[Samba] LDAP group objects?

Daniel Turner daniel.turner at eliciotech.com
Thu Dec 21 23:02:31 UTC 2017


Thank you, those links were indeed helpful.

It appears to me that while JumpCloud.com touts its Samba compatibility
(including "Samba Schema support"), theirs is an imperfect implementation.
Because they do not leverage the Samba group objectClass, they are hampering
Samba's ability.

The method they've used to implement groups does not allow those groups to
be used by Samba. I'm no expert on LDAP, but I believe the addition of an
attribute on their groupOfNames style of group may be all that is needed -
I'm spinning up an OpenLDAP instance to confirm.

Now to try to convince them of this fact in the hopes of future
improvements.

On Thu, Dec 21, 2017 at 2:17 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Thu, 21 Dec 2017 13:45:14 -0600
> Daniel Turner <daniel.turner at eliciotech.com> wrote:
>
> > re: "Depending on how you have Samba set up, you may need different
> > objectClasses, but the main ones for a group are 'posixGroup' and
> > 'sambaGroupMapping'"
> >
> > What configuration changes would affect which objectClass type is
> > used? I'm not able to find any information about this on the wiki.
> >
> > My smb.conf:
> >
> > [global]
> > log level = 12
> > workgroup = WORKGROUP
> > server string = MySAN %v
> > security = user
> > dns proxy = no
> >
> > #passdb backend = tdbsam
> >
> > passdb backend  =    ldapsam:ldaps://ldap.jumpcloud.com:636
> > ldap admin dn   =    "uid=daniel.turner,ou=Users,o=
> > 5a21683914f827970a385d7b,dc=$
> > ldap ssl        =    off
> > ldap suffix     =    o=5a21683914f827970a385d7b,dc=jumpcloud,dc=com
> >
> > ldap user suffix = ou=Users
> > ldap group suffix = ou=Groups
> >
> > [LocalStorage]
> >         path = /mnt/localhd
> >         valid users = daniel.turner,tucker.dragoo,daniel
> >         directory mask = 0771
> >         write list = daniel.turner,tucker.dragoo,daniel
> >         create mask = 0660
> >         writeable = yes
> >         force group = users
> >         browsable = yes
> >
>
> You are running Samba as a standalone server with an ldap backend, and
> this isn't used much (this may not be true, it just isn't asked about on
> the mailing list.)
>
> There are problems with doing this with the authentication in the
> cloud, you still need the same users and groups on the client machines.
>
> Try reading these webpages:
>
> https://help.ubuntu.com/lts/serverguide/samba-ldap.html
> https://spredzy.wordpress.com/2013/08/30/samba-standalone-openldap/
>
> They should show you the basis of what you need.
>
> You basically seem to be running a 'workgroup' with one of the machines
> in the cloud.
>
> Are you allowed to create your own machine in this cloud, if so you
> will probably be better off setting up a DC and then use this for
> authentication, this way you wouldn't need the same users stored
> locally.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
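The thread turns on what a group entry must carry for Samba's ldapsam backend to see it: the samba.schema objectClass sambaGroupMapping, whose MUST attributes are gidNumber, sambaSID and sambaGroupType. The script below is an added example, not code from the posters, from Samba or from JumpCloud. It parses two constructed LDIF entries (a guessed groupOfNames-style group and a group laid out the way smbldap-tools creates one), reports what ldapsam would find missing, and emits the LDIF modify that adds the missing pieces. Assumptions, also marked in the code: the domain SID is fictitious, the group RID follows Samba's algorithmic mapping (rid = 2*gid + 1001 with the default 'algorithmic rid base = 1000'), and only the AUXILIARY sambaGroupMapping class is added, because posixGroup from RFC 2307 nis.schema is STRUCTURAL and clashes with groupOfNames on OpenLDAP.

```python
"""Check a group entry against what Samba's ldapsam backend needs and build the
LDIF modify that adds the missing pieces.  Added example; sample data and the
RID formula are assumptions labelled inline."""
from collections import defaultdict

# samba.schema: sambaGroupMapping is AUXILIARY, MUST (gidNumber $ sambaSID $ sambaGroupType).
LDAP_OBJ_GROUPMAP = "sambaGroupMapping"
GROUPMAP_MUST = ("gidNumber", "sambaSID", "sambaGroupType")
SID_NAME_DOM_GRP = 2          # sambaGroupType value for a domain group
ALGORITHMIC_RID_BASE = 1000   # Samba default for 'algorithmic rid base' (assumption)

# Constructed sample data: fictitious SID, entries not exported from any directory.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_LDIF = """\
# constructed: a guess at a JumpCloud-style groupOfNames group
dn: cn=storage,ou=Groups,o=5a21683914f827970a385d7b,dc=jumpcloud,dc=com
objectClass: top
objectClass: groupOfNames
cn: storage
member: uid=daniel.turner,ou=Users,o=5a21683914f827970a385d7b,dc=jumpcloud,dc=com
member: uid=tucker.dragoo,ou=Users,o=5a21683914f827970a385d7b,dc=jumpcloud,dc=com

# constructed: a group the way smbldap-tools would create it
dn: cn=users,ou=Groups,o=5a21683914f827970a385d7b,dc=jumpcloud,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: users
gidNumber: 100
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1201
sambaGroupType: 2
displayName: users
memberUid: daniel.turner
"""


def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines, blank line between entries.
    Attribute names are lower-cased; no base64 (::) or folded-line support."""
    entries, cur = [], defaultdict(list)
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if cur:
                entries.append(dict(cur))
                cur = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        cur[attr.strip().lower()].append(value.strip())
    if cur:
        entries.append(dict(cur))
    return entries


def group_rid(gid, base=ALGORITHMIC_RID_BASE):
    """Samba's algorithmic gid -> RID mapping for groups (assumes base 1000)."""
    return 2 * gid + base + 1


def ldapsam_group_filter(gid):
    """The filter ldapsam uses to look a group up by gid."""
    return f"(&(objectClass={LDAP_OBJ_GROUPMAP})(gidNumber={gid}))"


def missing_for_samba(entry):
    """Names of the objectClass/attributes the entry lacks for ldapsam to find it."""
    ocs = {v.lower() for v in entry.get("objectclass", [])}
    missing = [] if LDAP_OBJ_GROUPMAP.lower() in ocs else ["objectClass: " + LDAP_OBJ_GROUPMAP]
    return missing + [a for a in GROUPMAP_MUST if a.lower() not in entry]


def samba_usable(entry):
    return not missing_for_samba(entry)


def ldif_modify_for_samba(entry, domain_sid, gid=None):
    """Build the 'changetype: modify' LDIF that makes the entry visible to ldapsam.
    gid must be supplied when the entry has no gidNumber (the groupOfNames case)."""
    if samba_usable(entry):
        return None
    if "gidnumber" in entry:
        gid = int(entry["gidnumber"][0])
    elif gid is None:
        raise ValueError("entry has no gidNumber; pass gid=")
    wanted = {"gidNumber": str(gid),
              "sambaSID": f"{domain_sid}-{group_rid(gid)}",
              "sambaGroupType": str(SID_NAME_DOM_GRP)}
    lines = [f"dn: {entry['dn'][0]}", "changetype: modify"]
    if LDAP_OBJ_GROUPMAP.lower() not in {v.lower() for v in entry.get("objectclass", [])}:
        lines += ["add: objectClass", f"objectClass: {LDAP_OBJ_GROUPMAP}", "-"]
    for attr in GROUPMAP_MUST:
        if attr.lower() not in entry:
            lines += [f"add: {attr}", f"{attr}: {wanted[attr]}", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    jumpcloud_group, smbldap_group = parse_ldif(SAMPLE_LDIF)
    print(ldapsam_group_filter(1001))
    print("groupOfNames entry missing:", missing_for_samba(jumpcloud_group))
    print("smbldap-tools entry usable:", samba_usable(smbldap_group))
    print(ldif_modify_for_samba(jumpcloud_group, DOMAIN_SID, gid=1001))
```

The generated modify can be fed to ldapmodify against a test OpenLDAP instance with samba.schema loaded; whether the hosted directory accepts the added objectClass is exactly the question the poster is trying to settle. Note that making the group findable by ldapsam does not by itself make it known to the Unix side of a standalone server (getgrgid still has to resolve the gid through NSS), which is the point Rowland raises about needing the same users and groups on the client machines.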

