Hello again, I do not know what
On Tue, Nov 27, 2012 at 9:08 PM, Harry Jede <[email protected]> wrote:

> On 20:15:56 wrote Andrej Šimko:
> > net getdomainsid
> > SID for local machine HOST is: S-1-5-21-2390795950-2727105968-4008069955
> > SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955
> >
> > I compared my smb.conf with yours. I have "ldap suffix" before
> > "ldap group suffix".
> >
> > I switched that but result still the same.
> >
> > ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
> > dn: cn=admin,dc=example,dc=sk
> >
> > tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too )
> >
> > ldapsearch -LLLY external -H ldapi:/// "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" 2>/dev/null
> > dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
> > objectClass: sambaSidEntry
> > objectClass: sambaGroupMapping
> > sambaSID: S-1-5-32-545
> > sambaGroupType: 4
> > displayName: Users
> > gidNumber: 10000
> > sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513
>
> Sorry, that I haven't seen this in your mail at 09:07
>
> This is a working group object:
>
> # ldapsearch -LLLY external -H ldapi:/// "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" 2>/dev/null
> dn: cn=users,ou=groups,dc=europa,dc=xx
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 545
> cn: users
> description: Netbios Domain Users
> sambaSID: S-1-5-32-545
> sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513
> sambaGroupType: 4
> displayName: Users
>
>
> The main difference is the objectclass posixGroup instead of
> sambaSidEntry.
> Samba Group Mapping is not a simple task. Your definition with
> objectclass=sambasidentry is not totally wrong, but the intended use is
> that you store your posixgroups in /etc/group or in NIS.
> With an LDAP backend that is not the best approach.
>
>

I don't understand what you are trying to say :( Do you think that if I have all necessary groups in /etc/group or in NIS, then the Windows computer will find groups in the domain?

I still don't understand why the LDAP search filter generated by Samba (I have this from the Samba log) cannot find anything in the database:

smbldap_search_paged: base => [dc=gymsnv,dc=sk], filter => [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope => [2], pagesize => [1024]
[2012/11/29 18:15:14.227560, 3] lib/smbldap.c:1591(smbldap_search_paged)
  smbldap_search_paged: search was successful
[2012/11/29 18:15:14.227647, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
  free_pipe_context: destroying talloc pool of size 0

If I remove sambaSID and try to find it in LDAP, I will get all my groups.

Filter = (&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=*))

Is this normal behavior, or can my LDAP configuration be incorrect?

> Here the three standard definitions with objectclass=posixgroup
>
> ###
> A primary group: posix and windows primary
> members should NOT be stored here
>
> dn: cn=teachers,ou=groups,dc=europa,dc=xx
> cn: teachers
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 1001
> sambaSID: S-1-5-21-3958726613-3318811842-4132420312-3003
> sambaGroupType: 2
> displayName: teachers
>
> # getent group teachers
> teachers:*:1001:
>
> # net rpc group members teachers
> # <nothing>
>
>
>
> ###
> A regular group in posix, a global group in windows
> members are stored in memberUid
>
> dn: cn=DomainAdmins,ou=groups,dc=europa,dc=xx
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 512
> cn: DomainAdmins
> memberUid: Administrator
> memberUid: root
> description: Netbios Domain Administrators
> sambaSID: S-1-5-21-3958726613-3318811842-4132420312-512
> sambaGroupType: 2
> displayName: Domain Admins
>
> # getent group domainadmins
> DomainAdmins:*:512:Administrator,root
>
>
> # Asking for the Windows name, which is stored in "displayName"
> # net rpc group members "domain admins"
> EUROPA\Administrator
> EUROPA\root
>
> # Asking for the posix name, which is stored in "cn"
> # net rpc group members domainadmins
> EUROPA\Administrator
> EUROPA\root
>
>
> ###
> A windows/samba builtin group
> no posix members
> Windows members must be stored in sambaSIDList. These types of groups
> will be used in Windows OS (client and/or server)
>
> # ldapsearch -LLLY external -H ldapi:/// "(&(objectclass=sambaGroupMapping)(cn=administrators))" 2>/dev/null
> dn: cn=Administrators,ou=groups,dc=europa,dc=xx
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 544
> cn: Administrators
> description: Netbios Domain Members can fully administer the computer
> sambaSID: S-1-5-32-544
> sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512
> sambaGroupType: 4
> displayName: Administrators
>
>
> # getent group administrators
> Administrators:*:544:
>
> # net rpc group members administrators
> EUROPA\Domain Admins
>
> ###
> --
>
> Gruss
> Harry Jede
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
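
Added example (not part of either poster's mail, and not Samba code): an offline check that applies the filter from the Samba log above to group entries and reports, per DN, why an entry is or is not returned by that search. The first sample entry is the one posted in the thread; the second entry and all function names are constructed for illustration.

```python
import re

# Domain SID and filter are taken from the thread; the LDIF below is constructed.
DOMAIN_SID = "S-1-5-21-2390795950-2727105968-4008069955"

SAMPLE_LDIF = """\
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users

dn: cn=teachers,ou=Groups,dc=example,dc=sk
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: teachers
gidNumber: 1001
sambaSID: S-1-5-21-2390795950-2727105968-4008069955-3003
sambaGroupType: 2
"""

def parse_ldif(text):
    """Parse simple LDIF (no folded or base64 lines) into {attr_lower: [values]} dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def filter_misses(entry, domain_sid=DOMAIN_SID):
    """Reasons the entry fails the logged filter; an empty list means it matches."""
    reasons = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "sambagroupmapping" not in classes:
        reasons.append("objectClass sambaGroupMapping missing")
    if "2" not in entry.get("sambagrouptype", []):
        reasons.append("sambaGroupType is not 2")
    if not any(s.startswith(domain_sid) for s in entry.get("sambasid", [])):
        reasons.append("sambaSID does not start with the domain SID")
    return reasons

def report(ldif_text):
    """Map each DN to the list of reasons it is excluded (empty list = returned)."""
    return {e["dn"][0]: filter_misses(e) for e in parse_ldif(ldif_text)}

if __name__ == "__main__":
    for dn, reasons in report(SAMPLE_LDIF).items():
        print(dn, "->", "matches" if not reasons else "; ".join(reasons))
```

To run it against a real directory, replace SAMPLE_LDIF with the unfolded output of the ldapsearch command used in the thread.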
