Re: [Samba] Samba 4 posixGroup mapping
On 02/06/2012 08:10 PM, Gémes Géza wrote:
> On 2012-02-06 09:29, steve wrote:
>> On 02/06/2012 07:19 AM, Gémes Géza wrote:
>>> On 2012-02-06 01:27, steve wrote:
>>>> Hi
>>>> I've created a Samba 4 group called suseusers and mixed in posixGroup
>>>> and gidNumber using samba-tool group add as a basis.
>>>>
>>>> It works, e.g. when I added an existing user to the group:
>>>> getent group suseusers
>>>> suseusers:*:2000:
>>>> and
>>>> getent passwd steve4
>>>> steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash
>>>> and
>>>> id
>>>> uid=319(steve4) gid=2000(suseusers) groups=2000(suseusers)
>>>>
>>>> but there seems to be something wrong with getent group. A local group
>>>> gives this:
>>>> getent group users
>>>> users:x:100:machine
>>>> x not *
>>>>
>>>> This happens both on the Samba 4 machine and a client with his /home
>>>> directory on nfs4. The uid:gid mappings and permissions are perfect at
>>>> both ends:) But what is the difference between the group info coming
>>>> from Samba 4 and the group info coming from /etc/group? I'm sure that
>>>> this is an error on my part, but I can't force it into failing no
>>>> matter what I throw at it.
>>>> Thanks,
>>>> Steve
>>>>
>>> For an answer we would need some configuration details, first of all
>>> nsswitch.conf, then depending on that maybe other files
>>>
>>> Regards
>>>
>>> Geza
>> Hi
>>
>> /etc/nsswitch.conf
>> passwd: files ldap
>> group: files ldap
>> shadow: files ldap
>> hosts: files mdns4_minimal [NOTFOUND=return] dns
>> networks: files dns
>> services: files
>> protocols: files
>> rpc: files
>> ethers: files
>> netmasks: files
>>
>> Ah, maybe this has something to do with it. For the user ldapmodify I
>> have:
>>
>> dn: cn=steve4,cn=Users,dc=hh3,dc=site
>> changetype: modify
>> add: objectclass
>> objectclass: posixaccount
>> -
>> add: objectclass
>> objectclass: shadowaccount
>> -
>> add: uidnumber
>> uidnumber: 321
>> -
>> add: gidnumber
>> gidnumber: 2000
>> -
>> add: unixhomedirectory
>> unixhomedirectory: /home/CACTUS/steve2
>> -
>> add: loginshell
>> loginshell: /bin/bash
>>
>> and for the group I have:
>>
>> dn: cn=suseusers,cn=Users,dc=hh3,dc=site
>> changetype: modify
>> add: objectclass
>> objectclass: posixGroup
>> -
>> add: gidnumber
>> gidnumber: 2000
>>
>> /etc/nslcd.conf:
>> uid nslcd-user
>> gid nslcd-user
>> uri ldap://192.168.1.3
>> base dc=hh3,dc=site
>> map passwd uid sAMAccountName
>> map passwd homeDirectory unixHomeDirectory
>> map shadow uid sAMAccountName
>> #map passwd gidNumber gidNumber
>> sasl_mech GSSAPI
>> sasl_realm HH3.SITE
>> krb5_ccname /tmp/krb5cc_0
>>
>> Then:
>> samba-tool group addmembers suseusers steve4
>>
>> getent group suseusers
>> suseusers:*:2000:
>> Comes out with the *
>>
>> But steve4 comes out correctly, as a local user would:
>> getent passwd steve4
>> steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash
>>
>> The only difference I see is that steve4 has a shadowaccount object
>> which can't be mapped for the group (because it doesn't have one). Is
>> there anything else here? Any other files needed?
>>
>> In fact, I don't think I need shadowaccount mappings at all do I?
>> Isn't that where the unix passwords are stored? But that's probably
>> another thread.
>>
>> Thanks,
>> Steve
> I'm not sure but maybe you should change how nslcd.conf maps group
> memberships (by default it looks at membership expecting stock
> posixaccount and posixgroup objectclasses, while AD uses member and
> memberOf which are close but not the same).
> You can safely ignore anything shadowaccount related, because you would
> be better authenticating via kerberos anyway.
>
> Regards
>
> Geza
Hi Geza, hi everyone

This looks like good news.

I asked the nslcd author directly:

> My question is, how do I extract the gid from the ldap? I've tried:
> map group gid gidnumber

You shouldn't need to map the gidNumber attribute because nslcd already
uses that attribute by default. In any case if you're trying to find the
primary group of a user you should do:

map passwd gidNumber XXX

(where XXX is the attribute in your LDAP server) The passwd map is what
defines the output of getent passwd, the group map defines the
information on groups.

That seems true. The posixGroup I defined is mapped without me doing
anything in nslcd and
map passwd gidNumber gidNumber
would seem pointless as it's already got the gidNumber.

You are right about the shadowaccount. This also solves the x and *. I
removed the objectclass shadowaccount from ldap and the map shadow uid
from nslcd and hey:
getent passwd steve4
steve4:*:319:2000:steve4:/home/CACTUS/steve4:/bin/bash
I interpret that as 'it's an x if there's a shadow entry, a * if there isn't'

This is getting to the stage where it's not worth waiting for a working
winbind. i.e. leave the windows side as it is and go with nfs4 and
rpc.idmapd for the Linux side.

How difficult do you think it would be to script the adding of the user
posix attributes after creating the s4 user? I envisage something like:
samba-tool user add steve --posix --defaultgroup=somegroup

Also, a startup script for samba4 and nslcd which I think should just be
a 2 liner.

Cheers,
Steve
-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
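Added example, not from any message in this thread: a POSIX shell script that does what Steve's imagined "samba-tool user add steve --posix --defaultgroup=somegroup" would do, built on the LDIF he posted. It creates the AD user with samba-tool, then adds the posixAccount attributes with ldapmodify, taking the group either as a gidNumber or as a group name resolved through getent (that is, through nslcd, just as the thread does). The base DN, LDAP URI, GSSAPI bind and /home/CACTUS home root are taken from the nslcd.conf in the thread; that the caller holds a Kerberos ticket allowed to modify objects under cn=Users is an assumption. shadowAccount is deliberately left out, which is where the thread ends up.

```sh
#!/bin/sh
# Added example, not from the Samba list thread. Adds posixAccount (and
# posixGroup) attributes to Samba 4 AD objects the way the hand-written LDIF
# in the thread does, wrapped around "samba-tool user add".
# Assumed from the thread's nslcd.conf: base DN, LDAP URI, GSSAPI bind, home root.
BASE_DN="${BASE_DN:-dc=hh3,dc=site}"
LDAP_URI="${LDAP_URI:-ldap://192.168.1.3}"
HOME_ROOT="${HOME_ROOT:-/home/CACTUS}"
# Safety default: print the LDIF instead of applying it. DRY_RUN=0 applies it.
DRY_RUN="${DRY_RUN:-1}"

# is_num STRING: succeed only for a non-empty string of digits.
is_num() { case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# gid_of GROUP: GROUP is either a gidNumber or a group name, which is resolved
# through NSS (getent group), i.e. through nslcd against the posixGroup entry.
gid_of() {
    if is_num "$1"; then echo "$1"; else getent group "$1" | cut -d: -f3; fi
}

# posix_ldif USER UIDNUMBER GIDNUMBER [SHELL]: print the "changetype: modify"
# record that turns an existing AD user into a posixAccount. No shadowAccount:
# authentication is Kerberos, and the shadow map only changes the "x"/"*" field.
posix_ldif() {
    user=$1 uidn=$2 gidn=$3 shell=${4:-/bin/bash}
    [ -n "$user" ] || { echo "posix_ldif: user name required" >&2; return 1; }
    is_num "$uidn" && is_num "$gidn" || {
        echo "posix_ldif: uidNumber/gidNumber must be numeric" >&2; return 1; }
    cat <<EOF
dn: cn=$user,cn=Users,$BASE_DN
changetype: modify
add: objectClass
objectClass: posixAccount
-
add: uidNumber
uidNumber: $uidn
-
add: gidNumber
gidNumber: $gidn
-
add: unixHomeDirectory
unixHomeDirectory: $HOME_ROOT/$user
-
add: loginShell
loginShell: $shell
EOF
}

# group_ldif GROUP GIDNUMBER: the same for a group made with "samba-tool group add".
group_ldif() {
    is_num "$2" || { echo "group_ldif: gidNumber must be numeric" >&2; return 1; }
    cat <<EOF
dn: cn=$1,cn=Users,$BASE_DN
changetype: modify
add: objectClass
objectClass: posixGroup
-
add: gidNumber
gidNumber: $2
EOF
}

# add_posix_user USER UIDNUMBER GROUP [SHELL]: the "samba-tool user add --posix
# --defaultgroup" wrapper. samba-tool prompts for the password itself.
add_posix_user() {
    gidn=$(gid_of "$3")
    [ -n "$gidn" ] || { echo "add_posix_user: group '$3' not found" >&2; return 1; }
    if [ "$DRY_RUN" = 1 ]; then
        echo "# would run: samba-tool user add $1"
        posix_ldif "$1" "$2" "$gidn" "$4"
        return
    fi
    samba-tool user add "$1" || return 1
    posix_ldif "$1" "$2" "$gidn" "$4" | ldapmodify -Y GSSAPI -H "$LDAP_URI"
}

# Demo with the thread's values (dry run, nothing is contacted).
add_posix_user steve4 319 2000
```

Validating uidNumber and gidNumber before building the LDIF is the point of the helper: an add that goes through with a wrong or empty gidNumber silently lands the user in a group it was never meant to be in, and getent will happily show it as correct.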
[Samba] BDC constantly rebinds to master ldap server causing browsing delay
Hello,

I seem to be having an issue where one of my BDC servers constantly needs to rebind to the "master" ldap server (ldap1.ae-solutions.com). Whenever this happens I see several entries in the log like this:

"smbldap_search_ext: waiting 928 milliseconds for LDAP replication."

It appears to cause delay when browsing samba shares whenever this happens. The master ldap server is at a different WAN site, this BDC does have a local slave ldap server (ldap1.mpls.ae-solutions.com) that it should be using instead. Everything was working correctly before, it seems to have started after the last yum update I did on this server.

Server Info:
CentOS 5.7 x64
samba3x-3.5.4-0.83.el5_7.2 (updated from samba3x-3.5.4-0.70.el5_6.1)

Here is a snippet of the output of "pdbedit -v username":

winbind failed to find a gid for sid S-1-5-21-112718084-1284083569-2990761952-5055
lookup_global_sam_rid: looking up RID 5055.
smbldap_search_ext: base => [dc=ae-solutions,dc=com], filter => [(&(sambaSID=S-1-5-21-112718084-1284083569-2990761952-5055)(objectclass=sambaSamAccount))], scope => [2]
smbldap_search_ext: waiting 921 milliseconds for LDAP replication.
smbldap_search_ext: go on!
ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-112718084-1284083569-2990761952-5055] count=0
smbldap_search_ext: base => [dc=ae-solutions,dc=com], filter => [(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-112718084-1284083569-2990761952-5055))], scope => [2]
init_group_from_ldap: Entry found for group: 2027
LEGACY: sid S-1-5-21-112718084-1284083569-2990761952-5055 -> gid 2027
pdb_set_group_sid: setting group sid S-1-5-21-112718084-1284083569-2990761952-5055
Cache entry with key = ACCT_POL/minimum password age couldn't be found
ldapsam_get_account_policy_from_ldap
smbldap_search_ext: base => [sambaDomainName=AEI,dc=ae-solutions,dc=com], filter => [(objectClass=sambaDomain)], scope => [0]
ldapsam_get_account_policy: failed to retrieve from ldap
ldapsam_set_account_policy_in_ldap
smbldap_modify: dn => [sambaDomainName=AEI,dc=ae-solutions,dc=com]
rebindproc_connect_with_state: Rebinding to ldap://ldap1.ae-solutions.com/sambaDomainName=AEI,dc=ae-solutions,dc=com as "cn=Manager,dc=ae-solutions,dc=com"
rebindproc_connect_with_state: setting last_rebind timestamp (req: 0x66)
Failed to modify dn: sambaDomainName=AEI,dc=ae-solutions,dc=com, error: 17 (Undefined attribute type) (sambaMinPwdAge: attribute type undefined)
Cache entry with key = ACCT_POL/maximum password age couldn't be found
ldapsam_get_account_policy_from_ldap
smbldap_search_ext: base => [sambaDomainName=AEI,dc=ae-solutions,dc=com], filter => [(objectClass=sambaDomain)], scope => [0]
smbldap_search_ext: waiting 928 milliseconds for LDAP replication.
smbldap_search_ext: go on!
ldapsam_get_account_policy: failed to retrieve from ldap
ldapsam_set_account_policy_in_ldap
smbldap_modify: dn => [sambaDomainName=AEI,dc=ae-solutions,dc=com]
rebindproc_connect_with_state: Rebinding to ldap://ldap1.ae-solutions.com/sambaDomainName=AEI,dc=ae-solutions,dc=com as "cn=Manager,dc=ae-solutions,dc=com"
rebindproc_connect_with_state: setting last_rebind timestamp (req: 0x66)
Failed to modify dn: sambaDomainName=AEI,dc=ae-solutions,dc=com, error: 17 (Undefined attribute type) (sambaMaxPwdAge: attribute type undefined)

Here's the global section of smb.conf on this server:

[global]
workgroup = AEI
server string =
passdb backend = ldapsam:ldap://ldap1.mpls.ae-solutions.com
log level = 10
log file = /var/log/samba/log.%m
printcap name = /etc/printcap
add user script = /usr/sbin/smbldap-useradd -m '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
logon script = %U.bat
logon path =
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 34
preferred master = Auto
domain master = No
dns proxy = No
wins server = 10.2.0.2
ldap admin dn = cn=Manager,dc=ae-solutions,dc=com
ldap group suffix = ou=Group
ldap machine suffix = ou=Computers
ldap passwd sync = yes
ldap suffix = dc=ae-solutions,dc=com
ldap ssl = no
ldap user suffix = ou=People
invalid users = daemon, sys, adm, lp, smtp, uucp, nuucp, listen, noaccess, nobody4

If more info is needed please let me know.

Thanks,
Dave L.
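Added example, not part of Dave's post and not a Samba tool: a small POSIX shell/awk summariser for the pattern visible in the log above. Read in order, the lines show the cycle: the account-policy read against the slave finds nothing, smbd tries to write the policy back, that write is handed to the master ldap1.ae-solutions.com through the rebind callback (although passdb backend names the slave ldap1.mpls.ae-solutions.com), the master rejects it with "Undefined attribute type" for sambaMinPwdAge and sambaMaxPwdAge, and the next lookup repeats it, each time paying the replication wait. The script counts the rebinds and which host they go to, sums the replication waits, and lists the attributes the server refuses, which is what you would compare against passdb backend and the server's loaded samba schema. Only the message formats quoted in the post are matched; the sample log is constructed from those lines.

```sh
#!/bin/sh
# Added example, not part of Dave's post or of Samba: summarise the
# rebind / replication-wait pattern from a "log level = 10" smbd log.
# Reads log text on stdin and prints one summary line; only the message
# formats quoted in the post are recognised.

rebind_summary() {
    awk '
    # smbldap_search_ext: waiting 928 milliseconds for LDAP replication.
    /smbldap_search_ext: waiting [0-9]+ milliseconds for LDAP replication/ {
        waits++
        for (i = 1; i <= NF; i++) if ($i == "waiting") wait_ms += $(i + 1)
    }
    # rebindproc_connect_with_state: Rebinding to ldap://HOST/DN as "BINDDN"
    /rebindproc_connect_with_state: Rebinding to / {
        rebinds++
        for (i = 1; i <= NF; i++) if ($i == "to") { split($(i + 1), u, "/"); hosts[u[3]]++ }
    }
    # Failed to modify dn: ..., error: 17 (Undefined attribute type) (ATTR: attribute type undefined)
    /Undefined attribute type/ {
        if (match($0, /\([A-Za-z0-9]+: attribute type undefined\)/)) {
            a = substr($0, RSTART + 1, RLENGTH - 2)
            sub(/: attribute type undefined/, "", a)
            if (!(a in seen)) { seen[a] = 1; undef = undef (undef == "" ? "" : ",") a }
        }
    }
    END {
        for (x in hosts) h = h (h == "" ? "" : ",") x
        printf "rebinds=%d rebind_hosts=%s waits=%d wait_ms=%d undefined_attrs=%s\n", rebinds, h, waits, wait_ms, undef
    }'
}

# policy_write_loop: exit 0 when stdin shows the loop from the post, i.e. at
# least one rebind together with a modify rejected for an undefined attribute.
policy_write_loop() {
    rebind_summary | grep -q 'rebinds=[1-9][0-9]* .*undefined_attrs=[A-Za-z]'
}

# Constructed sample: the relevant lines from the pdbedit -v output in the post.
SAMPLE_LOG='smbldap_search_ext: waiting 921 milliseconds for LDAP replication.
smbldap_search_ext: go on!
ldapsam_get_account_policy: failed to retrieve from ldap
ldapsam_set_account_policy_in_ldap
rebindproc_connect_with_state: Rebinding to ldap://ldap1.ae-solutions.com/sambaDomainName=AEI,dc=ae-solutions,dc=com as "cn=Manager,dc=ae-solutions,dc=com"
Failed to modify dn: sambaDomainName=AEI,dc=ae-solutions,dc=com, error: 17 (Undefined attribute type) (sambaMinPwdAge: attribute type undefined)
smbldap_search_ext: waiting 928 milliseconds for LDAP replication.
rebindproc_connect_with_state: Rebinding to ldap://ldap1.ae-solutions.com/sambaDomainName=AEI,dc=ae-solutions,dc=com as "cn=Manager,dc=ae-solutions,dc=com"
Failed to modify dn: sambaDomainName=AEI,dc=ae-solutions,dc=com, error: 17 (Undefined attribute type) (sambaMaxPwdAge: attribute type undefined)'

# On a real server (smb.conf above has log file = /var/log/samba/log.%m):
#   rebind_summary < /var/log/samba/log.CLIENTNAME
printf '%s\n' "$SAMPLE_LOG" | rebind_summary
```

A rebind host that differs from the passdb backend server, paired with a non-empty undefined_attrs list, is the signature worth alerting on: it means every policy lookup on this BDC is turning into a failed write across the WAN.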
Re: [Samba] Offline Caching
On 06/02/2012 06:43, Volker Lendecke wrote:
> On Sun, Feb 05, 2012 at 10:47:49AM -0500, Charles Marcus wrote:
>> On 2012-02-04 10:33 AM, Volker Lendecke wrote:
>>> On Sat, Feb 04, 2012 at 02:54:13PM, Mike Howard wrote:
>>>> I'm sure this has been asked before but I can't find anything recent.
>>>> Using Samba4 and windows clients, the client logs include lots of
>>>> 'windows has detected that offline caching is enabled on the roaming
>>>> profile share...' messages. Is this an issue and if so, how do I sort
>>>> it? I've found references to 'csc policy = disable' but this is not
>>>> recognised in samba4 smb.conf.
>>> Probably someone needs to take the time to port this feature from the
>>> Samba3 based fileserver to the Samba4 based one. Patches welcome:-)
>> Confused on both the question and answer... Is the question 'How do I
>> enable offline caching for shares in Samba4', or 'how do I *disable*
>> offline caching for a specific share in samba4'?
> My answer was in response to the "csc policy" parameter. The samba3
> based file server has it, but it seems the samba4 based one does not.
> So if you require the samba4 based file server for some reason, someone
> needs to port this feature to the samba4 based file server to fulfill
> your requirements.

So the info on the Samba4/Howto page about profiles is misleading then?
Do the roaming profiles need to be stored on a different, samba3 box,
leaving the Samba4 box to do AD stuff only? The profiles area is still a
share being served and if caching isn't disabled, is subject to
corruption according to MS. If that is the case, then a 'Franky' like
setup, with both 3 & 4 on the same box would make sense (at least to
me). Is that viable?

Cheers.
Re: [Samba] Samba 4 posixGroup mapping
On 2012-02-06 09:29, steve wrote:
> On 02/06/2012 07:19 AM, Gémes Géza wrote:
>> On 2012-02-06 01:27, steve wrote:
>>> Hi
>>> I've created a Samba 4 group called suseusers and mixed in posixGroup
>>> and gidNumber using samba-tool group add as a basis.
>>>
>>> It works, e.g. when I added an existing user to the group:
>>> getent group suseusers
>>> suseusers:*:2000:
>>> and
>>> getent passwd steve4
>>> steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash
>>> and
>>> id
>>> uid=319(steve4) gid=2000(suseusers) groups=2000(suseusers)
>>>
>>> but there seems to be something wrong with getent group. A local group
>>> gives this:
>>> getent group users
>>> users:x:100:machine
>>> x not *
>>>
>>> This happens both on the Samba 4 machine and a client with his /home
>>> directory on nfs4. The uid:gid mappings and permissions are perfect at
>>> both ends:) But what is the difference between the group info coming
>>> from Samba 4 and the group info coming from /etc/group? I'm sure that
>>> this is an error on my part, but I can't force it into failing no
>>> matter what I throw at it.
>>> Thanks,
>>> Steve
>>>
>> For an answer we would need some configuration details, first of all
>> nsswitch.conf, then depending on that maybe other files
>>
>> Regards
>>
>> Geza
> Hi
>
> /etc/nsswitch.conf
> passwd: files ldap
> group: files ldap
> shadow: files ldap
> hosts: files mdns4_minimal [NOTFOUND=return] dns
> networks: files dns
> services: files
> protocols: files
> rpc: files
> ethers: files
> netmasks: files
>
> Ah, maybe this has something to do with it. For the user ldapmodify I
> have:
>
> dn: cn=steve4,cn=Users,dc=hh3,dc=site
> changetype: modify
> add: objectclass
> objectclass: posixaccount
> -
> add: objectclass
> objectclass: shadowaccount
> -
> add: uidnumber
> uidnumber: 321
> -
> add: gidnumber
> gidnumber: 2000
> -
> add: unixhomedirectory
> unixhomedirectory: /home/CACTUS/steve2
> -
> add: loginshell
> loginshell: /bin/bash
>
> and for the group I have:
>
> dn: cn=suseusers,cn=Users,dc=hh3,dc=site
> changetype: modify
> add: objectclass
> objectclass: posixGroup
> -
> add: gidnumber
> gidnumber: 2000
>
> /etc/nslcd.conf:
> uid nslcd-user
> gid nslcd-user
> uri ldap://192.168.1.3
> base dc=hh3,dc=site
> map passwd uid sAMAccountName
> map passwd homeDirectory unixHomeDirectory
> map shadow uid sAMAccountName
> #map passwd gidNumber gidNumber
> sasl_mech GSSAPI
> sasl_realm HH3.SITE
> krb5_ccname /tmp/krb5cc_0
>
> Then:
> samba-tool group addmembers suseusers steve4
>
> getent group suseusers
> suseusers:*:2000:
> Comes out with the *
>
> But steve4 comes out correctly, as a local user would:
> getent passwd steve4
> steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash
>
> The only difference I see is that steve4 has a shadowaccount object
> which can't be mapped for the group (because it doesn't have one). Is
> there anything else here? Any other files needed?
>
> In fact, I don't think I need shadowaccount mappings at all do I?
> Isn't that where the unix passwords are stored? But that's probably
> another thread.
>
> Thanks,
> Steve
I'm not sure but maybe you should change how nslcd.conf maps group
memberships (by default it looks at membership expecting stock
posixaccount and posixgroup objectclasses, while AD uses member and
memberOf which are close but not the same).
You can safely ignore anything shadowaccount related, because you would
be better authenticating via kerberos anyway.

Regards

Geza
Re: [Samba] Share-based security
On Mon, Feb 6, 2012 at 12:37 AM, Chris Smith wrote:
> On Sun, Feb 5, 2012 at 5:09 PM, Nico Kadel-Garcia wrote:
>> And you're correct, the man page points this out.
>>
>> I've tried to avoid this particular kind of manipulation ever since I
>> first used Samba (way, way too long ago!!!) because the difference
>> between the permissions management of specific shares in smb.conf
>> and the underlying POSIX compatible filesystem based permissions were
>> easier to audit, safer and more robust to manage on the fileserver
>> side, rather than being overlaid or overwritten by any mismatched CIFS
>> based ownership.
>
> Just the opposite, from a long time Samba (and Windows) user as well.
> I prefer to do whatever can be done at share level security first and
> only deal with file level security if needed.

I've been doing a lot of "share it via NFS for Linux and UNIX users, via
Samba for Windows users" work. Skew between the permissions is awkward,
and having to manage only one set of permissions has been definitely
easier for me and my clients.
[Samba] upgraded to 3.6.2
Hi Folks,

I have upgraded my very stock Ubuntu 8.04.4 running 3.0.28a to 3.6.2 by
compiling in place as per these notes:

http://www.jeremycole.com/blog/2009/12/01/upgrade-samba-3-0-28a-to-3-4-3-on-ubuntu-8-04-lts/

Worked a treat - big respect to the team.

However, I am struggling a little with group mapping

net groupmap list

used to show the half dozen or so groups but now it doesn't

Have I broken it or is it no longer done that way?

Any tips on troubleshooting would be most helpful...

TIA

Simon

-- 
Simon Faulkner
01538 303 900
Staffordshire Moorlands
Re: [Samba] Samba 4 posixGroup mapping
On 02/06/2012 07:19 AM, Gémes Géza wrote:
> On 2012-02-06 01:27, steve wrote:
>> Hi
>> I've created a Samba 4 group called suseusers and mixed in posixGroup
>> and gidNumber using samba-tool group add as a basis.
>>
>> It works, e.g. when I added an existing user to the group:
>> getent group suseusers
>> suseusers:*:2000:
>> and
>> getent passwd steve4
>> steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash
>> and
>> id
>> uid=319(steve4) gid=2000(suseusers) groups=2000(suseusers)
>>
>> but there seems to be something wrong with getent group. A local group
>> gives this:
>> getent group users
>> users:x:100:machine
>> x not *
>>
>> This happens both on the Samba 4 machine and a client with his /home
>> directory on nfs4. The uid:gid mappings and permissions are perfect at
>> both ends:) But what is the difference between the group info coming
>> from Samba 4 and the group info coming from /etc/group? I'm sure that
>> this is an error on my part, but I can't force it into failing no
>> matter what I throw at it.
>> Thanks,
>> Steve
>>
> For an answer we would need some configuration details, first of all
> nsswitch.conf, then depending on that maybe other files
>
> Regards
>
> Geza
Hi

/etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files

Ah, maybe this has something to do with it. For the user ldapmodify I
have:

dn: cn=steve4,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: shadowaccount
-
add: uidnumber
uidnumber: 321
-
add: gidnumber
gidnumber: 2000
-
add: unixhomedirectory
unixhomedirectory: /home/CACTUS/steve2
-
add: loginshell
loginshell: /bin/bash

and for the group I have:

dn: cn=suseusers,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixGroup
-
add: gidnumber
gidnumber: 2000

/etc/nslcd.conf:
uid nslcd-user
gid nslcd-user
uri ldap://192.168.1.3
base dc=hh3,dc=site
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid sAMAccountName
#map passwd gidNumber gidNumber
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

Then:
samba-tool group addmembers suseusers steve4

getent group suseusers
suseusers:*:2000:
Comes out with the *

But steve4 comes out correctly, as a local user would:
getent passwd steve4
steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash

The only difference I see is that steve4 has a shadowaccount object
which can't be mapped for the group (because it doesn't have one). Is
there anything else here? Any other files needed?

In fact, I don't think I need shadowaccount mappings at all do I?
Isn't that where the unix passwords are stored? But that's probably
another thread.

Thanks,
Steve