[Samba] visibility of groups when multiple Samba servers use the same LDAP server

Matthias Leopold matthias.leopold at meduniwien.ac.at
Mon Feb 11 11:30:51 UTC 2019


we are using a _single_ LDAP server as backend for _multiple_ Samba 
standalone file servers (security=user). This LDAP server serves mainly 
other purposes and access for Samba is read only so the situation is not 
optimal but "it works for us". Still I don't understand one phenomenon 
concerning visibility of LDAP groups.

The LDAP configuration in smb.conf for all our Samba servers is 
basically like this (with each server having it's own branch for "ldap 
group suffix", that's the point):

passdb backend = ldapsam:ldap://ldap.domain.tld
ldap suffix = dc=domain,dc=tld
ldap user suffix = ou=people
ldap group suffix = ou=server01,ou=smb,ou=Groups

NSS uses LDAP via SSSD like this:

id_provider = ldap

ldap_uri = ldap://ldap.domain.tld
ldap_search_base = dc=domain,dc=tld

ldap_user_search_base = ou=People,dc=domain,dc=tld
ldap_group_search_base = ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld

The sambaDomainName is stored in an entry in LDAP path 
ou=smb,dc=domain,dc=tld. Each server has it's own entry, but all use the 
same SID.

This setup is not exactly pretty, but it "works". Still, unexpectedly 
Samba on server01 sees groups in other branches than 
"ou=server01,ou=smb,ou=Groups" (with "net groupmap list").

- group is cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
- on server01 this group is visible with "net groupmap list 
- "getent group testgroup" does not work (as expected)
Why is this?


More information about the samba mailing list