Matthias Leopold
2019-Feb-11  11:30 UTC
[Samba] visibility of groups when multiple Samba servers use the same LDAP server
Hi,

we are using a _single_ LDAP server as backend for _multiple_ Samba standalone file servers (security=user). This LDAP server serves mainly other purposes and access for Samba is read only so the situation is not optimal but "it works for us". Still I don't understand one phenomenon concerning visibility of LDAP groups.

The LDAP configuration in smb.conf for all our Samba servers is basically like this (with each server having its own branch for "ldap group suffix", that's the point):

passdb backend = ldapsam:ldap://ldap.domain.tld
ldap suffix = dc=domain,dc=tld
ldap user suffix = ou=people
ldap group suffix = ou=server01,ou=smb,ou=Groups

NSS uses LDAP via SSSD like this:

[domain/LDAP]
id_provider = ldap

ldap_uri = ldap://ldap.domain.tld
ldap_search_base = dc=domain,dc=tld

ldap_user_search_base = ou=People,dc=domain,dc=tld
ldap_group_search_base = ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld

The sambaDomainName is stored in an entry in LDAP path ou=smb,dc=domain,dc=tld. Each server has its own entry, but all use the same SID.

This setup is not exactly pretty, but it "works". Still, unexpectedly Samba on server01 sees groups in other branches than "ou=server01,ou=smb,ou=Groups" (with "net groupmap list").

example:
- group is cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
- on server01 this group is visible with "net groupmap list ntgroup=testgroup"
- "getent group testgroup" does not work (as expected)

Why is this?

thx
matthias
Rowland Penny
2019-Feb-11  12:22 UTC
[Samba] visibility of groups when multiple Samba servers use the same LDAP server
On Mon, 11 Feb 2019 12:30:51 +0100
Matthias Leopold via samba <samba at lists.samba.org> wrote:

> Hi,
>
> we are using a _single_ LDAP server as backend for _multiple_ Samba
> standalone file servers (security=user). This LDAP server serves
> mainly other purposes and access for Samba is read only so the
> situation is not optimal but "it works for us". Still I don't
> understand one phenomenon concerning visibility of LDAP groups.
>
> The LDAP configuration in smb.conf for all our Samba servers is
> basically like this (with each server having it's own branch for
> "ldap group suffix", that's the point):
>
> passdb backend = ldapsam:ldap://ldap.domain.tld
> ldap suffix = dc=domain,dc=tld
> ldap user suffix = ou=people
> ldap group suffix = ou=server01,ou=smb,ou=Groups
>
> NSS uses LDAP via SSSD like this:
>
> [domain/LDAP]
> id_provider = ldap
>
> ldap_uri = ldap://ldap.domain.tld
> ldap_search_base = dc=domain,dc=tld
>
> ldap_user_search_base = ou=People,dc=domain,dc=tld
> ldap_group_search_base = ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld
>
> The sambaDomainName is stored in an entry in LDAP path
> ou=smb,dc=domain,dc=tld. Each server has it's own entry, but all use
> the same SID.
>
> This setup is not exactly pretty, but it "works". Still, unexpectedly
> Samba on server01 sees groups in other branches than
> "ou=server01,ou=smb,ou=Groups" (with "net groupmap list").
>
> example:
> - group is cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
> - on server01 this group is visible with "net groupmap list
> ntgroup=testgroup"
> - "getent group testgroup" does not work (as expected)
> Why is this?
>
> thx
> matthias
>

You are going to have to give us more info ;-)
What OS's ?
What version(s) of Samba ?
Have there been any updates/upgrades to anything ?

Rowland
Matthias Leopold
2019-Feb-11  12:46 UTC
[Samba] visibility of groups when multiple Samba servers use the same LDAP server
On 11.02.19 at 13:22, Rowland Penny via samba wrote:

> On Mon, 11 Feb 2019 12:30:51 +0100
> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> we are using a _single_ LDAP server as backend for _multiple_ Samba
>> standalone file servers (security=user). This LDAP server serves
>> mainly other purposes and access for Samba is read only so the
>> situation is not optimal but "it works for us". Still I don't
>> understand one phenomenon concerning visibility of LDAP groups.
>>
>> The LDAP configuration in smb.conf for all our Samba servers is
>> basically like this (with each server having it's own branch for
>> "ldap group suffix", that's the point):
>>
>> passdb backend = ldapsam:ldap://ldap.domain.tld
>> ldap suffix = dc=domain,dc=tld
>> ldap user suffix = ou=people
>> ldap group suffix = ou=server01,ou=smb,ou=Groups
>>
>> NSS uses LDAP via SSSD like this:
>>
>> [domain/LDAP]
>> id_provider = ldap
>>
>> ldap_uri = ldap://ldap.domain.tld
>> ldap_search_base = dc=domain,dc=tld
>>
>> ldap_user_search_base = ou=People,dc=domain,dc=tld
>> ldap_group_search_base = ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld
>>
>> The sambaDomainName is stored in an entry in LDAP path
>> ou=smb,dc=domain,dc=tld. Each server has it's own entry, but all use
>> the same SID.
>>
>> This setup is not exactly pretty, but it "works". Still, unexpectedly
>> Samba on server01 sees groups in other branches than
>> "ou=server01,ou=smb,ou=Groups" (with "net groupmap list").
>>
>> example:
>> - group is cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
>> - on server01 this group is visible with "net groupmap list
>> ntgroup=testgroup"
>> - "getent group testgroup" does not work (as expected)
>> Why is this?
>>
>> thx
>> matthias
>>
>
> You are going to have to give us more info ;-)
> What OS's ?
> What version(s) of Samba ?
> Have there been any updates/upgrades to anything ?
>
> Rowland
>

thx for quick reply. Samba is 4.8.3 on CentOS 7.
LDAP server is IBM Tivoli Directory Server on AIX. The situation has always been like this, upgrades didn't change anything.

Matthias
Harry Jede
2019-Feb-11  15:36 UTC
[Samba] visibility of groups when multiple Samba servers use the same LDAP server
On 11.02.19 at 12:30, Matthias Leopold via samba wrote:

> Hi,
>
> we are using a _single_ LDAP server as backend for _multiple_ Samba
> standalone file servers (security=user). This LDAP server serves
> mainly other purposes and access for Samba is read only so the
> situation is not optimal but "it works for us". Still I don't
> understand one phenomenon concerning visibility of LDAP groups.
>
> The LDAP configuration in smb.conf for all our Samba servers is
> basically like this (with each server having it's own branch for "ldap
> group suffix", that's the point):
>
> passdb backend = ldapsam:ldap://ldap.domain.tld
> ldap suffix = dc=domain,dc=tld
> ldap user suffix = ou=people
> ldap group suffix = ou=server01,ou=smb,ou=Groups
>
> NSS uses LDAP via SSSD like this:
>
> [domain/LDAP]
> id_provider = ldap
>
> ldap_uri = ldap://ldap.domain.tld
> ldap_search_base = dc=domain,dc=tld
>
> ldap_user_search_base = ou=People,dc=domain,dc=tld
> ldap_group_search_base = ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld
>
> The sambaDomainName is stored in an entry in LDAP path
> ou=smb,dc=domain,dc=tld. Each server has it's own entry, but all use
> the same SID.
>
> This setup is not exactly pretty, but it "works".

More or less

> Still, unexpectedly Samba on server01 sees groups in other branches
> than "ou=server01,ou=smb,ou=Groups" (with "net groupmap list").

Yes, still normal. Samba has an own view of ldap! And this does not use your nss settings.

The only way to get this solved: use ACLs in Tivoli, so that each samba instance sees only the "own groups".

This is a log snippet from an openldap server. Loglevel is set to filter processing:

SRCH base="dc=europa,dc=xx" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(|(displayName=teachers)(cn=teachers)))"

I have searched for a group named teachers with:

net groupmap list ntgroup=teachers

Some lines from smb.conf:

# egrep 'ldap|idmap' /etc/samba/smb.conf
ldapsam:trusted = yes
ldapsam:editposix = yes
passdb backend = ldapsam:ldapi:///
ldap passwd sync = yes
ldap suffix = dc=europa,dc=xx
ldap admin dn = cn=admin,dc=europa,dc=xx
ldap group suffix = ou=groups
ldap user suffix = ou=people,ou=accounts
ldap machine suffix = ou=machines,ou=accounts
; passwd program = /usr/sbin/smbldap-passwd %u
; add machine script = /usr/sbin/smbldap-useradd -a -W "%u"
ldap delete dn = yes
ldap ssl = no
idmap config * : backend = ldap
idmap config * : range = 30000-1999999
idmap config * : ldap_url = ldapi:///
idmap config * : ldap_base_dn = ou=idmap,dc=europa,dc=xx
idmap config * : ldap_user_dn = cn=admin,dc=europa,dc=xx
ldap passwd sync = yes

So, I have set "ldap group suffix" but as you see in the above log, samba does not honor this setting. Samba's search starts at "ldap suffix".

Again, use acls in tivoli and all is good.

Hope that helps

>
> example:
> - group is cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
> - on server01 this group is visible with "net groupmap list
> ntgroup=testgroup"
> - "getent group testgroup" does not work (as expected)
> Why is this?
>
> thx
> matthias
>

--
Harry Jede
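The following script is an added illustration of the behaviour Harry describes; it is not code from the thread or from the Samba project. It simulates the two lookups against a constructed set of LDAP entries that follow the naming scheme in the question: Samba's ldapsam backend runs a subtree search (scope=2) from "ldap suffix" with the filter shown in the slapd log, so the "ldap group suffix" branch does not narrow what "net groupmap list" returns, while SSSD searches only below its ldap_group_search_base. The entry DNs, attribute values and all helper names (in_subtree, net_groupmap_list, getent_group, foreign_samba_groups) are assumptions made for the example; the last helper is a small audit that lists the sambaGroupMapping entries one server would pick up from other servers' branches.

```python
"""Simulate Samba's ldapsam group lookup vs. SSSD's group lookup against a
constructed set of LDAP entries (added example, not code from the thread).

ldapsam searches the whole subtree below "ldap suffix" with
(&(objectClass=sambaGroupMapping)(|(displayName=N)(cn=N))), so groups in
other servers' branches are visible to "net groupmap list"; SSSD only
searches below ldap_group_search_base, so "getent group" does not see them.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Entry:
    """A minimal LDAP entry: a DN plus multi-valued attributes."""
    dn: str
    attrs: Dict[str, List[str]] = field(default_factory=dict)


# Constructed sample directory (assumption): one group branch per Samba
# server under ou=smb,ou=Groups, as in the question.
SAMPLE_ENTRIES = [
    Entry("cn=admins,ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld",
          {"objectClass": ["posixGroup", "sambaGroupMapping"],
           "cn": ["admins"], "gidNumber": ["10001"]}),
    Entry("cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld",
          {"objectClass": ["posixGroup", "sambaGroupMapping"],
           "cn": ["testgroup"], "gidNumber": ["10002"]}),
    # A plain POSIX group elsewhere in the tree, with no Samba mapping.
    Entry("cn=testgroup,ou=Groups,dc=domain,dc=tld",
          {"objectClass": ["posixGroup"], "cn": ["testgroup"],
           "gidNumber": ["10003"]}),
    Entry("uid=jdoe,ou=People,dc=domain,dc=tld",
          {"objectClass": ["posixAccount", "sambaSamAccount"], "uid": ["jdoe"]}),
]


def _rdns(dn: str) -> List[str]:
    # Simplified DN handling: split on commas, ignore escaping, compare
    # case-insensitively (sufficient for the constructed DNs above).
    return [part.strip().lower() for part in dn.split(",")]


def in_subtree(dn: str, base: str) -> bool:
    """True if dn is base itself or lies anywhere below it (LDAP scope=2)."""
    d, b = _rdns(dn), _rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b


def values(entry: Entry, attr: str) -> List[str]:
    """Case-insensitive attribute lookup returning lower-cased values."""
    for name, vals in entry.attrs.items():
        if name.lower() == attr.lower():
            return [v.lower() for v in vals]
    return []


def samba_groupmap_filter(name: str) -> Callable[[Entry], bool]:
    """The ldapsam filter seen in the slapd log:
    (&(objectClass=sambaGroupMapping)(|(displayName=name)(cn=name)))"""
    n = name.lower()
    return lambda e: ("sambagroupmapping" in values(e, "objectClass")
                      and (n in values(e, "displayName") or n in values(e, "cn")))


def sssd_group_filter(name: str) -> Callable[[Entry], bool]:
    """SSSD's default LDAP group lookup: a posixGroup with a matching cn."""
    n = name.lower()
    return lambda e: "posixgroup" in values(e, "objectClass") and n in values(e, "cn")


def search(entries: List[Entry], base: str, match: Callable[[Entry], bool]) -> List[str]:
    """Subtree search: DNs of all entries below base that satisfy the filter."""
    return [e.dn for e in entries if in_subtree(e.dn, base) and match(e)]


def net_groupmap_list(entries: List[Entry], ldap_suffix: str, name: str) -> List[str]:
    """What "net groupmap list ntgroup=NAME" sees: the search starts at
    "ldap suffix", not at "ldap group suffix"."""
    return search(entries, ldap_suffix, samba_groupmap_filter(name))


def getent_group(entries: List[Entry], group_search_base: str, name: str) -> List[str]:
    """What "getent group NAME" sees through SSSD: only below its own base."""
    return search(entries, group_search_base, sssd_group_filter(name))


def foreign_samba_groups(entries: List[Entry], ldap_suffix: str, own_group_base: str) -> List[str]:
    """Audit helper: sambaGroupMapping entries this server will pick up even
    though they live outside its own "ldap group suffix" branch."""
    return [e.dn for e in entries
            if in_subtree(e.dn, ldap_suffix)
            and "sambagroupmapping" in values(e, "objectClass")
            and not in_subtree(e.dn, own_group_base)]


if __name__ == "__main__":
    suffix = "dc=domain,dc=tld"
    own = "ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld"
    print("net groupmap list:", net_groupmap_list(SAMPLE_ENTRIES, suffix, "testgroup"))
    print("getent group:     ", getent_group(SAMPLE_ENTRIES, own, "testgroup"))
    print("foreign groups:   ", foreign_samba_groups(SAMPLE_ENTRIES, suffix, own))
```

Against a live directory the same comparison can be made with ldapsearch, binding as the account Samba uses and issuing a subtree search from the "ldap suffix" base with the filter from the log (`-b "dc=domain,dc=tld" -s sub`): any sambaGroupMapping entry it returns from another server's branch is one that server's "net groupmap list" will also show, which is why the fix Harry proposes is directory-side ACLs rather than a smb.conf setting.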