[Samba] distributing samba users to the local systems

Xen list at xenhideout.nl
Wed Jul 13 22:29:14 UTC 2016


mathias dufresne wrote on 13-07-2016 11:42:
> I haven't yet fully read your mail, still trying to understand.
> 
> Anyway all that I read is about complexity of using several users
> databases. Why not use only one user database? AD is a user database,
> can be used on all these systems, can be used in conjunction with
> Samba... All user names, UIDs and GIDs would be into the same DB, they
> would be coherent (if you don't mess up your DB obviously ^^) and that
> could simplify stuffs...

AD is much more complex than what I want to get into.

Also these are Linux to Linux systems currently.

It would be possible to only use LDAP users but not very convenient.

The real setup I want, the only issue is how to merge / deal with local 
accounts vs. LDAP accounts. I cannot get them on LDAP totally as you say 
because they only have access to LDAP when using VPN.

Suppose they have shares of their own (not just centrally, but 
decentrally). Suppose other users of the VPN would be able to write to 
their shares when connected. Now those writes would be done using LDAP 
users. But the local computer doesn't have LDAP users when not 
connected.

That is problematic by itself, hmm....

Maybe I already have the best I can achieve. I cannot expect the local 
system to have users for whatever LDAP clients there might be. You could 
imagine localizing the file ownership upon write; adding local users as 
needed, and mapping their names to LDAP names when requested from the 
VPN, that's a way to do it. Rather much development though.

I think I already have a rather stable solution at present, thank you 
for your help.

I wrote here before that from my Linux client, the ACL on the server was 
not honoured; I could not write locally even though I had rights 
centrally.

Turns out it was a Linux bug, in the kernel, I just had to reboot and it 
was fixed, apparently.

Linux suffers a lot from "stale handles" and "refcounts" that go wrong.

Often the only way to fix it is to reboot.

I have started using "noperm" locally to mount with unix extensions, so 
that my local system doesn't bug me about being in the wrong group.

It is possible to add myself to LDAP groups (/etc/security/group.conf) 
but that is semantically not correct for me; to achieve local access by 
adding myself to some group, while the remote server has no problem with 
my credentials.

On my Synology NAS posix ACLs are not transmitted to the Linux client. 
It is not using posix ACLs I think.

And it also doesn't map them to it, I'm afraid.
