Well here's the deal and I haven't tested it live yet, but it should work

- samba queries the groups with a wildcard search against sambaSID.
- sambaSID was set to be indexed by 'eq' not 'sub'
- sambaSID cannot be indexed by 'sub' without an updated schema. I used the one from the samba3 package I just installed
- after changing the index type in slapd.conf, slapindex has to be run.
- after that wildcard searches against ou=groups, etc for the sambaSID attribute work
- ergo, when I run this live, samba searches for group, should work as well

Thanks Volker for setting me on the right path.

My slapd.conf is a mishmash from several howtos from a time when I understood less. Is there an ideal setup for indexing? Currently I've got this

index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index sambaGroupType eq
index sambaSIDList eq
index uniqueMember eq
index default sub

sambaSID will be changed, as of tonight some time. But are there any other entries that are a pitfall for the future?

On Mon, Feb 2, 2009 at 3:37 PM, Ray Klassen <[email protected]> wrote:
> well that is the weirdest thing
>
> Just like the samba ldap request, it returns nothing
>
> although if I look at the record using
>
> ldapsearch -x -b ou=Groups,dc=thisdomain,dc=com '(&(cn=groupname*))'
>
> ...the sambaSID attribute is there just like it should be, with the
> right number and everything.
>
> Would a slapindex be in order? or what?
>
>
> On Mon, Feb 2, 2009 at 10:17 AM, Volker Lendecke
> <[email protected]> wrote:
>> On Mon, Feb 02, 2009 at 09:16:06AM -0800, Ray Klassen wrote:
>>> One sanitized debug log coming up. This is not using user manager for
>>> domains. This is with net rpc group list.
>>>
>>>
>>> > What you need to do is provide a debug level 10 log of smbd
>>> > trying to enumerate groups.
>>> >
>>> > Volker
>>> >
>>>
>>> smbldap_search_paged: base => [ou=Groups,dc=thisdomain,dc=com],
>>> filter =>
>>> [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX*))],scope
>>> => [2], pagesize => [1024]
>>> [2009/02/02 08:41:20, 5] lib/smbldap.c:smbldap_search_ext(1182)
>>> smbldap_search_ext: base => [ou=Groups,dc=thisdomain,dc=com], filter
>>> =>
>>> [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX*))],
>>> scope => [2]
>>> [2009/02/02 08:41:20, 3] lib/smbldap.c:smbldap_search_paged(1333)
>>> smbldap_search_paged: search was successfull
>>> [2009/02/02 08:41:20, 10]
>>> rpc_server/srv_samr_nt.c:_samr_query_dispinfo(1289)
>>> samr_reply_query_dispinfo: starting group enumeration at index 0
>>> [2009/02/02 08:41:20, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
>>> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>>> [2009/02/02 08:41:20, 5] rpc_parse/parse_samr.c:init_sam_dispinfo_3(1810)
>>> init_sam_dispinfo_3: num_entries: 0
>>
>> To me this looks as if you don't have any groups in your
>> LDAP tree under ou=Groups,dc=thisdomain,dc=com. You should
>> be able to do the exact same search with ldapsearch:
>>
>> ldapsearch -x -b ou=Groups,dc=thisdomain,dc=com
>> '(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX*))'
>>
>> and see what comes back.
>>
>> Volker
>>
>
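An added example, not part of the original thread and not Samba or OpenLDAP code: a small Python check that compares each assertion in an LDAP filter, such as the one in the smbd log above, with the index lines of a slapd.conf and lists those that have no matching index type. It inspects index directives only, not the schema requirement mentioned in the message; the function names are hypothetical.

```python
import re

# Constructed from the thread: a subset of the posted index lines, and the filter from the smbd log.
SLAPD_CONF = """\
index objectClass eq
index cn pres,sub,eq
index sambaSID eq
index sambaGroupType eq
"""
SAMBA_FILTER = ("(&(objectclass=sambaGroupMapping)(sambaGroupType=2)"
                "(sambaSID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX*))")

def parse_indexes(conf):
    """Map lower-cased attribute -> set of index types from slapd.conf text."""
    explicit, default = {}, set()
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0].lower() != "index":
            continue
        types = set(parts[2].lower().split(",")) if len(parts) > 2 else None
        for attr in parts[1].lower().split(","):
            if attr == "default":
                default = types or set()
            else:
                explicit[attr] = types
    # Assumption: an attribute listed without types gets the "default" set.
    return {a: default if t is None else t for a, t in explicit.items()}

def needed_index(value):
    if value == "*":
        return "pres"
    if "*" not in value:
        return "eq"
    if value.count("*") == 1 and value.endswith("*"):
        return "subinitial"
    if value.count("*") == 1 and value.startswith("*"):
        return "subfinal"
    return "sub"  # several components: conservatively require full "sub"

def uncovered(ldap_filter, conf):
    """Return [(attr, needed_type)] for assertions with no matching index."""
    indexes, gaps = parse_indexes(conf), []
    for attr, value in re.findall(r"\(([A-Za-z][\w;.-]*)=([^()]*)\)", ldap_filter):
        need, have = needed_index(value), indexes.get(attr.lower(), set())
        if need not in have and not (need.startswith("sub") and "sub" in have):
            gaps.append((attr, need))
    return gaps

if __name__ == "__main__":
    print(uncovered(SAMBA_FILTER, SLAPD_CONF))
```
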
