Rowland Penny
2018-Aug-20 16:34 UTC
[Samba] multiple passdb backends for standalone fileserver?
On Mon, 20 Aug 2018 18:02:32 +0200
Harry Jede via samba <samba at lists.samba.org> wrote:

> On Monday, 20 August 2018, 16:43:24 CEST, Matthias Leopold
> via samba wrote:
> > Hi,
> >
> > I (naively) would like to have local AND ldap users (and groups...)
> > on my standalone fileserver (security = user). "passdb backend
> > ldapsam" already works OK and I found some old posts on the internet
> > about "chaining" passdb backends.
>
> Round about 12 years ago "chaining passdb backends" was removed! But
> there are other possibilities:
>
> 1. You can map local unix users and groups to their windows entries.

Well, yes you can, but the OP wanted to use users stored in ldap and
users stored in /etc/passwd, and you cannot do both at the same time.

> 2. You can use winbind's idmap feature; obey the "idmap ranges" and
> honor that the syntax has changed several times.

The OP referred to a 'standalone server' and these do not need to run
winbind, and if it is running, all the idmap backends need SIDs; there
might not be any in the OP's ldap.

> Just read the man pages of the samba version you are using!!! before
> searching the web.

Very wise words, most web pages get something wrong ;-)

Rowland
Harry Jede
2018-Aug-20 18:19 UTC
[Samba] multiple passdb backends for standalone fileserver?
Hi Rowland,

> On Mon, 20 Aug 2018 18:02:32 +0200
> Harry Jede via samba <samba at lists.samba.org> wrote:
> > On Monday, 20 August 2018, 16:43:24 CEST, Matthias Leopold
> > via samba wrote:
> > > Hi,
> > >
> > > I (naively) would like to have local AND ldap users (and
> > > groups...)
> > > on my standalone fileserver (security = user). "passdb backend
> > > ldapsam" already works OK and I found some old posts on the
> > > internet
> > > about "chaining" passdb backends.
> >
> > Round about 12 years ago "chaining passdb backends" was removed! But
> > there are other possibilities:
> >
> > 1. You can map local unix users and groups to their windows entries.
>
> Well, yes you can, but the OP wanted to use users stored in ldap and
> users stored in /etc/passwd, and you cannot do both at the same time.

I can!

> > 2. You can use winbind's idmap feature; obey the "idmap ranges" and
> > honor that the syntax has changed several times.
>
> The OP referred to a 'standalone server' and these do not need to run
> winbind

Yes, but I said you can!

> and if it is running, all the idmap backends need SIDs,

Yes, local unix user SIDs are stored in /var/lib/samba/passdb.tdb.

LDAP user SIDs are stored in passdb.tdb if the server is a normal
standalone server and the ldap server has NOT loaded the samba3.schema,

but get stored in ldap if the server is configured as standalone, PDC
or BDC and ldap has samba3.schema loaded. You must configure smb.conf,
pam and nss a little differently.

Maybe I should write a howto. But time ...

> there
> might not be any SIDs in the OP's ldap.

Yes, there can be SIDs, but this is not a must have, just the usual case.

> > Just read the man pages of the samba version you are using!!! before
> > searching the web.
>
> Very wise words,
> most web pages get something wrong ;-)

Oh, I believe they are mostly right at time of writing, but the writers
forget to tell the readers the version, release number and often do not
mention if they are using vanilla samba or a distro modified package.
In the end these are pages to inspire someone, but not more.

> Rowland

-- 
Regards
Harry Jede
Rowland Penny
2018-Aug-20 19:29 UTC
[Samba] multiple passdb backends for standalone fileserver?
On Mon, 20 Aug 2018 20:19:11 +0200
Harry Jede <walk2sun at arcor.de> wrote:

> Hi Rowland,
>
> > On Mon, 20 Aug 2018 18:02:32 +0200
> > Harry Jede via samba <samba at lists.samba.org> wrote:
> > > On Monday, 20 August 2018, 16:43:24 CEST, Matthias Leopold
> > > via samba wrote:
> > > > Hi,
> > > >
> > > > I (naively) would like to have local AND ldap users (and
> > > > groups...)
> > > > on my standalone fileserver (security = user). "passdb backend
> > > > ldapsam" already works OK and I found some old posts on the
> > > > internet
> > > > about "chaining" passdb backends.
> > >
> > > Round about 12 years ago "chaining passdb backends" was removed!
> > > But there are other possibilities:
> > >
> > > 1. You can map local unix users and groups to their windows
> > > entries.
> >
> > Well, yes you can, but the OP wanted to use users stored in ldap and
> > users stored in /etc/passwd, and you cannot do both at the same
> > time.
>
> I can!
>
> > > 2. You can use winbind's idmap feature; obey the "idmap ranges"
> > > and honor that the syntax has changed several times.
> >
> > The OP referred to a 'standalone server' and these do not need to
> > run winbind
>
> Yes, but I said you can!
>
> > and if it is running, all the idmap backends need SIDs,
>
> Yes, local unix user SIDs are stored in /var/lib/samba/passdb.tdb.
>
> LDAP user SIDs are stored in passdb.tdb if the server is a normal
> standalone server and the ldap server has NOT loaded the
> samba3.schema,
>
> but get stored in ldap if the server is configured as standalone, PDC
> or BDC and ldap has samba3.schema loaded. You must configure
> smb.conf, pam and nss a little differently.
>
> Maybe I should write a howto. But time ...
>
> > there
> > might not be any SIDs in the OP's ldap.
>
> Yes, there can be SIDs, but this is not a must have, just the usual
> case.

If you have a SID, it is either from a Samba machine or a Windows
machine, but an LDAP user doesn't have to have a SID; in fact, unless
you extend LDAP with the Samba schema, you cannot add them.

> > > Just read the man pages of the samba version you are using!!!
> > > before searching the web.
> >
> > Very wise words,
> > most web pages get something wrong ;-)
>
> Oh, I believe they are mostly right at time of writing, but the
> writers forget to tell the readers the version, release number and
> often do not mention if they are using vanilla samba or a distro
> modified package. In the end these are pages to inspire someone, but
> not more.

Not from my experience; most pages tend to get a lot of things correct,
but then add things that are either not required or wrong, and they also
tend to miss vital things.

Rowland
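The two checks the thread keeps circling back to are (1) whether an smb.conf still lists more than one passdb backend (the "chaining" that Harry says was removed long ago; current Samba takes a single backend) and (2) whether the LDAP entries actually carry samba3.schema attributes, i.e. whether a SID could be read from LDAP at all or would have to live in passdb.tdb. The script below is an added example written for this page, not code from the Samba project or from anyone in the thread. The smb.conf fragments, the LDIF dump, the host name ldap.example.internal and the local domain SID are all constructed; on a real box you would feed it the output of `testparm -s` and an `ldapsearch -LLL` dump and the value printed by `net getlocalsid`.

```python
"""
Added example (not Samba project code): audit an smb.conf fragment for
passdb backend chaining and an LDIF dump for samba3 schema attributes.
All inputs below are constructed for the example.
"""
import re

# Constructed smb.conf fragments. The second one uses the old "chaining"
# syntax (two backends on one line) that the thread says was removed.
SMB_CONF_SINGLE = """
[global]
   workgroup = EXAMPLE
   security = user
   passdb backend = ldapsam:ldap://ldap.example.internal
   ldap suffix = dc=example,dc=internal
"""

SMB_CONF_CHAINED = """
[global]
   security = user
   passdb backend = ldapsam:ldap://ldap.example.internal tdbsam
"""

# Constructed LDIF dump: alice has the samba3 schema attributes, bob is a
# plain posixAccount with no sambaSID (what a non-Samba LDAP looks like).
LDIF_DUMP = """
dn: uid=alice,ou=people,dc=example,dc=internal
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 10001
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-21002

dn: uid=bob,ou=people,dc=example,dc=internal
objectClass: posixAccount
uid: bob
uidNumber: 10002
"""

# Constructed local domain SID (on a real server: `net getlocalsid`).
LOCAL_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-\d+$")


def passdb_backends(smb_conf: str) -> list[str]:
    """Return the whitespace-separated tokens of 'passdb backend'."""
    for line in smb_conf.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().lower() == "passdb backend":
            return value.split()
    return []


def is_chained(smb_conf: str) -> bool:
    """True when more than one backend is listed (unsupported chaining)."""
    return len(passdb_backends(smb_conf)) > 1


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF parser: blank-line separated entries of 'attr: value'.
    Base64 ('::') values and line continuations are not handled; the
    attributes we care about (objectClass, uid, sambaSID) are plain ASCII."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def sid_source(entry: dict, domain_sid: str) -> str:
    """Classify an entry by whether Samba could take its SID from LDAP.

    'ldap'        sambaSamAccount with a sambaSID in this server's domain
    'foreign-sid' sambaSID present but prefixed with another domain SID
    'no-schema'   no samba3 schema attributes; a SID for this user could
                  only exist in passdb.tdb (tdbsam), never in LDAP
    """
    classes = {c.lower() for c in entry.get("objectClass", [])}
    sids = entry.get("sambaSID", [])
    if "sambasamaccount" not in classes or not sids:
        return "no-schema"
    sid = sids[0]
    if SID_RE.match(sid) and sid.rsplit("-", 1)[0] == domain_sid:
        return "ldap"
    return "foreign-sid"


def audit(ldif_text: str, domain_sid: str) -> dict[str, str]:
    """Map uid -> classification for every entry that carries a uid."""
    return {e["uid"][0]: sid_source(e, domain_sid)
            for e in parse_ldif(ldif_text) if "uid" in e}


if __name__ == "__main__":
    print("chained backends (old syntax):", is_chained(SMB_CONF_CHAINED))
    print("chained backends (single):    ", is_chained(SMB_CONF_SINGLE))
    for uid, src in audit(LDIF_DUMP, LOCAL_DOMAIN_SID).items():
        print(f"{uid}: {src}")
```

The `foreign-sid` case is the one worth watching on a standalone server: a sambaSID whose domain prefix is not the local machine SID (for example an entry copied from another Samba PDC) will not belong to this server's domain, which is exactly the situation Rowland's remark about SIDs coming "either from a Samba machine or a Windows machine" hints at.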