On Sat, Jun 12, 2010 at 1:58 PM, Gaiseric Vandal <[email protected]> wrote:
> On each machine I would try running
>
> net groupmap list
>
> net user info someuser -U Administrator
>
> That is to make sure that the group mappings for key groups (e.g. Domain
> Users) are set up, to verify that users are in the groups you think they
> are. You don't need group mappings for all your user groups (you will see
> warnings in logs about missing SIDs), but for the well-known groups and
> groups used in shares you will need mappings.
>
> I found that when I moved to samba 3.4.x the ou=groups seemed to be
> ignored, and that the entire LDAP branch for the domain was searched for
> groups (I had had one ou for unix groups and one ou for group mappings.)
> The result was that access was broken if it required a user being in the
> "domain users" group, or "domain users" being in the local users group on
> the windows server.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Alberto Moreno
> Sent: Friday, June 11, 2010 9:27 PM
> To: [email protected]
> Subject: [Samba] Problems with ldap groups in share folders ACCESS_DENIED
>
> Hi, I have been working all week with samba 3.4.7 on Centos 5.5:
> PDC (3.4.7) with LDAP backend + Centos 5.5 (3.4.7) BDC with LDAP slave.
>
> I already have 5 clients joined.
>
> 1 Windows XP
> 1 Windows 7 UE
> 1 Centos 5.5 Desktop
> 1 Ubuntu 9.x
> 1 Centos 5.5
>
> I can browse inside windows and see my clients, access some shares. I
> want to create private shares inside my PDC, I use:
>
> force group
> valid users
> write list
>
> I create a group with smbldap-tools named "it", add 2 users: test1, test2.
>
> Centos PDC and others are able to get users+groups from LDAP:
>
> id test1
> uid=10001(test1) gid=513(Domain Users) groups=513(Domain Users),10001(it)
>
> getent passwd
> root:x:0:0:root:/root:/bin/bash
> bin:x:1:1:bin:/bin:/sbin/nologin
> daemon:x:2:2:daemon:/sbin:/sbin/nologin
> adm:x:3:4:adm:/var/adm:/sbin/nologin
> lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
> sync:x:5:0:sync:/sbin:/bin/sync
> shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
> halt:x:7:0:halt:/sbin:/sbin/halt
> mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
> news:x:9:13:news:/etc/news:
> uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
> operator:x:11:0:operator:/root:/sbin/nologin
> games:x:12:100:games:/usr/games:/sbin/nologin
> gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
> ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
> nobody:x:99:99:Nobody:/:/sbin/nologin
> nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
> vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
> rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
> sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
> dbus:x:81:81:System message bus:/:/sbin/nologin
> avahi:x:70:70:Avahi daemon:/:/sbin/nologin
> haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
> avahi-autoipd:x:100:102:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
> exim:x:93:93::/var/spool/exim:/sbin/nologin
> ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
> pcap:x:77:77::/var/arpwatch:/sbin/nologin
> apache:x:48:48:Apache:/var/www:/sbin/nologin
> root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
> nobody:x:999:514:nobody:/dev/null:/bin/false
> rot:x:1004:513:System User:/home/rot:/sbin/nologin
> smbbdc$:*:1005:515:Computer:/dev/null:/bin/false
> pim-win7ue$:*:1006:515:Computer:/dev/null:/bin/false
> test1:x:10001:513:Test Test Uno:/home/test1:/sbin/nologin
> test2:x:10002:513:Test Test2:/home/test2:/bin/bash
> smbpdc$:*:1007:515:Computer:/dev/null:/bin/false
> pim-winxpa$:*:1008:515:Computer:/dev/null:/bin/false
> pim-ubuntu$:*:1009:515:Computer:/dev/null:/bin/false
> pim-centos1$:*:1010:515:Computer:/dev/null:/bin/false
>
> getent group
>
> root:x:0:root
> bin:x:1:root,bin,daemon
> daemon:x:2:root,bin,daemon
> sys:x:3:root,bin,adm
> adm:x:4:root,adm,daemon
> tty:x:5:
> disk:x:6:root
> lp:x:7:daemon,lp
> mem:x:8:
> kmem:x:9:
> wheel:x:10:root
> mail:x:12:mail,exim
> news:x:13:news
> uucp:x:14:uucp
> man:x:15:
> games:x:20:
> gopher:x:30:
> dip:x:40:
> ftp:x:50:
> lock:x:54:
> nobody:x:99:
> users:x:100:
> nscd:x:28:
> floppy:x:19:
> vcsa:x:69:
> utmp:x:22:
> utempter:x:35:
> slocate:x:21:
> audio:x:63:
> rpc:x:32:
> ecryptfs:x:101:
> sshd:x:74:
> dbus:x:81:
> avahi:x:70:
> haldaemon:x:68:
> avahi-autoipd:x:102:
> exim:x:93:
> ldap:x:55:
> screen:x:84:
> pcap:x:77:
> apache:x:48:
> Domain Admins:*:512:root
> Domain Users:*:513:test1
> Domain Guests:*:514:
> Domain Computers:*:515:
> Administrators:*:544:
> Account Operators:*:548:
> Print Operators:*:550:
> Backup Operators:*:551:
> Replicators:*:552:
> it:*:10001:test1,test2ll
>
> I can add ldap groups to directories:
>
> total 2088
> drwxrwx--- 5 root it 4096 Jun 8 19:32 it
>
> This is my smb.conf for this share:
> [sis]
> path = /opt/it
> available = Yes
> browseable = Yes
> read only = No
> guest ok = No
> writeable = Yes
> valid users = @it
> write list = @PIMPOM\it
> directory mode = 0770
>
> I have tried:
> valid users: @it
> valid users = \it
> valid users = @PIMPOM\it
>
> the same for write list, combinations, etc., and cannot make this happen.
>
> If I handle this by user it works, example:
>
> valid users = test1
> write list = test1
>
> I just need this small thing to work and done.
>
> log:
>
> [2010/06/08 19:52:04, 3] smbd/process.c:1273(switch_message)
>   switch message SMBtconX (pid 11075) conn 0x0
> [2010/06/08 19:52:04, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/06/08 19:52:04, 5] auth/token_util.c:522(debug_nt_user_token)
>   NT user token: (NULL)
> [2010/06/08 19:52:04, 5] auth/token_util.c:548(debug_unix_user_token)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2010/06/08 19:52:04, 5] smbd/uid.c:368(change_to_root_user)
>   change_to_root_user: now uid=(0,0) gid=(0,0)
> [2010/06/08 19:52:04, 4] smbd/reply.c:680(reply_tcon_and_X)
>   Client requested device type [?????] for share [SIS]
> [2010/06/08 19:52:04, 5] smbd/service.c:1216(make_connection)
>   making a connection to 'normal' service sistemas
> [2010/06/08 19:52:04, 3] lib/access.c:362(only_ipaddrs_in_list)
>   only_ipaddrs_in_list: list has non-ip address (127.)
> [2010/06/08 19:52:04, 3] lib/access.c:396(check_access)
>   check_access: hostnames in host allow/deny list.
> [2010/06/08 19:52:04, 2] lib/access.c:406(check_access)
>   Allowed connection from 172.16.5.204 (172.16.5.204)
> [2010/06/08 19:52:04, 3] lib/util_sid.c:228(string_to_sid)
>   string_to_sid: Sid @PIMPOM\it does not start with 'S-'.
> [2010/06/08 19:52:04, 5] smbd/password.c:403(user_in_netgroup)
>   Unable to get default yp domain, let's try without specifying it
> [2010/06/08 19:52:04, 5] smbd/password.c:407(user_in_netgroup)
>   looking for user test1 of domain (ANY) in netgroup PIMPOM\it
> [2010/06/08 19:52:04, 5] smbd/password.c:423(user_in_netgroup)
>   looking for user test1 of domain (ANY) in netgroup PIMPOM\it
> [2010/06/08 19:52:04, 3] smbd/sec_ctx.c:210(push_sec_ctx)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2010/06/08 19:52:04, 3] smbd/uid.c:428(push_conn_ctx)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2010/06/08 19:52:04, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2010/06/08 19:52:04, 5] auth/token_util.c:522(debug_nt_user_token)
>   NT user token: (NULL)
> [2010/06/08 19:52:04, 5] auth/token_util.c:548(debug_unix_user_token)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2010/06/08 19:52:04, 5] lib/smbldap.c:1295(smbldap_search_ext)
>   smbldap_search_ext: base => [dc=pimpom,dc=loc], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=it)(cn=it)))], scope => [2]
> [2010/06/08 19:52:04, 2] passdb/pdb_ldap.c:2434(init_group_from_ldap)
>   init_group_from_ldap: Entry found for group: 10001
> [2010/06/08 19:52:04, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/06/08 19:52:04, 2] smbd/service.c:596(create_connection_server_info)
>   user 'test1' (from session setup) not permitted to access this share (SIS)
> [2010/06/08 19:52:04, 1] smbd/service.c:676(make_connection_snum)
>   create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
> [2010/06/08 19:52:04, 3] smbd/error.c:60(error_packet_set)
>   error packet at smbd/reply.c(689) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
> [2010/06/08 19:52:04, 5] lib/util.c:632(show_msg)
> [2010/06/08 19:52:04, 5] lib/util.c:642(show_msg)
>
> My smb.conf general settings are:
>
> [global]
> workgroup = PIMPOM
> server string = PDC Domain
> netbios name = SMBPDC
> hosts allow = 172.16.0.0/16 127.
> interfaces = eth0, lo
> bind interfaces only = Yes
> deny hosts = 0.0.0.0
> # passwd backend
> encrypt passwords = yes
> passdb backend = ldapsam:ldap://127.0.0.1/
> enable privileges = yes
> pam password change = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *New*UNIX*password* %nn
> *ReType*new*UNIX*password* %nn *
> passwd:*all*authentication*tokens*updated*successfully*
> unix password sync = Yes
>
> # Log options
> log level = 5
> log file = /var/log/samba/%m.%U.log
> max log size = 500
> syslog = 1
>
> # Name resolution
> name resolve order = wins hosts bcast lmhost
>
> # misc
> timeserver = No
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> # Dos-Attribute
> map hidden = No
> map system = No
> map archive = No
> map read only = No
> store dos attributes = Yes
> host msdfs = No
> # printers - configured to use CUPS and automatically load them
> load printers = No
> printcap name =
> #printing =
> cups options =
> show add printer wizard = No
>
> # scripts invoked by samba
> add user script = /usr/sbin/smbldap-useradd -m %u
> delete user script = /usr/sbin/smbldap-userdel %u
> add group script = /usr/sbin/smbldap-groupadd -p %g
> delete group script = /usr/sbin/smbldap-groupdel %g
> add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
> delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
> set primary group script = /usr/sbin/smbldap-usermod -g %g %u
> add machine script = /usr/sbin/smbldap-useradd -w %m
>
> # LDAP-iConfiguration
> #ldap delete dn = Yes
> ldap ssl = off
> ldap passwd sync = Yes
> ldap suffix = dc=pimpom,dc=loc
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=Manager,dc=pimpom,dc=loc
> idmap backend = ldap:ldap://127.0.0.1
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> # logon options
> logon script =
> logon path =
> logon path =
> logon home =
> logon drive =
>
> # setting up as domain controller
> username map = /home/samba/usermap
> preferred master = Yes
> wins support = Yes
> domain logons = Yes
> domain master = Yes
> local master = Yes
> os level = 64
> map acl inherit = Yes
> unix charset = UTF8
> password level = 6
>
> Do you see any issues with my settings?
>
> Thanks for your time, any help will be appreciated!!!
> --
> Living the dream...
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Mmm, interesting. In this case you have something like:

ou=Group
ou=Groups

under the same domain? How do you handle this, or could you explain it in more detail? I would appreciate it, thanks!!!
--
Living the dream...
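To see how smbd resolves entries such as `@it` and `@PIMPOM\it` from the share config quoted above, here is an added shell script (written for this page, not taken from the thread or from Samba) that emulates the list-matching rules of smb.conf(5) over constructed `getent` lines in the shape of those quoted in the thread; it also generalises beyond the single `@it` case to the `+` and `&` prefixes and to comma-separated lists mixing users and groups. `in_unix_group`, `share_allows`, `GROUP_DB` and `PASSWD_DB` are hypothetical names, and the script assumes no NIS netgroups exist and that a leading `DOMAIN\` qualifier is simply dropped.

```shell
#!/bin/sh
# Constructed sample in the shape of the `getent group` and `getent passwd`
# lines quoted in the thread; not real system output.
GROUP_DB='Domain Admins:*:512:root
Domain Users:*:513:test1
it:*:10001:test1,test2ll'
PASSWD_DB='test1:x:10001:513:Test Test Uno:/home/test1:/sbin/nologin
test2:x:10002:513:Test Test2:/home/test2:/bin/bash'

# Is user $1 in Unix group $2, by primary gid or by the member list?
in_unix_group() {
    user=$1; group=$2
    line=$(printf '%s\n' "$GROUP_DB" | awk -F: -v g="$group" '$1 == g')
    [ -n "$line" ] || return 1
    gid=$(printf '%s\n' "$line" | cut -d: -f3)
    if printf '%s\n' "$PASSWD_DB" |
       awk -F: -v u="$user" -v g="$gid" '$1 == u && $4 == g { f = 1 } END { exit !f }'
    then return 0; fi
    # Member names must match exactly: "test2ll" does not make test2 a member.
    printf '%s\n' "$line" | cut -d: -f4 | tr ',' '\n' | grep -qxF "$user"
}

# Emulate how smbd matches user $1 against a "valid users" / "write list"
# value $2 (hypothetical helper, not Samba code). Prefix rules follow
# smb.conf(5) and the lookup order in the quoted log: '@name' tries a NIS
# netgroup, then a Unix group; '+name' is Unix group only; '&name' is
# netgroup only; an unprefixed entry is a user name. Assumed: no NIS
# netgroups exist, a leading 'DOMAIN\' is dropped, and the combined
# '+&' / '&+' prefixes are not handled.
share_allows() {
    user=$1; list=$2
    for entry in $(printf '%s' "$list" | tr ',' ' '); do
        case $entry in
            @*|+*|\&*) prefix=$(printf '%.1s' "$entry"); name=${entry#?} ;;
            *)         prefix=; name=$entry ;;
        esac
        name=${name##*\\}                       # drop DOMAIN\ qualifier
        case $prefix in
            '')  [ "$name" = "$user" ] && return 0 ;;
            '&') : ;;                           # netgroup only: none here
            *)   in_unix_group "$user" "$name" && return 0 ;;
        esac
    done
    return 1
}

# Usage: the [sis] share from the thread, as the quoted config spells it.
share_allows test1 '@it' && echo "test1: allowed by @it"
share_allows test2 '@it' || echo "test2: denied by @it"
```

Run against the real system, the two sample variables would be replaced by `getent group` and `getent passwd` output, which is exactly what Gaiseric's `net groupmap list` / `net user info` check compares the LDAP side against.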
