Hi,

If I deactivate the user mapping via 'username map', Samba can see that the Windows user raiweber is a member of several Windows groups.

 [2007/02/02 14:07:32, 10] auth/auth_util.c:debug_nt_user_token(454)
  NT user token of user S-1-5-21-781721396-396832292-1671184278-1107
  contains 11 SIDs
  SID[  0]: S-1-5-21-781721396-396832292-1671184278-1107
  SID[  1]: S-1-5-21-781721396-396832292-1671184278-513
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
  SID[  5]: S-1-5-21-781721396-396832292-1671184278-1118
  SID[  6]: S-1-5-21-781721396-396832292-1671184278-1108
  SID[  7]: S-1-5-21-781721396-396832292-1671184278-1117
  SID[  8]: S-1-5-21-781721396-396832292-1671184278-1115
  SID[  9]: S-1-5-21-702622059-3335440352-4138491235-2001
  SID[ 10]: S-1-5-32-545
  SE_PRIV  0x0 0x0 0x0 0x0

If I activate user mapping again, I can only see the following in the log:
[2007/02/02 15:21:17, 10] libads/authdata.c:dump_pac_logon_info(723)
  The PAC:
        User Flags: 0x20 (32)
        User Flags: LOGON_EXTRA_SIDS 0x20 (32)
        User SID: S-1-5-21-781721396-396832292-1671184278-1107
        Group SID: S-1-5-21-781721396-396832292-1671184278-513
        Group Membership (Global and Universal Groups of own domain):
                0: sid: S-1-5-21-781721396-396832292-1671184278-513
                   attr: 0x7 == SE_GROUP_MANDATORY SE_GROUP_ENABLED_BY_DEFAULT SE_GROUP_ENABLED
                1: sid: S-1-5-21-781721396-396832292-1671184278-1118
                   attr: 0x7 == SE_GROUP_MANDATORY SE_GROUP_ENABLED_BY_DEFAULT SE_GROUP_ENABLED
                2: sid: S-1-5-21-781721396-396832292-1671184278-1108
                   attr: 0x7 == SE_GROUP_MANDATORY SE_GROUP_ENABLED_BY_DEFAULT SE_GROUP_ENABLED
                3: sid: S-1-5-21-781721396-396832292-1671184278-1117
                   attr: 0x7 == SE_GROUP_MANDATORY SE_GROUP_ENABLED_BY_DEFAULT SE_GROUP_ENABLED
                4: sid: S-1-5-21-781721396-396832292-1671184278-1115
                   attr: 0x7 == SE_GROUP_MANDATORY SE_GROUP_ENABLED_BY_DEFAULT SE_GROUP_ENABLED
        Group Membership (Domain Local Groups and Groups from Trusted Domains):
        Group Membership (Ressource Groups (SID History ?)):

and

[2007/02/02 15:21:17, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2007/02/02 15:21:17, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups


And nested groups don't work.
Can someone please tell me where the problem is?

My smb.conf:
[global]
        workgroup = WINDOWS
        realm = WINDOWS.LOCAL
        security = ADS
        map to guest = Bad User
        password server = 192.168.254.156
        root directory = /
        username map = /usr/local/samba/private/user.map
        lanman auth = No
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        log level = 10
        min protocol = NT1
        client signing = required
        server signing = required
        load printers = No
        domain master = No
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /home/%U
        template shell = /bin/bash
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        hosts allow = 192.168.254.156, 192.168.254.121, 192.168.254.236

[local_home]
        path = /local_home
        read only = No


Thanks.

Rainer

Rainer Weber wrote:
Hi,

I have a Samba server (3.0.23d) as a domain member (not a PDC/BDC). My problem is that if I use user mapping with the option 'username map = user.map', the Samba server doesn't see that I'm a member of several domain groups, and nested groups don't work. If I deactivate the user mapping, nested groups work fine, but I get a different UID on the Unix filesystem (from the idmap uid range) and can't access my files.

The Unix user:
bash-3.00# getent passwd raiweber
raiweber:x:120:14:Rainer Weber:/home/raiweber:/usr/bin/bash

The Windows user:
bash-3.00# getent passwd WINDOWS+raiweber
raiweber:*:10005:10002:Rainer Weber:/home/raiweber:/bin/bash

The user.map entry looks like:
raiweber = "WINDOWS+raiweber"

The PDC is a Windows Server 2003, and we have both Unix and Windows users with the same name.


How can I map Windows users to a specific UID (e.g. WINDOWS+raiweber to UID 120) and still use nested groups?

Thanks.

Rainer


--
+--------------------------------------+
| Max Planck Institute for Mathematics |
|        System Administration         |
|                                      |
|  Vivatsgasse 7, 53111 Bonn, Germany  |
|  Tel       +49 (0)228-402-239        |
|  Fax       +49 (0)228-402-277        |
|  Email     [EMAIL PROTECTED] |
+--------------------------------------+
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
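As an added illustration (not part of the thread above, and not Samba's own code), the following script parses the two level-10 log excerpts Rainer posted and reports what each one says about the session token: which SIDs the NT token holds when the username map is off, and the NULL NT token / UID 0 UNIX token that appears when the map is on. The sample log text is constructed from the excerpts in the post (attr lines dropped); the function names `analyse` and `diff_token_vs_pac` and the well-known-SID table are my own. The names for S-1-1-0, S-1-5-2, S-1-5-11 and S-1-5-32-545 are the standard Windows well-known SIDs; the script does not try to name the foreign-domain SID, it only flags that it is not from the user's own domain.

```python
import re

# Constructed sample input: the two excerpts from the post, trimmed to the
# lines the parser uses (first with 'username map' off, then with it on).
LOG_MAP_OFF = """\
[2007/02/02 14:07:32, 10] auth/auth_util.c:debug_nt_user_token(454)
  NT user token of user S-1-5-21-781721396-396832292-1671184278-1107
  contains 11 SIDs
  SID[  0]: S-1-5-21-781721396-396832292-1671184278-1107
  SID[  1]: S-1-5-21-781721396-396832292-1671184278-513
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
  SID[  5]: S-1-5-21-781721396-396832292-1671184278-1118
  SID[  6]: S-1-5-21-781721396-396832292-1671184278-1108
  SID[  7]: S-1-5-21-781721396-396832292-1671184278-1117
  SID[  8]: S-1-5-21-781721396-396832292-1671184278-1115
  SID[  9]: S-1-5-21-702622059-3335440352-4138491235-2001
  SID[ 10]: S-1-5-32-545
"""

LOG_MAP_ON = """\
[2007/02/02 15:21:17, 10] libads/authdata.c:dump_pac_logon_info(723)
  The PAC:
        User SID: S-1-5-21-781721396-396832292-1671184278-1107
        Group SID: S-1-5-21-781721396-396832292-1671184278-513
        Group Membership (Global and Universal Groups of own domain):
                0: sid: S-1-5-21-781721396-396832292-1671184278-513
                1: sid: S-1-5-21-781721396-396832292-1671184278-1118
                2: sid: S-1-5-21-781721396-396832292-1671184278-1108
                3: sid: S-1-5-21-781721396-396832292-1671184278-1117
                4: sid: S-1-5-21-781721396-396832292-1671184278-1115
[2007/02/02 15:21:17, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2007/02/02 15:21:17, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
"""

# Standard Windows well-known SIDs that show up in the token dump.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}

TOKEN_SID_RE = re.compile(r"^\s*SID\[\s*\d+\]:\s*(S-1-[\d-]+)", re.M)
TOKEN_USER_RE = re.compile(r"NT user token of user (S-1-[\d-]+)")
PAC_SID_RE = re.compile(r"^\s*\d+:\s*sid:\s*(S-1-[\d-]+)", re.M)
PAC_USER_RE = re.compile(r"^\s*User SID:\s*(S-1-[\d-]+)", re.M)
NULL_TOKEN_RE = re.compile(r"NT user token:\s*\(NULL\)")
UNIX_TOKEN_RE = re.compile(r"UNIX token of user (\d+)")


def domain_of(sid):
    """Domain part of an S-1-5-21-... SID (everything but the RID), else None."""
    if not sid.startswith("S-1-5-21-"):
        return None
    return sid.rsplit("-", 1)[0]


def classify(sid, own_domain):
    """Label a SID as well-known, own-domain (with RID) or foreign-domain."""
    if sid in WELL_KNOWN:
        return "well-known (%s)" % WELL_KNOWN[sid]
    dom = domain_of(sid)
    if dom is None:
        return "other"
    if dom == own_domain:
        rid = int(sid.rsplit("-", 1)[1])
        return "own domain, RID %d%s" % (rid, " (Domain Users)" if rid == 513 else "")
    return "foreign domain " + dom


def token_sids(log):
    return TOKEN_SID_RE.findall(log)


def pac_sids(log):
    return PAC_SID_RE.findall(log)


def analyse(log):
    """Summarise one excerpt: user SID, token SIDs (classified), PAC SIDs, NULL token, UNIX uid."""
    m = PAC_USER_RE.search(log) or TOKEN_USER_RE.search(log)
    user_sid = m.group(1) if m else None
    own = domain_of(user_sid) if user_sid else None
    toks = token_sids(log)
    um = UNIX_TOKEN_RE.search(log)
    return {
        "user_sid": user_sid,
        "nt_token_null": bool(NULL_TOKEN_RE.search(log)),
        "token_sids": toks,
        "classified": {s: classify(s, own) for s in toks},
        "pac_sids": pac_sids(log),
        "unix_uid": int(um.group(1)) if um else None,
    }


def diff_token_vs_pac(log_off, log_on):
    """Token SIDs (map off) that the PAC dump (map on) does not list, in token order."""
    in_pac = set(pac_sids(log_on))
    m = PAC_USER_RE.search(log_on)
    if m:
        in_pac.add(m.group(1))
    return [s for s in token_sids(log_off) if s not in in_pac]


if __name__ == "__main__":
    for label, log in (("username map off", LOG_MAP_OFF), ("username map on", LOG_MAP_ON)):
        r = analyse(log)
        print("%s: NT token NULL=%s, %d token SIDs, %d PAC SIDs, UNIX uid=%s"
              % (label, r["nt_token_null"], len(r["token_sids"]), len(r["pac_sids"]), r["unix_uid"]))
        for sid, kind in r["classified"].items():
            print("  %-48s %s" % (sid, kind))
    print("token SIDs absent from the PAC dump:", diff_token_vs_pac(LOG_MAP_OFF, LOG_MAP_ON))
```

Run against the posted excerpts, the map-off report lists all 11 token SIDs and flags S-1-5-21-702622059-3335440352-4138491235-2001 as coming from a domain other than the user's; the map-on report shows no token SIDs at all, `nt_token_null` set, and a UNIX token for uid 0 with no supplementary groups, which is the state in which no domain or nested group membership can be applied to the share. The diff shows five SIDs the session token carries that the PAC's own-domain list does not (the three well-known SIDs, BUILTIN\Users and the foreign-domain SID).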
