[Samba] visibility of groups when multiple Samba servers use the same LDAP server

Matthias Leopold matthias.leopold at meduniwien.ac.at
Mon Feb 11 16:29:32 UTC 2019



On 11.02.19 at 16:33, Rowland Penny via samba wrote:
> On Mon, 11 Feb 2019 15:40:02 +0100
> Matthias Leopold via samba <samba at lists.samba.org> wrote:
> 
>>
>>
>> On 11.02.19 at 14:22, Rowland Penny via samba wrote:
>>> On Mon, 11 Feb 2019 13:46:05 +0100
>>> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>>>
>>>>
>>>>
>>>> On 11.02.19 at 13:22, Rowland Penny via samba wrote:
>>>>> On Mon, 11 Feb 2019 12:30:51 +0100
>>>>> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> we are using a _single_ LDAP server as backend for _multiple_
>>>>>> Samba standalone file servers (security=user). This LDAP server
>>>>>> serves mainly other purposes and access for Samba is read only
>>>>>> so the situation is not optimal but "it works for us". Still I
>>>>>> don't understand one phenomenon concerning visibility of LDAP
>>>>>> groups.
>>>>>>
>>>>>> The LDAP configuration in smb.conf for all our Samba servers is
>>>>>> basically like this (with each server having its own branch for
>>>>>> "ldap group suffix", that's the point):
>>>>>>
>>>>>> passdb backend = ldapsam:ldap://ldap.domain.tld
>>>>>> ldap suffix = dc=domain,dc=tld
>>>>>> ldap user suffix = ou=people
>>>>>> ldap group suffix = ou=server01,ou=smb,ou=Groups
>>>>>>
>>>>>> NSS uses LDAP via SSSD like this:
>>>>>>
>>>>>> [domain/LDAP]
>>>>>> id_provider = ldap
>>>>>>
>>>>>> ldap_uri = ldap://ldap.domain.tld
>>>>>> ldap_search_base = dc=domain,dc=tld
>>>>>>
>>>>>> ldap_user_search_base = ou=People,dc=domain,dc=tld
>>>>>> ldap_group_search_base =
>>>>>> ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld
>>>>>>
>>>>>> The sambaDomainName is stored in an entry in LDAP path
>>>>>> ou=smb,dc=domain,dc=tld. Each server has its own entry, but all
>>>>>> use the same SID.
>>>>>>
>>>>>> This setup is not exactly pretty, but it "works". Still,
>>>>>> unexpectedly Samba on server01 sees groups in other branches than
>>>>>> "ou=server01,ou=smb,ou=Groups" (with "net groupmap list").
>>>>>>
>>>>>> example:
>>>>>> - group is
>>>>>> cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
>>>>>> - on server01 this group is visible with "net groupmap list
>>>>>> ntgroup=testgroup"
>>>>>> - "getent group testgroup" does not work (as expected)
>>>>>> Why is this?
>>>>>>
>>>>>> thx
>>>>>> matthias
>>>>>>
>>>>>
>>>>> You are going to have to give us more info ;-)
>>>>> What OS's ?
>>>>> What version(s) of Samba ?
>>>>> Have there been any updates/upgrades to anything ?
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>>> thx for quick reply.
>>>> Samba is 4.8.3 on CentOS 7.
>>>> LDAP server is IBM Tivoli Directory Server on AIX.
>>>> The situation has always been like this, upgrades didn't change
>>>> anything.
>>>>
>>>> Matthias
>>>>
>>>
>>> It sounds like you are running Samba in much the same way as a PDC
>>> and in a very old way, but I cannot be sure about this because you
>>> seem to be refusing to post your smb.conf.
>>>
>>> You posted:
>>>
>>> Still, unexpectedly Samba on server01
>>>
>>> To me, a native English-speaking person, that sounds like your
>>> problem had just started. I think you meant:
>>>
>>> However, Samba on server01
>>>
>>> If your NON_PDC PDC is set up correctly, 'getent group testgroup'
>>> would work.
>>>
>>> Rowland
>>>
>>
>> Thanks for help.
>>
>> I'm attaching the output of "testparm" for one of the servers.
>> Indeed I wanted to express "However, Samba on server01", I wasn't
>> aware of this potential for misunderstanding, sorry.
> 
> No Problem, it was just a misunderstanding, I misunderstood what you
> meant, but I understand now.
> 
>> I don't know any recent SAMBA + LDAP documentation, I roughly follow
>> https://wiki.samba.org/index.php/Samba_%26_LDAP and I did set up a
>> PDC with smbldap-tools a long time ago, but I know that this is not a
>> PDC right now. What are the differences for non PDC servers?
> 
> Not much, what you are running is a PDC, you just don't have any
> clients. As for recent Samba with LDAP documentation, there isn't any
> and there isn't any real impetus to write any, they are a dying
> breed ;-) It is much easier to set up a Samba AD DC domain
>   
>>
>> When I tell Samba + NSS to use LDAP branch
>> 'ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld' for group information
>> I don't expect that group 'testgroup' in branch
>> 'ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld' is found.
> 
> Try setting up a test computer and use this smb.conf:
> 
> [global]
>      workgroup = SAMBA
>      security = USER
>      server max protocol = NT1
>      passdb backend = ldapsam
>      ldap admin dn = uid=ldapadmin,ou=services,dc=domain,dc=tld
>      ldap suffix = dc=domain,dc=tld
>      ldap group suffix = ou=group01,ou=smb,ou=Groups
>      ldap user suffix = ou=people
>      idmap config * : range = 500-19999
>      idmap config * : backend = ldap
>      idmap config * : ldap_url = ldap://ldap.domain.tld
>      idmap config * : ldap_base_dn = ou=idmap,dc=domain,dc=tld
>      idmap config * : ldap_user_dn = uid=ldapadmin,ou=services,dc=domain,dc=tld
> 
>      map acl inherit = Yes
>      store dos attributes = Yes
>      vfs objects = acl_xattr
> 
> [foo_home]
>      admin users = +foo_admin
>      browseable = No
>      path = /srv/foo/lv01/home
>      read only = No
> 
> if that doesn't work, pretend your AIX server is an AD DC and follow
> this wiki page:
> 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> 
> Rowland
> 
> 

thanks to you and Harry Jede
I will discuss all of this with our LDAP admin, he's looking for an ITDS
replacement anyway ;-)

Matthias
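An added audit script, not from the thread, that checks from a list of sambaGroupMapping entries which mappings carrying the shared domain SID live outside a given server's "ldap group suffix" branch, and whether any sambaSID is assigned twice (a risk when several servers share one domain SID but allocate RIDs independently). The LDAP entries and the domain SID are constructed samples mirroring the layout described above.

```python
# Added example (not from the thread): audit Samba group mappings stored in
# a shared LDAP tree where each file server uses its own "ldap group suffix"
# branch but all servers share the same domain SID.
LDAP_SUFFIX = "dc=domain,dc=tld"
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder

# Constructed sample of what a subtree search for objectClass=sambaGroupMapping
# below LDAP_SUFFIX could return: (dn, attributes).
SAMPLE_ENTRIES = [
    ("cn=admins,ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld",
     {"sambaSID": DOMAIN_SID + "-1001", "gidNumber": "1001"}),
    ("cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld",
     {"sambaSID": DOMAIN_SID + "-1002", "gidNumber": "1002"}),
    # Same RID as "admins" but chosen on server02: a collision on a shared SID.
    ("cn=projects,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld",
     {"sambaSID": DOMAIN_SID + "-1001", "gidNumber": "2001"}),
    # Mapping for a foreign domain SID; not a group of this domain at all.
    ("cn=other,ou=legacy,ou=Groups,dc=domain,dc=tld",
     {"sambaSID": "S-1-5-21-9-9-9-1003", "gidNumber": "1003"}),
]

def normalize_dn(dn):
    # Lower-case and strip each RDN so "ou=Groups" and "ou=groups" compare equal.
    return ",".join(part.strip().lower() for part in dn.split(","))

def dn_is_under(dn, branch):
    nd, nb = normalize_dn(dn), normalize_dn(branch)
    return nd == nb or nd.endswith("," + nb)

def audit_group_mappings(entries, group_suffix, ldap_suffix=LDAP_SUFFIX,
                         domain_sid=DOMAIN_SID):
    """Return DNs of mappings that carry this domain's SID but live outside
    the branch this server configured as its "ldap group suffix"."""
    branch = group_suffix + "," + ldap_suffix
    stray = []
    for dn, attrs in entries:
        sid = attrs.get("sambaSID", "")
        if not sid.startswith(domain_sid + "-"):
            continue  # foreign SID: skip
        if not dn_is_under(dn, branch):
            stray.append(dn)
    return stray

def duplicate_sids(entries):
    """Map each sambaSID used by more than one entry to the DNs carrying it."""
    seen = {}
    for dn, attrs in entries:
        sid = attrs.get("sambaSID")
        if sid:
            seen.setdefault(sid, []).append(dn)
    return {sid: dns for sid, dns in seen.items() if len(dns) > 1}
```

In a live deployment the entry list would come from an LDAP subtree search for objectClass=sambaGroupMapping under the ldap suffix, run per server with that server's own group suffix.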