Hello,

> As far as I understood you are using ldapsam only when Samba is running as
> AD domain controller.

it is only a standalone server, no sid/gid (mapping) needed. All users
and groups are maintained locally (passwd/groups).
We only want to authenticate the users against the ldap server
(openDJ). No Active Directory is used.

But if I configure, there are a lot of (too many) ldap searches/requests
that only waste time and cpu. The requesting smbd process does not get
back a usable (empty) result. So I think that then (after the ldap search) the
smbd process asks the system and gets the proper information.
Samba is running well in this configuration.

I'm looking for a way to disable this ldap request, because at the
moment there are only a few files on the server, but I want to migrate Windows
file servers onto it. So I'm afraid that the performance of the samba
will go down and my ldap server will collapse.

Thanks Meike

On 28/01/16 21:30, Meike Stone wrote:
> Hello,
>
>> As far as I understood you are using ldapsam only when Samba is running as
>> AD domain controller.
> it is only a standalone server, no sid/gid (mapping) needed. All users
> and groups are maintained locally (passwd/groups).

If all your users & groups are only local users & groups, then they are
unknown to Samba. For your Windows users to connect to a Samba share,
they must be known to Samba *and* for them to be able to read & write to
the share on the Unix machine, they must be known to the Unix OS. This is
the main problem with a Windows workgroup, along with having to keep
*all* the passwords in sync. Why do you think Microsoft went to all the
trouble of creating AD? You have all your users in one place with one
password.

You can set up a workgroup that uses passwords if you want, but you will
need to set it up correctly. If you want to set up a Samba server without
passwords, try reading this:

https://wiki.samba.org/index.php/Standalone_server

Rowland

On Thu, Jan 28, 2016 at 10:30:55PM +0100, Meike Stone wrote:
> it is only a standalone server, no sid/gid (mapping) needed. All users
> and groups are maintained locally (passwd/groups).
> We only want to authenticate the users against the ldap server
> (openDJ). No Active Directory is used.
>
> But if I configure, there are a lot of (too many) ldap searches/requests
> that only waste time and cpu. The requesting smbd process does not get
> back a usable (empty) result. So I think that then (after the ldap search) the
> smbd process asks the system and gets the proper information.
> Samba is running well in this configuration.
>
> I'm looking for a way to disable this ldap request, because at the
> moment there are only a few files on the server, but I want to migrate Windows
> file servers onto it. So I'm afraid that the performance of the samba
> will go down and my ldap server will collapse.

So you have two choices: Diagnose why this is done with
debug level 10 logs and ldap network traces and then remove
those calls. The alternative is to set up an LDAP slave
server on the Samba server.

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

On Fri, Jan 29, 2016 at 07:39:32AM +0100, Volker Lendecke wrote:
> So you have two choices: Diagnose why this is done with
> debug level 10 logs and ldap network traces and then remove
> those calls. The alternative is to set up a LDAP slave
> server on the Samba server.

Another choice: Do regular "pdbedit -i ldapsam -e tdbsam"
for a local passdb.tdb copy.

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
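
The regular "pdbedit -i ldapsam -e tdbsam" export suggested in the last message, written out as a wrapper that never replaces the previous copy with a failed or empty export and keeps the file, which holds password hashes, at mode 0600. This is an added example, not part of the thread or of Samba. The LDAP URL, the destination path and the `PDBEDIT` override variable are assumptions, and the ldapsam settings and bind credentials in smb.conf/secrets.tdb are assumed to be in place already.

```shell
#!/bin/sh
# Added example: refresh a local tdbsam copy of the ldapsam accounts.
# Assumptions (not from the thread): the LDAP URL and destination path are
# supplied by the caller; PDBEDIT may name a replacement for the pdbedit binary.

# sync_passdb LDAP_URL DEST
# Exports the ldapsam accounts into a fresh tdb in a private directory next to
# DEST and renames it into place only if pdbedit succeeded and wrote data.
sync_passdb() {
    ldap_url=$1
    dest=$2
    if [ -z "$ldap_url" ] || [ -z "$dest" ]; then
        echo "usage: sync_passdb LDAP_URL DEST" >&2
        return 2
    fi
    destdir=$(dirname "$dest")
    old_umask=$(umask)
    umask 077    # the copy holds password hashes: owner-only access
    workdir=$(mktemp -d "$destdir/.passdb-sync.XXXXXX") || {
        umask "$old_umask"
        return 1
    }
    new="$workdir/passdb.tdb"
    rc=0
    if ! "${PDBEDIT:-pdbedit}" -i "ldapsam:$ldap_url" -e "tdbsam:$new"; then
        echo "sync_passdb: export failed, keeping existing $dest" >&2
        rc=1
    elif [ ! -s "$new" ]; then
        echo "sync_passdb: export wrote no data, keeping existing $dest" >&2
        rc=1
    else
        # Same filesystem as DEST, so the rename replaces the file in one step.
        mv -f "$new" "$dest" || rc=1
    fi
    rm -rf "$workdir"
    umask "$old_umask"
    return "$rc"
}

# Typical call from a root cron job (constructed values):
#   sync_passdb ldap://ldap.example.com /var/lib/samba/private/passdb.tdb
```

The Samba server then uses the copy through `passdb backend = tdbsam:<DEST>`. Whether smbd processes that are already running pick up the replaced file without a restart is not covered here.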