[Samba] Winbind and nss-ldap

Praveen Ghimire PGhimire at sundata.com.au
Thu Oct 4 08:34:03 UTC 2018


Hi Rowland,

We are caught in  a similar situation.  The question is if the users and groups are defined in /etc/passwd and /etc/group,  shouldn't the server auth them using these first? As nsswitch directs the server to look at "files" first . Shouldn't this be the default regardlessof winbind/ldap configs?



Regards,

Praveen Ghimire


-------- Original message --------
From: Rowland Penny via samba <samba at lists.samba.org>
Date: 3/10/2018 5:33 PM (GMT+10:00)
To: samba at lists.samba.org
Subject: Re: [Samba] Winbind and nss-ldap

On Wed, 3 Oct 2018 16:01:29 +1000
Rob Thoman via samba <samba at lists.samba.org> wrote:

> Hi Guys,
>
> Have some issues with winbind and nss-ldap in LDAP based NT4
> BDC/fileserver
>
> The DC has the LDAP server role and the BDC connects to it for
> authentication.
>
> smb.conf of the BDC
>
>     netbios name = TRAC5
>      local master = no
>     domain master = no
>     preferred master = no
>     domain logons = no
>  passdb backend = ldapsam:ldap://trac15.ste.com
>   ldap admin dn = cn=admin,dc=ste,d=com
>   ldap suffix = dc=ste
>   ldap group suffix = ou=groups
>   ldap machine suffix = ou=computers
>   ldap user suffix = ou=users
>   idmap backend = ldap
>   ldap idmap suffix = ou=idmap
>   idmap config * : ldap_url = ldap://trac15.ste
>   idmap config * : ldap_base_dn = ou=idmap,dc=ste,dc=com
>   idmap config * : ldap_user_dn = cn=admin,dc=ste,dc=com
>   ldap delete dn = no
>   ldap ssl = start tls
>
> We've setup libnss-ldap in the servers (both trac15 and trac5)
>
> When we enable winbind service, we get the following error
>  user 'asmith' (from session setup) not permitted to access this share
> (dataldap). In the actual client when you open the share, it prompts
> for the login creds again and again
>
> When the winbind is disabled,
> The user is able to login and access the shares. The issue seems to
> be with the folder permissions. The /home drive is setup with 700 as
> the mask and the folder permission in smb.conf. The user can create
> folders but not rename them. They can create a text file but not
> rename them. It comes with the You need permission from a the
> following user to make changes. The SID presented is the SID of the
> user in LDAP
>
> We have removed and added back the user in the /etc/passwd file in the
> fileserver. If we remove it the getent passwd doesn't recoginse the
> user. Our nsswitch.conf has files ldap
>
> So basically at this stage we are disabling winbind to get LDAP
> working
>
> Thank you,
>
> RT

The 'smbd' deamon used to be able to carry out some authentication it
self, but now it needs to go through winbind or another agent. It looks
like winbind doesn't like ldap any more. All of the current developer
focus seems to be aimed at AD, so it looks like something has got broken
accidentally. Will it get fixed, possibly, but only if you provide
level 10 logs and/or network traces that show just where the problem is
and open a bugreport.

This type of thing is not just happening on Samba, Microsoft is having
similar problems, but their problems may be on purpose, they declared
NT4-style domains EOL over 10 years ago.

Your best choice would be to upgrade to AD as soon as possible, this
is where all the developer focus is aimed at.

Rowland


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________


More information about the samba mailing list