[Samba] visibility of groups when multiple Samba servers use the same LDAP server
Matthias Leopold
matthias.leopold at meduniwien.ac.at
Mon Feb 11 16:29:32 UTC 2019
On 11.02.19 at 16:33, Rowland Penny via samba wrote:
> On Mon, 11 Feb 2019 15:40:02 +0100
> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>
>>
>>
>> On 11.02.19 at 14:22, Rowland Penny via samba wrote:
>>> On Mon, 11 Feb 2019 13:46:05 +0100
>>> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>>>
>>>>
>>>>
>>>> On 11.02.19 at 13:22, Rowland Penny via samba wrote:
>>>>> On Mon, 11 Feb 2019 12:30:51 +0100
>>>>> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> we are using a _single_ LDAP server as backend for _multiple_
>>>>>> Samba standalone file servers (security=user). This LDAP server
>>>>>> serves mainly other purposes and access for Samba is read only
>>>>>> so the situation is not optimal but "it works for us". Still I
>>>>>> don't understand one phenomenon concerning visibility of LDAP
>>>>>> groups.
>>>>>>
>>>>>> The LDAP configuration in smb.conf for all our Samba servers is
>>>>>> basically like this (with each server having its own branch for
>>>>>> "ldap group suffix", that's the point):
>>>>>>
>>>>>> passdb backend = ldapsam:ldap://ldap.domain.tld
>>>>>> ldap suffix = dc=domain,dc=tld
>>>>>> ldap user suffix = ou=people
>>>>>> ldap group suffix = ou=server01,ou=smb,ou=Groups
>>>>>>
>>>>>> NSS uses LDAP via SSSD like this:
>>>>>>
>>>>>> [domain/LDAP]
>>>>>> id_provider = ldap
>>>>>>
>>>>>> ldap_uri = ldap://ldap.domain.tld
>>>>>> ldap_search_base = dc=domain,dc=tld
>>>>>>
>>>>>> ldap_user_search_base = ou=People,dc=domain,dc=tld
>>>>>> ldap_group_search_base =
>>>>>> ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld
>>>>>>
>>>>>> The sambaDomainName is stored in an entry in LDAP path
>>>>>> ou=smb,dc=domain,dc=tld. Each server has its own entry, but all
>>>>>> use the same SID.
>>>>>>
>>>>>> This setup is not exactly pretty, but it "works". Still,
>>>>>> unexpectedly Samba on server01 sees groups in other branches than
>>>>>> "ou=server01,ou=smb,ou=Groups" (with "net groupmap list").
>>>>>>
>>>>>> example:
>>>>>> - group is
>>>>>> cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
>>>>>> - on server01 this group is visible with "net groupmap list
>>>>>> ntgroup=testgroup"
>>>>>> - "getent group testgroup" does not work (as expected)
>>>>>> Why is this?
>>>>>>
>>>>>> thx
>>>>>> matthias
>>>>>>
>>>>>
>>>>> You are going to have to give us more info ;-)
>>>>> What OS's ?
>>>>> What version(s) of Samba ?
>>>>> Have there been any updates/upgrades to anything ?
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>>> thx for quick reply.
>>>> Samba is 4.8.3 on CentOS 7.
>>>> LDAP server is IBM Tivoli Directory Server on AIX.
>>>> The situation has always been like this, upgrades didn't change
>>>> anything.
>>>>
>>>> Matthias
>>>>
>>>
>>> It sounds like you are running Samba in much the same way as a PDC
>>> and in a very old way, but I cannot be sure about this because you
>>> seem to be refusing to post your smb.conf.
>>>
>>> You posted:
>>>
>>> Still, unexpectedly Samba on server01
>>>
>>> To me, a native English-speaking person, that sounds like your
>>> problem had just started. I think you meant:
>>>
>>> However, Samba on server01
>>>
>>> If your NON_PDC PDC is set up correctly, 'getent group testgroup'
>>> would work.
>>>
>>> Rowland
>>>
>>
>> Thanks for help.
>>
>> I'm attaching the output of "testparm" for one of the servers.
>> Indeed I wanted to express "However, Samba on server01", I wasn't
>> aware of this potential for misunderstanding, sorry.
>
> No Problem, it was just a misunderstanding, I misunderstood what you
> meant, but I understand now.
>
>> I don't know any recent SAMBA + LDAP documentation, I roughly follow
>> https://wiki.samba.org/index.php/Samba_%26_LDAP and I did set up a
>> PDC with smbldap-tools a long time ago, but I know that this is not a
>> PDC right now. What are the differences for non PDC servers?
>
> Not much, what you are running is a PDC, you just don't have any
> clients. As for recent Samba with LDAP documentation, there isn't any
> and there isn't any real impetus to write any, they are a dying
> breed ;-) It is much easier to set up a Samba AD DC domain.
>
>>
>> When I tell Samba + NSS to use LDAP branch
>> 'ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld' for group information
>> I don't expect that group 'testgroup' in branch
>> 'ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld' is found.
>
> Try setting up a test computer and use this smb.conf:
>
> [global]
> workgroup = SAMBA
> security = USER
> server max protocol = NT1
> passdb backend = ldapsam
> ldap admin dn = uid=ldapadmin,ou=services,dc=domain,dc=tld
> ldap suffix = dc=domain,dc=tld
> ldap group suffix = ou=group01,ou=smb,ou=Groups
> ldap user suffix = ou=people
> idmap config * : range = 500-19999
> idmap config * : backend = ldap
> idmap config * : ldap_url = ldap://ldap.domain.tld
> idmap config * : ldap_base_dn = ou=idmap,dc=domain,dc=tld
> idmap config * : ldap_user_dn = uid=ldapadmin,ou=services,dc=domain,dc=tld
>
> map acl inherit = Yes
> store dos attributes = Yes
> vfs objects = acl_xattr
>
> [foo_home]
> admin users = +foo_admin
> browseable = No
> path = /srv/foo/lv01/home
> read only = No
>
> if that doesn't work, pretend your AIX server is an AD DC and follow
> this wiki page:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Rowland
>
>
Thanks to you and Harry Jede.
I will discuss all of this with our LDAP admin, he's looking for an ITDS
replacement anyway ;-)
Matthias
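The discrepancy the thread asks about (a group under ou=server02 shows up in "net groupmap list" on server01 but not in "getent group") comes down to which search base each lookup uses. The smb.conf manual describes "ldap user suffix" and "ldap group suffix" as the locations where new users and groups are *added*; ldapsam lookups run a subtree search from "ldap suffix" itself. SSSD's ldap_group_search_base, by contrast, narrows the base of NSS group lookups to the configured branch. The following in-memory model is an added example, not code from the thread or from Samba/SSSD: the directory entries and SIDs are constructed placeholders, and the lookup filters (sambaGroupMapping matched on displayName or cn; posixGroup matched on cn) are a simplification of what the two tools actually send.

```python
# Added example: in-memory model of the two group lookups discussed in the
# thread. All entries below are constructed; the SIDs are placeholders.
from typing import Callable, Dict, List

Entry = Dict[str, List[str]]

# Constructed sample directory mirroring the thread's layout: one group
# under the server01 branch, one under server02, one unrelated user entry.
DIRECTORY: Dict[str, Entry] = {
    "cn=admins01,ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld": {
        "objectClass": ["posixGroup", "sambaGroupMapping"],
        "cn": ["admins01"],
        "displayName": ["admins01"],
        "gidNumber": ["10001"],
        "sambaSID": ["S-1-5-21-PLACEHOLDER-2001"],  # placeholder, not a real SID
    },
    "cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld": {
        "objectClass": ["posixGroup", "sambaGroupMapping"],
        "cn": ["testgroup"],
        "displayName": ["testgroup"],
        "gidNumber": ["10002"],
        "sambaSID": ["S-1-5-21-PLACEHOLDER-2003"],  # placeholder, not a real SID
    },
    "uid=alice,ou=People,dc=domain,dc=tld": {
        "objectClass": ["posixAccount", "sambaSamAccount"],
        "uid": ["alice"],
    },
}


def dn_rdns(dn: str) -> List[str]:
    """Split a DN into normalised RDNs (assumes no escaped commas in values)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_subtree(dn: str, base: str) -> bool:
    """True if dn is base itself or lies beneath it (LDAP scope 'sub').
    Compares on RDN boundaries, so ou=xserver01 never matches ou=server01,
    and case-insensitively, since DN comparison ignores case here."""
    d, b = dn_rdns(dn), dn_rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def search(base: str, match: Callable[[Entry], bool]) -> List[str]:
    """Subtree search: DNs of every entry under base for which match() holds."""
    return sorted(dn for dn, e in DIRECTORY.items()
                  if in_subtree(dn, base) and match(e))


def has_value(e: Entry, attr: str, value: str) -> bool:
    """Case-insensitive attribute value test."""
    return value.lower() in (v.lower() for v in e.get(attr, []))


def samba_groupmap_lookup(ntgroup: str, ldap_suffix: str) -> List[str]:
    """Model of 'net groupmap list ntgroup=NAME' against ldapsam: the search
    base is 'ldap suffix', not 'ldap group suffix' (which only controls where
    new groups are written), so any sambaGroupMapping entry under the suffix
    is found, whichever ou=serverNN branch it lives in."""
    return search(ldap_suffix, lambda e:
                  has_value(e, "objectClass", "sambaGroupMapping")
                  and (has_value(e, "displayName", ntgroup)
                       or has_value(e, "cn", ntgroup)))


def sssd_getent_group(name: str, group_search_base: str) -> List[str]:
    """Model of 'getent group NAME' via SSSD: ldap_group_search_base limits
    the search to its own branch, so groups in sibling branches stay hidden."""
    return search(group_search_base, lambda e:
                  has_value(e, "objectClass", "posixGroup")
                  and has_value(e, "cn", name))


if __name__ == "__main__":
    SUFFIX = "dc=domain,dc=tld"
    SERVER01_GROUPS = "ou=server01,ou=smb,ou=Groups," + SUFFIX
    print("ldapsam (base = ldap suffix):", samba_groupmap_lookup("testgroup", SUFFIX))
    print("sssd (base = server01 branch):", sssd_getent_group("testgroup", SERVER01_GROUPS))
```

Against a real directory the same two searches can be compared with ldapsearch by varying only the -b base (the ldap suffix versus the per-server group branch) while keeping the subtree scope; if the wider base returns the group and the narrower one does not, the visibility difference is entirely a search-base effect and not a permissions or schema problem. The RDN-boundary check in in_subtree is the detail worth keeping: a plain string suffix comparison would let a branch such as ou=xserver01 pass for ou=server01.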