
Re: [Samba] visibility of groups when multiple Samba servers use the same LDAP server




On 11.02.19 at 12:30, Matthias Leopold via samba wrote:
Hi,

we are using a _single_ LDAP server as backend for _multiple_ Samba standalone file servers (security=user). This LDAP server serves mainly other purposes and access for Samba is read only so the situation is not optimal but "it works for us". Still I don't understand one phenomenon concerning visibility of LDAP groups.

The LDAP configuration in smb.conf for all our Samba servers is basically like this (with each server having its own branch for "ldap group suffix", that's the point):

passdb backend = ldapsam:ldap://ldap.domain.tld
ldap suffix = dc=domain,dc=tld
ldap user suffix = ou=people
ldap group suffix = ou=server01,ou=smb,ou=Groups

NSS uses LDAP via SSSD like this:

[domain/LDAP]
id_provider = ldap

ldap_uri = ldap://ldap.domain.tld
ldap_search_base = dc=domain,dc=tld

ldap_user_search_base = ou=People,dc=domain,dc=tld
ldap_group_search_base = ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld

The sambaDomainName is stored in an entry in LDAP path ou=smb,dc=domain,dc=tld. Each server has its own entry, but all use the same SID.

This setup is not exactly pretty, but it "works".

More or less


Still, unexpectedly Samba on server01 sees groups in other branches than "ou=server01,ou=smb,ou=Groups" (with "net groupmap list").

Yes, still normal. Samba has its own view of LDAP! And this does not use your NSS settings.

The only way to get this solved: Use ACLs in Tivoli, so that each Samba instance sees only the "own groups".


This is a log snippet from an openldap server. Loglevel is set to filter processing:

SRCH base="dc=europa,dc=xx" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(|(displayName=teachers)(cn=teachers)))"

I have searched for a group named teacher with:

net groupmap list ntgroup=teachers

Some lines from smb.conf:

# egrep 'ldap|idmap' /etc/samba/smb.conf
        ldapsam:trusted     = yes
        ldapsam:editposix   = yes
        passdb backend       = ldapsam:ldapi:///
        ldap passwd sync     = yes
        ldap suffix          = dc=europa,dc=xx
        ldap admin dn        = cn=admin,dc=europa,dc=xx
        ldap group suffix    = ou=groups
        ldap user suffix     = ou=people,ou=accounts
        ldap machine suffix  = ou=machines,ou=accounts
;        passwd program       = /usr/sbin/smbldap-passwd %u
;        add machine script   = /usr/sbin/smbldap-useradd -a -W "%u"
        ldap delete dn       = yes
        ldap ssl             = no
        idmap config * : backend      = ldap
        idmap config * : range        = 30000-1999999
        idmap config * : ldap_url     = ldapi:///
        idmap config * : ldap_base_dn = ou=idmap,dc=europa,dc=xx
        idmap config * : ldap_user_dn = cn=admin,dc=europa,dc=xx
        ldap passwd sync     = yes

So, I have set "ldap group suffix" but as you see in the above log, Samba does not honor this setting. Samba's search starts at "ldap suffix".

Again, use acls in tivoli and all is good.


Hope that helps




example:
- group is cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
- on server01 this group is visible with "net groupmap list ntgroup=testgroup"
- "getent group testgroup" does not work (as expected)
Why is this?


thx
matthias


--
Harry Jede
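
Added example, not part of the original thread and not Samba's own code: a Python check that scans OpenLDAP stats-log lines for group lookups whose search base lies outside the configured "ldap group suffix" branch, which is the behaviour the log line in the reply shows. The first sample line is the SRCH line from the post with a constructed conn/op prefix; the other two lines and all function names are assumptions made for illustration.

```python
import re

# Constructed sample log. Line 1 reuses the SRCH line quoted in the post
# (conn/op prefix made up); lines 2 and 3 are invented for contrast.
SAMPLE_LOG = '''\
conn=1001 op=2 SRCH base="dc=europa,dc=xx" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(|(displayName=teachers)(cn=teachers)))"
conn=1002 op=1 SRCH base="ou=groups,dc=europa,dc=xx" scope=2 deref=0 filter="(&(objectClass=posixGroup)(cn=teachers))"
conn=1003 op=1 SRCH base="ou=people,ou=accounts,dc=europa,dc=xx" scope=2 deref=0 filter="(uid=alice)"
'''

SRCH_RE = re.compile(
    r'SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) .*filter="(?P<filter>.*)"'
)
GROUP_FILTER_RE = re.compile(r"objectClass=(sambaGroupMapping|posixGroup)", re.I)


def normalize_dn(dn):
    """Lower-case and trim each RDN (sufficient for simple DNs without escapes)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_within(base, branch):
    """True if `base` is `branch` itself or an entry below it."""
    base, branch = normalize_dn(base), normalize_dn(branch)
    return base == branch or base.endswith("," + branch)


def group_searches_outside_branch(log_text, ldap_suffix, group_suffix):
    """Return (base, scope, filter) for group lookups not confined to the group branch.

    `ldap_suffix` and `group_suffix` are the smb.conf values "ldap suffix"
    and "ldap group suffix"; Samba documents the latter as relative to the former.
    """
    branch = f"{group_suffix},{ldap_suffix}"
    findings = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if not m or not GROUP_FILTER_RE.search(m["filter"]):
            continue
        if not is_within(m["base"], branch):
            findings.append((m["base"], int(m["scope"]), m["filter"]))
    return findings


if __name__ == "__main__":
    hits = group_searches_outside_branch(SAMPLE_LOG, "dc=europa,dc=xx", "ou=groups")
    for base, scope, flt in hits:
        print(f"group lookup outside branch: base={base} scope={scope} filter={flt}")
```

A hit with scope=2 (subtree) at the top-level suffix means the directory's ACLs, not smb.conf, decide which group branches that Samba instance can read.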

