
View Full Version : SAMBA and LDAP - Group Permissions



heinzk1
07-Nov-2012, 21:34
I have been testing on a SLES 11 SP2 server trying to understand how SAMBA works but I just don't get it. I have been reading multiple books as well as looking through the internet and I am thinking I am doing things right but groups just aren't working for me.

I am setting up SAMBA to run as a PDC with LDAP. I set up some shares with different rights per Groups and it appears that SAMBA is only looking at the primary group set with chgrp. I made several users and added them to samba via YAST and they show up in SAMBA but if the user's primary group does not match the directory's group, it doesn't let me change rights via SAMBA share options.

I did check the LDAP server by running some commands which I can't remember offhand - they did respond that users were authenticating against LDAP.

My questions are:
Does SAMBA look at the LDAP groups or are the LDAP and unix groups supposed to be mapped together?

What are the Free or relatively low cost programs out there that will help me do LDAP and SAMBA management? (I looked at the LAM program but it costs to allow SLES to deal with groups)

Any help would be appreciated,
Heinzk1

jmozdzen
08-Nov-2012, 12:30
Hi Heinz,

I feel for you - it took me quite some time to go through all the settings and queries until I got SAMBA to work with LDAP-stored domain information. I ended up actually tracing LDAP queries to understand what's really going on. And then there was a version change in SAMBA and I had to re-learn...

> Does SAMBA look at the LDAP groups or are the LDAP and unix groups supposed to be mapped together?

Which groups are you asking for? There are SMB groups and system level groups - SAMBA maps SMB to system groups... SMB groups are stored in the SAMBA data store, which can be either LDAP or other - system groups can be either local and/or LDAP, depending on the system configuration.

I *believe* that SAMBA will simply map the SMB user to the system user and then the system will take that user's system groups into consideration. So again the question arises: Which groups did you change:

> I set up some shares with different rights per Groups

From what I've seen, SAMBA will set ACLs on the directories/files to accomplish the "multiple group rights" feature - how are the actual system permissions on those directories? And pardon the question, but I don't get what you're actually doing (what tool, what action) when you "change rights via SAMBA share options" :[

> What are the Free or relatively low cost programs out there that will help me do LDAP and SAMBA management?

LDAP: I'm too old-school: "gq" will work nicely, especially as it lets you see and modify what is actually stored. It doesn't help you when it comes to identifying what to store where - know-how is still left to the user :)

SAMBA: Iirc, there are tons of web-based front ends out there, then there's YaST and you can do things right from a MS Windows workstation - so the answer basically depends on what you're actually trying to do with the admin tool...

Regards,
Jens

heinzk1
08-Nov-2012, 14:23
Thanks for replying back.

Basically what we are trying to accomplish is allowing read-only rights to most everyone in the company to almost all folders and files in the shares, then depending on which directory we are assigning write privileges. Naturally we will have some directories in those shares that we only want administrators and/or accounting personnel to have access to.

Well, what I have tried was using the chgrp command and chmod command on the shares to grant different rights to groups, but for instance I made a share with chmod 755 chgrp everyone thinking that I could make an LDAP/Samba group and include all of my users in the Everyone group, just not make it their primary group.

Then in the share options I made a Write list = @Engineers

I assumed that since I had created a user and made his primary group "Engineers" and toggled the Manage Samba attribute that this user could write to the share where everyone else would be read-only. It didn't.

I think where I am going wrong is that my Samba groups are being mapped to the system groups because when I go to the local groups all that is there is the users group.

Thanks again for replying, Linux and Samba are sure making me feel dumb.
Heinzk1
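
The share setup described in the post above (chmod 755, chgrp everyone, Write list = @Engineers), as an added example that is not part of the thread: a small model of the two checks a write through a Samba share has to pass, the share-level `write list` and the Unix mode bits on the directory. The user names, the `root` owner and the "adjusted" layout are assumptions made for illustration; POSIX ACLs and `force user`/`force group` are left out.

```python
# Added example (not from the thread): a write through a Samba share must
# pass BOTH the share-level check and the filesystem check.
# Assumptions: plain Unix mode bits only (no POSIX ACLs, no force user/group);
# "@name" in "write list" is treated as a Unix group.
from dataclasses import dataclass

@dataclass(frozen=True)
class Share:
    read_only: bool
    write_list: tuple = ()      # smb.conf "write list" entries

@dataclass(frozen=True)
class Directory:
    owner: str
    group: str
    mode: int                   # as set with chmod, e.g. 0o755

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset           # primary + supplementary, as `id -Gn` lists them

def share_allows_write(share, user):
    if not share.read_only:
        return True
    return any(e == user.name or (e.startswith("@") and e[1:] in user.groups)
               for e in share.write_list)

def fs_allows_write(d, user):
    # Kernel rule: the first matching class (owner, group, other) decides.
    if user.name == d.owner:
        return bool(d.mode & 0o200)
    if d.group in user.groups:
        return bool(d.mode & 0o020)
    return bool(d.mode & 0o002)

def can_write(share, d, user):
    return share_allows_write(share, user) and fs_allows_write(d, user)

# Constructed sample data modelled on the post; user names are hypothetical.
SHARE = Share(read_only=True, write_list=("@Engineers",))
AS_POSTED = Directory("root", "everyone", 0o755)     # chmod 755, chgrp everyone
ADJUSTED = Directory("root", "Engineers", 0o2775)    # setgid + group-writable
eng = User("eng1", frozenset({"users", "Engineers", "everyone"}))
acct = User("acct1", frozenset({"users", "everyone"}))

if __name__ == "__main__":
    for label, d in (("as posted", AS_POSTED), ("adjusted", ADJUSTED)):
        print(label, {u.name: can_write(SHARE, d, u) for u in (eng, acct)})
```

In the model the `write list` entry passes for the Engineers member in both layouts; what blocks the write in the as-posted layout is mode 755, which gives the directory's group no write bit.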