Alex Domoradov
2012-Feb-15 15:21 UTC
[Samba] Samba domain member server using only nss ldap
I have NT4 domain on samba-3.x integrated with LDAP. I need to use domain users in the shares permissions.

On the domain member server I have the following smb.conf

[global]

workgroup = W3
server string = File server
netbios name = FS1
security = domain

load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes

log file = /var/log/samba/samba.log
max log size = 50000

encrypt passwords = yes

winbind trusted domains only = yes

idmap backend = ldap:"ldap://pdc.w3.lan/"
ldap idmap suffix = ou=idmap

idmap uid = 50000-500000
idmap gid = 50000-500000

ldapsam:trusted = yes
ldapsam:editposix = yes

ldap suffix = dc=w3,dc=lan
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap admin dn = "cn=root,dc=w3,dc=lan"
ldap ssl = no

socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192

enable privileges = yes

os level = 8
local master = no
domain master = no
preferred master = no
domain logons = no

wins server = 192.168.210.104
dns proxy = yes

client ntlmv2 auth = yes
client plaintext auth = no

lanman auth = no
lm announce = no

deadtime = 15

display charset = utf8
unix charset = utf8
dos charset = cp866

log level = 3
host msdfs = no

[Test]
comment = Test
path = /data/production/Test/
public = yes
guest ok = no
valid users = @W3\w3-nssldap
write list = @W3\w3-nssldap
browseable = yes
force create mode = 0770
create mode = 0770
force directory mode = 0770
directory mode = 0770
create mask = 0660
directory mask = 0770
force group = @W3\w3-nssldap

# cat /etc/nsswitch.conf | grep ldap
passwd: files ldap
shadow: files ldap
group: files ldap

When I create any folder in the share Test I get the following uid/gid

# ls -l
total 4
drwxrwx--- 2 nssldap 321909 4096 Feb 15 17:00 test

# ls -ln
total 4
drwxrwx--- 2 1890 321909 4096 Feb 15 17:00 test

# getent group | grep ^w3-nssldap
w3-nssldap:*:1354:nssldap

# id nssldap
uid=1890(nssldap) gid=1354(w3-nssldap) groups=1354(w3-nssldap),513(Domain Users)

# wbinfo --name-to-sid=nssldap
S-1-5-21-250625134-237382211-2379110221-4780 SID_USER (1)

# wbinfo --sid-to-uid=S-1-5-21-250625134-237382211-2379110221-4780
50290

It seems that samba gets the uid from LDAP and the gid from winbind. So my question is: is it possible to use only nss ldap on a domain member server for mapping uid/gid?
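As an added diagnostic for the symptom in this post (my own example, not from the thread and not part of Samba): a small POSIX sh script that classifies each numeric uid and gid in an ls -ln listing as "posix" (resolvable through nss, i.e. the LDAP posixAccount/posixGroup) or "idmap" (inside the winbind idmap uid/gid range from smb.conf). An entry whose owner is posix but whose group is idmap is exactly the mixed mapping shown above (uid 1890 from LDAP, gid 321909 from winbind). The getent and ls -ln sample data are constructed from the values posted here, the 50000-500000 range is the idmap range from the posted smb.conf, and the function names classify_id, check_ls_line and scan_listing are mine. On a real member server you would replace the SAMPLE_* strings with the output of getent passwd, getent group and ls -ln.

```shell
#!/bin/sh
# Added diagnostic example, not from the thread or from Samba: classify each
# numeric uid/gid in an `ls -ln` listing as "posix" (resolvable through nss,
# i.e. the LDAP posixAccount/posixGroup) or "idmap" (inside the winbind idmap
# range from smb.conf). An entry whose owner is posix but whose group is idmap
# is the mixed mapping reported in the thread.

# Constructed sample data standing in for `getent passwd` / `getent group`
# output on the member server (values taken from the thread).
SAMPLE_PASSWD='nssldap:x:1890:1354::/home/nssldap:/bin/sh'
SAMPLE_GROUP='w3-nssldap:*:1354:nssldap
Domain Users:*:513:'
# "idmap uid" / "idmap gid" range from the posted smb.conf
IDMAP_LOW=50000
IDMAP_HIGH=500000

# classify_id KIND NUMBER -> prints posix | idmap | unknown
classify_id() {
    kind=$1
    num=$2
    case $kind in
        uid) table=$SAMPLE_PASSWD ;;
        gid) table=$SAMPLE_GROUP ;;
        *)   echo unknown; return 1 ;;
    esac
    # the third colon-separated field of a passwd/group entry is the numeric id
    if printf '%s\n' "$table" | awk -F: -v n="$num" '$3 == n { found = 1 } END { exit !found }'; then
        echo posix
        return 0
    fi
    if [ "$num" -ge "$IDMAP_LOW" ] && [ "$num" -le "$IDMAP_HIGH" ]; then
        echo idmap
        return 0
    fi
    echo unknown
}

# check_ls_line "<one line of ls -ln output>" -> one report line;
# returns 0 when owner and group both resolve through nss, 1 otherwise.
# (Assumes a plain file name without spaces: field 9 of `ls -ln`.)
check_ls_line() {
    # shellcheck disable=SC2086
    set -- $1
    if [ $# -lt 9 ]; then
        echo "unparsable line"
        return 2
    fi
    uid=$3
    gid=$4
    name=$9
    u=$(classify_id uid "$uid")
    g=$(classify_id gid "$gid")
    if [ "$u" = posix ] && [ "$g" = posix ]; then
        printf '%s: uid %s (%s), gid %s (%s) -> consistent\n' "$name" "$uid" "$u" "$gid" "$g"
        return 0
    fi
    printf '%s: uid %s (%s), gid %s (%s) -> MISMATCH\n' "$name" "$uid" "$u" "$gid" "$g"
    return 1
}

# Constructed `ls -ln` output for the share directory; the first entry is the
# one posted in the thread, the second is a file whose group did resolve.
SAMPLE_LS='total 4
drwxrwx--- 2 1890 321909 4096 Feb 15 17:00 test
-rw-rw---- 1 1890 1354 0 Feb 15 17:05 notes.txt'

# scan_listing -> one report line per entry plus a final "mismatches: N" line
scan_listing() {
    mismatches=0
    while IFS= read -r line; do
        case $line in
            [d-]*) check_ls_line "$line" || mismatches=$((mismatches + 1)) ;;
        esac
    done <<EOF
$SAMPLE_LS
EOF
    echo "mismatches: $mismatches"
}

scan_listing
```

Running the script on the constructed data reports the test directory as a mismatch (owner posix, group idmap) and notes.txt as consistent, which is the quickest way to tell whether a given id came from the LDAP posix attributes or from the winbind idmap allocation.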
Gaiseric Vandal
2012-Feb-15 17:46 UTC
[Samba] Samba domain member server using only nss ldap
On a member server, the ldap backend should not be needed for user and group look up. You do need some sort of idmapping for the unix level to see the UID's and GID's assigned to the samba users, and use those uid's and gid's to set file permissions.

I haven't had much luck with member servers either. It does get trickier when you have ldap used for both unix accounts and samba accounts. I found it easier to configure my primary machines as domain controllers.

I think generally your nsswitch.conf file should include entries to allow unix to retrieve uid's and gid's from winbind.

passwd: files ldap winbind
shadow: files ldap winbind
group: files ldap winbind

This means that you would be able to type "getent user1" and "getent MYDOMAIN\user1."

I think it appears you are getting group information from winbind since you have the "force group" entry in smb.conf.

You should look at the man page for idmap_nss. In theory, this should let you use a local backend to store the idmap entries, and the idmap system should map the SID's to the existing unix uid and gid. Never worked for me in practice.

Alternately, you may want to manually edit the idmap entries in ldap. The domain controller should have automatically created them.

On 02/15/12 10:21, Alex Domoradov wrote:
> I have NT4 domain on samba-3.x integrated with LDAP. I need to use domain
> users in the shares permissions
>
> On the domain member server I have the following smb.conf
>
> [global]
>
> workgroup = W3
> server string = File server
> netbios name = FS1
> security = domain
>
> load printers = no
> show add printer wizard = no
> printcap name = /dev/null
> disable spoolss = yes
>
> log file = /var/log/samba/samba.log
> max log size = 50000
>
> encrypt passwords = yes
>
> winbind trusted domains only = yes
>
> idmap backend = ldap:"ldap://pdc.w3.lan/"
> ldap idmap suffix = ou=idmap
>
> idmap uid = 50000-500000
> idmap gid = 50000-500000
>
> ldapsam:trusted = yes
> ldapsam:editposix = yes
>
> ldap suffix = dc=w3,dc=lan
> ldap user suffix = ou=users
> ldap group suffix = ou=groups
> ldap machine suffix = ou=computers
> ldap admin dn = "cn=root,dc=w3,dc=lan"
> ldap ssl = no
>
> socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
>
> enable privileges = yes
>
> os level = 8
> local master = no
> domain master = no
> preferred master = no
> domain logons = no
>
> wins server = 192.168.210.104
> dns proxy = yes
>
> client ntlmv2 auth = yes
> client plaintext auth = no
>
> lanman auth = no
> lm announce = no
>
> deadtime = 15
>
> display charset = utf8
> unix charset = utf8
> dos charset = cp866
>
> log level = 3
> host msdfs = no
>
> [Test]
> comment = Test
> path = /data/production/Test/
> public = yes
> guest ok = no
> valid users = @W3\w3-nssldap
> write list = @W3\w3-nssldap
> browseable = yes
> force create mode = 0770
> create mode = 0770
> force directory mode = 0770
> directory mode = 0770
> create mask = 0660
> directory mask = 0770
> force group = @W3\w3-nssldap
>
> # cat /etc/nsswitch.conf | grep ldap
> passwd: files ldap
> shadow: files ldap
> group: files ldap
>
> When I create any folder in the share Test I get the following uid/gid
>
> # ls -l
> total 4
> drwxrwx--- 2 nssldap 321909 4096 Feb 15 17:00 test
>
> # ls -ln
> total 4
> drwxrwx--- 2 1890 321909 4096 Feb 15 17:00 test
>
> # getent group | grep ^w3-nssldap
> w3-nssldap:*:1354:nssldap
>
> # id nssldap
> uid=1890(nssldap) gid=1354(w3-nssldap) groups=1354(w3-nssldap),513(Domain
> Users)
>
> # wbinfo --name-to-sid=nssldap
> S-1-5-21-250625134-237382211-2379110221-4780 SID_USER (1)
>
> # wbinfo --sid-to-uid=S-1-5-21-250625134-237382211-2379110221-4780
> 50290
>
> It's seems that samba get uid from LDAP and gid from winbind. So my
> question is - Is it possible to use only nss ldap on domain member server
> to mapping uid/gid?
Alex Domoradov
2012-Feb-15 21:29 UTC
[Samba] Samba domain member server using only nss ldap
> On a member server, the ldap backend should not be needed for user and
> group look up. You do need some sort of idmapping for the unix level to
> see the UID's and GID's assigned to the samba users, and use those uid's
> and gid's to set file permissions.

I need to do idmapping via winbind or something else?

> I haven't had much luck with member servers either. it does get trickier
> when you have ldap used for both unix accounts and samba accounts. I
> found it easier to configure my primary machines as domain controllers.

I need to use LDAP only for samba accounts, not local (unix).

> I think generally your nsswitch.conf file should include entries to allow
> unix to retrieve uid's and gid's from winbind.
> passwd: files ldap winbind
> shadow: files ldap winbind
> group: files ldap winbind

But according to http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
if I have one domain and all servers are members of this domain there is no need to use winbind at all. Did I miss something?

> This means that you would be able to type "getent user1" and "getent
> MYDOMAIN\user1."

I don't need such a case; in my case local and domain users are always unique.

> I think it appears you are getting group information from winbind since
> have the "force group" entry in smb.conf.

It's strange. When I added force user to the share description, samba set the uid of the new file from ldap.

> You should look at the man page for idmap_nss. In theory, this should
> let you use a local backend to store the idmap entries, and the idmap
> system should use map the SID's to the existing unix uid and gid. Never
> worked for me in practice.

I read the man page http://www.samba.org/samba/docs/man/manpages-3/idmap_nss.8.html but didn't get a clear understanding.

> Alternately, you may want to manually edit the idmap entries in ldap.
> The domain controller should have automatically created them.

There are 10-15 entries in the ou Idmap.
Adam Tauno Williams
2012-Feb-28 12:07 UTC
[Samba] Samba domain member server using only nss ldap
On Sat, 2012-02-25 at 19:49 +0100, steve wrote:
> one little problem. When I execute ls -la in the directory there is a
> delay about 1-2 seconds. Is it normal? nscd daemon solves this problem,
> there is no delay. Is there any solution without using nscd?
>
> nss-ldapd with nslcd. Much quicker mappings.
> http://arthurdejong.org/nss-pam-ldapd/

+1 Use nslcd, not nscd. It also reduces the number of separate connections to the DSA.