Hello dear list,

I need help with authentication configuration on samba. It is a little bit special ...

We have a Linux-Server with all users/groups configured locally (nsswitch.conf points to passwd and groups).

We have ONE share configured, and under this shared folder are located separate project folders.

On each project folder, posix ACLs are set with two groups, for read-only and write access. These rights/ACLs are set once by the administrator. Rights for files and subfolders under the project folders are automatically inherited.

No user should be able to change rights, so in the share definition we set "nt acl support" to NO.

The Samba-Server used tdbsam, and all was working well.

But now we would like to change the configuration, so that ONLY the user authentication goes to ldapsam. I configured that and all is running well.

But now I see a lot of ldap requests to get user and group information (about 2.5 million ldap requests in only 6 hours!). Are these ldap requests necessary? Because all information needed for running samba (in this configuration) is available from the system nsswitch/passwd/groups....

These ldap requests cost resources on the ldap server and time in the smbd process. Is it possible to disable all ldap requests querying for users and groups and use ldapsam ONLY for authentication?

Here is my configuration:

[global]
workgroup = Samba
map to guest = Bad User
security = user
server string = FS01

ldap admin dn = uid=samba,cn=susers,o=mydom,c=net
passdb backend = ldapsam:"ldap://ldap01.mydom.net"
ldap suffix = cn=samba,o=mydom,c=net
ldap user suffix = cn=accounts
ldap group suffix = cn=groups
ldap passwd sync = No

[SHARE1]
path = /data/share1
comment = share1
writeable = yes
browseable = no
nt acl support = no
inherit permissions = yes
store dos attributes = yes

Thanks for help,
kindly regards Meike
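To make the configuration above easier to reason about, here is a small smb.conf parser and audit helper. It is an added example, not code from the thread or from the Samba project; the only input it knows is a constructed copy of the [global] and [SHARE1] sections from the post (hostname and DNs kept as written there), and the helper names (parse_smb_conf, audit, shares_with_client_acl_editing) are my own. It reports which passdb backend is configured and flags any share where "nt acl support" has been left at Samba's default of yes, which is the case the post wants to avoid.

```python
import re

# Constructed sample: the [global] and [SHARE1] sections from the post above.
SAMPLE_SMB_CONF = """\
[global]
workgroup = Samba
map to guest = Bad User
security = user
server string = FS01

ldap admin dn = uid=samba,cn=susers,o=mydom,c=net
passdb backend = ldapsam:"ldap://ldap01.mydom.net"
ldap suffix = cn=samba,o=mydom,c=net
ldap user suffix = cn=accounts
ldap group suffix = cn=groups
ldap passwd sync = No

[SHARE1]
path = /data/share1
comment = share1
writeable = yes
browseable = no
nt acl support = no
inherit permissions = yes
store dos attributes = yes
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}} from smb.conf-style text.

    Parameter names are case-insensitive and may contain spaces, so they are
    normalised to lowercase with single spaces. Lines beginning with '#' or
    ';' are comments. A repeated parameter keeps its last value.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def parse_passdb_backend(value):
    """Split 'ldapsam:"ldap://host"' into (backend, location); the location may be quoted."""
    backend, _, location = value.partition(":")
    return backend.strip(), location.strip().strip('"')


def is_true(value):
    # smb.conf booleans accept yes/true/1 and no/false/0, case-insensitively.
    return value.strip().lower() in ("yes", "true", "1")


def share_setting(conf, share, key, default):
    # A share parameter falls back to the value in [global], then to Samba's built-in default.
    return conf[share].get(key, conf.get("global", {}).get(key, default))


def audit(conf):
    """Summarise the authentication backend and the per-share permission settings."""
    g = conf.get("global", {})
    backend, location = parse_passdb_backend(g.get("passdb backend", "tdbsam"))
    report = {
        "backend": backend,
        "backend_location": location,
        "ldap_passwd_sync": is_true(g.get("ldap passwd sync", "no")),
        "unix_password_sync": is_true(g.get("unix password sync", "no")),
        "shares": {},
    }
    for name in conf:
        if name.lower() == "global":
            continue
        report["shares"][name] = {
            "path": conf[name].get("path"),
            # 'writable' is a synonym for 'writeable'; both default to no.
            "writeable": is_true(share_setting(conf, name, "writeable",
                                               share_setting(conf, name, "writable", "no"))),
            "nt_acl_support": is_true(share_setting(conf, name, "nt acl support", "yes")),
            "inherit_permissions": is_true(share_setting(conf, name, "inherit permissions", "no")),
        }
    return report


def shares_with_client_acl_editing(conf):
    """Shares where 'nt acl support' is still yes, i.e. where a client with
    write access could alter the POSIX ACLs the administrator set."""
    return [name for name, s in audit(conf)["shares"].items() if s["nt_acl_support"]]


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    print(audit(conf))
    print("shares allowing ACL edits from clients:", shares_with_client_acl_editing(conf))
```

Run against the post's configuration it reports the ldapsam backend at ldap://ldap01.mydom.net and an empty list of shares allowing client-side ACL edits, since SHARE1 sets "nt acl support = no" explicitly; a share that omits the parameter is flagged.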
mathias dufresne
2016-Jan-28 17:42 UTC
[Samba] How to use ldapsam only for authentication?
Hi Meike,

As far as I understood, you are using ldapsam only when Samba is running as AD domain controller. And when Samba is running as AD DC, all user stuff goes to AD and so ldapsam.

In the configuration you described, I expect your users exist twice: once in /etc/passwd as Linux users and once in Samba TDB as Samba users.

As there is work to do for the change you speak about, why not take advantage of this change to also remove users from flat files? I mean, you can declare your AD users with the very same UID/GID and groups as those in flat files...

I must have missed something in your architecture ;)

Cheers,
mathias

2016-01-28 15:28 GMT+01:00 Meike Stone <meike.stone at googlemail.com>:
> Hello dear list,
>
> I need help with authentication configuration on samba.
> It is a little bit special ...
>
> We have a Linux-Server with all users/groups configured locally.
> (nsswitch.conf points to passwd and groups)
>
> We have ONE share configured, and under this shared folder are located
> separate project folders.
>
> On each project folder, posix ACLs are set with two groups, for read-only
> and write access.
> These rights/ACLs are set once by the administrator.
> Rights for files and subfolders under the project folders are
> automatically inherited.
>
> No user should be able to change rights, so in the share definition
> we set "nt acl support" to NO.
>
> The Samba-Server used tdbsam, and all was working well.
>
> But now we would like to change the configuration, so that ONLY the user
> authentication goes to ldapsam.
>
> I configured that and all is running well.
>
> But now I see a lot of ldap requests to get user and group information
> (about 2.5 million ldap requests in only 6 hours!).
> Are these ldap requests necessary? Because all information needed for
> running samba (in this configuration) is available from the system
> nsswitch/passwd/groups....
>
> These ldap requests cost resources on the ldap server and time in
> the smbd process.
> Is it possible to disable all ldap requests querying for users and
> groups and use ldapsam ONLY for authentication?
>
> Here is my configuration:
>
> [global]
> workgroup = Samba
> map to guest = Bad User
> security = user
> server string = FS01
>
> ldap admin dn = uid=samba,cn=susers,o=mydom,c=net
> passdb backend = ldapsam:"ldap://ldap01.mydom.net"
> ldap suffix = cn=samba,o=mydom,c=net
> ldap user suffix = cn=accounts
> ldap group suffix = cn=groups
> ldap passwd sync = No
>
> [SHARE1]
> path = /data/share1
> comment = share1
> writeable = yes
> browseable = no
> nt acl support = no
> inherit permissions = yes
> store dos attributes = yes
>
> Thanks for help,
> kindly regards Meike
On 28/01/16 17:42, mathias dufresne wrote:
> Hi Meike,
>
> As far as I understood you are using ldapsam only when Samba is running as
> AD domain controller.

No, you don't use ldapsam on a DC; you use ldapsam when your users etc. are stored in LDAP.

> And when Samba is running as AD DC, all user stuff goes to AD and so ldapsam.

Everything is stored in AD, which is a version of ldap, but you don't use ldapsam with it.

> In the configuration you described I expect your users exist twice:
> once in /etc/passwd as Linux users and once in Samba TDB as Samba users.

This would seem to be correct. I would suggest adding 'unix password sync = yes' to smb.conf. I also think the OP needs to add 'ldap' to the passwd & group lines in /etc/nsswitch.

> As there is work to do for the change you speak about, why not take
> advantage of this change to also remove users from flat files? I mean, you
> can declare your AD users with the very same UID/GID and groups as those in
> flat files...

No, on a standalone server (this is what the OP has) you need the users in /etc/passwd and Samba.

Rowland
Hello,

> As far as I understood you are using ldapsam only when Samba is running as
> AD domain controller.

It is only a standalone server; no sid/gid (mapping) is needed. All users and groups are maintained locally (passwd/groups). We only want to authenticate the users against the ldap server (openDJ). No Active Directory is used.

But if I configure it, there are a lot (too many) ldap searches/requests that only waste time and cpu. The requesting smbd process does not get back a usable (empty) result. So I think that then (after the ldap search) the smbd process asks the system and gets the proper information.

Samba is running well in this configuration. I'm looking for a way to disable these ldap requests, because at the moment there are only a few files on the server, but I want to migrate Windows file servers onto it. So I'm afraid that the performance of samba will go down and my ldap server will collapse.

Thanks Meike