[Samba] visibility of groups when multiple Samba servers use the same LDAP server

Harry Jede walk2sun at arcor.de
Mon Feb 11 15:36:34 UTC 2019

Am 11.02.19 um 12:30 schrieb Matthias Leopold via samba:
> Hi,
> we are using a _single_ LDAP server as backend for _multiple_ Samba 
> standalone file servers (security=user). This LDAP server serves 
> mainly other purposes and access for Samba is read only so the 
> situation is not optimal but "it works for us". Still I don't 
> understand one phenomenon concerning visibility of LDAP groups.
> The LDAP configuration in smb.conf for all our Samba servers is 
> basically like this (with each server having its own branch for "ldap
> group suffix", that's the point):
> passdb backend = ldapsam:ldap://ldap.domain.tld
> ldap suffix = dc=domain,dc=tld
> ldap user suffix = ou=people
> ldap group suffix = ou=server01,ou=smb,ou=Groups
> NSS uses LDAP via SSSD like this:
> [domain/LDAP]
> id_provider = ldap
> ldap_uri = ldap://ldap.domain.tld
> ldap_search_base = dc=domain,dc=tld
> ldap_user_search_base = ou=People,dc=domain,dc=tld
> ldap_group_search_base = ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld
> The sambaDomainName is stored in an entry in LDAP path 
> ou=smb,dc=domain,dc=tld. Each server has its own entry, but all use
> the same SID.
> This setup is not exactly pretty, but it "works".

More or less

> Still, unexpectedly Samba on server01 sees groups in other branches 
> than "ou=server01,ou=smb,ou=Groups" (with "net groupmap list").

Yes, still normal. Samba has its own view of LDAP! And this does not use
your NSS settings.

The only way to get this solved: use ACLs in Tivoli, so that each Samba
instance sees only its "own groups".

This is a log snippet from an OpenLDAP server. Log level is set to filter.

SRCH base="dc=europa,dc=xx" scope=2 deref=0 

I have searched for a group named teacher with:

net groupmap list ntgroup=teachers

Some lines from smb.conf:

# egrep 'ldap|idmap' /etc/samba/smb.conf
         ldapsam:trusted     = yes
         ldapsam:editposix   = yes
         passdb backend       = ldapsam:ldapi:///
         ldap passwd sync     = yes
         ldap suffix          = dc=europa,dc=xx
         ldap admin dn        = cn=admin,dc=europa,dc=xx
         ldap group suffix    = ou=groups
         ldap user suffix     = ou=people,ou=accounts
         ldap machine suffix  = ou=machines,ou=accounts
;        passwd program       = /usr/sbin/smbldap-passwd %u
;        add machine script   = /usr/sbin/smbldap-useradd -a -W "%u"
         ldap delete dn       = yes
         ldap ssl             = no
         idmap config * : backend      = ldap
         idmap config * : range        = 30000-1999999
         idmap config * : ldap_url     = ldapi:///
         idmap config * : ldap_base_dn = ou=idmap,dc=europa,dc=xx
         idmap config * : ldap_user_dn = cn=admin,dc=europa,dc=xx
         ldap passwd sync     = yes

So, I have set "ldap group suffix", but as you see in the above log,
Samba does not honor this setting. Samba's search starts at "ldap suffix".

Again, use ACLs in Tivoli and all is good.

Hope that helps

> example:
> - group is cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
> - on server01 this group is visible with "net groupmap list 
> ntgroup=testgroup"
> - "getent group testgroup" does not work (as expected)
> Why is this?

> thx
> matthias

Harry Jede
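The following is an added example, not code from the thread or from the Samba project. It shows the behaviour Harry describes by parsing a constructed smb.conf fragment and constructed OpenLDAP stats-style SRCH log lines: it computes the group base DN Samba is configured with ("ldap group suffix" under "ldap suffix"), checks whether each logged group search is confined to that base or starts higher in the tree, and shows why a group under ou=server02 is returned by a subtree (scope=2) search at the ldap suffix but not by one at server01's group suffix. The host name ldap.domain.tld, the suffix dc=domain,dc=tld, the connection/operation numbers and the filters in the log lines are all constructed for the example.

```python
import re

# Constructed smb.conf fragment, modelled on the settings quoted in the thread
# (hypothetical host name and suffix; not a real server's file).
SMB_CONF = """
[global]
   passdb backend = ldapsam:ldap://ldap.domain.tld
   ldap suffix = dc=domain,dc=tld
   ldap user suffix = ou=people
   ldap group suffix = ou=server01,ou=smb,ou=Groups
"""

# Constructed OpenLDAP stats-style log lines. The first has the shape of the
# SRCH line quoted in the reply: base = "ldap suffix", scope=2 (subtree).
LDAP_LOG = """
conn=1001 op=2 SRCH base="dc=domain,dc=tld" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(displayName=testgroup))"
conn=1002 op=5 SRCH base="ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld" scope=2 deref=0 filter="(objectClass=posixGroup)"
conn=1003 op=1 SRCH base="ou=people,dc=domain,dc=tld" scope=1 deref=0 filter="(uid=matthias)"
"""

SCOPE_NAMES = {0: "base", 1: "one", 2: "sub", 3: "children"}
GROUP_CLASSES = ("sambagroupmapping", "posixgroup")
SRCH_RE = re.compile(
    r'SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) deref=\d+'
    r'(?: filter="(?P<filter>[^"]*)")?'
)


def parse_smb_conf(text):
    """Return smb.conf parameters as a dict keyed by normalised parameter name."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def group_base_dn(params):
    """Base DN Samba is configured with for groups: group suffix under ldap suffix."""
    suffix = params["ldap suffix"]
    group_suffix = params.get("ldap group suffix", "")
    return f"{group_suffix},{suffix}" if group_suffix else suffix


def rdns(dn):
    """Split a DN into lower-cased RDN components (enough for ou=/dc=/cn= style DNs)."""
    return [part.strip().lower() for part in dn.split(",")]


def is_within(dn, base):
    """True if `dn` equals `base` or lies somewhere beneath it in the tree."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b


def entry_in_search(entry_dn, base, scope):
    """Would an entry at `entry_dn` be returned by a search with this base and scope?"""
    if not is_within(entry_dn, base):
        return False
    depth = len(rdns(entry_dn)) - len(rdns(base))
    if scope == 0:
        return depth == 0      # base: only the base entry itself
    if scope == 1:
        return depth == 1      # one: direct children only
    if scope == 3:
        return depth >= 1      # children: subtree without the base entry
    return True                # sub (scope=2): the whole subtree


def parse_searches(log):
    """Extract SRCH operations (base, scope, filter) from stats-style log lines."""
    found = []
    for line in log.splitlines():
        m = SRCH_RE.search(line)
        if m:
            found.append({"base": m["base"], "scope": int(m["scope"]),
                          "filter": m["filter"] or ""})
    return found


def audit(smb_conf, log):
    """Flag group searches whose base is broader than the configured group suffix."""
    expected = group_base_dn(parse_smb_conf(smb_conf))
    findings = []
    for s in parse_searches(log):
        if not any(c in s["filter"].lower() for c in GROUP_CLASSES):
            continue  # not a group lookup; user and machine searches are ignored
        findings.append({
            "base": s["base"],
            "scope": SCOPE_NAMES.get(s["scope"], str(s["scope"])),
            "confined": is_within(s["base"], expected),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SMB_CONF, LDAP_LOG):
        state = "confined to group suffix" if f["confined"] else "BROADER than group suffix"
        print(f'{f["scope"]:4} {f["base"]:55} {state}')
    # The group from the thread's example lives under ou=server02: a subtree
    # search at the ldap suffix finds it, one at server01's group suffix does not.
    g = "cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld"
    print(entry_in_search(g, "dc=domain,dc=tld", 2))
    print(entry_in_search(g, "ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld", 2))
```

Run against a real slapd stats log (loglevel "stats", as in the reply's snippet) and your own smb.conf, the audit lists which group searches start above the branch you intended; a "BROADER" line for a search with a sambaGroupMapping filter is exactly the behaviour the thread describes, and the place where a directory-side ACL on the Samba bind DN, rather than a smb.conf setting, is what limits visibility.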
