
Samba in Debian Edu 11



Hi Wolfgang, hi all,

I have just taken a look at your Samba changes for Debian Edu 11. Thanks for working on this.

I have several questions and comments regarding this.


1. NT4 Domain Support vs. LDAP Samba3 Support
=============================================

In previous discussions/chats we came to the conclusion that Samba must stay, although NT4 style domain support has been removed from Samba (entirely, or from Samba in Debian?). Recent Windows 10 clients have dropped NT4 style domain support, as well, so probably nothing to discuss here.

However, has the Samba3-like LDAP support also been dropped from the recent Samba version in Debian testing/unstable? If not, we could have dropped the NT4 domain, but leave the Samba-LDAP stuff intact, so that SMB account things don't need to be handled via GOsa hooks leveraging smbpasswd.

Btw, do you have any URL / post / mailing list announcement where the non-availability of NT4 style domain support in Samba had been announced? I just looked at the Samba packages sources and could not find it there. (But maybe my grepping was just bad).


2. mixing LDAP users and local groups
=====================================

I saw a "usermod -a -G sambashare $USERID" in share/debian-edu-config/tools/gosa-create. This command adds LDAP users into a POSIX group in /etc/group.

While this works, it does not scale very well. With a handful of users, you should not notice any problems.

I have schools with a thousand users in LDAP (plus several hundred deactivated accounts, too). I'd love to not see all those users added to a group in /etc/group.

The fix for this would be changing Samba to use the "students" (or "teachers") group and mimic the functionality that gets granted by the local system group "sambashares". This might involve various chown commands under /var/lib/samba.



3. Samba / Winbind and Radius / MSCHAP
======================================

Another reason for having a usable Samba in Debian Edu is the option to install a freeradius server on the Debian Edu main server and support MSCHAPv2 authentication with that. The setup I use at my customers proxies the authentication requests for MSCHAPv2 over to the winbind service and this requires ntPassword hashes being available to winbind.

This should basically continue to work with your setup, but I'd prefer having those password hashes stored in LDAP (and also being used from there).


Idea / Proposal
===============

My overall idea is in fact to roll back some of your Samba reduction changes and go back to a state where Samba authentication in smb.conf uses an ldapsam:// auth backend. Furthermore, I think we need to amend the sambashares issue described in 2. (see above).


Please let me know what you think about this.

Thanks!
Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
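
Added example, not part of the mail above and not code from debian-edu-config: a check for the situation described in point 2, listing members of a local group that have no entry in the local passwd file and therefore come from LDAP or another NSS source. The function name, the sample accounts and the GIDs are constructed for illustration.

```shell
#!/bin/sh
# nonlocal_members GROUP [GROUP_FILE] [PASSWD_FILE]
# Prints, one per line, every member of GROUP in GROUP_FILE that is not
# defined in PASSWD_FILE (hypothetical helper, defaults to the system files).
nonlocal_members() {
    grp=$1
    group_file=${2:-/etc/group}
    passwd_file=${3:-/etc/passwd}
    awk -F: -v grp="$grp" '
        # First file (passwd): remember every locally defined account name.
        FILENAME == ARGV[1] { is_local[$1] = 1; next }
        # Second file (group): walk the member list of the requested group.
        $1 == grp {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] != "" && !(members[i] in is_local))
                    print members[i]
        }
    ' "$passwd_file" "$group_file"
}

# Constructed sample data: two local accounts and three made-up LDAP users
# that were appended to the local group, as "usermod -a -G" would do.
sample_dir=$(mktemp -d)
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
localadmin:x:1000:1000::/home/localadmin:/bin/bash
EOF
cat > "$sample_dir/group" <<'EOF'
sambashare:x:118:localadmin,student01,student02,teacher01
students:x:2000:
EOF

echo "non-local members of sambashare:"
nonlocal_members sambashare "$sample_dir/group" "$sample_dir/passwd"
```

Called with only the group name, the function reads /etc/group and /etc/passwd, so piping its output to `wc -l` on a main server shows how many directory users have accumulated in the local group.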
