Open matthias-ronge opened 3 years ago
Thank you for sharing this information.
It seems that the best solution would be to get all of the writable LDAP stuff out of Production. Instead, the script_createUserHome invokes useradd and samba-tool user create to create the user locally and create the file share. A second script_updateUserPassword could handle password changes. This would save us a lot of complexity in the Production server installation process.
I do not mean to dispose of all of the LDAP functionality, but to keep the LDAP functionality only optionally usable for authenticating against an external LDAP. In combination with local scripts, local file shares could even be combined with authentication against external LDAP without any problems, which is currently not possible.
If we move the LDAP writing stuff for samba into these scripts but keep the other functionality alive, then these changes should be "small". Except that I do not know how these scripts are integrated into the application. Calling them from outside by an administrator is not a solution in my opinion.
Votes: 1
Has anyone already tested the current setup on newer Kernel Versions >= 5.15, which are shipping with Debian 12 or Ubuntu 22/24? There seem to be problems with SMBv1 already: https://bugzilla.kernel.org/show_bug.cgi?id=215375
Description
I asked a question on Ask Ubuntu. As a side note, I was told:
This will mess up our whole system of using LDAP, with LDAP groups, for creating Samba users.
TODO:
It seems to me that the simplest solution is to do without LDAP authentication for file upload access. Instead, the script_createUserHome should be passed the user password in clear text so that the script can configure file upload access using system commands. A second script_changeUserPassword would need to be added, which is run when a user changes their password so that the script can catch up with the password change for file upload access. This does not affect the options for authentication against LDAP, which will still be possible. But, on the other hand, it would also make it possible for Production to manage file upload access, even if the LDAP is a non-writable, company-wide directory (that does not support a Samba scheme, for example Microsoft Active Directory), which is currently not supported.
Estimated Costs and Complexity
This is a mid-ranged project with 5 PT.
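As an added example of the script pair proposed in the description and in the first comment (it is not code from Kitodo.Production or from any of the commenters), the following POSIX sh file implements script_createUserHome and script_changeUserPassword as two subcommands of one script. Everything about how it is called is an assumption: the application pipes the clear-text password into the script on stdin and passes only the user name as an argument, so the secret never appears in argv, `ps` output or a shell history; HOME_BASE (default /home) and the nologin shell path are Debian-style guesses; smbpasswd is used instead of samba-tool user create because smbpasswd reads the password from stdin while samba-tool takes it as a command-line argument. DRY_RUN=1 prints the privileged commands, without the secret, instead of running them.

```shell
#!/bin/sh
# Added example, not Kitodo.Production code. Assumed calling convention:
#   printf '%s\n' "$password" | ./userhome.sh create   <username>
#   printf '%s\n' "$password" | ./userhome.sh changepw <username>
# The password is read from stdin only; DRY_RUN=1 describes the privileged
# commands instead of executing them (and never prints the password).

export LC_ALL=C                            # make [a-z] mean ASCII letters only
HOME_BASE="${HOME_BASE:-/home}"            # assumed location of home/share dirs
NOLOGIN="${NOLOGIN:-/usr/sbin/nologin}"    # assumed Debian path

# The user name ultimately comes from whoever creates accounts in the web UI,
# so it must not be able to smuggle an option flag ("--root"), a path or shell
# metacharacters into useradd/chpasswd/smbpasswd, which all run as root here.
# Lower-case POSIX names only, at most 32 characters, never a system account.
validate_username() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ] || return 1
    case "$1" in
        root|daemon|bin|sys|nobody) return 1 ;;
    esac
    return 0
}

# Read exactly one line from stdin as the password; reject short secrets.
read_password() {
    IFS= read -r pw || return 1
    [ "${#pw}" -ge 8 ] || return 1
    printf '%s' "$pw"
}

# Execute a command, or in DRY_RUN mode print it instead.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'would run:'; printf ' %s' "$@"; printf '\n'
    else
        "$@"
    fi
}

# Set the Unix and the Samba password. chpasswd and smbpasswd -s both take the
# secret on stdin (smbpasswd -s expects it twice). mode is "add" for a new
# Samba account, "update" for an existing one.
set_passwords() {
    user="$1"; pw="$2"; mode="$3"
    smbflags="-s"
    if [ "$mode" = add ]; then smbflags="-a -s"; fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'would run: chpasswd (password for %s via stdin)\n' "$user"
        printf 'would run: smbpasswd %s %s (password via stdin)\n' "$smbflags" "$user"
        return 0
    fi
    printf '%s:%s\n' "$user" "$pw" | chpasswd || return 1
    printf '%s\n%s\n' "$pw" "$pw" | smbpasswd $smbflags "$user"
}

# script_createUserHome: local account + private home directory + Samba account.
create_user_home() {
    user="$1"
    validate_username "$user" || { printf 'refusing user name\n' >&2; return 2; }
    if [ "${DRY_RUN:-0}" != 1 ] && id "$user" >/dev/null 2>&1; then
        printf 'user %s already exists\n' "$user" >&2; return 3
    fi
    pw="$(read_password)" || { printf 'no usable password on stdin\n' >&2; return 2; }
    run useradd --create-home --home-dir "$HOME_BASE/$user" --shell "$NOLOGIN" "$user" || return 1
    run chmod 0700 "$HOME_BASE/$user" || return 1
    set_passwords "$user" "$pw" add
}

# script_changeUserPassword: keep the Unix/Samba password in step with the
# password the user just changed in Production.
change_user_password() {
    user="$1"
    validate_username "$user" || { printf 'refusing user name\n' >&2; return 2; }
    if [ "${DRY_RUN:-0}" != 1 ] && ! id "$user" >/dev/null 2>&1; then
        printf 'user %s does not exist\n' "$user" >&2; return 3
    fi
    pw="$(read_password)" || { printf 'no usable password on stdin\n' >&2; return 2; }
    set_passwords "$user" "$pw" update
}

main() {
    case "${1:-}" in
        create)   create_user_home "${2:-}" ;;
        changepw) change_user_password "${2:-}" ;;
        *) printf 'usage: %s {create|changepw} <username>  (password on stdin)\n' "$0" >&2; return 64 ;;
    esac
}

# With no arguments the file only defines functions, so it can be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The name check is the part worth keeping whatever the rest looks like: because the script runs with root privileges on behalf of the web application, a user name such as `--root` or `alice;id` must be rejected before it reaches useradd. If the Samba on the Production host runs as an AD domain controller rather than a classic file server, smbpasswd is the wrong tool and samba-tool would be needed; since samba-tool receives the password as an argument, that variant should be run in a way that keeps the argument list out of reach of other local users.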