Re: LDAP group objects?


Re: LDAP group objects?

Samba - General mailing list
I'm not seeing my LDAP groups listed when I use Windows file sharing tools
to modify ACLs on a share.

I see all of the LDAP users.

Ubuntu 16.04, hosted LDAP ("in the cloud", although I hate that term,
provided by JumpCloud.com), no AD.

I'm able to assign LDAP users to ACLs.

The groups are of objectClass 'groupsOfNames'.

Is this expected behavior?
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: LDAP group objects?

Samba - General mailing list
On Thu, 21 Dec 2017 11:24:06 -0600
Daniel Turner via samba <[hidden email]> wrote:

> I'm not seeing my LDAP groups listed when I use Windows file sharing
> tools to modify ACLs on a share.
>
> I see all of the LDAP users.
>
> Ubuntu 16.04, hosted LDAP ("in the cloud", although I hate that term,
> provided by JumpCloud.com), no AD.
>
> I'm able to assign LDAP users to ACLs.
>
> The groups are of objectClass 'groupsOfNames'.
>
> Is this expected behavior?

Sorry, but this question doesn't seem to have anything to do with
Samba. Are you actually using Samba?
Have you asked JumpCloud?

Rowland




Re: LDAP group objects?

Samba - General mailing list
On Thu, 21 Dec 2017 11:53:03 -0600
Daniel Turner <[hidden email]> wrote:

> Sorry, I didn't include enough information.
>
> Samba installed on Ubuntu 16.04, using ldapsam:ldaps:// as my auth
> "DB" (instead of tdbsam).
>
> Share created on local storage.
>
> When I connect to the share from a windows machine and attempt to
> change the security settings for a folder or file I can search for
> users and see all of the users on the LDAP server - as expected.
> However, I don't see any LDAP groups.
>
> Really my question is, what objectClass type does Samba look for when
> querying LDAP for groups? I'm wondering if the LDAP server I'm
> connected to is configured to use the wrong objectClass for groups.
>
> Or, does Samba simply not show the groups listed in LDAP in this
> situation? I.e., is this expected behavior?
>

No, it is not expected behaviour. It might help if you could post your
smb.conf.

Depending on how you have Samba set up, you may need different
objectclasses, but the main ones for a group are 'posixGroup' and
'sambaGroupMapping'.

Rowland



Re: LDAP group objects?

Samba - General mailing list
On Thu, 21 Dec 2017 13:45:14 -0600
Daniel Turner <[hidden email]> wrote:

> re: "Depending on how you have Samba set up, you may need different
> objectclasses, but the main ones for a group are 'posixGroup' and
> 'sambaGroupMapping'"
>
> What configuration changes would affect which objectClass type is
> used? I'm not able to find any information about this on the wiki.
>
> My smb.conf:
>
> [global]
> log level = 12
> workgroup = WORKGROUP
> server string = MySAN %v
> security = user
> dns proxy = no
>
> #passdb backend = tdbsam
>
> passdb backend  =    ldapsam:ldaps://ldap.jumpcloud.com:636
> ldap admin dn   =    "uid=daniel.turner,ou=Users,o=
> 5a21683914f827970a385d7b,dc=$
> ldap ssl        =    off
> ldap suffix     =    o=5a21683914f827970a385d7b,dc=jumpcloud,dc=com
>
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
>
> [LocalStorage]
>         path = /mnt/localhd
>         valid users = daniel.turner,tucker.dragoo,daniel
>         directory mask = 0771
>         write list = daniel.turner,tucker.dragoo,daniel
>         create mask = 0660
>         writeable = yes
>         force group = users
>         browsable = yes
>

You are running Samba as a standalone server with an ldap backend, and
this isn't used much (this may not be true, it just isn't asked about on
the mailing list).

There are problems with doing this with the authentication in the
cloud, you still need the same users and groups on the client machines.

Try reading these webpages:

https://help.ubuntu.com/lts/serverguide/samba-ldap.html
https://spredzy.wordpress.com/2013/08/30/samba-standalone-openldap/

They should show you the basis of what you need.

You basically seem to be running a 'workgroup' with one of the machines
in the cloud.

Are you allowed to create your own machine in this cloud? If so, you
will probably be better off setting up a DC and then using this for
authentication; this way you wouldn't need the same users stored
locally.

Rowland
 


Re: LDAP group objects?

Samba - General mailing list
Thank you, those links were indeed helpful.

It appears to me that while JumpCloud.com touts its Samba compatibility
(including "Samba Schema support"), theirs is an imperfect implementation.
Because they do not leverage the Samba group objectclass they are hampering
Samba's ability.

The method they've used to implement groups does not allow those groups to
be used by Samba. I'm no expert on LDAP, but I believe the addition of an
attribute on their groupOfNames style of group may be all that is needed -
I'm spinning up an OpenLDAP instance to confirm.

Now to try to convince them of this fact in the hopes of future
improvements.

On Thu, Dec 21, 2017 at 2:17 PM, Rowland Penny via samba <
[hidden email]> wrote:

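Rowland's list of group objectClasses and Daniel's idea that adding attributes to the existing groupOfNames groups might be enough, worked through as an added example (not code from the thread, Samba or JumpCloud): it parses a constructed LDIF dump of ou=Groups, reports what Samba's ldapsam backend cannot map (it searches for objectClass=sambaGroupMapping and reads that class's MUST attributes gidNumber, sambaSID and sambaGroupType), and writes the LDIF modify that adds the missing auxiliary class. SAMPLE_LDIF, the DNs in it and DOMAIN_SID are constructed placeholders; the RID formula 2*gid+1001 is Samba's default algorithmic group mapping.

```python
# Added example (not from the thread, Samba or JumpCloud). ldapsam finds groups via
# (objectClass=sambaGroupMapping) and reads that AUXILIARY class's MUST attributes
# gidNumber, sambaSID, sambaGroupType. SAMPLE_LDIF/DOMAIN_SID are constructed.
LDAPSAM_CLASS = "sambaGroupMapping"
LDAPSAM_MUST = ("gidNumber", "sambaSID", "sambaGroupType")
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # real one: net getlocalsid
SAMPLE_LDIF = """\
dn: cn=devs,ou=Groups,o=example,dc=jumpcloud,dc=com
objectClass: groupOfNames
cn: devs
member: uid=daniel.turner,ou=Users,o=example,dc=jumpcloud,dc=com

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: staff
gidNumber: 1005
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3011
sambaGroupType: 2
"""

def parse_ldif(text):
    """Minimal LDIF parser: one {attr: [values]} dict per entry (no folding/base64)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            entry.setdefault(key, []).append(val.strip())
        entries.append(entry)
    return entries

def missing_for_ldapsam(entry):
    """Class and attributes the entry lacks for Samba to map it as a group."""
    missing = {a for a in LDAPSAM_MUST if a not in entry}
    if LDAPSAM_CLASS not in entry.get("objectClass", []):
        missing.add(LDAPSAM_CLASS)
    return missing

def fix_ldif(entry, gid):
    """LDIF modify adding what ldapsam needs ('' if nothing is missing); gid must be
    unique and resolve via NSS on the Samba host. RID 2*gid+1001 is Samba's default."""
    missing = missing_for_ldapsam(entry)
    if not missing:
        return ""
    values = {"gidNumber": str(gid), "sambaSID": f"{DOMAIN_SID}-{2 * gid + 1001}",
              "sambaGroupType": "2"}  # 2 = domain group, 4 = local group
    mods = [f"add: objectClass\nobjectClass: {LDAPSAM_CLASS}\n-\n"] if LDAPSAM_CLASS in missing else []
    mods += [f"add: {a}\n{a}: {values[a]}\n-\n" for a in LDAPSAM_MUST if a in missing]
    return f"dn: {entry['dn'][0]}\nchangetype: modify\n" + "".join(mods)
```

Whether the gid then resolves on the Samba host (posixGroup through nss-ldap/sssd, or a local group with the same gid) is a separate NSS question. Note that posixGroup is STRUCTURAL under RFC 2307, so it cannot simply be added to an existing groupOfNames entry unless the server uses the rfc2307bis schema, where it is auxiliary.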

Re: LDAP group objects?

Samba - General mailing list
On Thu, 21 Dec 2017 17:02:31 -0600
Daniel Turner <[hidden email]> wrote:

> Thank you, those links were indeed helpful.
>
> It appears to me that while JumpCloud.com touts its Samba
> compatibility (including "Samba Schema support"), theirs is an
> imperfect implementation. Because they do not leverage the Samba
> group objectclass they are hampering Samba's ability.
>
> The method they've used to implement groups does not allow those
> groups to be used by Samba. I'm no expert on LDAP, but I believe the
> addition of an attribute on their groupOfNames style of group may be
> all that is needed - I'm spinning up an OpenLDAP instance to confirm.
>
> Now to try to convince them of this fact in the hopes of future
> improvements.
>

I have always been a bit doubtful about 'cloud' usage, you are
dependent on what the 'cloud' provides and what happens if it rains and
the cloud goes away?

Rowland


Re: LDAP group objects?

Samba - General mailing list
I understand the concern. But with so many relying on web-based
applications in day-to-day operations, we are dependent on connectivity
already.

JumpCloud is interesting because it isn't just LDAP, and the other parts do
not require JumpCloud to be accessible all the time.

By creating one list of users in JumpCloud you can auto provision the users
in G Suite or O365, allow the JC agent to create local accounts on Windows,
MacOS, and Linux. You can tie in more than 100 SAML enabled webapps, all
using your list of users.

It isn't perfect, especially the LDAP/Samba side it seems. And while it
does a lot, it isn't a replacement for AD. But for small groups of users
who don't have the infrastructure to support a full AD setup and who do
most of their business online, it might work well.

On Fri, Dec 22, 2017 at 3:07 AM Rowland Penny via samba <
[hidden email]> wrote:
