[Samba] How to use ldapsam only for authentication?

mathias dufresne infractory at gmail.com
Thu Jan 28 17:42:00 UTC 2016


Hi Meike,

As far as I understood, you are using ldapsam only when Samba is running as
an AD domain controller.

And when Samba is running as an AD DC, all user stuff goes to AD and so to ldapsam.

In the configuration you described I expect your users exist twice:
once in /etc/passwd as Linux users and once in the Samba TDB as Samba users.

As there is work to do for the change you speak about, why not take
advantage of this change to also remove users from the flat files? I mean, you
can declare your AD users with the very same UID/GID and groups as those in
the flat files...

I must have missed something in your architecture ;)

Cheers,

mathias

2016-01-28 15:28 GMT+01:00 Meike Stone <meike.stone at googlemail.com>:

> Hello dear list,
>
> I need help with authentication configuration on samba.
> It is a little bit special ...
>
> We have a Linux server with all users/groups configured locally.
> (nsswitch.conf points to passwd and groups)
>
> We have ONE share configured, and under this shared folder are located
> separate project folders.
>
> On each project folder, posix ACLs are set with two groups for
> read-only and write access.
> These rights/ACLs are set once by the administrator.
> Rights for files and subfolders under the project folders are
> automatically inherited.
>
> No user should be able to change rights, so in the share definition
> we set "nt acl support" to NO.
>
> The Samba server used tdbsam, and all was working well.
>
> But now we would like to change the configuration so that ONLY the user
> authentication goes to ldapsam.
>
> I configured that and all is running well.
>
> But now I see a lot of LDAP requests to get user and group information
> (about 2.5 million LDAP requests in only 6 hours!).
> Are these LDAP requests necessary? - because all information needed for
> running Samba (in this configuration) is available from the system
> nsswitch/passwd/groups....
>
> These LDAP requests cost resources on the LDAP server and time in
> the smbd process.
> Is it possible to disable all LDAP requests querying for users and
> groups and use ldapsam ONLY for authentication?
>
> Here is my configuration:
>
> [global]
>           workgroup = Samba
>           map to guest = Bad User
>           security = user
>           server string = FS01
>
>           ldap admin dn = uid=samba,cn=susers,o=mydom,c=net
>           passdb backend = ldapsam:"ldap://ldap01.mydom.net"
>           ldap suffix = cn=samba,o=mydom,c=net
>           ldap user suffix = cn=accounts
>           ldap group suffix = cn=groups
>           ldap passwd sync = No
>
> [SHARE1]
>         path = /data/share1
>         comment = share1
>         writeable = yes
>         browseable = no
>         nt acl support = no
>         inherit permissions = yes
>         store dos attributes = yes
>
> Thanks for your help,
> kind regards, Meike
>
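Mathias's suggestion above only works safely if every account carries the very same UID/GID and group memberships in the directory as in the flat files: a UID that differs between /etc/passwd and LDAP, or a number that is already taken by another name, silently changes who owns the project folders and who the posix ACLs grant access to. The following script is an added example, not code from the thread or from the Samba project. It parses passwd/group lines and posixAccount/posixGroup entries in LDIF form (all sample data below is constructed, using the cn=accounts / cn=groups suffixes from Meike's smb.conf) and reports every identity that would not map to the same numeric ID on both sides.

```python
"""Cross-check local flat-file accounts against LDAP posixAccount/posixGroup
entries so each name keeps the same UID/GID, and each number one owner, on both sides.
Added example; sample inputs are constructed and the account names are hypothetical."""

from collections import defaultdict

# Constructed /etc/passwd and /etc/group lines (not from the thread).
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "meike:x:1001:100:Meike:/home/meike:/bin/bash",
    "bob:x:1002:100:Bob:/home/bob:/bin/bash",
    "alice:x:1003:100:Alice:/home/alice:/bin/bash",
]
GROUP_LINES = [
    "users:x:100:",
    "proj1-rw:x:2001:meike,bob",
    "proj1-ro:x:2002:alice",
]
# Constructed LDIF as an ldapsearch would return it under the suffixes from smb.conf.
LDIF_TEXT = """\
dn: uid=meike,cn=accounts,cn=samba,o=mydom,c=net
objectClass: posixAccount
objectClass: sambaSamAccount
uid: meike
uidNumber: 1001
gidNumber: 100

dn: uid=bob,cn=accounts,cn=samba,o=mydom,c=net
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bob
uidNumber: 1502
gidNumber: 100

dn: uid=carol,cn=accounts,cn=samba,o=mydom,c=net
objectClass: posixAccount
objectClass: sambaSamAccount
uid: carol
uidNumber: 1003
gidNumber: 100

dn: cn=proj1-rw,cn=groups,cn=samba,o=mydom,c=net
objectClass: posixGroup
cn: proj1-rw
gidNumber: 2001
memberUid: meike
memberUid: bob

dn: cn=proj1-ro,cn=groups,cn=samba,o=mydom,c=net
objectClass: posixGroup
cn: proj1-ro
gidNumber: 2002
memberUid: alice
memberUid: carol
"""


def parse_passwd(lines, min_uid=1000):
    """name -> (uid, primary gid); system accounts below min_uid are skipped."""
    users = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, _shell = line.split(":")
        if int(uid) >= min_uid:
            users[name] = (int(uid), int(gid))
    return users


def parse_group(lines, min_gid=1000):
    """name -> (gid, set of member names); system groups below min_gid are skipped."""
    groups = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        if int(gid) >= min_gid:
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_ldif(text):
    """Split LDIF into entries: each entry maps attribute -> list of values."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:  # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def ldap_identities(entries):
    """Pick posixAccount / posixGroup entries out of parsed LDIF."""
    users, groups = {}, {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "posixaccount" in classes:
            users[e["uid"][0]] = (int(e["uidNumber"][0]), int(e["gidNumber"][0]))
        if "posixgroup" in classes:
            groups[e["cn"][0]] = (int(e["gidNumber"][0]), set(e.get("memberUid", [])))
    return users, groups


def compare(local_users, local_groups, ldap_users, ldap_groups):
    """Return findings as tuples; an empty list means both sides agree."""
    findings = []
    for name in sorted(set(local_users) | set(ldap_users)):
        lu, ru = local_users.get(name), ldap_users.get(name)
        if lu is None:
            findings.append(("MISSING_LOCALLY", name))
        elif ru is None:
            findings.append(("MISSING_IN_LDAP", name))
        else:
            if lu[0] != ru[0]:
                findings.append(("UID_MISMATCH", name, lu[0], ru[0]))
            if lu[1] != ru[1]:
                findings.append(("GID_MISMATCH", name, lu[1], ru[1]))
    # One uidNumber must belong to exactly one name across both sources,
    # otherwise two people end up owning each other's files.
    owners = defaultdict(set)
    for source in (local_users, ldap_users):
        for name, (uid, _gid) in source.items():
            owners[uid].add(name)
    for uid, names in sorted(owners.items()):
        if len(names) > 1:
            findings.append(("UID_COLLISION", uid, tuple(sorted(names))))
    for name in sorted(set(local_groups) | set(ldap_groups)):
        lg, rg = local_groups.get(name), ldap_groups.get(name)
        if lg is None or rg is None:
            findings.append(("GROUP_ONLY_ON_ONE_SIDE", name))
            continue
        if lg[0] != rg[0]:
            findings.append(("GROUP_GID_MISMATCH", name, lg[0], rg[0]))
        if lg[1] != rg[1]:
            findings.append(("GROUP_MEMBERS_DIFFER", name, tuple(sorted(lg[1] ^ rg[1]))))
    return findings


def run_check():
    """Run the comparison on the constructed sample data."""
    ldap_users, ldap_groups = ldap_identities(parse_ldif(LDIF_TEXT))
    return compare(parse_passwd(PASSWD_LINES), parse_group(GROUP_LINES), ldap_users, ldap_groups)


if __name__ == "__main__":
    for finding in run_check():
        print(*finding)
```

On real hosts the inputs would come from `getent passwd` / `getent group` and from an ldapsearch of the two suffixes; the check is meant to run before the flat-file users are removed, and a clean report is the precondition for the migration Mathias describes.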