>> Hi,
>>
>> I'm using samba 3b3 (+ldapsam) and have created a user belonging to two
>> groups:
>>
>> - his primary group is mapped to the "Domain Users" Windows group,
>> - his secondary one is mapped to the "Domain Admins" Windows group.

> It should be fine. Can you send me a level 10 debug log showing the
> session setup portion where the user's groups are initialized?

# net groupmap list
Domain Users (S-1-5-21-1320293332-2887003436-4113625284-513) -> opususers
Domain Admins (S-1-5-21-1320293332-2887003436-4113625284-512) -> opusadmins

# getent group
...
opususers:x:1001:
opusadmins:x:1002:opususer
...

# getent passwd
...
opususer:x:1002:1001::/home/opususer:/bin/bash
...

# id opususer
uid=1002(opususer) gid=1001(opususers) groups=1001(opususers),1002(opusadmins)

# Ldap entries
dn: uid=opususer,ou=Users,ou=Opus,dc=der,dc=edf,dc=fr
uid: opususer
sambaSID: S-1-5-21-1320293332-2887003436-4113625284-3004
sambaPrimaryGroupSID: S-1-5-21-1320293332-2887003436-4113625284-513
sambaPwdCanChange: 1060162576
sambaPwdMustChange: 1061976976
sambaLMPassword: B8AC092B6597E9E6944E2DF489A880E4
sambaNTPassword: 75892BB02A31553735DD03163476A3C8
sambaPwdLastSet: 1060162576
sambaAcctFlags: [U          ]
objectClass: sambaSamAccount
objectClass: account
sambaHomeDrive: U:
sambaLogonScript: opususer.cmd
sambaProfilePath: \\OPUS_DC1\profiles\opususer
sambaHomePath: \\OPUS_DC1\opususer

dn: cn=opususers,ou=Users,ou=Opus,dc=der,dc=edf,dc=fr
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1001
cn: opususers
memberUid: opususer
sambaSID: S-1-5-21-1320293332-2887003436-4113625284-513
sambaGroupType: 2
displayName: Domain Users

dn: cn=opusadmins,ou=Users,ou=Opus,dc=der,dc=edf,dc=fr
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1002
cn: opusadmins
memberUid: opususer
sambaSID: S-1-5-21-1320293332-2887003436-4113625284-512
sambaGroupType: 2
displayName: Domain Admins

# Log extract (logon time)
[2003/08/11 07:07:21, 2] lib/smbldap.c:smbldap_search_suffix(1056)
  smbldap_search_suffix: searching for: [(&(uid=opususer)(objectclass=sambaSamAccount))]
[2003/08/11 07:07:21, 2] passdb/pdb_ldap.c:init_sam_from_ldap(456)
  Entry found for user: opususer
[2003/08/11 07:07:21, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2003/08/11 07:07:21, 4] auth/auth_sam.c:sam_password_ok(218)
  sam_password_ok: Checking NT MD4 password
[2003/08/11 07:07:21, 4] auth/auth_sam.c:sam_account_ok(324)
  sam_account_ok: Checking SMB password for user opususer
[2003/08/11 07:07:21, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 1002
  Primary group is 1001 and contains 2 supplementary groups
  Group[ 0]: 1001
  Group[ 1]: 1002
[2003/08/11 07:07:21, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1619)
  ldapsam_search_one_group: searching for: [(&(objectClass=sambaGroupMapping)(gidNumber=1001))]
[2003/08/11 07:07:21, 0] lib/smbldap.c:smbldap_open(799)
  smbldap_open: cannot access LDAP when not root..
[2003/08/11 07:07:21, 1] lib/smbldap.c:smbldap_retry_open(888)
  Connection to LDAP Server failed for the 1 try!
[2003/08/11 07:07:21, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1634)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (Insufficient access)
  ldapsam_search_one_group: Query was: ou=Opus,dc=der,dc=edf,dc=fr, (&(objectClass=sambaGroupMapping)(gidNumber=1001))
[2003/08/11 07:07:21, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1619)
  ldapsam_search_one_group: searching for: [(&(objectClass=sambaGroupMapping)(gidNumber=1002))]
[2003/08/11 07:07:21, 0] lib/smbldap.c:smbldap_open(799)
  smbldap_open: cannot access LDAP when not root..
[2003/08/11 07:07:21, 1] lib/smbldap.c:smbldap_retry_open(888)
  Connection to LDAP Server failed for the 1 try!
[2003/08/11 07:07:21, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1634)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (Insufficient access)
  ldapsam_search_one_group: Query was: ou=Opus,dc=der,dc=edf,dc=fr, (&(objectClass=sambaGroupMapping)(gidNumber=1002))
[2003/08/11 07:07:21, 10] auth/auth_util.c:debug_nt_user_token(491)
  NT user token of user S-1-5-21-1320293332-2887003436-4113625284-3004 contains 7 SIDs
  SID[ 0]: S-1-5-21-1320293332-2887003436-4113625284-3004
  SID[ 1]: S-1-5-21-1320293332-2887003436-4113625284-513
  SID[ 2]: S-1-1-0
  SID[ 3]: S-1-5-2
  SID[ 4]: S-1-5-11
  SID[ 5]: S-1-5-21-1320293332-2887003436-4113625284-3003
  SID[ 6]: S-1-5-21-1320293332-2887003436-4113625284-3005
[2003/08/11 07:07:21, 5] auth/auth_util.c:make_server_info_sam(815)
  make_server_info_sam: made server info for user opususer -> opususer
[2003/08/11 07:07:21, 3] auth/auth.c:check_ntlm_password(265)
  check_ntlm_password: sam authentication for user [opususer] succeeded
[2003/08/11 07:07:21, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2003/08/11 07:07:21, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2003/08/11 07:07:21, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/08/11 07:07:21, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2003/08/11 07:07:21, 5] auth/auth.c:check_ntlm_password(289)
  check_ntlm_password: PAM Account for user [opususer] succeeded
[2003/08/11 07:07:21, 2] auth/auth.c:check_ntlm_password(302)
  check_ntlm_password: authentication for user [opususer] -> [opususer] -> [opususer] succeeded

# Log extract (trying to change date/time on the workstation)
[2003/08/11 07:06:07, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(283)
  Got user=[opususer] domain=[OPUS] workstation=[OPUSWKS] len1=24 len2=24
[2003/08/11 07:06:07, 5] auth/auth_util.c:make_user_info_map(216)
  make_user_info_map: Mapping user [OPUS]\[opususer] from workstation [OPUSWKS]
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/08/11 07:06:07, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/08/11 07:06:07, 5] auth/auth_util.c:make_user_info(132)
  attempting to make a user_info for opususer (opususer)
[2003/08/11 07:06:07, 5] auth/auth_util.c:make_user_info(142)
  making strings for opususer's user_info struct
[2003/08/11 07:06:07, 5] auth/auth_util.c:make_user_info(184)
  making blobs for opususer's user_info struct
[2003/08/11 07:06:07, 10] auth/auth_util.c:make_user_info(193)
  made an encrypted user_info for opususer (opususer)
[2003/08/11 07:06:07, 3] auth/auth.c:check_ntlm_password(216)
  check_ntlm_password: Checking password for unmapped user [OPUS] [EMAIL PROTECTED] with the new password interface
[2003/08/11 07:06:07, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: mapped user is: [EMAIL PROTECTED]
[2003/08/11 07:06:07, 10] auth/auth.c:check_ntlm_password(228)
  check_ntlm_password: auth_context challenge created by random
[2003/08/11 07:06:07, 10] auth/auth.c:check_ntlm_password(230)
  challenge is:
[2003/08/11 07:06:07, 10] auth/auth.c:check_ntlm_password(256)
  check_ntlm_password: guest had nothing to say
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/08/11 07:06:07, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/08/11 07:06:07, 2] lib/smbldap.c:smbldap_search_suffix(1056)
  smbldap_search_suffix: searching for: [(&(uid=opususer)(objectclass=sambaSamAccount))]
[2003/08/11 07:06:07, 2] passdb/pdb_ldap.c:init_sam_from_ldap(456)
  Entry found for user: opususer
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/08/11 07:06:07, 4] auth/auth_sam.c:sam_password_ok(218)
  sam_password_ok: Checking NT MD4 password
[2003/08/11 07:06:07, 4] auth/auth_sam.c:sam_account_ok(324)
  sam_account_ok: Checking SMB password for user opususer
[2003/08/11 07:06:07, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 1002
  Primary group is 1001 and contains 2 supplementary groups
  Group[ 0]: 1001
  Group[ 1]: 1002
[2003/08/11 07:06:07, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1619)
  ldapsam_search_one_group: searching for: [(&(objectClass=sambaGroupMapping)(gidNumber=1001))]
[2003/08/11 07:06:07, 2] passdb/pdb_ldap.c:init_group_from_ldap(1665)
  Entry found for group: 1001
[2003/08/11 07:06:07, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1619)
  ldapsam_search_one_group: searching for: [(&(objectClass=sambaGroupMapping)(gidNumber=1002))]
[2003/08/11 07:06:07, 2] passdb/pdb_ldap.c:init_group_from_ldap(1665)
  Entry found for group: 1002
[2003/08/11 07:06:07, 10] auth/auth_util.c:debug_nt_user_token(491)
  NT user token of user S-1-5-21-1320293332-2887003436-4113625284-3004 contains 6 SIDs
  SID[ 0]: S-1-5-21-1320293332-2887003436-4113625284-3004
  SID[ 1]: S-1-5-21-1320293332-2887003436-4113625284-513
  SID[ 2]: S-1-1-0
  SID[ 3]: S-1-5-2
  SID[ 4]: S-1-5-11
  SID[ 5]: S-1-5-21-1320293332-2887003436-4113625284-512
[2003/08/11 07:06:07, 5] auth/auth_util.c:make_server_info_sam(815)
  make_server_info_sam: made server info for user opususer -> opususer
[2003/08/11 07:06:07, 3] auth/auth.c:check_ntlm_password(265)
  check_ntlm_password: sam authentication for user [opususer] succeeded
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/08/11 07:06:07, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/08/11 07:06:07, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/08/11 07:06:07, 5] auth/auth.c:check_ntlm_password(289)
  check_ntlm_password: PAM Account for user [opususer] succeeded
[2003/08/11 07:06:07, 2] auth/auth.c:check_ntlm_password(302)
  check_ntlm_password: authentication for user [opususer] -> [opususer] -> [opususer] succeeded

I thought my troubles were related to the "cannot access LDAP when not root"
error, but the SID table finally contains the "Domain Admins" RID, very
strange... And I can't change the time on my Windows machine...

Either the "Domain Admins" group hasn't been mapped to the "Local Admins"
group on Windows (unlikely to be possible: if I set opusadmins as the primary
group for opususer, he becomes a "Domain Admin" and then a "Local Admin" and
can change the time/date), or samba ignores the "Domain Admins" group listed
in the user's SIDs.

>> Unfortunately, only the first group seems to be known by Samba, since the
>> user doesn't become a "Domain Admin" at all (but he is a "Domain User")...

> You could have this problem if libc is not returning the secondary groups
> for a user via NSS.

One clarification: I'm using nss to access /etc/passwd and /etc/group; I'm
not using libnss_ldap at all. I've created every account/group on my unix box
before creating it under samba.

>> I've googled a lot and haven't been able to find much info about
>> multiple-groups-per-user handling in Samba; some users seem to get the
>> same problem without getting a solution; Redhat did record this as a bug
>> in bugzilla...

> Do you know that bug #id offhand?

Well, the bug is closed, here is the link:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=91768 ; but it doesn't
seem to be what I'm in trouble with: it is related to libnss-ldap!

>> So: Is it a bug? Is it related to LDAP? Finally, is it possible to have
>> a user belonging to two (or more) Windows domain groups?

> It would be a bug. Whether it is our bug or not is unknown right now.
> That log file would help me to determine what is going on. All my tests
> are turning up correct results.

Thank you very much,

Regards,

Ganael.

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
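An added check, written for this thread and not part of the original post or of Samba, that reads the `UNIX token` / `NT user token` dumps from a level 10 smbd log and tells mapped group SIDs apart from Samba 3's algorithmic fallback RIDs (RID = gid*2 + 1000 with the low "group" bit set, which is exactly how gids 1001 and 1002 turned into RIDs 3003 and 3005 in the first extract, where the group mapping lookups failed). The sample log text is constructed from lines quoted in the thread, and the domain SID is the thread's; the flag names are this example's own.

```python
import re

# Domain SID and well-known RID taken from the thread above
DOMAIN_SID = "S-1-5-21-1320293332-2887003436-4113625284"
DOMAIN_ADMINS_RID = 512

def algorithmic_group_rid(gid):
    """Samba 3 fallback RID for a gid with no group mapping: gid*2 + 1000, group bit set."""
    return ((gid * 2 + 1000) & ~1) | 1

def analyse_token(log):
    """Explain where the domain RIDs in an smbd NT user token dump came from."""
    gids = [int(g) for g in re.findall(r"Group\[\s*\d+\]:\s*(\d+)", log)]
    sid_re = r"SID\[\s*\d+\]:\s*" + re.escape(DOMAIN_SID) + r"-(\d+)"
    rids = [int(r) for r in re.findall(sid_re, log)]
    fallback = {algorithmic_group_rid(g): g for g in gids}
    return {
        "ldap_failed": "cannot access LDAP when not root" in log,
        "has_domain_admins": DOMAIN_ADMINS_RID in rids,
        # RIDs equal to gid*2+1001: the sambaGroupMapping lookup never succeeded for these gids
        "unmapped_gids": sorted(fallback[r] for r in rids if r in fallback),
    }

# Constructed sample: the logon extract where the LDAP group lookups failed
LOGON_FAILED_LOOKUP = """\
[2003/08/11 07:07:21, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 1002
  Group[ 0]: 1001
  Group[ 1]: 1002
[2003/08/11 07:07:21, 0] lib/smbldap.c:smbldap_open(799)
  smbldap_open: cannot access LDAP when not root..
[2003/08/11 07:07:21, 10] auth/auth_util.c:debug_nt_user_token(491)
  NT user token of user S-1-5-21-1320293332-2887003436-4113625284-3004 contains 7 SIDs
  SID[ 0]: S-1-5-21-1320293332-2887003436-4113625284-3004
  SID[ 1]: S-1-5-21-1320293332-2887003436-4113625284-513
  SID[ 5]: S-1-5-21-1320293332-2887003436-4113625284-3003
  SID[ 6]: S-1-5-21-1320293332-2887003436-4113625284-3005
"""

# Constructed sample: the second extract, where both group mappings were found
LOGON_MAPPED = """\
  Group[ 0]: 1001
  Group[ 1]: 1002
  SID[ 0]: S-1-5-21-1320293332-2887003436-4113625284-3004
  SID[ 1]: S-1-5-21-1320293332-2887003436-4113625284-513
  SID[ 5]: S-1-5-21-1320293332-2887003436-4113625284-512
"""

if __name__ == "__main__":
    for name, log in (("failed lookup", LOGON_FAILED_LOOKUP), ("mapped", LOGON_MAPPED)):
        print(name, analyse_token(log))
```

A token whose domain RIDs are all algorithmic is the signature to look for when a mapped group such as Domain Admins never shows up on the workstation.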
