Re: [Samba] Solaris nss_ldap vs PADL nss_ldap

2008-09-12 Thread albanperso-zatoo
Hi Duncan,

I have the same issue on Solaris and Samba (3.028a and 3.31): it is OK for 
primary groups but not for secondaries.

Can you describe how you get / configure PADL's nss_ldap?

Thanks in advance

Regards

Alban


- Original Message -
 From: Duncan Brannen [EMAIL PROTECTED]
 To: samba@lists.samba.org
 Sent: Wednesday, 27 August 2008, 18:09:55
 Subject: [Samba] Solaris nss_ldap vs PADL nss_ldap
 
 
 
 Hi All,
   Any thoughts on why, while everything seems ok at the OS level 
 (getent , id -a ) Samba
 doesn't pick up any supplementary groups when Solaris is configured with 
 'group: files ldap' in
 nsswitch.conf and using its own native nss_ldap.so.1 but does when 
 using PADL's nss_ldap?
 Everything else is equal.
 
 Do they use/accept different calls or could it be an openldap vs native 
 ldap incompatibility,
 Samba being compiled against the openldap libraries.
 
 Samba seems not to compile against the native libraries due to a lack of 
 ldap_start_tls_s
 
 Solaris 10 and Samba 3.2.2
 
 Cheers,
   Duncan
 
 -- 
 The University of St Andrews is a charity registered in Scotland : No SC013532
 
 -- 
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/listinfo/samba






Re: Re: [Samba] Solaris nss_ldap vs PADL nss_ldap

2008-09-12 Thread albanperso-zatoo
Thanks Duncan.

Before going to get the nss_ldap, I just created fresh user accounts in my AD 
and it works fine!
I recreated the existing ones and everything is OK. There is no difference detected 
with the former accounts, so it's an unexplained working tip.

So, as advice from the field, for future readers of this message, check the 
entire line of responsibility, starting from the infra to the data (ALL kinds of 
involved data).

Best regards

Alban



- Original Message -
 From: Duncan Brannen [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Cc: samba@lists.samba.org
 Sent: Friday, 12 September 2008, 13:20:30
 Subject: Re: Re: [Samba] Solaris nss_ldap vs PADL nss_ldap
 
 
 Hi Alban,
 You can download padl's nss_ldap library from 
 http://www.padl.com/Contents/OpenSourceSoftware.html
 
 If you've already configured solaris for groups and password in LDAP, it 
 should just work once you replace the Solaris
 nss_ldap with the padl one ( back it up first ;)  and add / configure 
 /etc/ldap.conf
 
 mine looks like
 
  TLS_CACERT /etc/certs/cacert.pem
  TLSCIPHERSUITE TLSv1
  host ldap.st-andrews.ac.uk
  rootbinddn 
  base ou=People,dc=st-andrews,dc=ac,dc=uk
  ldap_version 3
  nss_base_passwd ou=People,dc=st-andrews,dc=ac,dc=uk?one
  nss_base_shadow ou=People,dc=st-andrews,dc=ac,dc=uk?one
  nss_base_group  ou=Groups,dc=st-andrews,dc=ac,dc=uk?one
  ssl start_tls
  tls_cacertfile /etc/certs/
  certificate?
  tls_cacertdir /etc/certs
  tls_ciphers TLSv1
 With the admin user password in /etc/ldap.secret permission 600.
 
 
 You could also try  group: compat as suggested by Douglas Engert,  I've 
 not managed to get back to trying this yet.
 
  Have you tried using the Solaris version with this in the nsswitch.conf:
 
   group: compat
   group_compat ldap
 
  and adding the + in the /etc/group file.
 
  This appears to work as expected, getting groups info from both
  local and ldap.
 
  Or (I have not tried this):
 
   group: files [SUCCESS=continue] ldap
 
 Cheers,
   Duncan
 
 
 


Re: [Samba] Samba 3.0.x access rights issue with secondary groups or Unix rights

2008-08-19 Thread albanperso-zatoo
Details on the groups command


To have the secondary groups, I have to enter id -a logged in as the user.

As root, it doesn't work: id -a jdoe just returns the primary group.



- Original Message -
 From: Duncan Brannen [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Cc: samba@lists.samba.org
 Sent: Tuesday, 19 August 2008, 14:02:38
 Subject: Re: [Samba] Samba 3.0.x access rights issue with secondary groups or 
 Unix rights
 
 
 Hi,
   I have a similar problem, no ADS in my setup, just no 
 supplementary groups showing
 up (samba 3.2.1 and groups ldap in nsswitch.conf as opposed to working 
 with Samba 3.0.28 and groups nis in nsswitch.conf)
 Solaris 10 SPARC
 
 Everything looks ok, getent, groups etc when logged in as root, 
 but if I su to the user
 not getting any groups and type
 
 groups
 
 I don't see any groups there bar the primary one.
 
 Are you seeing the same thing?  IE if you're logged in as root and type
 
 groups jdoe
 
 You see all of jdoe's groups
 
 but if you su to jdoe and type
 
 groups
 
 You only see the primary group?
 
 Just a long shot but might push you in the right direction?
 
 
 Cheers,
   Duncan
 
 

Re: Re: [Samba] Samba 3.0.x access rights issue with secondary groups or Unix rights

2008-08-19 Thread albanperso-zatoo
Good remark, Duncan, but on the Samba side, the command net ads user info 
jdoe can resolve all the user's groups, including the secondary ones.

I checked on the Unix side with the ldapsearch command, using Kerberos 
authentication for the involved accounts, that it can read all required attributes in 
users and groups, and it is OK.

I have no idea what's wrong.
I am stuck and an expert could probably help us.

Regards


- Original Message -
 From: Duncan Brannen [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Cc: samba@lists.samba.org
 Sent: Tuesday, 19 August 2008, 15:28:47
 Subject: Re: Re: [Samba] Samba 3.0.x access rights issue with secondary 
 groups or Unix rights
 
 
 Someone more knowledgeable may correct me, but I'd guess you have to fix 
 that,
 if Solaris isn't picking up secondary groups for a user, I'd think Samba 
 won't find
 them either.
 
 On my systems id -a returns all the groups, it's just the groups command 
 when run as
 a non root user that doesn't work on my systems with groups configured 
 in ldap and
 this seems enough to stop Samba picking up my secondary groups. Your system
 seems to be misbehaving in the opposite way.
 
 If I fix mine, I'll let you know what was wrong, I may just go back to 
 NIS groups
 in nsswitch.conf.
 
 Cheers,
   Duncan
 
 
 

[Samba] Samba 3.0.x access rights issue with secondary groups or Unix rights

2008-08-18 Thread albanperso-zatoo
Hi experts

I have a trouble in access rights

I am running Samba
3.0.31 on Solaris 10 x86 64 bits as a member server of an Active
Directory 2003 R2 domain (MYDOMAIN) using Identity Management for Unix.
I set rights to access a sub folder of a Samba share. On Solaris the user
toto jdoe can write a new file. From Windows, the same user can't.
It looks OK when the primary group (grp1) of the user is the group
that owns the subtree but not when this owner group is a secondary group
(grp2).
It is OK if I set explicitly the user right from MS Windows.
I can't change the access rights to the group from MS Windows.

I suspect Unix ownership or ACL to be the root cause but I can't exclude a 
Samba issue.

Thanks for help

Here are the long details of my config (sorry for the parts that take space and no 
useful info, so just go to the valuable data)

 An extract from my smb.conf 

[global]
## part windows ##
host msdfs = no
netbios name = machines01
netbios aliases = 2store
server string = 2store
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
security = ADS
use kerberos keytab = yes
obey pam restrictions = Yes
use spnego = yes
client use spnego = yes
password server = machinew01.MYDOMAIN.local machinew07.MYDOMAIN.local
#   unix extensions = no
machine password timeout = 0
#   logon path = \\machines01\profiles\%U
template shell = /bin/bash
hosts allow = 127.0.0.1, 192.168.10.0/255.255.255.0, 192.168.11.0/255.255.255.0
## part samba engine ##
max log size = 5
log level = 10
syslog = 0
log file = /var/log/samba/%m
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
## part ldap et idmap ##
ldap admin dn = cn=myadmin,cn=users,dc=MYDOMAIN,dc=local
ldap idmap suffix = ou=idmap
ldap ssl = no
idmap backend = ldap:ldap://machinew01.MYDOMAIN.local ldap:ldap://machinew07.MYDOMAIN.local
#idmap backend = idmap_rid:MYDOMAIN=1-2
#idmap backend = ad
idmap uid = 1-2
idmap gid = 1-2
#idmap config MYDOMAIN:schema_mode = rfc2307
## part winbind ##
winbind nss info = rfc2307
winbind cache time = 5
winbind refresh tickets = Yes
winbind use default domain = Yes
winbind trusted domains only = Yes
winbind nested groups = Yes
winbind enum groups = Yes
winbind enum users = Yes

[data]
comment = Samba data folder
path = /samba/data
read only = No
create mask = 0740
directory mask = 0750
guest ok = Yes




 Check the Unix name resolution 
getent passwd jdoe
jdoe:x:10037:10002:John DOE:/home/jdoe:/bin/sh


getent group grp2
grp2::10004:myadmin,jdoe,demo1,demo2,demo3


 I can check that Samba can resolve if the user is a member of the group 

/usr/local/samba/bin/net ads user info jdoe
grp2
grp1


/usr/local/samba/bin/wbinfo -G 10004
S-1-5-21-2269603188-533060101-51835291-1642

/usr/local/samba/bin/wbinfo -Y S-1-5-21-2269603188-533060101-51835291-1642
10004


/usr/local/samba/bin/wbinfo -R 10004
winbind_lookup_rids failed
Could not lookup RIDs 10004



 Review of the access rights 

ls -al /samba/data/level1/level2/level3/level4
drwxrwsr-x+ 19 myadmin grp2  512 Aug 15 11:18 .
drwxr-x---   9 myadmin grp1 512 Aug 12 16:06 ..
drwxrws---+  3 myadmin grp2  512 Jun 27 10:58 general
-rwxr-+  1 jdoe grp2    0 Aug 15 11:18 New Text Document from Windows.txt
-rwxrw   1 jdoe grp2   44 Aug 15 11:14 newdocfromunix.txt

*** ACTION: I tried on Unix to change the group owner of .. to grp2 but that 
removed all jdoe access from Windows


 Test POSIX ACLs 
getfacl -a /samba/data/level1/level2/level3/level4/

# file: /samba/data/level1/level2/level3/level4/
# owner: myadmin
# group: grp2
user::rwx
group::rwx  #effective:rwx
other:r-x


getfacl -a /samba/data/level1/level2/level3

# file: /samba/data/level1/level2/level3
# owner: myadmin
# group: grp1
user::rwx
group::r-x  #effective:r-x
mask:r-x
other:---


getfacl -a /samba/data/level1/level2

# file: /samba/data/level1/level2
# owner: myadmin
# group: grp1
user::rwx
group::r-x  #effective:r-x
other:r-x


getfacl -a /samba/data/level1

# file: /samba/data/level1
# owner: root
# group: root
user::rwx
group::r-x  #effective:r-x
mask:r-x
other:r-x


getfacl -a /samba/data

# file: /samba/data
# owner: myadmin
# group: grp1
user::rwx
user:user123:rwx#effective:rwx
group::r-x  #effective:r-x
mask:rwx
other:r-x



 From MS Windows side 

properties/security
The group is in the group and user names list;
there is no check box in the Allow or Deny column.

Advanced/permissions

Type    Name    Permission
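A worked example added here (not part of the thread, nor Samba code): it transcribes the ls -al and getfacl output posted above into a small POSIX.1e ACL evaluator and asks whether jdoe can create a file in level4, first with the supplementary group grp2 that id -a reports, then with only the primary group grp1 (what smbd is left with when NSS drops the secondary groups), and finally after the chgrp of level3 described under ACTION. The Acl class, the access/can_create_file/regroup functions and the constructed group sets are my own; the ACL values are the ones in the mail.

```python
from dataclasses import dataclass, field, replace

R, W, X = 4, 2, 1

def perm(s):
    """Turn an 'rwx' / 'r-x' / '---' string into permission bits."""
    return (R if "r" in s else 0) | (W if "w" in s else 0) | (X if "x" in s else 0)

@dataclass
class Acl:
    owner: str
    group: str
    user: int                # user::  (owner entry)
    group_obj: int           # group:: (owning-group entry), limited by mask
    other: int
    mask: int = 7            # no mask entry in getfacl -> nothing is masked
    named_users: dict = field(default_factory=dict)  # user:<name>:<perm>

def access(acl, user, groups):
    """POSIX.1e evaluation order: owner, named user, owning group, other."""
    if user == acl.owner:
        return acl.user
    if user in acl.named_users:
        return acl.named_users[user] & acl.mask
    if acl.group in groups:
        return acl.group_obj & acl.mask
    return acl.other

# Transcribed from the ls -al / getfacl output in the thread.
TREE = [
    ("/samba/data",                             Acl("myadmin", "grp1", 7, perm("r-x"), perm("r-x"), 7, {"user123": 7})),
    ("/samba/data/level1",                      Acl("root",    "root", 7, perm("r-x"), perm("r-x"), perm("r-x"))),
    ("/samba/data/level1/level2",               Acl("myadmin", "grp1", 7, perm("r-x"), perm("r-x"))),
    ("/samba/data/level1/level2/level3",        Acl("myadmin", "grp1", 7, perm("r-x"), perm("---"), perm("r-x"))),
    ("/samba/data/level1/level2/level3/level4", Acl("myadmin", "grp2", 7, perm("rwx"), perm("r-x"))),
]

def can_create_file(tree, user, groups):
    """Creating a file needs x on every ancestor and w+x on the leaf directory.
    Returns (allowed, path): the first directory that refuses, or the leaf."""
    for path, acl in tree[:-1]:
        if not access(acl, user, groups) & X:
            return False, path
    path, acl = tree[-1]
    bits = access(acl, user, groups)
    return bool(bits & W and bits & X), path

def regroup(tree, path, new_group):
    """Model the 'change the group owner of ..' attempt from the thread."""
    return [(q, replace(a, group=new_group) if q == path else a) for q, a in tree]

if __name__ == "__main__":
    for label, grps in (("id -a", {"grp1", "grp2"}), ("smbd", {"grp1"})):
        print(label, can_create_file(TREE, "jdoe", grps))
    chgrp = regroup(TREE, "/samba/data/level1/level2/level3", "grp2")
    print("after chgrp", can_create_file(chgrp, "jdoe", {"grp1"}))
```

The primary-group-only run is refused at level4 (only the other entry r-x applies), and after the chgrp it is refused already at level3 (other is ---), which is exactly the "removed all jdoe access" outcome reported above.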