I consolidated group entries as described in the previous post.

By mistake, I initially set the same SID for "Domain Users" and "Domain Guests." So "net rpc user info someuser" would display the wrong output. I fixed this but had to my Samba 3.0.x BDC to get the update to stick. I also zapped all the *cache*.tdb files on that machine, which may have been a mistake.

Initially the Samba 3.0.x BDC would not start. smb.conf had the "guest account = nobody" entry, which had worked in the past. However, the error logs showed that "nobody" no longer existed. I had to create an ldap/samba "smb_nobody" user and group and update smb.conf for "guest account = smb_nobody." At that point Samba would start; however, I could not view or access the samba server in network neighborhood, or access any shares via "net use..." or "smbclient ..."

For the moment, I have reverted to the earlier smb.conf and disabled samba 3.4.x. My guess is that samba choked on loading groups that did not have a proper SID. I have about 230 unix/ldap groups and didn't want to have to create an explicit group mapping (SID entry) for each group.
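The consolidation described in the quoted message below (find unix groups and mapped groups that share a gidNumber, copy the sambaSID onto the unix-side entry, and rename it to the mapped group's cn) is the kind of thing worth scripting before touching 230 groups. The following is an added example, not code from this thread or from Samba: it parses a small constructed LDIF sample (DNs, gidNumbers and SIDs are made up; only the suffixes ou=smb_groups and ou=group come from the thread), reports the duplicate-gidNumber condition that the 3.4.x BDC tripped over, and emits the merged entries as LDIF for review.

```python
"""Detect duplicate gidNumbers across ou=smb_groups / ou=group and build the
consolidated group entries. Added example; the sample LDIF is constructed."""
from collections import defaultdict

# Constructed sample: one mapped group in ou=smb_groups, its unix counterpart in
# ou=group sharing gidNumber 1001 (the problem case), plus an unrelated group.
SAMPLE_LDIF = """\
dn: cn=Domain Administrators,ou=smb_groups,dc=example,dc=com
objectClass: sambaGroupMapping
objectClass: posixGroup
cn: Domain Administrators
gidNumber: 1001
sambaSID: S-1-5-21-111111111-222222222-333333333-512
sambaGroupType: 2

dn: cn=smb_domadmins,ou=group,dc=example,dc=com
objectClass: posixGroup
cn: smb_domadmins
gidNumber: 1001
memberUid: alice
memberUid: bob

dn: cn=staff,ou=group,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 2000
memberUid: carol
"""


def parse_ldif(text):
    """Minimal LDIF parser: list of dicts mapping attribute -> list of values.
    Entries are blank-line separated; a leading space marks a continuation line."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def find_gid_collisions(entries):
    """gidNumber -> list of DNs for every gid held by more than one entry.
    This is the condition that broke group-membership processing in 3.4.x."""
    by_gid = defaultdict(list)
    for e in entries:
        for gid in e.get("gidNumber", []):
            by_gid[gid].append(e["dn"][0])
    return {gid: dns for gid, dns in by_gid.items() if len(dns) > 1}


def consolidate(entries, smb_suffix="ou=smb_groups", unix_suffix="ou=group"):
    """For each gid shared by a mapping under smb_suffix and a unix group under
    unix_suffix, build the merged unix-side entry: renamed to the mapping's cn,
    carrying the mapping's sambaSID/sambaGroupType and the unix memberUid list.
    Returns a list of (old_unix_dn, merged_entry)."""
    by_gid = defaultdict(dict)
    for e in entries:
        dn = e["dn"][0]
        if f",{smb_suffix}," in dn:
            by_gid[e["gidNumber"][0]]["smb"] = e
        elif f",{unix_suffix}," in dn:
            by_gid[e["gidNumber"][0]]["unix"] = e
    merged = []
    for gid, sides in by_gid.items():
        if "smb" not in sides or "unix" not in sides:
            continue
        smb, unix = sides["smb"], sides["unix"]
        new_cn = smb["cn"][0]
        base = unix["dn"][0].split(",", 1)[1]  # parent of the old unix entry
        merged.append((unix["dn"][0], {
            "dn": [f"cn={new_cn},{base}"],
            "objectClass": sorted(set(unix["objectClass"]) | set(smb["objectClass"])),
            "cn": [new_cn],
            "gidNumber": [gid],
            "sambaSID": smb["sambaSID"],
            "sambaGroupType": smb.get("sambaGroupType", []),
            "memberUid": unix.get("memberUid", []),
        }))
    return merged


def to_ldif(entry):
    """Render one parsed entry back to LDIF lines."""
    return "\n".join(f"{attr}: {v}" for attr, values in entry.items() for v in values)


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    print("gid collisions:", find_gid_collisions(ents))
    for old_dn, new in consolidate(ents):
        print(f"\n# replace {old_dn} with:\n{to_ldif(new)}")
```

The script only produces LDIF for inspection; applying it to a live directory is a modrdn plus modify per group, and the thread's own caveat about Solaris and group names containing spaces still applies to the renamed cn. Running find_gid_collisions against an export of the real tree is also a cheap check that no other pair of entries shares a gidNumber before the 3.4.x server is switched back on.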

On 11/25/09 22:42, Gaiseric Vandal wrote:
I think I have found the problem:

Samba 3.0.x looks for group mappings in the "ldap group suffix" param.  On
my systems this is "ldap group suffix = ou=smb_groups."   Regular unix
groups are just in ou=groups.   Initially we had used NIS (then LDAP) for
unix groups, and had used tdbsam for the samba account backend.  Group
mappings were also in tdb.  When we moved to ldap backend, group mappings
were imported into ou=smb_groups.

Samba 3.4.x reads through the entire ldap tree.  Since I have both
"cn=Domain Administrators,ou=smb_groups" and "cn=smb_domadmins,ou=group"
both with the same gidNumber, group membership processing fails.

Therefore I think the solution will be to consolidate entries.  For
example,
    - Replace "cn=smb_domadmins,ou=group" with "cn=Domain Administrators,ou=group"
    - Copy the sambaSID from "cn=Domain Administrators,ou=smb_groups" to
      "cn=Domain Administrators,ou=group"
    - Repeat for all the other mapped groups
    - Update smb.conf on the 3.0.x servers to use "ldap group suffix = ou=group"


This is assuming of course that Solaris doesn't have problems with group
names with spaces.

-----Original Message-----
From: Gaiseric Vandal [mailto:[email protected]]
Sent: Wednesday, November 25, 2009 10:01 PM
To: [email protected]
Subject: RE: [Samba] samba 3.4.3 DC breaks Windows groups

I have done the following:

    - Added an index for sambaSID and other attributes as per the following:
      http://wiki.samba.org/index.php/2.0:_Configuring_LDAP
    - Replaced the samba 3.0 schema file in my LDAP Server (Sun Directory
      Server) with the 3.2 version
    - Installed samba 3.4.3 packages from Sun Freeware to replace those I
      compiled from source.
    - Reindexed with "dsconf reindex -h ldapserver -t sambaSID o=mydomain.com"

Unfortunately this did not resolve the group membership problem (i.e. a user
account only appears to be in its primary group).


Querying the Samba 3.4.x BDC

# net rpc user info Administrator -U Administrator -S BDC2
Enter Administrator's password:
Domain Users
#


Querying the Samba 3.0.x PDC

# net rpc user info Administrator -U Administrator -S PDC
Enter Administrator's password:
Domain Admins
Domain Users
#


As far as I can tell from the comments at the top of each ldif file, the
only change was the addition of sambaTrustedDomainPassword objectClasses.

On 11/25/09 03:41, Jan Wenzel wrote:

Gaiseric Vandal wrote:

I assume an index is not an actual LDAP attribute or object like
sambaSID but is more like a database index for optimizing searches?

You're right :) But in some cases like substring search (samba searches
i.e. for sambaSID=S-1-5-32-* to get the local groups) they are needed to
get results. I don't know where to configure the indexes exactly in SDS,
but I'm sure it is possible.

I use Sun's Directory Server (LDAP server) as the backend.  I use Apache
Directory Studio for managing objects and attributes within ldap.  I
should be able to use Sun's web-based console for creating the indexes.

Is there something I need to specify in smb.conf to tell Samba to use
the index?

Samba does not know anything about the configuration details of the LDAP
server, it only talks LDAP - so it should instantly show groups when the
index is present.


I also noticed that if I try to compile samba with Active Directory
support, configure fails with

configure: error: Active Directory support requires ldap_initialize

I would prefer to use the prebuilt linux packages from ftp.sernet.de (if
you have a linux system).


Since sun has ldap client support included in the OS I do not have
openldap installed.    I don't need Active Directory but it makes me
suspect that there may be some other ldap compatibility issues when
using Sun ldap client vs Openldap client.


Thanks

HTH
Jan


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba