Re: [Samba] Samba domain member server using only nss ldap

2012-02-28 Thread Adam Tauno Williams
On Sat, 2012-02-25 at 19:49 +0100, steve wrote:
 one little problem. When I execute ls -la in the directory there is a 
 delay of about 1-2 seconds. Is it normal? The nscd daemon solves this problem, 
 there is no delay. Is there any solution without using nscd?
 nss-ldapd with nslcd. Much quicker mappings.
 http://arthurdejong.org/nss-pam-ldapd/

+1  Use nslcd, not nscd.  It also reduces the number of separate
connections to the DSA.


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Samba domain member server using only nss ldap

2012-02-25 Thread Alex Domoradov
It seems that I found a working solution. With the following smb.conf everything
works as I expected.

[global]

workgroup = W3
server string = Test file server
netbios name = FS2
security = domain

load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes

log file = /var/log/samba/samba.log
max log size = 5

encrypt passwords = yes
winbind enum groups = yes
winbind enum users = yes

idmap backend = ldap:ldap://pdc.w3.lan/;
ldap idmap suffix = ou=idmap

idmap uid = 1000-50
idmap gid = 1000-50

idmap config W3 : backend  = nss
idmap config W3 : range = 1000-50

ldapsam:trusted = yes
ldapsam:editposix = yes

ldap suffix = dc=w3,dc=lan
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap admin dn = cn=root,dc=w3,dc=lan
ldap ssl = no

enable privileges = yes

os level = 8
local master = no
domain master = no
preferred master = no
domain logons = no

wins server = 192.168.210.104
dns proxy = yes

client ntlmv2 auth = yes
client plaintext auth = no

lanman auth = no
lm announce = no

deadtime = 15

display charset = utf8
unix charset = utf8
dos charset = cp866

log level  = 3
host msdfs  = no

[Test]
comment = Test
path = /tmp/Test/
public = yes
guest ok = no
valid users = @W3\w3-nssldap
write list = @W3\w3-nssldap
browseable = yes
force create mode = 0770
create mode = 0770
force directory mode = 0770
directory mode = 0770
create mask = 0660
directory mask = 0770

The main difference is that I removed the following line: winbind trusted
domains only = yes

# id nssldap
uid=1890(nssldap) gid=1354(w3-nssldap) groups=513(Domain Users),1354(w3-nssldap)

# getent passwd nssldap
nssldap:x:1890:1354:System User:/home/w3u/nssldap:/bin/false

# getent group w3-nssldap
w3-nssldap:*:1354:nssldap

# wbinfo -i w3\\nssldap
W3\nssldap:*:1890:1354:nssldap:/home/W3/nssldap:/bin/false

# wbinfo --name-to-sid=nssldap
S-1-5-21-250625134-237382211-2379110221-4780 User (1)

# wbinfo --name-to-sid=w3-nssldap
S-1-5-21-250625134-237382211-2379110221-3709 Domain Group (2)

# wbinfo --sid-to-uid=S-1-5-21-250625134-237382211-2379110221-4780
1890

# wbinfo --sid-to-gid=S-1-5-21-250625134-237382211-2379110221-3709
1354

But there's one little problem. When I execute ls -la in the directory
there is a delay of about 1-2 seconds. Is it normal? The nscd daemon solves this
problem, there is no delay. Is there any solution without using nscd?
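An added consistency check for the diagnostics above and for Gaiseric Vandal's idmap_nss explanation further down the thread; this is example code, not anything posted on the list. It parses the [global] section of an smb.conf together with the output of getent passwd, getent group, ls -ln and wbinfo --sid-to-uid/--sid-to-gid, and reports where the ids winbind allocates disagree with the ids NSS already knows, which is the uid-from-LDAP, gid-from-winbind symptom in the original post. The idmap ranges in the sample configurations are assumed values, since the archive garbled the real ones.

```python
"""Check that idmap_nss on a Samba member server agrees with NSS (added
example, not from the thread).  Feed it smb.conf plus the diagnostic output
the thread uses (getent, ls -ln, wbinfo) and it lists every disagreement."""


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}.  Keys are lower-cased
    with inner whitespace collapsed so 'idmap config W3 : range' is found
    whatever spacing is used.  Samba treats '#' and ';' as comments only at
    the start of a line, so a ';' inside a value (an LDAP URL) is preserved."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, val = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = val.strip()
    return conf


def parse_range(spec):
    """'1000-50000' -> (1000, 50000)."""
    lo, hi = spec.split("-", 1)
    return int(lo), int(hi)


def check_idmap(conf, domain, passwd_line, group_line, ls_ln_line, wb_uid, wb_gid):
    """Return findings; an empty list means NSS, winbind and on-disk ownership agree."""
    g = conf["global"]
    nss_uid, nss_gid = int(passwd_line.split(":")[2]), int(group_line.split(":")[2])
    fs_uid, fs_gid = (int(f) for f in ls_ln_line.split()[2:4])  # owner, group of a new dir
    findings = []
    prefix = f"idmap config {domain.lower()} : "
    if g.get(prefix + "backend") != "nss":
        findings.append(f"{domain}: no idmap_nss backend, SIDs are allocated from "
                        f"'{g.get('idmap backend', 'tdb')}' instead of reusing NSS ids")
    elif prefix + "range" in g:
        lo, hi = parse_range(g[prefix + "range"])
        for kind, val in (("uid", nss_uid), ("gid", nss_gid)):
            if not lo <= val <= hi:
                findings.append(f"{domain}: NSS {kind} {val} is outside idmap range {lo}-{hi}")
    if wb_uid != nss_uid:
        findings.append(f"winbind maps the user SID to uid {wb_uid}, NSS says {nss_uid}")
    if wb_gid != nss_gid:
        findings.append(f"winbind maps the group SID to gid {wb_gid}, NSS says {nss_gid}")
    if (fs_uid, fs_gid) != (nss_uid, nss_gid):
        findings.append(f"new files are owned {fs_uid}:{fs_gid}, NSS expects {nss_uid}:{nss_gid}")
    return findings


# Constructed samples modelled on the thread.  The ranges are assumed values;
# the list archive garbled the real ones.
BROKEN_CONF = """
[global]
workgroup = W3
security = domain
idmap backend = ldap:ldap://pdc.w3.lan/
idmap uid = 50000-500000
idmap gid = 50000-500000
"""
FIXED_CONF = BROKEN_CONF + """
idmap config W3 : backend = nss
idmap config W3 : range = 1000-50000
"""
PASSWD = "nssldap:x:1890:1354:System User:/home/w3u/nssldap:/bin/false"
GROUP = "w3-nssldap:*:1354:nssldap"


def demo():
    """Run the check on the 'before' (winbind-allocated gid) and 'after' setups."""
    before = check_idmap(parse_smb_conf(BROKEN_CONF), "W3", PASSWD, GROUP,
                         "drwxrwx--- 2 1890 321909 4096 Feb 15 17:00 test", 50290, 321909)
    after = check_idmap(parse_smb_conf(FIXED_CONF), "W3", PASSWD, GROUP,
                        "drwxrwx--- 2 1890 1354 4096 Feb 25 12:00 test", 1890, 1354)
    return before, after
```

demo() returns four findings for the broken configuration (missing idmap_nss backend, uid and gid both mapped differently by winbind, files owned by the winbind gid) and none for the fixed one.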




Re: [Samba] Samba domain member server using only nss ldap

2012-02-25 Thread steve
one little problem. When I execute ls -la in the directory there is a 
delay of about 1-2 seconds. Is it normal? The nscd daemon solves this problem, 
there is no delay. Is there any solution without using nscd?


nss-ldapd with nslcd. Much quicker mappings.
http://arthurdejong.org/nss-pam-ldapd/
HTH
Steve



Re: [Samba] Samba domain member server using only nss ldap

2012-02-21 Thread Alex Domoradov
Thanks, I'll try your solution




Re: [Samba] Samba domain member server using only nss ldap

2012-02-20 Thread Angel Bosch
Hi, 

not sure if you solved this. I'll give my advice anyway. 


if you know how to configure NSS/LDAP at system level, that is the simplest way I've 
found to configure a member server. 

first, be sure to have everything nss related configured (nsswitch.conf, ldap.conf) 
and check it with getent passwd and getent group. 

once you have that, create a machine account on the PDC and join the member 
server (net rpc join). 

then configure the member server as a simple file server with no reference to LDAP. 
you don't need any ldap settings in smb.conf, just something like: 


[global]
workgroup = MYDOM
server string = %h server
security = DOMAIN
password server = mypdc.example.com
 
[prova3]
comment = proves de membre samba
path = /tmp/prova3
read only = No
guest ok = Yes




this is the simplest way i've found to do it.

regards,

abosch



Re: [Samba] Samba domain member server using only nss ldap

2012-02-16 Thread Gaiseric Vandal
Unfortunately I am not sure if the idmapping functionality in Samba 
depends on winbind. It appears that it does.


http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html


I do have some member servers on which I am not using winbindd.  We are 
using LDAP for Unix level authentication since we have both windows and 
unix clients.   On these member servers, if you look at the file 
permissions in windows you will see entries like UNIX\someuser instead 
of MYDOMAIN\someuser.  I have not tried the idmap_nss on this.
This is OK if most of the changes to the files or file permissions are 
done in unix.   If a windows user connects, samba will map 
MYDOMAIN\someuser to the unix user and respect the existing unix 
permissions, but it makes it hard to set file permissions in windows.  
From a windows client, you may try to grant permissions to 
MYDOMAIN\someotheruser but in that case samba will not handle the 
mapping correctly and setting permissions fails.



With the idmap_nss backend example, samba should try to use nsswitch to 
locate the user id's for users in your domain.  It will expect user and 
group uid's to be 1000 or higher but under 1 million.   Any other users 
or groups (e.g. from trusted domains) will use a local database 
file to create or retrieve idmapping entries.  For users in your domain 
samba should determine that MYDOMAIN\someuser is the same person as 
the unix someuser account, and hopefully display the file 
permissions in windows appropriately.



[global]
idmap backend = tdb
idmap uid = 100-199
idmap gid = 100-199

idmap config SAMBA : backend  = nss
idmap config SAMBA : range = 1000-99


As I said, I have not got this to work.  I have also found that the 
samba how-to documentation does not always keep pace with the software 
updates, although the man pages usually do.  It is just sometimes 
difficult to get an overall picture of how something should work from 
the man pages.



[Samba] Samba domain member server using only nss ldap

2012-02-15 Thread Alex Domoradov
I have an NT4 domain on samba-3.x integrated with LDAP. I need to use domain
users in the share permissions.

On the domain member server I have the following smb.conf

[global]

workgroup = W3
server string = File server
netbios name = FS1
security = domain

load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes

log file = /var/log/samba/samba.log
max log size = 5

encrypt passwords = yes

winbind trusted domains only = yes

idmap backend = ldap:ldap://pdc.w3.lan/;
ldap idmap suffix = ou=idmap

idmap uid = 5-50
idmap gid = 5-50

ldapsam:trusted = yes
ldapsam:editposix = yes

ldap suffix = dc=w3,dc=lan
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap admin dn = cn=root,dc=w3,dc=lan
ldap ssl = no

socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192

enable privileges = yes

os level = 8
local master = no
domain master = no
preferred master = no
domain logons = no

wins server = 192.168.210.104
dns proxy = yes

client ntlmv2 auth = yes
client plaintext auth = no

lanman auth = no
lm announce = no

deadtime = 15

display charset = utf8
unix charset = utf8
dos charset = cp866

log level  = 3
host msdfs  = no

[Test]
comment = Test
path = /data/production/Test/
public = yes
guest ok = no
valid users = @W3\w3-nssldap
write list = @W3\w3-nssldap
browseable = yes
force create mode = 0770
create mode = 0770
force directory mode = 0770
directory mode = 0770
create mask = 0660
directory mask = 0770
force group = @W3\w3-nssldap

# cat /etc/nsswitch.conf | grep ldap
passwd: files ldap
shadow: files ldap
group:  files ldap

When I create any folder in the share Test I get the following uid/gid

# ls -l
total 4
drwxrwx--- 2 nssldap 321909 4096 Feb 15 17:00 test

# ls -ln
total 4
drwxrwx--- 2 1890 321909 4096 Feb 15 17:00 test

# getent group | grep ^w3-nssldap
w3-nssldap:*:1354:nssldap

# id nssldap
uid=1890(nssldap) gid=1354(w3-nssldap) groups=1354(w3-nssldap),513(Domain Users)

# wbinfo --name-to-sid=nssldap
S-1-5-21-250625134-237382211-2379110221-4780 SID_USER (1)

# wbinfo --sid-to-uid=S-1-5-21-250625134-237382211-2379110221-4780
50290

It seems that samba gets the uid from LDAP and the gid from winbind. So my
question is: is it possible to use only nss ldap on a domain member server
to map uid/gid?


Re: [Samba] Samba domain member server using only nss ldap

2012-02-15 Thread Gaiseric Vandal
On a member server,  the ldap backend should not be needed for user and 
group look up.  You do need some sort of idmapping for the unix level to 
see the UID's and GID's assigned to the samba users, and use those uid's 
and gid's to set file permissions.


I haven't had much luck with member servers either.  It does get 
trickier when you have ldap used for both unix accounts and samba 
accounts.   I found it easier to configure my primary machines as domain 
controllers.



I think generally your nsswitch.conf file should include entries to 
allow unix to retrieve uid's and gid's from winbind.


passwd: files ldap winbind
shadow: files ldap winbind
group:  files ldap winbind

This means that you would be able to type getent user1 and getent 
MYDOMAIN\user1.   I


I think it appears you are getting group information from winbind since 
you have the force group entry in smb.conf.



You should look at the man page for idmap_nss.  In theory, this should 
let you use a local backend to store the idmap entries, and the idmap 
system should map the SID's to the existing unix uid and gid.  Never 
worked for me in practice.


Alternately, you may want to manually edit the idmap entries in ldap.  
The domain controller should have automatically created them.




Re: [Samba] Samba domain member server using only nss ldap

2012-02-15 Thread Alex Domoradov
 On a member server,  the ldap backend should not be needed for user and
group look up.  You do need some sort of idmapping for the unix level to
see the UID's and GID's assigned to the samba users, and use those uid's
and gid's to set file permissions.
I need to do idmapping via winbind or something else?

 I haven't had much luck with member servers either. It does get trickier
when you have ldap used for both unix accounts and samba accounts.   I
found it easier to configure my primary machines as domain controllers.
I need to use LDAP only for samba accounts, not local (unix)

 I think generally your nsswitch.conf file should include entries to allow
unix to retrieve uid's and gid's from winbind.
 passwd: files ldap winbind
 shadow: files ldap winbind
 group:  files ldap winbind
but according to
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap
If I have one domain and all servers are members of this domain there
is no need to use winbind at all. Did I miss something?

 This means that you would be able to type getent user1 and getent
MYDOMAIN\user1.   I
I don't need such a case; in my case local and domain users are always unique.

 I think it appears you are getting group information from winbind since
you have the force group entry in smb.conf.
It's strange. When I added force user to the share description, samba set
the uid of the new file from ldap.

 You should look at the man page for idmap_nss.  In theory, this should
let you use a local backend to store the idmap entries, and the idmap
system should map the SID's to the existing unix uid and gid.  Never
worked for me in practice.
I read the man page
http://www.samba.org/samba/docs/man/manpages-3/idmap_nss.8.html but didn't
get a clear understanding.

 Alternately, you may want to manually edit the idmap entries in ldap.
 The domain controller should have automatically created them.
there are 10-15 entries in the ou Idmap.