i have a question related to the groupmapping with ldapsam as backend.
You discribed, that groupentries have to be in /etc/group with tdbsam as backend.
I recognized, that samba 3,0.1 with ldapsam does not recognize secondary groups in ldap.
(e.g for accessing a share)
The problem is described by [EMAIL PROTECTED] to (see his email attached).
Do secondary groups have to be in /etc/groups in order to be recognized by samba even with ldapsam?
Thank you very much
Hansj�rg
Hello,
I found an interesting thing that I don't know if it is a bug, by design
or I need to be doing something that I'm not but here goes.
My system
RedHat 8.0 (1) PDC with LDAP 2.1.23 backend master,
(3) BDC with LDAP slave backend. All are Samba 3.0.
I had a probelem with secondary, tertiary etc groups that people belong
to and Samba recognizing these groups if they were stored in LDAP. The
primary group was no problem. When I created shares but used
"@groupname" for valid users or write list, Samba would fail to get
that info from LDAP. They needed to be in /etc/group to work. As soon as
I added users in secondary groups to /etc/group users were recognized
and rights were assigned.
As a side note each line of /etc/group is limited to 1024 bytes, so
there is a limit on how many users you can add to a group using
/etc/group. If you exceed that when the system scans the /etc/group
file, it will fail at the line >1024 bytes and any groups below will
fail to be recognized. I believe that this is a bug. If you do "ls" on a
directory or "id <username>" where one of the entries in your /etc/group
has exceeded the limit, the groups will show as numbers and not a group
name.
Can I use pam_winbindd to extract group membership from LDAP at this
time for secondary, tertiary etc groups?
John H Terpstra wrote:
On Wed, 7 Jan 2004, Andrew Judge wrote:
I think that most of my problems are somewhat resolved except for this last one. I can not get domain admin rights to the ntadmins users. I get the following output for groupmaps:
[EMAIL PROTECTED] i386]# net groupmap list System Operators (S-1-5-32-549) -> -1 Replicators (S-1-5-32-552) -> -1 Guests (S-1-5-32-546) -> -1 Domain Users (S-1-5-21-4130613172-3879250231-1853402206-513) -> users Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) -> -1 Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) -> -1 Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) -> -1 Power Users (S-1-5-32-547) -> -1 Print Operators (S-1-5-32-550) -> -1 Administrators (S-1-5-32-544) -> -1 Account Operators (S-1-5-32-548) -> -1 Domain Admins (S-1-5-21-4130613172-3879250231-1853402206-512) -> ntadmins Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) -> -1 Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) -> -1 Domain Guests (S-1-5-21-4130613172-3879250231-1853402206-514) -> -1 Backup Operators (S-1-5-32-551) -> -1 Users (S-1-5-32-545) -> -1
Obviously there is a problem with the domain '*' SID because there are
duplicates. Any idea how to correct this problem and get the users logged
in with admin rights. I have RH EN v.3 and samba 3.0.0-14.3E from RH. I
can see the users from the samba server and the users can log in, but no
rights. Big problem.
Ok. Roll up your sleeves!
I am presuming that you are NOT using and LDAP backend, that you still are using an smbpasswd backend datafile.
1. Stop Samba 2. Delete the group_mapping.tdb file. 3. Restart Samba - the default Domain Groups will automatically be created if you are NOT using LDAP ldapsam. 4. Map your groups as follows:
net groupmap modify ntgroup="Domain Users" unixgroup=users net groupmap modify ntgroup="Domain Admins" unixgroup=root net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
Add any Domain Groups you may want. Do tie them to existing (manually created UNIX groups) eg:
groupadd engineers net groupmap add ntgroup="Domain Engineers" unixgroup=engineers type=d
groupadd ntadmins net groupmap add ntgroup="Domain Power Users" unixgroup=ntadmins type=d
PS: If you have a problem with these commands email me, I'll help you.
5. Add all users who should have Domain Admin rights to the UNIX root group in /etc/group, like this:
root:0::jht,jimbo,jack,jill
6. Add all users who should have Workstation Admin rights (Power Users) to the UNIX ntadmins group in /etc/group, like this:
ntadmins:123::maryo,susant,billm
7. Verify that the groups are correctly mapped:
net groupmap list.
8. Now: On every windows client machine add:
a) Domain Admins to the Local Administrators Group b) Domain Power Users to the Local Power Users Group
Now... I migrated from 2.2.3a to the above and I have all the tdb and I
cahnged the SID to the last PDC. Anyway, how would I get the right SID? I
have NTUSER.DAT files that I can run profiles against to read them. Would
that help?
You can use the Samba-3.0.x tools 'profiles' to reset the SID in the NTUSER.DAT files.
To obtain the domain SID just run:
net getlocalsid
First one that can point me in the right direction to get this resolved -
I'll buy them a amazon gift cert for $50. Beats going bald from pulling out
my hair.
It's a deal man!
- John T.
-- _________________________________________________________________
Dr. Hansjoerg Maurer | LAN- & System-Manager
|
Deutsches Zentrum | DLR Oberpfaffenhofen
f. Luft- und Raumfahrt e.V. |
Institut f. Robotik |
Postfach 1116 | Muenchner Strasse 20
82230 Wessling | 82234 Wessling
Germany |
|
Tel: 08153/28-2431 | E-mail: [EMAIL PROTECTED]
Fax: 08153/28-1134 | WWW: http://www.robotic.dlr.de/
__________________________________________________________________There are 10 types of people in this world, those who understand binary and those who don't.
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
