Hi,

I also deleted my /var/lib/samba/group_mapping.tdb as you suggested in your mail before (I am using ldapsam, but I was afraid that there might be something left after the installation). But unfortunately it does not work.

My groupmap seems to be ok.

OK, time for going to sleep :)

Greetings from Munich,

Hansjörg

[EMAIL PROTECTED] root]# net groupmap list
Domain Admins (S-1-5-21-3723159834-3326906825-3408399175-512) -> Domain Admins
Domain Users (S-1-5-21-3723159834-3326906825-3408399175-513) -> Domain Users
Domain Guests (S-1-5-21-3723159834-3326906825-3408399175-514) -> Domain Guests
Administrators (S-1-5-21-3723159834-3326906825-3408399175-544) -> Administrators
Users (S-1-5-21-3723159834-3326906825-3408399175-545) -> Users
Guests (S-1-5-21-3723159834-3326906825-3408399175-546) -> Guests
Power Users (S-1-5-21-3723159834-3326906825-3408399175-547) -> Power Users
Account Operators (S-1-5-21-3723159834-3326906825-3408399175-548) -> Account Operators
Server Operators (S-1-5-21-3723159834-3326906825-3408399175-549) -> Server Operators
Print Operators (S-1-5-21-3723159834-3326906825-3408399175-550) -> Print Operators
Backup Operators (S-1-5-21-3723159834-3326906825-3408399175-551) -> Backup Operators
Replicators (S-1-5-21-3723159834-3326906825-3408399175-552) -> Replicator
Domain Computers (S-1-5-21-3723159834-3326906825-3408399175-553) -> Domain Computers
sensodrivegroup (S-1-5-21-3723159834-3326906825-3408399175-3001) -> sensodrivegroup
Managementgroup (S-1-5-21-3723159834-3326906825-3408399175-3003) -> managementgroup

Hansjoerg Maurer said:

> Hi
>
> i switched to
>   valid users = +managementgroup
>
> and still get
>
> [2004/01/08 10:46:52, 2] lib/access.c:check_access(324)
>   Allowed connection from (192.168.1.100)
> [2004/01/08 10:46:52, 2] smbd/service.c:make_connection_snum(391)
>   user 'sporer' (from session setup) not permitted to access this share (test)
> [2004/01/08 10:46:52, 3] smbd/error.c:error_packet(118)
>   error packet at smbd/reply.c(286) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
>
> (changed the name of the share to test to avoid a naming conflict with user management)
>
> [EMAIL PROTECTED] root]# smbclient -U sporer \\\\LINA\\test
> Password:
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> [EMAIL PROTECTED] root]# smbclient -U sporer \\\\LINA\\sporer
> Password:
> smb: \>
>
> [EMAIL PROTECTED] root]# smbclient -U sporer \\\\LINA\\projekte-share
> Password:
> smb: \>
>
> With the share where sporer has the primary group in, it still works with the +sensodrivegroup
>
> Thank you
>
> Hansjörg
>
> John H Terpstra wrote:
>
>> Hansjoerg,
>>
>> Instead of:
>>   valid users = @Groupe
>>
>> Please try:
>>   valid users = +Groupe
>>
>> Thanks.
>>
>> - John T.
>>
>> On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:
>>
>>> Hi
>>>
>>> thank you for your fast reply.
>>> I have a user sporer
>>> [EMAIL PROTECTED] root]# id -a sporer
>>> uid=1000(sporer) gid=1000(sensodrivegroup) Gruppen=1000(sensodrivegroup),1001(managementgroup)
>>>
>>> The user and the group is in ldap and nss_ldap seems to work..
>>> [EMAIL PROTECTED] root]# getent group
>>> root:x:0:root
>>> ....
>>> Domain Admins:x:912:
>>> Domain Users:x:913:
>>> Domain Guests:x:914:
>>> Administrators:x:944:
>>> Users:x:945:
>>> Guests:x:946:
>>> Power Users:x:947:
>>> Account Operators:x:948:
>>> Server Operators:x:949:
>>> Print Operators:x:950:Administrator
>>> Backup Operators:x:951:
>>> Replicator:x:952:
>>> Domain Computers:x:953:
>>> sensodrivegroup:x:1000:sporer,haehnle,sporers,unterholzner,geist,bertleff,hauschild,sensodrive,root
>>> managementgroup:x:1001:management,root,haehnle,sporer,sporers
>>>
>>> I am using
>>> [EMAIL PROTECTED] root]# rpm -q nss_ldap
>>> nss_ldap-207-3
>>>
>>> on RH9
>>>
>>> Within samba I have two shares
>>> [Projekte]
>>>   comment = Sensodrive-Projekte
>>>   path = /home/sensodrive
>>>   force group = sensodrivegroup
>>>   force user = sensodrive
>>>   valid users = @sensodrivegroup,root
>>>
>>> [Management]
>>>   comment = Sensodrive-Management
>>>   path = /home/management
>>>   force group = managementgroup
>>>   force user = management
>>>   valid users = @managementgroup,root
>>>
>>> Every user can access the Projekte share, because the primary group of every user is sensodrivegroup.
>>> When user sporer tries to access the Management share, he gets
>>>   user 'sporer' (from session setup) not permitted to access this share (Management)
>>>
>>> If I add the user sporer by his username to valid users it works
>>>   valid users = @managementgroup,root,sporer,haehnle,sporers
>>>
>>> Maybe this helps to solve the problem.
>>> If you need more information, or further testing, give me a note.
>>>
>>> Thank you very much
>>>
>>> Greetings
>>>
>>> Hansjörg
>>>
>>> John H Terpstra wrote:
>>>
>>>> On Thu, 8 Jan 2004, Hansjoerg Maurer wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> i have a question related to the groupmapping with ldapsam as backend.
>>>>> You described that group entries have to be in /etc/group with tdbsam as backend.
>>>>>
>>>>> I recognized that samba 3.0.1 with ldapsam does not recognize secondary groups in ldap.
>>>>> (e.g. for accessing a share)
>>>>>
>>>>> The problem is described by [EMAIL PROTECTED] too (see his email attached).
>>>>>
>>>>> Do secondary groups have to be in /etc/groups in order to be recognized by samba even with ldapsam?
>>>>
>>>> Whether or not this will work depends on how you configure ID resolution.
>>>>
>>>> Winbind apparently does not resolve secondary group membership.
>>>>
>>>> On the other hand, if you configure LDAP based ID resolution via the name service switcher (NSS) for both users and groups then secondary group membership resolution seems to work ok. The Posix user account should be in the LDAP database. You can then add users to multiple groups either in /etc/group or in the LDAP groups container.
>>>>
>>>> How did you configure /etc/nsswitch.conf?
>>>>
>>>> What does 'getent group' and 'getent passwd' show?
>>>>
>>>> If you have a user who is a member of multiple secondary groups and you execute:
>>>>   id 'username'
>>>>
>>>> What does this report for that user?
>>>>
>>>> If LDAP based resolution of multiple group membership fails that is something that must be reported to PADL, the authors of nss_ldap.
>>>>
>>>> On the test systems I used to create the environments I used to create the example files for the new "Samba-3 by Example" book, I compiled nss_ldap version 212 and found that to work fine with multiple groups.
>>>>
>>>> Is this what you tried also?
>>>>
>>>> Cheers,
>>>> John T.
>>>>
>>>>> Thank you very much
>>>>>
>>>>> Hansjörg
>>>>>
>>>>> Hello,
>>>>> I found an interesting thing that I don't know if it is a bug, by design or I need to be doing something that I'm not, but here goes.
>>>>>
>>>>> My system
>>>>> RedHat 8.0 (1) PDC with LDAP 2.1.23 backend master,
>>>>> (3) BDC with LDAP slave backend. All are Samba 3.0.
>>>>>
>>>>> I had a problem with secondary, tertiary etc groups that people belong to and Samba recognizing these groups if they were stored in LDAP. The primary group was no problem. When I created shares but used "@groupname" for valid users or write list, Samba would fail to get that info from LDAP. They needed to be in /etc/group to work. As soon as I added users in secondary groups to /etc/group users were recognized and rights were assigned.
>>>>>
>>>>> As a side note each line of /etc/group is limited to 1024 bytes, so there is a limit on how many users you can add to a group using /etc/group. If you exceed that when the system scans the /etc/group file, it will fail at the line >1024 bytes and any groups below will fail to be recognized. I believe that this is a bug. If you do "ls" on a directory or "id <username>" where one of the entries in your /etc/group has exceeded the limit, the groups will show as numbers and not a group name.
>>>>>
>>>>> Can I use pam_winbindd to extract group membership from LDAP at this time for secondary, tertiary etc groups?
>>>>>
>>>>> John H Terpstra wrote:
>>>>>
>>>>>> On Wed, 7 Jan 2004, Andrew Judge wrote:
>>>>>>
>>>>>>> I think that most of my problems are somewhat resolved except for this last one. I can not get domain admin rights to the ntadmins users. I get the following output for groupmaps:
>>>>>>>
>>>>>>> [EMAIL PROTECTED] i386]# net groupmap list
>>>>>>> System Operators (S-1-5-32-549) -> -1
>>>>>>> Replicators (S-1-5-32-552) -> -1
>>>>>>> Guests (S-1-5-32-546) -> -1
>>>>>>> Domain Users (S-1-5-21-4130613172-3879250231-1853402206-513) -> users
>>>>>>> Domain Guests (S-1-5-21-3168668608-3928139368-1822977481-514) -> -1
>>>>>>> Domain Admins (S-1-5-21-3168668608-3928139368-1822977481-512) -> -1
>>>>>>> Domain Guests (S-1-5-21-1206063004-3966108128-1487570950-514) -> -1
>>>>>>> Power Users (S-1-5-32-547) -> -1
>>>>>>> Print Operators (S-1-5-32-550) -> -1
>>>>>>> Administrators (S-1-5-32-544) -> -1
>>>>>>> Account Operators (S-1-5-32-548) -> -1
>>>>>>> Domain Admins (S-1-5-21-4130613172-3879250231-1853402206-512) -> ntadmins
>>>>>>> Domain Users (S-1-5-21-1206063004-3966108128-1487570950-513) -> -1
>>>>>>> Domain Users (S-1-5-21-3168668608-3928139368-1822977481-513) -> -1
>>>>>>> Domain Guests (S-1-5-21-4130613172-3879250231-1853402206-514) -> -1
>>>>>>> Backup Operators (S-1-5-32-551) -> -1
>>>>>>> Users (S-1-5-32-545) -> -1
>>>>>>>
>>>>>>> Obviously there is a problem with the domain '*' SID because there are duplicates. Any idea how to correct this problem and get the users logged in with admin rights. I have RH EN v.3 and samba 3.0.0-14.3E from RH. I can see the users from the samba server and the users can log in, but no rights. Big problem.
>>>>>>
>>>>>> Ok. Roll up your sleeves!
>>>>>>
>>>>>> I am presuming that you are NOT using an LDAP backend, that you still are using an smbpasswd backend datafile.
>>>>>>
>>>>>> 1. Stop Samba
>>>>>> 2. Delete the group_mapping.tdb file.
>>>>>> 3. Restart Samba
>>>>>>    - the default Domain Groups will automatically be created if you are NOT using LDAP ldapsam.
>>>>>> 4. Map your groups as follows:
>>>>>>
>>>>>> net groupmap modify ntgroup="Domain Users" unixgroup=users
>>>>>> net groupmap modify ntgroup="Domain Admins" unixgroup=root
>>>>>> net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
>>>>>>
>>>>>> Add any Domain Groups you may want. Do tie them to existing (manually created UNIX groups) eg:
>>>>>>
>>>>>> groupadd engineers
>>>>>> net groupmap add ntgroup="Domain Engineers" unixgroup=engineers type=d
>>>>>>
>>>>>> groupadd ntadmins
>>>>>> net groupmap add ntgroup="Domain Power Users" unixgroup=ntadmins type=d
>>>>>>
>>>>>> PS: If you have a problem with these commands email me, I'll help you.
>>>>>>
>>>>>> 5. Add all users who should have Domain Admin rights to the UNIX root group in /etc/group, like this:
>>>>>>
>>>>>> root:0::jht,jimbo,jack,jill
>>>>>>
>>>>>> 6. Add all users who should have Workstation Admin rights (Power Users) to the UNIX ntadmins group in /etc/group, like this:
>>>>>>
>>>>>> ntadmins:123::maryo,susant,billm
>>>>>>
>>>>>> 7. Verify that the groups are correctly mapped:
>>>>>>
>>>>>> net groupmap list
>>>>>>
>>>>>> 8. Now: On every windows client machine add:
>>>>>>
>>>>>>  a) Domain Admins to the Local Administrators Group
>>>>>>  b) Domain Power Users to the Local Power Users Group
>>>>>>
>>>>>>> Now... I migrated from 2.2.3a to the above and I have all the tdb and I changed the SID to the last PDC. Anyway, how would I get the right SID? I have NTUSER.DAT files that I can run profiles against to read them. Would that help?
>>>>>>
>>>>>> You can use the Samba-3.0.x tools 'profiles' to reset the SID in the NTUSER.DAT files.
>>>>>>
>>>>>> To obtain the domain SID just run:
>>>>>>
>>>>>>   net getlocalsid
>>>>>>
>>>>>>> First one that can point me in the right direction to get this resolved - I'll buy them an amazon gift cert for $50. Beats going bald from pulling out my hair.
>>>>>>
>>>>>> It's a deal man!
>>>>>>
>>>>>> - John T.
>
> --
> _________________________________________________________________
>
> Dr. Hansjoerg Maurer          | LAN- & System-Manager
>                               |
> Deutsches Zentrum             | DLR Oberpfaffenhofen
> f. Luft- und Raumfahrt e.V.   |
> Institut f. Robotik           |
> Postfach 1116                 | Muenchner Strasse 20
> 82230 Wessling                | 82234 Wessling
> Germany                       |
>                               |
> Tel: 08153/28-2431            | E-mail: [EMAIL PROTECTED]
> Fax: 08153/28-1134            | WWW: http://www.robotic.dlr.de/
> __________________________________________________________________
>
> There are 10 types of people in this world,
> those who understand binary and those who don't.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba

--
Dr. Hansjörg Maurer
itsystems Deutschland AG
Linprunstr. 10
D-80335 München
Ph/Fax +49 89 52 04 68-41/-59
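As an added example that is not part of this thread (my own code, not Samba's): a small Python model of how a "valid users" entry with an "@", "+" or "&" prefix resolves against the primary group from passwd and the secondary groups from a getent-style group listing, plus a check for /etc/group lines over the 1024-byte limit Andrew mentions. The prefix semantics are taken from smb.conf(5); the group data and user names are constructed for the example, and the offline lookup stands in for whatever NSS actually returns on the server.

```python
# Added example, not from the thread: evaluate a Samba "valid users" value for
# a user from a getent-style group listing, and flag /etc/group lines over the
# 1024-byte limit mentioned above. Prefix semantics follow smb.conf(5):
# '@' = NIS netgroup then UNIX group, '+' = UNIX group only, '&' = netgroup only.
from typing import Dict, List, Optional, Tuple

GROUP_LINE_LIMIT = 1024  # per-line byte limit cited in the thread

# Constructed sample in 'getent group' format (not the poster's real data)
SAMPLE_GROUP_FILE = """\
root:x:0:root
sensodrivegroup:x:1000:sporer,haehnle,root
managementgroup:x:1001:management,root,haehnle,sporer
"""

def parse_group_file(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return ({group: members}, [groups whose line exceeds the limit])."""
    groups: Dict[str, List[str]] = {}
    too_long: List[str] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        if len(line.encode()) > GROUP_LINE_LIMIT:
            too_long.append(name)  # NSS may stop here; later groups vanish
        groups[name] = [m for m in members.split(",") if m]
    return groups, too_long

def unix_member(user: str, group: str, primary: str, groups: Dict[str, List[str]]) -> bool:
    """Primary group (from passwd) or secondary membership (from the group db)."""
    return group == primary or user in groups.get(group, [])

def valid_users_allows(spec: str, user: str, primary: str,
                       groups: Dict[str, List[str]],
                       netgroups: Optional[Dict[str, List[str]]] = None) -> bool:
    """True if any comma-separated entry of the 'valid users' value matches."""
    netgroups = netgroups or {}
    for entry in (e.strip() for e in spec.split(",") if e.strip()):
        name = entry.lstrip("@+&")
        if entry.startswith("@"):
            ok = user in netgroups.get(name, []) or unix_member(user, name, primary, groups)
        elif entry.startswith("+"):
            ok = unix_member(user, name, primary, groups)
        elif entry.startswith("&"):
            ok = user in netgroups.get(name, [])
        else:
            ok = entry == user  # a plain entry names a single user
        if ok:
            return True
    return False
```

Running the real server's 'getent group' output through parse_group_file shows whether a share's "valid users" should admit a user at all, and whether an over-long /etc/group line is silently hiding the groups listed after it.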
