[Samba] visibility of groups when multiple Samba servers use the same LDAP server

Matthias Leopold matthias.leopold at meduniwien.ac.at
Mon Feb 11 14:40:02 UTC 2019



On 11.02.19 at 14:22, Rowland Penny via samba wrote:
> On Mon, 11 Feb 2019 13:46:05 +0100
> Matthias Leopold via samba <samba at lists.samba.org> wrote:
> 
>>
>>
>> On 11.02.19 at 13:22, Rowland Penny via samba wrote:
>>> On Mon, 11 Feb 2019 12:30:51 +0100
>>> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> we are using a _single_ LDAP server as backend for _multiple_ Samba
>>>> standalone file servers (security=user). This LDAP server serves
>>>> mainly other purposes and access for Samba is read only so the
>>>> situation is not optimal but "it works for us". Still I don't
>>>> understand one phenomenon concerning visibility of LDAP groups.
>>>>
>>>> The LDAP configuration in smb.conf for all our Samba servers is
>>>> basically like this (with each server having its own branch for
>>>> "ldap group suffix", that's the point):
>>>>
>>>> passdb backend = ldapsam:ldap://ldap.domain.tld
>>>> ldap suffix = dc=domain,dc=tld
>>>> ldap user suffix = ou=people
>>>> ldap group suffix = ou=server01,ou=smb,ou=Groups
>>>>
>>>> NSS uses LDAP via SSSD like this:
>>>>
>>>> [domain/LDAP]
>>>> id_provider = ldap
>>>>
>>>> ldap_uri = ldap://ldap.domain.tld
>>>> ldap_search_base = dc=domain,dc=tld
>>>>
>>>> ldap_user_search_base = ou=People,dc=domain,dc=tld
>>>> ldap_group_search_base =
>>>> ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld
>>>>
>>>> The sambaDomainName is stored in an entry in LDAP path
>>>> ou=smb,dc=domain,dc=tld. Each server has its own entry, but all
>>>> use the same SID.
>>>>
>>>> This setup is not exactly pretty, but it "works". Still,
>>>> unexpectedly Samba on server01 sees groups in other branches than
>>>> "ou=server01,ou=smb,ou=Groups" (with "net groupmap list").
>>>>
>>>> example:
>>>> - group is
>>>> cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
>>>> - on server01 this group is visible with "net groupmap list
>>>> ntgroup=testgroup"
>>>> - "getent group testgroup" does not work (as expected)
>>>> Why is this?
>>>>
>>>> thx
>>>> matthias
>>>>
>>>
>>> You are going to have to give us more info ;-)
>>> What OS's ?
>>> What version(s) of Samba ?
>>> Have there been any updates/upgrades to anything ?
>>>
>>> Rowland
>>>
>>
>> thx for quick reply.
>> Samba is 4.8.3 on CentOS 7.
>> LDAP server is IBM Tivoli Directory Server on AIX.
>> The situation has always been like this, upgrades didn't change
>> anything.
>>
>> Matthias
>>
> 
> It sounds like you are running Samba in much the same way as a PDC and
> in a very old way, but I cannot be sure about this because you seem to
> be refusing to post your smb.conf.
> 
> You posted:
> 
> Still, unexpectedly Samba on server01
> 
> To me, a native English speaking person, that sounds like your problem
> had just started. I think you meant:
> 
> However, Samba on server01
> 
> If your NON_PDC PDC is set up correctly, 'getent group testgroup' would
> work.
> 
> Rowland
> 

Thanks for help.

I'm attaching the output of "testparm" for one of the servers.
Indeed I wanted to express "However, Samba on server01", I wasn't aware 
of this potential for misunderstanding, sorry.
I don't know any recent SAMBA + LDAP documentation, I roughly follow 
https://wiki.samba.org/index.php/Samba_%26_LDAP and I did set up a PDC 
with smbldap-tools a long time ago, but I know that this is not a PDC 
right now. What are the differences for non-PDC servers?

When I tell Samba + NSS to use LDAP branch 
'ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld' for group information I 
don't expect that group 'testgroup' in branch 
'ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld' is found.

Matthias




-------------- next part --------------
[global]
	ldap admin dn = uid=ldapadmin,ou=services,dc=domain,dc=tld
	ldap group suffix = ou=group01,ou=smb,ou=Groups
	ldap suffix = dc=domain,dc=tld
	ldap user suffix = ou=people
	map to guest = Bad User
	passdb backend = ldapsam:ldap://ldap.domain.tld
	security = USER
	workgroup = SAMBA
	idmap config * : backend = tdb
	map acl inherit = Yes
	store dos attributes = Yes
	vfs objects = acl_xattr


[foo_home]
	admin users = +foo_admin
	browseable = No
	path = /srv/foo/lv01/home
	read only = No

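An added example, not part of the thread or of Samba/SSSD: a small offline checker that composes the DNs Samba and SSSD will actually use from the settings quoted in the thread and reports which lookups would find a given group entry. It assumes, following the smb.conf(5) description of "ldap group suffix" (the suffix is pre-pended to "ldap suffix" when group entries are added), that ldapsam lookups such as "net groupmap list" search the whole "ldap suffix" subtree, whereas SSSD only searches its ldap_group_search_base. The DN-splitting helper is deliberately simple (no escaped-comma handling) and the config strings are constructed from the values posted above.

```python
# Added example (not from the mailing-list thread): compose the group bases
# Samba and SSSD will use from the quoted settings and check which of them
# contain a given group DN.
# Assumption (from the smb.conf(5) wording): 'ldap group suffix' is only
# pre-pended to 'ldap suffix' when Samba *writes* group entries; lookups such
# as "net groupmap list" search the whole 'ldap suffix' subtree.

# Constructed inputs, copied from the settings quoted in the thread.
SMB_CONF = """
[global]
    ldap group suffix = ou=server01,ou=smb,ou=Groups
    ldap suffix = dc=domain,dc=tld
    ldap user suffix = ou=people
    passdb backend = ldapsam:ldap://ldap.domain.tld
"""

SSSD_CONF = """
[domain/LDAP]
id_provider = ldap
ldap_search_base = dc=domain,dc=tld
ldap_user_search_base = ou=People,dc=domain,dc=tld
ldap_group_search_base = ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld
"""


def parse_ini(text):
    """Parse 'key = value' lines of an smb.conf / sssd.conf dump into a dict.

    Keys are lower-cased; section headers and comments are skipped (the
    snippets above each contain a single section)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", "#", ";")):
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf


def split_dn(dn):
    """Split a DN into normalised RDNs (lower-case, whitespace stripped).

    Sufficient for the simple DNs in this thread; escaped commas are not
    handled."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def dn_under(dn, base):
    """True if dn equals base or lies anywhere in the subtree below base."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def samba_bases(smb):
    """Return (base where this server writes groups, base it searches)."""
    suffix = smb["ldap suffix"]
    group_suffix = smb.get("ldap group suffix")
    write_base = f"{group_suffix},{suffix}" if group_suffix else suffix
    return write_base, suffix


def explain_group(group_dn, smb, sssd):
    """Report which components would find group_dn with these settings."""
    write_base, search_base = samba_bases(smb)
    sssd_base = sssd.get("ldap_group_search_base") or sssd["ldap_search_base"]
    return {
        # branch where this server would create the group itself
        "in_samba_group_branch": dn_under(group_dn, write_base),
        # ldapsam subtree search rooted at 'ldap suffix' (assumed, see above)
        "found_by_net_groupmap": dn_under(group_dn, search_base),
        # SSSD/NSS only looks below its own group search base
        "found_by_getent": dn_under(group_dn, sssd_base),
        # sanity check: Samba's group branch and SSSD's base should match
        "samba_sssd_bases_agree": split_dn(write_base) == split_dn(sssd_base),
    }


if __name__ == "__main__":
    smb, sssd = parse_ini(SMB_CONF), parse_ini(SSSD_CONF)
    for dn in ("cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld",
               "cn=localgroup,ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld"):
        print(dn)
        for key, value in explain_group(dn, smb, sssd).items():
            print(f"  {key:24} {value}")
```

Run against the testgroup DN from the thread, the checker reports that the entry lies under "dc=domain,dc=tld" but not under "ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld", which is exactly the split observed in the thread: visible to "net groupmap list" but not to "getent group". The last field is the check worth keeping in a deployment script: if a server's composed Samba group branch and its SSSD ldap_group_search_base ever drift apart, group resolution will disagree between the two.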