Matthias Leopold
2019-Feb-11 12:46 UTC
[Samba] visibility of groups when multiple Samba servers use the same LDAP server
On 11.02.19 at 13:22, Rowland Penny via samba wrote:
> On Mon, 11 Feb 2019 12:30:51 +0100
> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> we are using a _single_ LDAP server as backend for _multiple_ Samba
>> standalone file servers (security=user). This LDAP server serves
>> mainly other purposes and access for Samba is read only, so the
>> situation is not optimal but "it works for us". Still I don't
>> understand one phenomenon concerning visibility of LDAP groups.
>>
>> The LDAP configuration in smb.conf for all our Samba servers is
>> basically like this (with each server having its own branch for
>> "ldap group suffix", that's the point):
>>
>> passdb backend = ldapsam:ldap://ldap.domain.tld
>> ldap suffix = dc=domain,dc=tld
>> ldap user suffix = ou=people
>> ldap group suffix = ou=server01,ou=smb,ou=Groups
>>
>> NSS uses LDAP via SSSD like this:
>>
>> [domain/LDAP]
>> id_provider = ldap
>>
>> ldap_uri = ldap://ldap.domain.tld
>> ldap_search_base = dc=domain,dc=tld
>>
>> ldap_user_search_base = ou=People,dc=domain,dc=tld
>> ldap_group_search_base = ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld
>>
>> The sambaDomainName is stored in an entry in LDAP path
>> ou=smb,dc=domain,dc=tld. Each server has its own entry, but all use
>> the same SID.
>>
>> This setup is not exactly pretty, but it "works". Still, unexpectedly
>> Samba on server01 sees groups in other branches than
>> "ou=server01,ou=smb,ou=Groups" (with "net groupmap list").
>>
>> example:
>> - group is cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
>> - on server01 this group is visible with "net groupmap list
>>   ntgroup=testgroup"
>> - "getent group testgroup" does not work (as expected)
>> Why is this?
>>
>> thx
>> matthias
>>
>
> You are going to have to give us more info ;-)
> What OS's ?
> What version(s) of Samba ?
> Have there been any updates/upgrades to anything ?
>
> Rowland
>

thx for quick reply.
Samba is 4.8.3 on CentOS 7.
LDAP server is IBM Tivoli Directory Server on AIX.
The situation has always been like this, upgrades didn't change anything.

Matthias
Rowland Penny
2019-Feb-11 13:22 UTC
[Samba] visibility of groups when multiple Samba servers use the same LDAP server
On Mon, 11 Feb 2019 13:46:05 +0100
Matthias Leopold via samba <samba at lists.samba.org> wrote:
>
> On 11.02.19 at 13:22, Rowland Penny via samba wrote:
>> On Mon, 11 Feb 2019 12:30:51 +0100
>> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>>
>>> Hi,
>>>
>>> we are using a _single_ LDAP server as backend for _multiple_ Samba
>>> standalone file servers (security=user). This LDAP server serves
>>> mainly other purposes and access for Samba is read only, so the
>>> situation is not optimal but "it works for us". Still I don't
>>> understand one phenomenon concerning visibility of LDAP groups.
>>>
>>> The LDAP configuration in smb.conf for all our Samba servers is
>>> basically like this (with each server having its own branch for
>>> "ldap group suffix", that's the point):
>>>
>>> passdb backend = ldapsam:ldap://ldap.domain.tld
>>> ldap suffix = dc=domain,dc=tld
>>> ldap user suffix = ou=people
>>> ldap group suffix = ou=server01,ou=smb,ou=Groups
>>>
>>> NSS uses LDAP via SSSD like this:
>>>
>>> [domain/LDAP]
>>> id_provider = ldap
>>>
>>> ldap_uri = ldap://ldap.domain.tld
>>> ldap_search_base = dc=domain,dc=tld
>>>
>>> ldap_user_search_base = ou=People,dc=domain,dc=tld
>>> ldap_group_search_base = ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld
>>>
>>> The sambaDomainName is stored in an entry in LDAP path
>>> ou=smb,dc=domain,dc=tld. Each server has its own entry, but all
>>> use the same SID.
>>>
>>> This setup is not exactly pretty, but it "works". Still,
>>> unexpectedly Samba on server01 sees groups in other branches than
>>> "ou=server01,ou=smb,ou=Groups" (with "net groupmap list").
>>>
>>> example:
>>> - group is cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
>>> - on server01 this group is visible with "net groupmap list
>>>   ntgroup=testgroup"
>>> - "getent group testgroup" does not work (as expected)
>>> Why is this?
>>>
>>> thx
>>> matthias
>>>
>>
>> You are going to have to give us more info ;-)
>> What OS's ?
>> What version(s) of Samba ?
>> Have there been any updates/upgrades to anything ?
>>
>> Rowland
>>
>
> thx for quick reply.
> Samba is 4.8.3 on CentOS 7.
> LDAP server is IBM Tivoli Directory Server on AIX.
> The situation has always been like this, upgrades didn't change
> anything.
>
> Matthias
>

It sounds like you are running Samba in much the same way as a PDC and
in a very old way, but I cannot be sure about this because you seem to
be refusing to post your smb.conf.

You posted:

Still, unexpectedly Samba on server01

To me, a native English-speaking person, that sounds like your problem
had just started. I think you meant:

However, Samba on server01

If your NON_PDC PDC is set up correctly, 'getent group testgroup' would
work.

Rowland
Matthias Leopold
2019-Feb-11 14:40 UTC
[Samba] visibility of groups when multiple Samba servers use the same LDAP server
On 11.02.19 at 14:22, Rowland Penny via samba wrote:
> On Mon, 11 Feb 2019 13:46:05 +0100
> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>
>>
>> On 11.02.19 at 13:22, Rowland Penny via samba wrote:
>>> On Mon, 11 Feb 2019 12:30:51 +0100
>>> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> we are using a _single_ LDAP server as backend for _multiple_ Samba
>>>> standalone file servers (security=user). This LDAP server serves
>>>> mainly other purposes and access for Samba is read only, so the
>>>> situation is not optimal but "it works for us". Still I don't
>>>> understand one phenomenon concerning visibility of LDAP groups.
>>>>
>>>> The LDAP configuration in smb.conf for all our Samba servers is
>>>> basically like this (with each server having its own branch for
>>>> "ldap group suffix", that's the point):
>>>>
>>>> passdb backend = ldapsam:ldap://ldap.domain.tld
>>>> ldap suffix = dc=domain,dc=tld
>>>> ldap user suffix = ou=people
>>>> ldap group suffix = ou=server01,ou=smb,ou=Groups
>>>>
>>>> NSS uses LDAP via SSSD like this:
>>>>
>>>> [domain/LDAP]
>>>> id_provider = ldap
>>>>
>>>> ldap_uri = ldap://ldap.domain.tld
>>>> ldap_search_base = dc=domain,dc=tld
>>>>
>>>> ldap_user_search_base = ou=People,dc=domain,dc=tld
>>>> ldap_group_search_base = ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld
>>>>
>>>> The sambaDomainName is stored in an entry in LDAP path
>>>> ou=smb,dc=domain,dc=tld. Each server has its own entry, but all
>>>> use the same SID.
>>>>
>>>> This setup is not exactly pretty, but it "works". Still,
>>>> unexpectedly Samba on server01 sees groups in other branches than
>>>> "ou=server01,ou=smb,ou=Groups" (with "net groupmap list").
>>>>
>>>> example:
>>>> - group is cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
>>>> - on server01 this group is visible with "net groupmap list
>>>>   ntgroup=testgroup"
>>>> - "getent group testgroup" does not work (as expected)
>>>> Why is this?
>>>>
>>>> thx
>>>> matthias
>>>>
>>>
>>> You are going to have to give us more info ;-)
>>> What OS's ?
>>> What version(s) of Samba ?
>>> Have there been any updates/upgrades to anything ?
>>>
>>> Rowland
>>>
>>
>> thx for quick reply.
>> Samba is 4.8.3 on CentOS 7.
>> LDAP server is IBM Tivoli Directory Server on AIX.
>> The situation has always been like this, upgrades didn't change
>> anything.
>>
>> Matthias
>>
>
> It sounds like you are running Samba in much the same way as a PDC and
> in a very old way, but I cannot be sure about this because you seem to
> be refusing to post your smb.conf.
>
> You posted:
>
> Still, unexpectedly Samba on server01
>
> To me, a native English-speaking person, that sounds like your problem
> had just started. I think you meant:
>
> However, Samba on server01
>
> If your NON_PDC PDC is set up correctly, 'getent group testgroup' would
> work.
>
> Rowland
>

Thanks for the help. I'm attaching the output of "testparm" for one of the
servers.

Indeed I wanted to express "However, Samba on server01"; I wasn't aware of
this potential for misunderstanding, sorry.

I don't know any recent SAMBA + LDAP documentation. I roughly follow
https://wiki.samba.org/index.php/Samba_%26_LDAP and I did set up a PDC with
smbldap-tools a long time ago, but I know that this is not a PDC right now.
What are the differences for non-PDC servers?

When I tell Samba + NSS to use LDAP branch
'ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld' for group information, I
don't expect that group 'testgroup' in branch
'ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld' is found.

Matthias

-------------- next part --------------
[global]
	ldap admin dn = uid=ldapadmin,ou=services,dc=domain,dc=tld
	ldap group suffix = ou=group01,ou=smb,ou=Groups
	ldap suffix = dc=domain,dc=tld
	ldap user suffix = ou=people
	map to guest = Bad User
	passdb backend = ldapsam:ldap://ldap.domain.tld
	security = USER
	workgroup = SAMBA
	idmap config * : backend = tdb
	map acl inherit = Yes
	store dos attributes = Yes
	vfs objects = acl_xattr

[foo_home]
	admin users = +foo_admin
	browseable = No
	path = /srv/foo/lv01/home
	read only = No
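The mechanism behind the behaviour Matthias describes, as an added example that is not part of the thread. It assumes (labelled in the code) that Samba's ldapsam name lookups, which sit behind "net groupmap list ntgroup=...", search from "ldap suffix" with subtree scope, whereas SSSD roots its lookups at ldap_group_search_base; the directory entries are constructed to mirror the DNs in the thread.

```python
# Added example (not from the thread): models LDAP search base + scope to show
# why a group under ou=server02 is still found by a lookup that starts at
# "ldap suffix" with subtree scope, while a lookup rooted at the ou=server01
# branch does not see it.
# Assumption: Samba's ldapsam name lookups search from "ldap suffix" (subtree);
# "ldap group suffix" only decides where *new* groups are created.

# Constructed directory: DN -> attributes (mirrors the DNs in the thread).
DIRECTORY = {
    "cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld": {
        "objectClass": ["posixGroup", "sambaGroupMapping"],
        "cn": ["testgroup"], "gidNumber": ["10002"],
        "sambaSID": ["S-1-5-21-1-2-3-3005"],     # constructed sample SID
    },
    "cn=staff,ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld": {
        "objectClass": ["posixGroup", "sambaGroupMapping"],
        "cn": ["staff"], "gidNumber": ["10001"],
        "sambaSID": ["S-1-5-21-1-2-3-3003"],     # constructed sample SID
    },
}

def _rdns(dn):
    # Split a DN into RDNs (simple DNs only, no escaped commas); DNs compare
    # case-insensitively, so normalise to lower case.
    return [p.strip().lower() for p in dn.split(",")]

def in_scope(dn, base, scope):
    """True if `dn` is reachable from `base` under LDAP scope base/one/sub."""
    d, b = _rdns(dn), _rdns(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False                     # entry is not under the base at all
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def search(base, scope, attr, value):
    """Return the DNs of entries under base/scope whose `attr` holds `value`."""
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if in_scope(dn, base, scope) and value in attrs.get(attr, []))

def samba_groupmap_lookup(name):
    # Modelled "net groupmap list ntgroup=NAME": search from "ldap suffix", subtree.
    return search("dc=domain,dc=tld", "sub", "cn", name)

def sssd_group_lookup(name):
    # Modelled "getent group NAME" on server01 via SSSD's ldap_group_search_base.
    return search("ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld", "sub", "cn", name)

if __name__ == "__main__":
    print(samba_groupmap_lookup("testgroup"))   # found: subtree from the suffix
    print(sssd_group_lookup("testgroup"))       # []: not under the server01 branch
```

Run against a real directory, the equivalent check is two ldapsearch calls with the same filter but the two different bases; the one rooted at the suffix returns the server02 group, the one rooted at the server01 branch does not.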