Hi List,

I created a domain member server in my samba domain.
I started to realize that there were some issues when colleagues could not access some folders in their shares. After searching for a solution I found that on that member server I have no "samba" groups available.

First of all my setup:
Domain controller:
CentOS 6.2 x86_64, latest updates installed
Samba 3.5.10 (from CentOS repo: samba-3.5.10-116.el6_2.x86_64)
LDAP backend (OpenLDAP from CentOS repo: openldap-2.4.23-20.el6.x86_64)

Domain member:
exactly the same OS and versions as on the domain controller
also with LDAP backend

I followed the instructions from http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html (Procedure 7.1. Configuration of NSS_LDAP-Based Identity Resolution) for adding the member server. (BTW: if anyone on this list has access to this guide, paragraph 8: the "wbinfo --set-auth-user=" has been replaced with "net setauthuser".) Both servers access the same LDAP directory for the Linux accounts and for Samba, incl. IDMAPs.
Everything in this guide worked as described.

"getent passwd" and "getent groups" work successfully on both servers (show all entries from LDAP)
"net rpc group list" shows all groups correctly on the PDC
"net groupmap list" shows all group mappings correctly on the PDC

On the member server though:
"net rpc group list" only gives me Administrators and Users
"net groupmap list" only gives me:
Administrators (S-1-5-32-544) -> 16777216
Users (S-1-5-32-545) -> 16777217

I also tried to run winbind on the domain member, on domain member+PDC, and without winbind at all (we only have this one domain, do I even need winbind then? As I understood, it would only be needed if I have multiple domains running. Is this correct?)
But these commands always show me the same output on the member server.

Should these commands even produce more output on domain members? Or is it just for PDCs?

smb.confs from both servers are added at the end.

Thanks in advance!
best regards,
philipp

PS: some additional info to our "folder sharing system":
All users only connect to their home share. Inside this share we add symbolic links to the allowed group shares of the user. These group share folders are owned by root; the group is one of the (allowed) user groups. The directory mask is 770 and the group-sticky bit is set.


smb.conf from PDC:

[root@srvad1 samba]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
WARNING: The "share modes" option is deprecated
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
    workgroup = ATV
    server string = SRVAD1
    interfaces = 192.168.249.0/24, 127.0.0.1/8
    passdb backend = ldapsam:ldap://192.168.249.7/
    log file = /var/log/samba/%m.log
    max log size = 50
    smb ports = 139
    time server = Yes
    unix extensions = No
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    printcap name = CUPS
    add user script = /usr/sbin/smbldap-useradd -m
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
    logon script = login.bat
    logon path =
    logon drive = U:
    logon home = \\SRVFILE1\%U
    domain logons = Yes
    os level = 65
    preferred master = Auto
    domain master = Yes
    dns proxy = No
    wins support = Yes
    ldap admin dn = cn=Manager,dc=at-visions,dc=com
    ldap delete dn = Yes
    ldap group suffix = ou=Groups,o=default
    ldap machine suffix = ou=Computers,ou=Samba,ou=System
    ldap passwd sync = yes
    ldap suffix = dc=at-visions,dc=com
    ldap ssl = no
    ldap user suffix = ou=Users,o=default
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    cups options = raw
    case sensitive = No
    veto files = /.*/
    hide files = /.*/
    locking = No
    wide links = Yes
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

[netlogon]
    path = /home/samba/netlogon
    share modes = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    write list = @adm, root
    guest ok = Yes

smb.conf from domain member:

[root@srvfile1 samba]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
    unix charset = LOCALE
    workgroup = ATV
    server string = SRVFILE1
    interfaces = 192.168.249.0/24, 127.0.0.1/8
    security = DOMAIN
    log level = 4 ads:10 auth:10 sam:10
    syslog = 0
    log file = /var/log/samba/%m.log
    max log size = 50
    smb ports = 139
    name resolve order = wins bcast hosts
    unix extensions = No
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    os level = 65
    wins server = 192.168.249.1
    ldap admin dn = cn=Manager,dc=at-visions,dc=com
    ldap group suffix = ou=Groups,o=default
    ldap idmap suffix = ou=Idmap,ou=Samba,ou=System
    ldap machine suffix = ou=Computers,ou=Samba,ou=System
    ldap suffix = dc=at-visions,dc=com
    ldap ssl = no
    ldap user suffix = ou=Users,o=default
    case sensitive = No
    veto files = /.*/
    hide files = /.*/
    locking = No
    wide links = Yes
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    create mask = 0660
    force directory mode = 02770
    veto files = /*Maildir*/*.procmail*/*.spam*/*.profile*/.bash*/
    browseable = No
    level2 oplocks = No

Stats from PDC:
[root@srvad1 samba]# rpm -qa | grep samba
samba-3.5.10-116.el6_2.x86_64
samba-common-3.5.10-125.el6.x86_64
samba-winbind-3.5.10-125.el6.x86_64
samba-winbind-clients-3.5.10-125.el6.x86_64
samba-client-3.5.10-125.el6.x86_64
[root@srvad1 samba]# rpm -qa | grep ldap
smbldap-tools-0.9.8-1.el6.noarch
openldap-2.4.23-20.el6.x86_64
nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64
openldap-clients-2.4.23-20.el6.x86_64
pam_ldap-185-11.el6.x86_64
[root@srvad1 samba]# net rpc group list
Enter root's password:
Admins
Default
Domain Admins
Domain Users
IT
VISIONS
termuser
GL
mailOnly
Marketing
FUTURE
WEB
Projects
OMCmonitor
ATVASIA
ATVAUSTRIA
Domain Computers
TimeSheetReports
[root@srvad1 samba]# net groupmap list
Admins (S-1-5-21-3998129111-2374863605-1514640864-3005) -> Admins
Default (S-1-5-21-3998129111-2374863605-1514640864-3007) -> Default
Domain Admins (S-1-5-21-3998129111-2374863605-1514640864-512) -> Domain Admins
Domain Users (S-1-5-21-3998129111-2374863605-1514640864-513) -> Domain Users
IT (S-1-5-21-3998129111-2374863605-1514640864-3207) -> IT
VISIONS (S-1-5-21-3998129111-2374863605-1514640864-3211) -> VISIONS
termuser (S-1-5-21-3998129111-2374863605-1514640864-3217) -> termuser
GL (S-1-5-21-3998129111-2374863605-1514640864-3099) -> GL
mailOnly (S-1-5-21-3998129111-2374863605-1514640864-3125) -> mailOnly
Marketing (S-1-5-21-3998129111-2374863605-1514640864-3139) -> Marketing
FUTURE (S-1-5-21-3998129111-2374863605-1514640864-3141) -> FUTURE
WEB (S-1-5-21-3998129111-2374863605-1514640864-3143) -> WEB
Projects (S-1-5-21-3998129111-2374863605-1514640864-3145) -> Projects
OMCmonitor (S-1-5-21-3998129111-2374863605-1514640864-3149) -> OMCmonitor
ATVASIA (S-1-5-21-3998129111-2374863605-1514640864-3151) -> ATVASIA
ATVAUSTRIA (S-1-5-21-3998129111-2374863605-1514640864-3153) -> ATVAUSTRIA
Domain Computers (S-1-5-21-3998129111-2374863605-1514640864-515) -> Domain Computers
TimeSheetReports (S-1-5-21-3998129111-2374863605-1514640864-3159) -> TimeSheetReports

Stats from domain member:
[root@srvfile1 samba]# rpm -qa | grep samba
samba-3.5.10-116.el6_2.x86_64
samba-common-3.5.10-116.el6_2.x86_64
samba-winbind-3.5.10-116.el6_2.x86_64
samba-winbind-clients-3.5.10-116.el6_2.x86_64
[root@srvfile1 samba]# rpm -qa | grep ldap
openldap-2.4.23-20.el6.x86_64
pam_ldap-185-11.el6.x86_64
nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64
[root@srvfile1 samba]# net rpc group list
Enter root's password:
Administrators
Users
[root@srvfile1 samba]# net groupmap list
Administrators (S-1-5-32-544) -> 16777216
Users (S-1-5-32-545) -> 16777217


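As an added example (not part of the original post and not a Samba tool), a small POSIX shell helper that parses `net groupmap list` output in the form shown above and flags mappings whose Unix side is printed as a bare GID. Samba prints the number only when the mapped gid cannot be resolved to a group name through NSS (getgrgid), so a bare number on the member, as in the two lines above, is the first thing to check; the function names and the embedded sample lines are constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: classify `net groupmap list`
# output. Each mapping line has the form
#   <NT group name> (<SID>) -> <Unix group name or bare gid>
# Samba prints the bare gid only when getgrgid() fails for that gid, i.e.
# the mapping exists but NSS on this host cannot resolve the Unix group.

# Read mappings on stdin; print one tab-separated record per mapping:
#   <NT name>  <SID>  <Unix target>  <named|unresolved-gid|empty>
classify_groupmap() {
    while IFS= read -r line; do
        # Skip anything that is not a mapping line (prompts, blanks, ...)
        case "$line" in
            *' (S-1-'*') -> '*) ;;
            *) continue ;;
        esac
        name=${line%%' (S-1-'*}        # everything before " (S-1-"
        rest=${line#*' (S-1-'}         # e.g. "5-32-544) -> 16777216"
        sid="S-1-${rest%%)*}"          # re-attach the stripped prefix
        target=${line##*'-> '}         # text after the last "-> "
        case "$target" in
            '')       status=empty ;;           # malformed line
            *[!0-9]*) status=named ;;           # resolved to a group name
            *)        status=unresolved-gid ;;  # getgrgid() failed on host
        esac
        printf '%s\t%s\t%s\t%s\n' "$name" "$sid" "$target" "$status"
    done
}

# Number of mappings on stdin whose Unix side did not resolve to a name.
count_unresolved() {
    classify_groupmap | grep -c 'unresolved-gid$' || true
}

# Constructed sample: the two lines the member server printed in the post,
# plus one PDC line for contrast. Live use: net groupmap list | classify_groupmap
SAMPLE='Administrators (S-1-5-32-544) -> 16777216
Users (S-1-5-32-545) -> 16777217
Domain Users (S-1-5-21-3998129111-2374863605-1514640864-513) -> Domain Users'

printf '%s\n' "$SAMPLE" | classify_groupmap
```

Any record ending in `unresolved-gid` means the host's NSS (here nss-pam-ldapd against the LDAP group and idmap suffixes) cannot turn that gid into a group name, which is worth checking with `getent group <gid>` before looking at the Samba side.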
