Re: [Samba] visibility of groups when multiple Samba servers use the same LDAP server
- Date: Mon, 11 Feb 2019 13:22:00 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] visibility of groups when multiple Samba servers use the same LDAP server
On Mon, 11 Feb 2019 13:46:05 +0100
Matthias Leopold via samba <samba@xxxxxxxxxxxxxxx> wrote:
> Am 11.02.19 um 13:22 schrieb Rowland Penny via samba:
> > On Mon, 11 Feb 2019 12:30:51 +0100
> > Matthias Leopold via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >> Hi,
> >> we are using a _single_ LDAP server as backend for _multiple_ Samba
> >> standalone file servers (security=user). This LDAP server serves
> >> mainly other purposes and access for Samba is read only so the
> >> situation is not optimal but "it works for us". Still I don't
> >> understand one phenomenon concerning visibility of LDAP groups.
> >> The LDAP configuration in smb.conf for all our Samba servers is
> >> basically like this (with each server having it's own branch for
> >> "ldap group suffix", that's the point):
> >> passdb backend = ldapsam:ldap://ldap.domain.tld
> >> ldap suffix = dc=domain,dc=tld
> >> ldap user suffix = ou=people
> >> ldap group suffix = ou=server01,ou=smb,ou=Groups
> >> NSS uses LDAP via SSSD like this:
> >> [domain/LDAP]
> >> id_provider = ldap
> >> ldap_uri = ldap://ldap.domain.tld
> >> ldap_search_base = dc=domain,dc=tld
> >> ldap_user_search_base = ou=People,dc=domain,dc=tld
> >> ldap_group_search_base =
> >> ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld
> >> The sambaDomainName is stored in an entry in LDAP path
> >> ou=smb,dc=domain,dc=tld. Each server has it's own entry, but all
> >> use the same SID.
> >> This setup is not exactly pretty, but it "works". Still,
> >> unexpectedly Samba on server01 sees groups in other branches than
> >> "ou=server01,ou=smb,ou=Groups" (with "net groupmap list").
> >> example:
> >> - group is
> >> cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
> >> - on server01 this group is visible with "net groupmap list
> >> ntgroup=testgroup"
> >> - "getent group testgroup" does not work (as expected)
> >> Why is this?
> >> thx
> >> matthias
> > You are going to have to give us more info ;-)
> > What OS's ?
> > What version(s) of Samba ?
> > Have there been any updates/upgrades to anything ?
> > Rowland
> thx for quick reply.
> Samba is 4.8.3 on CentOS 7.
> LDAP server is IBM Tivoli Directory Server on AIX.
> The situation has always been like this, upgrades didn't change
It sounds like you are running Samba in much the same way as a PDC and
in a very old way, but I cannot be sure about this because you seem to
be refusing to post your smb.conf.
Still, unexpectedly Samba on server01
To me, A native English speaking person, that sounds like your problem
had just started. I think you meant:
However, Samba on server01
If your NON_PDC PDC is set up correctly, 'getent group testgroup' would
To unsubscribe from this list go to the following URL and read the