[Samba] visibility of groups when multiple Samba servers use the same LDAP server
Rowland Penny
rpenny at samba.org
Mon Feb 11 12:22:46 UTC 2019
On Mon, 11 Feb 2019 12:30:51 +0100
Matthias Leopold via samba <samba at lists.samba.org> wrote:
> Hi,
>
> we are using a _single_ LDAP server as backend for _multiple_ Samba
> standalone file servers (security=user). This LDAP server serves
> mainly other purposes and access for Samba is read only so the
> situation is not optimal but "it works for us". Still I don't
> understand one phenomenon concerning visibility of LDAP groups.
>
> The LDAP configuration in smb.conf for all our Samba servers is
> basically like this (with each server having its own branch for
> "ldap group suffix", that's the point):
>
> passdb backend = ldapsam:ldap://ldap.domain.tld
> ldap suffix = dc=domain,dc=tld
> ldap user suffix = ou=people
> ldap group suffix = ou=server01,ou=smb,ou=Groups
>
> NSS uses LDAP via SSSD like this:
>
> [domain/LDAP]
> id_provider = ldap
>
> ldap_uri = ldap://ldap.domain.tld
> ldap_search_base = dc=domain,dc=tld
>
> ldap_user_search_base = ou=People,dc=domain,dc=tld
> ldap_group_search_base = ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld
>
> The sambaDomainName is stored in an entry in LDAP path
> ou=smb,dc=domain,dc=tld. Each server has its own entry, but all use
> the same SID.
>
> This setup is not exactly pretty, but it "works". Still, unexpectedly
> Samba on server01 sees groups in other branches than
> "ou=server01,ou=smb,ou=Groups" (with "net groupmap list").
>
> example:
> - group is cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
> - on server01 this group is visible with "net groupmap list
> ntgroup=testgroup"
> - "getent group testgroup" does not work (as expected)
> Why is this?
>
> thx
> matthias
>
You are going to have to give us more info ;-)
What OSs?
What version(s) of Samba?
Have there been any updates/upgrades to anything?
Rowland
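The following is an added example, not part of the thread and not Samba or SSSD code. It takes the search bases from the quoted smb.conf and sssd.conf and checks which of them the group DN from the example falls under. It assumes (this is an assumption to verify against your Samba version's pdb_ldap.c) that ldapsam group-mapping lookups behind `net groupmap list` are subtree searches starting at `ldap suffix`, whereas SSSD only searches below `ldap_group_search_base`; the two `ldapsearch` commands it prints are illustrative reproductions of those searches to run read-only against the live server, and the filters in them are assumptions as well.

```shell
#!/bin/sh
# Added example: which configured search base does a group DN fall under?
# Values below are constructed from the smb.conf / sssd.conf quoted in the thread.

# Normalise a DN for comparison: lower-case it and drop whitespace around commas.
norm_dn() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*,[[:space:]]*/,/g'
}

# dn_under_base DN BASE: succeeds when DN equals BASE or lies in its subtree.
# The leading comma in the pattern stops "xou=Groups,..." matching "ou=Groups,...".
dn_under_base() {
    _dn=$(norm_dn "$1"); _base=$(norm_dn "$2")
    [ "$_dn" = "$_base" ] && return 0
    case "$_dn" in
        *",$_base") return 0 ;;
    esac
    return 1
}

LDAP_SUFFIX='dc=domain,dc=tld'                                        # smb.conf "ldap suffix"
SMB_GROUP_BASE="ou=server01,ou=smb,ou=Groups,$LDAP_SUFFIX"            # smb.conf "ldap group suffix" (where new groups are created)
SSSD_GROUP_BASE='ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld'       # sssd.conf ldap_group_search_base
TESTGROUP='cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld' # group from the example

# Assumption: ldapsam group-mapping lookups search the whole "ldap suffix" subtree.
visible_to_groupmap() { dn_under_base "$1" "$LDAP_SUFFIX"; }
# SSSD resolves groups only below ldap_group_search_base.
visible_to_getent()   { dn_under_base "$1" "$SSSD_GROUP_BASE"; }

explain() {
    if visible_to_groupmap "$1"; then
        echo "net groupmap list : found     ($1 is under '$LDAP_SUFFIX')"
    else
        echo "net groupmap list : not found"
    fi
    if visible_to_getent "$1"; then
        echo "getent group      : found     ($1 is under '$SSSD_GROUP_BASE')"
    else
        echo "getent group      : not found ($1 is outside '$SSSD_GROUP_BASE')"
    fi
}

# Print (do not run) the two read-only searches to reproduce the difference by hand.
# Filters are illustrative assumptions, not copied from Samba or SSSD source.
print_searches() {
    echo "ldapsearch -x -H ldap://ldap.domain.tld -b '$LDAP_SUFFIX' -s sub '(&(objectClass=sambaGroupMapping)(|(displayName=$1)(cn=$1)))' dn sambaSID gidNumber"
    echo "ldapsearch -x -H ldap://ldap.domain.tld -b '$SSSD_GROUP_BASE' -s sub '(&(objectClass=posixGroup)(cn=$1))' dn gidNumber"
}

explain "$TESTGROUP"
print_searches testgroup
```

Run it as-is to see the asymmetry for `testgroup`: the DN sits under `dc=domain,dc=tld` but not under the server01 group branch, which is exactly the "visible to net groupmap, invisible to getent" pattern described in the question. Compare the printed `ldapsearch` results against your own server before drawing conclusions, since the search bases Samba actually uses depend on the version in use.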