about 2.5 million LDAP requests in only 6 hours!).
Are these LDAP requests necessary? All the information needed for
running Samba (in this configuration) is available from the system
nsswitch/passwd/groups....
These LDAP requests cost resources on the LDAP server and time in
the smbd process.
Is it possible to disable all LDAP requests querying for users and
groups and use ldapsam ONLY for authentication?
Here is my configuration:

[global]
    workgroup = Samba
    map to guest = Bad User
    security = user
    server string = FS01
    ldap admin dn = uid=samba,cn=susers,o=mydom,c=net
    passdb backend = ldapsam:"ldap://ldap01.mydom.net"
    ldap suffix = cn=samba,o=mydom,c=net
    ldap user suffix = cn=accounts
    ldap group suffix = cn=groups
    ldap passwd sync = No

[SHARE1]
    path = /data/share1
    comment = share1
    writeable = yes
    browseable = no
    nt acl support = no
    inherit permissions = yes
    store dos attributes = yes

Thanks for your help,
kind regards, Meike