[Samba] How to use ldapsam only for authentication?

Meike Stone meike.stone at googlemail.com
Thu Jan 28 14:28:04 UTC 2016


Hello dear list,

I need help with authentication configuration on samba.
It is a little bit special ...

We have a Linux server with all users/groups configured locally.
(nsswitch.conf points to passwd and groups)

We have ONE share configured, and under this shared folder are located
separate project folders.

On each project folder POSIX ACLs are set with two groups, for read-only
and for write access.
These rights/ACLs are set once by the administrator.
Rights for files and subfolders under the project folders are
automatically inherited.

No user should be able to change rights, so in the share definition
we set "nt acl support" to NO.

The Samba server used tdbsam, and all was working well.

But now we would like to change the configuration so that ONLY the user
authentication goes to ldapsam.

I configured that and all is running well.

But now I see a lot of LDAP requests to get user and group information
(about 2.5 million LDAP requests in only 6 hours!).
Are these LDAP requests necessary? Because all information needed for
running Samba (in this configuration) is available from the system
nsswitch/passwd/groups....

These LDAP requests cost resources on the LDAP server and time in
the smbd process.
Is it possible to disable all LDAP requests querying for users and
groups and use ldapsam ONLY for authentication?

Here is my configuration:

[global]
        workgroup = Samba
        map to guest = Bad User
        security = user
        server string = FS01

        ldap admin dn = uid=samba,cn=susers,o=mydom,c=net
        passdb backend = ldapsam:"ldap://ldap01.mydom.net"
        ldap suffix = cn=samba,o=mydom,c=net
        ldap user suffix = cn=accounts
        ldap group suffix = cn=groups
        ldap passwd sync = No

[SHARE1]
        path = /data/share1
        comment = share1
        writeable = yes
        browseable = no
        nt acl support = no
        inherit permissions = yes
        store dos attributes = yes

Thanks for your help,
kind regards, Meike
