[Samba] visibility of groups when multiple Samba servers use the same LDAP server
Matthias Leopold
matthias.leopold at meduniwien.ac.at
Mon Feb 11 11:30:51 UTC 2019
Hi,

we are using a _single_ LDAP server as backend for _multiple_ Samba
standalone file servers (security=user). This LDAP server serves mainly
other purposes and access for Samba is read only, so the situation is not
optimal, but "it works for us". Still I don't understand one phenomenon
concerning visibility of LDAP groups.

The LDAP configuration in smb.conf for all our Samba servers is
basically like this (with each server having its own branch for "ldap
group suffix", that's the point):

    passdb backend = ldapsam:ldap://ldap.domain.tld
    ldap suffix = dc=domain,dc=tld
    ldap user suffix = ou=people
    ldap group suffix = ou=server01,ou=smb,ou=Groups

NSS uses LDAP via SSSD like this:

    [domain/LDAP]
    id_provider = ldap
    ldap_uri = ldap://ldap.domain.tld
    ldap_search_base = dc=domain,dc=tld
    ldap_user_search_base = ou=People,dc=domain,dc=tld
    ldap_group_search_base = ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld

The sambaDomainName is stored in an entry in LDAP path
ou=smb,dc=domain,dc=tld. Each server has its own entry, but all use the
same SID.

This setup is not exactly pretty, but it "works". Still, unexpectedly
Samba on server01 sees groups in other branches than
"ou=server01,ou=smb,ou=Groups" (with "net groupmap list").

example:
- group is cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
- on server01 this group is visible with "net groupmap list
  ntgroup=testgroup"
- "getent group testgroup" does not work (as expected)

Why is this?

thx
matthias