Hi Mike,

[ Mike Gabriel, 2020-10-23 ]
> I have just taken a look at your Samba changes for Debian Edu 11.
> Thanks for working on this.
>
> I have several questions and comments regarding this.
>
>
> 1. NT4 Domain Support vs. LDAP Samba3 Support
> =============================================
>
> In previous discussions/chats we came to the conclusion that Samba
> must stay, although NT4 style domain support has been removed from
> Samba (entirely, or from Samba in Debian?). Recent Windows 10 clients
> have dropped NT4 style domain support, as well, so probably nothing to
> discuss here. AFAICT, it has been dropped from Samba entirely.
> However, has the Samba3-like LDAP support also been dropped from the
> recent Samba version in Debian testing/unstable? If not, we could have
> dropped the NT4 domain, but leave the Samba-LDAP stuff intact, so that
> SMB account things don't need to be handled via GOsa hooks leveraging
> smbpasswd.

As far as I was able to find out, Samba in LDAP needs a NT4-style domain setup.

> Btw, do you have any URL / post / mailing list announcement where the
> non-availability of NT4 style domain support in Samba had been
> announced? I just looked at the Samba packages sources and could not
> find it there. (But maybe my grepping was just bad).

No, failed to find anything about it; needed to go the hard way via trial and error.

> 2. mixing LDAP users and local groups
> =====================================
>
> I saw a "usermod -a -G sambashare $USERID" in
> share/debian-edu-config/tools/gosa-create. This command adds LDAP users into
> a POSIX group in /etc/group.
>
> While this works, it does not scale very well. With a handful of users, you
> should not notice any problems.
>
> I have schools with a thousand users in LDAP (plus several hundred
> deactivated accounts, too). I'd love to not see all those users added to a
> group in /etc/group.
>
> The fix for this would be changing Samba to use the "students" (or
> "teachers") group and mimic the functionality that gets granted by the
> local system group "sambashares". This might involve various chown commands
> under /var/lib/samba.

Thought about the GOsa groups as well, but to no avail up to now. Please go ahead.

> 3. Samba / Winbind and Radius / MSCHAP
> ======================================
>
> Another aspect, why having a usable Samba in Debian Edu is the option to
> install a freeradius server on the Debian Edu main server and support
> MSCHAPv2 authentication with that. The setup I use at my customers proxies the
> authentication requests for MSCHAPv2 over to the winbind service and this
> requires ntPassword hashes being available to winbind.
>
> This should basically continue to work with your setup, but I'd prefer
> having those password hashes stored in LDAP (and also being used from
> there).
>
>
> Idea / Proposal
> ===============
>
> My overall idea is in fact to roll back some of your Samba reduction changes
> and go back to a state where Samba authentication in smb.conf uses an
> ldapsam:// auth backend. Furthermore, I think we need to amend the
> sambashares issue described in 2. (see above).

Please go ahead...

Wolfgang