diff --git a/hosts/skydick/DATAPOOL.md b/hosts/skydick/DATAPOOL.md index 695a281..15936ec 100644 --- a/hosts/skydick/DATAPOOL.md +++ b/hosts/skydick/DATAPOOL.md @@ -22,10 +22,20 @@ - `skydick` resolves POSIX users and groups from LDAP at `ldap://10.0.0.1/`, base `dc=skyw,dc=top` -- Local `/etc/passwd` users still win if the same username exists both locally and in LDAP -- SMB still uses Samba's local password database (`tdbsam`), not LDAP-backed SMB auth +- SMB now uses Samba's LDAP passdb (`ldapsam`) against the same directory tree +- On this standalone server, the Samba account-domain object is expected to be + `sambaDomainName=SKYDICK`, matching the NetBIOS name, not the browse workgroup `WORKGROUP` +- Shared `public` / `media` access is carried by the LDAP `posixGroup` + `cn=storage,ou=posix_groups,dc=skyw,dc=top` with `gidNumber: 997` - NFS still does not authenticate users; it trusts client IPs and export options +Current admin users on skydick intentionally use the same canonical usernames as their LDAP +identities, for example `ye-lw21`. In those collisions, local NSS lookup still wins for the final +Unix UID/GID/group resolution on the server, while SMB password data still comes from LDAP. + +The bootstrap LDIF for the Samba domain object, the LDAP `storage` group, and the machine OU is +checked in at [`samba-ldap-bootstrap.ldif`](samba-ldap-bootstrap.ldif). + ## Connecting via SMB (Windows / macOS / Linux GUI) ### Windows @@ -38,8 +48,8 @@ \\10.0.1.1\ ``` -When prompted, enter your Samba credentials (set by the admin on skydick with `smbpasswd -a `). -LDAP identity on skydick does not replace SMB passwords yet. +When prompted, enter your SMB credentials. Admins provision or reset them on skydick with +`smbpasswd -a `, which now writes the user's `sambaSamAccount` data into LDAP. ### macOS 
@@ -126,6 +136,10 @@ - SMB: read-write for `@storage` - NFS: read-write with `root_squash` (root maps to nobody, normal UIDs pass through) +Shared access is governed by LDAP membership in `cn=storage,ou=posix_groups,dc=skyw,dc=top`. +`skydick` also keeps a local `storage` group at GID 997 so on-disk ownership, service accounts, +and same-name local admin overlays stay stable. + ### Media library (`/srv/media/library`) Read-only organized media (movies, TV, music). Managed by the automation stack (qBittorrent + @@ -143,6 +157,7 @@ Private per-user storage. Only you can access your tree. - SMB: Samba `[homes]` share — connect as `\\SKYDICK\`, authenticates with your Samba password +- SMB provisioning: `smbpasswd -a ` on skydick creates or updates your `sambaSamAccount` - NFS: `/users/` export with `all_squash` mapping all operations to your UID/GID Your NFS export maps every client UID to your server-side UID. This means any process on any @@ -185,6 +200,9 @@ - `homeDirectory` - `objectClass: posixAccount` +If the user should see `public` and `media`, also add their LDAP `uid` as a `memberUid` of +`cn=storage,ou=posix_groups,dc=skyw,dc=top`. + Check it on skydick: ```bash @@ -193,7 +211,9 @@ ### 2. Add a local NixOS user only if needed -Only do this if the user needs SSH login, sudo, or a fixed local override that should win over LDAP. +Only do this if the user needs SSH login, sudo, or an intentional local override. If you do create +a same-name local admin user, remember that skydick will use the local Unix UID/GID for on-server +authorization while SMB passwords still come from LDAP. In `hosts/skydick/default.nix`: @@ -244,6 +264,9 @@ Replace `` and `` with the LDAP-backed numeric IDs from `getent passwd`. +Example: the user previously called `ylw` in local NixOS config is now canonicalized to +`ye-lw21` everywhere, so the per-user share path is `/srv/users/ye-lw21`. + ### 4. Deploy NixOS config ```bash 
@@ -271,13 +294,14 @@ done ``` -### 6. Set Samba password +### 6. Enable SMB login ```bash smbpasswd -a ``` -This is still required even if the user exists in LDAP, because Samba auth is not LDAP-backed yet. +This is required even if the user already exists as a POSIX account in LDAP. `smbpasswd -a` +creates or updates the user's `sambaSamAccount` attributes in LDAP for SMB authentication. The user can now connect via SMB and NFS. @@ -348,9 +372,11 @@ ### SMB authentication fails -- Samba uses its own password database (tdbsam), separate from Unix login passwords and LDAP -- Admin must run `smbpasswd -a ` on skydick to create/reset the Samba password -- `getent passwd ` succeeding only proves LDAP/NSS lookup works; it does not create an SMB login +- Samba uses LDAP-backed `sambaSamAccount` entries for SMB auth, not the Unix login password +- Admin must run `smbpasswd -a ` on skydick to create/reset the Samba SMB password in LDAP +- `getent passwd ` succeeding only proves Unix account lookup works; it does not create an SMB login +- If `public` or `media` access fails but the home share works, check LDAP `storage` membership and + verify the `memberUid` list for `cn=storage,ou=posix_groups,dc=skyw,dc=top` ### Slow NFS transfers
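Review bot: The `ldapsam` switch in the `@@ -22,10 +22,20 @@` hunk moves SMB password hashes into the same directory that the first bullet still reaches over plain `ldap://10.0.0.1/`; the added line `+- SMB now uses Samba's LDAP passdb (\`ldapsam\`) against the same directory tree` should say how that write channel is protected (ldaps://, STARTTLS, or a local `ldapi://` socket), which bind DN Samba writes with, and that the directory ACL keeps the SMB hash attributes readable only by that DN. Also, `is expected to be` on the `sambaDomainName=SKYDICK` line reads as a guess; state what the checked-in bootstrap LDIF actually creates.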
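Review bot: In the `@@ -38,8 +48,8 @@` hunk the removed line `-LDAP identity on skydick does not replace SMB passwords yet.` was the only user-facing statement that the SMB password is not the LDAP/Unix password, and the replacement drops it. Keep one sentence in the Windows section saying the SMB password is set separately by the admin with `smbpasswd -a`, even though it now lives on the same LDAP entry; the troubleshooting section says this, but readers following the connection steps will not get there.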
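Review bot: In the `@@ -126,6 +136,10 @@` hunk, two groups named `storage` with GID 997, one in `/etc/group` and one in LDAP, leave the `@storage` rule above it undefined: with the usual `files ldap` lookup order, `getent group storage` returns the local entry and its member list, so the LDAP `memberUid` values may never reach Samba's `@storage` check unless group merging (nsswitch `[SUCCESS=merge]`) or LDAP-side `initgroups` is configured. The paragraph `+Shared access is governed by LDAP membership in ...` asserts the outcome without the mechanism; name the mechanism and give `id <user>` showing `storage` as the check.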
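Review bot: In the `@@ -143,6 +157,7 @@` hunk, a section addressed to the user ("Only you can access your tree") gains `+- SMB provisioning: \`smbpasswd -a \` on skydick creates or updates your \`sambaSamAccount\``, which reads as though the user runs it; say that an admin runs it on skydick, as the Windows section and step 6 do, and that the user chooses the SMB password at that point.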
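Review bot: In the `@@ -185,6 +200,9 @@` hunk, `memberUid` is matched as an exact string against the entry's `uid`, so after the username canonicalization described later in this change a stale `memberUid: ylw` grants nothing and a typo fails silently. Ask the admin to copy the value verbatim from the user's `uid` attribute, and extend the `Check it on skydick:` block to cover the group (for example `id <uid>` listing `storage`, or an `ldapsearch` for `memberUid=<uid>` under `cn=storage,ou=posix_groups,dc=skyw,dc=top`).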
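Review bot: In the `@@ -193,7 +211,9 @@` hunk, the wording `+a same-name local admin user, remember that skydick will use the local Unix UID/GID for on-server` should require, not merely note, that the local uid/gid equal the LDAP `uidNumber`/`gidNumber`: step 3 takes the per-user export IDs from `getent passwd`, which on a collision returns the local values, so a local user declared with a different uid silently changes the NFS `all_squash` target and the ownership under `/srv/users/` between deployments.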
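Review bot: In the `@@ -244,6 +264,9 @@` hunk, the rename example (`+Example: the user previously called \`ylw\` in local NixOS config is now canonicalized to`) leaves the migration unstated: say whether `/srv/users/ylw` was moved or re-exported as `/srv/users/ye-lw21`, whether the old `ylw` SMB account was removed, and whether the `storage` group's `memberUid` was updated; otherwise an admin following these steps ends up with two user trees and a dangling SMB login.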
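Review bot: In the `@@ -271,13 +294,14 @@` hunk, step 6 (`+This is required even if the user already exists as a POSIX account in LDAP.`) should state its prerequisites in order: `smbpasswd -a` under `ldapsam` only adds an entry for a user that already resolves as a Unix account, so the step 1 `getent passwd` check must pass and the step 4 deploy must have run first. It should also say where Samba's LDAP write credential comes from (the admin DN password stored with `smbpasswd -w`), because without it this step fails at the LDAP bind rather than with a missing-user error.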
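Review bot: In the `@@ -348,9 +372,11 @@` hunk, the first bullet (`+- Samba uses LDAP-backed \`sambaSamAccount\` entries for SMB auth, not the Unix login password`) should add the consequence admins will hit: a password reset done on the LDAP `userPassword` does not change the SMB password unless Samba's `ldap passwd sync` option is enabled, so such a reset still needs `smbpasswd`. The last bullet asks the reader to "verify the `memberUid` list" without a command; pair it with `getent group storage` and `id <user>` so the reader can tell an LDAP-side omission from an NSS-side merge problem.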