Is this machine configured as a PDC? I partially misread your earlier e-mail - I missed that you had typed "pdbedit -Lv Test" rather than "pdbedit -Lv."

What does "getent passwd Test" show? I would guess it will show that Test has a primary group of "39901." I would guess that group "39901" does not exist OR is in a part of the ldap tree that samba does not search for groups. You could have samba configured (in smb.conf) to create idmap entries in "ou=idmap,dc=mydomain,dc=com" while your "ldap group suffix" points to "ou=groups,dc=mydomain,dc=com."

You may want to explicitly set your user's primary group to a group you know is valid. In my setup, users have a primary group called, for example, "research." The research group is defined in ldap as both a unix group and windows group. It has a SID so that "net groupmap list" will show it as a valid mapping.

I have a lot of ldap groups - they don't all need to be defined as samba (windows) groups but any groups that are either "well known windows" groups or primary user groups are.

On 06/08/12 08:18, Cédric Carlen wrote:
> The wbinfo command doesn't work in my server ^^,
>
> but when i tape pdbedit -Lv | more, i've got :
>
> smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAINTEST))]
> smbldap_open_connection: connection opened
> ldap_connect_system: successful connection to the LDAP server
> The LDAP server is successfully connected
> smbldap_search_paged: base => [dc=my,dc=test], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
> smbldap_search_paged: search was successful
> init_sam_from_ldap: Entry found for user: root
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=0))
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=0))
> init_sam_from_ldap: Entry found for user: nobody
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=65534))
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=65534))
> init_sam_from_ldap: Entry found for user: kimdotcom
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=0))
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=0))
> init_sam_from_ldap: Entry found for user: Test
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=39901))
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=39901))
> init_sam_from_ldap: Entry found for user: test1
> init_group_from_ldap: Entry found for group: 513
>
> 2012/6/8 Gaiseric Vandal <[email protected]>
>
> That looks good. Not all well known groups need to be mapped. Domain Admins is one of the groups that needs to be. I would add mappings for “Authenticated Users” and some of the other ones just to rule them out as causing problems, although I don’t really think is the issue. I don’t make heavy use of group policies but I do see that “authenticated users” appear in some policies.
>
> Group “33901” has such a high GID- is it allocated by Winbind or IDMAP. Can you post your sanitized idmap and group sections of smb.conf
>
> On my machine (Samba 3.5.x PDC, winbind/idmap not used for users or groups in the domain)
>
> # pdbedit -Lv | more
> smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MY_DOMAIN_NAME))]
> smbldap_open_connection: connection opened
> ldap_connect_system: successful connection to the LDAP server
>
> My guess is that your system has allocated group 33901 as your default samba user group or some critical well known windows group. Maybe idmap created the group in one section of the ldap tree (or in a local TDB file) but the main samba process does not search for groups. What does the following show?
>
> #wbinfo -g
> #wbinfo --gid-info=33901
>
> You can also use wbinfo to lookup the gid from sid or vice versa. Or you can browse the idmap created groups with an ldap editor.
>
> *From:* Cédric Carlen [mailto:[email protected]]
> *Sent:* Friday, June 08, 2012 3:25 AM
> *To:* [email protected]
> *Subject:* Re: [Samba] ldapsam_getgroup
>
> The net groupmap list give me :
>
> Domain Admins (S-1-5-21-2027065376-1956064403-1110974320-512) -> Domain Admins
> Domain Users (S-1-5-21-2027065376-1956064403-1110974320-513) -> Domain Users
> Domain Guests (S-1-5-21-2027065376-1956064403-1110974320-514) -> Domain Guests
> Domain Computers (S-1-5-21-2027065376-1956064403-1110974320-515) -> Domain Computers
> Administrators (S-1-5-32-544) -> Administrators
> Account Operators (S-1-5-32-548) -> Account Operators
> Print Operators (S-1-5-32-550) -> Print Operators
> Backup Operators (S-1-5-32-551) -> Backup Operators
> Replicators (S-1-5-32-552) -> Replicators
>
> 2012/6/8 Cédric Carlen <[email protected]>
>
> Hi,
>
> When I make pdbedit -Lv Test there is a problem :
>
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=39901))
> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=39901))
> ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-2027065376-1956064403-1110974320-513] count=0
>
> I have the SID S-1-5-21-2027065376-1956064403-1110974320-513, but not the gidNumber 39901 in my base.
>
> Do you think that it could be the fact that samba doesn't recognize the password policy of LDAP ???
>
> Cédric
>
> 2012/6/8 Gaiseric Vandal <[email protected]>
>
> Well known groups are things like "Domain Administrators" and "Administrators" - they always have the same SID or RID (relative ID.) With an LDAP backend, you may have winbind/idmap automatically allocating unix group id's so this may be hidden from you. In my environment I support linux clients (ssh and nfs) so I still have to manage unix uid's and gid's. It means I also have to create unix groups that represented any windows groups.
>
> On the unix server, as root in a unix session, can you see the owner, group and permissions on the files you are creating from windows? If you run "pdbedit -Lv somesambauser" you should see the name of the unix account for that user. Is there a mismatch? Can you set file permissions via unix so that the windows users can see them? Have you defined any force user, force group or force mask options on the file share?
>
> -----Original Message-----
> From: Murthy [mailto:[email protected]]
> Sent: Thursday, June 07, 2012 6:49 PM
> To: [email protected]
> Subject: Re: [Samba] ldapsam_getgroup
>
> Hello:
>
> I am not sure what you mean by setup Unix groups and domain mappings for additional windows "well known groups".
>
> I tried the following experiment. I changed the permissions on the directory to 777 and mapped it to a share. I am able to see all the directories in that share directory (i.e all sub-directories). However, I cannot see any individual files. Same thing happens if a create new subdirectories. I can see newly created sub-directories but I cannot see any individual files.
>
> I have been working on this for about 3 days now. I am really frustrated why things have to be so complicated.
>
> Murthy
>
> On Jun 7, 2012, at 9:46 AM, Gaiseric Vandal wrote:
>
> > You may need to set up unix groups and domain mappings for some additional windows "well known groups" (google for windows well known groups.)
> >
> > on my server I can see my group mappings:
> >
> > # net groupmap list
> > .....
> > Domain Users (S-1-5-21-xxxxx-xxxx-xxxxx-513) -> Domain Users
> > Administrators (S-1-5-32-544) -> Builtin Admins
> > Domain Controllers (S-1-5-21-xxxxx-xxxx-xxxxx-516) -> Domain Controllers
> > ....
> > Authenticated Users (S-1-5-11) -> Authenticated Users
> > Network (S-1-5-2) -> Network
> > Everyone (S-1-1-0) -> Everyone
> > ....
> >
> > So
> >
> > #net groupmap add ntgroup="Authenticated Users" unixgroup=xxx sid="S-1-5-11"
> >
> > Or you can update in ldap.
> >
> > On 06/07/12 05:56, Cédric Carlen wrote:
> >> Hello, hello
> >>
> >> I'm writing you this email because when i want to set up a password policy with LDAP, this one isn't recognized by samba.
> >>
> >> In the log i've got this :
> >>
> >> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-11))
> >> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-2))
> >> ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-1-0))
> >>
> >> When i look with LdapAdmin, i don't have SID like this. Why ldap check this SID if they don't exist ?
> >>
> >> Thanks for your help
> >>
> >> Flake
> >>
> >> P.S.: I don't paste files, because I don't know which one could help
> >
> > --
> > To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>
> --
> Cédric CARLEN
> Engineering student at TELECOM Lille 1
> Class FI15
> ☎06.59.42.81.55
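
An added example, not code from the thread or from the Samba project: a Python triage helper that reads debug output like the lines quoted above, groups the failed sambaGroupMapping lookups by gidNumber and account, and lists looked-up SIDs that `net groupmap list` does not show. The sample log and groupmap text are constructed from lines in this thread, and the name `triage` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample built from the debug lines quoted in this thread; one
# filter is wrapped onto the next line, the way the mail client wrapped it.
SAMBA_LOG = """\
init_sam_from_ldap: Entry found for user: root
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=0))
init_sam_from_ldap: Entry found for user: kimdotcom
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=0))
init_sam_from_ldap: Entry found for user: Test
ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(gidNumber=39901))
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=39901))
init_sam_from_ldap: Entry found for user: test1
init_group_from_ldap: Entry found for group: 513
ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-11))
"""
# Constructed sample of `net groupmap list` output, same format as in the thread.
GROUPMAP = """\
Domain Users (S-1-5-21-2027065376-1956064403-1110974320-513) -> Domain Users
Administrators (S-1-5-32-544) -> Administrators
"""

EVENT = re.compile(
    r"Entry found for user: (?P<user>\S+)"
    r"|Did not find group, filter was\s+\(&\(objectClass=sambaGroupMapping\)"
    r"\((?P<attr>gidNumber|sambaSID)=(?P<val>[^)]+)\)\)")
MAPPED_SID = re.compile(r"\((S-[\d-]+)\) -> ")


def triage(log, groupmap):
    """Return ({gid: [users]}, [sids]) for lookups that found no sambaGroupMapping."""
    gid_users, sids, user = defaultdict(list), set(), None
    for m in EVENT.finditer(log):
        if m["user"]:
            user = m["user"]  # gidNumber misses that follow belong to this account
        elif m["attr"] == "gidNumber":
            if user not in gid_users[int(m["val"])]:  # each miss is logged twice
                gid_users[int(m["val"])].append(user)
        else:
            sids.add(m["val"])
    # Drop SIDs that net groupmap list does show, in case the log is stale.
    return dict(gid_users), sorted(sids - set(MAPPED_SID.findall(groupmap)))


if __name__ == "__main__":
    gids, sids = triage(SAMBA_LOG, GROUPMAP)
    for gid, users in sorted(gids.items()):
        print(f"gidNumber={gid}: no sambaGroupMapping, looked up for {users}")
    for sid in sids:
        print(f"{sid}: looked up, absent from net groupmap list")
```

Each gidNumber it reports can then be checked with "getent group" and, if it is a primary user group, given a mapping as described in the reply above.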
