Matthias Leopold
2019-Feb-11 14:40 UTC
[Samba] visibility of groups when multiple Samba servers use the same LDAP server
On 11.02.19 at 14:22, Rowland Penny via samba wrote:
> On Mon, 11 Feb 2019 13:46:05 +0100
> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>
>> On 11.02.19 at 13:22, Rowland Penny via samba wrote:
>>> On Mon, 11 Feb 2019 12:30:51 +0100
>>> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> we are using a _single_ LDAP server as backend for _multiple_ Samba
>>>> standalone file servers (security=user). This LDAP server serves
>>>> mainly other purposes and access for Samba is read only so the
>>>> situation is not optimal but "it works for us". Still I don't
>>>> understand one phenomenon concerning visibility of LDAP groups.
>>>>
>>>> The LDAP configuration in smb.conf for all our Samba servers is
>>>> basically like this (with each server having its own branch for
>>>> "ldap group suffix", that's the point):
>>>>
>>>> passdb backend = ldapsam:ldap://ldap.domain.tld
>>>> ldap suffix = dc=domain,dc=tld
>>>> ldap user suffix = ou=people
>>>> ldap group suffix = ou=server01,ou=smb,ou=Groups
>>>>
>>>> NSS uses LDAP via SSSD like this:
>>>>
>>>> [domain/LDAP]
>>>> id_provider = ldap
>>>>
>>>> ldap_uri = ldap://ldap.domain.tld
>>>> ldap_search_base = dc=domain,dc=tld
>>>>
>>>> ldap_user_search_base = ou=People,dc=domain,dc=tld
>>>> ldap_group_search_base = ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld
>>>>
>>>> The sambaDomainName is stored in an entry in LDAP path
>>>> ou=smb,dc=domain,dc=tld. Each server has its own entry, but all
>>>> use the same SID.
>>>>
>>>> This setup is not exactly pretty, but it "works". Still,
>>>> unexpectedly Samba on server01 sees groups in other branches than
>>>> "ou=server01,ou=smb,ou=Groups" (with "net groupmap list").
>>>>
>>>> example:
>>>> - group is cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
>>>> - on server01 this group is visible with "net groupmap list ntgroup=testgroup"
>>>> - "getent group testgroup" does not work (as expected)
>>>> Why is this?
>>>>
>>>> thx
>>>> matthias
>>>>
>>>
>>> You are going to have to give us more info ;-)
>>> What OS's?
>>> What version(s) of Samba?
>>> Have there been any updates/upgrades to anything?
>>>
>>> Rowland
>>>
>>
>> thx for quick reply.
>> Samba is 4.8.3 on CentOS 7.
>> LDAP server is IBM Tivoli Directory Server on AIX.
>> The situation has always been like this, upgrades didn't change
>> anything.
>>
>> Matthias
>>
>
> It sounds like you are running Samba in much the same way as a PDC and
> in a very old way, but I cannot be sure about this because you seem to
> be refusing to post your smb.conf.
>
> You posted:
>
> Still, unexpectedly Samba on server01
>
> To me, a native English-speaking person, that sounds like your problem
> had just started. I think you meant:
>
> However, Samba on server01
>
> If your NON_PDC PDC is set up correctly, 'getent group testgroup' would
> work.
>
> Rowland
>

Thanks for the help.

I'm attaching the output of "testparm" for one of the servers.
Indeed I wanted to express "However, Samba on server01", I wasn't aware
of this potential for misunderstanding, sorry.

I don't know any recent SAMBA + LDAP documentation, I roughly follow
https://wiki.samba.org/index.php/Samba_%26_LDAP and I did set up a PDC
with smbldap-tools a long time ago, but I know that this is not a PDC
right now. What are the differences for non PDC servers?

When I tell Samba + NSS to use LDAP branch
'ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld' for group information
I don't expect that group 'testgroup' in branch
'ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld' is found.

Matthias
-------------- next part --------------
[global]
	ldap admin dn = uid=ldapadmin,ou=services,dc=domain,dc=tld
	ldap group suffix = ou=group01,ou=smb,ou=Groups
	ldap suffix = dc=domain,dc=tld
	ldap user suffix = ou=people
	map to guest = Bad User
	passdb backend = ldapsam:ldap://ldap.domain.tld
	security = USER
	workgroup = SAMBA
	idmap config * : backend = tdb
	map acl inherit = Yes
	store dos attributes = Yes
	vfs objects = acl_xattr


[foo_home]
	admin users = +foo_admin
	browseable = No
	path = /srv/foo/lv01/home
	read only = No
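An added example, not from the thread and not Samba's or SSSD's code, that models the two lookups as LDAP searches with different base DNs over constructed entries mirroring the DNs in the thread. It assumes that the ldapsam group-mapping lookup behind "net groupmap list" searches the whole "ldap suffix" subtree for sambaGroupMapping entries, whereas SSSD is confined to ldap_group_search_base; DN handling is deliberately naive (no escaped commas).

```python
# Toy model of LDAP search scoping (constructed; not a real directory dump).


def dn_rdns(dn):
    """Split a DN into RDNs, root-most first, lowercased; assumes no escaped commas."""
    return [rdn.strip().lower() for rdn in dn.split(",")][::-1]


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is inside a search with this base DN and scope (base/one/sub)."""
    entry, base = dn_rdns(entry_dn), dn_rdns(base_dn)
    if entry[:len(base)] != base:
        return False
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def search(entries, base_dn, scope, *conditions):
    """AND of equality filters: DNs of in-scope entries matching every (attr, value)."""
    return sorted(dn for dn, attrs in entries.items()
                  if in_scope(dn, base_dn, scope)
                  and all(v in attrs.get(a, ()) for a, v in conditions))


LDAP_SUFFIX = "dc=domain,dc=tld"                       # smb.conf "ldap suffix"
GROUP_BASE_SERVER01 = "ou=server01,ou=smb,ou=Groups," + LDAP_SUFFIX  # sssd.conf base
ENTRIES = {  # constructed entries laid out like the thread's directory
    "cn=foo_admin,ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld":
        {"cn": ["foo_admin"], "objectClass": ["posixGroup", "sambaGroupMapping"]},
    "cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld":
        {"cn": ["testgroup"], "objectClass": ["posixGroup", "sambaGroupMapping"]},
}


def groupmap_lookup(name):
    """Assumed ldapsam behaviour: subtree search from the ldap suffix, so every
    server's branch is a candidate regardless of 'ldap group suffix'."""
    return search(ENTRIES, LDAP_SUFFIX, "sub",
                  ("objectClass", "sambaGroupMapping"), ("cn", name))


def nss_lookup(name):
    """SSSD on server01: search restricted to ldap_group_search_base."""
    return search(ENTRIES, GROUP_BASE_SERVER01, "sub",
                  ("objectClass", "posixGroup"), ("cn", name))


if __name__ == "__main__":
    print("net groupmap view:", groupmap_lookup("testgroup"))  # finds server02's entry
    print("getent group view:", nss_lookup("testgroup"))       # finds nothing
```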
Rowland Penny
2019-Feb-11 15:33 UTC
[Samba] visibility of groups when multiple Samba servers use the same LDAP server
On Mon, 11 Feb 2019 15:40:02 +0100
Matthias Leopold via samba <samba at lists.samba.org> wrote:

>
>
> On 11.02.19 at 14:22, Rowland Penny via samba wrote:
> > On Mon, 11 Feb 2019 13:46:05 +0100
> > Matthias Leopold via samba <samba at lists.samba.org> wrote:
> >
> >>
> >>
> >> On 11.02.19 at 13:22, Rowland Penny via samba wrote:
> >>> On Mon, 11 Feb 2019 12:30:51 +0100
> >>> Matthias Leopold via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> we are using a _single_ LDAP server as backend for _multiple_
> >>>> Samba standalone file servers (security=user). This LDAP server
> >>>> serves mainly other purposes and access for Samba is read only
> >>>> so the situation is not optimal but "it works for us". Still I
> >>>> don't understand one phenomenon concerning visibility of LDAP
> >>>> groups.
> >>>>
> >>>> The LDAP configuration in smb.conf for all our Samba servers is
> >>>> basically like this (with each server having its own branch for
> >>>> "ldap group suffix", that's the point):
> >>>>
> >>>> passdb backend = ldapsam:ldap://ldap.domain.tld
> >>>> ldap suffix = dc=domain,dc=tld
> >>>> ldap user suffix = ou=people
> >>>> ldap group suffix = ou=server01,ou=smb,ou=Groups
> >>>>
> >>>> NSS uses LDAP via SSSD like this:
> >>>>
> >>>> [domain/LDAP]
> >>>> id_provider = ldap
> >>>>
> >>>> ldap_uri = ldap://ldap.domain.tld
> >>>> ldap_search_base = dc=domain,dc=tld
> >>>>
> >>>> ldap_user_search_base = ou=People,dc=domain,dc=tld
> >>>> ldap_group_search_base = ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld
> >>>>
> >>>> The sambaDomainName is stored in an entry in LDAP path
> >>>> ou=smb,dc=domain,dc=tld. Each server has its own entry, but all
> >>>> use the same SID.
> >>>>
> >>>> This setup is not exactly pretty, but it "works". Still,
> >>>> unexpectedly Samba on server01 sees groups in other branches than
> >>>> "ou=server01,ou=smb,ou=Groups" (with "net groupmap list").
> >>>>
> >>>> example:
> >>>> - group is cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
> >>>> - on server01 this group is visible with "net groupmap list ntgroup=testgroup"
> >>>> - "getent group testgroup" does not work (as expected)
> >>>> Why is this?
> >>>>
> >>>> thx
> >>>> matthias
> >>>>
> >>>
> >>> You are going to have to give us more info ;-)
> >>> What OS's?
> >>> What version(s) of Samba?
> >>> Have there been any updates/upgrades to anything?
> >>>
> >>> Rowland
> >>>
> >>
> >> thx for quick reply.
> >> Samba is 4.8.3 on CentOS 7.
> >> LDAP server is IBM Tivoli Directory Server on AIX.
> >> The situation has always been like this, upgrades didn't change
> >> anything.
> >>
> >> Matthias
> >>
> >
> > It sounds like you are running Samba in much the same way as a PDC
> > and in a very old way, but I cannot be sure about this because you
> > seem to be refusing to post your smb.conf.
> >
> > You posted:
> >
> > Still, unexpectedly Samba on server01
> >
> > To me, a native English-speaking person, that sounds like your
> > problem had just started. I think you meant:
> >
> > However, Samba on server01
> >
> > If your NON_PDC PDC is set up correctly, 'getent group testgroup'
> > would work.
> >
> > Rowland
> >
>
> Thanks for the help.
>
> I'm attaching the output of "testparm" for one of the servers.
> Indeed I wanted to express "However, Samba on server01", I wasn't
> aware of this potential for misunderstanding, sorry.

No problem, it was just a misunderstanding, I misunderstood what you
meant, but I understand now.

> I don't know any recent SAMBA + LDAP documentation, I roughly follow
> https://wiki.samba.org/index.php/Samba_%26_LDAP and I did set up a
> PDC with smbldap-tools a long time ago, but I know that this is not a
> PDC right now. What are the differences for non PDC servers?

Not much, what you are running is a PDC, you just don't have any
clients. As for recent Samba with LDAP documentation, there isn't any
and there isn't any real impetus to write any, they are a dying
breed ;-) It is much easier to set up a Samba AD DC domain

>
> When I tell Samba + NSS to use LDAP branch
> 'ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld' for group information
> I don't expect that group 'testgroup' in branch
> 'ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld' is found.

Try setting up a test computer and use this smb.conf:

[global]
	workgroup = SAMBA
	security = USER
	server max protocol = NT1
	passdb backend = ldapsam
	ldap admin dn = uid=ldapadmin,ou=services,dc=domain,dc=tld
	ldap suffix = dc=domain,dc=tld
	ldap group suffix = ou=group01,ou=smb,ou=Groups
	ldap user suffix = ou=people
	idmap config * : range = 500-19999
	idmap config * : backend = ldap
	idmap config * : ldap_url = ldap://ldap.domain.tld
	idmap config * : ldap_base_dn = ou=idmap,dc=domain,dc=tld
	idmap config * : ldap_user_dn = uid=ldapadmin,ou=services,dc=domain,dc=tld

	map acl inherit = Yes
	store dos attributes = Yes
	vfs objects = acl_xattr

[foo_home]
	admin users = +foo_admin
	browseable = No
	path = /srv/foo/lv01/home
	read only = No

if that doesn't work, pretend your AIX server is an AD DC and follow
this wiki page:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
Matthias Leopold
2019-Feb-11 16:29 UTC
[Samba] visibility of groups when multiple Samba servers use the same LDAP server
On 11.02.19 at 16:33, Rowland Penny via samba wrote:
> On Mon, 11 Feb 2019 15:40:02 +0100
> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>
>>
>>
>> On 11.02.19 at 14:22, Rowland Penny via samba wrote:
>>> On Mon, 11 Feb 2019 13:46:05 +0100
>>> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>>>
>>>>
>>>>
>>>> On 11.02.19 at 13:22, Rowland Penny via samba wrote:
>>>>> On Mon, 11 Feb 2019 12:30:51 +0100
>>>>> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> we are using a _single_ LDAP server as backend for _multiple_
>>>>>> Samba standalone file servers (security=user). This LDAP server
>>>>>> serves mainly other purposes and access for Samba is read only
>>>>>> so the situation is not optimal but "it works for us". Still I
>>>>>> don't understand one phenomenon concerning visibility of LDAP
>>>>>> groups.
>>>>>>
>>>>>> The LDAP configuration in smb.conf for all our Samba servers is
>>>>>> basically like this (with each server having its own branch for
>>>>>> "ldap group suffix", that's the point):
>>>>>>
>>>>>> passdb backend = ldapsam:ldap://ldap.domain.tld
>>>>>> ldap suffix = dc=domain,dc=tld
>>>>>> ldap user suffix = ou=people
>>>>>> ldap group suffix = ou=server01,ou=smb,ou=Groups
>>>>>>
>>>>>> NSS uses LDAP via SSSD like this:
>>>>>>
>>>>>> [domain/LDAP]
>>>>>> id_provider = ldap
>>>>>>
>>>>>> ldap_uri = ldap://ldap.domain.tld
>>>>>> ldap_search_base = dc=domain,dc=tld
>>>>>>
>>>>>> ldap_user_search_base = ou=People,dc=domain,dc=tld
>>>>>> ldap_group_search_base = ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld
>>>>>>
>>>>>> The sambaDomainName is stored in an entry in LDAP path
>>>>>> ou=smb,dc=domain,dc=tld. Each server has its own entry, but all
>>>>>> use the same SID.
>>>>>>
>>>>>> This setup is not exactly pretty, but it "works". Still,
>>>>>> unexpectedly Samba on server01 sees groups in other branches than
>>>>>> "ou=server01,ou=smb,ou=Groups" (with "net groupmap list").
>>>>>>
>>>>>> example:
>>>>>> - group is cn=testgroup,ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld
>>>>>> - on server01 this group is visible with "net groupmap list ntgroup=testgroup"
>>>>>> - "getent group testgroup" does not work (as expected)
>>>>>> Why is this?
>>>>>>
>>>>>> thx
>>>>>> matthias
>>>>>>
>>>>>
>>>>> You are going to have to give us more info ;-)
>>>>> What OS's?
>>>>> What version(s) of Samba?
>>>>> Have there been any updates/upgrades to anything?
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>>> thx for quick reply.
>>>> Samba is 4.8.3 on CentOS 7.
>>>> LDAP server is IBM Tivoli Directory Server on AIX.
>>>> The situation has always been like this, upgrades didn't change
>>>> anything.
>>>>
>>>> Matthias
>>>>
>>>
>>> It sounds like you are running Samba in much the same way as a PDC
>>> and in a very old way, but I cannot be sure about this because you
>>> seem to be refusing to post your smb.conf.
>>>
>>> You posted:
>>>
>>> Still, unexpectedly Samba on server01
>>>
>>> To me, a native English-speaking person, that sounds like your
>>> problem had just started. I think you meant:
>>>
>>> However, Samba on server01
>>>
>>> If your NON_PDC PDC is set up correctly, 'getent group testgroup'
>>> would work.
>>>
>>> Rowland
>>>
>>
>> Thanks for the help.
>>
>> I'm attaching the output of "testparm" for one of the servers.
>> Indeed I wanted to express "However, Samba on server01", I wasn't
>> aware of this potential for misunderstanding, sorry.
>
> No problem, it was just a misunderstanding, I misunderstood what you
> meant, but I understand now.
>
>> I don't know any recent SAMBA + LDAP documentation, I roughly follow
>> https://wiki.samba.org/index.php/Samba_%26_LDAP and I did set up a
>> PDC with smbldap-tools a long time ago, but I know that this is not a
>> PDC right now. What are the differences for non PDC servers?
>
> Not much, what you are running is a PDC, you just don't have any
> clients. As for recent Samba with LDAP documentation, there isn't any
> and there isn't any real impetus to write any, they are a dying
> breed ;-) It is much easier to set up a Samba AD DC domain
>
>>
>> When I tell Samba + NSS to use LDAP branch
>> 'ou=server01,ou=smb,ou=Groups,dc=domain,dc=tld' for group information
>> I don't expect that group 'testgroup' in branch
>> 'ou=server02,ou=smb,ou=Groups,dc=domain,dc=tld' is found.
>
> Try setting up a test computer and use this smb.conf:
>
> [global]
> 	workgroup = SAMBA
> 	security = USER
> 	server max protocol = NT1
> 	passdb backend = ldapsam
> 	ldap admin dn = uid=ldapadmin,ou=services,dc=domain,dc=tld
> 	ldap suffix = dc=domain,dc=tld
> 	ldap group suffix = ou=group01,ou=smb,ou=Groups
> 	ldap user suffix = ou=people
> 	idmap config * : range = 500-19999
> 	idmap config * : backend = ldap
> 	idmap config * : ldap_url = ldap://ldap.domain.tld
> 	idmap config * : ldap_base_dn = ou=idmap,dc=domain,dc=tld
> 	idmap config * : ldap_user_dn = uid=ldapadmin,ou=services,dc=domain,dc=tld
>
> 	map acl inherit = Yes
> 	store dos attributes = Yes
> 	vfs objects = acl_xattr
>
> [foo_home]
> 	admin users = +foo_admin
> 	browseable = No
> 	path = /srv/foo/lv01/home
> 	read only = No
>
> if that doesn't work, pretend your AIX server is an AD DC and follow
> this wiki page:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Rowland
>

thanks to you and Harry Jede

I will discuss all of this with our LDAP admin, he's looking for an ITDS
replacement anyway ;-)

Matthias