[Samba] visibility of groups when multiple Samba servers use the same LDAP server

Rowland Penny rpenny at samba.org
Mon Feb 11 17:02:18 UTC 2019


On Mon, 11 Feb 2019 17:29:32 +0100
Matthias Leopold <matthias.leopold at meduniwien.ac.at> wrote:

> 
> 
> > On 11.02.19 at 16:33 Rowland Penny via samba wrote:
> > On Mon, 11 Feb 2019 15:40:02 +0100
> > Matthias Leopold via samba <samba at lists.samba.org> wrote:
> > 
> >>
> >>
> >> On 11.02.19 at 14:22 Rowland Penny via samba wrote:
> >>> On Mon, 11 Feb 2019 13:46:05 +0100
> >>> Matthias Leopold via samba <samba at lists.samba.org> wrote:
> >>>
> >>>>
> >>>>
> >>>> On 11.02.19 at 13:22 Rowland Penny via samba wrote:
> >>>>> On Mon, 11 Feb 2019 12:30:51 +0100
> >>>>> Matthias Leopold via samba <samba at lists.samba.org> wrote:
> >>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> we are using a _single_ LDAP server as backend for _multiple_
> >>>>>> Samba standalone file servers (security=user). This LDAP server
> >>>>>> serves mainly other purposes and access for Samba is read only
> >>>>>> so the situation is not optimal but "it works for us". Still I
> >>>>>> don't understand one phenomenon concerning visibility of LDAP
> >>>>>> groups.
> >>>>>>
> >>>>>> The LDAP configuration in smb.conf for all our Samba servers is
> >>>>>> basically like this (with each server having its own branch
> >>>>>> for "ldap group suffix", that's the point):
> >>>>>>
> >>>>>> passdb backend = ldapsam:ldap://ldap.domain.tld
> >>>>>> ldap suffix = dc=domain,dc=tld
> >>>>>> ldap user suffix = ou=people
> >>>>>> ldap group suffix = ou=server01,ou=smb,ou=Groups
> >>>>>>
> >>>>>> NSS uses LDAP via SSSD like this:
> >>>>>>
> >>>>>> [domain/LDAP]
> >>>>>> id_provider = ldap
> >>>>>>
> >>>>>> ldap_uri = ldap://ldap.domain.tld
> >>>>>> ldap_search_base = dc=domain,dc=tld
> >>>>>>
> >>>>>> ldap_user_search_base = ou=People,dc=domain,dc=tld
> >>>>>> ldap_group_search_base = ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld
> >>>>>>
> >>>>>> The sambaDomainName is stored in an entry in LDAP path
> >>>>>> ou=smb,dc=domain,dc=tld. Each server has its own entry, but
> >>>>>> all use the same SID.
> >>>>>>
> >>>>>> This setup is not exactly pretty, but it "works". Still,
> >>>>>> unexpectedly Samba on server01 sees groups in other branches
> >>>>>> than "ou=server01,ou=smb,ou=Groups" (with "net groupmap list").
> >>>>>>
> >>>>>> example:
> >>>>>> - group is
> >>>>>> cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
> >>>>>> - on server01 this group is visible with "net groupmap list
> >>>>>> ntgroup=testgroup"
> >>>>>> - "getent group testgroup" does not work (as expected)
> >>>>>> Why is this?
> >>>>>>
> >>>>>> thx
> >>>>>> matthias
> >>>>>>
> >>>>>
> >>>>> You are going to have to give us more info ;-)
> >>>>> What OS's ?
> >>>>> What version(s) of Samba ?
> >>>>> Have there been any updates/upgrades to anything ?
> >>>>>
> >>>>> Rowland
> >>>>>
> >>>>
> >>>> thx for quick reply.
> >>>> Samba is 4.8.3 on CentOS 7.
> >>>> LDAP server is IBM Tivoli Directory Server on AIX.
> >>>> The situation has always been like this, upgrades didn't change
> >>>> anything.
> >>>>
> >>>> Matthias
> >>>>
> >>>
> >>> It sounds like you are running Samba in much the same way as a PDC
> >>> and in a very old way, but I cannot be sure about this because you
> >>> seem to be refusing to post your smb.conf.
> >>>
> >>> You posted:
> >>>
> >>> Still, unexpectedly Samba on server01
> >>>
> >>> To me, a native English-speaking person, that sounds like your
> >>> problem had just started. I think you meant:
> >>>
> >>> However, Samba on server01
> >>>
> >>> If your NON_PDC PDC is set up correctly, 'getent group testgroup'
> >>> would work.
> >>>
> >>> Rowland
> >>>
> >>
> >> Thanks for help.
> >>
> >> I'm attaching the output of "testparm" for one of the servers.
> >> Indeed I wanted to express "However, Samba on server01", I wasn't
> >> aware of this potential for misunderstanding, sorry.
> > 
> > No Problem, it was just a misunderstanding, I misunderstood what you
> > meant, but I understand now.
> > 
> >> I don't know any recent SAMBA + LDAP documentation, I roughly
> >> follow https://wiki.samba.org/index.php/Samba_%26_LDAP and I did
> >> set up a PDC with smbldap-tools a long time ago, but I know that
> >> this is not a PDC right now. What are the differences for non PDC
> >> servers?
> > 
> > Not much, what you are running is a PDC, you just don't have any
> > clients. As for recent Samba with LDAP documentation, there isn't
> > any and there isn't any real impetus to write any, they are a dying
> > breed ;-) It is much easier to set up a Samba AD DC domain
> >
> >>
> >> When I tell Samba + NSS to use LDAP branch
> >> 'ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld' for group
> >> information I don't expect that group 'testgroup' in branch
> >> 'ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld' is found.
> > 
> > Try setting up a test computer and use this smb.conf:
> > 
> > [global]
> >      workgroup = SAMBA
> >      security = USER
> >      server max protocol = NT1
> >      passdb backend = ldapsam
> >      ldap admin dn = uid=ldapadmin,ou=services,dc=domain,dc=tld
> >      ldap suffix = dc=domain,dc=tld
> >      ldap group suffix = ou=group01,ou=smb,ou=Groups
> >      ldap user suffix = ou=people
> >      idmap config * : range = 500-19999
> >      idmap config * : backend = ldap
> >      idmap config * : ldap_url = ldap://ldap.domain.tld
> >      idmap config * : ldap_base_dn = ou=idmap,dc=domain,dc=tld
> >      idmap config * : ldap_user_dn = uid=ldapadmin,ou=services,dc=domain,dc=tld
> > 
> >      map acl inherit = Yes
> >      store dos attributes = Yes
> >      vfs objects = acl_xattr
> > 
> > [foo_home]
> >      admin users = +foo_admin
> >      browseable = No
> >      path = /srv/foo/lv01/home
> >      read only = No
> > 
> > if that doesn't work, pretend your AIX server is an AD DC and follow
> > this wiki page:
> > 
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > 
> > Rowland
> > 
> > 
> 
> thanks to you and Harry Jede
> I will discuss all of this with our LDAP admin, he's looking for an
> ITDS replacement anyway ;-)
> 
> Matthias

Well, if 'ITDS' is short for Information Technology Directory Server,
then you should look at a SADDS (which is a Samba Active Directory
Server) ;-)

Rowland
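An added example, not part of the thread: a small Python model of LDAP search scope run over a constructed LDIF snippet in the DN layout Matthias describes. It assumes (stated here as an assumption about Samba's ldapsam backend, not something the thread confirms) that group-mapping lookups such as `net groupmap list ntgroup=...` search from `ldap suffix` with subtree scope, while `ldap group suffix` only controls where new mappings are written, and that SSSD searches from `ldap_group_search_base`; the helper names are mine.

```python
"""Model LDAP search scopes to show why a sambaGroupMapping under
ou=server02 is found from the ldap suffix but not from server01's branch."""

# Constructed sample directory (not real data), in the thread's DN layout.
SAMPLE_LDIF = """\
dn: cn=admins01,ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: admins01
sambaSID: S-1-5-21-1-2-3-1001

dn: cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: testgroup
sambaSID: S-1-5-21-1-2-3-1003
"""

def parse_ldif(text):
    """Minimal LDIF reader: returns a list of (dn, {attr: [values]})."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(value)
        entries.append((attrs.pop("dn")[0], attrs))
    return entries

def rdns(dn):
    """Split a DN into RDNs, lower-cased (DN comparison is case-insensitive)."""
    return [r.strip().lower() for r in dn.split(",")]

def in_scope(dn, base, scope):
    """LDAP scope semantics: 'sub' = base and all descendants, 'one' = direct children."""
    d, b = rdns(dn), rdns(base)
    if d[-len(b):] != b:          # entry is not under the base at all
        return False
    return True if scope == "sub" else len(d) - len(b) == 1

def search(entries, base, scope, want):
    """DNs of in-scope entries matching every (attr, value) pair in `want`."""
    return [dn for dn, attrs in entries
            if in_scope(dn, base, scope)
            and all(v.lower() in [x.lower() for x in attrs.get(a.lower(), [])]
                    for a, v in want)]

SUFFIX = "dc=domain,dc=tld"
GROUP_BASE_01 = "ou=server01,ou=smb,ou=Groups," + SUFFIX
FILTER = [("objectClass", "sambaGroupMapping"), ("cn", "testgroup")]

def ldapsam_lookup(entries):   # assumed Samba behaviour: base = ldap suffix, scope sub
    return search(entries, SUFFIX, "sub", FILTER)

def sssd_lookup(entries):      # SSSD: base = ldap_group_search_base (server01 branch)
    return search(entries, GROUP_BASE_01, "sub", FILTER)
```

Running `ldapsam_lookup(parse_ldif(SAMPLE_LDIF))` returns the ou=server02 entry, while `sssd_lookup` returns nothing, which matches the `net groupmap list` versus `getent group` difference in the thread.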
