Hi

i switched to
  valid users = +managementgroup

and still get

[2004/01/08 10:46:52, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.1.100)
[2004/01/08 10:46:52, 2] smbd/service.c:make_connection_snum(391)
user 'sporer' (from session setup) not permitted to access this share (test)
[2004/01/08 10:46:52, 3] smbd/error.c:error_packet(118)
error packet at smbd/reply.c(286) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED



(changed the name of the share to test to avoid a naming conflict with user management)


[EMAIL PROTECTED] root]# smbclient -U sporer \\\\LINA\\test
Password:
tree connect failed: NT_STATUS_ACCESS_DENIED

[EMAIL PROTECTED] root]# smbclient -U sporer \\\\LINA\\sporer
Password:
smb: \>

[EMAIL PROTECTED] root]# smbclient -U sporer \\\\LINA\\projekte-share
Password:
smb: \>

With the share, where sporer has the primary group in, it still works with the +sensodrivegroup

Thank you

Hansjörg

John H Terpstra wrote:


Hansjoerg,

Instead of:
        valid users = @Groupe

Please try:
        valid users = +Groupe

Thanks.

- John T.


On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:

Hi

Thank you for your fast reply.
I have a user sporer
[EMAIL PROTECTED] root]# id -a sporer
uid=1000(sporer) gid=1000(sensodrivegroup)
Gruppen=1000(sensodrivegroup),1001(managementgroup)

The user and the group are in LDAP and nss_ldap seems to work..
[EMAIL PROTECTED] root]# getent group
root:x:0:root
....
Domain Admins:x:912:
Domain Users:x:913:
Domain Guests:x:914:
Administrators:x:944:
Users:x:945:
Guests:x:946:
Power Users:x:947:
Account Operators:x:948:
Server Operators:x:949:
Print Operators:x:950:Administrator
Backup Operators:x:951:
Replicator:x:952:
Domain Computers:x:953:
sensodrivegroup:x:1000:sporer,haehnle,sporers,unterholzner,geist,bertleff,hauschild,sensodrive,root
managementgroup:x:1001:management,root,haehnle,sporer,sporers

I am using
[EMAIL PROTECTED] root]# rpm -q nss_ldap
nss_ldap-207-3

on RH9

Within Samba I have two shares
[Projekte]
  comment = Sensodrive-Projekte
  path = /home/sensodrive
  force group = sensodrivegroup
  force user = sensodrive
  valid users = @sensodrivegroup,root

[Management]
  comment = Sensodrive-Management
  path = /home/management
  force group = managementgroup
  force user = management
  valid users = @managementgroup,root

Every user can access the Projekte share, because the primary group of
every user is sensodrivegroup.
When user sporer tries to access the Management share, he gets
user 'sporer' (from session setup) not permitted to access this share
(Management)

If I add the user sporer by his username to valid users it works
  valid users = @managementgroup,root,sporer,haehnle,sporers

Maybe this helps to solve the problem
If you need more information, or further testing give me a note

Thank you very much

Greetings

Hansjörg

John H Terpstra wrote:

On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:

Hi

I have a question related to the group mapping with ldapsam as backend.
You described that group entries have to be in /etc/group with tdbsam as
backend.

I recognized that Samba 3.0.1 with ldapsam does not recognize secondary
groups in LDAP
(e.g. for accessing a share).

The problem is described by [EMAIL PROTECTED] too (see his email
attached).

Do secondary groups have to be in /etc/groups in order to be recognized
by samba even with ldapsam?

Whether or not this will work depends on how you configure ID resolution.

Winbind apparently does not resolve secondary group membership.

On the other hand, if you configure LDAP based ID resolution via the name
service switcher (NSS) for both users and groups then secondary group
membership resolution seems to work ok. The Posix user account should be
in the LDAP database. You can then add users to multiple groups either in
/etc/group or in the LDAP groups container.

How did you configure /etc/nsswitch.conf?

What does 'getent group' and 'getent passwd' show?

If you have a user who is a member of multiple secondary groups and you
execute:
        id 'username'

What does this report for that user?

If LDAP based resolution of multiple group membership fails that is
something that must be reported to PADL, the authors of nss_ldap.

On the test systems I used to create the environments I used to create the
example files for the new "Samba-3 by Example" book, I compiled nss_ldap
version 212 and found that to work fine with multiple groups.

Is this what you tried also?

Cheers,
John T.

Thank you very much

Hansjörg

Hello, I found an interesting thing that I don't know if it is a bug, by design or I need to be doing something that I'm not but here goes.

My system
RedHat 8.0 (1) PDC with LDAP 2.1.23 backend master,
(3) BDC with LDAP slave backend. All are Samba 3.0.

I had a problem with secondary, tertiary etc groups that people belong
to and Samba recognizing these groups if they were stored in LDAP. The
primary group was no problem. When I created shares but used
"@groupname"  for valid users or write list, Samba would fail to get
that info from LDAP. They needed to be in /etc/group to work. As soon as
I added users in secondary groups to /etc/group users were recognized
and rights were assigned.

As a side note each line of /etc/group is limited to 1024 bytes, so
there is a limit on how many users you can add to a group using
/etc/group. If you exceed that when the system scans the /etc/group
file, it will fail at the line >1024 bytes and any groups below will
fail to be recognized. I believe that this is a bug. If you do "ls" on a
directory or "id <username>" where one of the entries in your /etc/group
has exceeded the limit, the groups will show as numbers and not a group
name.


Can I use pam_winbindd to extract group membership from LDAP at this
time for secondary, tertiary etc groups?

John H Terpstra wrote:

On Wed, 7 Jan 2004, Andrew Judge wrote:

I think that most of my problems are somewhat resolved except for this last
one.  I can not get domain admin rights to the ntadmins users.  I get the
following output for groupmaps:

[EMAIL PROTECTED] i386]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-4130613172-3879250231-1853402206-513) -> users
Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) -> -1
Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) -> -1
Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Admins (S-1-5-21-4130613172-3879250231-1853402206-512) -> ntadmins
Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) -> -1
Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) -> -1
Domain Guests (S-1-5-21-4130613172-3879250231-1853402206-514) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1


Obviously there is a problem with the domain '*' SID because there are duplicates. Any idea how to correct this problem and get the users logged in with admin rights. I have RH EN v.3 and samba 3.0.0-14.3E from RH. I can see the users from the samba server and the users can log in, but no rights. Big problem.

Ok. Roll up your sleeves!

I am presuming that you are NOT using an LDAP backend, that you still are
using an smbpasswd backend datafile.

1. Stop Samba
2. Delete the group_mapping.tdb file.
3. Restart Samba
        - the default Domain Groups will automatically be created if you
          are NOT using LDAP ldapsam.
4. Map your groups as follows:

net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody

Add any Domain Groups you may want. Do tie them to existing (manually
created) UNIX groups, e.g.:

groupadd engineers
net groupmap add ntgroup="Domain Engineers" unixgroup=engineers type=d

groupadd ntadmins
net groupmap add ntgroup="Domain Power Users" unixgroup=ntadmins type=d


PS: If you have a problem with these commands email me, I'll help you.

5. Add all users who should have Domain Admin rights to the UNIX root group in /etc/group, like this:

root:0::jht,jimbo,jack,jill


6. Add all users who should have Workstation Admin rights (Power Users) to the UNIX ntadmins group in /etc/group, like this:

ntadmins:123::maryo,susant,billm


7. Verify that the groups are correctly mapped:


net groupmap list.


8. Now: On every windows client machine add:


        a) Domain Admins to the Local Administrators Group
        b) Domain Power Users to the Local Power Users Group

Now... I migrated from 2.2.3a to the above and I have all the tdb and I
changed the SID to the last PDC.  Anyway, how would I get the right SID?  I
have NTUSER.DAT files that I can run profiles against to read them.  Would
that help?

You can use the Samba-3.0.x tools 'profiles' to reset the SID in the
NTUSER.DAT files.

To obtain the domain SID just run:

net getlocalsid

First one that can point me in the right direction to get this resolved -
I'll buy them an Amazon gift cert for $50.  Beats going bald from pulling out
my hair.

It's a deal man!


- John T.

--
_________________________________________________________________

Dr.  Hansjoerg Maurer           | LAN- & System-Manager
                               |
Deutsches Zentrum               | DLR Oberpfaffenhofen
 f. Luft- und Raumfahrt e.V.   |
Institut f. Robotik             |
Postfach 1116                   | Muenchner Strasse 20
82230 Wessling                  | 82234 Wessling
Germany                         |
                               |
Tel: 08153/28-2431              | E-mail: [EMAIL PROTECTED]
Fax: 08153/28-1134              | WWW: http://www.robotic.dlr.de/
__________________________________________________________________


There are 10 types of people in this world, those who understand binary and those who don't.
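An added example, not code from Samba or from anyone in this thread: it emulates how an smb.conf `valid users` list (`@group`, `+group`, `&netgroup`, plain user) is matched against POSIX group data, lets you switch secondary-group resolution off to reproduce the symptom reported above, and flags /etc/group lines over the 1024-byte limit mentioned by Andrew. All group, passwd and netgroup data below is constructed sample input.

```python
# Added example: emulation of smb.conf "valid users" matching against POSIX
# group data, using constructed getent-style samples instead of a live
# NSS/LDAP lookup. Not Samba code and not from the thread.
GROUP_LINE_LIMIT = 1024  # per-line limit of /etc/group mentioned in the thread

# Constructed sample data in /etc/group and /etc/passwd format.
SAMPLE_GROUPS = """\
root:x:0:root
sensodrivegroup:x:1000:sporer,haehnle,root
managementgroup:x:1001:management,root,haehnle,sporer
"""
SAMPLE_PASSWD = """\
sporer:x:1000:1000::/home/sporer:/bin/sh
management:x:1002:1001::/home/management:/bin/sh
"""

def parse_groups(text):
    """Return ({group: (gid, members)}, [groups whose line exceeds the limit])."""
    groups, too_long = {}, []
    for line in text.splitlines():
        name, _pw, gid, members = line.split(":", 3)
        if len(line.encode()) > GROUP_LINE_LIMIT:
            too_long.append(name)   # the thread reports such lines stop resolving
            continue
        groups[name] = (gid, set(filter(None, members.split(","))))
    return groups, too_long

def user_groups(user, groups, passwd, secondary=True):
    """Primary group (from passwd gid) plus, if secondary=True, memberships
    listed in the group file. secondary=False models the failure mode in the
    thread, where only the primary group was seen."""
    primary = {l.split(":")[3] for l in passwd.splitlines() if l.split(":")[0] == user}
    mine = {g for g, (gid, _) in groups.items() if gid in primary}
    if secondary:
        mine |= {g for g, (_, members) in groups.items() if user in members}
    return mine

def valid_users_allows(valid_users, user, groups, passwd, netgroups=None, secondary=True):
    """'@x': NIS netgroup first, then UNIX group; '+x': UNIX group only;
    '&x': NIS netgroup only; anything else is a plain user name."""
    netgroups = netgroups or {}
    mine = user_groups(user, groups, passwd, secondary)
    for entry in (e.strip() for e in valid_users.split(",") if e.strip()):
        prefix, name = (entry[0], entry[1:]) if entry[0] in "@+&" else ("", entry)
        if prefix in ("@", "&") and user in netgroups.get(name, ()):
            return True
        if prefix in ("@", "+") and name in mine:
            return True
        if prefix == "" and name == user:
            return True
    return False
```

Run `user_groups` with `secondary=False` against the sample to see why `@managementgroup` denied sporer while listing him by name worked.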
