Web lists-archives.com

Re: [Samba] visibility of groups when multiple Samba servers use the same LDAP server






Am 11.02.19 um 16:33 schrieb Rowland Penny via samba:
On Mon, 11 Feb 2019 15:40:02 +0100
Matthias Leopold via samba <samba@xxxxxxxxxxxxxxx> wrote:



Am 11.02.19 um 14:22 schrieb Rowland Penny via samba:
On Mon, 11 Feb 2019 13:46:05 +0100
Matthias Leopold via samba <samba@xxxxxxxxxxxxxxx> wrote:



Am 11.02.19 um 13:22 schrieb Rowland Penny via samba:
On Mon, 11 Feb 2019 12:30:51 +0100
Matthias Leopold via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi,

we are using a _single_ LDAP server as backend for _multiple_
Samba standalone file servers (security=user). This LDAP server
serves mainly other purposes and access for Samba is read only
so the situation is not optimal but "it works for us". Still I
don't understand one phenomenon concerning visibility of LDAP
groups.

The LDAP configuration in smb.conf for all our Samba servers is
basically like this (with each server having it's own branch for
"ldap group suffix", that's the point):

passdb backend = ldapsam:ldap://ldap.domain.tld
ldap suffix = dc=domain,dc=tld
ldap user suffix = ou=people
ldap group suffix = ou=server01,ou=smb,ou=Groups

NSS uses LDAP via SSSD like this:

[domain/LDAP]
id_provider = ldap

ldap_uri = ldap://ldap.domain.tld
ldap_search_base = dc=domain,dc=tld

ldap_user_search_base = ou=People,dc=domain,dc=tld
ldap_group_search_base =
ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld

The sambaDomainName is stored in an entry in LDAP path
ou=smb,dc=domain,dc=tld. Each server has it's own entry, but all
use the same SID.

This setup is not exactly pretty, but it "works". Still,
unexpectedly Samba on server01 sees groups in other branches than
"ou=server01,ou=smb,ou=Groups" (with "net groupmap list").

example:
- group is
cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
- on server01 this group is visible with "net groupmap list
ntgroup=testgroup"
- "getent group testgroup" does not work (as expected)
Why is this?

thx
matthias


You are going to have to give us more info ;-)
What OS's ?
What version(s) of Samba ?
Have there been any updates/upgrades to anything ?

Rowland


thx for quick reply.
Samba is 4.8.3 on CentOS 7.
LDAP server is IBM Tivoli Directory Server on AIX.
The situation has always been like this, upgrades didn't change
anything.

Matthias


It sounds like you are running Samba in much the same way as a PDC
and in a very old way, but I cannot be sure about this because you
seem to be refusing to post your smb.conf.

You posted:

Still, unexpectedly Samba on server01

To me, A native English speaking person, that sounds like your
problem had just started. I think you meant:

However, Samba on server01

If your NON_PDC PDC is set up correctly, 'getent group testgroup'
would work.

Rowland


Thanks for help.

I'm attaching the output of "testparm" for one of the servers.
Indeed I wanted to express "However, Samba on server01", I wasn't
aware of this potential for misunderstanding, sorry.

No Problem, it was just a misunderstanding, I misunderstood what you
meant, but I understand now.

I don't know any recent SAMBA + LDAP documentation, I roughly follow
https://wiki.samba.org/index.php/Samba_%26_LDAP and I did set up a
PDC with smbldap-tools a long time ago, but I know that this is not a
PDC right now. What are the differences for non PDC servers?

Not much, what you are running is a PDC, you just don't have any
clients. As for recent Samba with LDAP documentation, there isn't any
and there isn't any real impetus to write any, they are a dying
breed ;-) It is much easier to set up an Samba AD DC domain

When I tell Samba + NSS to use LDAP branch
'ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld' for group information
I don't expect that group 'testgroup' in branch
'ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld' is found.

Try setting up a test computer and use this smb.conf:

[global]
     workgroup = SAMBA
     security = USER
     server max protocol = NT1
     passdb backend = ldapsam
     ldap admin dn = uid=ldapadmin,ou=services,dc=domain,dc=tld
     ldap suffix = dc=domain,dc=tld
     ldap group suffix = ou=group01,ou=smb,ou=Groups
     ldap user suffix = ou=people
     idmap config * : range = 500-19999
     idmap config * : backend = ldap
     idmap config * : ldap_url = ldap://ldap.domain.tld
     idmap config * : ldap_base_dn = ou=idmap,dc=domain,dc=tld
     idmap config * : ldap_user_dn = uid=ldapadmin,ou=services,dc=domain,dc=tld

     map acl inherit = Yes
     store dos attributes = Yes
     vfs objects = acl_xattr

[foo_home]
     admin users = +foo_admin
     browseable = No
     path = /srv/foo/lv01/home
     read only = No

if that doesn't work, pretend your AIX server is an AD DC and follow
this wiki page:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland



thanks to you and harry jede
I will discuss all of this with our LDAP admin, he's looking for a ITDS replacement anyway ;-)

Matthias

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba